Tuesday, October 19, 2010

Complete DHS Daily Report for October 19, 2010

Daily Report

Top Stories

•According to Homeland Security Newswire, several federal agencies are working with first responders and the U.S. military to create the first nationwide standard for minimum bomb suit performance requirements. (See item 48)

48. October 15, Homeland Security Newswire – (National) Uniform bomb suits standard being developed. Federal agencies are looking to protect the first responders and soldiers who check out and defuse potentially explosive devices with improved bomb suits. Bomb suit manufacturers run tests on their protective suits to ensure they can withstand an explosion, but there currently is no single set of requirements that the suits must meet before they can be sold. TechNewsDaily reported that several federal agencies are now working with first responders to create the first nationwide standard for minimum bomb suit performance requirements. To develop the standard, federal agencies first researched the most common types of explosives bomb squads encounter, according to the deputy director of the Office of Standards at DHS’s Science and Technology Directorate (S&T) Test & Evaluation and Standards Division. Personnel at the U.S. Army Natick Soldier Research Development and Engineering Center blew up, burned, and projected fragments at suits to determine what kinds of tests the suits would need to pass to ensure they protect bomb technicians adequately. Having a standard will give some assurance of quality to DHS and other agencies that award grants to bomb squads for equipment purchases. If the standard is adopted, DHS will change its grants process to ensure awards are spent on bomb suits that meet the requirements. Source: http://homelandsecuritynewswire.com/uniform-bomb-suits-standard-being-developed

•Homeland Security Newswire reports the U.S. government is reviewing an Australian program that would allow Internet service providers to alert customers if their computers were taken over by hackers, and could limit online access if people do not fix the problem. See item 57 below in the Communications Sector

Details

Banking and Finance Sector

13. October 18, WDTN 2 Dayton – (Ohio) Suspicious package found outside bank. The Dayton Bomb Squad was called to downtown Xenia, Ohio October 18 after a suspicious package was found outside a bank. A witness told police he saw someone leaving a container with foil and rubber bands on it outside the Huntington Bank on North Detroit Street. The bomb squad was called out to investigate and the intersection was shutdown for several hours. The contents were later determined to be pedialyte for cats, a substance to help keep cats hydrated. Source: http://www.wdtn.com/dpp/on_air/sunrise/suspicious-package-found-outside-bank

14. October 16, 7th Space Interactive – (New Jersey) Former CEO pleads guilty in New Jersey to $11 million fraudulent loan scheme. The former CEO of Worldwide Financial Resources, a New Jersey-based mortgage origination firm, pled guilty October 16 to wire fraud in connection with an $11 million fraudulent loan scheme, a U.S. attorney announced. The 45-year-old suspect entered his guilty plea before the United States District Court Judge to an information charging him with wire fraud. Worldwide worked with borrowers to prepare mortgage applications and qualify borrowers for home mortgages. After originating loans, Worldwide would re-sell them to another financial institution in the secondary mortgage marketplace. The suspect admitted he prepared and sold fake mortgage loans from 2008 through September 2009. Specifically, after Worldwide originated a loan and sold it to a third-party lender, the suspect would create a second set of fake loan documents for the same property. He would then sell those fake documents to another third-party lender, even though the actual mortgage loan for that property already had been sold. Source: http://7thspace.com/headlines/360419/former_ceo_pleads_guilty_in_new_jersey_to_11_million_fraudulent_loan_scheme.html

15. October 16, Computerworld – (National) Zeus botnet gang targets Charles Schwab accounts. Criminals are using a Zeus botnet to pillage Charles Schwab investment accounts, a security researcher said October 15. The attacks show that while authorities were arresting more than 100 members of one Zeus gang, rivals were adding lucrative investment accounts to their usual targets of online banks. “They’re expanding their horizons,” said a project manager for cybersecurity and threat research at Sunnyvale, California-based Fortinet. After sneaking onto a PC via an exploit, the Zeus bot watches for, then silently captures log-in credentials for a large number of online banks, as well as usernames and passwords for Schwab accounts. The attack code also injects a bogus form that asks victims to provide additional information the thieves can later use to confirm that they are the legitimate owner of the Schwab investment account. The security researcher speculated that the criminals based the original infection on fake LinkedIn messages because they expected a high correlation between LinkedIn membership and investment account ownership. Source: http://www.computerworld.com/s/article/9191479/Zeus_botnet_gang_targets_Charles_Schwab_accounts

16. October 15, San Diego Union Tribune – (California) Scruffy bandit hits 2 San Diego banks. A robber with a scruffy beard apparently hit two banks in 20 minutes in San Diego, California October 15, police said. The robber held up a Wells Fargo bank on Montezuma Road in the College area about 4:40 p.m. by showing a teller a note demanding cash, a police spokesman said. Witnesses described the robber as white, possibly in his 40s, 5 feet 9 inches tall, 170 pounds, with a scruffy, short beard, and wearing a blue hat, blue sweat shirt, and jeans. At 5 p.m., a man of similar description robbed Bank of America on Mission Gorge Road in Grantville, again using a demand note, the police spokesman said. Source: http://www.signonsandiego.com/news/2010/oct/15/scruffy-bandit-hits-2-san-diego-banks/

17. October 15, The Register – (International) ZeuS baddies copy Conficker tactics. Variants of the infamous ZeuS cybercrime toolkit have begun using the tactics of the infamous Conficker worm in a bid to get ahead of security defenses. The so-called Licat worm, which is “strongly linked” to ZeuS, represents a likely attempt to reinforce botnets following recent arrests of suspected bank fraud money mules, as well as hackers tied to ZeuS in the U.K., United States and Ukraine over the last month or so. Licat infects .EXE, .DLL and .HTML files on infected systems. The malware also generates around 800 pseudo-random domains a day, which it contacts in order to attempt to download new malware code. A security consultant at Trend Micro told El Reg that the latter phone-home technique was most notably applied by Conficker, and new for variants of ZeuS. The Licat-A malware strain targets a number of U.K. banks, including Barclays, HSBC, and Alliance & Leicester. Source: http://www.theregister.co.uk/2010/10/15/zeus_conficker_assault/

18. October 15, Reuters – (National) Mozilo settles Countrywide fraud case at $67.5 million. The former Countrywide chief agreed to a settlement of $67.5 million October 15 to resolve charges of duping the home lender’s investors while lining his own pockets, but Bank of America Corp. will pick up two-thirds of the tab. The flamboyant poster boy of the subprime mortgage market’s boom and bust struck a last-minute deal with the U.S. Securities and Exchange Commission before his trial on civil fraud charges was to start the week of October 18. The most prominent executive charged by regulators with wrongdoing linked to the housing market collapse, the former CEO October 15 became the recipient of the highest fine ever dished out to a public corporation executive. Some would argue the former CEO — accused of hiding risks in Countrywide’s portfolio, then selling off stock before it became public — is getting off lightly, amid outrage over the financial industry’s role in bringing about the crisis. Source: http://www.reuters.com/article/idUSTRE69E4KN20101016

19. October 15, Reno Gazette-Journal – (Nevada) 20-year-old tells police he robbed Wells Fargo bank in Reno. A suspect in the October 14 robbery of the Wells Fargo at 200 S. Virginia St. in Reno, Nevada was arrested October 15 after he told police he wanted to turn himself in, authorities said. The suspect was interviewed by FBI agents and Reno detectives. “He described intimate details of the crime not released to the public,” Reno police said in a statement. “He said that he believed he was going to be captured and therefore, decided to turn himself in.” The suspect was arrested and charged with armed robbery and a bomb threat-related count. About 9:50 a.m. October 14, a man walked into the bank and said he had an explosive device, although no bomb was seen, police said. He displayed no other weapons. Source: http://www.rgj.com/article/20101015/NEWS01/101015062/1321/NEWS/20-year-old-tells-police-he-robbed-Wells-Fargo-bank-in-Reno

Information Technology

50. October 18, Reuters – (International) Firms lose more to electronic than physical theft. Companies for the first time report they are losing more through electronic theft of data than physical stealing of assets, risk consultancy Kroll said October 18 in an annual report on international fraud trends. Fraud was most often an “inside job” carried out by a company’s own employees, the poll of more than 800 senior executives worldwide showed. The 2010 study showed the amount lost by businesses to fraud rose to $1.7 million per billion dollars sales worldwide from $1.4 million a year earlier, the report said — although this might in part be due to better detection and awareness. Previous Global Fraud Reports showed physical theft of cash, assets, and inventory as the most widespread form of fraud by a considerable margin. This year’s findings showed electronic and information theft at 27.3 percent of total fraud losses, marginally above physical theft at 27.2 percent. Information-based industries. particularly financial services, had by far the highest level of electronic theft followed by professional services and then technology, media, and telecoms. Source: http://www.reuters.com/article/idUSTRE69H25820101018

51. October 18, Wall Street Journal – (International) Facebook in privacy breach. Many of the most popular applications, or “apps,” on the social-networking site Facebook Inc. have been transmitting identifying information — in effect, providing access to people’s names and, in some cases, their friends’ names — to dozens of advertising and Internet tracking companies, a Wall Street Journal investigation has found. The issue affects tens of millions of Facebook app users, including people who set their profiles to Facebook’s strictest privacy settings. The practice breaks Facebook’s rules, and renews questions about its ability to keep identifiable information about its users’ activities secure. The problem has ties to the growing field of companies that build detailed databases on people in order to track them online. It is unclear how long the breach was in place. On October 17, a Facebook spokesman said it is taking steps to “dramatically limit” the exposure of users’ personal information. Source: http://online.wsj.com/article/SB10001424052702304772804575558484075236968.html

52. October 18, DarkReading – (International) Newly discovered evasion method for targeted attacks silently bypasses network, application security. CERT-Finland has reported a newly discovered technique that evades network and security devices — namely IDS/IPS systems, could also work against network firewalls and Web application firewalls — and lets attackers sneak in and conduct targeted attacks against an enterprise network. The threat, which was discovered by researchers at Stonesoft’s Helsinki labs, is based on vulnerabilities inherent in several vendors’ IDS/IPS products, according to CERT-Finland, which has alerted the affected IDS/IPS vendors. The names of the vendors and their products have not been released publicly. The head of vulnerability coordination at CERT-FI, which first issued an alert on the threat October 4, will update its vulnerability alert on the threat October 18. “[The attack method] takes advantage of the fact that the TCP protocol allows conservative creation of packets, but liberal receiving of packets,” said the director of U.S. product management at Stonesoft. He said it lets the attacker work his way inside the network without being noticed. Source: http://www.darkreading.com/security/perimeter/showArticle.jhtml?articleID=227900122

53. October 18, V3.co.uk – (International) F-Secure blocks spying app for Windows and Android. F-Secure is blocking a sophisticated mobile phone spying application, despite being ambivalent about the creator’s motives. Phone Creeper is a Windows Mobile application that lets an outside user access a mobile phone’s calls, SMS logs, contacts, calendar information, and GPS data that tracks location. The developer has said an Android version will be released shortly. “This is a phone espionage suite. It can be silently installed by just inserting an SD card with the files below on it,” said the Phone Creeper creator from XDA-Developers in the latest update. However, in an ethical statement, he said he created the code to show what was possible with the handset, and because it was fun to develop something unique. He said he will work with other XDA developers to find a solution to blocking the flaws and will release it as open source code. F-Secure said it is blocking the application with its mobile security software because of its functionality, but does not believe the creator’s motives are in question. Source: http://www.v3.co.uk/v3/news/2271661/f-secure-blocks-mobile-spying

54. October 15, Softpedia – (International) Destructive trojan poses as Microsoft Stuxnet removal tool. Security researchers from Symantec warn that a destructive Trojan virus, which wipes all data from the system partition, poses as a Stuxnet removal tool developed by Microsoft. The Trojan — which Symantec has named Trojan.Fadeluxnet — has no apparent monetary motives behind it. It was being passed around on forums where people discussed Stuxnet clean-up solutions, suggesting that it might target the worm’s victims. It comes with a name of “Microsoft Stuxnet Cleaner,” in a likely attempt to leverage Microsoft’s known active involvement in Stuxnet research. When executed, it makes registry modifications to prevent exe, mp3, jpg, bmp and gif files from opening. And as if that does not cripple the system enough, it also starts deleting all files from the system partition. “The tool will certainly remove Stuxnet if it was on the C drive, but it will also take with it any other content including your valuable data,” a researcher at Symantec warned. Source: http://news.softpedia.com/news/Destructive-Trojan-Poses-as-Microsoft-Stuxnet-Removal-Tool-161290.shtml

55. October 15, SC Magazine UK – (International) Underground development of malware leads to ‘Crimeware-as-a-Service’ model. According to a report by CA Technologies’ Internet security business unit, “Crimeware-as-a-Service” is now an emerging trend, with almost all Trojans (96 percent) now developed as a result of this tactic. It claimed that cyber criminals are also increasingly reliant on cloud-based Web services and applications, such as Google Apps, Flickr and Microsoft Office Live, as well as real-time mobile Web services to target general users. The report said that Crimeware-as-a-Service is an on-demand and Internet-enabled service that highlights cloud computing as a new delivery model and is primarily designed to target data and identity theft. The report also named rogue anti-virus as a notable threat and trend of 2010, specifically when the “scareware” uses a template that constructs its product name based on the infected system’s Windows operating system. Source: http://www.scmagazineuk.com/underground-development-of-malware-leads-to-crimeware-as-a-service-model/article/181025/

56. October 13, IT Pro – (International) Hackers waiting for IP addresses to run out. U.K. businesses should prepare for the day when the current generation of IP addresses runs out as the shift to new systems could leave them open to attack. This was the warning of MWR InfoSecurity, which has suggested the Internet Assigned Numbers Authority is running out of addresses that it can issue. Hackers have been watching the situation closely and looking at ways they can exploit companies when firms have to link their old IPv4 systems with the new protocol IPv6. “The UK will run out of addresses in the existing IPv4 system some time in the next 300 days and the rest of the world is not far behind,” explained the managing director of InfoSecurity. “Addresses will then have to be issued in a new protocol IPv6. The problem is that the old systems will not talk to the new ones and vice-versa easily. Firms will have to put in middlemen to link current and new systems and this will increase the risk of attack and business complication hugely.” Thus far, only limited investment has gone into migration to the new address system and not many businesses have quite grasped the severity and proximity of the problem, according to the managing director of InfoSecurity. Source: http://www.itpro.co.uk/627655/hackers-waiting-for-ip-addresses-to-run-out

For another story, see item 57 below in the Communications Sector

Communications Sector

57. October 18, Homeland Security Newswire – (International) U.S. considering Aussie Internet security program. The U.S. government is reviewing an Australian program that will allow Internet service providers to alert customers if their computers are taken over by hackers, and could limit online access if people do not fix the problem. Presidential administration officials have met with industry leaders and experts to find ways to increase online safety while trying to balance securing the Internet and guarding people’s privacy and civil liberties. ReportersLive reported that experts and U.S. officials are interested in portions of the plan, set to go into effect in Australia in December 2010. Any move toward Internet regulation or monitoring by the U.S. government or industry, however, could trigger fierce opposition from the public. The discussions come as private, corporate, and government computers across the United States are increasingly being taken over and exploited by hackers and other computer criminals. The White House cybercoordinator told the Associated Press that the United States is looking at a number of voluntary ways to help the public and small businesses better protect themselves online. Possibilities include provisions in the Australia plan that enable customers to get warnings from their Internet providers if their computer gets taken over by hackers through a botnet. Source: http://homelandsecuritynewswire.com/us-considering-aussie-internet-security-program

58. October 18, Homeland Security Newswire – (National) Collaborators sought for emergency communications network demo. The U.S. National Institute of Standards and Technology (NIST) and the National Telecommunications and Information Administration (NTIA) are seeking partners in the telecommunications industry to help create a demonstration broadband communications network for the U.S. emergency services agencies. The demonstration network, currently being developed by the joint NIST-NTIA Public Safety Communications Research (PSCR) program, will provide a common site for manufacturers, carriers, and public safety agencies to test and evaluate advanced broadband communications equipment and software tailored specifically to the needs of emergency first responders. Alcatel-Lucent is the first vendor of public safety broadband equipment to formally join the PSCR demonstration network project, signing a Cooperative Research and Development Agreement (CRADA) with NIST and NTIA in September 2010. The two agencies hope that other companies will follow suit, creating a multivendor environment for testing and evaluating the demonstration network, as well as the eventual building of the system. Partners may participate in many ways, such as donating equipment, providing access to infrastructure, or supporting tests. PSCR provides objective technical support — research, development, testing, and evaluation — in order to foster nationwide public safety communications interoperability. Source: http://homelandsecuritynewswire.com/collaborators-sought-emergency-communications-network-demo

59. October 18, Broadband Genie – (International) Chilean miner rescue caused surge in broadband use. It has been reported that the recent rescue of 33 Chilean miners caused a surge in broadband usage, which had a knock on effect on businesses. The rescue mission was being closely followed around the world, with people watching what was going on via their televisions, radios, and via the Internet. According to data, the demand for broadband in the U.K. was much higher during the rescue mission, as many people went online using their PCs, laptops, and even smart phones in order to see what was happening and keep on top of developments. Many people were logging onto sites such as BBC and MSN news to see what was going on, and some were streaming news directly to their computers. The surge in broadband began October 13, as interested consumers quickly went online to try and see what was happening with the rescue mission as developments unfolded. The demand for high speed streaming during the rescue mission surged to a point where it affected businesses, and also put additional strain on Internet provider networks. Source: http://www.broadband-expert.co.uk/blog/broadband-news/chilean-miner-rescue-caused-surge-in-broadband-use/779912

For another story, see item 56 above in the Information Technology Sector