Tuesday, March 1, 2011

Complete DHS Daily Report for March 1, 2011

Daily Report

Top Stories

• BankInfoSecurity.com reports a preliminary draft of new online authentication guidance from the Federal Financial Institutions Examination Council puts greater responsibility on financial institutions to enhance their security and prevent fraud. See item 20 below in the Banking and Finance Sector.

• According to the Associated Press, public health officials are warning travelers and workers present at four U.S. airports on two recent days that they may have been exposed to measles. (See item 34)

34. February 28, Associated Press – (National) Air travelers may have been exposed to measles. Public health officials are warning travelers and workers present at four U.S. airports on two recent days that they may have been exposed to measles from a traveler arriving from London, England. Authorities said February 26 that a New Mexico woman later confirmed to have measles arrived at Washington Dulles International Airport in Dulles, Virginia late in the afternoon of February 20. Two days later, the measles-infected traveler departed from BWI Thurgood Marshall Airport near Baltimore, Maryland on an evening flight to Denver, Colorado, and then on to Albuquerque, New Mexico. The traveler became sick and was subsequently diagnosed with measles in New Mexico, a spokesman for the Centers for Disease Control and Prevention (CDC) said. He said February 26 that authorities in those states are trying to notify travelers who sat close to the infected passenger on the flights. The New Mexico Department of Health’s scientific laboratory division said the traveler was a 27-year-old Santa Fe woman who had not been immunized against measles. “The appropriate steps are being taken to reach out to those passengers on the plane that were in close enough proximity,” the CDC spokesman said of those seated five rows in front of or behind the infected passenger. Although most Americans have been vaccinated for measles or are immune because they have had the disease, public health officials are concerned about those not immunized, including babies. Pregnant women and those with weakened immune systems are also more at risk. Authorities say people who were at the airports at the same time as the infected traveler and develop a fever or other symptoms should contact their doctors. An infectious disease specialist at the Vanderbilt University School of Medicine in Nashville said the potential exposure of so many travelers in airport terminals is a cause for concern. He said measles is “highly communicable” and can be associated with complications leading to death. “We don’t want measles to be imported back into the U.S. once it gets a foothold.” Source: http://www.cbsnews.com/stories/2011/02/28/travel/main20037210.shtml


Banking and Finance Sector

15. February 28, NBC New York – (New Jersey) Brazen bank bandit branches out to NJ. The audacious bank bandit who robbed 7 New York City, New York banks in the last 3 months, including 2 in one week in February, has struck again, this time across the Hudson River. The bank robber, dubbed “the Holiday Bandit” because of the season in which the robberies began, robbed a Sovereign Bank in Woodbridge, New Jersey, February 25, the FBI confirmed. While police said the February 25 heist marked the man’s first robbery in the Garden State, he has allegedly menaced tellers throughout the Big Apple since December. And police believe he is getting bolder. Source: http://www.nbcnewyork.com/news/local/Brazen-Bank-Bandit-Branches-Out-to-NJ--117055108.html

16. February 26, Softpedia – (International) New banking trojan targets all major browsers. Spanish security firm S21sec has identified a new banking trojan capable of injecting HTML into all popular browsers which uses a rootkit to hide its components. Dubbed Tatanga, the trojan is written in C++ and is organized in modules with different functionality which are decrypted in memory as needed. Like other banking trojans, Tatanga executes Man-in-the-Browser (MitB) attacks in order to perform unauthorized transactions from the accounts of its victims. The trojan currently targets banks from Western European countries, particularly the United Kingdom, Germany, Spain, and Portugal. It currently has a very low detection rate. A signature-based Virus Total scan revealed that only 9 in 43 antivirus engines currently detect the infector as malicious and most of them do it under generic names. Microsoft calls it Trojan:Win32/Mariofev(dot)B and first added detection for it in September. However, the definition was updated the week of February 21, probably to account for new variants. According to S21sec researchers, the trojan comes with an e-mail harvesting module, one that handles encrypted communication, another for the removal of competing trojans, including ZeuS, a module for blocking antivirus programs, one handling the encrypted configuration file, the HTML injector, and a file patcher. Source: http://news.softpedia.com/news/New-Banking-Trojan-Targets-All-Major-Browsers-186443.shtml

17. February 25, Los Angeles Daily Breeze – (California) Suspicious package leads to evacuation of San Pedro bank. A suspicious package found in a San Pedro, California bank’s night-deposit drop prompted a bomb squad response and forced people to evacuate February 25 from neighboring businesses, police said. The package turned out to be benign. An employee at the Bank of America branch at Ninth Street and Pacific Avenue contacted police about 8:30 a.m. after discovering a small package that contained no name or return address on it. “It seemed suspicious, so she notified us,” a spokesman said. Police called for a bomb squad, and asked bank employees to evacuate. Residents at neighboring apartment complexes and businesses also were forced to evacuate. Bomb squad officers X-rayed the box and determined it was not an explosive, the spokesman said. Business returned to normal at 11 a.m. Source: http://www.dailybreeze.com/news/ci_17485772

18. February 25, Associated Press – (New Mexico) NM real estate executive faces federal charges. A prominent New Mexico businessman was arrested February 25 on numerous charges stemming from an alleged multi-million-dollar Ponzi scheme that involved several hundred investors, the U.S. Attorney said. The 63 -year-old suspect was taken into custody without incident at a home in Albuquerque’s north valley after a federal grand jury returned a 30-count indictment that accused the former real estate executive of wire fraud, mail fraud, money laundering, and other charges. The indictment came after more than a year of investigation by state and federal authorities. If convicted, the suspect faces up to 20 years in prison on some of the counts, and as many as 10 years on others, the U.S. Attorney said. The indictment also seeks forfeiture of a home in Las Vegas, Nevada, as well as a money judgment in excess of $74 million. Federal investigators allege in the 34-page indictment that the suspect began a promissory note investment program in 1993 to generate revenue to grow his real estate business. The typical note had a 3-year term, an interest rate ranging from 8 to 40 percent and provided for interest to be paid in monthly installments. The indictment covers the suspect’s actions from 2005 through 2010, when the alleged scheme collapsed. Federal investigators said at that time, the suspect owed more than $76 million in unpaid principal and interest payments to approximately 600 investors. Source: http://www.businessweek.com/ap/financialnews/D9LK36180.htm

19. February 25, Softpedia – (National) Fake ACH transfer failure notifications spread ZeuS. A new wave of spam e-mails are targeting business users and attempt to infect them with a variant of the ZeuS banking trojan by posing as ACH transfer failure notifications. According to researchers from antivirus vendor Trend Micro who analyzed the campaign, the e-mails purport to come from NACHA — The Electronic Payments Association, the regulatory agency for the Automated Clearing House (ACH) network. The ACH network is commonly used by companies to process large volumes of credit and debit transactions, such as payroll or vendor payments, in batches. According to the director of research in computer forensics at the University of Alabama at Birmingham, the e-mails have subjects such as “ACH transaction cancelled”, “ACH Transfer rejected”, “Your ACH transaction,” and other such variations. Source: http://news.softpedia.com/news/ACH-Transaction-Failure-Notifications-Spread-ZeuS-186368.shtml

20. February 22, BankInfoSecurity.com – (National) FFIEC draft puts more responsibility on banks. A preliminary draft of new online authentication guidance from the Federal Financial Institutions Examination Council (FFIEC) puts greater responsibility on financial institutions to enhance their security and prevent fraud. The FFIEC has yet to formally unveil its long-awaited update to 2005’s authentication guidance, but a December 2010 draft document entitled “Interagency Supplement to Authentication in an Internet Banking Environment” was distributed to FFIEC’s member agencies — the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corp., Office of the Comptroller of the Currency, National Credit Union Administration, and Office of Thrift Supervision — for review and comment. Copies of this draft circulated within the banking and security communities recently, and two were sent separately and anonymously to Information Security Media Group. While it is likely this draft will be amended before the final release of the new guidance, the current document calls for five key areas of improvement: (1) Better risk assessments to help institutions understand and respond to emerging threats, including man-in-the-middle or man-in-the-browser attacks, as well as keyloggers; (2) Widespread use of multifactor authentication, especially for “high-risk” transactions; (3) Layered security controls to detect and effectively respond to suspicious or anomalous activity; (4) More effective authentication techniques, including improved device identification and protection, as well as stronger challenge questions; (5) Heightened customer education initiatives, particularly for commercial accounts. Source: http://www.bankinfosecurity.com/articles.php?art_id=3374

Information Technology

48. February 28, H Security – (International) Security update for Foxit Reader. Foxit Software has announced the release of a new version of its PDF Reader product, a maintenance update that addresses a “highly critical” security vulnerability. According to Foxit, the patch corrects an issue in which opening a specially crafted document could cause an integer overflow error when processing specific ICC profiles, in turn leading to a heap-based buffer overflow. This could be used, for example, by an attacker to compromise a user’s system by terminating the application or executing arbitrary code. Versions up to and including Foxit Reader and Foxit Phantom are reportedly affected. Foxit said it plans to release an update for its Phantom PDF Suite later the week of February 28; the latest version is 2.2.3. All users are advised to upgrade. Source: http://www.h-online.com/security/news/item/Security-update-for-Foxit-Reader-1199247.html
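The bug class in item 48 (an integer overflow in a size computation that shrinks a heap allocation, so the data copied afterwards runs past it) and the fix pattern, as an added illustration that is not code from the report or from Foxit. The "profile table" layout is a constructed stand-in for demonstration, not the real ICC format.

```c
/* Added example: overflow-safe size computation for a parsed table.
 * The table layout (4-byte little-endian entry count, then entries) is
 * constructed for this example; ENTRY_SIZE and MAX_ENTRIES are assumed. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ENTRY_SIZE  12u    /* assumed bytes per entry in the toy format */
#define MAX_ENTRIES 4096u  /* sanity cap chosen for this example */

/* Unchecked form: the 32-bit product wraps, so a huge count yields a tiny
 * allocation and a copy driven by the count overruns the heap buffer. */
uint32_t unchecked_alloc_size(uint32_t count) {
    return count * ENTRY_SIZE;  /* silently wraps modulo 2^32 */
}

/* Checked form: widen before multiplying, reject wrap and absurd counts.
 * Returns 0 on rejection, otherwise the exact byte size. */
size_t checked_alloc_size(uint32_t count) {
    uint64_t bytes = (uint64_t)count * ENTRY_SIZE;
    if (count == 0 || count > MAX_ENTRIES || bytes > UINT32_MAX)
        return 0;
    return (size_t)bytes;
}

/* Parse a table from buf; on success *out holds a heap copy of the entries.
 * Returns the entry count, or -1 if the header is rejected or the input is
 * shorter than the declared table. */
int parse_table(const uint8_t *buf, size_t len, uint8_t **out) {
    if (len < 4) return -1;
    uint32_t count = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
                     (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    size_t need = checked_alloc_size(count);
    if (need == 0 || len - 4 < need) return -1;
    *out = malloc(need);
    if (*out == NULL) return -1;
    memcpy(*out, buf + 4, need);
    return (int)count;
}

/* Build a constructed table with the given count field and payload_len
 * filler bytes, parse it, release memory, and return parse_table's result. */
int parse_constructed(uint32_t count, size_t payload_len) {
    size_t len = 4 + payload_len;
    uint8_t *buf = calloc(len, 1);
    if (buf == NULL) return -1;
    buf[0] = count & 0xff;         buf[1] = (count >> 8) & 0xff;
    buf[2] = (count >> 16) & 0xff; buf[3] = (count >> 24) & 0xff;
    uint8_t *out = NULL;
    int rc = parse_table(buf, len, &out);
    free(out);
    free(buf);
    return rc;
}
```

A count of 0x40000001 makes the unchecked product wrap to 12 bytes, which is exactly the shape of allocation-then-overrun the advisory describes; the checked form refuses it.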

49. February 28, Softpedia – (International) Popular Websites hit by malvertizing attack. Internet users were prompted by security alerts when browsing popular Web sites the weekend of February 26 and 27 because a malvertizing campaign pushed exploits onto their pages. It is unclear where the attacks originated, but many reports seem to focus on a domain called stripli(dot)com from where the malicious advertisements were loaded. This domain is currently blacklisted by Google’s Safe Browsing service, which means Web sites trying to load content from it could end up being blocked in Chrome and Firefox. The site in this case was www(dot)londonstockexchange(dot)com, and attempting to visit it from Google Search and these two browsers resulted in a Safe Browsing error. The diagnostic page for stripli(dot)com stated “this site has hosted malicious software over the past 90 days. It infected 7 domain(s), including reviewcentre(dot)com, londonstockexchange(dot)com, viamichelin(dot)com/.” But, according to reports on Yahoo! Answers, the impact was much more extensive, with IMDb(dot)com and eBay(dot)com being among the affected domain names. Google’s Safe Browsing service did not have time to blacklist these domains before they resolved the problem, but some users were alerted by their antivirus programs about malicious code being served from them. On some forums people reported being infected with a fake antivirus program after browsing through the affected sites. Source: http://news.softpedia.com/news/Several-Popular-Websites-Hit-by-Malvertizing-Attack-186660.shtml

50. February 28, Help Net Security – (International) 150,000 Gmail accounts reset and contents deleted. Word about the accidental resetting of Gmail accounts has been spreading on the Internet in the last 2 days as users tweeted that their e-mail accounts were stripped clean of all e-mails, attachments, and chat logs collected in them over the years. Google confirmed the glitch and its results, saying that less than 0.08 percent (around 150,000) of the Google Mail user base has been affected. The issue has still not been resolved and some users still cannot access their accounts. Google confirmed “users may be temporarily unable to sign in while we repair their accounts”, but did not say if the content would be restored. Source: http://www.net-security.org/secworld.php?id=10671

51. February 25, IDG News Service – (International) Hacker writes easy-to-use Mac Trojan. Researchers at Sophos said they have spotted a new trojan horse program written for the Mac. It is called the BlackHole remote access trojan, and it is easy to find online in hacking forums, a Sophos researcher said. Sophos has not seen the Trojan used in any online attacks — it is more a bare-bones, proof-of-concept beta program now — but the software is easy to use, and if a criminal could find a way to get a Mac user to install it, or write attack code that would silently install it on the Mac, it would give him remote control of the machine. BlackHole is a variant of a Windows Trojan called darkComet, but it seems to have been written by a different developer. The darkComet source code is freely available, so it appears BlackHole’s author took it and tweaked it so it would run on the Mac, the researcher said. Source: http://www.computerworld.com/s/article/9211659/Hacker_writes_easy_to_use_Mac_Trojan

52. February 25, Softpedia – (International) Spear phishing attacks leverage Libya crisis to deliver exploit. Security researchers from Symantec warned of highly targeted attacks that leverage the crisis in Libya to deliver an exploit via e-mail and infect computers. The e-mails pose as replies to previous messages about the current situation in the Arab country. Their body contains a very short message reading “I agree with this point”; however, a formatting error causes a broken HTML tag to also appear at the end. The short message has the purpose of diverting recipients’ attention towards the attached document called “EconomicStakes in Libya’s Crisis(dot)doc.” If opened, the document tries to exploit an Office RTF stack buffer overflow vulnerability, identified as CVE-2010-3333 and patched by Microsoft in November. Successful exploitation allows the attacker to execute arbitrary code on the system. In this case a piece of malware is installed. According to Symantec, the attacks intercepted by the company targeted 27 individuals within 6 different organizations involved in human rights activism, humanitarian aid, or the analysis of foreign affairs and economic development. Source: http://news.softpedia.com/news/Spear-Phishing-Attacks-Leverage-Libya-Crisis-to-Deliver-Malware-186441.shtml

Communications Sector

Nothing to report