Monday, October 18, 2010

Complete DHS Daily Report for October 18, 2010

Daily Report

Top Stories

•Reuters reports that a U.S. Senator said a planned New York-New Jersey Hudson River rail tunnel — whose future now is in jeopardy — is vital for the security of the surrounding area where 12 million people live. (See item 18)

18. October 14, Reuters – (New York; New Jersey) Senator says new Hudson tunnel vital for security. A planned New York-New Jersey Hudson River rail tunnel — whose future now is in jeopardy — is vital for the security of the surrounding area where 12 million people live, a U.S. Senator said October 14. After the deadly September 11, 2001, air attacks, “the only (mass) transportation that was really viable was rail,” the New Jersey Senator said at a news conference in Newark, New Jersey’s Pennsylvania Station. Amtrak, the national rail passenger service, kept running though airports were shut, he noted. “We have to have that available access to permit us to react in the event of an attack or a national disaster,” the Senator continued. The assessment by the Senator, who chairs a subcommittee on homeland security, raised the stakes for the Hudson River rail tunnel project midway through a 2-week review period of its $8.7 billion budget. One day after the New Jersey governor canceled the project, saying New Jersey cannot afford an estimated $2 billion to $5 billion of extra costs, the Senator agreed to review the finances at the request of the U.S. Transportation Secretary. “I have not ruled it out; I have not ruled it in,” the Senator said, explaining that first the budget must be finalized. Source:

•According to the Associated Press, West Virginia regulators plan to investigate a multiple-county phone outage, after the Kanawha County Commission president informed them that FiberNet did not notify Metro 911 or other agencies about the outage. See item 48 below in the Communications Sector


Banking and Finance Sector

11. October 15, Sun-Times Media Wire – (Illinois) Two women stole $6M in mortgage scheme: Cops. Two women have been charged with stealing more than $6 million through a mortgage escrow scheme. The two suspects were charged in a 55-count indictment handed down by a DuPage County, Illinois grand jury October 12, a release from the DuPage County State’s Attorney’s office said. The fraud was allegedly run through PLM Title Co., which one suspect owned with the other suspect as a silent partner between November 2007 and April 2008, the release said. The indictment alleges the thefts took place during closings on new real estate purchases and refinancing transactions. According to the indictment, the new mortgage holder would wire money into a PLM Title escrow account, the release said. Instead of using the money to pay off the client’s former mortgage holder, the suspects would use it for personal expenses or business operating costs, the indictment said. Source:

12. October 14, Associated Press – (New York) Police: NYC officer shot bank robber in Manhattan. A knife-wielding robber targeted a bank in one of the busiest spots in Manhattan, New York October 14, his escape halted by a police officer’s bullet that sent pedestrians ducking for cover, police and witnesses said. A uniformed police officer who happened to be in the area saw the man in his 60s fleeing from the Chase Bank branch located next to entrances to Madison Square Garden and Pennsylvania Station and shot him in the leg, police said. The shooting happened in front of an Amtrak loading dock, down the block from a heavily trafficked stretch of street. The suspect was taken to a hospital, where he was conscious and speaking to doctors, police said. Source:

13. October 14, ABC News – (New York) As terror alert continues, NYPD holds drill to prep for Mumbai style attack. As U.S. officials proclaim an alleged European terror plot still active, New York City police conducted a drill October 14 that simulated a Mumbai, India-style attack on civilians on a crowded street in Manhattan’s financial district. The drill simulated an attack near Wall Street and Ground Zero, on a mock block that contained a department store, a hotel, and a federal regulatory agency. The New York police commissioner addressed the media before the drill which began with two large explosions. “This is what we do,” he explained. “We think the unthinkable.” The drill simulated multiple bombs and shooters, including a bomb under a vehicle, and police responded with helicopters, dogs, automatic weapons, and an armored car. In the immediate aftermath of the 2008 Mumbai assault that claimed 175 lives, the New York Police Department (NYPD) revised its tactics to deal with a terrorist commando assault. During October 14’s drill in the Bronx, heavily armed Emergency Service Unit officers were backed by officers from the Organized Crime Control Bureau (OCCB) trained to respond to such an attack. The OCCB officers are intended to beef up the NYPD response and prevent multiple simultaneous attacks from overwhelming the responding force. Source:

14. October 14, Gov Info Security – (International) Bugat is new malware of choice. Last week’s LinkedIn phishing attack did not deliver Zeus, the best-known and most widely distributed Trojan, malware researchers said, but instead delivered its less well-known cousin, Bugat. The move is significant, the researchers said, because the emergence of Bugat is an attempt by cyber criminals to diversify their attack tools, using a platform similar to Zeus but harder to detect. While Zeus, Clampi, and Gozi may be better-known malware, Bugat’s attack is similar, said a SecureWorks technical director for malware analysis. Bugat can function as a SOCKS proxy server, upload files from the infected computer to a remote server, or download and execute programs. The Bugat Trojan communicates with a command and control server from which it receives instructions and updates to the list of financial Web sites it targets. This communication can be encrypted to thwart traffic inspection tools. Malware researchers at Trusteer said the new version of the Bugat malware is used to commit online fraud. This version targets the Internet Explorer and Firefox browsers and harvests information during online banking sessions. The stolen online banking credentials are used to commit fraudulent ACH and wire transfer transactions, mostly against small to midsized businesses, resulting in high-value losses. Bugat is three times more common in the United States than in Europe, but its distribution is still fairly low. Source:

15. October 14, IDG News Service – (International) Europe’s ATM skimming attacks rise, but losses fall. European banks reported a record number of skimming attacks, in which payment card details were captured by criminals as bank customers tried to withdraw cash from ATMs. Banks reported 5,743 attacks in the first 6 months of 2010, according to the European ATM Security Team (EAST), a nonprofit group composed of national payment organizations, financial institutions, and law enforcement. The figure represents a record high since EAST first began keeping statistics in 2004. The number of attacks was 3 percent higher than in the second half of 2009, and up 24 percent over the first half of 2009. But despite the higher number of attacks, losses fell. Skimming losses were $202.1 million for the first half of this year, down 7 percent from the $216.9 million reported in the last half of 2009. The decline is likely due to a few factors, said the EAST coordinator who prepared the report. Nearly 95 percent of cash machines in the 31 countries of the Single European Payments Area (SEPA) are equipped for chip-and-PIN (Personal Identification Number) or EMV (Europay, MasterCard, Visa) cards. An EMV-compliant ATM will confirm the card’s PIN via the microchip before letting a transaction proceed. But most payment cards still have a magnetic stripe on the back containing the card’s account details, and that stripe is the target of fraudsters. By attaching an external recording device near where a bank card is inserted into an ATM, a fraudster can “skim” those details and encode them onto a dummy or clone card. Source:

16. October 14, Minneapolis Star Tribune – (Florida; Minnesota) SEC sues Florida hedge fund managers in Ponzi scam. On October 14, the Securities and Exchange Commission (SEC) charged two Florida-based hedge fund managers and their funds with defrauding investors out of $1 billion, or nearly one-third of the total losses in the $3.65 billion fraud that was carried out by another individual based in Minnesota. The two Palm Beach Capital Management fund managers were accused by the SEC in a civil action of violating federal securities laws by misleading investors about the quality and status of their funds invested with the alleged Ponzi scheme mastermind. The SEC complaint said the fund managers “pocketed” $58 million in fees between 2004 and 2008 while they were making the investments. Investors with Palm Beach Capital Management and an affiliate fund were characterized by the SEC as individuals, foundations, family trusts, and other hedge funds from across the United States. Source:

Information Technology

40. October 15, The Register – (International) Anonymous plants pirate flag on MPAA Web site. Hacktivists used DNS cache poisoning to deface a Motion Picture Association of America (MPAA) Web site, according to security analysts. The attack on — a MPAA Web site that reports violations of the copy protection controls on DVDs and Blu-ray discs — is the latest in a string of assaults against the entertainment business organized by the loosely affiliated Anonymous groups. The defaced page carried the logo of the Pirate Bay after the site itself was the victim of a DNS cache poisoning attack. “Someone managed to hijack the DNS registration for such that it points to an IP with their own web server displaying their own page,” said a security researcher. The server displaying the defacement is run by WareNet. It seems the organization was unwittingly roped into the attack and might itself have been a victim. “I wonder if the Anonymous folks are DDoS’ing WareNet to keep them distracted while they’re quietly using a server in WareNet’s second IP block for their own purposes,” the researcher added. Source:

41. October 15, Softpedia – (International) Serious vulnerability fixed in Ruby on Rails. The Ruby on Rails development team has released security updates for the Web application framework, which address a serious vulnerability facilitating unauthorized record manipulation. The issue stems from the way nested attributes were handled in the latest Ruby on Rails versions, 3.0.0 and 2.3.9. “An attacker could manipulate form parameters and make changes to records other than those the developer intended,” the official advisory explains. The vulnerability is identified as CVE-2010-3933 in the Common Vulnerabilities and Exposures database. Older versions of the framework are not affected because the bug was accidentally introduced in version 2.3.9. It is also present in the first stable release from the 3.0.x series, 3.0.0, which was launched at the end of August. Source:
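A simplified model of the nested-attributes bug described in this item and of the ownership check that closes it, written as an added example for this report rather than taken from Rails itself; the Address model, the AddressStore class and the sample data are assumptions.

```ruby
# Added example, not Rails's own code: a simplified in-memory model of the
# record manipulation bug described for CVE-2010-3933 (nested attributes in
# Rails 2.3.9 / 3.0.0) and of the ownership check that closes it.
# "Address" records belong to a "User"; updates arrive as nested form
# parameters shaped like Rails's *_attributes hashes. Model names, the store
# class and the sample data are assumptions constructed for this example.

Address = Struct.new(:id, :user_id, :street)

class AddressStore
  def initialize(addresses)
    @by_id = addresses.each_with_object({}) { |a, h| h[a.id] = a }
  end

  # Global lookup by primary key, the way an unscoped find behaves.
  def find(id)
    @by_id.fetch(Integer(id))
  end

  # Lookup restricted to one owner, the way an association-scoped find behaves.
  def find_for_user(user_id, id)
    record = @by_id[Integer(id)]
    unless record && record.user_id == user_id
      raise KeyError, "address #{id} does not belong to user #{user_id}"
    end
    record
  end
end

# Vulnerable handling: the "id" sent in the nested parameters is trusted and
# used for a global lookup, so any address id the client supplies is updated,
# whoever owns it. The current user is never consulted.
def update_addresses_vulnerable(store, _current_user_id, params)
  params.fetch("addresses_attributes").each_value do |attrs|
    store.find(attrs["id"]).street = attrs["street"]
  end
end

# Hardened handling: the id is resolved only among the current user's own
# addresses, so a foreign id is rejected before anything is written.
def update_addresses_safe(store, current_user_id, params)
  params.fetch("addresses_attributes").each_value do |attrs|
    store.find_for_user(current_user_id, attrs["id"]).street = attrs["street"]
  end
end

# Constructed scenario: user 1 owns address 10, user 2 owns address 20.
# User 1 submits a form whose hidden "id" field carries submitted_id.
# Returns the streets of addresses 10 and 20 after the request is handled.
def demo(handler, submitted_id)
  store = AddressStore.new([Address.new(10, 1, "1 Main St"),
                            Address.new(20, 2, "2 Other Ave")])
  params = { "addresses_attributes" =>
             { "0" => { "id" => submitted_id.to_s, "street" => "updated" } } }
  begin
    send(handler, store, 1, params)
  rescue KeyError
    # the hardened handler refuses an id outside user 1's addresses
  end
  [store.find(10).street, store.find(20).street]
end
```

Calling `demo(:update_addresses_vulnerable, 20)` shows user 2's address overwritten by user 1's request, while `demo(:update_addresses_safe, 20)` leaves it untouched.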

42. October 15, IDG News Service – (International) Google adds phishing alerts to network services. Google said October 14 it has added notification of phishing URLs to the e-mail warnings it sends to administrators. Despite advances in detecting the sites, there usually is a short window of time the site is active before it is either blacklisted or shut down. Google’s Chrome browser has the “safe browsing” technology built in, which will block users from going to potentially harmful Web sites on the blacklist. The notification can also be sent in an XML data format, which allows administrators to process the notification using scripts to automate other functions, wrote a Google security team member. Source:

43. October 15, Softpedia – (International) Facebook sued for exposing people’s names to advertisers. According to a complaint filed by two Facebook users in the California Northern District Court, the company knowingly violated its privacy policy by sharing personally identifiable information with advertisers. From February 2010, following a Web site update, Facebook began including user IDs and/or usernames in Referer headers, allowing advertisers to identify people who clicked on their ads. Both the user ID and the username can be used to access a person’s Facebook profile, which contains their name. Knowing these identifiers, advertising companies can build automated scripts to associate people with ad clicks. Source:

44. October 14, Softpedia – (International) Avira temporarily blocks Google, CNN and others. On October 14, Avira users were unable to access Google, CNN, and other popular Web sites, because of bogus detections triggered by the WebGuard component. “For a short time this morning (between 7a.m. and 8:45 a.m. MEST), some domains slipped through into our WebGuard filtering system which caused some users to not be able to visit some regular web sites,” the German antivirus vendor announced on its blog. Apparently, the links were improperly detected as phishing URLs by new filters introduced as a result of a recent spam campaign, which employed special techniques. The junk e-mails used HTML-based tricks to advertise rogue online pharmacies. They also included hidden links for several major Web sites like Google, Yahoo!, Amazon, or AOL, in an attempt to evade spam filters. Source:

45. October 14, The New New Internet – (International) Stuxnet spreads to Finland. Corporate espionage is spreading in Finland, and the country was recently targeted by the infamous Stuxnet worm, Finnish newspaper Helsingin Sanomat reports. The complex malware has been found in at least one institution that uses the industrial equipment targeted by the worm. It has not caused any damage. In addition, Finnish state institutions have also been attacked. According to the Finnish Security Police, spyware has been spreading both through e-mail and via USB flash drives. Source:

For more stories, see item 14 in the Banking and Finance Sector above and item 50 below in the Communications Sector

Communications Sector

46. October 15, SPAMfighter – (National) Security experts fear attack of Comcast botnet notification system. Security experts fear that U.S. Internet Service Provider (ISP) Comcast’s latest botnet notification system will be abused by hackers. In the coming months, Comcast will roll out a service called “Constant Guard” to all 16 million subscribers. Customers will receive information about the working of the Botnet Identification and Notification service, and about how hackers circulate malware through e-mails with harmful attachments and Web links that turn many infected systems into botnets. The botnets are then controlled to circulate spam or to launch distributed denial-of-service attacks against Web sites. Security experts are critical of Comcast’s plan, foreseeing it as an opportunity for fake AV/scareware hackers. A senior security advisor at Sophos cautions that such banners are already injected into sites and used to spam customers with messages leading them to standard fake AV installers. Customers who get a notice but are using a wireless router behind their cable modem will also not be able to figure out which system is infected with malware. The security experts suggested that ISPs who find infected machines on their networks disconnect the customer’s Internet access until the infection is properly cleaned up. This would reduce botnet traffic tremendously and could make users more aware of good security practices. Disconnecting Internet access would also immediately capture the user’s attention. Source:

47. October 14, PC Advisor UK – (International) Half of home Wi-Fi networks vulnerable to hacking. Nearly half of all home Wi-Fi networks in the U.K. could be hacked within 5 seconds, according to CPP. The life assistance company employed the services of an ethical hacker to roam six major cities and use specially developed software to identify home networks that were at risk of “Wi-Fi jacking.” Wi-Fi jacking involves hackers piggybacking on a net connection, which allows them to illegally download files, purchase illegal goods or pornography, or even sell stolen goods, without being traced. It also permits them to view the private transactions made over the Internet, providing them with access to passwords and usernames that can subsequently be used to commit identity fraud. CPP’s research revealed 40,000 home Wi-Fi networks were at risk. CPP also said that despite the fact 82 percent of Web users believe their Wi-Fi connection is secure, nearly a quarter of private wireless networks are not password protected. Furthermore, nearly one in five Web users said they regularly use public networks. During his research, the hacker was able to “harvest” usernames and passwords from users of the public Wi-Fi networks at a rate of more than 350 an hour. He also revealed more than 200 web users unsuspectingly logged onto a fake Wi-Fi network over the course of an hour during the experiment, putting themselves at risk from fraudsters who could harvest their personal and financial information. Source:

48. October 14, Associated Press – (West Virginia) State regulators to investigate recent FiberNet outage. State regulators plan to investigate a recent FiberNet phone outage that affected several West Virginia counties. The Kanawha County Commission requested the investigation in a letter sent October 11 to the Public Service Commission (PSC). In the letter, the county commission president said FiberNet did not notify Metro 911 or other agencies about the October 10 outage. He said a general review is needed of all telephone landline providers’ notifications to public safety agencies during significant outages. The PSC said in an order issued October 13 that it will investigate the matters set forth in the county’s letter. FiberNet issued an apology to customers October 11. Source:

49. October 13, WLS 7 Chicago – (National) FBI agent warns of Wi-Fi cyber-theft. For the first time in Internet history, free Wi-Fi hot spots in the United States outnumber the sites where people have to pay for access. The FBI is warning this may actually be bad news for computer users. The latest market research reveals there are more than 71,000 wireless hotspots in the United States, a list that is growing each day. Chicago has almost 800 sites, just behind New York and San Francisco. The FBI’s top cyber-security agent in Chicago warns that when one connects at the corner coffee shop, electronic thieves may be lurking. “Using coffee shop wireless or free Wi-Fi or especially hotel Internet is not safe,” said a Special Agent of the FBI cyber-security unit. “You shouldn’t be checking your personal emails and you definitely shouldn’t be checking your personal bank accounts. Unless you are going to go ahead and change an email password as soon as you return home. They’re unsecure. A lot of people just sit on them and they collect information and they’re just looking for you to log into your bank account or they’re looking for you to log into your emails and they’re going to look through there to see if there is anything that can be used against you,” he said. Source:

50. October 11, SPAMfighter – (International) U.K. domain registrar targeted by mass injection attack. Security firm Sucuri (a provider of Web integrity monitoring solutions and an operator of a Web site malware scanner) has reported a new mass injection attack that infected many Web sites hosted at, one of the biggest domain providers in the U.K. Malicious code embedded in these sites directs visitors to scareware. In the past few days, Sucuri has found many sites compromised with the same code that was used to inject malicious JavaScript into many sites hosted at Go Daddy. All of them include JavaScript that loads malware (the infamous fake AV). The attack redirects users of the compromised Web sites to a scareware page that impersonates an anti-virus scan and displays fake alerts about malware infections on their machines. The objective of this trick is to scam users into downloading and installing a rogue anti-virus program, which further bombards users’ machines with fake alerts and warnings to persuade them to buy a license. Users who purchase the license will not only pay a great deal for a worthless application, but will also compromise their credit card details in the process. Remarkably, the domain is not blacklisted. Hence, it has the ability to infect a very large number of computers, particularly ones with outdated AV signatures and definitions. Source: