Wednesday, December 22, 2010

Complete DHS Daily Report for December 22, 2010

Daily Report

Top Stories

• Hackers broke into the Web site of a New York tour company and stole about 110,000 bank card numbers, according to IDG News Service. See item 9 below in the Banking and Finance Sector

• CNN reports U.S. officials confirmed an al Qaeda group contemplated spreading poison on salad bars and buffets at U.S. hotels and restaurants. (See item 21)

21. December 21, CNN – (National) Al Qaeda group contemplated poisoning food in U.S., officials say. The al Qaeda group that built two toner-cartridge bombs in an unsuccessful attempt to blow up planes in October also has contemplated spreading poison on salad bars and buffets at U.S. hotels and restaurants, U.S. officials told CNN December 21. But U.S. officials sought to downplay the threat — first reported by CBS News — saying it was months old, and that it was more in the nature of a discussion of “tactics” than an actual plot. Officials implied the tactic is beyond the capabilities of the terrorist organization, which is based in the Middle East. The United States has received information that al Qaeda was considering the tactic of placing ricin and cyanide poisons into food supplies, DHS officials confirmed to CNN. In response to that information, U.S. officials met through regular channels with representatives of the hotel and restaurant businesses to discuss the possibility that terrorists could target the food supply, and to reiterate “best practices” to ensure the food supply is safe. Officials, however, likened the threat to numerous others discussed in jihadist publications such as the online magazine Inspire, where al Qaeda members and sympathizers discuss various ways to attack Western countries. “We’re talking months, not weeks (ago), that this came into the threat stream,” one official said. Another U.S. official said, “We’re aware that terrorists have been interested in doing this kind of thing for a long time. They’ve said as much and, as a result, we take all of this very seriously. But we don’t know of any current plotting along these lines.” Source:


Banking and Finance Sector

8. December 21, Softpedia – (National) New phishing campaign targets Netflix users. Security researchers from Trend Micro warn of a phishing campaign targeting Netflix customers that sends e-mails claiming their accounts were suspended. The rogue e-mails cite credit card problems and instruct users to log into their accounts via the included link to update their payment information. The messages are titled “Your Account Has Been Suspended” and read “We are sending this email to let you know that your credit card has been expired. To update your account information, please visit Your Account.” Phishers used a real Netflix e-mail template when creating the campaign in order to add credibility: it bears the company’s logo, disclaimer, contact information and color scheme. The phishing attack works in two steps. The first is meant to steal Netflix account credentials, with the advertised link taking users to a Web site mimicking the Netflix log-in page. Once victims input credentials, they are redirected to a second page displaying a form for credit card details and other financial data. Source:

9. December 20, IDG News Service – (National) Hackers hit New York tour firm, access 110,000 bank cards. Hackers have broken into the Web site of the New York tour company CitySights NY and stolen about 110,000 bank card numbers. They broke in using a SQL injection attack on the Web server, CitySights said in a December 9 breach notification letter published by New Hampshire’s attorney general. The company learned of the problem in late October, when “a web programmer discovered [an] unauthorized script that appears to have been uploaded to the company’s web server, which is believed to have compromised the security of the database on that server,” the letter said. CitySights believes the SQL injection compromise occurred about a month earlier, on September 26. In a SQL injection attack, attackers get their own database commands executed by placing specially crafted text in Web forms, search boxes or URL parameters whose contents the application splices directly into the query text it sends to the back-end database; a single quote in the input ends the intended string literal, and everything after it is interpreted as SQL. The company began notifying customers about the incident the week of December 6. Victims are being offered one year of free credit monitoring and a 50 percent off coupon for another CitySights tour. Source:
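To make the mechanism concrete, the following added example (not code from CitySights or from the IDG story; the table layout, column names and card values are constructed for illustration) puts a tour-search query built by string concatenation next to the parameterized form and shows what one crafted search term does to each:

```python
import sqlite3


# Constructed stand-in for a tour-booking site's database. Table and column
# names and the card values are assumptions made for this example only.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tours (id INTEGER, name TEXT, price INTEGER)")
    conn.execute("CREATE TABLE cards (id INTEGER, holder TEXT, number TEXT)")
    conn.executemany("INSERT INTO tours VALUES (?, ?, ?)",
                     [(1, "Downtown Loop", 49), (2, "Night Tour", 59)])
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?)",
                     [(1, "A. Customer", "4111111111111111"),
                      (2, "B. Customer", "5555555555554444")])
    conn.commit()
    return conn


def search_tours_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # Vulnerable: the search term is spliced into the SQL text, so a quote
    # character in it ends the string literal and whatever follows is SQL.
    sql = "SELECT name, price FROM tours WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_tours_safe(conn: sqlite3.Connection, term: str) -> list:
    # Safe: the term is passed as a bound parameter. The database receives it
    # as data for the placeholder and never parses it as part of the query.
    sql = "SELECT name, price FROM tours WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# Attacker's search term. The first quote closes the LIKE pattern, UNION
# bolts the cards table onto the result set, and "--" comments out the
# trailing "%'" that the application appends.
PAYLOAD = "x%' UNION SELECT holder, number FROM cards --"


def stolen_card_numbers(conn: sqlite3.Connection) -> set:
    # Runs the payload through the vulnerable search and returns every value
    # that came back from the cards table rather than from tours.
    return {number for _name, number in search_tours_vulnerable(conn, PAYLOAD)
            if isinstance(number, str)}


if __name__ == "__main__":
    db = build_db()
    print("vulnerable search leaks:", sorted(stolen_card_numbers(db)))
    print("parameterized search returns:", search_tours_safe(db, PAYLOAD))
```

The parameterized version returns an empty result for the same input because the whole payload is treated as a pattern to match against tour names. Binding parameters closes the injection; it does not excuse storing full card numbers next to the Web application's tables in the first place, nor granting the Web application's database account read access to them.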

10. December 20, Fox News Latino – (International) Bomb damages Spanish bank’s branch in Argentine capital. A bomb damaged ATMs and shattered windows December 20 at a branch of BBVA-Banco Frances, a unit of Spanish banking giant BBVA, in Buenos Aires, Argentina, but no one was injured, Argentine police said. They said this was the seventh attack of this type this year. The bomb dispersed anarchist pamphlets at the bank branch in the Recoleta district about 220 yards from the French and Brazilian embassies. The pamphlets criticized repression against the Qom Indians in Formosa, a province in northern Argentina, and the death of a young man during a protest a few months ago in the southern province of Rio Negro, police said. The pamphlets also referred to the leftist Movimiento Todos por la Patria, a group whose January 1989 attack on an army base outside Buenos Aires left 39 police, soldiers and assailants dead. The bombing is being investigated by a federal judge in Buenos Aires, police said. Previous attacks, all committed in the early morning hours and resulting in no injuries, targeted Santander Rio, a unit of Spanish bank Grupo Santander, U.S.-based Citibank and state-owned Banco de la Nacion Argentina, the country’s largest bank. The judge investigating the bombings is focusing on the Chilean anarchist group Celulas Revolucionarias Brigada Andrea Salsedo, which claimed responsibility for the bombing in July of the BBVA-Banco Frances branch in Flores, a neighborhood in the western part of the capital. Source:

11. December 18, – (Tennessee) Metro Police, FBI search for serial bank robber. Metro Police and the FBI are searching for a man they think has robbed at least three banks in Nashville, Tennessee in December. Agents believe the same man who robbed the Regions Bank branch at 2409 Lebanon Pike December 17 is also responsible for robbing the SunTrust Bank branch at 530 Murfreesboro Pike December 16 and December 6. In all three robberies, the robber approached the teller and indicated he had a weapon. Metro Police and the FBI’s Violent Crimes Task Force are asking for the public’s assistance in identifying the man. The robber is described as a white man in his late 40s or early 50s with long graying brown hair worn in a ponytail and a beard. He is approximately 5’10” tall and weighs approximately 170 pounds. He entered the Regions bank wearing a black jacket with an orange T on the front and a red ballcap. Source:

12. December 17, WEWS 5 Cleveland – (Ohio) Three men rob Cleveland bank at gunpoint. Authorities are looking for information after three men robbed a Cleveland, Ohio, bank at gunpoint. The robbery happened around 2:30 p.m. December 17 at the Fifth Third Bank in the 3500 block of Lorain Avenue in Cleveland. The FBI said three men, armed with handguns, entered the bank and demanded money. The men were wearing dark clothing and masks. An official with the FBI said this style of bank robbery is called a takeover. That’s when the robbers come into the bank with guns drawn and order everyone on the ground. They also hit multiple tellers. The FBI official said each of the men had different roles in the robbery. While one man stood by the door, another man jumped the counter and the third man went to three different tellers. The FBI official said they are also looking for a person of interest who was acting suspiciously inside the bank right before it was robbed. Source:

Information Technology

39. December 21, Help Net Security – (International) Worm blocks access to Facebook. A relatively new worm Symantec named “W32.Yimfoca” presents a never-before-seen modus operandi. A variant of the worm spreads via Yahoo! Messenger and, once installed, downloads and installs W32.Yimfoca on the target system. It has lately been observed specifically targeting Facebook users by denying them access to their accounts until they complete a survey. Every time a user lands on the Facebook homepage, a window offering the surveys pops up. While the victim fills out the survey, a progress bar is shown accompanied by a “threat”: “You have only 3 minutes to fill out the selected survey or you will not have access to your account.” Once the user has completed a survey, he or she can access the account. If the user does not complete the survey within 3 minutes, the worm will not allow access to the account while it is running, and it resets even after a reboot of the infected computer. The worm blocks access to Facebook only when Internet Explorer is being used; any other browser fails to trigger it, and the user can reach his or her Facebook account without being sidetracked by pop-ups. Source:

40. December 21, Softpedia – (International) New URL shortener hijacks browsers for DDoS. To illustrate the danger of implicitly trusting shortened URLs, a student has launched a service that generates links which take users to their destination but also hijack their browsers for DDoS. The service is the creation of a computer science major at the University of Tulsa who describes himself as a security enthusiast. This recently created JavaScript-based LOIC (a browser version of the Low Orbit Ion Cannon flooding tool) allows people to join a DDoS effort voluntarily by visiting a Web page instead of installing an application on their computers. The tool works by repeatedly changing an image tag’s src attribute, each time with a different query string so the browser cannot serve it from cache, which forces the browser to send a continuous stream of HTTP requests to the targeted server. The shortener was released as a proof of concept and works by loading the destination page in a transparent iframe. The source code is freely available under the GPL. To use the service, attackers specify the destination link and the URL to be targeted; the title of the page can also be configured. The resulting short URL can then be spread on social media Web sites to attract as many visitors as possible. People who click the link get no indication that something is wrong, except that the URL in the address bar stays at the shortener’s own address rather than changing to the destination’s. Meanwhile, in the background, their computer sends hundreds of requests per minute to the target URL; the longer a visitor stays on the legitimate destination page, the more effective the attack is. Source:
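Server-side, the pattern described above leaves a distinctive trace in access logs: one client hitting one path many times a minute with a different query string on every request (the cache-busting trick), often with the shortener page as the Referer. The following added detection example (not the student’s tool and not from the Softpedia article; the log lines, addresses and shortener hostname are constructed) parses combined-format access log lines and flags such bursts:

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    rec["minute"] = rec["ts"][:17]   # "21/Dec/2010:14:03" without seconds or zone
    return rec


def find_cache_busting_floods(lines, min_hits=20, min_distinct_ratio=0.9):
    """Group requests by (client, minute, path) and flag groups that are large
    and whose query strings are almost all different, i.e. deliberately
    uncacheable. Returns one alert dict per offending group."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            buckets[(rec["ip"], rec["minute"], rec["path"])].append(rec)
    alerts = []
    for (ip, minute, path), recs in sorted(buckets.items()):
        distinct = len({r["query"] for r in recs})
        if len(recs) >= min_hits and distinct / len(recs) >= min_distinct_ratio:
            alerts.append({"ip": ip, "minute": minute, "path": path,
                           "hits": len(recs), "distinct_queries": distinct,
                           "referers": sorted({r["referer"] for r in recs})})
    return alerts


# Constructed sample: 30 cache-busting hits from one client within one minute,
# referred by a made-up shortener page, plus ordinary browsing from another client.
SAMPLE_LOG = [
    f'203.0.113.7 - - [21/Dec/2010:14:03:{s:02d} +0000] '
    f'"GET /index.html?{1000 + 37 * s} HTTP/1.1" 200 5120 '
    f'"http://sho.rt/abc123" "Mozilla/5.0"'
    for s in range(30)
] + [
    '198.51.100.5 - - [21/Dec/2010:14:03:10 +0000] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [21/Dec/2010:14:03:12 +0000] "GET /tours.html HTTP/1.1" '
    '200 8192 "http://www.example.com/index.html" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in find_cache_busting_floods(SAMPLE_LOG):
        print(alert)
```

The thresholds are starting points, not verdicts: a legitimate page that polls an endpoint with a timestamp parameter produces the same shape, so tune `min_hits` against normal traffic and treat a common off-site Referer across many flagged clients as the stronger signal. Once a shortener is identified, blocking requests whose Referer carries that host, or rate-limiting them at the edge, takes the load off the origin.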

41. December 21, Help Net Security – (International) Database of routers’ embedded private SSL keys published. The recent publishing of a database containing over 2,000 private SSL keys hard-coded into various routers — with their corresponding public certificates and hardware/firmware versions — makes it easy for anyone who can capture the traffic to decrypt HTTPS sessions to an affected device’s administrative interface, or to impersonate that interface. Because the same key ships in every unit running a given firmware build, recovering it once from a firmware image recovers it for all of them; the key does not protect the traffic the router merely forwards, which is encrypted, if at all, end to end by the applications. “While most of these certificates are from DD-WRT firmware, there are also private keys from other vendors including Cisco, Linksys, D-Link, and Netgear,” said a member of the /dev/ttyS0 group that is behind this project called LittleBlackBox. “Many routers that provide an HTTPS administrative interface use default or hard-coded SSL keys that can be recovered by extracting the file system from the device’s firmware. Private keys can be recovered by supplying LittleBlackBox with the corresponding public key. If the public key is not readily available, LittleBlackBox can retrieve the public certificate from a pcap file, live traffic capture, or by directly querying the target host,” he wrote. He offered the LittleBlackBox code for download. The practical remedy for a device owner is to generate a unique key and certificate for the administrative interface, or to expose that interface only on a trusted network, rather than relying on the one baked into the firmware. Source:

42. December 20, H Security – (International) Phrack hole closed in ProFTPD. The development team behind ProFTPD has released version 1.3.3d, which closes a critical security hole in the SQL module (mod_sql) of all previous versions. The flaw was reported roughly 1 month ago in Phrack, the hacker magazine. A buffer overflow in the function sql_prepare_where() allows attackers to remotely execute arbitrary code on the server. The developers themselves suffered when this vulnerability was exploited by still-unknown parties, who entered the project server and installed a back door in the source code; anyone who downloaded ProFTPD source from the project during that period should verify the tarball against the project’s PGP signature, not merely a checksum hosted on the same compromised server, and rebuild from a clean copy. The new version also fixes a number of additional bugs; as a result, the GPL-licensed server is reportedly now more stable. At the same time, the developers have also published the first release candidate for version 1.3.4. Source:

43. December 20, Softpedia – (International) Defrag scareware distributed through compromised OpenX servers. Scammers behind the new family of scareware programs that pose as hard disk drive defragmentation utilities are using vulnerable OpenX servers to launch drive-by downloads and infect users. This new attack was spotted by security researchers from Web application security solutions vendor Armorize Technologies, who revealed the week of December 12 that the same cyber criminals managed to get malicious ads onto Google’s and Microsoft’s advertising networks. This piece of scareware goes by different names including “HDD Tools”, “HDD Plus”, “Ultra Defragger”, “Smart Defragmenter”, “HDD Defragmenter”, “System Defragmenter”, “Disk Defragmenter”, “Quick Defragmenter”, “Check Disk”, or “Scan Disk.” The attackers begin by exploiting known vulnerabilities in outdated OpenX ad servers to inject rogue code into the /www/delivery/ajs.php banner-serving script. The code generates an iframe on the public-facing pages, which points to an externally hosted instance of the BleedingLife v2 exploit pack. Because the injection lives in the ad server’s own script, every site embedding that server’s banners serves the iframe to its visitors; comparing ajs.php against the pristine file from the OpenX release is the quickest way to confirm a compromise. This toolkit serves exploits for two vulnerabilities in older Flash Player versions, two affecting Adobe Reader, and two in Java. “The exploitation success rate is 28 percent, which is very high,” said Armorize’s CTO. Antivirus detection for these reliably written exploits is very low on VirusTotal, while detection for the dropped scareware is around 63 percent. Source:
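What a site operator should look for in ad-server output is an iframe it never configured: typically one pointing at a host outside the site’s own ad and content domains, sized at a pixel or two, or hidden by CSS. The following added example (not Armorize’s detection and not from the Softpedia article; the banner-script snippet, the trusted hostnames, the injected host 203.0.113.10 and its path are constructed) scans text returned by a banner script for such frames. It works on the raw text rather than a parsed DOM so that frames written by document.write() inside JavaScript are caught as well:

```python
import re
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d",
    re.IGNORECASE)


def parse_attrs(raw: str) -> dict:
    """Turn the attribute text of one tag into a {name: value} dict."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        name = m.group(1).lower()
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[name] = value.strip()
    return attrs


def _is_tiny(value) -> bool:
    # A frame declared 0-2 pixels wide or high is invisible to the visitor.
    m = re.match(r"\d+", value or "")
    return bool(m) and int(m.group()) <= 2


def find_suspicious_iframes(text: str, trusted_hosts) -> list:
    """Return one finding per iframe that points off-site, is sized to be
    invisible, or is hidden by inline CSS. Each finding lists its reasons."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if host and host not in trusted_hosts:
            reasons.append("external host " + host)
        if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
            reasons.append("1-2 pixel frame")
        if HIDDEN_STYLE_RE.search(attrs.get("style", "")):
            reasons.append("hidden by style")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample of what a banner-serving script might return: one
# legitimate banner frame from the site's own ad host, and one injected frame
# pointing at a made-up external host.
TRUSTED_HOSTS = {"ads.example.com", "www.example.com"}
SAMPLE_AJS = """
document.write('<iframe src="http://ads.example.com/afr.php?zoneid=1" width="728" height="90" frameborder="0"></iframe>');
document.write('<iframe src="http://203.0.113.10/in.php" width="1" height="1" style="visibility:hidden"></iframe>');
"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_AJS, TRUSTED_HOSTS):
        print(finding)
```

This catches the plain form of the injection. Attackers frequently obfuscate the written tag (unescape(), String.fromCharCode(), string concatenation), so decode such wrappers before scanning, and treat any change to the banner script’s hash since the last known-good deployment as the primary alarm regardless of what the scanner finds.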

44. December 20, United Press International – (International) Most hacker attacks are quietly blocked. The WikiLeaks battle has put the spotlight on cyberattacks, but most hacker blitzes are foiled and pass without public notice, U.S. experts said. Hackers assaulted five big online retailers as the holiday shopping season began November 30. But a global network run by Akamai Technologies of Cambridge, Massachusetts, intercepted the data deluge, The Boston Globe reported. Akamai, an Internet infrastructure company, is one of many that defend the Internet against distributed denial of service, or DDoS, attacks like the one employed by the WikiLeaks backers. When a DDoS attack hit the retailers November 30, the spike in traffic was spotted immediately at Akamai’s operations center in India. Akamai, with about 80,000 servers in 70 countries, instantly assigned extra ones to handle the traffic, ensuring that the retailers would not be overwhelmed. The sites were assaulted for 3 days, but not knocked offline. Akamai would not reveal who the retailers were. Source:

45. December 20, CSO – (International) Researchers create botnet to learn how it works. A team of researchers in Canada recently released results of a study where they created a botnet strictly for experimental purposes. The simulation allowed the researchers at Ecole Polytechnique de Montreal, with collaborators at Nancy University in France and Carleton University in Ottawa, to observe the botnet’s behavior while keeping it from infecting other machines. In order to gain more insight into what the researchers called “one of the most worrying computer security threats,” the experiment recreated an isolated version of the Waledac botnet. Waledac, which was taken down by Microsoft earlier this year, at one point consisted of an estimated 70,000-90,000 infected computers and was responsible for as much as 1.5 billion spam messages per day. For the research, approximately 3,000 copies of Windows XP were loaded onto a cluster of 98 servers at Ecole Polytechnique. Nodes were infected with the Waledac worm by loading it onto them from DVDs, instead of connecting to other machines. The goal was to gather information about the botnet in order to understand as much as possible about its architecture and modes of operation. The researchers also tested a countermeasure against the isolated botnet; that attack stopped it from sending out spam within an hour, they said. Source:

Communications Sector

46. December 21, Arizona Daily Sun – (Arizona) Weather knocks out second station. A combination of rain and strong gusts of wind took two different Flagstaff, Arizona radio stations off the air December 19. Radio transmitters based on Mount Elden for The WOLF (KWMX) and KNAU (91.7) lost power due to severe weather, Arizona Public Service officials said. A member of Northland Radio, located at 96.7, said APS officials told him power to the transmitters should be restored by December 22 or December 23. A third transmitter for KNAU’s 88.7 FM channel also lost power December 19, but power was restored December 20. Source:

47. December 21, Watertown Daily Times – (New York) Fiber-optic line cuts disrupt telephone service around state. Two levels of telephone service were interrupted in the north country of New York December 20, when one or more fiber-optic lines were cut. The St. Lawrence County emergency services director said a “major” fiber-optic line cut in the Rochester area left areas around the state without standard telephone service. A sheriff said the county’s phone system is down, but anyone with an emergency can call 911. He said the problem resides with PAETEC, a Rochester-area telecommunications provider. The interim county information technology office director said anyone having trouble calling 911 from a land line phone should be able to get through on a cell phone. County fire officials requested that all fire stations be staffed because of the outage. In Jefferson County, meanwhile, nearly all of the AT&T cell towers were experiencing technical difficulty. Company officials said full phone service should be restored between 9 and 10 a.m. December 21. Source: