Friday, January 7, 2011

Complete DHS Daily Report for January 7, 2011

Daily Report

Top Stories

• CNN reports small explosions at two Maryland government office buildings, caused by packages sent via mail, left one person with minor injuries January 6. (See item 27)

27. January 6, CNN – (Maryland) Small explosions at Maryland state offices injure 1. Small explosions at two Maryland state government office buildings left one person with minor injuries January 6, a Maryland state government official with knowledge of the situation told CNN. No one suffered serious injuries or was hospitalized, a government source said. Both buildings were evacuated. Authorities responded to devices found in the mailroom of a state house office building in Annapolis, and at the Maryland Department of Transportation headquarters near Hanover, said a spokesman for the mayor of Annapolis. Reports of the incidents came in “not simultaneously, but close,” said the government source. “While the investigation is ongoing, it appears that two incendiary devices were transported through State government mail rooms,” the Maryland House speaker wrote in a statement. “We would encourage you to use reasonable caution in handling any packages that come to your office for the time being, and not open any mail until we have more complete information.” The Annapolis police bomb squad and firefighters, as well as the FBI and the state bomb squad responded. A Department of Homeland Security official said the department is closely monitoring the situation and is working with law enforcement agencies. Source:

• According to Associated Press, the son of a police detective opened fire at a high school in Omaha, Nebraska, January 5, fatally wounding the assistant principal and injuring the principal. (See item 49)

49. January 5, Associated Press – (Nebraska) Student kills 1, self at Omaha high school. The son of a police detective opened fire at a high school in Omaha, Nebraska, January 5, fatally wounding the assistant principal and forcing panicked students to take cover in the kitchen of the building just as they returned from holiday break. The gunman, who had attended the school for no more than 2 months, also wounded the principal before fleeing from the scene and fatally shooting himself in his car. The vice principal died at a hospital hours after the shooting, police said. The principal was listed in stable condition. In a rambling Facebook post filled with expletives, the shooter warned January 5 that people would hear about the “evil” things he did and said the school drove him to violence. He wrote that the Omaha school was worse than his previous one, and that the new city had changed him. He apologized and said he wanted people to remember him for who he was before affecting “the lives of the families I ruined.” The post ended with “goodbye.” The police chief provided no details on the weapon the gunman used or how he obtained it. The gunman’s father is a detective for the Omaha Police Department. Investigators were interviewing the 7-year veteran to try and discern a motive. Source:


Banking and Finance Sector

16. January 6, Columbus Dispatch – (Ohio) Woman FBI calls the ‘church lady bandit’ indicted in 12 robberies. The first bank robbery now attributed to the “church lady bandit” occurred January 10, 2006 — right around the time, auditor’s records show, the suspect lost her Northeast Side house in Columbus, Ohio in foreclosure. Three more robberies linked to the bandit occurred in October 2008, the same month the suspect embezzled $2,500 from her employer using a company credit card, according to court records. The bandit’s pace picked up in the fall, when she robbed seven banks and a motel, authorities said. Those robberies started in September, 4 months after the courts agreed the suspect owed $12,400 for defaulting on a car loan. On January 5, the Franklin County prosecutor announced a 24-count indictment against the suspect, saying the 46-year-old woman was responsible for 11 bank robberies, and one at a motel. Source:

17. January 6, Associated Press; Texarkana Gazette – (Arkansas) Police officers charged in armored car caper. Three Arkansas police officers have been charged with conspiracy to rob an armored car in Little Rock, and one of their two alleged accomplices was indicted for stealing $400,000 from an armored car driver in 2007, according to an indictment released January 5. Prosecutors would not say whether the conspiracy charges stemmed from the alleged heist or another plot, though all five men were named in the same terse, 2-page indictment. Source:

18. January 6, Help Net Security – (International) Undetectable fake ATM keyboard steals PINs in real time. Thieves and scammers are an inventive bunch, especially when it comes to stealing money indirectly. And the latest discovery of a fake keyboard placed over an ATM’s legitimate one that records the typed-in PIN — in conjunction with a fake magnetic strip reader that can be manufactured from cheap spare electronic parts — shows this kind of crime does not require a lot of funds and can bring in quite a lot of money. According to Gizmodo, the keyboard is virtually undetectable by anyone who is not an expert, and looks exactly like the real thing. It records the PIN as you type it in and sends this information, and that regarding the credit card magnetic strip, to the criminals in real time, so they can immediately proceed to empty an account. U.S. ATM users are particularly susceptible to these types of theft, since many ATMs work on the same principle. The chip-and-PIN technology used in Europe is harder to crack, so a number of U.S. banks have started adopting it. Source:

19. January 6, WFXT 25 Boston – (Massachusetts) FBI investigating possible bank robbery ring. One bank robbery January 5 in Burlington, Massachusetts could turn out to be a hit by a major organized crime crew. The FBI violent crimes task force has been chasing a group of organized bank robbers for nearly a month now. Since December 15, they have hit banks in Lynnfield, Reading, Malden, Westford, Salem, Westford, and, most recently, Burlington. At first authorities thought they were dealing with a single bank robber, but now they believe this is a bank robbery ring — one that is considered armed and dangerous. Surveillance from the latest bank robbery January 5 at about 9:30 a.m. at the Central Bank on Wilmington Road shows a black man wearing a gray hooded sweatshirt with the hood up walking into the bank, passing a demand note threatening he had a gun, and then walking out. The FBI and the Massachusetts Bankers Association have put up a $15,000 reward for information leading to the arrest and conviction of the suspects. Source:

20. January 6, Willoughby News-Herald – (International) Federal charges filed against man accused of defrauding St. Paul Croatian Federal Credit Union. A person who resides in both Eastlake, Ohio, and Skopje, Macedonia, is facing two charges of bank fraud and one charge of money laundering. The suspect is accused of fraudulently obtaining several loans totaling $2.5 million from St. Paul Croatian Federal Credit Union in Eastlake between July and August 2009, according to the United States attorney for the Northern District of Ohio. Authorities believe he obtained most of the loans by falsely listing the names of other persons as the applicants and intended recipients, he said. The suspect is also accused of not being eligible to receive any loans from the credit union at that time because he had already defaulted on more than $1 million he previously received. Source:

21. January 6, WLUK 11 Green Bay – (Wisconsin) Neenah police search for bank robbery suspect. A bomb threat turned bank robbery had a Neenah, Wisconsin, grocery store evacuated for nearly 4 hours January 5. It began around 5:30 p.m. at the Pick ‘n Save on Fox Point Plaza. Authorities said a man wearing a black hooded sweatshirt pulled a package he claimed was a bomb from a grocery bag. He then demanded money from the Associated Bank inside the store. The Brown County Bomb Squad determined the package was harmless, but police said the robbery caused quite a scare. “We treated it as carefully as we could. We evacuated the building, got the employees out, and the patrons cleared, the parking lots and some of the other nearby buildings, then called for the bomb squad,” the Neenah police chief said. Employees were allowed back in the building shortly before 9 p.m. Source:

22. January 5, Orange County Register – (California) Fake-bomb bandit believed to be serial robber. A man who used a fake bomb to rob a Bank of America January 4 in Orange, California is believed to be a serial robber who has hit banks in Los Angeles County, officials said. At about 2:45 p.m., a man wearing a baseball cap sat down with an employee and opened what looked to be a day planner, authorities said. Inside was a device that looked like a bomb, complete with cylinder-shaped objects that resembled flares, wiring, and electronic components. A man law-enforcement officials have dubbed the “Scanner Bandit” is believed to be responsible for four robberies, including the January 4 heist. The serial bank robber is known for using devices that look like bombs. The object in the January 4 heist was determined to have been a fake bomb, and FBI officials said the robbery closely resembled similar incidents in banks in Torrance, Whittier, and Norwalk. Source:

For another story, see item 61 below in Information Technology

Information Technology

57. January 6, H Security – (International) Flash Player sandbox can be bypassed. Flash applications that are run locally can read local files and send them to an online server — something the sandbox is supposed to prevent. Flash includes a number of sandboxes which impose restrictions depending on the origin of, and access rights for, the SWF file. Local SWF files, for example, which run within the local-with-file-system sandbox, are permitted to access local files. They are not able to access the network, so a malicious SWF applet should not be able to send local data to a remote server. However, an H Security specialist has determined that Adobe controls access to the network using a blacklist of protocol handlers. Protocols such as HTTP and HTTPS are blacklisted. He reports it is in principle possible to send files to a server using the file: protocol handler, but that this is only possible within the local area network. He has identified another protocol handler which can be used to send data to remote servers — mhtml. Source:

58. January 6, Help Net Security – (International) MediaWiki 1.16.1 fixes clickjacking issue. MediaWiki released version 1.16.1, which is a security and maintenance release. Wikipedia user PleaseStand pointed out MediaWiki has no protection against “clickjacking”. With user or site JavaScript or CSS enabled, clickjacking can lead to cross-site scripting (XSS), and thus full compromise of the wiki account of any user who visits a malicious external site. Clickjacking affects all previous versions of MediaWiki. The fix involves denying framing on all pages except normal page views and a few selected special pages. To be protected, all users must use a browser which supports X-Frame-Options. Source:

59. January 5, Softpedia – (International) Survey scammers and adware pushers target TRON fans. Security researchers warn of multiple scams that trick fans of the “TRON” movie into subscribing to premium rate services or infecting their computers with adware. Most of the scams offer to view the movie online at high quality. These are usually advertised through YouTube videos with titles along the lines of “Watch TRON : Legacy Online HD Blu-Ray Quality.” Clicking on the links listed in the descriptions of these videos leads users to Web sites that ask them to take a survey before being given access to the movie. These deceptive surveys usually attempt to subscribe users to premium rate services and collect their personal information for future targeted spamming in the process. Other TRON free streaming scams use the “required codec” social engineering trick to get users to download and install adware programs like ClickPotato, ShopperReports, QuestBrowser, and blinkx Beat. Source:

60. January 5, Computerworld – (International) Researchers confirm Googler’s Internet Explorer bug. French security researchers at Vupen January 5 confirmed the presence of a bug in Internet Explorer (IE) that is at the center of a spat between Microsoft and a Google security engineer. According to Vupen, IE8 harbors a vulnerability that can be exploited to hijack a Windows system. Vupen said it confirmed the vulnerability and its exploitability in IE8 running on Windows XP Service Pack 3 (SP3), but believed it could also be leveraged on Windows Vista, Windows 7, Server 2003, Server 2008, and Server 2008 R2. The security company rated the bug as “critical,” its highest threat warning. In a follow-up tweet, Vupen said, “Reproducing was/is hard.” The bug was publicly reported by a Google security engineer, when he released a new “fuzzing” tool that had found more than 100 bugs in 5 major browsers. Source:

61. January 5, IDG News Service – (International) Alleged Miley Cyrus hacker arrested. The 21-year-old hacker who boasted about breaking into the Gmail account of a famous singer and actress has been arrested in Tennessee on fraud charges. The arrest comes more than 2 years after FBI agents raided the suspect’s home looking for evidence in the case. In court documents, the FBI said he was an accomplished spammer, who hacked a large number of Gmail and MySpace accounts. But the suspect has not been charged in the celebrity hack — instead, he faces more serious financial fraud charges for allegedly storing about 200 stolen credit card numbers on his computer. He could go to prison for 10 years and pay a $250,000 fine if convicted of the charges. Source:

Communications Sector

62. January 5, San Diego North County Times – (California) AT&T customers report service outages. Thousands of AT&T customers are reporting problems with their phone, Internet, and cable services throughout California, including some in North County. More than 70,000 customers statewide have reported connection problems since December, and many are likely caused by the recent storms, an AT&T spokeswoman said. No figures were available for San Diego County, she said. December was one of the wettest months on record for the state. In San Diego County, several days of nearly uninterrupted rain disrupted the region’s transit, power, and road systems. AT&T’s infrastructure was not spared, but the company is working to fix the problems, a spokesman said. The company could not provide an exact date when the problems would be resolved, but said public safety and customers with special needs are a priority. Source:

63. January 5, KHQA 7 Hannibal – (Iowa; Missouri) LeeComm 911 service out of reach to some communities. A fiber optics cable was cut just south of Houghton in Lee County, Iowa January 5. Windstream customers in that area were only able to dial within their own prefix and could not dial long distance. This also meant that they could not dial 911. The communities affected included Donnellson, Farmington, Montrose, Argyle, Primrose, and in Missouri the community of Athens. Work crews responded and repaired the cable and restored service by the afternoon. Source:

Thursday, January 6, 2011

Complete DHS Daily Report for January 6, 2011

Daily Report

Top Stories

• Homeland Security Today reports that flu virus strains have begun to spread in Western Europe, the Middle East, and Southeast Asia. In the United States, the Centers for Disease Control and Prevention reported that flu activity is now rampant in New York, Alabama, Georgia, and Mississippi. (See item 39)

39. January 4, Homeland Security Today – (National) Myriad flu strains emerging worldwide. As confirmed cases of influenza in the United Kingdom over the last couple of weeks rose from 40 percent to 50 percent and at a level that qualifies as an epidemic, flu virus strains also have begun to spread elsewhere in Western Europe, the Middle East, and Southeast Asia. In the United States, the Centers for Disease Control and Prevention (CDC) reported that flu activity is now rampant in New York, Alabama, Georgia, and Mississippi. Moderate flu infections have been reported in Louisiana, Arizona, Florida, Illinois, Kentucky, and Nevada. “The District of Columbia and 48 states from all ten surveillance regions have reported laboratory-confirmed influenza this season,” CDC stated, adding that “while activity in other areas of the country is increasing, Region 4 in the Southeastern United States has accounted for 2,664 (54.8 percent) of all 4,864 reported influenza viruses this season, including 1,547 (78.9 percent) of the 1,961 influenza B viruses.” Disturbingly, CDC noted that “high levels of resistance to the [antivirals] amantadine and rimantadine persist among 2009 influenza A H1N1 and A H3N2 viruses,” emphasizing that “the adamantanes are not effective against influenza B viruses circulating globally.” Source:

• According to the Canadian Press, security has been increased at Coptic churches across Canada as they prepare to celebrate Christmas January 7, in the wake of a deadly terrorist attack in Alexandria, Egypt, January 1. Coptic Orthodox leaders in Canada have been contacted by the Royal Canadian Mounted Police due to concerns that extremists may target the Coptic diaspora abroad. (See item 62)

62. January 5, Canadian Press – (International) High alert for Coptic Christmas in Canada after terrorist attack in Egypt. Security has been increased at Coptic churches across Canada as they prepare to celebrate the birth of Christ this January 7, in the wake of a deadly terrorist attack in Alexandria, Egypt, January 1. Coptic Orthodox leaders in Canada have been contacted by the Royal Canadian Mounted Police (RCMP) due to concerns that extremists may target the Coptic diaspora abroad. The Head of the Canadian Coptic Association based in Montreal said the RCMP are taking every precaution to ensure no attacks are carried out as they celebrate the Orthodox Christmas. Officials said January 4 the attack in Egypt left at least 23 dead, and it sparked riots in Egypt and alarm across Europe and North America. Canada is believed to be home to the largest Coptic diaspora after the United States, with conservative estimates at nearly 250,000, mostly living in Eastern Canada. There are five Coptic Orthodox Churches in Montreal and more than 20 in the Greater Toronto Area. The Canadian Press reported last month on an al-Qaeda website, Shumukh al Islam, that has a list of more than 100 Copts living in Canada and others around the world. Source:


Banking and Finance Sector

16. January 5, Softpedia – (National) AOL customers targeted in new phishing attack. A new phishing attack is targeting AOL subscribers by claiming that they need to update their account billing information in order to avoid facing restrictions. The rogue emails have their header spoofed to appear as originating from “AOL Member Billing Services” and bear a subject of “Billing update on file must be performedz.” The body uses an AOL template which includes an AOL Member Services banner and the enclosed message reads: “Our records indicate that your account hasn’t been updated as a part of our regular account maintenance. Our new SSL servers check each account for activity and your information has been randomly chosen for verification. AOL Member Services strives to serve their customers with better and secure banking service. Notification: Failure to update your account information may result in account limitation at shopping on our portal.” A link called “Update your information” is included and, if clicked, takes recipients to a phishing page which displays a form for inputting a wealth of information. This includes name, address, city, state, zip code, country, phone number, birth date, Social Security number, driver’s license number, as well as credit card type, number, CVV2, PIN, expiration date, issuing bank, bank routing number, and bank check account. Information about the AOL account itself, such as screen name, password, security question, and answer are also required. Source:

17. January 4, Help Net Security – (International) The evolution of cyber criminal operations. There is a concerning evolutionary step cyber criminal operations are taking to more effectively diversify the distribution of their ill-gotten gains, according to Fortinet. The campaigns, which were seeded in a number of Asian and European countries, solicited local individuals who already have or had established relationships in the banking industry or were looking for work as ‘online sales administrators’. To make these “localized” campaigns even more effective, they incorporated regional-sounding domain names, such as,, and Upon closer scrutiny, Fortinet discovered all three domains were registered to the same Russian contact, and all contact addresses for worldwide recruitment used Google mail hosting. By using localized campaigns, criminals can obtain mule accounts internationally – each one falling under different banks and governing laws. Thus, if one is taken offline (due to increased enforcement activity), the others will remain online and business will be as usual. Cleverly engineered spam mail with malicious attachments/intentions can be much more damaging than non-effective spam by the masses. Source:

18. January 4, – (National) The evolution of check fraud. Despite an overall, albeit gradual, decline in check use, check fraud continues to plague the financial industry. And banks and credit unions are challenged to curb these evolving crimes. According to the new Faces of Fraud Survey, check fraud is one of the top three fraud forms plaguing banking institutions, joining the likes of phishing and vishing, and payment card fraud. Sixty-three percent of survey respondents say they experienced check fraud in 2010. Yet only 34 percent of banks and credit unions say they are well equipped to fight these crimes. “Check fraud is so prevalent because it’s easy,” said the vice president of the Center for Regulatory Compliance within the Financial Policy and Regulatory Affairs division of the American Bankers Association. “This is low-tech crime, and a lot of fraud prevention in this area is focused on training frontline tellers to ask questions. ... When human interaction is involved, the human analysis is your best line of defense.” Source:

19. January 3, KY 3 Springfield – (Missouri) Thieves come up with new, easier way to steal credit card data. City police say they have learned criminals can swipe information on a credit card account without ever touching or even seeing the card. The police chief calls it electronic pickpocketing. By getting within two or three feet of a purse or wallet, thieves can use a credit card reading device to steal personal bank information. It is a device that any thief can buy on the Internet. Credit card companies tout the new payWave or PayPass systems as the latest and greatest way to get in and out quickly. You can charge something to your credit card without ever swiping it by just holding it near a pay-out machine. “It can scan your card through your wallet, through your purse, and capture your credit card, your expiration date and your name, and that’s all they need to use it,” said the Osage Beach Police chief. The machines are handy as long as it is a legitimate business capturing your card. Sometimes it is not. Source:

20. January 3, Associated Press – (International) French trial for 8 suspects in terror finance ring. Eight men went on trial on January 3 in Paris for their alleged roles in an armed gang accused of using explosives and the threat of violence to finance Islamic terror operations. Prosecutors say the gang set up a restaurant and a cybercafe to try and hide their criminal activities — an “elaborate strategy to promote and finance the cause” of terror, the indictment alleges. The trial, set to continue until January 28, takes place five years after the suspects’ arrest in an anti-terror sweep. It is common in France for investigators to work on cases for years before they go to trial. Some of the suspects have acknowledged being members of a criminal gang, but all have denied that their goal was to finance terrorism, Le Figaro newspaper reported. The alleged ringleader has already spent time in prison from 2000-2004 for trafficking phony passports to radical groups. All of the men — a French-Algerian, four Tunisians, an Algerian, and two French citizens — are charged with “criminal association in relation with a terrorist enterprise,” and some are also accused of terror financing and illegal possession of weapons. The gang is accused of using explosives to blast a hole in the wall of a warehouse of a money transport company in Beauvais, north of Paris, in 2005 — but the hole was not big enough for them to get inside, and they left empty-handed. After the suspects were rounded up, police discovered weapons and explosives in a storage space in the Paris suburbs. Some of the men are also accused in the theft of official French identity documents in northern France. Source:

For another story, see item 57 below in Information Technology

Information Technology

50. January 5, Computerworld – (International) Microsoft, Googler tussle over bug timeline. Microsoft and a Google security engineer are sparring over a bug the researcher reported to Microsoft in July 2010. A vulnerability researcher who works on Google’s security team publicly released a new “fuzzing” tool January 1 called “cross_fuzz” that he had used to find more than 100 bugs in 5 major browsers. He said he released cross_fuzz and the crash dump because Chinese hackers were already investigating the vulnerability, and because Microsoft had not responded for months to his bug report. He first contacted Microsoft in July 2010, when he told the company’s security team he had found “multiple crashes and GDI [graphics device interface] corruptions,” and provided Microsoft with two early versions of cross_fuzz for them to use to verify the problems. He stated he had no contact with Microsoft between August 5 and December 20, when he told them he would release the fuzzer in early January 2011. When Microsoft asked that he delay its release, he declined. Microsoft chastised the Google security engineer January 3. “Working with software vendors to address potential vulnerabilities in their products before details are made public reduces the overall risk to customers,” said a spokesman for the Microsoft Security Research Center. Source:

51. January 5, H Security – (International) Microsoft warns of thumbnail hole in Windows. In a security advisory, Microsoft warns of a new, previously unknown security hole in Windows which can be exploited to inject and execute arbitrary code. Sample code that demonstrates how to go about an exploit is already in circulation. In December 2010, two people gave a presentation entitled “A Story about How Hackers’ Heart Broken by 0-day” at the “Power of Community” security conference. Their presentation documents describe a security hole in Windows that is connected to the display of thumbnails and can reportedly be exploited locally via Explorer as well as remotely via WebDAV. Displaying a file with a specially crafted thumbnail is all that is required for a successful attack. The vulnerability is exploited by setting a negative number of colour indexes in the colour table (biClrUsed). According to Microsoft’s security advisory, all versions of Windows except Windows 7 and Server 2008 R2 are vulnerable. Microsoft says it is currently not aware of any attacks which try to exploit the reported vulnerability. However, this could soon change, as a Metasploit module for creating suitable malicious files was released almost simultaneously with Microsoft’s advisory. Source:
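To illustrate the header field the item names, here is an added checker (not from the article, Microsoft, or the presenters) that parses a BMP file's BITMAPINFOHEADER and flags a biClrUsed value that becomes negative when a parser reads it as a signed 32-bit integer, or that exceeds the palette size the bit depth allows. The sample headers are constructed inline by the assumed build_bmp helper and carry no pixel data.

```python
import struct
from typing import Dict, List

# BITMAPFILEHEADER (14 bytes): bfType, bfSize, bfReserved1, bfReserved2, bfOffBits
FILE_HDR = "<2sIHHI"
# BITMAPINFOHEADER (40 bytes); biClrUsed is a DWORD, i.e. unsigned on paper.
INFO_HDR = "<IiiHHIIiiII"
INFO_FIELDS = ("biSize", "biWidth", "biHeight", "biPlanes", "biBitCount",
               "biCompression", "biSizeImage", "biXPelsPerMeter",
               "biYPelsPerMeter", "biClrUsed", "biClrImportant")


def parse_bmp_headers(data: bytes) -> Dict[str, int]:
    """Return the BITMAPINFOHEADER fields of a BMP blob as a dict."""
    if len(data) < 14 + 40 or data[:2] != b"BM":
        raise ValueError("not a BMP file with a BITMAPINFOHEADER")
    return dict(zip(INFO_FIELDS, struct.unpack_from(INFO_HDR, data, 14)))


def check_colour_table(hdr: Dict[str, int]) -> List[str]:
    """Findings about biClrUsed that a vulnerable signed-int parser would mishandle."""
    findings = []
    clr = hdr["biClrUsed"]
    bits = hdr["biBitCount"]
    # With the top bit set, a parser that stores biClrUsed in a signed int
    # sees a negative palette size, which is the condition the advisory describes.
    if clr >= 2 ** 31:
        findings.append(f"biClrUsed={clr:#x} is negative when read as signed int32")
    # For palette images the table can never hold more than 2**biBitCount entries.
    if bits <= 8 and clr > (1 << bits):
        findings.append(f"biClrUsed={clr} exceeds {1 << bits} entries for {bits}-bit image")
    return findings


def build_bmp(width: int, height: int, bit_count: int, clr_used: int) -> bytes:
    """Constructed sample headers (no pixel data) for exercising the checker."""
    palette_entries = (1 << bit_count) if bit_count <= 8 else 0
    off_bits = 14 + 40 + palette_entries * 4
    file_hdr = struct.pack(FILE_HDR, b"BM", off_bits, 0, 0, off_bits)
    info_hdr = struct.pack(INFO_HDR, 40, width, height, 1, bit_count,
                           0, 0, 2835, 2835, clr_used, 0)
    return file_hdr + info_hdr


if __name__ == "__main__":
    for label, blob in (("benign 8-bit", build_bmp(16, 16, 8, 256)),
                        ("crafted 8-bit", build_bmp(16, 16, 8, 0xFFFFFFFF))):
        print(label, check_colour_table(parse_bmp_headers(blob)) or "ok")
```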

52. January 5, H Security – (International) Floating point DoS attack. A bug in the way the PHP scripting language converts certain numbers may cause it to tie up all system resources. For example, on 32-bit systems, converting the string “2.2250738585072011e-308” into a floating point number using the function zend_strtod results in an infinite loop and consequent full utilisation of CPU resources. PHP 5.2 and 5.3 are affected, but apparently only on Intel CPUs which use x87 instructions to process floating point numbers. The x87 design has long been known to contain a bug which triggers just this problem when computing approximations to 64-bit floating point numbers. By default, 64-bit systems instead use the SSE instruction set extension, under which the error does not occur. Processing the numbers 0.22250738585072011e-307, 22.250738585072011e-309 and 22250738585072011e-324 also triggers an infinite loop. It may also be possible to remotely disable some server systems merely by sending this value as a parameter in a GET request. The PHP development team has fixed this in the forthcoming version 5.3.5. A patch for version 5.2.16 is available from the repository. Source:
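As an added example (not from the article or the PHP project), a request pre-filter a defender could put in front of an unpatched PHP 5.2/5.3 application on x87 hardware: it canonicalises a decimal string into its significant digits and exponent, so all four spellings of the hang value listed above match, and flags query parameters carrying it before zend_strtod ever sees them. It matches only decimal spellings of the value the article reports, not other nearby values.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl

# The reported value, written as an integer times a power of ten:
# 2.2250738585072011e-308 == 22250738585072011 * 10**-324
BAD_DIGITS = "22250738585072011"
BAD_EXPONENT = -324

_NUM_RE = re.compile(r"^[+-]?(\d*)(?:\.(\d*))?(?:[eE]([+-]?\d+))?$")


def canonical(s: str) -> Optional[Tuple[str, int]]:
    """Return (digits, exp) with value == int(digits) * 10**exp, leading and
    trailing zeros stripped; None if s is not a plain decimal number."""
    m = _NUM_RE.match(s.strip())
    if not m:
        return None
    int_part, frac_part, exp = m.group(1) or "", m.group(2) or "", m.group(3)
    if not int_part and not frac_part:
        return None
    exponent = int(exp) if exp else 0
    # Move the decimal point to the right end of the digit string.
    digits = (int_part + frac_part).lstrip("0")
    exponent -= len(frac_part)
    if not digits:
        return ("0", 0)
    stripped = digits.rstrip("0")
    exponent += len(digits) - len(stripped)
    return (stripped, exponent)


def is_x87_hang_value(s: str) -> bool:
    """True if s is any decimal spelling of the value that hangs zend_strtod."""
    return canonical(s) == (BAD_DIGITS, BAD_EXPONENT)


def find_hang_params(query_string: str) -> List[str]:
    """Names of query parameters whose value matches the hang value."""
    return [name for name, value in parse_qsl(query_string, keep_blank_values=True)
            if is_x87_hang_value(value)]


if __name__ == "__main__":
    # Constructed sample query string for demonstration.
    print(find_hang_params("page=1&price=2.2250738585072011e-308&qty=3"))
```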

53. January 5, Europol – (International) The hidden risks of social media. Europol’s new Internet facilitated organized crime (iOCTA) report examines how European Union citizens are risking their personal identities, privacy, and computer data through the use of social media tools which are increasingly a target for cybercriminal activity. In recent years the transition of the world wide web from a collection of websites to a platform for linked services such as social networking sites and real–time communication tools (‘Web 2.0’), has provided the technical means for the expansion of social engineering. Cybercriminals exploit the trust of users — who consider themselves to be in a ‘safe’ network of people they know — by injecting malicious software into posted items and sharing links to websites that are bogus and designed to extract personal information. The majority of organizations have come to accept the use of social networking sites in the workplace. But under the right circumstances, access to social media at work has the potential to infect corporate networks with spyware and other means to harvest large amounts of personal, corporate, and financial data for profit. Source:

54. January 4, Darkreading – (International) New stealth rootkit steals Windows 7, Server 2008 user privileges ‘on the fly’. A European researcher has created a rootkit that can evade detection in Windows 7 and Windows Server 2008 machines and reset user passwords. The rootkit was initially a project meant for training purposes. But its designer, a security expert for Deloitte in Hungary who works on penetration testing and forensic cases, says he eventually discovered he could perform new types of attacks with the rootkit, which he plans to deliver to antivirus firms as well as to the International Council of E-Commerce Consultants (EC-Council) for its certified hacker training program. He demonstrated the rootkit for the first time at the recent Hacker Halted conferences in Miami, Florida, and Cairo, Egypt. One particularly powerful module of the rootkit is based on the concept of a cached data attack. The cached data attack has to do with how the operating system caches data in physical memory. It lets an attacker clear and reset passwords in memory without being detected by the operating system. Source:

55. January 4, Federal Computer Week – (International) Microsoft issues IE advisory, warns on FTP flaw. Microsoft’s security team announced late December 2010 that it is investigating two proof-of-concept flaws in Microsoft’s Web-related software. One of the flaws offers a possible avenue for remote code execution attacks via Internet Explorer (IE). The other flaw could enable denial-of-service attacks by exploiting a vulnerability in Internet Information Services FTP 7.5, which runs as a part of Windows 7 and Windows Server 2008 R2. The IE proof-of-concept flaw potentially affects all versions of Microsoft’s Web browser. It supposedly works by bypassing protections normally enabled by Microsoft’s address space layout randomization (ASLR) and data execution prevention (DEP) technologies. Microsoft described the problem in a blog post in December 2010, suggesting that users could deploy Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) as a workaround. Source:

56. January 4, Federal Computer Week – (International) Exploit for critical vulnerability in Microsoft Office appears in the wild. An exploit has been discovered in the wild that can successfully attack a critical vulnerability in the way Microsoft Office handles Rich Text Format data, allowing remote code execution on a victim's computer. Microsoft released a patch for the vulnerability, known as CVE-2010-3333, in November 2010, and no widespread outbreaks of exploits have yet been reported. The public availability of an exploit lowers the bar for attackers, however, and increases the urgency of ensuring that affected software is patched. Source:

57. January 3, Pittsburgh Post-Gazette – (International) Slots-theft case expands. A Swissvale, Pennsylvania, man who was to stand trial January 3 on charges of swindling the Meadows Racetrack & Casino in Pittsburgh out of nearly $430,000 instead was arrested by federal authorities for “global prosecution” involving the theft of up to $1.4 million from slot machines. The man was charged with computer intrusion, conspiracy, and other federal offenses in what was allegedly a Las Vegas, Nevada-based, worldwide scheme to target a particular slot machine. “From Las Vegas to Monaco, every casino that has these types of machines could be affected,” said the Washington County District Attorney. Authorities said the men were aware of a software glitch in a high-limit slot machine and entered a specific set of keystrokes to expose the weakness and cause the machine to generate false double jackpots. Source:

Communications Sector

58. January 5, KNBC 4 Los Angeles – (California) Long wait for phone repair. In late December, AT&T was saying it only had “pockets” of service outages because of the rains. Now, after questioning by NBCLA, the phone giant admits it has outages in every part of Southern California, but the company will not say exactly how many customers are without service. It is admitting that there is now a 17-day wait to get a repairman to a customer's house. A spokesperson for AT&T told NBCLA that because of the rain the company is working around the clock to restore service to customers. To deal with the current repair backlog, AT&T brought in over 1,000 technicians from outside Southern California, just to fix the phones in the LA area. Verizon also told NBCLA that it is experiencing “higher than normal” outages of landline service in the LA area. Verizon said it too has brought in technicians from out of state to get a handle on the volume of service calls, and said its customers are experiencing about a week's wait to get repairs. Source:

59. January 5, Honolulu Star Advertiser – (Hawaii) Phones still down for 1,100. An estimated 1,100 Hawaiian Telcom land-line customers have been without phone service since December, through the holidays. A Hawaiian Telcom spokeswoman said trouble calls rose following the December 10-11 heavy rain and again December 19, following another bout of heavy rainfall. The company reported about 2,200 current trouble tickets, with problems ranging from static to outages. That figure includes multiple calls from the same customers and non-rain-related issues. The company was unable to provide the number of customers with rain-related problems since the flood of calls began. The company's repair crews have been working overtime and holidays, and neighbor island crews were brought in to help. Some repairs require cutting out sections of cable damaged by short circuits due to water infiltration, then painstakingly splicing in hundreds of lines on both ends. Small pockets of isolated problems affecting one or a few customers have occurred across the island. Equipment failure occurred in some areas, caused by prolonged loss of power and water infiltration, the spokeswoman said. In the Punahou and Aina Haina areas, concentrations of customers were hit, 140 and 70, respectively, she said. In the Punahou area, construction crews from other companies damaged Hawaiian Telcom cables, causing small holes or cuts, without notifying the phone company. Source: