Tuesday, November 30, 2010

Complete DHS Daily Report for November 30, 2010

Daily Report

Top Stories

• According to NBC News, the U.S. Secretary of State condemned the release of more than 250,000 classified State Department documents November 29, saying the United States was taking aggressive steps to hold responsible those who “stole” the information, which includes unflattering assessments of world leaders and revelations about backstage U.S. diplomacy. (See item 42)

42. November 29, NBC News, msnbc.com, Associated Press and Reuters – (National; International) Clinton: U.S. ‘deeply regrets’ WikiLeaks disclosures. The U.S. Secretary of State condemned the release of more than 250,000 classified State Department documents November 29, saying the United States was taking aggressive steps to hold responsible those who “stole” the information. In her first public comments since the November 28 release of the classified State Department cables, she said online whistleblower Wikileaks acted illegally in posting the material. She said the U.S. Presidential administration was “aggressively pursuing” those responsible for the leak. Her comments come as the Presidential administration moved into damage control mode, trying to contain fallout from unflattering assessments of world leaders and revelations about backstage U.S. diplomacy. The publication of the secret cables amplified widespread global alarm about Iran’s nuclear ambitions and unveiled occasional U.S. pressure tactics aimed at hot spots in Afghanistan, Pakistan, and North Korea. According to the vast cache of cables, a Saudi Arabian leader repeatedly urged the United States to attack Iran’s nuclear program, and China directed cyber attacks on the United States. The documents, given to five media groups by the whistle-blowing Web site WikiLeaks, provide candid and at times critical views of foreign leaders as well as sensitive information on terrorism and nuclear proliferation filed by U.S. diplomats, according to The New York Times. The White House condemned the release, and said the disclosures may endanger U.S. informants abroad. Source: http://www.msnbc.msn.com/id/40412689/ns/us_news-security

• A 19-year-old naturalized U.S. citizen from Somalia was arrested on charges of attempting to use a weapon of mass destruction in connection with a plot to detonate a vehicle bomb at an annual Christmas tree lighting ceremony in Portland, Oregon, the U.S. Justice Department announced. (See item 62)

62. November 26, U.S. Department of Justice – (Oregon) Oregon resident arrested in plot to bomb Christmas tree lighting ceremony in Portland. A 19-year-old naturalized U.S. citizen from Somalia and resident of Corvallis, Oregon, has been arrested on charges of attempting to use a weapon of mass destruction (explosives) in connection with a plot to detonate a vehicle bomb at an annual Christmas tree lighting ceremony November 26 in Portland, Oregon, the Justice Department announced. According to a criminal complaint signed in the District of Oregon, the man was arrested by the FBI and Portland Police Bureau November 26 after he attempted to detonate what he believed to be an explosives-laden van that was parked near the tree lighting ceremony in Portland’s Pioneer Courthouse Square. The arrest was the culmination of a long-term undercover operation, during which the man had been monitored closely for months as his alleged bomb plot developed. The device was in fact inert, and the public was never in danger from it. The man is expected to make his initial appearance in federal court in Portland November 29. He faces a maximum statutory sentence of life in prison and a $250,000 fine if convicted of the charge of attempting to use a weapon of mass destruction. Source: http://portland.fbi.gov/dojpressrel/pressrel10/pd112610.htm

Details

Banking and Finance Sector

17. November 29, FINalternatives – (National) First arrest in wide insider-trading probe. The FBI has made the first arrest in a sweeping insider-trading investigation targeting hedge funds and others. One male suspect was arrested November 24 at his Somerset, New Jersey, home and charged with conspiracy to commit securities fraud and conspiracy to commit wire fraud. According to prosecutors, while at Primary Global Research, the suspect provided confidential tips about Atheros Communications, Broadcom Corp., and Sierra Wireless Inc. to a hedge fund manager. The suspect’s arrest provides the first concrete link between the current insider-trading investigation, which has seen three hedge funds raided and dozens of others served with subpoenas, and the Galleon Group insider-trading case. The former hedge fund manager, who ran Spherix Capital, is a cooperating witness in the Galleon case. Source: http://www.finalternatives.com/node/14698

18. November 29, LoanSafe.org – (Virginia) Virginia woman indicted in multi-million dollar mortgage elimination scam. On November 29, a federal grand jury indicted a 51-year-old Manassas, Virginia woman for her alleged involvement in a “mortgage elimination” scheme that caused more than $10 million in losses. The U.S. Attorney for the Eastern District of Virginia, and the Assistant Director in Charge of the FBI’s Washington D.C. Field Office, made the announcement November 29. The indictment alleged the woman defrauded more than 150 homeowners of $10 million. It noted that from 2004 through 2008, the suspect is accused of marketing a scheme known as a “Mortgage Elimination Program.” The suspect allegedly falsely represented to potential homeowner clients that lenders were acting illegally with regard to refinanced mortgages, and that she could obtain a discharge of newly refinanced loans because of the lenders’ illegal actions. The suspect allegedly proposed that she, acting through her businesses, would represent homeowner clients and challenge the lenders for their purportedly illegal actions, and any monetary settlements obtained from successful challenges against the lenders would be applied against the balances due on the refinanced mortgages, thereby eliminating the mortgages. Source: http://www.loansafe.org/virginia-woman-indicted-in-multi-million-dollar-mortgage-elimination-scam

19. November 27, Greek Reporter – (National) Greek American Pihakis busted by feds for $5.8 million. An 80-year-old Greek-American living in Pensacola Beach, Florida, has been charged by federal authorities in Arizona with stealing $5.8 million in a financial scheme. He is also charged with conspiracy to commit wire fraud for his part in a scam that allowed him to receive $2.5 million. He asked his victims to invest in the trust and to prove they had $10 million in a bank account in order to receive investments in their projects. If they could not prove they had that much money, the investors were told they could pay a 4 percent fee instead. This money was used to purchase a “proof of funds” instrument from a bank; the trust was supposed to agree to provide funding for the investors’ projects. To convince potential investors of his credibility, the suspect often showed them bank statements from various banks showing hundreds of millions of dollars in accounts. It was not until September that an FBI agent in Africa took a copy of one bank statement to Barclay’s Bank of Ghana. The bank statement showed $677 million in the account that the suspect used to lure investors. Investors complained that they did not see any money for years. When the suspect was pressed by investors to make good on the investments, he would tell them that the money was tied up in a fund for a Thailand tsunami relief project, or that they needed more investors before he could begin paying. Source: http://usa.greekreporter.com/2010/11/27/greek-american-pihakis-busted-by-feds-for-5-8-million/

20. November 27, Crystal Lake Northwest Herald – (Illinois) Huntley armed robbery suspect caught; LITH incident probed. A 29-year-old Huntley, Illinois, man is in police custody after he allegedly robbed a Harris Bank November 27. At about 11 a.m., police said the suspect entered the bank at 12920 Route 47 in Huntley. He approached the teller while carrying a shotgun and demanded money. After receiving an undisclosed amount of cash, he fled in a white Ford Tempo, according to a news release. A description of the suspect and his vehicle was given to Huntley police officers. They located the suspect driving the Tempo near Route 47 and Powers Road. Officers attempted to stop him, but he continued to flee. The pursuit continued onto Route 31 in Elgin with the assistance of the Elgin Police Department. The suspect then damaged his vehicle by driving over a curb. The vehicle came to a rest at the bottom of a grassy hill, where the suspect exited and attempted to flee on foot. Officers apprehended him and took him into custody. A Huntley Police spokesman said the suspect was transferred November 27 from the Huntley Police Department to FBI headquarters in Chicago, where he awaits charges. Source: http://www.nwherald.com/2010/11/27/huntley-armed-robbery-suspect-caught-lith-incident-probed/ad0vlv/

Information Technology

48. November 29, Help Net Security – (International) Fake Facebook ‘photo comment’ e-mail leads to malware. As Facebook has announced its new messaging system and its deployment in the coming months, online scammers have been trying to use that announcement against unsuspecting Facebook users who may have heard about it and believe that changes will be made in the way the social network contacts and notifies its users. McAfee warns about the latest of these scams, a fake “Your friend commented on your photo” e-mail. The e-mail comes from a Gmail address, a fact that should tell recipients the e-mail is not legitimate. And if they hover their mouse over the embedded link, they will also notice that the real link has nothing to do with Facebook. A click on it redirects the user to a malicious page serving malware. Source: http://www.net-security.org/malware_news.php?id=1549

49. November 29, The Register – (International) Feds seize 70 ‘filesharing, dodgy goods’ sites. The U.S. government has seized 70 sites allegedly offering counterfeit goods or links to copyright-infringing material. Among the domains seized was a BitTorrent meta-search engine Torrent-Finder.com, along with other music linking sites. Other sites on the hitlist allegedly sold fake designer clothes. Surfers visiting the seized sites were confronted by a notice from Immigration and Customs Enforcement (ICE), instead of the expected content. ICE told the New York Times the seizures were part of an “ongoing investigation” but declined to elaborate, beyond saying court-issued seizure warrants were involved. The seizures happened as a new bill addressing this issue, the Combating Online Infringements and Counterfeits Act, has been introduced in Congress. Source: http://www.theregister.co.uk/2010/11/29/ice_piracy_domain_seizures/

50. November 29, The Register – (International) Lone hacker theory in Wikileaks DDoS attack. A denial of service attack against WikiLeaks that brought the whistleblower site to its knees November 28 in the run-up to its publication of classified State Department documents may turn out to be the work of a lone hacker. The attack, which rendered the site inaccessible for several hours, might be blamed on an application-level assault targeting a vulnerability in WikiLeaks’ Apache Web server, according to Internet reports. A hacker called The Jester has previously used the XerXeS attack tool to attack jihadist sites. Now, if the rumors are true, this tool was turned against WikiLeaks, making the site unavailable at a critical time. “We are currently under a mass distributed denial of service attack,” WikiLeaks said November 28 via updates to its Twitter feed. “El Pais, Le Monde, Spiegel, Guardian & NYT will publish many U.S. embassy cables tonight, even if WikiLeaks goes down,” it added. Rather than a purely conventional packet flood, it seems probable the site was also hit by the XerXeS tool. The Jester claimed responsibility for an attack on WikiLeaks via a Twitter update November 28. Source: http://www.theregister.co.uk/2010/11/29/wikileaks_ddos/

51. November 29, New New Internet – (National) Cocky hacker defaces Navy Memorial site, ridicules admin. A hacker broke into the U.S. Navy Memorial Web site and left a message for the administrator, mocking him for the inadequate security and offering his assistance, Softpedia reported. Operated by the U.S. Navy Memorial Foundation, the site provides visitors information about the memorial, as well as news, annual reports, and other services. The breach was detected by a senior threat researcher at GFI Software, who wrote on the company blog that the hacker had left his message in a .txt file inside a directory on the server. However, because the folder was accessible to search engine crawlers, the message got indexed and became available on Google. The hacker offered to help and left his contact information, something overly confident hackers sometimes do, according to Softpedia. Source: http://www.thenewnewinternet.com/2010/11/29/hackers-defaces-us-navy-memorial-site-ridicules-admin/

52. November 28, IDG News Service – (International) Leaked U.S. document links China to Google attack. The cache of more than 250,000 U.S. Department of State cables that WikiLeaks began releasing November 28 includes a document linking China’s Politburo to the December 2009 hack of Google’s computer systems. The U.S. Embassy in Beijing was told by an unidentified Chinese contact that China’s Politburo “directed the intrusion into Google’s computer systems,” the New York Times reported November 28, citing a single leaked State Department cable. “The Google hacking was part of a coordinated campaign of computer sabotage carried out by government operatives, private security experts, and Internet outlaws recruited by the Chinese government. They have broken into American government computers and those of Western allies, the Dalai Lama and American businesses since 2002, cables said,” the Times reported. The cable is another piece of evidence, albeit thinly sourced, linking China to the Google attack. Security experts have linked the attacks to servers at a university used by the Chinese military, and both Google and the State Department implied that they thought China was behind the attacks when they were first disclosed in January 2010, but nobody has produced conclusive proof that they were state-sponsored. Source: http://www.computerworld.com/s/article/9198198/Leaked_U.S._document_links_China_to_Google_attack

53. November 27, Computerworld – (International) ‘Nightmare’ kernel bug lets attackers evade Windows UAC security. Microsoft is investigating reports of an unpatched vulnerability in the Windows kernel that could be used by attackers to sidestep an important operating system security measure. One security firm dubbed the bug a potential “nightmare,” but Microsoft downplayed the threat by reminding users that hackers would need a second exploit to launch remote attacks. The exploit was disclosed November 24 — the same day proof-of-concept code went public — and lets attackers bypass the User Account Control (UAC) feature in Windows Vista and Windows 7. UAC, which was frequently panned when Vista debuted in 2007, displays prompts that users must read and react to. It was designed to make silent malware installation impossible, or at least more difficult. The bug is in the “win32k.sys” file, a part of the kernel, and exists in all versions of Windows, including XP, Vista, Server 2003, Windows 7, and Server 2008, a Sophos researcher said in a November 25 blog post. Several security companies, including Sophos and Vupen, have confirmed the vulnerability and reported that the publicly-released attack code works on systems running Vista, Windows 7, and Server 2008. Source: http://www.computerworld.com/s/article/9198158/_Nightmare_kernel_bug_lets_attackers_evade_Windows_UAC_security

54. November 25, TrendLabs Malware Blog – (International) ZeuS-SpyEye merger in progress? In late October 2010, it was reported the “rivalry” between the ZeuS and SpyEye malware families was ending with a merger of the two families. It was reported ZeuS author Slavik or Monstr had gone underground and had given his toolkit’s source code to SpyEye author Gribodemon or Harderman. This has prompted a lot of speculation about what will come next. Many researchers are waiting for a new malware family that will combine the features of SpyEye and ZeuS. For now, SpyEye and ZeuS remain separate malware families. Whether the merger goes through or not, however, SpyEye is still growing as a threat. According to new data, the number of SpyEye infections has grown as much as twentyfold since July 2010. Since news of this “merger” first came out, many security analysts rushed to gather intelligence on SpyEye. In anticipation, Gribodemon went through many underground forums and deleted his posts to cover up what he was doing. Trend Micro and the rest of the security industry are ready to respond. One of the more public signs of this is that the ZeuS Tracker administrator has opened the SpyEye Tracker to track SpyEye. This will aid law enforcement agencies and security companies in investigating and taking down SpyEye command-and-control (C&C) servers. Source: http://blog.trendmicro.com/zeus-spyeye-merger-in-progress/

Communications Sector

55. November 29, msnbc.com – (National) Comcast Internet outage hits eastern U.S. A failure of Comcast’s Internet services hit a wide swath of the Eastern United States November 28, and the company said the issue was a problem with its DNS servers. Comcast told the Baltimore Sun that service was restored late November 28. A spokesman told the Sun that extra staff were brought in to fix the problem. Earlier, another Comcast spokesman told NBC News: “All other services are working properly. ... We certainly apologize for any inconvenience this may be causing our customers.” It was not clear how widespread the failure was. A technician who answered Comcast’s customer service line told NBC News that there were significant Internet outages in Connecticut, Maryland, Virginia, Massachusetts, New York, and New Hampshire. The “focus” of the outages was in the Boston and Washington D.C. areas. Television and telephone service from Comcast was unaffected. Source: http://www.msnbc.msn.com/id/40410491/ns/technology_and_science-tech_and_gadgets/

56. November 29, InformationWeek – (National) FBI warns of mobile cyber threats. People should be wary of criminal efforts targeting their cell phones, the FBI is warning. The agency’s Internet Crime Complaint Center (IC3) said that creative criminals will be using scams called “smishing” or “vishing” to steal people’s personal information, such as bank account numbers, personal identification number (PIN) codes, or credit card numbers. Smishing is a combination of SMS texting and the common online practice of phishing, which uses e-mails to direct people to Web sites where they are asked to give up personal information. In a smishing scam, people receive a text message on their phone telling them there is a problem with their bank account. The message will contain a phone number to call or a Web site to log into. To pull off these crimes, people set up an automated dialing system to text or call mobile phone subscribers in a particular region or area code. They also steal phone numbers from banks and credit companies and target people on these lists, according to the FBI. If a person follows through and follows directions, it is likely there is a criminal on the other end stealing personal information. Vishing is similar to smishing except instead of an SMS, a person will receive a voicemail giving them the same information. People who fall victim to mobile device scams could be in danger even if they stop short of giving up the information requested, the FBI warned. If they only log onto the fake Web site via their mobile device, they could end up downloading malicious software giving criminals access to anything on their phone, the agency said. Source: http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=228400096&cid=RSSfeed_IWK_All

57. November 26, KGO 7 San Francisco – (California) AT&T blames vandals for outages. AT&T is confirming reports of vandalism at several East and South Bay, California locations that cut off service to some customers November 25-26. A spokesperson said lines were cut in 15 locations causing a loss of both phone and Internet service to customers in Walnut Creek, Orinda, and Morgan Hill. The outages began November 25. AT&T crews worked through the night to repair those lines and expected all customers to be back up and running by November 26. They would not say how many customers were affected. Source: http://abclocal.go.com/kgo/story?section=news/local/east_bay&id=7811914

Monday, November 29, 2010

Complete DHS Daily Report for November 29, 2010

Daily Report

Top Stories

• A package containing “GE 68,” a radioactive material, has disappeared in transit, according to WGN-TV 9 Chicago. The package was shipped by FedEx from Fargo, North Dakota, to Knoxville, Tennessee. When the package was opened, the GE 68 was missing. The Nuclear Regulatory Commission has notified public safety agencies. (See item 13)

13. November 26, WGN-TV 9 Chicago – (National) Fedex package with radioactive material missing. A package containing radioactive material has disappeared in transit. The package, containing material known as “GE 68,” was shipped by FedEx from Fargo, North Dakota, to Knoxville, Tennessee. But when it was opened, the GE 68 was missing. A spokesperson from Federal Express told WGN that there should not be any threat to public safety as long as the package is not tampered with. The Nuclear Regulatory Commission (NRC) has notified public safety agencies. Among the agencies notified of the incident by the NRC are the CDC, the FBI, the EPA, and the Department of Homeland Security. Source: http://www.wgntv.com/news/wgntv-fedex-radioactive-package-nov25,0,3949749.story

• According to a report by the Associated Press, the Saginaw Water Treatment Plant in Michigan discharged 10 million gallons of untreated or partially treated sewage into the Saginaw River between November 22 and 23. The release happened after a 1.75-inch rainfall that caused 4 retention basins to overflow. (See item 18)

18. November 26, Associated Press – (Michigan) 10M gallons of sewage released into Saginaw River. Facility officials say the Saginaw Water Treatment Plant has discharged 10 million gallons of untreated or partially treated sewage into the Saginaw River. Officials tell the Saginaw News the release happened between the night of November 22 and the morning of November 23 following a 1.75-inch rainfall that caused four retention basins to overflow. Water treatment officials at the mid-Michigan plant say they pretreated the sewage with hypochloride. They also allowed solids to settle before discharging overflow. Officials tested for E. coli at two points along the river. Results are pending. Source: http://www.chicagotribune.com/news/chi-ap-mi-sewagedischarge-s,0,6154850.story

Details

Banking and Finance Sector

8. November 26, Associated Press – (Massachusetts) Boston man sentenced in mortgage fraud scheme. A Boston man has received a jail sentence and been ordered to pay $100,000 restitution for his role in a mortgage fraud scheme. Prosecutors say the 39-year-old mortgage broker was sentenced this week to a year in jail, with all but one month suspended for a probationary period of three years. He pleaded guilty to charges including multiple larceny counts. The attorney general’s office says the man was one of six people involved in the scheme, in which investors interested in buying multifamily homes in the Boston area were lured in with inflated appraisals of 26 distressed properties. The buyers were then left with properties not worth the loans obtained to purchase them. The convicted man’s lawyer did not immediately respond to a call for comment on November 26. Source: http://abcnews.go.com/Business/wireStory?id=12249356

9. November 25, Department of Justice – (Ohio) Ohio woman charged in identity theft and fraudulent credit card scheme. A grand jury returned a two-count indictment charging a 35-year-old woman from Macedonia, Ohio, with aggravated identity theft and fraud in relation to the use of access devices, the United States Attorney for the Northern District of Ohio announced November 25. The indictment alleges that the suspect used the personal identifiers of 14 real people, including their Social Security numbers and dates of birth, to open 14 credit card accounts with Capital One. The indictment also alleges that the suspect then used those fraudulent credit cards to obtain things of value totaling more than $1,000. Source: http://7thspace.com/headlines/364958/ohio_woman_charged_in_identity_theft_and_fraudulent_credit_card_scheme.html

10. November 24, Bank Info Security – (National) ATM outage stirs debate. Several financial institutions saw their ATM and online banking channels taken offline over the weekend of the daylight saving time change. The institutions allegedly affected by the outage, including Bank of America, Chase, U.S. Bank, Wells Fargo, Compass, USAA, Suntrust, Chase, Fairwinds Credit Union, American Express, BB&T on the East Coast, and PNC, reportedly blamed the downtime on a computer glitch related to the time-zone change. But a senior analyst at Aite Group LLC who covers banking and payments fraud says more is likely going on behind the scenes. In fact, she says the outage could have been related to anything from a widespread malware attack to outdated technical infrastructures. “Infrastructure is certainly a problem with banks,” the analyst says. “They acknowledge it.” And given the proprietary nature of most banking institutions’ code, she says it is unlikely that a bug related to the time-zone change would simultaneously hit all of these institutions, or at least within the same relative timeframe. “That just doesn’t seem like a plausible reason for me,” she says. “I think malware is probably the most likely culprit, or some sort of coordinated attack.” Source: http://www.bankinfosecurity.com/articles.php?art_id=3127

Information Technology

30. November 26, The Register – (International) Secunia recovers from DNS redirection hack. Security notification firm Secunia has confirmed that a DNS redirection hack was to blame for the redirection of surfers to a hacker site on November 25. Secunia’s authoritative DNS hosting was redirected for 70 minutes. But because of the way DNS caching works, many surfers were still redirected to a defacement site hours after the Danish firm’s definitive records were straightened out. The attack resulted in a temporary redirection of traffic from all customers of registrar DirectNIC, not just Secunia. The hack was carried out by serial defacer TurkGuvenligi, who has used site-redirection techniques in previous attacks and seems to be motivated by bragging rights or pure mischief rather than anything more malign. In a statement, Secunia was keen to stress that the redirection had no impact on any customer data it held from users of its patch management tools. Source: http://www.theregister.co.uk/2010/11/26/secunia_back_from_dns_hack/

31. November 25, The Register – (International) ZeuS variant only infects super-fast PCs. Miscreants behind one variant of the ZeuS Trojan have outfoxed themselves in their attempts to outwit anti-virus analysts by releasing a variant of the malware that only infects high-performance PCs. Security firms use automation and virtualization technologies to cope with the growing volume of malware spewed out by cybercrooks every day. VXers are well aware of this and use virtual machine detection and anti-debugging code in their creations. The tactic is designed to frustrate security researchers and in so doing increase the time it takes to detect, develop, and distribute anti-virus updates. Users of the ZeuS crimeware toolkit are very much involved in this cat-and-mouse game between security researchers and cybercriminals. But one particular group using the crimeware toolkit released a variant whose anti-debugging efforts are so aggressive it effectively assumes any machine whose CPU is running at lower than 2GHz must be running a debugger. As a result the malware only runs its malicious routines on high-performance machines, remaining inert on lower-horsepower boxes. A security analyst at F-Secure explains: “With a CPU below 2GHz the sample acts as if it is being debugged, aborts execution and does not infect the system. I tested the sample on an IBM T42 (1.86 GHz) notebook and the system was slow enough to avoid being infected.” Source: http://www.theregister.co.uk/2010/11/25/snobby_zeus_variant_avoids_bog_standard_pcs/

32. November 24, Softpedia – (International) Recent Cutwail spam employs complex text obfuscation techniques. Security researchers from Symantec warn that a new rogue pharmacy spam run uses HTML and CSS techniques to obfuscate text advertisements and avoid detection. Pharma spam has been steadily making a comeback since Spamit, the world’s largest rogue pharmacy affiliate program, closed up shop at the beginning of October. A lot of campaigns seen recently advertise a rogue pharmacy called “Canadian Health&Care Mall” and are being sent by the Cutwail botnet. The latest spam involves e-mails formatted in HTML, which use CSS floating and color declarations to deobfuscate what looks like random text and show only the relevant parts to recipients. The resulting message reads: “Everyone has heard about lower-cost drugs from abroad drugstore. The difficulty is to find the reliable one. «CanadianPharmacy» is an experienced, trusted and fully-licensed Canadian online drugstore.” In addition to using text obfuscation to evade anti-spam filters, the spammers also try to trick URL blocking systems by linking to a Google cached version of the spam site. The resulting link points to a location on the domain googleusercontent.com, which is possibly whitelisted, instead of a rogue one. Source: http://news.softpedia.com/news/Recent-Cutwail-Spam-Employs-Complex-HTML-Obfuscation-Techniques-168434.shtml
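The defensive counterpart to the trick described in item 32 is to filter on what the recipient actually sees rather than on the raw HTML source. The script below is an added illustration written for this digest; it is not code from Symantec, Softpedia or any anti-spam vendor. It walks an HTML message with the standard-library parser, tracks inherited foreground and background colours through inline style attributes, and drops any text hidden by display:none, visibility:hidden, a zero font size, or a text colour equal to the background colour, so that the interleaved junk tokens disappear and the pitch the user sees is what a content rule matches. It also collects every href, visible or not, so a URL check can inspect the final target host (the cache-domain evasion in the article is exactly why the link, not just the text, needs looking at). The sample e-mail, the function names and the colour table are constructed for the example; stylesheet rules inside `<style>` blocks and CSS float reordering are deliberately not modelled.

```python
"""Recover the text a recipient would see in an HTML e-mail and list its links.

Added example (not vendor code). Handles inline-style hiding only; <style>
sheets and float-based reordering are out of scope.
"""
import re
from html.parser import HTMLParser

# Inline declarations that make text invisible regardless of colour.
HIDE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:font-size|opacity)\s*:\s*0(?:px|pt|em|%)?(?![\d.])",
    re.I,
)
# 'color:' but not the 'color' inside 'background-color:'.
COLOR_RE = re.compile(r"(?<![\w-])color\s*:\s*([^;]+)", re.I)
BG_RE = re.compile(r"background(?:-color)?\s*:\s*([^;]+)", re.I)

NAMED = {"white": "#ffffff", "black": "#000000"}   # constructed, minimal table
VOID = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "wbr"}
BLOCK = {"p", "div", "li", "tr", "table", "h1", "h2", "h3", "h4", "h5", "h6"}


def normalize_color(value):
    """Map common colour spellings to #rrggbb so 'white', '#fff' and
    'rgb(255,255,255)' compare equal; 'transparent' returns None (inherit)."""
    v = value.replace("!important", "").strip().lower()
    if v == "transparent":
        return None
    if v in NAMED:
        return NAMED[v]
    m = re.fullmatch(r"#([0-9a-f]{3})", v)
    if m:
        return "#" + "".join(c * 2 for c in m.group(1))
    m = re.fullmatch(r"rgb\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)", v)
    if m:
        return "#%02x%02x%02x" % tuple(int(x) for x in m.groups())
    return v


class VisibleTextExtractor(HTMLParser):
    """Walk the element tree with a stack of (tag, hidden, fg, bg) frames."""

    def __init__(self):
        super().__init__()
        self.stack, self.parts, self.links = [], [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])    # hidden links still click through
        if tag in VOID:
            if tag == "br":
                self.parts.append("\n")
            return                              # void elements never get a frame
        if tag in BLOCK:
            self.parts.append("\n")             # keep block boundaries as whitespace
        _, hidden, fg, bg = self.stack[-1] if self.stack else (None, False, "#000000", "#ffffff")
        style = attrs.get("style") or ""
        hidden = hidden or tag in ("script", "style", "head") or bool(HIDE_RE.search(style))
        m = COLOR_RE.search(style)
        if m:
            fg = normalize_color(m.group(1)) or fg
        m = BG_RE.search(style)
        if m:
            bg = normalize_color(m.group(1)) or bg
        if fg == bg:                            # text painted in the background colour
            hidden = True
        self.stack.append((tag, hidden, fg, bg))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]              # tolerates unclosed inner tags
                break

    def handle_data(self, data):
        if not (self.stack and self.stack[-1][1]):
            self.parts.append(data)


def _parse(html):
    p = VisibleTextExtractor()
    p.feed(html)
    p.close()
    return p


def visible_text(html):
    """Rendered text with whitespace collapsed, suitable for a content rule."""
    return " ".join("".join(_parse(html).parts).split())


def extract_links(html):
    """Every href in the message, visible or not, for URL reputation checks."""
    return _parse(html).links


# Constructed sample in the style the article describes: junk tokens interleaved
# with the pitch, hidden by colour, font size and display rules.
SAMPLE_EMAIL = """<html><body style="background-color:#ffffff">
<p>Every<span style="color:#fff">xq7</span>one has
<span style="display:none">zzkw</span>heard about
<span style="font-size:0">vrt</span>low-cost
<span style="color:white;background-color:white">pq</span>drugs.</p>
<div style="visibility:hidden">this whole block is invisible</div>
<p><a href="http://example.invalid/cache">Visit our store</a></p>
</body></html>"""
```

Running `visible_text(SAMPLE_EMAIL)` yields the sentence the recipient reads with the junk removed, which is what a phrase or Bayesian rule should score; feeding the raw source to the same rule would see a different token stream on every message. `extract_links` is kept separate because a link can be hidden from the eye yet still be the click target, so link checks must not be gated on visibility.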

33. November 24, Help Net Security – (International) 34% of all malware ever created appeared in 2010. According to PandaLabs, the number of threats created and distributed in the first ten months of the year accounts for one third of all viruses that exist. This means that 34 percent of all malware ever created has appeared in the last 10 months. The company’s database, which automatically detects, analyzes, and classifies 99.4 percent of the threats received, now holds 134 million separate files, 60 million of which are malware (viruses, worms, Trojans, and other threats). In the year up to October, some 20 million new strains of malware have been created (including new threats and variants of existing families), the same amount as in the whole of 2009. The average number of new threats created every day has risen from 55,000 to 63,000. This would all suggest that the cyber-crime market is currently in rude health, although this is also possibly conditioned by the increasing number of cyber-crooks with limited technical knowledge who are turning their hand to these activities. It also means that although more malicious software is created, its lifespan is shorter: 54 percent of malware samples are active for just 24 hours, as opposed to the lifespan of several months enjoyed by the threats of previous years. They now infect just a few systems and then disappear. Source: http://www.net-security.org/malware_news.php?id=1545

Communications Sector

34. November 25, Charleston Daily Mail – (West Virginia) Metro 911 wants say in outage probe. Kanawha County, West Virginia’s Metro Emergency Operations Center has petitioned to intervene in the state Public Service Commission’s investigation into the way telecommunications providers notify public safety agencies of service outages. The commission opened an investigation following FiberNet’s October 10 statewide service outage. The Kanawha Commission president requested the probe. He has said that no one from FiberNet contacted Metro 911 about either the October 10 statewide outage or a widespread FiberNet outage that occurred on October 25. Metro 911 said it is the largest so-called “Public Safety Answering Point” in the state. In its petition, filed November 23, the agency said it will be a helpful party to the investigation because it is uniquely situated to discuss the needs of a “Public Safety Answering Point” in knowing when the community is experiencing a telephone service outage. Source: http://www.dailymail.com/Business/GeorgeHohmann/201011241231

35. November 25, Prescott Daily Courier – (Arizona) Suspect arrested on charges of wire theft. Prescott police recently arrested a man on charges including burglary after he sold copper wire to Yavapai Metal Recycling that he allegedly stole from Qwest. Officers booked the man into the Yavapai County Jail in Camp Verde on charges of burglary and trafficking in stolen property. On October 28, Qwest told police that he misrepresented himself by telling the company that he was subcontracting a work project with Qwest. He allegedly stole about 400 pounds of copper wire from Qwest’s yard at 1445 Masonry Way, Prescott, said a spokesman for the Prescott Police Department. Shortly after the suspect left with the wire, Yavapai Metal Recycling called Qwest to tell them that he sold them copper wire that appeared new and still had Qwest tags. A Qwest representative verified the copper wire as from the Prescott yard and said it was not targeted for recycling. When detectives found the suspect, he allegedly told them he had worked in the telecommunications repair field for 10 years and knew the lingo so he was able to convince Qwest he was authorized to take the copper wire. He also told detectives he stole copper wire from the Qwest yard when no employees were around. Source: http://www.dcourier.com/main.asp?SectionID=1&SubSectionID=1&ArticleID=87847

Friday, November 26, 2010

Complete DHS Daily Report for November 26, 2010

Daily Report

Top Stories

• According to the Associated Press, a woman charged with making threats that caused 300 Broward County, Florida schools to be locked down was arrested November 23, federal authorities said. (See item 43)

43. November 23, Associated Press – (Florida) Fla. woman accused in school threats arrested. A woman charged with making threats that caused 300 Florida schools to be locked down and a congressman-elect’s top aide to step down was arrested November 23, federal authorities said. FBI agents apprehended the 48-year-old suspect of New Port Richey, Florida, near Los Angeles, the U.S. Attorney’s Office in Miami said. She is accused of sending an e-mail on November 10 to a WFTL 850 AM conservative talk show host, who was tapped to be a U.S. Representative-elect’s chief of staff. The suspect called the Pompano Beach station later that morning and claimed that her husband was going to go to a school in Pembroke Pines and start shooting, according to federal authorities who said they traced the call. Authorities responded by placing all 300 Broward County schools in lockdown for several hours. The talk show host has been on South Florida radio for nearly 20 years. She stepped down as chief of staff a day after the lockdown, saying she wanted to avoid any repercussions against the U.S. Representative. Source: http://www.bloomberg.com/news/2010-11-24/fla-woman-accused-in-school-threats-arrested.html

• According to BBC News, one fifth of Facebook users are exposed to malware contained in their news feeds, claim researchers at security firm BitDefender.

See item 49 below in the Information Technology sector.

Details

Banking and Finance Sector

19. November 24, Krebs on Security – (International) Crooks rock audio-based ATM skimmers. Criminals increasingly are cannibalizing parts from handheld audio players and cheap spy cams to make extremely stealthy and effective ATM skimmers, devices designed to be attached to cash machines and siphon card + PIN data, a new report warns. The European ATM Security Team (EAST) found that 11 of the 16 European nations covered in the report experienced increases in skimming attacks last year. EAST noted that in at least one country, anti-skimming devices have been stolen and converted into skimmers, complete with micro cameras used to steal PINs. EAST said it also discovered that a new type of analog skimming device — using audio technology — has been reported by five countries, two of them “major ATM deployers” (defined as having more than 40,000 ATMs). Source: http://krebsonsecurity.com/2010/11/crooks-rock-audio-based-atm-skimmers/

20. November 24, Krebs on Security – (Missouri) Escrow Co. sues bank over $440K cyber theft. An escrow firm in Missouri is suing its bank to recover $440,000 that organized cyber thieves stole in an online robbery earlier this year, claiming the bank’s reliance on passwords to secure high-dollar transactions failed to measure up to federal e-banking security guidelines. The attack against Springfield, Missouri based title insurance provider Choice Escrow and Land Title LLC began late in the afternoon on St. Patrick’s Day, when hackers who had stolen the firm’s online banking ID and password used the information to make a single unauthorized wire transfer for $440,000 to a corporate bank account in Cyprus. The following day, when Choice Escrow received a notice about the transfer from its financial institution — Tupelo, Mississippi based BancorpSouth Inc. — it contacted the bank to dispute the transfer. But by the close of business on March 18, the bank was distancing itself from the incident and its customer, said the director of business development for Choice Escrow. “What they really were doing is contacting their legal department and figuring out what they were going to say to us. It took them until 5 p.m. to call us back, and they basically said, ‘Sorry, we can’t help you. This is your responsibility.’” A spokesman for BancorpSouth declined to discuss the bank’s security measures or the specifics of this case, saying the institution does not comment on ongoing litigation. Source: http://krebsonsecurity.com/2010/11/escrow-co-sues-bank-over-440k-cyber-theft/

21. November 24, Tallahassee Democrat – (Florida) Capital Circle NE remains closed after bomb threat. Capital Circle Northeast in Tallahassee, Florida, remained closed in both directions between Raymond Diehl and Lonnbladh roads on November 24 as police officers and bomb squad technicians investigate a bomb threat made by a bank robber. A 56-year-old man entered Premier Bank, 3110 Capital Circle NE, said that he had a bomb and demanded money from a teller, said a spokesman for Tallahassee Police Department (TPD). There were customers in the bank at the time of the robbery, but no injuries have been reported. Capital Circle should be reopened within an hour, the spokesman said. Police officers arrived before the man could exit the bank, and he was taken into custody without incident. The man then claimed the bomb threat was merely a bluff, but law-enforcement officials are required to take the threat seriously. The Big Bend Regional Bomb Squad, comprised of officials from TPD, the Tallahassee Fire Department, Florida Capital Police, and other local law-enforcement agencies, deployed a robot to the bank earlier in the morning. Investigators also examined a secondary search site, the parking lot of Gold’s Gym, 2695 Capital Circle NE, where they think the man may have parked his car. Source: http://www.tallahassee.com/article/20101124/BREAKINGNEWS/101124004/Updated--Capital-Circle-NE-remains-closed-after-bomb-threat

Information Technology

48. November 24, Help Net Security – (International) Kids lured to scam site by promises of parental control bypassing. The latest scam to hit Facebook users is one that supposedly offers a completely free proxy service for those who want to bypass parental controls and the blocks set up by schools and workplaces that prevent users from accessing certain sites such as Facebook. The campaign specifically targets kids, luring them into trying out the service located at hxxp://myfatherisonline.com to access Facebook in school. Sunbelt researchers have poked around the site and discovered a veritable trove of scamming attempts. Victims are faced with an affiliate site containing malware, surveys, quizzes, and offers for free iPhones that try to get them to subscribe to a premium rate service or sign up for spam. Source: http://www.net-security.org/malware_news.php?id=1546

49. November 24, BBC News – (International) Facebook news feeds beset with malware. One fifth of Facebook users are exposed to malware contained in their news feeds, claim security researchers. Security firm BitDefender said it had detected infections contained in the news feeds of around 20 percent of Facebook users. Facebook said it already had steps in place to identify and remove malware-containing links. BitDefender arrived at its figures by analyzing data from 14,000 Facebook users that had installed a security app, called safego, it makes for the social network site. In the month since safego launched, it has analyzed 17 million Facebook posts, said BitDefender. The majority of infections were associated with apps written by independent developers, which promised enticements and rewards to trick users into installing the malware. These apps would then either install malware used for spying on users or to send messages containing adverts to the users’ contacts. Facebook said it had processes and checks in place to guard against the risk of malware. “Once we detect a phony message, we delete all instances of that message across the site,” the site said in a statement. Source: http://www.bbc.co.uk/news/technology-11827856

50. November 24, PCWorld – (International) Android browser flaw exposes user data. A vulnerability in the Android browser could permit an attacker to steal the user’s local data, according to a report November 23 from a security expert. Specifically, a malicious Web site could use the flaw to access the contents of files stored on the device’s SD card as well as “a limited range of other data and files stored on the phone,” the expert explained. In essence, the problem arises because the Android browser does not prompt the user when downloading a file. “This is a simple exploit involving JavaScript and redirects, meaning it should also work on multiple handsets and multiple Android versions without any effort,” he noted. The Android Security Team responded within 20 minutes of the expert’s notification about the flaw and is planning a fix that will go into a Gingerbread maintenance release after that version becomes available, he said. An initial patch has already been developed and is now being evaluated. In the meantime, the security expert suggests a few steps users can take to protect themselves, including disabling JavaScript in the browser. Source: http://www.pcworld.com/businesscenter/article/211623/android_browser_flaw_exposes_user_data.html

51. November 24, Help Net Security – (International) Korean cross-border attacks exploited to spread malware. The recent cross-border shellings between North and South Korea have left many people wondering what has been going on and what triggered the attacks, and scareware and malware pushers have been very prompt at poisoning related search results. Search combinations such as “north korea bombs/attacks south korea”, “kim jong il”, “korean war”, “world war 3”, “yeonpyeong island” and “korean news” have been producing results that take users to pages showing bogus warnings of infection on their computers and offering rogue antivirus downloads, to pages that attempt to hijack the browser through JavaScript, or to pages that offer Trojans disguised as codecs and as bogus updates for Mozilla’s Firefox. The Tech Herald reports that all of the offending compromised domains run open source CMS software that was not updated and was consequently vulnerable to attack. It also noted that topics related to Black Friday, Dancing with the Stars, and others have been targeted by the same black hat SEO campaign. Source: http://www.net-security.org/malware_news.php?id=1544

52. November 23, Network World – (International) HTTPS Everywhere gets Firefox “Firesheep” protection. The Electronic Frontier Foundation (EFF) said November 23 that it rolled out a version of HTTPS Everywhere that offers protection against “Firesheep” and other tools that exploit the same weakness. Firesheep sniffs the unencrypted session cookies that visitors to Web sites such as Facebook and Twitter send across open WiFi networks, and lets its user take over those visitors’ logged-in sessions. EFF says the new version of HTTPS Everywhere (0.9.x) is a direct response to the concerns Firesheep raised: a session on a social networking site or Web mail system, for example, can be hijacked if the browser’s connection to the Web application either does not use cryptography or does not use it thoroughly enough. EFF says HTTPS Everywhere now carries rules covering sites such as Bit.ly, Cisco, Dropbox, Evernote, and GitHub. Source: http://www.networkworld.com/community/node/68828
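Both halves of the problem described above, as an added example that is not EFF’s extension code and does not use its real ruleset: rewrite_to_https() applies rules in the shape HTTPS Everywhere uses (a regex “from”, a “to” template, optional exclusions) to force HTTPS for a few of the sites the item names, while the cookie functions show the server-side cause, namely a session cookie issued without the Secure attribute, which the browser also attaches to plain-HTTP requests to that host and which is therefore exactly what a sniffer on open WiFi captures. The rules, cookie headers and session-name hints are constructed for illustration.

```python
"""HTTPS-Everywhere-style URL rewriting and a Set-Cookie audit (added example).

Not EFF's code and not its ruleset; RULES is constructed in the same shape
(regex 'from', 'to' template, exclusions) for illustration only.
"""
import re

RULES = [
    # (from_pattern, to_template, exclusion_patterns)
    (r"^http://(www\.)?github\.com/", "https://github.com/", []),
    (r"^http://(www\.)?dropbox\.com/", "https://www.dropbox.com/",
     [r"^http://(www\.)?dropbox\.com/static/"]),
    (r"^http://bit\.ly/", "https://bit.ly/", []),
]

# Substrings that suggest a cookie carries a login session (assumed heuristic).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def rewrite_to_https(url: str, rules=RULES) -> str:
    """Apply the first matching rule; excluded URLs and unknown hosts pass through."""
    for pattern, target, exclusions in rules:
        if any(re.search(x, url) for x in exclusions):
            continue
        new_url, n = re.subn(pattern, target, url, count=1)
        if n:
            return new_url
    return url


def parse_set_cookie(header: str):
    """Split one Set-Cookie value into (name, value, {attribute: value_or_True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> list:
    """Findings for a Set-Cookie header; an empty list means nothing to flag."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if any(h in name.lower() for h in SESSION_HINTS):
        if "secure" not in attrs:
            findings.append(f"{name}: session cookie lacks Secure; the browser "
                            "also sends it over plain HTTP where it can be sniffed")
        if "httponly" not in attrs:
            findings.append(f"{name}: lacks HttpOnly; readable by page script")
    return findings


def cookies_sent(set_cookie_headers, scheme: str) -> list:
    """Cookie names a browser attaches to a request over `scheme` ('http' or
    'https') to the issuing host: Secure cookies travel only over https."""
    sent = []
    for h in set_cookie_headers:
        name, _, attrs = parse_set_cookie(h)
        if scheme == "https" or "secure" not in attrs:
            sent.append(name)
    return sent
```

The two functions are complementary: the rewrite protects a user whose site already serves HTTPS but links to itself over HTTP, whereas only the Secure attribute (and, for the whole site, serving it exclusively over HTTPS) protects a user who does not run the extension, because cookies_sent() shows that a non-Secure session cookie is still put on the wire the moment any plain-HTTP request goes to that host.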

53. November 23, The Register – (International) Network card rootkit offers extra stealth. Security researchers have demonstrated how it might be possible to place backdoor rootkit software on a network card. A reverse engineer at French security firm Sogeti ESEC was able to develop proof-of-concept code after studying the firmware of Broadcom NetExtreme PCI Ethernet cards. He used publicly available documentation and open source tools to develop a firmware debugger. He also reverse-engineered the format of the EEPROM where the firmware code is stored, as well as the bootstrap process of the device. Using the knowledge gained from this process, he was able to develop custom firmware code and flash the device so that his proof-of-concept code ran on the CPU of the network card. The technique opens the possibility of planting a stealthy rootkit that lives within the network card, an approach that gives potential miscreants several advantages over conventional backdoors. Chief among these is that there will be no trace of the rootkit on the operating system, as it is hidden inside the network interface card. Source: http://www.theregister.co.uk/2010/11/23/network_card_rootkit/

Communications Sector

See item 50 above in Information Technology