Tuesday, November 9, 2010

Complete DHS Daily Report for November 9, 2010

Daily Report

Top Stories

• TechWorld reports that weeks after Microsoft added anti-Zeus Trojan detection to its free Malicious Software Removal Tool, it is unable to detect the latest versions of the malware designed to steal banking information, a rival security company has claimed. See item 22 below in the Banking and Finance Sector

• Missing security features designed to prevent terrorism on the new rail line linking Loudoun County, Virginia, to the Washington D.C. region’s Metro system were identified in a triennial audit, according to the Washington Post. (See item 28)

28. November 4, Washington Post – (Virginia) Metro’s Silver Line in need of post-9/11 security upgrade. Missing security features on the new rail line linking Loudoun County, Virginia, to the Washington D.C. region’s Metro system were identified in a triennial audit by the Tri-State Oversight Committee. Released last month, the nearly 300-page report noted dozens of problems at Metro, but it also highlighted the lapse in planning for the new rail line to include the “additional processes, design features, and equipment necessary in a ‘post-9/11’ environment.” The Metropolitan Washington Airports Authority, which oversees Reagan National and Dulles airports, is supervising construction, but Metro will own and operate the line. Rail project officials said they are awaiting word from Metro about what security elements to include. Among those missing features and policies cited in the audit: closed-circuit televisions currently in use at all Metro stations; technology used to detect weapons of mass destruction and outside intruders on rail tracks; and routine threat and vulnerability assessments, which are used by Metro to gauge how likely or imminent an attack is. A full accounting of Metro’s required security features, which are now being updated, is not publicly available because of its highly sensitive content, officials said. But the failure to include Metro’s security construction and technical guidelines in the plan for the Silver Line could have a substantial impact on the project’s ballooning costs. Source: http://www.washingtonpost.com/wp-dyn/content/article/2010/11/04/AR2010110406989.html?hpid=newswell


Banking and Finance Sector

16. November 8, InformationWeek – (National) Financial data at risk in development: A call for data masking. An Informatica sponsored study conducted by the Ponemon Institute surveyed 437 senior IT professionals in the financial services industry whose firms have been engaged in application testing and development in order to better understand if the risk of using real data in development is being addressed. An overlooked privacy risk is the vulnerability of personal and business information used for testing and application development. During the test and development phase of new software, real data — including financial records, transactional records, and other personally identifiable information (PII) — is being used by as many as 80 percent of organizations. Further, test environments are less secure because data is exposed to a variety of unauthorized sources, including in-house testing staff, consultants, partners and offshore development personnel. The study found security decision-making may be motivated more by achieving business objectives than by addressing data security risks. Given the potential for heavy fines and penalties, customer churn, reputation damage, and overall costs associated with a data breach, financial services firms should proceed with great caution before outsourcing to third parties. This should include a vigorous evaluation of prospective partners’ security policies and procedures, and implementation of detailed contractual provisions. Source: http://www.informationweek.com/whitepaper/Risk-Management-Security/Privacy/financial-data-at-risk-in-development-a-call-for-wp1288885160847;jsessionid=GKHQN5E55EBILQE1GHPCKH4ATMY32JVN?cid=iwhome_wp_Risk+

17. November 8, PrisonPlanet.com – (National) ATMs crash across the country after ‘Bank Holiday’ warning. Following rumors of a “bank holiday” that could limit or prevent altogether cash withdrawals later the week of November 8, Twitter and other Internet forums were raging November 7 about numerous ATMs across the United States that crashed early November 7, preventing customers from performing basic transactions. It is unknown whether the crashes were partly a result of a surge of people trying to withdraw money in preparation for any feared bank shutdown, or if mere technical glitches were to blame. The fact that the problem affected numerous different banks in different parts of the United States would seem to indicate the former. The Orange County Register reported that the problems were “part of a national outage” which prevented people from performing simple transactions such as cashing checks and withdrawing money. “Computer issues” were blamed for similar issues in Phoenix, Arizona, while in Birmingham, Alabama, Wells Fargo customers’ online banking accounts and ATMs displayed incorrect balances. The banks primarily affected were Wells Fargo, Chase, and Bank of America, but according to a blogger who studied Twitter feeds and other Internet message boards that were alight with the story, numerous other financial institutions were also affected, including US Bank, Compass, USAA, Sun Trust, Fairwinds Credit Union, American Express, BB&T on the East Coast, and PNC. Source: http://www.prisonplanet.com/atms-crash-across-the-country-after-bank-holiday-warning.html

18. November 8, Associated Press – (Ohio) Ohio State bank robber suspected in another holdup. The FBI said a woman suspected of robbing several banks, including one at Ohio State University, appears to have struck again. A Special Agent said the latest hold-up was at a Charter One Bank branch November 7 inside a Kroger supermarket in Columbus, Ohio. The woman approached the teller counter while appearing to talk on a cell phone. She then told the teller she needed cash and was robbing the bank. The FBI said the teller gave the woman some money though there was no sign of a weapon. The Special Agent said the same woman is suspected in seven other robberies around Columbus since January 2006, including three earlier this year. The last was October 20 at a US Bank branch inside Ohio State’s new student union building. Source: http://www.daytondailynews.com/news/ohio-news/ohio-state-bank-robber-suspected-in-another-holdup-997799.html

19. November 8, KOCO 5 Oklahoma City – (Oklahoma) Police: Robber barricades self in hotel before surrender. A bank robbery suspect in Oklahoma City, Oklahoma was arrested after barricading himself in a hotel room for 2 hours, police said November 8. Surveillance video shows the heist of the bank on North May Avenue. Oklahoma City police said they worked closely with the FBI to track down the suspect. Investigators said they found the suspect hiding in a southwest Oklahoma City hotel November 8. Police said the suspect barricaded himself inside one of the rooms at the hotel near Southwest 8th Street and MacArthur Boulevard. After 2 hours, police said, the suspect surrendered inside the hotel room. Investigators said the robbery was not the suspect’s first crime. In the 1980s, he spent time in a state prison for armed robbery. Police said the suspect also faces time for escaping from prison. Source: http://www.koco.com/r/25669571/detail.html

20. November 6, Birmingham News – (Alabama) Computer glitch hits Wells Fargo customers. Wells Fargo & Co., Birmingham, Alabama’s third-largest bank by deposits, said November 6 that computer problems that afternoon led to some account information not being displayed correctly on the Internet and on automated teller machines. “We had some issues that affected some customers across our operating area,” the spokesman said. The San Francisco-based banking giant operates nationwide. The spokesman said the problems meant the company did not correctly reflect the account balances of some customers. “We are sorry for the inconvenience and are now back up and running at 100 percent,” the spokesman said at 7:30 p.m., November 6. Other banks, including Bank of America, also were affected by a computer glitch November 6, according to a report by the Orange County Register. Source: http://blog.al.com/businessnews/2010/11/computer_glitch_affects_wells.html

21. November 5, Denver Post – (Colorado) Bank robber’s bomb threat bogus. A well-dressed robber left what he claimed was a bomb on the counter of an Edgewater, Colorado bank November 4. The metal box, however, contained nothing dangerous, the Jefferson County bomb squad determined. The robbery happened just before 9:30 a.m. at a TCF Bank at 1709 Sheridan Blvd., when a man in a dress shirt, slacks and a tie entered the bank and took the metal box from his backpack, Edgewater police told 9News. He told a bank teller, “This is a bomb. Touch it, it will go off,” police said. He jumped over a counter, took cash, reminded bank employees the box would explode if they touched it, then left the bank on a purple bicycle, police said. The man was described as black, 25 to 30 years old, about 5 feet, 8 inches tall and about 150 pounds. Witnesses said his black hair contained some gray, and he had “spotty facial hair,” the FBI said. Source: http://www.denverpost.com/news/ci_16528461

22. November 5, TechWorld – (International) Zeus Trojan defeats Microsoft security tool. Only weeks after Microsoft added anti-Zeus Trojan detection to its free Malicious Software Removal Tool (MSRT), it is unable to detect the latest versions, a rival security company has claimed. The analysis by Trusteer is a reminder that ordinary users face a battle to keep state-of-the-art Trojans such as Zeus (or Zbot or Wnspoem), which targets online bank accounts, off their PCs. According to Trusteer, MSRT detected and removed Zeus version 2.0 about 46 percent of the time in its tests, but failed to spot updated versions, which are now circulating. The company also thinks that such Zeus detection is seriously flawed because it relies on the user downloading and running a tool when it might already be too late — Zeus typically steals banking logins soon after infection. Ironically, because MSRT’s effectiveness is still superior to many antivirus products, it might cause criminals to up their game once again, shortening the infection-to-theft period and even attacking MSRT itself. Source: http://www.networkworld.com/news/2010/110510-zeus-trojan-defeats-microsoft-security.html

For another story, see item 53 below in the Information Technology sector

Information Technology

51. November 8, IDG News Service – (International) Zscaler develops free tool to detect Firesheep snooping. A security company has developed a free Firefox add-on that warns when someone on the same network is using Firesheep, a tool that has raised alarm over how it simplifies an attack against a long-known weakness in Internet security. Firesheep, which was unveiled at the ToorCon security conference in San Diego October 2010, collects session information that is stored in a Web browser’s cookie. The session information is easily collected if transmitted back and forth between a user’s computer and an unencrypted Wi-Fi router while a person is logged into a Web service such as Facebook. While most Web sites encrypt the traffic transmitted when logging into a Web site, indicated by the padlock on browsers, many then revert to passing unencrypted information during the rest of the session, a weakness security analysts have warned of for years, particularly for users of public open Wi-Fi networks. Firesheep identifies that unencrypted traffic and allows an interloper to “hijack” the session, or log into a Web site as the victim, with just a few clicks. The style of attack has been possible for a long time, but because of its simple design, Firesheep has given less-sophisticated users a powerful hacking tool. Zscaler’s The Blacksheep add-on, however, will detect when someone on the same network is using Firesheep, allowing its users to make a more informed security decision about their behavior while on an open Wi-Fi network, for example. Source: http://www.computerworld.com/s/article/9195398/Zscaler_develops_free_tool_to_detect_Firesheep_snooping

52. November 8, Computerworld – (International) Danger to IE users climbs as hacker kit adds exploit. An exploit of an unpatched Internet Explorer vulnerability has been added to a popular crimeware kit, a move that will likely push Microsoft to fix the flaw with an emergency update, a security researcher said November 7. Microsoft has warned users of its IE6, IE7, and IE8 browsers that hackers were already exploiting a vulnerability in the programs by tricking them into visiting malicious or compromised Web sites. Once at such sites, users were subjected to “drive-by” attacks that required no action by them to succeed. Symantec was the first to report the IE bug to Microsoft after the antivirus vendor captured spam posing as hotel reservation notifications sent to select individuals within several organizations. On November 7, the chief research officer of AVG Technologies said an exploit for the newest IE flaw had been added to the Eleonore attack kit, one of several readily-available toolkits that criminals plant on hacked Web sites to hijack visiting machines, often using browser-based attacks. Microsoft has promised to patch the vulnerability, but said the threat didn’t warrant an “out-of-band” update, the company’s term for a fix outside the usual monthly Patch Tuesday schedule. Microsoft will deliver three security updates November 9, but will not fix the IE bug then. Microsoft has urged IE users to enable DEP, or data execution prevention, for IE7, use IE8 or IE9, or run one of its automated “Fix-it” tools to add a custom CSS template to their browsers as protection until a patch is available. Source: http://www.computerworld.com/s/article/9195380/Danger_to_IE_users_climbs_as_hacker_kit_adds_exploit

53. November 8, ITWeb – (International) PayPal network problems worsen. PayPal’s recent outage was the result of a network hardware failure, and the problem worsened when the failover systems did not spring into action as designed, reported Fierce CIO. PayPal has more than 87 million active accounts in 24 currencies around the world. It is owned by e-Bay, who acquired the company for $1.5 billion in 2002. The outage illustrates the challenges inherent to maintaining a cloud-based system in which zero downtime is tolerated, with merchants and customers globally relying on PayPal to be able to complete orders and transfer funds. Source: http://www.itweb.co.za/index.php?option=com_content&view=article&id=38514:paypal-network-problems-worsen&catid=69

54. November 8, The Register – (Ohio; National) Former student jailed for U.S. political hack attacks. A U.S. student began a 30-month sentence November 5 after he was convicted of using a network of compromised PCs he established to flood the Web sites of conservative politicians and pundits. The convict, 23, of Bellevue, Ohio, had earlier admitted launching denial of service (DoS) attacks against the sites between 2006 and March 2007, Security Week reported. He also copped to launching a DOS attack on the University of Akron, the university where he was enrolled at the time of the March 2007 attack. The assault knocked Akron offline for more than 8 hours, obliging a subsequent clean-up operation that cost the university $10,000. The convict was ordered to pay $10,000 in restitution to the university and a further $40,000 to BillO’Reilly.com. After he gets out of jail, he will spend a further 3 years on parole. The former student also admitted to harvesting personal data from compromised machines including user names, passwords, and credit card numbers. It is unclear how much, if anything, he raked in via fraudulent abuse of this information. It could be the compromised details were used to buy and facilitate his politically motivated hack attacks. Source: http://www.theregister.co.uk/2010/11/08/us_hacktivist_jailed/

55. November 8, Techworld – (International) Boonana Mac Trojan was ‘not Koobface’, says Microsoft. The widely-reported “Boonana” Trojan was a new piece of malware and had nothing directly to do with “Koobface,” Microsoft and other security companies reported 1 week after the event. However, according to Microsoft, ESET, and SecureMac, the similarity with Koobface does not appear to stretch beyond its general tactics and the fact that it attacks using Facebook and other social media sites. At a code level, what Microsoft now identifies as Trojan:Java/Boonana is a distinct piece of malware. The main significance of Boonana could be its Java design allows it to attack Windows PCs and Apple Mac computers, and at least run on Linux. Where the software hails from is unknown although one of its first actions on infecting computers is to try to contact a Russian FTP server. The fact Boonana is a distinct family of malware rather than a variant matters in a small but important way. A new branch of malware capable of attacking across operating systems suggests a new direction in malware innovation. If Boonana was a simple variant it might count more as a one-off experiment. Programming and platforms apart, Boonana’s use of Facebook shows social engineering skill is its real forte. Originally pushed with basic “watch this video” lures, the malware has subsequently tried more sophisticated messages, including one based on an apparent suicide notice. Source: http://news.techworld.com/security/3247749/

56. November 8, Phnom Penh Post – (International) Hacker hits state website. The Web site of the General Department of Mineral Resources of Cambodia has been periodically defaced by hackers, the latest in a number of similar attacks conducted against government Web sites since early 2010. A picture claiming “Hacked by Ashiyane” overlaying an image of Iran appeared on the department’s Web site November 7, before the site returned to normal by early afternoon. The director of ASC Information Security Consulting and Training, said a more aggressive stance by the public and private sectors towards information security would send more “reassuring signals”. Cambodia is presently conducting consultations on a cyber-crime law, but it would be difficult to prosecute hacking in the kingdom until a law was in place, the National ICT Development Authority secretary general said. “Not much can be done yet,” he said. “No law, no crime.” The latest vandalism follows a number of similar attacks staged against Cambodian government Web sites earlier this year. Source: http://www.phnompenhpost.com/index.php/2010110844562/National-news/hacker-hits-state-website.html

Communications Sector

57. November 8, IDG News Service – (National) FCC warns of looming wireless spectrum shortage. Mobile data traffic in the United States will be 35 times higher in 2014 than it was in 2009, leading to a massive wireless spectrum shortage if the government fails to make more available, the Federal Communications Commission (FCC) said in a paper released October 2010. About 42 percent of U.S. mobile customers now own a smartphone, up from 16 percent 3 years ago, and between the first quarter of 2009 and the second quarter of 2010, data use per mobile line grew by 450 percent, the paper said. The FCC expects smartphone use — and a corresponding increase in mobile data use — to continue to skyrocket, the FCC Chairman said. “If we don’t act to update our spectrum policies for the 21st century, we’re going to run into a wall — a spectrum crunch — that will stifle American innovation and economic growth and cost us the opportunity to lead the world in mobile communications,” he warned. In a national broadband plan released in March 2010, the FCC called for 300 MHz of spectrum to be made available for mobile broadband uses in the next 5 years, and an additional 200 MHz in the subsequent 5 years. Much of that spectrum would come from bands now controlled by the FCC or other government agencies, but 120 MHz would come from spectrum now owned but unused by U.S. television stations. Under the broadband plan, the stations would give back unused spectrum in exchange for part of the profits when the spectrum is sold at auction. The FCC would need congressional approval to hold these so-called incentive auctions. Source: http://www.computerworld.com/s/article/352502/FCC_Wireless_Spectrum_Shortage_Looms?taxonomyId=70

58. November 8, Bend Bulletin – (Oregon) Hackers chat for 26 hours on town’s dime. The city of Coos Bay, Oregon, has learned that hackers accessed the City Hall phone system and racked up more than 26 hours of phone calls to an overseas location last month. The city just found out about the breach two weeks ago. Police say an investigation showed the city’s previous security systems were inadequate but they have since been reinforced. Source: http://www.bendbulletin.com/apps/pbcs.dll/article?AID=/20101108/NEWS0107/11080311/1001/NEWS01&nav_category=NEWS01

59. November 6, Gaithersburg Gazette – (Maryland) Montgomery Village residents without phone, Internet. Verizon promised to have 240 landlines and Internet lines back in service by November 7 in Montgomery Village, Maryland. An outside contractor accidentally cut the lines while digging during traffic signal maintenance at Montgomery Village Avenue near Lost Knife Road, at the entrance to Lakeforest mall November 6, a Verizon spokeswoman said. The affected neighborhoods were Stedwick, Whetstone, and South Village. Verizon workers were able to find the completely severed cable about 5 feet underground, after pumping water from two manholes. Workers replaced about 15 feet of cable. The spokeswoman said the area should have been marked prior to digging, but apparently was not. Source: http://www.gazette.net/stories/11062010/montnew90715_32591.php

60. November 5, IDG News Service – (International) Report: Sprint rejected Huawei, ZTE for security concerns. Sprint Nextel turned down bids from ZTE and Huawei Technologies because of U.S. government concerns over possible dangers to national security from the Chinese vendors building critical infrastructure in the United States, the Wall Street Journal reported November 5. Sprint, the nation’s third-largest mobile operator, rejected ZTE and Huawei’s bids to modernize its network even though they were lower than those of three rival companies, the Journal reported. The other bidders were Ericsson of Sweden, Samsung Electronics of South Korea, and Alcatel-Lucent, which is based in Paris and incorporates the former U.S. telecom vendor Lucent. Some U.S. lawmakers have expressed concern over letting Huawei or ZTE participate in major infrastructure projects because of concerns over possible links with the Chinese government and military. They worry the Chinese military could use equipment from the companies to disrupt U.S. communications. The Journal reported that the U.S. Secretary of Commerce had called the Sprint CEO the week of November 1 to voice concerns about possible deals between Sprint and the two companies, though not to ask him to reject the companies’ bids. Source: http://www.computerworld.com/s/article/9195278/Report_Sprint_rejected_Huawei_ZTE_for_security_concerns

No comments: