Tuesday, December 21, 2010

Complete DHS Daily Report for December 21, 2010

Daily Report

Top Stories

• In a new study, the Environmental Working Group reports tests it commissioned detected carcinogenic hexavalent chromium in 31 of 35 tap water samples — 89 percent — from cities across the country. (See item 30)

30. December 20, Environmental Working Group – (National) Chromium-6 is widespread in U.S. tap water. Tests commissioned by the Environmental Working Group (EWG) detected carcinogenic hexavalent chromium in 31 of 35 tap water samples — 89 percent — collected in cities across the country, as described in the report released December 20. EWG targeted a mix of large cities and some smaller ones where testing by local water utilities had previously detected potentially significant amounts of “total chromium.” This less specific measurement includes trivalent chromium, an essential mineral that regulates glucose metabolism, as well as the cancer-causing hexavalent form, also called chromium-6. Chromium widely contaminates U.S. tap water. Hexavalent chromium (or chromium-6) gets into water supplies after being discharged from steel and pulp mills as well as metal-plating and leather-tanning facilities. It can also pollute water through erosion of soil and rock. In California, the only state that requires water utilities to test for hexavalent chromium, the state’s Environmental Protection Agency (California EPA) has proposed a “public health goal,” or maximum safe concentration, of 0.06 parts per billion (ppb) in tap water to protect against excess cancer risk. Nationally, samples from 25 cities tested by EWG had levels of hexavalent chromium higher than the safe limit proposed in California. EWG recommended the U.S. EPA set a legal limit for hexavalent chromium in drinking water as quickly as possible, and require all water utilities to test for it. Source: http://www.ewg.org/chromium6-in-tap-water/findings

• The U.S. State Department has begun evacuating dependents and non-emergency personnel from its embassy in Cote d’Ivoire after escalating violence that included a rocket strike against the embassy. (See item 36)

36. December 20, News Agency of Nigeria – (International) U.S. begins evacuation of embassy staff in Cote d’Ivoire. The United States has begun evacuating dependents and non-emergency personnel from its embassy in Abidjan, the capital of Cote d’Ivoire. A U.S. State Department spokesperson said December 17 the undersecretary for management approved the authorized departure of its citizens. The North America Correspondent of the News Agency of Nigeria (NAN) reported post-presidential election violence in the West African country had escalated in the previous 2 days. The Ivorian incumbent leader has refused to concede electoral defeat in spite of pressure from the international community. On December 16, the U.S. government said a rocket strike hit the outer perimeter of its embassy in Cote d’Ivoire, causing only slight damage and no injuries. The outbreak of violence the same day around the capital killed more than a dozen people. Source: http://234next.com/csp/cms/sites/Next/News/Metro/Politics/5655590-146/u.s._begins_evacuation_of_embassy_staff.csp

Details

Banking and Finance Sector

15. December 20, Softpedia – (International) Bank of America bans WikiLeaks-related transactions. Bank of America has joined the list of companies that refuse to do business with WikiLeaks, a decision that might attract the anger of hacktivists. The ostracizing of WikiLeaks by financial companies as a result of “Cablegate” started in early December when PayPal closed the organization’s donations account. PayPal cited terms of service violations as a result of “activities that encourage, promote, facilitate or instruct others to engage in illegal activity.” PayPal’s decision was soon followed by MasterCard and Visa, which announced they would block all credit-card-based donations to WikiLeaks for similar reasons. Bank of America, the largest bank in the United States, said WikiLeaks was inconsistent with its own rules. According to the BBC, the company announced it will block “transactions of any type that we have reason to believe are intended for Wikileaks,” because the organization “may be engaged in activities that are inconsistent with our internal policies for processing payments.” Following the announcement, WikiLeaks and Anonymous, the group of hacktivists who pledged allegiance to the whistleblower site, advised people to close their Bank of America accounts. Source: http://news.softpedia.com/news/Bank-of-America-Bans-WikiLeaks-Related-Transactions-173696.shtml

16. December 20, HedgeCo.Net – (New York) Two arrested in $20 million hedge fund fraud scheme. Federal prosecutors in New York have charged two more hedge fund managers with fraud, according to Courthouse News Services. The 4-count indictment said two New Jersey hedge fund managers shipped $18 million in ill-gotten gains to the Ukraine after taking $20 million for nonexistent investments of the A.R. Capital Globe Fund. The two hedge fund managers are alleged to have concealed their identities using names other than their own, and to have distributed inflated annual returns to investors to coerce them into placing more money in the ARC Global Fund, the FBI said. Source: http://www.hedgeco.net/news/12/2010/two-arrested-in-20-million-hedge-fund-fraud-scheme.html

17. December 19, PCWorld – (National) Zeus botnet targets holiday shoppers. As holiday shoppers take advantage of the convenience of online shopping, a Zeus botnet is targeting credit-card account holders who shop at several major U.S. retailers, including Macy’s and Nordstrom. Researchers with security firm Trusteer captured and analyzed malware samples designed to steal credit card information, probably to conduct card-not-present (CNP) fraud, an analyst said in a blog post. The attack is using a Zeus 2.1.0.8 botnet, the latest and most sophisticated version of the Zeus malware platform, the analyst said. CNP fraud takes place when a credit card is not physically present at the point of sale, as in an Internet, mail, or phone purchase. In this particular attack, social engineering is used after an infected user logs onto one of the targeted retailers’ card services Web sites: the botnet injects a man-in-the-middle-style pop-up that says, “In order to provide you with extra security, we occasionally need to ask for additional information when you access your account online. Please enter the information below to continue.” In the pop-up window, the user is asked to enter several pieces of sensitive data, such as Social Security number and mother’s maiden name. Source: http://www.pcworld.com/article/214187/

18. December 18, Softpedia – (National) Fannie Mae attempted saboteur gets 41-month prison sentence. A former UNIX engineer was sentenced to 41 months in prison for planting a logic bomb with the purpose of bringing Fannie Mae’s entire computer network down. The 36-year-old man, who hails from Montgomery County, Maryland, was sentenced by a U.S. District Judge December 17 after a federal jury found him guilty of computer intrusion at the beginning of October. The man worked as a contractor at Fannie Mae’s Urbana Technology Center between 2006 and October 24, 2008, when he was fired. His job gave him administrative access to the mortgage giant’s servers. On October 29, 2008, during a routine check, a senior Fannie Mae systems engineer noticed a hidden unauthorized script scheduled to execute January 31, 2009. The script’s purpose was to propagate through the entire computer network, delete data from all of its 5,000 servers, and lock administrators out with the message “Server Graveyard.” Investigators estimated that, had the program run as intended, Fannie Mae’s network would have been disabled for a week, leading to millions of dollars in losses. Source: http://news.softpedia.com/news/Fannie-Mae-Attempted-Saboteur-Gets-41-Month-Prison-Sentence-173589.shtml

19. December 18, UPI – (California) Man suspected of five California robberies. The FBI and the Los Angeles County Sheriff’s Department said a man called the “Trojan horse bandit” might be responsible for five robberies in southern California since September. The slightly built Latino bandit got the nickname because he has worn clothing featuring the logo of the University of Southern California Trojans, the Los Angeles Times reported. Witnesses said the robber is between the ages of 20 and 30, weighs between 120 and 160 pounds, and is 5 feet 2 inches to 5 feet 9 inches tall. He is linked to robberies of Bank of America branches in Bellflower and Downey, a Chase Bank in Bellflower, and Union Bank branches in Bellflower. Officials said no gun was seen during the holdups, but the suspect has threatened to shoot people in the banks. Source: http://www.upi.com/Top_News/US/2010/12/18/Man-suspected-of-five-California-robberies/UPI-95581292692184/

Information Technology

46. December 20, IDG News Service – (International) Gawker CTO outlines post-hack security changes. Gawker Media’s CTO outlined a series of security changes designed to shore up the company’s IT operations following an attack the week of December 12 that compromised up to 1.4 million accounts. The company was unprepared to respond to an attack in which user data and passwords were posted to peer-to-peer file-sharing networks, the CTO said in a December 17 e-mail memo to Gawker staff. A group called Gnosis claimed responsibility for the hack, which exploited a flaw in the source code of Gawker’s Web servers. As a result, Gawker has done a security audit of the sites affected, including Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. Gawker is now mandating the use of SSL (Secure Sockets Layer) encryption for employees with company accounts using Google Apps. Also, if those employees have access to sensitive legal, financial, or account data, two-factor authentication must be used. Gawker also will not allow employees to discuss sensitive information on chat applications, including AOL’s Instant Messenger and Campfire. For users of its Web sites, the CTO wrote that Gawker wants to move away from storing information such as e-mail addresses and passwords and use systems such as OAuth. OAuth is an authentication protocol that allows people to use the same log-in information for multiple services and share data through an API (application programming interface). OAuth provides a token that grants access to different applications, which do not see users’ original log-in credentials. It is being used now by Google, Twitter, and Facebook, among other services. Gawker will also allow people to create a “disposable” account with its sites in order to leave comments. Source: http://www.computerworld.com/s/article/9201719/Gawker_CTO_outlines_post_hack_security_changes
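The token model the memo describes (the site that accepts comments never sees the user's password; it only holds a scoped, expiring token it can have the issuer revoke) can be shown with a small simulation. The following is an added illustration written for this digest, not code from Gawker, Google, or any OAuth library, and it collapses the real redirect-based OAuth flow into direct function calls. Every name in it (AuthServer, CommentApi, CommentApp, issue_token, introspect, the scope strings, the user "alice") is invented for the example.

```python
"""Toy simulation of credential-free delegation: the client app holds a token, never a password.
Constructed example; not the OAuth specification and not any production implementation.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass


def hash_password(password: str, salt: bytes) -> bytes:
    # Only the authorization server stores this; iteration count is a hypothetical choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Token:
    value: str            # opaque random string handed to the client
    user: str
    client_id: str        # which application the token was issued to
    scope: frozenset      # what the token permits
    expires_at: float
    revoked: bool = False


class AuthServer:
    """Identity provider: the only party that ever holds or checks passwords."""

    def __init__(self):
        self._users = {}    # username -> (salt, password hash)
        self._tokens = {}   # token value -> Token

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, hash_password(password, salt))

    def authenticate(self, username: str, password: str) -> bool:
        if username not in self._users:
            return False
        salt, stored = self._users[username]
        return hmac.compare_digest(stored, hash_password(password, salt))

    def issue_token(self, username, password, client_id, scope, ttl=3600):
        # The user types the password here, at the identity provider, not into the client app.
        if not self.authenticate(username, password):
            return None
        tok = Token(secrets.token_urlsafe(32), username, client_id,
                    frozenset(scope), time.time() + ttl)
        self._tokens[tok.value] = tok
        return tok.value

    def introspect(self, token_value, required_scope):
        """Resource servers ask the issuer whether a token is live and permits an action."""
        tok = self._tokens.get(token_value)
        if tok is None or tok.revoked or tok.expires_at < time.time():
            return None
        if required_scope not in tok.scope:
            return None
        return tok.user

    def revoke(self, token_value) -> None:
        tok = self._tokens.get(token_value)
        if tok is not None:
            tok.revoked = True


class CommentApi:
    """Resource server: stores comments, holds no credentials, trusts only the issuer's answer."""

    def __init__(self, auth: AuthServer):
        self.auth = auth
        self.comments = []

    def post_comment(self, token_value, text) -> bool:
        user = self.auth.introspect(token_value, "comment:write")
        if user is None:
            return False
        self.comments.append((user, text))
        return True


class CommentApp:
    """Third-party client: all it ever receives is the token."""

    def __init__(self, api: CommentApi):
        self.api = api
        self.token = None

    def post(self, text) -> bool:
        return self.api.post_comment(self.token, text)


def demo():
    """Walk through issue, use, scope check, expiry and revocation; returns the outcomes."""
    auth = AuthServer()
    auth.register("alice", "correct horse battery staple")   # constructed test user
    api = CommentApi(auth)
    app = CommentApp(api)
    bad_login = auth.issue_token("alice", "wrong", "commentapp", ["comment:write"])
    app.token = auth.issue_token("alice", "correct horse battery staple",
                                 "commentapp", ["comment:write"])
    posted = app.post("hello")
    # A comment-only token is useless for reading account data.
    scope_denied = auth.introspect(app.token, "account:read") is None
    # A token issued with a negative lifetime is already expired.
    stale = auth.issue_token("alice", "correct horse battery staple",
                             "commentapp", ["comment:write"], ttl=-1)
    expired_denied = auth.introspect(stale, "comment:write") is None
    auth.revoke(app.token)
    after_revoke = app.post("again")
    return {"bad_login": bad_login, "posted": posted, "scope_denied": scope_denied,
            "expired_denied": expired_denied, "after_revoke": after_revoke,
            "comments": api.comments}


if __name__ == "__main__":
    print(demo())
```

The point to take from the simulation is where the password lives: only `AuthServer` ever compares it, and a breach of `CommentApi` or `CommentApp` yields tokens that are scoped, time-limited, and revocable rather than reusable credentials.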

47. December 20, Infosecurity – (International) Symantec researcher spots C&C botnet toolkit in the wild. Security researchers from Symantec claim to have spotted a new crimeware toolkit being sold in the underground marketplace. The toolkit — known as Dream Loader — generates a Trojan used exclusively to distribute malware. According to a security researcher with Symantec, the toolkit is a command-and-control (C&C) botnet engine that is flagged as Trojan.Karagany by Symantec’s software. The malware generated by the toolkit is already circulating in the wild. The engine itself is said to come in a pack that contains both a builder to build an executable bot and a Web interface to control all of a hacker’s bots by sending commands across the Internet. The security researcher said the pack — now at version 0.3 — is relatively new and seems to have originated from Russia. The first edition of the toolkit, he said, was discovered in November and is designed to be modular and load plugins. Source: http://www.infosecurity-magazine.com/view/14771/symantec-researcher-spots-cc-botnet-toolkit-in-the-wild/

48. December 19, Computerworld – (International) Microsoft yanks Outlook 2007 update. Microsoft the week of December 13 pulled an update for Outlook 2007 issued just 2 days earlier, citing connection and performance problems for the unusual move. The update was issued mid-day December 14 as part of the monthly Patch Tuesday. Within hours, users reported trouble retrieving e-mail and major delays when switching folders. Some said they could not send or receive e-mail, including Gmail messages, through Outlook after installing the update. By December 16, support forum moderators were telling users to uninstall the update. According to Microsoft, the December 14 update contained three flaws: one related to Secure Password Authentication (SPA), a Microsoft protocol used to authenticate mail clients like Outlook to a mail server; sluggish folder switching when Outlook was not configured to retrieve mail from an Exchange server; and a broken AutoArchive feature. Source: http://www.computerworld.com/s/article/9201638/Microsoft_yanks_Outlook_2007_update

49. December 17, Softpedia – (International) Rogue Profile Spy Facebook app reinvents itself as Creeper Tracker. Facebook scammers are at work again trying to capitalize on people’s desire to know who viewed their profiles by promoting a rogue app called Creeper Tracker Pro. The “find out who is watching you” spam messages direct users to an external page claiming that to install the application they must complete one of several offers or surveys. “The links above will open a new window. The Profile Creeper window will remain open and tracking your completion of one of our surveys or offers above,” the scammers note. “Once one of these forms has been filled out, the button below will become unlocked and you will be able to see you top ten creepers,” they add. This feature does not exist on Facebook, and the Web site is clear about it in its FAQ section. Many past scams promoted an app called “Profile Spy,” but since users started realizing it was fake, scammers adopted a new name. Security researchers from GFI Software reported a rogue app called “VIP Access Now” is involved in this attack; however, its purpose is to send spam from people’s accounts. It does this by asking users for permission to post on their wall, access their chat feature, and manage their events. Source: http://news.softpedia.com/news/Rogue-Profile-Spy-Facebook-App-Reinvents-Itself-as-Creeper-Tracker-173496.shtml

50. December 17, Softpedia – (International) New wave of fake Amazon emails spreads malware. Security researchers from Sophos warned that a new wave of fake e-mails posing as shipment updates from Amazon is distributing an autorun worm. The rogue e-mails bear a subject of “Shipping update for your Amazon.com order” and their header is spoofed to appear as if they originate from an order-update@amazon.com address. The message body consists of the same text as the subject, plus an alleged order number and instructions to “check the attachment and confirm your shipping details.” In addition, the body contains an Amazon advertising banner and an image of an opened box, which were probably copied from a legitimate e-mail. The attached file is called “Shipping documents.zip” and, according to Sophos, it contains a malicious executable detected as W32/AutoRun-BHY. Source: http://news.softpedia.com/news/New-Wave-of-Fake-Amazon-Emails-Spreads-Malware-173495.shtml

51. December 17, Infosecurity – (International) One-quarter of consumers have turned off their anti-virus software. Twenty-five percent of consumers surveyed by anti-virus software provider Avira turned off their anti-virus software because it was slowing down the computer, while 12 percent considered abandoning the Internet because of safety concerns. In addition, 63 percent of consumers have tried multiple anti-virus security products in a 1-year span on the same computer, according to the survey of 9,091 Avira customers worldwide. “It’s not surprising that consumers try multiple security products each year since everyone is trying to find the right security product which can effectively balance protection and a computer’s resource usage,” said a data security expert with Avira. “The scary take-away from this survey is that 25 percent of the respondents admitted to turning off their security products because they feel that it hurt the performance of the machine.” He said vendors must be careful not to overload anti-virus software with features that could have a significant effect on system performance. Anti-virus vendors should focus on offering products that provide the minimum necessary protection, rather than protection “with all the whistles and bells” that users deactivate in order to use their computers. Source: http://www.infosecurity-us.com/view/14755/onequarter-of-consumers-have-turned-off-their-antivirus-software-/

Communications Sector

52. December 18, Vancouver Columbian – (Washington) Severed phone cable in Washougal may be repaired today. A contractor inadvertently cut a major phone cable December 17 in Washougal, Washington, creating a widespread service outage. The cable was cut by a contractor working near 17th and E streets, according to Frontier Communications, the local phone service provider. Between 700 and 900 phone numbers beginning with 335- and 835- were affected. According to the company, emergency 911 service was not interrupted, nor was service to customers who have fiber-optic FiOS telephone, Internet, and cable TV. Frontier recently bought the traditional phone service business that for many years had been provided to Washougal by Verizon Communications. Source: http://callcenterinfo.tmcnet.com/news/2010/12/18/5202761.htm

53. December 18, TorrentFreak – (International) BitTorrent domain exodus continues as Torrentz dumps .com. The Internet’s second-biggest BitTorrent site is dumping its .COM domain. In an apparent response to the recent seizures of domain names by the U.S. Department of Homeland Security’s Immigration and Customs Enforcement, the site moved to a new home. Despite being only a meta-search engine, Torrentz.com appears to be taking no chances with an immediate .EU domain migration. The fallout from the November domain name seizures carried out by U.S. authorities continues to spread in the file-sharing community. Torrent-Finder, which shifted to a .INFO domain to continue its operations, is fighting back with legal representation. Others, unsettled by the developing atmosphere of uncertainty, are taking steps to mitigate potential future action against their sites. Several private trackers have already invested in alternative domain names that are, at least currently, believed to be outside U.S. control or influence. The popular Demonoid tracker showed its hand with a shift from a .COM to a .ME domain. Source: http://torrentfreak.com/bittorrent-domain-exodus-continues-as-torrentz-dumps-com-101218/

54. December 17, IDG News Service – (International) Google adds site hacking notifications in search results. Google has started notifying its search engine users of sites in their list of query results that may have been compromised by hackers. For sites that Google believes have been hacked, search engine users will see a warning pop up, giving them the option to go back to the results page, get more information from Google, or continue on to their intended destination. Google determines that a site may have been hacked based on certain signs it detects automatically while crawling and indexing the site’s pages for its search engine. In those cases, Google will also attempt to contact the site’s Webmasters to alert them, in case they are unaware of the potential problem. Google will stop showing the warning once it verifies the problems have been fixed. Webmasters will be able to request expedited reviews of their previously compromised sites. Google also provides similar warnings for sites it believes infect visitors with malware. In December 2010, cybercriminals infected online ad networks from Google and Microsoft, placing ads on them that, when clicked, took users to sites that infected their PCs with malware, according to security consultancy Armorize. Source: http://www.computerworld.com/s/article/9201539/Google_adds_site_hacking_notifications_in_search_results