Friday, December 3, 2010

Complete DHS Daily Report for December 3, 2010

Daily Report

Top Stories

• According to the Associated Press, a new report found actions to disinfect the Washington D.C. water supply and repair lead pipes may have exposed 15,000 homes to lead-contaminated water. (See item 39)

39. December 1, Associated Press – (District of Columbia) CDC: Water in 15,000 DC homes still contaminated. The Centers for Disease Control and Prevention (CDC) said as many as 15,000 homes in Washington, D.C. may have dangerous, lead-contaminated water despite removal of lead pipes. In a report released December 1, the CDC said homeowners who had pipes partially replaced may have made the problem worse. The CDC also said that children in Washington, D.C. were exposed to lead poisoning from 2000 to 2006 as an unintended result of moves to disinfect the water supply. The CDC initially claimed it found no evidence that increases in the level of lead in the water had harmed D.C. residents. The director of D.C. Water said if young children, pregnant women or those with a compromised immune system live in the affected homes, the water should be tested. Source:

• Reuters reports the Presidential administration has created a panel to develop new ways for federal agencies to keep classified documents secret. (See item 50)

50. December 1, Reuters – (International) U.S. initiates post-WikiLeaks security crackdown. The White House has set up a special committee to assess the damage from the flood of classified cables leaked by WikiLeaks, and to organize efforts to tighten security measures in government agencies. White House officials said the U.S. President’s national security staff had created an interagency panel to coordinate the response to the leaks and come up with new ways to keep classified documents secret. The State Department cables, which follow similar document leaks by WikiLeaks on the Iraq and Afghan wars, cast a glaring and sometimes embarrassing light on the inner workings of U.S. diplomacy when they were leaked starting November 27. An Army private who worked as an intelligence analyst in Iraq has been charged by military authorities with unauthorized downloading of more than 150,000 State Department cables, though U.S. officials declined to say whether they are the same ones released by WikiLeaks. Source:


Banking and Finance Sector

18. December 2, Softpedia – (International) Shell Vacations investigating credit card breach. Shell Vacations, a company that operates a chain of resorts across the United States, Canada, and Mexico, is currently investigating a possible security breach that resulted in credit card details being compromised. An announcement posted on the Shell Vacations Hospitality and Shell Vacations Club Web sites, the company’s two subsidiaries, revealed the suspected incident occurred between June and October. “Despite employing multiple safeguards, we were not made aware of the possible security breach until just recently,” the company’s president wrote. At this point, the circumstances in which the breach occurred are not clear, but it apparently affected employees and customers. Shell is working with credit card companies to resolve the issue and has contracted a team of forensic experts to investigate. Shell also published a FAQ regarding the breach. Customers are advised to monitor their credit card statements for unauthorized activity and report it to the card issuer immediately. Source:

19. December 2, CRN – (National) Three people sentenced in Cisco SMARTnet gray market scheme. Three people, including a husband and wife, have been found guilty of bilking Cisco Systems out of more than $20 million in revenue in a money-laundering scheme. A 33-year-old male suspect was sentenced to 12 and one-half years in prison, according to the U.S. Attorney in the Eastern District of North Carolina, Raleigh, North Carolina. His wife, a 29-year-old from Oro Valley, Arizona, received a 9-year prison sentence, and a 34-year-old male accomplice, who hails from Hendersonville, North Carolina, received a 4-year sentence. In addition, all three were ordered to pay $21.7 million in restitution to Cisco. All three pled guilty to money laundering, and the two males also pled guilty to conspiring to commit mail fraud. The scheme first came to light when the lead suspect and his wife were arrested by the FBI in October of 2009 after a lengthy investigation. According to the indictment, the defendants submitted fraudulent claims to Cisco to receive replacement parts under the vendor’s SMARTnet contract program from January 2003 to July 2005. They then sold the replacement parts on the gray market and deposited the money into a Synergy bank account. The defendants reportedly created more than 50 fictitious company names and 35 fictitious people and instructed Cisco to ship replacement parts to mailboxes at UPS stores, residential addresses, and commercial addresses in seven states. Source:

20. December 2, The New New Internet – (National) FBI warns consumers about bogus lottery notifications. The FBI’s cyber crime center IC3 continues to receive reports of consumers receiving letters and e-mails declaring them winners of sweepstakes and lottery schemes. These schemes employ counterfeit checks with legitimate-looking logos of financial institutions to fool victims into sending money to the fraudsters. Crooks tell victims they won a sweepstakes or lottery, but to receive a lump sum payout, they must pay taxes and processing fees upfront. The recipients are instructed to start the process by calling a phone number. The letter says the victim may choose to take an advance on the winnings to make the required upfront payment. The letter also includes a check in the amount of the alleged taxes and fees, along with processing instructions. Ultimately, victims believe they are using the advance to make the required upfront payment. The victim deposits the check into their own bank, which credits the account for the amount of the check before the check clears. The victim then immediately withdraws the money and wires it to the fraudsters. Afterward, the check turns out to be bogus and the bank pulls the respective funds from the victim’s account, leaving him or her liable for the amount of the counterfeit check plus any additional fees that may have been incurred. Source:

21. December 1, Softpedia – (International) Fraud gang infects all ATMs in a Russian city. The Russian Ministry of Internal Affairs (MVD) has dismantled a fraud ring whose members managed to infect all ATMs in the city of Yakutsk with malware designed to steal credit card data. According to the authorities, the organized crime group, made up of three men, contracted a hacker from Moscow, whom they met on an underground forum, to build a custom ATM virus for them. The gang paid 100,000 rubles (almost $3,200) for the malware and infected ATMs with it. Each member was assigned tasks based on his expertise. For example, one of them, who worked as the head of an IT department, took care of obtaining access to the targeted ATMs. A system administrator, who also acted as the group’s leader, handled the infection itself, while a third man acted as a money mule. The suspects were arrested simultaneously and their apartments were searched. The police claimed they found copies of the ATM malware, as well as stolen credit card information and other evidence of the fraud. Source:

22. December 1, WSMV 4 Nashville – (Tennessee) 3 arrested in Aug. White House bank robbery. Police said December 1 they have arrested three people in connection with a bank robbery last summer in White House, Tennessee. The First State Bank of White House, located on Raymond Hirsch Parkway, was robbed at gunpoint by two men wearing skeleton masks August 31. After the robbery, police said the robbers fled in an older model Oldsmobile, but an exchange of vehicles occurred before the thieves fled toward Nashville. A 3-month investigation resulted in three arrests by the FBI. Source:

23. November 30, Portland Oregonian – (Oregon) Portland man sentenced in federal court in 2009 bank robbery spree. A Portland, Oregon, man was sentenced to more than 12 years behind bars in federal court November 30. The 40-year-old suspect pleaded guilty to seven counts of unarmed bank robbery. In 2009, the suspect had just been released from a 12-year stint in federal custody on a trio of 1998 bank robbery convictions when investigators say he began to rob again. From November 2009 to December 2009, the suspect hit seven banks across the Portland metro area, using verbal commands and intimidation to get cash, rather than a weapon. The November 30 sentencing carries a “career offender” enhancement due to the suspect’s 1998 robberies and a first-degree burglary conviction in 1994 in Multnomah County Circuit Court. Source:

24. November 30, Augusta Chronicle – (National) ‘Limping Bandit’ gets 25 years. A man known as the “Limping Bandit” because of the way he walked away from a string of 23 bank robberies, including 2 in the Augusta, Georgia, area, has been sentenced in Charleston to 25 years in federal prison. The U.S. attorney’s office in South Carolina said in a news release that the 52-year-old suspect was sentenced November 30 after pleading guilty earlier this year to robberies in Alabama, Florida, Georgia, and South Carolina. The suspect was arrested in July 2009 after witnesses followed him from his 13th South Carolina bank robbery. The spree started 3 years earlier in Tifton, Georgia. At the time, the suspect was still on parole for a 1987 robbery conviction.


Information Technology

59. December 2, PC Pro – (International) Google to sandbox Flash in Chrome. Google is working on sandboxing Adobe’s Flash Player to better protect users of the Chrome browser. Adobe’s products have come under fire as “easy pickings” for online attackers, and the company has already sandboxed its own Reader software. The Chrome Flash sandbox has now been released on the developers channel for users of Windows XP, Vista, and 7. It uses the same system as Chrome’s current sandbox tech, which blocks applications from accessing “sensitive resources,” said software engineers in a post on the Google Chrome blog. Now, that system is being extended to the third-party app. “This implementation is a significant first step in further reducing the potential attack surface of the browser and protecting users against common malware,” they added. Source:

60. December 2, Help Net Security – (International) main FTP server compromised. A warning has been issued by the developers of ProFTPD, the popular FTP server software, about a compromise of the project’s main distribution server that resulted in attackers exchanging the offered source files for ProFTPD 1.3.3c with a version containing a backdoor. It is thought the attackers took advantage of an unpatched security flaw in the FTP daemon to gain access to the server. “The fact that the server acted as the main FTP site for the ProFTPD project as well as the rsync distribution server for all ProFTPD mirror servers means that anyone who downloaded ProFTPD 1.3.3c from one of the official mirrors from 2010-11-28 to 2010-12-02 will most likely be affected by the problem,” wrote the ProFTPD maintainer. Users who downloaded the source files during those 4 days are urged to download the source files again. To confirm their integrity, they are advised to verify the MD5 sums and PGP signatures of the downloaded files and compare them to those of the legitimate source tarballs. Source:
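The verification step the advisory recommends, as an added example written for this digest rather than code from the ProFTPD project: one function compares a downloaded tarball against an MD5 sum, the other checks a detached PGP signature with gpg and, optionally, confirms the signing key’s fingerprint. The file names, the expected sum and the fingerprint are all assumptions supplied by the caller. The important caveat for a compromise like this one is that a checksum file served from the same compromised host can be replaced along with the tarball, so the expected sum and the signing key must come from somewhere the attacker did not control (a mirror operator’s announcement, a previously fetched key, a keyserver), and the signature check is the stronger of the two.

```shell
#!/bin/sh
# Added example, not ProFTPD project code. Verifies a downloaded source
# tarball against an out-of-band MD5 sum and a detached PGP signature.
# All paths, sums and fingerprints are caller-supplied assumptions.

# verify_checksum TARBALL EXPECTED_MD5
# Returns 0 when md5sum of TARBALL equals EXPECTED_MD5, 1 otherwise.
verify_checksum() {
    tarball=$1
    expected=$2
    actual=$(md5sum "$tarball" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'MISMATCH %s: expected %s, got %s\n' "$tarball" "$expected" "$actual" >&2
    return 1
}

# verify_signature TARBALL SIGFILE [EXPECTED_FINGERPRINT]
# Returns 0 when gpg reports a valid detached signature over TARBALL and,
# if a fingerprint is given, the signing key matches it. Returns 2 when
# gpg is not installed, 1 on any verification failure.
verify_signature() {
    tarball=$1
    sig=$2
    expected_fpr=$3
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; cannot verify $sig" >&2
        return 2
    fi
    # --status-fd 1 makes gpg print machine-readable status lines; VALIDSIG
    # carries the full fingerprint of the key that produced the signature.
    status=$(gpg --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || return 1
    if [ -n "$expected_fpr" ]; then
        echo "$status" | grep -q "VALIDSIG $expected_fpr" || {
            echo "signature valid but not from expected key $expected_fpr" >&2
            return 1
        }
    fi
    return 0
}

# Stand-alone usage: verify.sh TARBALL EXPECTED_MD5 [SIGFILE [FINGERPRINT]]
if [ "$#" -ge 2 ]; then
    verify_checksum "$1" "$2" || exit 1
    if [ "$#" -ge 3 ]; then
        verify_signature "$1" "$3" "${4:-}" || exit 1
    fi
    echo "OK: $1"
fi
```

Run as `sh verify.sh proftpd-1.3.3c.tar.gz <md5-from-a-trusted-announcement> proftpd-1.3.3c.tar.gz.asc <maintainer-key-fingerprint>`; a non-zero exit means the file should not be built or installed.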

61. December 2, Help Net Security – (International) The golden hour of phishing attacks. Trusteer conducted research into the attack potency and time-to-infection of e-mail phishing attacks. One of their findings was that 50 percent of phishing victims’ credentials are harvested by cyber criminals within the first 60 minutes of phishing e-mails being received. Given that a typical phishing campaign takes at least 1 hour to be identified by IT security vendors, which does not include the time required to take down the phishing Web site, they have dubbed the first 60 minutes of a phishing site’s existence as the critical “golden hour.” During the golden hour, the research suggested more than 50 percent of stolen credentials are harvested; within 5 hours, more than 80 percent are collated and become usable by cybercriminals; the first 10 hours produce more than 90 percent of the total credentials that will be stolen by any given phishing site. Therefore, blocking a phishing site after 5-10 hours is almost irrelevant. A more effective model would prevent users from being directed to a phishing site and/or prevent them from entering their credentials if they do end up on a criminal site. Source:

62. December 2, – (International) Siberia exploit toolkit gets update to evade antivirus. The creators of the Siberia Exploits Kit have recently given it an update, enabling attackers to design more custom malware that can bypass antivirus and remain virtually undetectable on systems. The new automated features in Siberia can test malware success rates against signature-based antivirus engines. It uses a service called Scan4you, which does not report malware samples to security vendors. “Siberia is another exploit kit catching up to some of its competitors in what is quite a busy market space,” said a researcher at U.K.-based M86 Security. “We frequently suspect that it is the same criminal gangs at it as they sell off their toolkits using a channel of resellers.” Source:

63. December 1, CRN – (International) Facebook hit with likejacking, Zeus malware attack. Facebook users have once again been hit with a likejacking ploy and a Zeus variant. In the latest scam, detected by researchers at Sophos, users receive a message, allegedly coming from a friend, coupled with a link to a YouTube knock-off site called “FouTube.” However, the Facebook “Like” option leads to a likejacking scam. Instead of spreading malware, the attack displays a survey and tricks users into subscribing to an exorbitantly priced SMS service on their mobile phones. Meanwhile, a Trend Micro anti-spam research engineer warned another malware attack is circulating on the site, entailing spammed messages appearing to come from Facebook and falsely warning users their IP addresses were sending numerous spam messages to different e-mail addresses. The message then suggests that users download an offered freeware tool, called FB IPsecure, which claims to be from Facebook, so they can put a stop to the spam supposedly coming from their machine. The download is actually a malicious Zeus variant, aimed at taking control of a user’s computer once installed. Source:

64. December 1, Infosecurity – (International) Facebook being subverted for phishing attacks and open redirects. IT security vendor Websense is reporting Facebook is now being used to display phishing pages for different services, as well as to redirect to phishing pages hosted on the general Internet. In one example, an e-mail message appears to come from Facebook Security, and requests that users confirm their account. This is just like other phishing attacks users see every day, but with the twist that the phishing page itself gets loaded from within the Facebook site using an iframe. In a second example, there is a URL at the end of the phishing e-mail that sends the user to www.facebook(dot)com, where a script redirects the user to another Web site that contains the phishing page. “Both of these attacks make it harder for the user to spot the malicious content directly from the e-mail. Both messages do point to a valid Facebook URL”, a Websense security researcher said. Source:

65. December 1, Senate Committee on Homeland Security and Governmental Affairs – (International) Amazon severs ties with Wikileaks. The Senate Homeland Security and Governmental Affairs Committee Chairman December 1 issued the following statement after Amazon(dot)com decided to terminate its relationship with Wikileaks. After reading press reports that Amazon was hosting the Wikileaks Web site, Committee staff contacted Amazon November 30 for an explanation. “This morning Amazon informed my staff that it has ceased to host the Wikileaks website. I wish that Amazon had taken this action earlier based on Wikileaks’ previous publication of classified material. The company’s decision to cut off Wikileaks now is the right decision and should set the standard for other companies Wikileaks is using to distribute its illegally seized material...I will be asking Amazon about the extent of its relationship with Wikileaks and what it and other web service providers will do in the future to ensure that their services are not used to distribute stolen, classified information.” Source:

66. November 30, Help Net Security – (International) Malicious Kodak galleries used for serving Trojan. A variant of a highly specialized Trojan has appeared on fake sites mimicking Kodak Gallery pages, where potential victims are urged to download software that would supposedly allow them to watch the offered slideshow, but which actually creates a folder with configuration files and copies a few executables into the System32 folder. Before doing that, it does show the user a slideshow of car pictures, which acts as a smokescreen to hide the malicious activity. Further research by Sunbelt’s experts revealed that the choice of car pictures might not be random. The Bayrob Trojan, of which this is a variant, has a history of targeting eBay users, especially those buying motors and cars, since larger amounts of money are involved in those purchases. The Trojan spoofs various eBay pages and tries to trick users into parting with their money. Source:

Communications Sector

67. December 2, Help Net Security – (National) The impact of online shopping on corporate networks. A survey from Ipswitch shows that more than 50 percent of IT administrators expected to lose more than 20 percent of their company’s network bandwidth from employees shopping on the job during Cyber Monday. Ipswitch recently conducted an online poll of IT administrators asking how much network bandwidth they anticipated their company losing to Cyber Monday shopping. Of those polled, one-third of respondents expected to lose more than 30 percent of network bandwidth November 29. Conversely, 28.5 percent, the next largest group, expected to lose less than 10 percent of their network resources to online shopping during the work day. The smallest group of administrators, 17.6 percent, expected to lose between 10 and 20 percent of their network bandwidth. “Cyber Monday continues to grow and is clearly the largest online shopping day of the year,” said the president of Ipswitch Inc.’s Network Management Division. “However, big savings for consumers can translate to less network bandwidth and lost productivity for employers. We expect many organizations to track and calculate the impact of Cyber Monday to make sure that their critical business operations have the bandwidth needed in the future to handle this ‘peak day’ of network usage.” Source: