Friday, November 26, 2010

Complete DHS Daily Report for November 26, 2010

Daily Report

Top Stories

• According to the Associated Press, a woman charged with making threats that caused 300 Broward County, Florida schools to be locked down was arrested November 23, federal authorities said. (See item 43)

43. November 23, Associated Press – (Florida) Fla. woman accused in school threats arrested. A woman charged with making threats that caused 300 Florida schools to be locked down and a congressman-elect’s top aide to step down was arrested November 23, federal authorities said. FBI agents apprehended the 48-year-old suspect of New Port Richey, Florida, near Los Angeles, the U.S. Attorney’s Office in Miami said. She is accused of sending an e-mail on November 10 to a WFTL 850 AM conservative talk show host, who was tapped to be a U.S. Representative-elect’s chief of staff. The suspect called the Pompano Beach station later that morning and claimed that her husband was going to go to a school in Pembroke Pines and start shooting, according to federal authorities who said they traced the call. Authorities responded by placing all 300 Broward County schools in lockdown for several hours. The talk show host has been on South Florida radio for nearly 20 years. She stepped down as chief of staff a day after the lockdown, saying she wanted to avoid any repercussions against the U.S. Representative. Source:

• According to BBC News, one fifth of Facebook users are exposed to malware contained in their news feeds, claim researchers at security firm BitDefender.

See item 49 below in the Information Technology sector.


Banking and Finance Sector

19. November 24, Krebs on Security – (International) Crooks rock audio-based ATM skimmers. Criminals increasingly are cannibalizing parts from handheld audio players and cheap spy cams to make extremely stealthy and effective ATM skimmers, devices designed to be attached to cash machines and siphon card + PIN data, a new report warns. The European ATM Security Team (EAST) found that 11 of the 16 European nations covered in the report experienced increases in skimming attacks last year. EAST noted that in at least one country, anti-skimming devices have been stolen and converted into skimmers, complete with micro cameras used to steal PINs. EAST said it also discovered that a new type of analog skimming device — using audio technology — has been reported by five countries, two of them “major ATM deployers” (defined as having more than 40,000 ATMs). Source:

20. November 24, Krebs on Security – (Missouri) Escrow Co. sues bank over $440K cyber theft. An escrow firm in Missouri is suing its bank to recover $440,000 that organized cyber thieves stole in an online robbery earlier this year, claiming the bank’s reliance on passwords to secure high-dollar transactions failed to measure up to federal e-banking security guidelines. The attack against Springfield, Missouri based title insurance provider Choice Escrow and Land Title LLC began late in the afternoon on St. Patrick’s Day, when hackers who had stolen the firm’s online banking ID and password used the information to make a single unauthorized wire transfer for $440,000 to a corporate bank account in Cyprus. The following day, when Choice Escrow received a notice about the transfer from its financial institution — Tupelo, Mississippi based BancorpSouth Inc. — it contacted the bank to dispute the transfer. But by the close of business on March 18, the bank was distancing itself from the incident and its customer, said the director of business development for Choice Escrow. “What they really were doing is contacting their legal department and figuring out what they were going to say to us. It took them until 5 p.m. to call us back, and they basically said, ‘Sorry, we can’t help you. This is your responsibility.’” A spokesman for BancorpSouth declined to discuss the bank’s security measures or the specifics of this case, saying the institution does not comment on ongoing litigation. Source:

21. November 24, Tallahassee Democrat – (Florida) Capital Circle NE remains closed after bomb threat. Capital Circle Northeast in Tallahassee, Florida, remained closed in both directions between Raymond Diehl and Lonnbladh roads on November 24 as police officers and bomb squad technicians investigated a bomb threat made by a bank robber. A 56-year-old man entered Premier Bank, 3110 Capital Circle NE, said that he had a bomb and demanded money from a teller, said a spokesman for Tallahassee Police Department (TPD). There were customers in the bank at the time of the robbery, but no injuries have been reported. Capital Circle should be reopened within an hour, the spokesman said. Police officers arrived before the man could exit the bank, and he was taken into custody without incident. The man then claimed the bomb threat was merely a bluff, but law-enforcement officials are required to take the threat seriously. The Big Bend Regional Bomb Squad, comprised of officials from TPD, the Tallahassee Fire Department, Florida Capital Police, and other local law-enforcement agencies, deployed a robot to the bank earlier in the morning. Investigators also examined a secondary search site, the parking lot of Gold’s Gym, 2695 Capital Circle NE, where they think the man may have parked his car. Source:

Information Technology

48. November 24, Help Net Security – (International) Kids lured to scam site by promises of parental control bypassing. The latest scam to hit Facebook users is one that supposedly offers a completely free proxy service for those who want to bypass parental controls and blocks set up by schools and at workplaces that prevent users from accessing certain sites such as Facebook. The campaign is specifically targeting kids, luring them into trying out the service located at hxxp:// to access Facebook in school. Sunbelt researchers have poked around the site and discovered a veritable trove of various scamming attempts. The victims are faced with an affiliate site containing malware, surveys, quizzes, and offers for free iPhones that will try to get them to subscribe to a premium rate service or sign up for spam. Source:

49. November 24, BBC News – (International) Facebook news feeds beset with malware. One fifth of Facebook users are exposed to malware contained in their news feeds, claim security researchers. Security firm BitDefender said it had detected infections contained in the news feeds of around 20 percent of Facebook users. Facebook said it already had steps in place to identify and remove malware-containing links. BitDefender arrived at its figures by analyzing data from 14,000 Facebook users that had installed a security app, called safego, it makes for the social network site. In the month since safego launched, it has analyzed 17 million Facebook posts, said BitDefender. The majority of infections were associated with apps written by independent developers, which promised enticements and rewards to trick users into installing the malware. These apps would then install malware used either for spying on users or for sending messages containing adverts to the users’ contacts. Facebook said it had processes and checks in place to guard against the risk of malware. “Once we detect a phony message, we delete all instances of that message across the site,” the site said in a statement. Source:

50. November 24, PCWorld – (International) Android browser flaw exposes user data. A vulnerability in the Android browser could permit an attacker to steal the user’s local data, according to a report November 23 from a security expert. Specifically, a malicious Web site could use the flaw to access the contents of files stored on the device’s SD card as well as “a limited range of other data and files stored on the phone,” the expert explained. In essence, the problem arises because the Android browser does not prompt the user when downloading a file. “This is a simple exploit involving JavaScript and redirects, meaning it should also work on multiple handsets and multiple Android versions without any effort,” he noted. The Android Security Team responded within 20 minutes of the expert’s notification about the flaw and is planning a fix that will go into a Gingerbread maintenance release after that version becomes available, he said. An initial patch has already been developed and is now being evaluated. In the meantime, the security expert suggests a few steps users can take to protect themselves, including disabling JavaScript in the browser. Source:

51. November 24, Help Net Security – (International) Korean cross-border attacks exploited to spread malware. The recent cross-border shellings between North and South Korea have left many people wondering what has been going on and what triggered the attacks, and scareware and malware pushers have been very prompt at poisoning related search results. Search combinations such as “north korea bombs/attacks south korea”, “kim jong il”, “korean war”, “world war 3”, “yeonpyeong island” and “korean news” have been producing results that take users to pages that show warnings about infection on their computers and offer rogue antivirus solutions for download, to pages that attempt to hijack their browser through JavaScript, or to pages that offer Trojans disguised as codecs and bogus updates for Mozilla’s Firefox. The Tech Herald reports that all of the offending compromised domains are using open source CMS software that was not updated and was, consequently, vulnerable to attack. They also noted that topics related to Black Friday, Dancing with the Stars, and others have been targeted by the same black hat SEO campaign. Source:

52. November 23, Network World – (International) HTTPS Everywhere gets Firefox “Firesheep” protection. The Electronic Frontier Foundation (EFF) November 23 said it rolled out a version of HTTPS Everywhere that offers protection against “Firesheep” and other tools that seek to exploit Web page security flaws. Firesheep sniffs unencrypted cookies sent across open WiFi networks for unsuspecting visitors to Web sites such as Facebook and Twitter, and lets the user take on those visitors’ log-in credentials. EFF says the new version of HTTPS Everywhere (0.9.x) is a direct response to growing concerns about Web site vulnerability in the wake of Firesheep on social networking sites or Web mail systems, for example — if the browser’s connection to the Web application either does not use cryptography or does not use it thoroughly enough. EFF says that HTTPS Everywhere now protects sites such as, Cisco, Dropbox, Evernote, and GitHub. Source:

53. November 23, The Register – (International) Network card rootkit offers extra stealth. Security researchers have demonstrated how it might be possible to place backdoor rootkit software on a network card. A reverse engineer at French security firm Sogeti ESEC was able to develop proof-of-concept code after studying the firmware from Broadcom Ethernet NetExtreme PCI Ethernet cards. He used publicly available documentation and open source tools to develop a firmware debugger. He also reverse-engineered the format of the EEPROM where firmware code is stored, as well as the bootstrap process of the device. Using the knowledge gained from this process, he was able to develop custom firmware code and flash the device so that his proof-of-concept code ran on the CPU of the network card. The technique opens the possibility of planting a stealthy rootkit that lives within the network card, an approach that gives potential miscreants several advantages over conventional backdoors. Chief among these is that there will be no trace of the rootkit on the operating system, as it is being hidden inside the network interface card. Source:

Communications Sector

See item 50 above in Information Technology