Thursday, October 21, 2010

Complete DHS Daily Report for October 21, 2010

Daily Report

Top Stories

•Today’s Sunbeam reports that for the first time in more than 7 years, all three reactors at PSEG Nuclear’s Artificial Island generating complex in Lower Alloways Creek Township, New Jersey were off line at the same time October 17. (See item 7)

7. October 19, Today’s Sunbeam – (New Jersey) All 3 Artificial Island reactors shut down at same time for first time in more than seven years. For the first time in more than 7 years, all three reactors at PSEG Nuclear’s Artificial Island generating complex in Lower Alloways Creek Township, New Jersey were off line at the same time October 17. An outage at one of the plants had been scheduled, but the shutdowns at the other two were unplanned and are both being blamed on a problem with voltage regulators on the non-nuclear side of the facilities. “We will conduct a review to look at that piece of equipment and there will be a thorough examination of both reactor trips and what led up to them,” a spokesman for PSEG Nuclear said October 18. The utility’s Hope Creek reactor was shut down at 8 p.m. October 15 for a planned refueling outage. Later on October 15, at 11:21 p.m., Salem Unit I automatically tripped off line, according to the spokesman. The shutdown was caused by a problem with a voltage regulator which controls the amount of power being sent out over the regional power grid. Operators of the grid had requested a reduction in the amount of power coming from the plant, and Salem 1 control room operators had manually taken control of the regulator just before the shutdown occurred, the spokesman said. Source: http://www.nj.com/sunbeam/index.ssf?/base/news-7/1287471008318730.xml&coll=9

•Federal investigators said they have evidence an Oregon defense contractor sold phony replacement parts to the military that could cause attack helicopters to crash, according to the Associated Press. (See item 15)

15. October 18, Associated Press – (Oregon) Oregon company target of helicopter parts probe. Federal investigators said they have evidence an Oregon defense contractor sold phony replacement parts to the military that could cause attack helicopters to crash. In affidavits filed in federal court in Eugene, U.S. Department of Defense investigators said they have evidence Coos Bay-based Kustom Products Inc. and related companies sold fake replacement parts to the military. The affidavits said the companies provided lock nuts meant for tanks and trucks in place of more expensive and differently designed lock nuts that secure the rotors on Kiowa attack helicopters. Source: http://www.businessweek.com/ap/financialnews/D9IUDSCO0.htm

Details

Banking and Finance Sector

16. October 20, WMBF 13 Myrtle Beach – (National) FBI warning targets work-from-home schemes. The FBI issued a consumer warning October 13 as thousands of consumers continue to lose money to work-from-home scams. Officials claim scam victims are often recruited by organized cybercriminals through a variety of outlets, ranging from newspaper ads to online employment services and unsolicited e-mails. Once a person is recruited for the job, officials said, the consumer often becomes a “mule” used by cybercriminals to steal and launder money. Now, federal officials are warning consumers to be on the lookout for these types of scams and to take precautions to avoid becoming a victim. Those looking for work are asked to be wary of work-from-home opportunities and to research a company before signing on for work. Source: http://www.wmbfnews.com/story/13355810/fbi-warning-targets-work-from-home-schemes

17. October 20, msnbc.com – (National) FBI stepping into foreclosure-document mess. The foreclosure-document crisis just keeps on growing, and now the FBI is getting into the fray. A federal law enforcement official told the Associated Press the agency is in the initial stages of trying to determine whether the financial industry may have broken criminal laws in the mortgage foreclosure crisis. The official said the question is whether some in the industry were acting with criminal intent or were simply overwhelmed by events in the wake of the housing market’s collapse. The official spoke on condition of anonymity because the investigation is just getting under way. Big lenders are trying to move past the foreclosure-document crisis, saying they are now confident their paperwork is accurate. But they are facing so much organized resistance that they cannot just snap up their briefcases, declare the crisis over and move on. Consider the opposition: (1) Attorneys general in all 50 states are jointly investigating whether lenders violated state laws; (2) Lawyers for evicted homeowners are preparing lawsuits against major lenders; (3) State judges have signaled they will review the banks’ foreclosure documents with skepticism; and (4) Lawmakers on Capitol Hill plan to hold hearings. Source: http://www.msnbc.msn.com/id/39757497/ns/business-real_estate/

18. October 19, Associated Press – (Maryland) Md. court approves emergency rules on foreclosures. An emergency measure approved October 19 by a Maryland court clarifies what methods state courts can use to review the paperwork behind foreclosures, including bringing in attorneys to explain questionable documents, and hiring outside experts to examine them at a bank’s expense. The measure approved by the state’s highest court spells out how state judges can review foreclosures and stop them if the documents are found to be invalid. However, it is still up to individual judges to decide how to use the tools. The head of the state judicial committee that drafted the measure told the court of appeals that it will send a clear message that courts will scrutinize paperwork. “Nothing in this rule mandates any particular action by the court,” said the chairman of the Maryland Standing Committee on Rules of Practice and Procedure. “This flexibility is essential, because the context and circumstances may be different from case to case.” Unfair foreclosure practices are being investigated around the country because of questionable paperwork. Preliminary audits have found that hundreds of bogus affidavits have been filed in Maryland courts. Source: http://www.forbes.com/feeds/ap/2010/10/19/general-md-foreclosure-mess-maryland_8026823.html?boxes=Homepagebusinessnews

19. October 19, KPTV 12 Portland – (Oregon) Reward offered in strolling hat bandit case. The Oregon Financial Institutions Security Taskforce and the FBI are offering a combined reward of up to $6,000 for information leading to the arrest of a woman believed to be robbing banks in the Eugene area. Investigators have nicknamed her the “Strolling Hat” bandit because she has worn a hat in each of the three robberies that have occurred. The robberies took place over the last 3 weeks. In each case, the woman walked into the bank, approached a teller, demanded cash and left with an undisclosed amount of money. Witnesses describe her as being white with shoulder-length brown and/or dyed maroon hair. Investigators believe the robber is in her late teens to early 20s, between 5 feet 2 inches and 5 feet 6 inches, and between 110 and 125 pounds. The FBI and the Eugene Police Department are working together on the investigation. Source: http://www.kptv.com/news/25440889/detail.html

20. October 19, Northwest Cable News – (Washington) ‘Bicycle Bandit’ accused of stealing $17,000 from Spokane bank. Spokane, Washington police released the identity of the alleged “Bicycle Bandit,” the man suspected of robbing half a dozen banks around Spokane over the last year. Police say he is a 33-year-old. The suspect was arrested October 14 after allegedly robbing the Washington Trust Bank near Francis and Ash. He was on a bicycle when he was hit by a Spokane police sergeant’s patrol car on his way to the crime scene. Police said a witness saw a gun fly out of the victim’s hand after he was hit, and the witness kicked the gun away while the officer made the arrest. The suspect appeared in U.S. District Court in Spokane October 15. According to federal court documents, he forcibly took approximately $17,479.30 from the Washington Trust Bank October 14 and put the bank tellers in danger by pointing a handgun at them. The suspect is also being investigated for six other robberies, starting in December. Police and the FBI have been tracking the “Bicycle Bandit” for months. In each robbery, tellers reported the suspect got away on a bicycle. Source: http://www.nwcn.com/news/washington/Bicycle-Bandit-accused-of-stealing-17000-from-Spokane-bank-105296933.html

21. October 18, Reuters – (North Carolina; New York) Man pleads guilty in $80 million ATM Ponzi scheme. A man pleaded guilty October 18 to helping orchestrate what prosecutors called an $80 million Ponzi scheme that lured victims into investing in automated teller machines that were never purchased. The suspect, a Raleigh, North Carolina resident, pleaded guilty in federal court in Manhattan, New York to nine counts of wire fraud and one count of conspiracy, his lawyer said. The suspect is in custody and could face 8 to 10 years in prison when he is sentenced January 20, the lawyer said. The defendant also agreed to forfeit $50 million, court records show. Prosecutors in September 2009 accused the suspect and a co-defendant of soliciting investments for the purchase of about 4,000 ATMs, promising that the machines would generate fees from cash withdrawals. In fact, about 3,600 of the ATMs did not exist or were never owned by the suspects, and the men used proceeds to enrich themselves and further their scheme, prosecutors said. Source: http://www.reuters.com/article/idUSTRE69H5AD20101018

For another story, see item 53 below in Information Technology

Information Technology

52. October 20, Softpedia – (International) Fake Firefox and Chrome warning pages distribute malware. Security researchers warn a new malware distribution campaign uses fake versions of the malicious site warnings commonly displayed by Firefox and Google Chrome. Both Chrome and Firefox tap into Google’s Safe Browsing service to check if the accessed URLs are known attack sites. Security researchers from F-Secure now warn malware pushers are increasingly abusing the trust users associate with these warnings to infect them. Malicious Web sites that mimic both Firefox’s “Reported Attack Page” alert, as well as Chrome’s “this site may harm your computer” warning, have been spotted. The pages look exactly the same as the real thing, except for a button that reads “Download Updates,” suggesting that security patches are available for the browsers. The executable files served when these buttons are pressed install rogue antivirus programs, which try to scare users into paying a license fee. However, the users who land on these latest sites discovered by F-Secure are also exposed to drive-by downloads via a hidden IFrame, which loads the Phoenix exploit kit. Source: http://news.softpedia.com/news/Fake-Firefox-and-Chrome-Warning-Pages-Distribute-Malware-162022.shtml

53. October 20, Trusteer – (International) Trusteer reports hackers improve Zeus Trojan to retain leadership in crimeware race. Trusteer reported October 20 it has captured and analyzed a new version (2.1) of the Zeus financial malware. New capabilities include: URL matching based on a full implementation of the Perl Compatible Regular Expressions (PCRE) library. This allows much more flexibility for Zeus’s configuration to define targets. The injection mechanism now uses sophisticated regular expressions based on PCRE as well, which helps avoid detection. Zeus now has a fine-grained “grabbing” mechanism, again based on PCRE, which can extract very specific areas of the page (e.g. the account balance) and report them to the Command & Control (C&C) host. As other researchers have already pointed out, Zeus 2.1 completely changed the way it communicates with its C&C servers: it now carries a daily list of hundreds of C&C hostnames, through which it cycles until it finds a live one, a considerable improvement over the previous scheme. Zeus has added a 1024-bit RSA public key, which will probably be used for one-way encryption of data and for authenticating the C&C server to Zeus clients. Source: http://www.trusteer.com/company/press/trusteer-reports-hackers-improve-zeus-trojan-retain-leadership-crimeware-race

54. October 20, CNET News – (International) China pledges to crack down on pirated software. The Chinese government is starting a new campaign against the production and distribution of counterfeit and pirated software and DVDs, according to the country’s official news service. Citing comments made at a state council meeting at which the Chinese premier presided, the Xinhua News Agency reported the week of October 18 that the goal is to clamp down on both the import and export of phony software, DVDs, publications, and other products that violate trademarks and patents. Scheduled to start the end of October, the campaign will run for 6 months and will also target Internet piracy and fake goods sold online. The news report said the government would “mete out stern punishment to businesses involved in the import and export of such goods.” To launch the new initiative, Chinese government agencies have been ordered to use only authorized software, said Xinhua. Source: http://news.cnet.com/8301-1023_3-20020138-93.html

55. October 20, Softpedia – (International) Fake Battle.net emails direct gamers to phishing site. Security researchers from McAfee warn that gamers are targeted in new Battle.net and World of Warcraft phishing campaigns, which produce very convincing e-mails purporting to come from Blizzard. The attack comes in the form of fake e-mail address change notifications, which attempt to scare users into logging in on a fake Battle.net site. The messages come with a subject of “New Request Notification - Change the Login Address.” Clicking on the link takes users to a fake Battle.net log-in page, hosted on a domain that is not associated with Blizzard Entertainment. Source: http://news.softpedia.com/news/Fake-Battle-net-Emails-Direct-Gamers-to-Phishing-Site-161987.shtml

56. October 19, Softpedia – (International) Phishers target Xbox players via fake Gamertag changer. Security researchers from Sunbelt warn that phishers are trying to steal Live IDs from Xbox users, through a fake program which promises a free Gamertag change. According to a senior threat researcher at Sunbelt (now part of GFI Software), there is a program called “Gamertag Changer” going around that does nothing more than steal Windows Live credentials from Xbox gamers. The application claims that it will file numerous complaints regarding the user’s Gamertag in order to trigger an automatic change from the system. Users who fall for the trick and input their credentials will see a message asking them to leave the application open for at least 2 minutes and then try to re-login on Xbox LIVE. Meanwhile in the background, the program sends the captured Gamertag, Live ID, and password to an e-mail address controlled by the phisher. Source: http://news.softpedia.com/news/Phishers-Target-Xbox-Players-via-Fake-Gamertag-Changer-161812.shtml

57. October 19, Computerworld – (International) Mozilla quashes 12 Firefox bugs. Mozilla patched 12 vulnerabilities in Firefox, including a second patch for a “binary planting” problem in Windows that researchers publicized last year. Two-thirds of the vulnerabilities patched October 19 were rated “critical.” Of the remaining vulnerabilities, two were labeled “high” and one each was judged “moderate” and “low.” Some have dubbed the “binary planting” problem “DLL load hijacking.” The flaw existed in Windows applications that do not call DLLs (dynamic-link libraries) or executable files using a full path name. Instead, they rely on the filename alone. That reliance can be exploited by attackers, who can trick the program into loading a malicious file with the same name as a required DLL or executable. Source: http://www.computerworld.com/s/article/9191958/Mozilla_quashes_12_Firefox_bugs

58. October 19, The H Security – (International) Trojan trouble at Lenovo. Lenovo’s Web site for service and support-related training is infected and is spreading the hackload.AD trojan. Although Lenovo was informed of the issue October 18, the vendor appears to have difficulties with solving the problem or even officially warning its users. At least the page has now been marked as dangerous in Google’s Safe Browsing API, which allows browsers such as Firefox or Chrome to block the page. The virus scanners by ESET, Kaspersky, and Avast all reportedly now detect the attack and prevent an infection from the site. First analyses have shown that the trojan is retrieved from an external server via a link to some JavaScript code in the Lenovo page. However, it remains unclear whether the link, which leads to a marketing firm, was injected by criminals in order to act as a retrieval mechanism for the malicious code. The code for loading the trojan uses a multi-stage approach and tries to obscure the actual origin of the malware. Source: http://www.h-online.com/security/news/item/Trojan-trouble-at-Lenovo-1110581.html

59. October 19, The H Security – (International) Root privileges through vulnerability in GNU C loader. A vulnerability in the library loader of the GNU C library can be exploited to obtain root privileges under Linux and other systems. Attackers could exploit the hole, for instance, to gain full control of a system by escalating their privileges after breaking into a Web server with restricted access rights. Various distributors are already working on updates. The loading of dynamically linked libraries when starting applications with Set User ID (SUID) privileges has always been a potential security issue. The new problem is rooted in the way in which the loader expands the $ORIGIN variable submitted by the application. While the researcher who discovered the hole said that the ELF specification recommends that the loader ignore $ORIGIN with SUID and SGID binaries, it appears that the glibc developers have not implemented this recommendation. Using various tricks involving hard links, redirected file descriptors, and environment variables, the researcher managed to exploit the vulnerability and open a shell at root privilege level. According to the researcher’s tests, at least glibc versions 2.12.1 under Fedora 13, and 2.5 under Red Hat Enterprise Linux 5, are vulnerable. Source: http://www.h-online.com/security/news/item/Root-privileges-through-vulnerability-in-GNU-C-loader-1110182.html

For another story, see item 62 below in the Communications Sector

Communications Sector

60. October 19, Bloomberg – (National) U.S. lawmakers request FCC to review China’s Huawei, ZTE. U.S. lawmakers asked the Federal Communications Commission (FCC) to review the security risks of domestic companies ordering network equipment from China’s Huawei Technologies Co. and ZTE Corp. The Chinese companies are in “active” discussions to supply at least two U.S. companies, Sprint Nextel Corp. and Cricket Communications Inc., an Arizona Senator wrote in a letter co-signed by three other lawmakers October 18. It is at least the second time in 2 months that U.S. lawmakers have prodded the Presidential administration to review the risks of buying Chinese telecommunications equipment. Eight U.S. lawmakers August 18 warned that a Sprint contract with Huawei would “undermine U.S. national security.” In September, the Chinese equipment maker said it hired a U.S. company to audit its programs and allay security concerns as it seeks greater market access. The latest letter to the FCC “unfairly characterizes ZTE,” the president of ZTE Solutions in the United States said in an e-mail October 19. Source: http://www.bloomberg.com/news/2010-10-20/u-s-lawmakers-request-fcc-to-review-china-s-huawei-zte-on-security-risks.html

61. October 19, The Hill – (National) FCC workshop will address critical cybersecurity threats. The Federal Communications Commission (FCC) will hold a workshop November 5 to discuss the most critical cyber threats to the communications grid. The National Broadband Plan tasked the FCC with developing a Cybersecurity Roadmap that identifies and addresses the five most critical cyber threats to the communications infrastructure and its users. Participants in the workshop will provide input on what should be included in the roadmap and how those threats can be mitigated. The commission’s workshop is open to the public, but seating is limited and the deadline to register is November 3. The event will also be broadcast live over the Web. Source: http://thehill.com/blogs/hillicon-valley/technology/124867-fcc-workshop-will-address-critical-cybersecurity-threats

62. October 19, CKWX Vancouver – (International) Privacy Commissioner wants Google to delete data. Google may have picked up personal information through Wi-Fi while it created Street View. Now, Canada’s Privacy Commissioner is demanding that data be deleted. A UBC Internet and privacy expert said if one’s Wi-Fi is unsecured, Google’s Street View camera cars may have picked up things a person would not want the company to see. Blame a glitch in the imaging software. The data included complete e-mails, addresses, user names, passwords, names and residential phone numbers, et cetera. The privacy commissioner called it a careless error that likely affected thousands of Canadians and said the company should have addressed privacy concerns before developing Street View. She added if the data cannot be deleted right away, it should be secured with restricted access. Source: http://www.news1130.com/news/local/article/117075--privacy-commissioner-wants-google-to-delete-data

63. October 19, FierceTelecom – (International) BT strikes back at copper theft. Anyone that thinks of stealing copper from BT’s network should think twice about their actions. While many U.S.-based service providers have posted rewards for information that leads to arrests of copper thieves, the United Kingdom-headquartered BT has taken an even more extreme action by placing “smartwater” bombs that spray not only the culprits, but also the copper itself. This SmartWater liquid carries a DNA fingerprint that links the thief to the crime scene, and makes stains on the thief that can be detected by police carrying ultra-violet light detectors. What has contributed to the increase in copper theft in recent years has been the rising price of copper. “There’s a direct correlation between the price of copper and the level of theft,” said the head of security for BT Openreach. Copper theft is not just a U.K. problem, however. AT&T and Frontier have in the past year reported various copper theft crimes that also caused outages on their respective networks. Source: http://www.fiercetelecom.com/story/bt-strikes-back-copper-theft/2010-10-19

64. October 18, Nextgov – (National) Researcher reveals GPS vulnerabilities. GPS timing signals that control base stations in some cellular networks, and other gadgets the size of small refrigerators that power the smart electric grid can fall prey to sophisticated spoofing attacks, according to a University of Texas researcher. He said he successfully spoofed a type of laboratory time reference receiver of the code division multiple access — network technology Sprint and Verizon use that relies on GPS time — with a transmitter he built for about $1,000. He said the spoof, which took about 1 hour, literally dragged the time of the reference receiver backward, inducing a 10-microsecond delay in an hour that could incapacitate the base stations. He also spoofed a type of timing receiver that provides precise signals to synchrophasors, which measure voltages and currents at diverse locations on a power grid so operators can assess the state of the electrical system. The North American SynchroPhasor Initiative, a partnership of the Energy Department and the North American Electric Reliability Corp., plans to install synchrophasors in power systems nationwide to help manage the smart grid; in turn the grid will use communications systems to manage distribution of power from generator to home or office. A spoofing attack against synchrophasors today would not bring down the power system, but “it would make the smart grid less smart,” the researcher said. Attacks against multiple cellular base stations in any city could shut down the network, he added. Source: http://www.nextgov.com/nextgov/ng_20101018_4273.php?oref=topnews

65. October 14, FierceWireless – (National) The Android IM app that brought T-Mobile’s network to its knees. According to T-Mobile’s filings with the Federal Communications Commission (FCC), close to 1 year ago an Android-based instant messaging application “caused an overload of T-Mobile’s facilities for an entire city,” the director of T-Mobile’s national planning and performance engineering wrote in a statement filed with the FCC in January 2010. “T-Mobile network service was temporarily degraded recently when an independent application developer released an Android-based instant messaging application that was designed to refresh its network connection with substantial frequency,” the director wrote in the filing. “One study showed that network utilization of one device increased by 1,200 percent from this one application alone. These signaling problems not only caused network overload problems that affected all T-Mobile broadband users in the area; it also ended up forcing T-Mobile’s UMTS radio vendors to re-evaluate the architecture of their Radio Network Controllers to address this never-before-seen signaling issue. Ultimately, this was solved in the short term by reaching out to the developer directly to work out a means of better coding the application.” Source: http://www.fiercewireless.com/story/android-im-app-brought-t-mobiles-network-its-knees/2010-10-14

Wednesday, October 20, 2010

Complete DHS Daily Report for October 20, 2010

Daily Report

Top Stories

•The Minneapolis Star Tribune reports that about 250 people were evacuated from their homes, and students on a college campus were advised to stay indoors October 18, after anhydrous ammonia leaked from a farm tractor tank in Morris, Minnesota. (See item 28)

28. October 19, Minneapolis Star Tribune – (Minnesota) Ammonia leak prompts evacuation in Morris. Part of Morris, Minnesota, was evacuated October 18 after anhydrous ammonia leaked from a tank attached to a farm tractor, a city official said. No one was reported injured. The director of emergency response in Morris said five or six blocks were evacuated on the north end of the city as a precaution. Stevens County sheriff’s officials said about 250 people were evacuated from their homes. At midnight, the leak had been stopped and officials were waiting for the cloud of gas to dissipate, but it was taking a long time because there was nearly no wind in the area, the emergency response director said. KSAX-TV reported residents were allowed to return to their homes about 1 a.m. October 19 after the gas dissipated. The University of Minnesota, Morris, sent an alert advising students not to go outside. Source: http://www.startribune.com/local/105233963.html?elr=KArksLckD8EQDUoaEyqyP4O:DW3ckUiD3aPc:_Yyc:aUvckD8EQDUX

•According to CNN, at least five shots were fired at the Pentagon in Arlington, Virginia October 19, authorities said, striking a building window, causing a partial lockdown of parking lots, and forcing the temporary closure of a busy highway. (See item 42)

42. October 19, CNN – (Virginia) Shots fired at the Pentagon, police say. Shots were fired at the Pentagon in Arlington, Virginia October 19, authorities said, striking a window of the building. A Pentagon police spokesman said it is not known who fired the shots. Pentagon police officers heard at least five shots around 4:50 a.m. According to another Pentagon Force Protection Agency spokesman, two bullets hit the Pentagon on the south side of the building — one striking a window and the other hitting the building itself. This is an unoccupied part of the building that is being renovated. The spokesman said a fragment of one of the bullets is lodged in the window. The windows, which are bullet-proof, did not shatter. There was a partial lockdown of the Pentagon’s south parking lot and south entrance for about 1 hour after the shooting, and authorities briefly shut down a portion of Interstate 395 going out of the capital — which runs along the south side of the Pentagon — to conduct a search in the investigation. Source: http://www.cnn.com/2010/CRIME/10/19/dc.pentagon.shots.fired/index.html?hpt=T1

Details

Banking and Finance Sector

11. October 19, Softpedia – (International) Multi-bank phishing attack targets Indian taxpayers. Security researchers warn of a new phishing attack exploiting the tax return filing period in India, which uses fake pages for a large number of banks. Floods in certain parts of India led the country’s Central Board of Direct Taxes to extend the due date for filing income tax returns from September 30 to October 15. According to a security researcher with Symantec, this decision attracted phishing attacks, which distributed links to a fake version of the Indian Income Tax Department Web site. The rogue page instructed visitors to select their bank from a list of over a dozen financial institutions to complete the refund request. “Once a bank was selected from the list, the customer was redirected to a phishing site spoofing the log-in page of the selected bank. After the log-in credentials were entered into the phishing site, the customer was redirected back to the legitimate bank’s Web site,” the security researcher explained. Phishing e-mails claiming to originate from tax collection agencies are common during tax filing periods, especially in countries like the United States, U.K., Canada, or Australia. However, attacks targeting so many banks at once are relatively rare. Source: http://news.softpedia.com/news/Multi-Bank-Phishing-Attack-Targets-Indian-Taxpayers-161682.shtml

12. October 19, Softpedia – (International) Phishers use mobile credit bait. Security researchers from Symantec warn of a phishing campaign, which promises free mobile credits in order to trick online banking users into exposing their credentials and phone numbers. This particular attack targeted customers of an Italian bank, but it’s a good indication of the various methods used by phishers to lure victims. The phishing page was hosted on a domain that was a typo of the bank’s real Web address, a technique known as typosquatting. The site claimed that if the users recharged their mobile credit through the bank system with 10 euros, they would receive an additional 40 euros as a bonus. This attack is a double phishing attempt, because the users are first asked to log in to their accounts, which exposes online banking credentials, and then they must input mobile phone numbers. Source: http://news.softpedia.com/news/Phishers-Use-Mobile-Credit-Bait-161597.shtml

13. October 18, WIAT 42 Birmingham – (Alabama) Mountain Brook bank robbed; employees evacuated. The chief of Mountain Brook Police tells CBS42 that employees of Wells Fargo, located at 100 Office Park Drive in Mountain Brook, Alabama, were evacuated due to a robbery October 18. A police spokesman said the suspect arrived at the location in a vehicle, passed a note to a teller claiming there was a bomb on the roof and then drove off. Officials think the man got away with some money. The suspect is a black male in a white Chevrolet; the police spokesman said he is still on the loose. Officials from the Hoover Police Department were called to the scene and determined there was no bomb at the bank. Source: http://www.cbs42.com/content/localnews/story/Mountain-Brook-Bank-Robbed-Employees-Evacuated/4_nLqVtOdUSScYhhply9hw.cspx

14. October 18, Softpedia – (International) Number of fake electronic tax payment emails has spiked. Security researchers warn that a ZeuS distribution campaign producing e-mails about failed electronic tax payments significantly increased its aggressiveness the weekend of October 16-17. The rogue e-mails started hitting in-boxes during October 11-15 and come with a subject of “Your Tax Payment ID ######### is failed. Update information.” The from field is spoofed to appear as if the e-mail originates from “EFTPS Tax Payment,” and it tells users their tax payments submitted through the Electronic Federal Tax Payment System (EFTPS) have failed. The messages also claim the payment failed with an R21 error code and provide a link to obtain additional information. Clicking on the link takes recipients through a series of redirects until they land on a drive-by download page, where their computers are targeted with exploits for outdated versions of many popular applications. Successful exploitation results in a variant of the ZeuS banking Trojan being installed. This malware is commonly used by fraudsters to steal online banking credentials, credit card details and other sensitive data. According to researchers from e-mail security provider AppRiver, the number of these ZeuS distribution e-mails spiked October 16, with over 100 new domains being used in the attack. Source: http://news.softpedia.com/news/Number-of-Fake-Electronic-Tax-Payment-Emails-Has-Spiked-161368.shtml

15. October 18, IDG News Service – (International) U.K. arrests man accused of organizing money ‘mules’. United Kingdom police arrested a 34-year-old man October 18 on suspicion of creating counterfeit credit cards and organizing a network of people involved in money laundering, officials said. Authorities from the Metropolitan Police’s Central e-crime Unit also seized data and equipment believed to be used to create fraudulent payment cards, including blank dummy cards with magnetic strips, during a raid October 18 in London. The man is also accused of organizing money “mules” — people recruited to accept stolen funds and transfer them to other bank accounts for a small share of the amount. The latest action follows a spate of arrests in the United Kingdom, United States and Ukraine in one of the largest coordinated computer crime actions by law enforcement. Source: http://www.computerworld.com/s/article/9191618/U.K._arrests_man_accused_of_organizing_money_mules_

16. October 16, BankInfoSecurity.com – (National) Three banks closed on Oct. 15. Federal and state banking regulators closed three banks October 15. These closures raise the total number of failed institutions to 152 so far in 2010. The latest failed banks are as follows. Security Savings Bank, F.S.B., Olathe, Kansas, was closed by the Office of Thrift Supervision, and the Federal Deposit Insurance Corporation (FDIC) was appointed receiver. FDIC arranged for Simmons First National Bank, Pine Bluff, Arkansas, to assume all deposits. The nine branches of Security Savings Bank will reopen as branches of Simmons. Security Savings had $508.4 million in assets. The estimated cost to the Deposit Insurance Fund (DIF) will be $82.2 million. WestBridge Bank and Trust Company, Chesterfield, Missouri, was closed by the Missouri Division of Finance, and FDIC was appointed receiver. FDIC arranged for Midland States Bank, Effingham, Illinois, to assume all deposits. The sole branch of WestBridge will reopen as a branch of Midland States. WestBridge had $91.5 million in total assets. The estimated cost to the DIF will be $18.7 million. Premier Bank, Jefferson City, Missouri, was closed by the Missouri Division of Finance, and the FDIC was appointed receiver. FDIC arranged with Providence Bank, Columbia, Missouri, to assume all the deposits. The nine branches of Premier will reopen as branches of Providence. Premier had $1.18 billion in assets. The estimated cost to the DIF will be $406.9 million. Source: http://www.bankinfosecurity.com/articles.php?art_id=3015

17. October 15, DataBreaches.net – (Illinois) Illinois AG sues Payday Loan Store over improper disposal of customer data. The Illinois attorney general filed a lawsuit in Cook County Circuit Court October 15 against The Payday Loan Store of Illinois, Inc. (PLS), for allegedly failing to safeguard customer data. The attorney general filed the suit after learning that documents containing customers’ personal information had turned up in trash bins outside four store locations. “Data security is absolutely critical to protecting consumers from identity theft,” the attorney general said. PLS, which sells high-cost, short-term loans throughout Illinois, provides customers with a privacy policy that promises the company will protect personal information by maintaining physical, electronic and procedural safeguards in compliance with federal regulations. The attorney general’s complaint alleges, however, that PLS did not maintain those safeguards and instead disposed of customers’ personal data in publicly accessible trash containers. The complaint alleges a concerned individual alerted Bolingbrook police that he had found documents containing sensitive information in a trash container behind the PLS location in Bolingbrook. The police retrieved approximately two boxes of documents containing nonpublic personal information, including Social Security numbers, driver’s license numbers, financial account numbers and PLS loan account numbers. Source: http://www.databreaches.net/?p=14735

For another story, see item 55 below in the Information Technology Sector

Information Technology

48. October 19, Help Net Security – (International) Kaspersky download site hacked, redirecting users to fake AV. For three and a half hours October 17, Kaspersky’s USA download site provided download links that redirected users to a malicious Web page where pop-up windows told them their computer was infected and urged them to buy a fake AV solution. The problem was noted by various users on three separate forums. Among those was Kaspersky’s own forum, and judging by the comment left by someone with the username “Micha” — who appears to be an employee of the security firm stationed in Japan — the problem was solved. According to ITPro, the incident was first denied, then confirmed by Kaspersky. The company said it took the server offline as soon as it found out about the breach, that the compromise was caused by a vulnerability in a third-party application for Web site administration, and that customer details held on company servers were not compromised. Source: http://www.net-security.org/malware_news.php?id=1499

49. October 19, V3.co.uk – (International) RealPlayer receives critical security update. Real Networks has issued a security update for RealPlayer, addressing flaws in versions 1.1.4 and earlier of the application. The company said RealPlayer 1.1.5 and later for Windows is not believed to be vulnerable to attack, nor are the Mac RealPlayer 12.0.0.144 and later release, the latest RealPlayer Enterprise, and the RealPlayer 11.0.2.1744 for Linux release. The update patches seven vulnerabilities ranging from buffer overflow and injection flaws to issues that could allow an attacker to remotely execute code on a targeted system. Real Networks advised administrators to upgrade RealPlayer installations to the most current stable version. No active exploitation of the flaws has been reported in the wild. Source: http://www.v3.co.uk/v3/news/2271764/realplayer-receives-critical

50. October 19, IDG News Service – (International) Tests show consumer antivirus programs falling behind. The latest tests of consumer antivirus software, released October 19, show the products are declining in performance as the number of malicious software programs increases. NSS Labs tested 11 consumer security suites and found that the products are less effective than 1 year ago at blocking the download and execution of malicious software programs. The company also tested whether those programs detected and blocked malicious Web sites. The download and execution blocking rate for the top performing product, Trend Micro’s Titanium Maximum Security, fell from 96.4 percent to 90.1 percent from the third quarter of 2009 to the same period this year. All of the rates were lower except for two products: McAfee’s Internet Security and F-Secure’s Internet Security 2010, which raised their detection and blocking rates by 3.6 percent and 0.4 percent respectively. The biggest drop occurred for AVG’s Internet Security 9, which fell 18.5 percent, and Kaspersky’s Internet Security 2011, which fell 16.5 percent. The tested security products have not necessarily fallen in quality; rather, the threats are evolving at a rapid pace, said the president of NSS Labs. Source: http://www.computerworld.com/s/article/9191718/Tests_show_consumer_antivirus_programs_falling_behind?taxonomyId=17&pageNumber=1

51. October 18, Softpedia – (International) Scammers impersonate Adobe employees to sell fake Reader upgrade. Security researchers warn of scam e-mails purporting to come from Adobe employees, who advise users to buy a fake upgrade for Adobe Reader. The e-mails bear a subject of “Action Required : Active Your New Adobe PDF Reader” and come from an “Adobe Support” address. A link is included and recipients are advised to open it in order to download the upgrade. The domain has been registered through a Russian registrar and redirects to a professional-looking Web site that advertises a program called PDF Pro 2010, which asks for registration and money. It appears this campaign has been running for weeks. There are reports about it on Adobe’s forum dating back to September 27, but an ESET blogger wrote about one sent October 17. “Adobe doesn’t send out unsolicited stuff like this, even when it concerns security patches and the like. If you’re not subscribed to one of their lists, that’s red flag number one,” the researcher warned. Source: http://news.softpedia.com/news/Scammers-Impersonate-Adobe-Employees-to-Sell-Reader-Upgrade-161580.shtml
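Items 14 and 51 each quote the same kind of indicators: a fixed subject line, a spoofed sender display name and a link leading away from the impersonated brand. The following mail-filter rule, added here as an example and not taken from the report or any vendor it cites, flags a message only when at least two of those indicators for one lure coincide. The legitimate sender domains (eftps.gov, adobe.com) and the three sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicators quoted in report items 14 and 51. The legitimate sender domains are
# assumptions (the report does not name them) and would come from a brand allow-list.
LURES = [
    {
        "name": "EFTPS failed-payment lure",
        "subject": re.compile(r"^Your Tax Payment ID \d+ is failed\. Update information\.$"),
        "brand": "eftps tax payment",
        "legit_domains": {"eftps.gov"},
        "markers": ("R21",),
    },
    {
        "name": "Fake Adobe Reader upgrade",
        "subject": re.compile(r"^Action Required\s*:\s*Active Your New Adobe PDF Reader$"),
        "brand": "adobe support",
        "legit_domains": {"adobe.com"},
        "markers": (),
    },
]
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

def sender_domain(from_header):
    """Split a From: header into (lower-cased display name, sender domain)."""
    name, addr = parseaddr(from_header or "")
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), domain

def link_domains(body):
    """Lower-cased host names of every http(s) link in the body."""
    hosts = (urlparse(u).hostname for u in URL_RE.findall(body))
    return {h.lower() for h in hosts if h}

def in_domains(host, legit):
    return any(host == d or host.endswith("." + d) for d in legit)

def classify(raw):
    """Return {'lure': name, 'reasons': [...]} when at least two indicators of one
    lure coincide, else None. A forged header domain equal to the real brand domain
    defeats the display-name test; that case needs SPF/DKIM authentication results."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    name, domain = sender_domain(msg.get("From"))
    body = msg.get_payload() if not msg.is_multipart() else ""
    for lure in LURES:
        reasons = []
        if lure["subject"].match(subject):
            reasons.append("subject matches known lure")
        if name == lure["brand"] and not in_domains(domain, lure["legit_domains"]):
            reasons.append(f"display name impersonates brand; sender domain is {domain or 'missing'}")
        off_brand = sorted(h for h in link_domains(body) if not in_domains(h, lure["legit_domains"]))
        if off_brand and (reasons or any(m in body for m in lure["markers"])):
            reasons.append(f"links lead off-brand: {off_brand}")
        if len(reasons) >= 2:
            return {"lure": lure["name"], "reasons": reasons}
    return None

# Constructed sample messages (not real campaign mail; .invalid is a reserved TLD).
EFTPS_SAMPLE = """From: EFTPS Tax Payment <notice@example-lure.invalid>
Subject: Your Tax Payment ID 010357634 is failed. Update information.

Your payment was rejected with error code R21: http://tax-status.example-lure.invalid/report.php
"""
ADOBE_SAMPLE = """From: Adobe Support <support@example-lure.invalid>
Subject: Action Required : Active Your New Adobe PDF Reader

Download your upgrade: http://pdf-upgrade.example-lure.invalid/get
"""
CLEAN_SAMPLE = """From: Payroll <payroll@example-corp.invalid>
Subject: October timesheets due Friday

Submit your timesheet at https://intranet.example-corp.invalid/time
"""
```

Run `classify()` over each sample: the two lures return their name with two or three reasons each, the payroll message returns None.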

52. October 18, Softpedia – (International) Drive-by kit generates fake Twitter home pages. Security researchers warn of the increasing popularity of a drive-by kit that allows attackers to create fake copies of the Twitter home page and use them to distribute malware. The real Twitter main page currently promotes a video about the site’s new design. The malware toolkit, which was discovered by researchers from Sunbelt Software (now part of GFI), allows attackers to edit the part of the page where the video is located and replace it with whatever they wish. In some live examples, the malware pushers used a video thumbnail depicting a scantily-dressed woman. Clicking the image prompted the execution of a malicious Java applet. The applet tried to exploit a vulnerability in older versions of Java to install malware on the victim’s computer. The attackers upload these pages to free Web hosting accounts and then target users on Twitter via shortened URLs included in spam messages. They hope that when users open them, they will click on the intriguing picture without verifying the URL in the address bar. Source: http://news.softpedia.com/news/Drive-By-Kit-Creates-Fake-Twitter-Home-Pages-161536.shtml

53. October 18, Computerworld – (International) ‘Unprecedented wave’ of Java exploits hits users, says Microsoft. Microsoft said October 18 that an “unprecedented wave” of attacks is exploiting vulnerabilities in Oracle’s Java software. According to a manager at Microsoft’s Malware Protection Center, attempts to exploit Java bugs have skyrocketed in the past 9 months, climbing from less than half a million in the first quarter of 2010 to more than 6 million in the third quarter. She noted that the bulk of the attacks in the quarter that ended September 30 were exploiting just three Java vulnerabilities, all of which had been patched months or even years ago. “IDS/IPS vendors ... have challenges with parsing Java code,” she alleged. “Think about incorporating a Java interpreter into an IPS engine. ... [T]he performance impact on a network IPS could be crippling. [So] the people that we expect to notice increases in exploitation might have a hard time seeing this. Call it Java-blindness.” Source: http://www.computerworld.com/s/article/9191640/_Unprecedented_wave_of_Java_exploits_hits_users_says_Microsoft

54. October 18, Softpedia – (International) Exploit toolkit infects one in ten users via outdated Java. While analyzing a live drive-by download attack, researchers from M86 Security found that 1 in 10 users visiting the compromised pages were being infected because they had an outdated version of Java installed. The exploit toolkits used in drive-by download attacks target known arbitrary code execution vulnerabilities in older versions of popular applications, such as Adobe Flash Player, Adobe Reader, Java, or even the browsers themselves. The exploit pack used in this attack is called Zombie Infection Kit and is neither the most popular nor the most sophisticated. The toolkit exploits two Java vulnerabilities, four Adobe Reader ones (via a single PDF document), the Windows XP Help Center (HCP) flaw discovered earlier this year, an old one in IE6, and two in Adobe Flash Player. According to its control panel, the two Java vulnerabilities accounted for a bit over 60 percent of all successful infections. This is consistent with numbers seen in other exploit toolkits. Given that the overall infection rate achieved by this installation of Zombie Infection Kit was 15.39 percent, it can be concluded that 9 percent of the users who landed on the infected pages were compromised through Java exploits. Source: http://news.softpedia.com/news/Exploit-Toolkit-Infects-One-in-Ten-Users-via-Outdated-Java-161579.shtml

55. October 18, Computerworld – (International) Microsoft’s anti-Zeus tool cleans quarter-million PCs. Microsoft said its free malware cleaning tool had scrubbed the money-stealing Zeus bot from nearly 275,000 Windows computers in under 1 week. On October 12, Microsoft added Zeus/Zbot detection to its Malicious Software Removal Tool (MSRT), a free malware-removal program that the company updates each month and distributes alongside its Patch Tuesday security fixes. MSRT does not prevent attack code from getting onto a Windows machine. Instead, it detects infected machines and then deletes the malware. Since October 12, MSRT has removed 281,491 copies of Zeus from 274,873 PCs, Microsoft announced in a post to a company blog October 17. Those numbers put the Zeus bot into the top spot on MSRT’s hit list. Zeus infections accounted for 20.4 percent of all machine cleanings since October 12, said the director of Microsoft’s Malware Protection Center. Source: http://www.computerworld.com/s/article/9191599/Microsoft_s_anti_Zeus_tool_cleans_quarter_million_PCs

56. October 18, Commtouch – (International) Report: Malware delivery technique focuses on HTML attachments. Use of malicious HTML e-mail attachments increased significantly in the third quarter, Commtouch reported October 18 in its third quarter Internet Threats Trend Report. The HTML attachments displayed phishing pages on the user’s local computer or redirected users to sites hosting malware or spam products. The Q3 report examines the methodology within blended attacks, such as the “Here You Have” worm, which spread widely in September using Outlook contact lists from infected PCs. Both Here You Have and numerous fake LinkedIn invitations relied on a combination of social engineering and masked hyperlinks to lead users to Web sites with malware scripts. During Q3, the PayPal, LinkedIn, CraigsList, Bell Canada, NewEgg, and Amazon brands were used by spammers to inspire action by consumers. The report also describes an unusual pharmacy spam campaign that posed as a show of solidarity with several European politicians and celebrities. The increased use of HTML attachments shows how prominent the multi-stage attack vector has become, said a Commtouch vice president. Source: http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=227900192&subSection=Application+Security

Communications Sector

57. October 19, TMCnet – (Pennsylvania) AT&T helps Philadelphia businesses prepare for potential disasters. AT&T announced the results of a new study conducted on how Pennsylvania businesses prepare to ensure business continuity and save their businesses from unforeseen natural or manmade disasters. According to the 2010 Business Continuity Study, businesses are proactively preparing to face these challenges and protect their operations and maintain communications in times of disruption. Many businesses in Philadelphia and Pittsburgh are preparing for potential disasters and investing in additional technology, according to AT&T. About 81 percent of AT&T survey participants in these metro areas said they have business continuity plans, and two-thirds of executives indicated their companies are investing in new technologies in 2010. The survey found business continuity is essential as these businesses allowed most employees to work from home or remote locations, and use communications facilities like automated calling systems to reach employees by telephone or cell phone outside of work. A majority (78 percent) of survey participants were concerned about the increasing use of mobile networks and devices and their impact on security threats. AT&T also announced it is working with officials and business leaders to conduct a full-scale disaster recovery simulation — a Network Disaster Recovery or “NDR” exercise — in King of Prussia, Pennsylvania, October 19 to 20. The company conducts NDR several times a year as part of its strategies to test, refine and strengthen the business continuity and disaster recovery services to minimize network downtime. Source: http://mpls.tmcnet.com/topics/business-continuity/articles/109843-att-helps-philadelphia-businesses-prepare-potential-disasters.htm

58. October 18, Network World – (International) Gap between IPv4 depletion, IPv6 adoption widens. With the Internet’s largest-ever upgrade looming, network operators are using up address space based on the current standard — known as IPv4 — much faster than they are adopting IPv6, the next-generation standard. The Internet’s regional registries, which dole out blocks of IPv4 and IPv6 address space to carriers, will announce October 18 that less than 5 percent of the world’s IPv4 address space remains unallocated. IPv4 is the Internet’s main communications protocol. It uses 32-bit addresses and can support 4.3 billion devices connected directly to the Internet. IPv6, on the other hand, uses 128-bit addresses and supports a virtually unlimited number of devices — 2 to the 128th power. Overall, more than 200 million IPv4 addresses have been allocated from the so-called free pool of available IPv4 addresses since January 2010, with most of the addresses being snapped up by Asian carriers. Allocation of the remaining blocks of IPv4 addresses is “imminent,” according to the chairman of the Number Resource Organization (NRO), which represents the five regional registries. “It is critical that all Internet stakeholders take definitive action now to ensure the timely adoption of IPv6,” he said in a statement. The NRO warned the last IPv4 address blocks will be allocated from the free pool to the regional registries in early 2011. Experts predict the registries will hand out these addresses to network operators by the end of 2011, leading to full-fledged depletion of IPv4 addresses. Once IPv4 addresses are depleted, ISPs must give their new customers IPv6 addresses or use carrier-grade network address translation to share a single IPv4 address among multiple customers. Source: http://www.computerworld.com/s/article/9191761/Gap_between_IPv4_depletion_IPv6_adoption_widens

59. October 18, Wired.com – (International) Outage forces Peek to upgrade older devices. An unexpected glitch felled older models of Peek, the e-mail-only device, and has forced the company to offer a free replacement upgrade to users. The outage, which started October 14, bricked two Peek models — the Pronto and Classic. “Unfortunately, one of the connectivity providers we were using went down for good. That’s the bad news,” wrote the Peek CEO on the company blog. But Peek said its customers will gain because it is replacing the bricked devices with its latest model, Peek 9. Peek 9 offers push e-mail and access to Facebook, Twitter, weather and maps for $69 and a monthly service plan of $20. The device does not require a long-term contract with the wireless carrier. Source: http://www.wired.com/gadgetlab/2010/10/outage-forces-peek-to-upgrade-older-devices/

60. October 18, McClatchy-Tribune Information Services – (International) Airline may let fliers use cellphones. Early next year, Singapore Airlines will begin to install technology in dozens of planes to let passengers surf the Internet and send e-mail from 35,000 feet in the air, the airline has announced. The circuitry it plans to install in at least 40 long-haul jets by 2013 would also allow passengers to make airborne cellphone calls. But Singapore Airlines remains undecided whether to allow cellphone calls. “As we get closer to the launch date, we will decide whether voice calling in the cabin will be activated,” said a Singapore Airlines spokesman. One consideration, he said, is whether passengers want to make calls in flight. The hesitation is not surprising. Although a handful of airlines in the Middle East and Europe allow cellphone calls, U.S. regulators prohibit the practice, saying the calls may interfere with navigation systems. But the problem may not be the technology. After all, Emirates airline has allowed cellphone calls since 2008. Cathay Pacific announced plans in July to let passengers use their cellphones in the plane by 2012. A bigger issue may be that passengers and airline crews hate the idea of turning a crowded, airborne cabin into a flying phone booth. The Federal Communications Commission considered lifting the ban in 2004, but it stopped looking into the idea after being inundated with letters, e-mails and calls in opposition. The pending reauthorization bill for the Federal Aviation Administration includes a proposal to ban all cellphone calls on U.S. commercial planes — except by airline crews and law enforcement. In a 2005 survey by the National Consumers League and the Association of Flight Attendants, 63 percent of airline passengers said they opposed cellphone use on planes. Source: http://voices.washingtonpost.com/dr-gridlock/2010/10/early_next_year_singapore_airl.html