Friday, September 24, 2010

My apologies for the delay. Once again DHS was late publishing their report!

Complete DHS Daily Report for September 24, 2010

Daily Report

Top Stories

 According to the Charleston Daily Mail, executives from the DuPont plant in Belle, West Virginia indicated that more than 160,000 pounds of methanol liquid was dumped into the Kanawha River over a 24-hour period. (See item 9)

9. September 22, Charleston Daily Mail – (West Virginia) Methanol leak into Kanawha larger than first reported. While West Virginia state officials continue to reassure the public there is no immediate danger following a large chemical leak from the DuPont plant in Belle, Kanawha County commissioners are criticizing the state for failing to inform local emergency services the leak had occurred. DuPont officials are now saying more than 160,000 pounds of methanol liquid was dumped into the Kanawha River over a 24-hour period, instead of over several weeks, according to a new statement from the company. According to a DuPont statement released September 22, workers at the Belle plant discovered the leak in a heat exchanger in the Methylamines production unit while conducting regular sampling of the plant’s water outfall September 21. A DuPont spokesman said the leak had traveled through the unit’s steam system into the outfall and was discharged into the Kanawha River. The leak was stopped about 8 p.m. September 21. Officials with the DuPont plant first notified the state of the leak September 21. At first, it was reported by media outlets that only 5,000 pounds had flowed into the river. However, that amount reflected only the minimum regulatory requirement for reporting a leak, according to the spokesman. “The plant notified regulatory authorities as required,” he said in a statement. “In those immediate notifications, we reported that the leak exceeded the regulatory threshold reportable quantity of 5,000 pounds. Our preliminary investigation indicates that approximately 160,000 pounds of methanol was released in the 24-hour period prior to identifying the leak,” he said. Source: http://www.dailymail.com/News/Kanawha/201009220306

 Associated Press reports that a man shot and wounded three people at Americold Logistics, a cold-storage facility in Crete, Nebraska, where he worked, before apparently shooting and killing himself September 22, authorities said. (See item 29)

29. September 23, Associated Press – (Nebraska) Authorities: Gunman wounds 3, kills self in Neb. A man shot and wounded three people at Americold Logistics, a cold-storage facility in Crete, Nebraska, where he worked, before apparently shooting and killing himself September 22, authorities said. The Saline County sheriff said that about 35 people were at the Americold facility when the gunman opened fire at about 10 p.m. The gunman worked at the plant, he said. About 50 officers responded to reports of the shooting, unsure of whether the shooter was still a threat. “When we first came across him, it appeared that it was a self-inflicted wound that ended it,” the sheriff said, referring to the gunman. Two of the wounded were taken to a Lincoln hospital. The other was treated at the Crete Area Medical Center. Their names and conditions were not available, and it was unclear whether they also worked for Americold. The Americold facility is a few miles south of Crete and next to a Farmland Foods plant. Both were locked down immediately after the shooting, although authorities do not believe the gunman ventured onto Farmland property. By early September 23, Farmland had reopened and Americold workers were allowed to leave. Source: http://news.yahoo.com/s/ap/us_nebraska_storage_shooting;_ylt=Ar8kogksbVsraOEm.jlKHLas0NUE;_ylu=X3oDMTQwOGNpaDFxBGFzc2V0A2FwLzIwMTAwOTIzL3VzX25lYnJhc2thX3N0b3JhZ2Vfc2hvb3RpbmcEY2NvZGUDbW9zdHBvcHVsYXIEY3BvcwM2BHBvcwMzBHB0A2hWVfY29rZQRzZWMDeW5faGVhZGxpbmVf

Details

Banking and Finance Sector

15. September 23, Washington Post – (National) Under piles of paperwork, a foreclosure system in chaos. The nation’s overburdened foreclosure system is riddled with faked documents, forged signatures and lenders who take shortcuts reviewing borrower’s files, according to court documents and interviews with attorneys, housing advocates and company officials. The problems, which are so widespread that some judges approving the foreclosures ignore them, are coming to light after Ally Financial, the country’s fourth-biggest mortgage lender, halted home evictions in 23 states this week. During the housing boom, millions of homeowners got easy access to mortgages while providing virtually no proof of their income or background. Now, as millions of Americans are being pushed out of the homes they can no longer afford, the foreclosure process is producing far more paperwork than anyone can read, and making it vulnerable to fraud. Ally Financial is now double-checking to make sure all documents are in order after lawsuits uncovered that a single employee of the company’s GMAC mortgage unit signed off on 10,000 foreclosure papers per month without checking whether the information justified an eviction. Many of the homeowners in fact, might have been in default. Some might have been unfairly targeted. But the flawed process is creating an opening for borrowers to contest some of the more than 2 million foreclosures that have taken place since the real estate crisis began. Source: http://www.washingtonpost.com/wp-dyn/content/article/2010/09/22/AR2010092206146.html

16. September 23, Denver Post – (Colorado) Corporate ID thieves mining the store. Dozens of businesses in Colorado, and probably thousands more nationally, are victims of a new and easy form of identity theft where corporate data is hijacked and millions of dollars in phony credit purchases are made. All it takes is an Internet connection and, in some cases, as little as a $10 fee to alter the name of a corporate officer or the address of a company’s registered agent on public records. Once that is done, thieves acquire corporate credit in multiples much higher than the average consumer can get. And most companies might never know it is happening until it is too late and credit ratings have been trashed. The nation’s secretary of state offices — the agencies that usually register corporations and maintain public databases on them — have few protections to stop the Internet-based theft. In Colorado, for example, anyone can access the online databases and make changes since there is no password protection. “We’re just now getting a handle on the problem,” said a spokeswoman for the National Association of Secretaries of State. Such inaction has business owners fuming and, in turn, scratching their heads. Thieves are also relying on Dun & Bradstreet — the business equivalent of a consumer credit reporting bureau — as unwitting accomplices. The company provides credit ratings on businesses and corroborates any reported changes through secretary of state offices — where the fraud occurs in the first place. Police investigators have so far identified 48 Colorado businesses — many of them easily recognized — affected by the crime and expect to find dozens more. Source: http://www.denverpost.com/business/ci_16149416

17. September 22, WDIV 4 Detroit – (New York) Man tries to rob bank with bomb threat. Redford, Michigan police said a man who claimed to have a bomb tried to rob a Chase bank branch on Telegraph Road September 22. Police said the man entered the bank at about 11 a.m. and slipped a note to a teller that demanded money and stated he had a bomb. The teller told police the man flashed a small black book that, when opened, had a timer and what appeared to be a bomb. Police said the teller did not react and just looked at the man for several seconds before he turned and left the bank. Police said the man is also suspected of being responsible for a previous attempt to rob the bank last month. Surveillance pictures of the man from the bank’s security cameras have been released by police. Source: http://www.clickondetroit.com/news/25118073/detail.html

18. September 22, LoanSafe.org – (Ohio) Email phishing scam feeds on credit union trust. Credit unions are trusted community organizations and the latest victim of a recent phishing scam. Customers in Ohio have reported receiving deceptive e-mails that appear to be from their credit union and include a request to take a survey that requires they enter personal information. According to a July 2010 complaint filed with the Ohio Attorney General’s Office, a Columbus woman received an e-mail from her credit union that stated: “You have been randomly selected to take part in this survey to let us know what we are doing well and where we need to do better. In return we will credit $50.00 to your account — Just for your time!.” The e-mail featured the credit union’s logo and listed the correct contact information, so the woman clicked on the provided link. The survey prompted her to enter her account number, but she knew her credit union would never ask for this information on the Internet, so she closed the link. If she had proceeded, her financial information would have been in the hands of scammers. Be skeptical of offers similar to this one. Never enter personal information online when unsure of where it is being sent. People who receive suspicious e-mails are advised to call their credit union. Source: http://www.loansafe.org/email-phishing-scam-feeds-on-credit-union-trust

For another story, see item 55 below in Information Technology

Information Technology

50. September 23, The Register – (International) Uber-zombie cookies give us the fear. Privacy activists got hot under the collar about the use of flash cookies to respawn traditional Web site cookies, but an even more persistent type of cookie that’s almost impossible to kill off may lie just around the corner. So-called invulnerable evercookies use eight different techniques and locations to hide on tagged systems, including Web history, HTML5 session storage and even the “RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out” as well as in flash or regular cookies. Provided just one copy of the cookie remains, the other locations are rebuilt. A developer explains the point of his idea: “Evercookie is designed to make persistent data just that, persistent. By storing the same data in several locations that a client can access, if any of the data is ever lost (for example, by clearing cookies), the data can be recovered and then reset and reused. Simply think of it as cookies that just won’t go away.” The developer reckons using Private Browsing in Safari will stop ALL evercookie methods following a browser restart. He has not tested whether this approach works with other browsers. Source: http://www.theregister.co.uk/2010/09/23/invulnerable_evercookies/
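The persistence claim in the item above (clear one location and the identifier comes back from the others; clear every location and it is gone) is easy to reason about with a toy model. The block below is an added illustration, not code from The Register or from the evercookie project, and it touches no real browser: the storage area names are assumptions standing in for the areas the article lists, and each area is just a dictionary slot.

```python
# Toy model of "store the same value everywhere, rebuild any copy that
# disappears". Added illustration, not evercookie's own code.
# STORAGE_AREAS is a constructed list named after areas the article mentions.

from typing import Dict, Optional

STORAGE_AREAS = ("cookie", "flash", "history", "session_storage", "png_canvas")


class RespawningStore:
    """Writes one value to every area and repairs missing copies on read."""

    def __init__(self, areas=STORAGE_AREAS):
        self.areas: Dict[str, Optional[str]] = {a: None for a in areas}

    def set(self, value: str) -> None:
        for area in self.areas:
            self.areas[area] = value

    def clear(self, *areas: str) -> None:
        """Simulates the user wiping the named areas (e.g. 'cookie')."""
        for area in areas:
            self.areas[area] = None

    def get(self) -> Optional[str]:
        """Returns the identifier if any copy survives, rewriting every area."""
        survivors = [v for v in self.areas.values() if v is not None]
        if not survivors:
            return None
        value = survivors[0]
        self.set(value)  # the respawn step: every area is repopulated
        return value


def copies_present(store: RespawningStore) -> int:
    """How many areas currently hold a copy; useful when auditing a clear."""
    return sum(1 for v in store.areas.values() if v is not None)


def demo_partial_clear() -> Optional[str]:
    """Clearing only cookie-like areas: the identifier survives."""
    s = RespawningStore()
    s.set("uid-1234")
    s.clear("cookie", "flash")
    return s.get()  # "uid-1234", rebuilt from the remaining areas


def copies_after_partial_clear_and_read() -> int:
    """One area cleared, then a single read restores all five copies."""
    s = RespawningStore()
    s.set("uid-1234")
    s.clear("cookie")
    before = copies_present(s)  # 4
    s.get()
    return copies_present(s) if before == 4 else -1  # 5


def demo_full_clear() -> Optional[str]:
    """Wiping every area at once (what a full private-session reset models)."""
    s = RespawningStore()
    s.set("uid-1234")
    s.clear(*STORAGE_AREAS)
    return s.get()  # None: nothing left to respawn from


if __name__ == "__main__":
    print("after partial clear:", demo_partial_clear())
    print("copies after partial clear and read:", copies_after_partial_clear_and_read())
    print("after full clear:", demo_full_clear())
```

The point for a defender is the asymmetry: a clear-out that misses even one area is equivalent to no clear-out at all, which is why per-area "delete cookies" buttons do not help and only a reset that covers every area the page can write to does.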

51. September 23, Associated Press – (International) Twitter hack: Made in Japan? The recent Twitter attack that caused a widespread headache for the micro-blogging service appears to have been triggered by a Japanese computer hacker who said he was only trying to help. The attack, which emerged and was shut down within hours September 21, involved a “cross-site scripting” flaw that allowed users to run JavaScript programs on other computers. The originator is believed to be someone who uses the name “Masato Kinugawa” in cyberspace and acknowledges creating the Twitter account “RainbowTwtr” that demonstrated the vulnerability. Through his Twitter account and personal blog, Kinugawa regularly tracks down possible computer security loopholes and notifies companies of their existence. Earlier this year, he pointed out several scripting problems to Japanese Internet company Livedoor, which thanked him with a 15,000 yen ($177) gift certificate. Kinugawa said he contacted Twitter about the weakness August 14 — but in vain. “Twitter had not fixed this critical issue long after it had been notified,” Kinugawa tweeted. “Twitter left this vulnerability exposed, and its recognition of this problem was low. Rather than have someone maliciously abuse this under the radar, I decided it would be better to urgently expose this as a serious problem and have it be addressed.” Source: http://news.yahoo.com/s/ap/20100923/ap_on_hi_te/tec_twitter_hack

52. September 23, Techworld – (International) OAuth 2.0 API security tool used by Facebook too easy to crack. The emerging OAuth 2.0 Web API authorization protocol, already deployed by Facebook, Salesforce.com and others, is coming under increased criticism for being too easy to use, and therefore to spoof by malicious hackers. “The OAuth community has made a big mistake about the future direction of the protocol,” wrote the Yahoo director of standards development in a blog post recently. His criticism may carry more weight than the usual naysayer, because he is actually one of the creators of OAuth. “What makes this more frustrating is that the people behind [OAUTH 2.0] are some of the brightest security minds on the Web. These guys know exactly what they are doing, and it’s not like they don’t care,” the director wrote. “They just gave up and decided that the best they can do is maintain the status quo. They are also representing a large and powerful coalition of big companies too lazy to work a little harder.” His words may strike an ominous chord, given how public and enterprise-based Web services are rapidly adopting the draft IETF (Internet Engineering Task Force) standard as a way for Web services to share data. The final version of the specification, which has been authored by engineers at Google, Microsoft, Yahoo, Facebook and others, is expected this fall. Source: http://news.techworld.com/security/3240746/oauth-20-api-security-tool-used-by-facebook-too-easy-to-crack/

53. September 22, Sophos – (International) Out-of-the-blue empty emails bring redirecting malware danger. E-mails are arriving randomly with no message body, but with a file called “_inv.html” attached. This is part of a new malware attack that has been widely spammed out around the world. If users make the mistake of opening the attached HTML file, their computer will be redirected to a fake anti-virus attack on a third party site. That means that they will begin to see bogus security warnings trying to trick them into handing over credit card details, or to download further dangerous software to their computer. A significant challenge emerges in that it is difficult to warn the public about these attacks because the e-mail address where the malware is coming from changes each time, the subjects appear to be pretty randomly chosen, and even the attached filename has a random component. Also, the message body is no use because there is nothing to see. Source: http://www.sophos.com/blogs/gc/g/2010/09/22/empty-emails-bring-malware-danger/
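Because the sender, subject and filename all vary, the stable feature of this campaign is structural: an empty body plus an HTML attachment whose only job is to redirect the browser. The block below is an added example of a mail-gateway check for that shape, not Sophos code; the two messages it inspects are constructed inline, and the addresses, subject and redirect URL are placeholders.

```python
# Added example: flag messages that have no body and carry an HTML attachment
# that immediately redirects. Not Sophos code; sample messages are constructed.

import email
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Constructs that turn an HTML file into a pure redirect when opened.
REDIRECT_PATTERNS = [
    re.compile(r'http-equiv\s*=\s*["\']?refresh', re.I),
    re.compile(r'(window\.|document\.)?location(\.href)?\s*=', re.I),
    re.compile(r'location\.replace\s*\(', re.I),
]


def analyse(raw: str) -> Dict[str, object]:
    """Parse one RFC 822 message and report the indicators found."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content().strip() if body is not None else ""

    html_attachments: List[str] = []
    redirecting: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html")):
            html_attachments.append(name)
            content = part.get_content()
            if isinstance(content, bytes):
                content = content.decode("utf-8", "replace")
            if any(p.search(content) for p in REDIRECT_PATTERNS):
                redirecting.append(name)

    return {
        "empty_body": body_text == "",
        "html_attachments": html_attachments,
        "redirecting_attachments": redirecting,
        "suspicious": body_text == "" and bool(redirecting),
    }


# Constructed samples. Addresses, subject and URL are placeholders.
REDIRECT_HTML = (
    "<html><head>\n"
    '<meta http-equiv="refresh" content="0;url=http://placeholder.invalid/scan">\n'
    "</head><body></body></html>\n"
)
PLAIN_HTML = "<html><body><p>Invoice summary</p></body></html>\n"


def build_suspicious_sample() -> str:
    """Empty body, random-looking subject, HTML attachment that redirects."""
    msg = EmailMessage()
    msg["From"] = "sender-7f3a@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Re: 48213"
    # No set_content(): the body is deliberately left empty.
    msg.add_attachment(REDIRECT_HTML, subtype="html", filename="qw3rty_inv.html")
    return msg.as_string()


def build_benign_sample() -> str:
    """A normal message: real body text and an HTML attachment that only displays content."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice summary"
    msg.set_content("Please see the attached summary.")
    msg.add_attachment(PLAIN_HTML, subtype="html", filename="summary.html")
    return msg.as_string()


if __name__ == "__main__":
    for label, raw in (("suspicious", build_suspicious_sample()), ("benign", build_benign_sample())):
        print(label, analyse(raw))
```

The check keys on the combination (no body and a redirecting HTML attachment) rather than on either alone, since legitimate mail often carries HTML attachments and the occasional empty body; run on its own, either indicator would drown a mail team in false positives.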

54. September 22, CNET News – (International) Report: Half of apps have security problems. More than half of software used in enterprises has security problems, according to a new report to be released September 22 from Veracode, an application security company. Veracode looked at more than 2,900 applications over an 18-month period that were used by its cloud-based customers and found that 57 percent of all the apps were found to have unacceptable application security quality. Eight out of 10 Web apps failed to meet the OWASP (Open Web Application Security Project) Top 10 requirement that is necessary to achieve PCI (payment card industry) compliance for use in financial and e-commerce sites, Veracode said. The report finds that third-party code, which is growing in use by enterprises, is often insecure. Third-party suppliers failed to achieve acceptable security standards 81 percent of the time, the report said. Meanwhile, cross-site scripting remains the most common of all application vulnerabilities, and .NET applications showed “abnormally high” numbers of flaws, Veracode said. Source: http://news.cnet.com/8301-27080_3-20017011-245.html

55. September 22, Help Net Security – (International) Breakdown of security weaknesses by industry and organization size. WhiteHat Security released the tenth installment of its Security Website Security Statistics Report, providing a first-time breakdown of the state of Web site security by industry and company size. Compiled using data from more than 2,000 production Web sites across 350 organizations, this latest issue shines a spotlight on the need for organizations to focus on improving responsiveness in remediating vulnerabilities in order to reduce risk and improve the effectiveness of the SDLC over time. Until now, no metrics have been available for organizations to apply as a benchmark for evaluating themselves against their industry peers. WhiteHat’s research findings give executives the insight they need to determine whether the resources that are invested in source code reviews, threat modeling, developer training and security tools are making a measurable impact in reducing their Web site security risk. Furthermore, the industry breakdown allows them to see how their efforts compare to their peers, and if any significant changes need to be made to strengthen Web site security. For example, the data shows that financial services organizations have learned that quick identification and remediation of SQL Injection vulnerabilities, which if exploited give attackers access to corporate databases, are imperative. And yet, that industry still struggles with overall remediation rates. Source: http://www.net-security.org/secworld.php?id=9897

56. September 22, Help Net Security – (International) Trojan stealing private key certificates. Symantec warns about Infostealer.Nimkey, a Trojan that is designed to collect private key certificates, keystrokes, and clipboard data and send them to a Web site where the authors can collect them. This Trojan targets PKCS#12 public key certificate files, which also contain the private keys that the attackers need to steal the key owner’s signature. Spam e-mail messages containing links to a malicious site that distributes this Trojan are the typical first step towards infection. Sometimes these messages also contain a file attachment with a .com extension in order to look like a link, but it is actually malware. Another smoke-and-mirrors tactic employed by this particular Trojan is the display of a form for a federal tax return. While the user is trying to make sense of it, the Trojan goes to work and downloads other malicious files. Some of them record URLs a user visits, others search for the PKCS#12 certificate files. An incorporated keylogger records keystrokes and clipboard data. And then it all gets shipped to a server in China. Source: http://www.net-security.org/malware_news.php?id=1469

57. September 22, IDG News Service – (International) Canada ends Facebook privacy probe. Canada’s privacy commissioner has ended an investigation into Facebook’s privacy practices by saying the social-networking site has resolved issues raised in a May 2008 complaint. Facebook has made changes to its service that resolve privacy concerns raised in a Canadian Internet Policy and Public Interest Clinic complaint, the commissioner said September 22. The privacy group complained that Facebook had violated Canadian privacy law by not explaining to users its policies on sharing information with third-party developers. The complaint also accused Facebook of not identifying all the purposes for which it collects users’ information, of not getting express consent to collect sensitive information, and of not allowing users who have deactivated their accounts to easily withdraw consent to share information. The complaint also accused Facebook of failing to destroy the personal information of users who deleted their accounts and of failing to safeguard personal information from unauthorized access. Facebook has made “extensive” changes to its privacy protections in response to Canadian concerns, the commissioner said in a statement. Source:

Friday, September 24, 2010

My apologies for the delay. Once again DHS was late publishing their report!

Complete DHS Daily Report for September 24, 2010

Daily Report

Top Stories

 According to the Charleston Daily Mail, executives from the DuPont plant in Belle, West Virginia indicated that more than 160,000 pounds of methanol liquid was dumped into the Kanawha River over a 24-hour period. (See item 9)

9. September 22, Charleston Daily Mail – (West Virginia) Methanol leak into Kanawha larger than first reported. While West Virginia state officials continue to reassure the public there is no immediate danger following a large chemical leak from the DuPont plant in Belle, Kanawha County commissioners are criticizing the state for failing to inform local emergency services the leak had occurred. DuPont officials are now saying more than 160,000 pounds of methanol liquid was dumped into the Kanawha River over a 24-hour period, instead of over several weeks, according to a new statement from the company. According to a DuPont statement released September 22, workers at the Belle plant discovered the leak in a heat exchanger in the Methylamines production unit while conducting regular sampling of the plant’s water outfall September 21. A DuPont spokesman said the leak had traveled through the unit’s steam system into the outfall and was discharged into the Kanawha River. The leak was stopped about 8 p.m. September 21. Officials with the DuPont plant first notified the state of the leak September 21. At first, it was reported by media outlets that only 5,000 pounds had flowed into the river. However, that amount reflected only the minimum regulatory requirement for reporting a leak, according to the spokesman. “The plant notified regulatory authorities as required,” he said in a statement. “In those immediate notifications, we reported that the leak exceeded the regulatory threshold reportable quantity of 5,000 pounds. Our preliminary investigation indicates that approximately 160,000 pounds of methanol was released in the 24-hour period prior to identifying the leak,” he said. Source: http://www.dailymail.com/News/Kanawha/201009220306

 Associated Press reports that a man shot and wounded three people at Americold Logistics,a cold-storage facility in Crete, Nebraska, where he worked, before apparently shooting and killing himself September 22, authorities said. (See item 29)

29. September 23, Associated Press – (Nebraska) Authorities: Gunman wounds 3, kills self in Neb. A man shot and wounded three people at Americold Logistics, a cold-storage facility in Crete, Nebraska, where he worked, before apparently shooting and killing himself September 22, authorities said. The Saline County sheriff said that about 35 people were at the Americold facility when the gunman opened fire at about 10 p.m. The gunman worked at the plant, he said. About 50 officers responded to reports of the shooting, unsure of whether the shooter was still a threat. “When we first came across him, it appeared that it was a self-inflicted wound that ended it,” the sheriff said, referring to the gunman. Two of the wounded were taken to a Lincoln hospital. The other was treated at the Crete Area Medical Center. Their names and conditions were not available, and it was unclear whether they also worked for Americold. The Americold facility is a few miles south of Crete and next to a Farmland Foods plant. Both were locked down immediately after the shooting, although authorities do not believe the gunman ventured onto Farmland property. By early September 23, Farmland had reopened and Americold workers were allowed to leave. Source: http://news.yahoo.com/s/ap/us_nebraska_storage_shooting;_ylt=Ar8kogksbVsraOEm.jlKHLas0NUE;_ylu=X3oDMTQwOGNpaDFxBGFzc2V0A2FwLzIwMTAwOTIzL3VzX25lYnJhc2thX3N0b3JhZ2Vfc2hvb3RpbmcEY2NvZGUDbW9zdHBvcHVsYXIEY3BvcwM2BHBvcwMzBHB0A2hWVfY29rZQRzZWMDeW5faGVhZGxpbmVf

Details

Banking and Finance Sector

15. September 23, Washington Post – (National) Under piles of paperwork, a foreclosure system in chaos. The nation’s overburdened foreclosure system is riddled with faked documents, forged signatures and lenders who take shortcuts reviewing borrower’s files, according to court documents and interviews with attorneys, housing advocates and company officials. The problems, which are so widespread that some judges approving the foreclosures ignore them, are coming to light after Ally Financial, the country’s fourth-biggest mortgage lender, halted home evictions in 23 states this week. During the housing boom, millions of homeowners got easy access to mortgages while providing virtually no proof of their income or background. Now, as millions of Americans are being pushed out of the homes they can no longer afford, the foreclosure process is producing far more paperwork than anyone can read, and making it vulnerable to fraud. Ally Financial is now double-checking to make sure all documents are in order after lawsuits uncovered that a single employee of the company’s GMAC mortgage unit signed off on 10,000 foreclosure papers per month without checking whether the information justified an eviction. Many of the homeowners in fact, might have been in default. Some might have been unfairly targeted. But the flawed process is creating an opening for borrowers to contest some of the more than 2 million foreclosures that have taken place since the real estate crisis began. Source: http://www.washingtonpost.com/wp-dyn/content/article/2010/09/22/AR2010092206146.html

16. September 23, Denver Post – (Colorado) Corporate ID thieves mining the store. Dozens of businesses in Colorado, and probably thousands more nationally, are victims of a new and easy form of identity theft where corporate data is hijacked and millions of dollars in phony credit purchases are made. All it takes is an Internet connection and, in some cases, as little as a $10 fee to alter the name of a corporate officer or the address of a company’s registered agent on public records. Once that is done, thieves acquire corporate credit in multiples much higher than the average consumer can get. And most companies might never know it is happening until it is too late and credit ratings have been trashed. The nation’s secretary of state offices — the agencies that usually register corporations and maintain public databases on them — have few protections to stop the Internet-based theft. In Colorado, for example, anyone can access the online databases and make changes since there is no password protection. “We’re just now getting a handle on the problem,” said a spokeswoman for the National Association of Secretaries of State. Such inaction has business owners fuming and, in turn, scratching their heads. Thieves are also relying on Dunn & Bradstreet — the business equivalent of a consumer credit reporting bureau — as unwitting accomplices. The company provides credit ratings on businesses and corroborates any reported changes through secretary of state offices — where the fraud occurs in the first place. Police investigators have so far identified 48 Colorado businesses — many of them easily recognized — affected by the crime and expect to find dozens more. Source: http://www.denverpost.com/business/ci_16149416

17. September 22, WDIV 4 Detroit – (New York) Man tries to rob bank with bomb threat. Redford, Michigan police said a man who claimed to have a bomb tried to rob a Chase bank branch on Telegraph Road September 22. Police said the man entered the bank at about 11 a.m. and slipped a note to a teller that demanded money and stated he had a bomb. The teller told police the man flashed a small black book that, when opened, had a timer and what appeared to be a bomb. Police said the teller did not react and just looked at the man for several seconds before he turned and left the bank. Police said the man is also suspected of being responsible for a previous attempt to rob the bank last month. Surveillance pictures of the man from the bank’s security cameras have been released by police. Source: http://www.clickondetroit.com/news/25118073/detail.html

18. September 22, LoanSafe.org – (Ohio) Email phishing scam feeds on credit union trust. Credit unions are trusted community organizations and the latest victim of a recent phishing scam. Customers in Ohio have reported receiving deceptive e-mails that appear to be from their credit union and include a request to take a survey that requires they enter personal information. According to a July 2010 complaint filed with the Ohio Attorney General’s Office, a Columbus woman received an e-mail from her credit union that stated: “You have been randomly selected to take part in this survey to let us know what we are doing well and where we need to do better. In return we will credit $50.00 to your account — Just for your time!.” The e-mail featured the credit union’s logo and listed the correct contact information, so the woman clicked on the provided link. The survey prompted her to enter her account number, but she knew her credit union would never ask for this information on the Internet, so she closed the link. If she had proceeded, her financial information would have been in the hands of scammers. Be skeptical of offers similar to this one. Never enter personal information online when unsure of where it is being sent. People who receive suspicious e-mails are are advised to call their credit union. Source: http://www.loansafe.org/email-phishing-scam-feeds-on-credit-union-trust

For another story, see item 55 below in Information Technology

Information Technology

50. September 23, The Register – (International) Uber-zombie cookies give us the fear. Privacy activists got hot under the collar about the use of flash cookies to respawn traditional Web site cookies but an even more persistent type of cookie that’s almost impossible to kill off may lie just around the corner. So-called invulnerable evercookies use eight different techniques and locations to hide on tagged systems, including Web history, HTML5 session storage and even the “RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out” as well as in flash or regular cookies. Providing just one copy of the cookie remains, the other locations are rebuilt. A developer explains the point of his idea: “Evercookie is designed to make persistent data just that, persistent. By storing the same data in several locations that a client can access, if any of the data is ever lost (for example, by clearing cookies), the data can be recovered and then reset and reused. Simply think of it as cookies that just won’t go away.” The developer reckons using Private Browsing in Safari will stop ALL evercookie methods following a browser restart. He has not tested whether this approach work with other browsers. Source: http://www.theregister.co.uk/2010/09/23/invulnerable_evercookies/

51. September 23, Associated Press – (International) Twitter hack: Made in Japan? The recent Twitter attack that caused a widespread headache for the micro-blogging service appears to have been triggered by a Japanese computer hacker who said he was only trying to help. The attack, which emerged and was shut down within hours September 21, involved a “cross-site scripting” flaw that allowed users to run JavaScript programs on other computers. The originator is believed to be someone who uses the name “Masato Kinugawa” in cyberspace and acknowledges creating the Twitter account “RainbowTwtr” that demonstrated the vulnerability. Through his Twitter account and personal blog, Kinugawa regularly tracks down possible computer security loopholes and notifies companies of their existence. Earlier this year, he pointed out several scripting problems to Japanese Internet company Livedoor, which thanked him with a 15,000 yen ($177) gift certificate. Kinugawa said he contacted Twitter about the weakness August 14 — but in vain. “Twitter had not fixed this critical issue long after it had been notified,” Kinugawa tweeted. “Twitter left this vulnerability exposed, and its recognition of this problem was low. Rather than have someone maliciously abuse this under the radar, I decided it would be better to urgently expose this as a serious problem and have it be addressed.” Source: http://news.yahoo.com/s/ap/20100923/ap_on_hi_te/tec_twitter_hack

52. September 23, Techworld – (International) OAuth 2.0 API security tool used by Facebook too easy to crack. The emerging OAuth 2.0 Web API authorization protocol, already deployed by Facebook, Salesforce.com and others, is coming under increased criticism for being too easy to use, and therefore to spoof by malicious hackers. “The OAuth community has made a big mistake about the future direction of the protocol,” wrote the Yahoo director of standards development in a blog post recently. His criticism may carry more weight than the usual naysayer, because he is actually one of the creators of OAuth. “What makes this more frustrating is that the people behind [OAUTH 2.0] are some of the brightest security minds on the Web. These guys know exactly what they are doing, and it’s not like they don’t care,” the director wrote. “They just gave up and decided that the best they can do is maintain the status quo. They are also representing a large and powerful coalition of big companies too lazy to work a little harder.” His words may strike an ominous chord, given how public and enterprise-based Web services are rapidly adopting the draft IETF (Internet Engineering Task Force) standard as a way for Web services to share data. The final version of the specification, which has been authored by engineers at Google, Microsoft, Yahoo, Facebook and others, is expected this fall. Source: http://news.techworld.com/security/3240746/oauth-20-api-security-tool-used-by-facebook-too-easy-to-crack/

53. September 22, Sophos – (International) Out-of-the-blue empty emails bring redirecting malware danger. E-mails are arriving randomly with no message body, but with a file called “_inv.html” attached. This is part of a new malware attack that has been widely spammed out around the world. If users make the mistake of opening the attached HTML file, their computer will be redirected to a fake anti-virus attack on a third-party site. That means they will begin to see bogus security warnings trying to trick them into handing over credit card details, or into downloading further dangerous software to their computer. A significant challenge is that it is difficult to warn the public about these attacks, because the e-mail address the malware comes from changes each time, the subjects appear to be pretty randomly chosen, and even the attached filename has a random component. Also, the message body is of no use because there is nothing to see. Source: http://www.sophos.com/blogs/gc/g/2010/09/22/empty-emails-bring-malware-danger/

54. September 22, CNET News – (International) Report: Half of apps have security problems. More than half of software used in enterprises has security problems, according to a new report to be released September 22 from Veracode, an application security company. Veracode looked at more than 2,900 applications used by its cloud-based customers over an 18-month period and found that 57 percent of the apps had unacceptable application security quality. Eight out of 10 Web apps failed to meet the OWASP (Open Web Application Security Project) Top 10 requirement that is necessary to achieve PCI (payment card industry) compliance for use in financial and e-commerce sites, Veracode said. The report finds that third-party code, which is growing in use by enterprises, is often insecure. Third-party suppliers failed to achieve acceptable security standards 81 percent of the time, the report said. Meanwhile, cross-site scripting remains the most common of all application vulnerabilities, and .NET applications showed “abnormally high” numbers of flaws, Veracode said. Source: http://news.cnet.com/8301-27080_3-20017011-245.html

55. September 22, Help Net Security – (International) Breakdown of security weaknesses by industry and organization size. WhiteHat Security released the tenth installment of its Website Security Statistics Report, providing a first-time breakdown of the state of Web site security by industry and company size. Compiled using data from more than 2,000 production Web sites across 350 organizations, this latest issue shines a spotlight on the need for organizations to focus on improving responsiveness in remediating vulnerabilities in order to reduce risk and improve the effectiveness of the SDLC over time. Until now, no metrics have been available for organizations to apply as a benchmark for evaluating themselves against their industry peers. WhiteHat’s research findings give executives the insight they need to determine whether the resources invested in source code reviews, threat modeling, developer training and security tools are making a measurable impact in reducing their Web site security risk. Furthermore, the industry breakdown allows them to see how their efforts compare to their peers, and whether any significant changes need to be made to strengthen Web site security. For example, the data shows that financial services organizations have learned that quick identification and remediation of SQL Injection vulnerabilities, which if exploited give attackers access to corporate databases, are imperative. And yet, that industry still struggles with overall remediation rates. Source: http://www.net-security.org/secworld.php?id=9897

56. September 22, Help Net Security – (International) Trojan stealing private key certificates. Symantec warns about Infostealer.Nimkey, a Trojan that is designed to collect private key certificates, keystrokes, and clipboard data and send them to a Web site where the authors can collect them. This Trojan targets PKCS#12 public key certificate files, which also contain the private keys that the attackers need to steal the key owner’s signature. Spam e-mail messages containing links to a malicious site that distributes this Trojan are the typical first step towards infection. Sometimes these messages also contain a file attachment with a .com extension in order to look like a link, but it is actually malware. Another smoke-and-mirrors tactic employed by this particular Trojan is the display of a form for a federal tax return. While the user is trying to make sense of it, the Trojan goes to work and downloads other malicious files. Some of them record URLs the user visits, others search for the PKCS#12 certificate files. An incorporated keylogger records keystrokes and clipboard data. And then it all gets shipped to a server in China. Source: http://www.net-security.org/malware_news.php?id=1469

57. September 22, IDG News Service – (International) Canada ends Facebook privacy probe. Canada’s privacy commissioner has ended an investigation into Facebook’s privacy practices by saying the social-networking site has resolved issues raised in a May 2008 complaint. Facebook has made changes to its service that resolve privacy concerns raised in a Canadian Internet Policy and Public Interest Clinic complaint, the commissioner said September 22. The privacy group complained that Facebook had violated Canadian privacy law by not explaining to users its policies on sharing information with third-party developers. The complaint also accused Facebook of not identifying all the purposes for which it collects users’ information, of not getting express consent to collect sensitive information, and of not allowing users who have deactivated their accounts to easily withdraw consent to share information. The complaint also accused Facebook of failing to destroy the personal information of users who deleted their accounts and of failing to safeguard personal information from unauthorized access. Facebook has made “extensive” changes to its privacy protections in response to Canadian concerns, the commissioner said in a statement. Source: http://www.computerworld.com/s/article/9187381/Canada_ends_Facebook_privacy_probe

58. September 21, Help Net Security – (International) Trojan posing as installer wants your money. A Trojan masquerading as an installer for well-known applications such as DivX, Torrent, LimeWire, Avast! Antivirus, and others has been popping up on users’ computers lately and is trying to get them to send an SMS to a premium number in order to “unlock” the application in question, Microsoft said. Somewhat similar to the “Ransom” Trojans that take control of the system by locking the user’s screen and unlocking it only after they enter the passcode they received upon sending a text message to the provided premium number, this Trojan is less disruptive, but still bent on taking user money. The Trojan is distributed from a number of domains named after those programs. To avoid falling for these types of scams, users are advised to download software from the Web site of the developer or from reputable download sites. Source: http://www.net-security.org/secworld.php?id=9892

Communications Sector

59. September 23, Daily Princetonian – (New Jersey) Outage hits University wireless network. Princeton University in Princeton, New Jersey faced an unscheduled wireless network outage September 22 that lasted at least 7 hours, forcing students to rely upon Ethernet cables to connect to the Internet. The issue began at 3:27 p.m. due to “an unknown cause,” according to a statement posted on the Office of Information Technology (OIT) Web site at 11:26 p.m. It was partially resolved at the time this article went to press. The associate chief information officer and director of support service for OIT said in an e-mail that all of the “1,000-plus” wireless service access points stopped working at about the same time September 22. Hard-wired Ethernet connections on campus were not affected by the problem. OIT networking staff and engineers from Cisco, the provider of the access points, were working to solve the problem, but there was no estimate for when they would resolve the issue. Source: http://www.dailyprincetonian.com/2010/09/23/26321/

60. September 23, IDG News Service – (National) Facebook fixes glitch, says access back to normal. A problem that affected account access for some Facebook users September 22 has been fixed, Facebook said via its Twitter feed. “We’ve fixed the issue with a third-party networking provider, and anyone impacted should be able to access Facebook normally,” the company said. Facebook did not say what the problem was or which company caused it. The social networking company also did not give figures for the number of people affected by the problem. Earlier that day, Facebook said users may have trouble accessing the site due to a problem with a network provider. “Some people can’t connect to Facebook because of an issue with a third-party network provider. We’re working to fix it ASAP,” Facebook wrote in a Twitter message around noon Pacific Time. That message followed user complaints that started popping up on Twitter earlier in the day. Facebook seems to have less frequent outages than Twitter, a rival in social networking. However, it had one notable failure last year, when around 150,000 people were unable to use the site for more than 1 week. Source: http://www.computerworld.com/s/article/9187382/Facebook_fixes_glitch_says_access_back_to_normal?taxonomyId=16

61. September 22, Associated Press – (South Carolina; National) SC gov: Feds should let prisons jam cell phones. Flanked by dozens of wardens and a prison officer authorities say was nearly killed in an attack planned with a smuggled cell phone, South Carolina’s governor September 22 implored federal regulators to let the state jam the signals of cell phones being used illicitly by prisoners. “If we leave the things the way that they are, the federal government is fundamentally perpetuating an injustice, on the people of this state, and frankly, the people of this nation,” he said at a maximum security prison in Columbia. He urged the Federal Communications Commission (FCC) to act on a nearly 2-year-old request from the corrections department director to conduct a pilot jamming program inside a state prison. The director said 30 other states signed on to that request. The FCC has taken no action on the petition. Regulators say a 1934 law allows only federal agencies, not state or local ones, to jam public airwaves, a position reiterated September 22 by the FCC’s public safety and homeland security chief. “The problem with the South Carolina petition is, we can’t waive federal statutes,” he said. “As long as Congress has mandated that jamming is illegal, we have to abide by that law, and so does South Carolina.” Source: http://www.businessweek.com/ap/financialnews/D9ID7C483.htm

62. September 22, The Register – (International) Vodafone shares subscriber info with world. Vodafone, a global telecommunications company headquartered in England, has been caught taking liberties with customers’ e-mail accounts, and it seems at least some of the customers are not happy about the practice. The problem is with the password reminder feature on the “My account” section of the carrier’s Web site. All one has to do is enter the phone number of the person one is interested in. If they have an online account, Vodafone gladly gives up their e-mail address. The Register was able to test the feature and it worked as described. “There is nothing to stop a determined spammer from entering thousands of numbers and getting a long list of email addresses,” a Vodafone subscriber wrote. “Nothing to stop a fraudster from sending you an email to an address you only use with Vodafone.” Source: http://www.theregister.co.uk/2010/09/22/vodafone_email_address_giveaway/
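The flaw in this item is an account-enumeration oracle: the reminder response differs depending on whether a phone number has an account, and it echoes the e-mail on file. The following is an added Python illustration, not Vodafone's code, showing that leaky behaviour beside a version that answers identically for every number, never discloses the address, and throttles repeat requests; the account table, phone numbers and limits are constructed for the example.

```python
"""Password-reminder lookup: leaky version versus a non-disclosing one.

Added example, not Vodafone's code. The account store, phone numbers and
the attempt limit are constructed assumptions for illustration.
"""
from collections import defaultdict

# Constructed sample account store: phone number -> e-mail on file.
ACCOUNTS = {
    "07700900001": "alice@example.org",
    "07700900002": "bob@example.net",
}

# Stands in for the mail system so the block runs offline; records the
# addresses a reminder would have been sent to.
OUTBOX = []


def leaky_reminder(phone: str) -> str:
    """Behaviour as described in the article: the response text reveals
    both whether the number has an account and which e-mail it maps to,
    so anyone can harvest addresses by iterating numbers."""
    email = ACCOUNTS.get(phone)
    if email is None:
        return "No account found for that number."
    OUTBOX.append(email)
    return f"A reminder has been sent to {email}."


class SafeReminder:
    """Hardened version: the same response whether or not the number has
    an account, the address never appears in the response, and each
    requester gets only a few attempts per window."""

    GENERIC = ("If an account exists for that number, a reminder has been "
               "sent to the e-mail address on file.")
    THROTTLED = "Too many requests; please try again later."

    def __init__(self, max_attempts: int = 5):
        self.max_attempts = max_attempts
        self.attempts = defaultdict(int)  # requester id -> attempts in window

    def reminder(self, requester: str, phone: str) -> str:
        self.attempts[requester] += 1
        if self.attempts[requester] > self.max_attempts:
            return self.THROTTLED  # no lookup and no mail once throttled
        email = ACCOUNTS.get(phone)
        if email is not None:
            OUTBOX.append(email)  # mail goes only to the address on file
        return self.GENERIC  # identical text for known and unknown numbers


def leaks_account_existence(handler) -> bool:
    """Defender-side check: probe a number that has an account and one that
    does not; any difference in the response is an enumeration oracle."""
    present = handler("07700900001")  # constructed: has an account
    absent = handler("07700900999")   # constructed: no account
    return present != absent


if __name__ == "__main__":
    print("leaky handler is an oracle:", leaks_account_existence(leaky_reminder))
    safe = SafeReminder()
    print("safe handler is an oracle:",
          leaks_account_existence(lambda p: safe.reminder("probe", p)))
```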

63. September 22, CNET News – (Oregon) Hunters shoot down Google cables. Hunters in Oregon have been using Google for target practice. According to IT News, Google has been driven underground by the highly accurate shooting from Oregon’s finest marksmen. More accurately, its cables have been forced to go 6 feet underground. It appears that hunters are shooting at the fiber that connects its vast data centers merely for the fun of being able to shoot them down. “Every November when hunting season starts, invariably we know that the fiber will be shot down, so much so that we are now building an underground path [for it],” a Google engineering manager said. Source: http://news.cnet.com/8301-17852_3-20017134-71.html

64. September 22, Chicago Tribune – (Illinois) Service returns to Comcast customers in west suburbs. Comcast customers in Chicago’s western suburbs experienced a service outage September 22 when Union Pacific Railroad damaged a fiber optic cable near railroad tracks at First and Poplar avenues in Elmhurst, Illinois. The service outage affected customers in the company’s western area, a Comcast spokeswoman said. “There was an outside party that affected a number of customers,” she said. Ninety percent of the affected customers had their service restored by 4:30 p.m., and all customers were scheduled to have their service restored by 6 p.m. She said the company does not provide the number of customers when it has a service outage for proprietary reasons. Union Pacific has been working on signals at the railroad crossing. Source: http://www.chicagobreakingnews.com/2010/09/service-returns-to-comcast-customers-in-west-suburbs.html
