Tuesday, August 30, 2011

Complete DHS Daily Report for August 30, 2011

Daily Report

Top Stories

 Hurricane Irene was blamed for at least 20 deaths, downed power lines, flooding, and travel delays, involving airports, train stations, and roadways along the East Coast, and economic losses are estimated at up to $10 billion. – USA Today (See item 20)

20. August 29, USA Today – (National) Even weakened Irene’s wake to be felt for weeks. Hurricane Irene lost much of its bluster by the time it was downgraded to a tropical storm August 28, but as it continued to course up the Eastern Seaboard, its destructive wake — which left more than 20 dead — will be felt for weeks. Irene claimed victims from Florida to Connecticut, economic losses are already estimated at up to $10 billion, and downed power lines, flooding, and snarled travel persist. Thousands of weekend flights were canceled, promising air-travel delays for much of the week of August 29. New Jersey Transit, which carries train passengers into New York across the Hudson River, planned to operate on a modified schedule August 29 after completing checks of tracks and infrastructure. The New York mayor lifted an evacuation order, allowing 370,000 residents of low-lying areas to return to their apartments and houses. PATH train service linking New York City with Newark and Hoboken, New Jersey, was scheduled to resume at 4 a.m. August 29. The Port Authority and the Federal Aviation Administration said late August 28 that John F. Kennedy Airport and Newark Liberty Airport would reopen at 6 a.m., while LaGuardia Airport would open at 7 a.m. In New Jersey, officials were shifting attention from the state’s battered coastline to inland areas, where record-breaking flooding is expected along the Passaic and Ramapo rivers through August 30. Evacuations of some communities along both waterways were planned even as residents of the state’s coastal communities were cleared to return August 28. In Vermont, where Wilmington and Dover were hit hard, more than 80 main and secondary roads are shut down, including parts of Interstate 91. In Rhode Island, where half the state’s 1 million residents were without power August 28, there were scores of reports of fallen trees, limbs, and downed power lines.
Source: http://www.11alive.com/news/article/203292/40/Even-weakened-Irenes-wake-to-be-felt-for-weeks

 About 70 homes and 2 campgrounds were ordered to evacuate August 28 as a wildfire, which was burning 4,700 acres, spread outside Yosemite National Park in California, fire officials said. – San Francisco Chronicle (See item 53)

53. August 29, San Francisco Chronicle – (California) Yosemite fire grows - 2 campgrounds evacuated. About 70 homes and 2 campgrounds were ordered to be evacuated August 28 as a wildfire spread outside Yosemite National Park in California, fire officials said. The Motor Fire, which spread from a motor home blaze August 25 in the Merced River Canyon, was 35 percent contained after burning more than 4,700 acres on both sides of the river. The evacuation order for homes in and around Cedar Lodge affects two commercial buildings and 35 outbuildings, a National Park Service spokeswoman said. The Incline and Merced River Canyon Campgrounds were also evacuated. Officials said homes in the nearby community of Rancheria Flats may need to be evacuated as well. A 15-mile stretch of Highway 140, a main entrance into Yosemite, has been closed indefinitely, starting about 4 miles west of the park entrance and continuing east of Midpines. The fire was spreading toward nearby Trumbull Peak, threatening a historic fire lookout tower, officials said. A DC-10 aircraft was dispatched to the fire August 28 and made multiple drops of flame retardant on the fire’s eastern edge. Source: http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2011/08/29/BAL11KT3TO.DTL


Banking and Finance Sector

16. August 28, Associated Press – (Arkansas; Oklahoma; Missouri) Arrest made in ‘Fake Beard Bandit’ case. Fort Smith, Arkansas investigators said late August 26 that they were notified by the FBI that an anonymous tip was received identifying a 39-year-old man as the so-called “fake beard bandit.” Investigators said the suspect, a resident of Tulsa, Oklahoma, was identified as the man in surveillance video by witnesses from two recent incidents at banks in Fort Smith, as well as robberies in the Kansas City area, Oklahoma, and Joplin, Missouri. The most recent robbery was on August 23 at Liberty Bank in Fort Smith. Source: http://www.kmbc.com/r/28998687/detail.html

17. August 28, Bloomberg News – (New York; New Jersey; North Carolina) Exchanges to shed sandbags as Irene passes. Goldman Sachs Group Inc. and Citigroup Inc., whose offices in New York’s evacuation zone for Hurricane Irene escaped major damage, are among Wall Street banks that will resume business August 29 as exchanges open. Sandbags remained piled around the entrance to Goldman Sachs’s headquarters at 200 West Street August 28, with security guards standing by. The firm’s buildings are “functioning normally” and will be open, a Goldman Sachs spokesman said in a phone interview. Across the street, American Express Co.’s (AmEx) headquarters will remain closed August 29. AmEx advised its New York-based employees to work from home. The buildings that house Citigroup’s main trading floors at 388-390 Greenwich Street “are fully functional,” a spokeswoman for the firm said August 28 in an e-mail. JPMorgan Chase & Co. said it was contacting workers after its Midtown headquarters avoided serious damage. Bank of America Corp. sustained minimal impact to its facilities in downtown New York and expects its headquarters in Charlotte, North Carolina, to be open for business, said a spokeswoman for the firm. The Times Square headquarters of Morgan Stanley, operator of the world’s biggest retail brokerage, was not damaged and the company is prepared for “business as usual,” a spokesman for the firm said in an e-mail. NYSE Euronext, Nasdaq OMX Group, Bats Global Markets, and Direct Edge Holdings LLC said in statements that they plan normal trading sessions August 29. The Securities Industry and Financial Markets Association recommended no change to bond-market schedules, and CME Group Inc. (CME) said the New York Mercantile Exchange will open. Security guards were posted at the entrances and exits of Goldman Sachs and American Express headquarters buildings August 28, as well as in front of the Federal Reserve Bank of New York. There was little visible evidence of flooding, downed trees, or other damage in the area. Source: http://www.bloomberg.com/news/2011-08-28/citigroup-s-downtown-new-york-offices-fully-functional-as-irene-passes.html

18. August 26, KNTV 13 Las Vegas – (Nevada) Police capture bank robber dubbed ‘Bilingual Bandit’. An accused robber known for holding up banks in two languages was arrested August 26 in Las Vegas, Nevada. Metro Las Vegas officers and FBI agents were after the suspect, also known as “The Bilingual Bandit.” He is believed to have burst into four banks with a gun, yelling in Spanish for everyone to get down. It was the same story the morning of August 26 when he robbed a Wells Fargo on North Nellis and Charleston. By taking a look at previous bank robbery scenes, police were able to make a pretty good guess on where he was going to hit next. “It’s one of those things where he developed his own pattern, and because of his own pattern we were able to catch him,” police said. Source: http://www.ktnv.com/news/local/128504433.html

19. August 26, Security News Daily – (International) Cyber crime gang steals $13 million in a day. A coordinated cyber criminal network pulled off one of the largest and most complex banking heists ever, withdrawing $13 million in 1 day from ATMs in 6 countries. The breach hit Fidelity National Information Services Inc. (FIS), a Jacksonville, Florida-based firm that processes prepaid debit cards. FIS disclosed the breach May 5. According to a security researcher, the attackers first broke into FIS’s network and gained unauthorized access to the company’s database, where each debit card customer’s balance is stored. FIS’s prepaid debit cards include a fraud protection policy that limits the amount cardholders can withdraw from an ATM within a 24-hour period. Once that limit is reached, the cards cannot be used until their owners put more money back onto them. The criminals obtained 22 legitimate cards, eliminated each card’s withdrawal limit, and cloned them, sending copies to conspirators in Greece, Russia, Spain, Sweden, Ukraine, and the United Kingdom. When the prepaid balance on a card got too low, the hackers simply reloaded the fraudulent card remotely. At the close of the business day March 5, the criminals began taking out money from ATMs. By March 6, the scam was over, and the attackers had stolen $13 million. It is not clear who is behind the attack on FIS, although the characteristics of the scheme put it in line with similar crimes perpetrated by cyber criminals in Estonia and Russia. Source: http://www.msnbc.msn.com/id/44291945/ns/technology_and_science-security/#.Tlu1K12PzAw

Information Technology Sector

44. August 29, Softpedia – (International) Sophisticated file infector powers click fraud scam. Security researchers from Symantec uncovered a click fraud scam carried out with the help of a sophisticated file infector. It was the infector, W32.Xpaj.B, that attracted the attention of malware analysts with its complex detection-evading techniques. W32.Xpaj.B infects executable files on computers and network drives; the infected files then query the command and control servers every time they are run. Despite resembling a general purpose downloader, W32.Xpaj.B has only been used as part of this click fraud scheme, which hijacks legitimate search engine queries and returns ad-laden results. The infrastructure supporting this operation spans several countries, but unlike the file infector, the server-side code is unsophisticated. This has led researchers to believe that the dropper might have been bought from a third party. The scam itself is similar to the one that recently led to Google displaying malware warnings on its search site. The search queries are passed through a series of proxies and when results are returned, they are accompanied by rogue ads. Symantec’s researchers managed to reverse-engineer the encrypted code and obtain access to the “accounting” back-end, which held logs going back as far as September 2010. The extracted data shows that fraudsters intercepted an average of 241,000 searches per day until June 2011, which resulted in profits of $170 per day. Source: http://news.softpedia.com/news/Sophisticated-File-Infector-Used-in-Click-Fraud-Scam-219190.shtml

45. August 29, H Security – (International) Hacker steals user data from Nokia developer forum. A vulnerability in the software running Nokia’s developer forum was exploited by a hacker to compromise the site. The attacker used SQL injection to access the forum database at developer.nokia.com and, according to Nokia, obtained e-mail addresses of registered users. Where users had configured their profile to be publicly available, the table also includes details such as the user’s date of birth, Web site URL, and Skype, ICQ, or other IM username; this is reported to be the case for around 7 percent of users. The database did not contain passwords or credit card information. The issue does not, according to Nokia, affect any other Nokia accounts. The attacker, calling himself pr0tect0r AKA mrNRG, temporarily redirected the developer forum to a site containing a message for Nokia. Nokia apologized for the incident and has temporarily taken the forum offline. The company states that, although the vulnerability was fixed immediately, it is still investigating the incident. Source: http://www.h-online.com/security/news/item/Hacker-steals-user-data-from-Nokia-developer-forum-1332867.html
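The item above names the bug class but not the code. The following is an added illustration, not Nokia’s forum software or data: a profile lookup that pastes user input into the SQL string beside its parameterised form, run against a constructed SQLite table. The column names, the sample rows, and the payload are assumptions chosen to show why a “profile is public” restriction in the WHERE clause is no protection once the input can rewrite the query.

```python
import sqlite3

# Constructed sample rows standing in for a forum's user table. This is not
# Nokia's schema or data; the column names are assumptions for the example.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "1980-01-02", 1),
    ("bob",   "bob@example.com",   "1975-06-30", 0),   # profile NOT public
    ("carol", "carol@example.com", "1990-11-11", 1),
]

# Classic payload: closes the quoted string, makes the WHERE clause always
# true, and comments out the profile_public restriction that follows it.
PAYLOAD = "' OR 1=1 --"


def build_db():
    """Create an in-memory SQLite database holding the sample user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, email TEXT, dob TEXT, profile_public INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """VULNERABLE: user input is interpolated straight into the SQL text."""
    sql = (
        "SELECT username, email, dob FROM users "
        "WHERE username = '%s' AND profile_public = 1" % username
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Parameterised query: the value travels separately from the SQL text,
    so it can never change the statement's structure."""
    sql = (
        "SELECT username, email, dob FROM users "
        "WHERE username = ? AND profile_public = 1"
    )
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))  # all three rows, bob's included
    print("hardened:  ", lookup_hardened(db, PAYLOAD))    # []
```

With the payload, the vulnerable query becomes `WHERE username = '' OR 1=1 --' AND profile_public = 1`; everything after `--` is a comment, so the non-public row leaks along with the rest. The parameterised version treats the same string as a literal username and returns nothing.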

46. August 28, threatpost – (International) New worm Morto using RDP to infect Windows PCs. A new worm called Morto has begun making the rounds on the Internet in the last couple of days, infecting machines via Remote Desktop Protocol (RDP). The worm generates a large amount of outbound RDP traffic on networks that have infected machines, and Morto is capable of compromising both servers and workstations running Windows. Users who have seen Morto infections are reporting in Windows help forums that the worm is infecting machines that are completely patched and are running clean installations of Windows Server 2003. The SANS Internet Storm Center August 28 reported a huge spike in RDP scans in the last few days, as infected systems have been scanning networks and remote machines for open RDP services. Once on a new machine, the worm scans the local network for other PCs and servers to infect. Researchers at F-Secure said that Morto is the first Internet worm to use RDP as an infection vector. Once it has found another PC to infect, it starts trying a long list of possible passwords for the RDP service. Source: http://threatpost.com/en_us/blogs/new-worm-morto-using-rdp-infect-windows-pcs-082811
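The behaviour the item describes, one host opening RDP connections to many neighbours in quick succession, is easy to spot at the firewall. As an added example (not code from the article or from F-Secure or SANS), the detection logic below runs over a handful of constructed outbound-connection log lines and flags any source address that contacts an unusually large number of distinct TCP/3389 destinations within a short window. The log format, the year (syslog lines carry none; 2011 is assumed), the thresholds, and the addresses are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

RDP_PORT = 3389

# Constructed firewall log format; adapt LOG_RE to whatever your gateway emits.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: OUT "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=TCP dpt=(?P<dpt>\d+)"
)

# Constructed sample: 10.0.0.5 fans out to six hosts on 3389 within seconds
# (worm-like); 10.0.0.9 reconnects to a single RDP server and browses the web.
SAMPLE_LOG = """\
Aug 28 02:14:07 fw1 kernel: OUT src=10.0.0.5 dst=10.0.1.1 proto=TCP dpt=3389
Aug 28 02:14:08 fw1 kernel: OUT src=10.0.0.5 dst=10.0.1.2 proto=TCP dpt=3389
Aug 28 02:14:08 fw1 kernel: OUT src=10.0.0.9 dst=10.0.1.40 proto=TCP dpt=3389
Aug 28 02:14:09 fw1 kernel: OUT src=10.0.0.5 dst=10.0.1.3 proto=TCP dpt=3389
Aug 28 02:14:10 fw1 kernel: OUT src=10.0.0.5 dst=10.0.1.4 proto=TCP dpt=3389
Aug 28 02:14:11 fw1 kernel: OUT src=10.0.0.9 dst=10.0.1.40 proto=TCP dpt=3389
Aug 28 02:14:12 fw1 kernel: OUT src=10.0.0.5 dst=10.0.1.5 proto=TCP dpt=3389
Aug 28 02:14:13 fw1 kernel: OUT src=10.0.0.5 dst=10.0.1.6 proto=TCP dpt=3389
Aug 28 02:14:15 fw1 kernel: OUT src=10.0.0.9 dst=93.184.216.34 proto=TCP dpt=443
Aug 28 02:20:00 fw1 kernel: OUT src=10.0.0.5 dst=10.0.1.7 proto=TCP dpt=3389
"""


def parse(line, year=2011):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    return ts, m.group("src"), m.group("dst"), int(m.group("dpt"))


def find_rdp_scanners(lines, window_seconds=60, min_targets=5):
    """Map each source address to the largest number of distinct RDP targets it
    contacted inside any window_seconds-long interval, keeping only sources that
    reached min_targets or more. A sliding window over the sorted events does it."""
    events = defaultdict(list)                      # src -> [(ts, dst), ...]
    for line in lines:
        rec = parse(line)
        if rec is None or rec[3] != RDP_PORT:
            continue
        ts, src, dst, _ = rec
        events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            while (evs[hi][0] - evs[lo][0]).total_seconds() > window_seconds:
                lo += 1                               # drop events that fell out of the window
            targets = {dst for _, dst in evs[lo:hi + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


if __name__ == "__main__":
    for src, n in find_rdp_scanners(SAMPLE_LOG.splitlines()).items():
        print("possible RDP scanner %s: %d distinct targets in one window" % (src, n))
```

Tune min_targets to your network: a jump host or an administrator’s vulnerability scanner will also fan out over 3389 and belongs on an allow list, whereas an ordinary workstation that suddenly contacts dozens of hosts on that port is worth isolating and checking. The worm also guesses from a fixed password list, so weak RDP passwords, not a missing patch, are what let it spread.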

47. August 26, Softpedia – (International) Malvertizing spotted on Google’s DoubleClick. Security researchers from Web security vendor Armorize spotted malicious ads on Google’s DoubleClick network that lead to drive-by download exploits. “In the past few days, our scanners noticed malvertising on Google DoubleClick. The malvertisement is being provided to DoubleClick by Adify (Now a part of Cox Digital Solutions), and to Adify by Pulpo Media, and to Pulpo Media by the malicious attackers pretending to be advertisers: indistic.com,” the Armorize experts warn. “The malvertisement causes visitor browsers to load exploits from kokojamba.cz.cc (the exploit domain), which is running the BlackHole exploit pack. Currently, 7 out of 44 vendors on VirusTotal can detect this malware,” they add. Source: http://news.softpedia.com/news/Malvertizing-Spotted-on-Google-s-DoubleClick-218988.shtml

Communications Sector

48. August 29, Associated Press – (National) Irene takes out some East Coast cellphone service. Wireless networks fell quiet August 29 in some coastal areas of North Carolina and southern Virginia, but calls were going through in most areas affected by Tropical Storm Irene, the FCC said. In Lenoir, Greene, and Carteret counties of North Carolina, 50 percent to 90 percent of cell towers went offline, said the head of the public safety bureau of the FCC. About 400 cell towers were offline in North Carolina and Virginia, with power outages the chief reason. Another 200 towers were running on backup power by the evening of August 27 and could go silent as their backup batteries or generators run dry, the head of the public safety bureau said. Landline phone service failed for about 125,000 households on the coast, the FCC said. Another 250,000 have lost cable service, and some of them get phone service from the cable company, which would then also be out. The FCC Chairman said the 911 system has held up well. There were no reports of call-center outages or call congestion, he told The Associated Press. Public-safety networks for police, firefighters, and ambulance crews also were working. Networks in the biggest population center in the path of the storm, the greater New York metropolitan area, were largely spared. In New York City itself, the FCC said, only 1 percent of cell towers went off the air. Time Warner Cable Inc., one of the city’s two cable companies, said it had reports of sporadic outages. Verizon Communications Inc., the local phone company, was running some switching centers on backup power. Source: http://www.forbes.com/feeds/ap/2011/08/29/technology-broadcasting-amp-entertainment-us-irene-phone-service_8648024.html

49. August 28, City News Service – (California) Time-Warner Internet service restored. Internet and telephone service for thousands of Southern California homes and businesses went out for more than six hours August 28, as one of the largest Internet providers grappled with a system-wide failure in its network serving San Diego and large areas of Los Angeles, Orange County, and Palm Springs. Time-Warner Cable engineers said they found a malfunctioning piece of equipment at an undisclosed location “outside the state of California” and at about 1 p.m. began reprogramming routers to avoid the bottleneck, a company spokesman said. Repairs began to take effect in some locations immediately, and the entire system should be functioning normally by mid-afternoon, he said. The spokesman said the data interruption, which he said was intermittent, also cut telephone service for customers who use a Time-Warner cable or fiber line for bundled Time-Warner dial-tone phone service. VoIP services such as Skype or Vonage were also affected. The company has concentrations of customers in San Diego, Los Angeles, and Orange counties and the Coachella Valley, and all were affected August 28, a spokesman said. Source: http://www.10news.com/news/29006825/detail.html

Monday, August 29, 2011

Complete DHS Daily Report for August 29, 2011

Daily Report

Top Stories

• On August 25, energy suppliers from North Carolina to Maine secured equipment, activated emergency plans, and warned customers about potential power disruptions as Hurricane Irene threatened the East Coast. – Reuters (See item 5)

5. August 25, Reuters – (National) U.S. energy sector braces for direct hit from Irene. From nuclear plants to pipelines and refineries, energy companies braced August 25 for a potentially devastating Hurricane Irene that barreled toward the most populated part of the United States. The storm prompted energy suppliers from North Carolina to Maine to secure equipment, activate emergency plans, and warn customers about potential power disruptions. While the East Coast region has no major offshore oil and gas production like the hurricane-prone Gulf Coast, the stakes were still daunting. The region has around a dozen nuclear plants, a massive oil delivery hub at New York Harbor, and its pipelines and power networks serve more than 100 million Americans. The Colonial Pipeline, a 2.37-million-barrels-per-day refined oil product supply line, stretches 5,500 miles from Texas to the New York Harbor, with “spurs” to other fuel hubs that could be in the storm’s path, including in Maryland and Virginia. The agency warned of potentially long power outages, including in New York City, where winds of more than 75 miles per hour were forecast. National Grid, which supplies electricity and natural gas to some 3 million customers in the Northeast, enacted a plan that included racing crews and emergency equipment into place, and warning hospitals to prepare backup power for patients on life support, in case of outages. Kinder Morgan, another pipeline and terminal operator, was busy fueling vehicles, generators, and pumps, and securing equipment. It had plans to shut two terminals that handle products including fertilizer and coal in Virginia for 24 hours, starting August 27. Source: http://news.yahoo.com/east-coast-energy-firms-brace-irene-impact-183819323.html

• According to a survey released by the Institute for Safe Medication Practices the week of August 15, 52 percent of hospital purchasing agents and pharmacists reported they have bought drugs from so-called “gray market” vendors during the previous 2 years. – MSNBC News (See item 35)

35. August 26, MSNBC News – (National) Half of hospitals buy back-door drugs. Amid growing reports of price-gouging for life-saving drugs, 52 percent of hospital purchasing agents and pharmacists reported they have bought drugs from so-called “gray market” vendors during the previous 2 years, according to a just-released survey of 549 hospitals by the Institute for Safe Medication Practices (ISMP), an advocacy group. Gray-market suppliers are those that operate outside official channels, often buying drugs from uncertain sources and reselling them at a steep profit. A report issued the week of August 15 by one hospital association found their average mark-up was 650 percent. Pressures from demanding doctors and desperate patients helped fuel the transactions, making hospital staffers feel like they had no choice but to buy drugs in short supply at steep prices. More than half of respondents to the ISMP survey, some 56 percent, said they were bombarded daily with solicitations from up to 10 gray market vendors, with requests coming by phone, e-mail and fax. About a third of respondents from critical access and community hospitals who had purchased drugs from gray-market sources said they paid at least 10 times the contract price for the medications. Source: http://www.msnbc.msn.com/id/44280296/ns/health-health_care/#.TlfCEF0g1kA


Banking and Finance Sector

17. August 25, Philadelphia Daily News – (Pennsylvania) Man in $7 million shore mortgage scam: I’m guilty. A Las Vegas, Nevada man who formerly worked as a mortgage broker in Chester County, Pennsylvania, pleaded guilty August 25 for his role in a $7 million mortgage scam, which involved conspiracy, wire fraud, and money laundering. He was a mortgage broker who bilked at least 7 banks or financial institutions in the scam, which lasted from May 2005 to October 2008. Court papers said he found buyers, including family members, to purchase homes, primarily in North Wildwood, for inflated prices, so that buyers would get kickbacks of between $30,000 and $50,000 at closing. He helped buyers qualify for mortgages using fraudulent information, such as inflated income or asset information and false employment information. Most of the buyers made few or no payments on their mortgages, causing lenders to foreclose on the properties and attempt to resell them to recoup some of their losses, authorities said. He profited from the scam by making inflated commissions on the transactions, by receiving kickbacks on his own purchases, and by receiving other kickbacks from the sellers of properties for finding them willing buyers. Source: http://www.philly.com/philly/news/128408203.html

18. August 25, Southwest Times Record – (Kansas; Missouri; Oklahoma) Police eye tie to FBI’s bank bandit. A man sporting a fake beard during an August 23 bank robbery could be a man wanted by the FBI, but police have not ruled out other possibilities, according to a police spokesman. The FBI refers to him on their website as the “Fake Beard Bandit,” and they believe he is responsible for 7 bank robberies in Oklahoma, Kansas, and Missouri dating back to May 24. A public information officer for the Fort Smith Police Department said there are a lot of similarities between the 7 bank robberies allegedly committed by the Fake Beard Bandit and the robbery that occurred August 23 at Liberty Bank, 4625 Old Greenwood Road. The August 23 suspect came into the bank through the building’s east entrance while four clerks were working, brandished a black handgun, and demanded money. He then ordered everyone in the bank to lie on the floor for five minutes before he left with an undisclosed amount of money. The man the FBI is looking for usually comes to the bank 2 hours before each robbery to get a deposit slip or other paperwork, but police said they have not identified anyone doing that on the bank’s security footage. Source: http://www.swtimes.com/news/article_c744940a-cf2b-11e0-ae29-001cc4c002e0.html

19. August 25, Forbes – (International) JPMorgan paying $88.3M over alleged violations. JPMorgan Chase Bank is paying $88.3 million in an agreement with the Treasury Department, which says the bank violated regulations that prohibit lending money to entities linked to countries engaged in illicit nuclear trade and that cover dealings with Cuba and Sudan. Treasury’s Office of Foreign Assets Control (OFAC) announced the agreement August 25 with the big Wall Street bank. The office said some of JPMorgan Chase’s “apparent violations” of the regulations were serious. In one case JPMorgan Chase Bank in December 2009 made a $2.9 million trade loan to another bank, which extended credit to a ship that had been identified as linked to the Iranian government’s shipping lines, OFAC said. It said JPMorgan managers knew the loan violated the regulations against helping nations such as Iran that proliferate weapons of mass destruction but did not notify the government until March 2010. In the Cuban case, OFAC said the bank processed 1,711 wire transfers totaling $178.5 million between December 2005 and March 2006 involving Cubans, in an apparent violation of the U.S. Cuban assets control regulations. Although JPMorgan managers were given the results of an internal investigation of the transfers, the bank “failed to take adequate steps to prevent further transfers,” the agency said. OFAC said the regulations involved were the Cuban Assets Control Regulations, the Weapons of Mass Destruction Proliferators Sanctions Regulations, the Global Terrorism Sanctions Regulations, the Iranian Transactions Regulations, the Sudanese Sanctions Regulations, and the Former Liberian Regime of Charles Taylor Sanctions Regulations. Source: http://www.forbes.com/feeds/ap/2011/08/25/general-financials-us-jpmorgtreasury-penalty_8643440.html

Information Technology Sector

44. August 26, Help Net Security – (International) Illegal keygen for well-known AV solution leads to infection. An illegal key generator for the recently released version of the TrustPort Internet Security solution brings trouble to unsuspecting users, warns BitDefender. Bundled with the keygen is a trojan that injects itself into explorer.exe and adds a list of exceptions to the locally installed firewall, in order to finally deploy a backdoor on the targeted computer. The trojan is capable of stealing passwords cached in a variety of Web browsers and information regarding Internet banking and online financial transactions, recording video and audio streams generated by the computer’s Webcam, and logging conversations executed via IM applications and social networks. It is also capable of downloading other malicious software, including the Zeus trojan and a number of remote administration tools. The keygen in question is equipped to spread via a variety of means, including IM services, e-mail clients, P2P sharing, and USB drives. Source: http://www.net-security.org/malware_news.php?id=1818

45. August 26, Help Net Security – (International) Bitcoin mining botnet also used for DDoS attacks. A recently discovered P2P Bitcoin mining botnet has acquired DDoS capabilities, warns a Kaspersky Lab researcher. Its main purpose has so far been Bitcoin mining, as the bot installs three trojans with that function (Ufasoft, RCP, and Phoenix), but it also functions as a way of delivering other malicious software to the infected machines. Among the delivered files are two DDoS programs. According to H Security, their targets change as different victim lists are delivered to them by the botnet operators. Currently, the first module — which uses HTTP flooding — is attacking 31 German and 2 Austrian estate agency portals and food industry sites. The second one, using UDP flooding, is targeting the IP addresses of companies that offer anti-DDoS services. Among the food industry sites targeted is pizza.de, which confirmed that it had been suffering an attack for 3 days, during which it was bombarded with 20,000 – 30,000 HTTP requests per second, coming from some 50,000 IP addresses. Given the P2P architecture, this botnet will be extremely hard to take down. Currently, the number of infected machines taking part in the botnet is increasing. As its targets are easily updated by its operators, the next ones will likely be determined by the people who rent its services in the future. Source: http://www.net-security.org/malware_news.php?id=1817

46. August 26, Softpedia – (International) Remote code execution vulnerability patched in F-Secure Antivirus. F-Secure patched a remote code execution vulnerability that affected several of its security products and exposed users to drive-by download attacks. The buffer overflow vulnerability is located in the F-Secure Gadget Resource Handler ActiveX Control (fsresh.dll). According to vulnerability management vendor Secunia, which rates this vulnerability as highly critical, the flaw is caused by a boundary error in the handling of the “initialize()” method. The vulnerability can be exploited by tricking victims into visiting a specially-crafted Web page using Internet Explorer. F-Secure Anti-Virus 2010 and 2011, F-Secure Internet Security 2010 and 2011, as well as products based on F-Secure Protection Service for Consumers version 9 and F-Secure Protection Service for Business — Workstation security version 9 are affected by this flaw. Source: http://news.softpedia.com/news/Remote-Code-Execution-Vulnerability-Patched-in-F-Secure-Antivirus-218906.shtml

47. August 26, Softpedia – (International) SecurID secrets stolen with Poison Ivy. Security researchers managed to obtain a copy of the malicious e-mail and attachment used against RSA Security and found that it dropped a variant of the Poison Ivy backdoor. The March RSA Security intrusion, which resulted in the theft of data related to the company’s popular SecurID two-factor authentication product, was widely covered in the media. This was partially because of RSA’s silence following the breach and the fact that it resulted in attacks against Lockheed Martin and possibly other U.S. military contractors. The company eventually offered to replace the SecurID tokens of all its customers, estimated at 40 million tokens, and has already reported losses of $60 million resulting from the incident. RSA previously revealed that the attack involved an e-mail sent to its employees which carried an Excel file called “2011 Recruitment plan.” This file bundled a zero-day Flash Player exploit. Security researchers had been trying to track down the file in question for months until, the week of August 15, a malware analyst from F-Secure had a breakthrough. He wrote a tool that analyzed malware samples for Flash objects most likely associated with an exploit for this vulnerability. One of the identified samples was an Outlook file and when he opened it, he realized it was the exact e-mail sent to RSA employees. Source: http://news.softpedia.com/news/RSA-Secret-Data-Stolen-Using-Poison-Ivy-218880.shtml

48. August 26, Softpedia – (International) Zeus offspring distributed from compromised osCommerce sites. Security researchers warn that variants of a Zeus spin-off trojan called Ice-IX are being distributed from osCommerce Web sites compromised during a recent mass injection attack. The attack, targeting osCommerce installations vulnerable to a flaw that dates from November 2010, began at the end of July 2011. The code injection campaign escalated quickly: the number of infected pages jumped from 90,000 to over 3.8 million within a week and to 8 million 2 weeks later. The code injected into the pages leads to externally-hosted drive-by download exploits that target vulnerabilities in unpatched versions of Java, Adobe Reader, Internet Explorer, and Windows XP. If exploitation is successful, a trojan is installed on the victim’s computer. According to the Malware Domain List, a non-commercial community project that tracks malicious URLs, that trojan is now Ice-IX. Source: http://news.softpedia.com/news/ZeuS-Offspring-Distributed-from-Compromised-osCommerce-Sites-218839.shtml

49. August 25, Help Net Security – (International) Bogus emails delivering scanned documents carry malware. E-mails posing as scanned documents sent from a Xerox WorkCentre Pro photocopier are being sent out by malware peddlers, warns Sophos. This is not the first time that such e-mails have been delivered to inboxes around the world. In February, almost identical e-mails carried a booby-trapped PDF file as the attachment, meant to ultimately allow the installation of the information-stealing Zeus trojan. This time, the attached ZIP file carries a downloader trojan. Sophos does not mention whether the e-mail is sent from legitimate (but compromised) e-mail accounts known to the potential victims. If it is, this spam run could be very effective. Source: http://www.net-security.org/malware_news.php?id=1815

50. August 25, Softpedia – (International) Remote UPnP scanner puts home routers at risk of abuse. A security specialist released a tool that is capable of launching attacks against home networking devices that support Universal Plug and Play (UPnP) on their WAN interfaces. He revealed that entire series of routers, cable modems, and other networking devices from big manufacturers are vulnerable to UPnP attacks over the Internet. The Universal Plug and Play technology was developed by Microsoft in 1999 as a solution for automated NAT traversal. It allows applications to discover network gateways automatically and ask them to forward traffic on specific ports back to the computers the applications are running on. The researcher found that many home networking devices allow UPnP requests to be received on the WAN (Internet) interface, despite this technology having been primarily designed for LAN use. However, unlike LAN environments, where multicast discovery is used, WAN-side UPnP traffic uses exact URLs and ports hard-coded into each device. These are all built into the Umap scanning tool created and freely distributed by the researcher. According to H Security, the researcher claims to have identified over 150,000 potentially vulnerable devices in a short period of time by using Umap. The scanner is also capable of sending requests containing AddPortMapping or DeletePortMapping commands to the exposed UPnP interfaces. Source: http://news.softpedia.com/news/Remote-UPnP-Scanner-Puts-Home-Routers-at-Risk-of-Abuse-218728.shtml
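The gateway-side check that the item implies a router should perform, as an added example that is not part of the report or of the Umap tool: it parses a standard IGD WANIPConnection SOAP request and accepts AddPortMapping/DeletePortMapping only from the LAN and only for LAN hosts. The sample request, the source addresses, and the 192.168.1.0/24 LAN range are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Actions that change the NAT table and therefore must never be honoured from the WAN side.
CONTROL_ACTIONS = {"AddPortMapping", "DeletePortMapping"}

# Constructed sample: a standard IGD AddPortMapping request (not a captured packet).
SAMPLE_ADD_PORT_MAPPING = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body>
<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost>
<NewExternalPort>8080</NewExternalPort>
<NewProtocol>TCP</NewProtocol>
<NewInternalPort>80</NewInternalPort>
<NewInternalClient>192.168.1.10</NewInternalClient>
<NewEnabled>1</NewEnabled>
<NewPortMappingDescription>example</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:AddPortMapping>
</s:Body>
</s:Envelope>"""


def parse_igd_action(soap_body: str) -> dict:
    """Return the action name and its (un-namespaced) arguments from an IGD SOAP request."""
    root = ET.fromstring(soap_body)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("no SOAP body element")
    action = body[0]
    name = action.tag.split("}", 1)[1] if action.tag.startswith("{") else action.tag
    args = {child.tag: (child.text or "").strip() for child in action}
    return {"action": name, "args": args}


def audit_igd_request(source_ip: str, soap_body: str, lan_cidr: str = "192.168.1.0/24") -> dict:
    """Policy: control actions only from the LAN, and only mapping to LAN hosts."""
    req = parse_igd_action(soap_body)
    lan = ipaddress.ip_network(lan_cidr)
    reasons = []
    if req["action"] in CONTROL_ACTIONS and ipaddress.ip_address(source_ip) not in lan:
        reasons.append(f"{req['action']} received from non-LAN address {source_ip}")
    client = req["args"].get("NewInternalClient")
    if client:
        try:  # a mapping to a non-LAN host would turn the gateway into a relay
            if ipaddress.ip_address(client) not in lan:
                reasons.append(f"NewInternalClient {client} is outside the LAN")
        except ValueError:
            reasons.append(f"NewInternalClient {client!r} is not an IP address")
    return {**req, "source": source_ip, "accept": not reasons, "reasons": reasons}
```

Feeding the same request from a WAN address and from a LAN address shows the only difference between the two verdicts is where the request arrived from.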

Communications Sector

51. August 26, WTVJ 6 Miami – (Florida) AT&T service down in south Florida again. For the second time this summer, South Florida AT&T customers could not reach out and touch anyone because their service was down. The wireless carrier said an equipment issue knocked out service to some customers August 26. “Some AT&T wireless customers from mid-Broward County south to Key West may not be able to make mobile-to-mobile calls or receive calls to their mobile from a landline due to an equipment issue,” a spokeswoman said. The outage impacts mobile broadband and 3G service only, she said. In June, customers were without service for more than 4 hours. Source: http://www.nbcmiami.com/news/local/ATT-Service-Down-in-South-Florida--128467673.html

52. August 25, Erie Times-News – (International) WQLN-TV to be off air over weekend. A transmitter damaged during a storm-related power outage August 25 has knocked WQLN-TV off the air until at least August 29, said the director of creative services for WQLN Public Media. The equipment failure blocked the broadcast signal from WQLN-TV August 25, interrupting local showings of “Curious George” and other programs. New said technicians made several attempts to restore broadcasting before they determined the transmitter tube was damaged beyond repair. Technicians from the Axcera Corp., which manufactures the transmitter, are also expected to help with its installation, the director of creative services for WQLN-TV said. WQLN Radio broadcasts from a different transmitter and remains on the air, a spokesman said. WQLN airs on Time-Warner cable in Erie County and on Rogers Cable in southern Ontario. Source: http://www.goerie.com/apps/pbcs.dll/article?AID=/20110825/NEWS02/308259871/-1/NEWS

53. August 25, Maui Now – (Hawaii) Verizon wireless service restored after disruption. The Verizon Wireless outage reported on Maui August 25 was also felt by customers on Oahu, Kauai, and parts of the Big Island, according to the company’s media spokesperson for the region that includes Hawaii. The spokesperson said the network outage to voice and data services occurred when the company encountered unexpected issues with a software upgrade. “As soon as it was discovered, it was addressed by technicians,” she said. The network in Hawaii was 99 percent back to normal performance by 2:40 p.m., with full capacity anticipated shortly, according to the spokesperson. Customers on the Valley Isle told Maui Now that they experienced problems from as early as 6 a.m., with some wireless internet users reporting connectivity issues from August 24. Source: http://mauinow.com/2011/08/25/verizon-wireless-service-disruption-on-maui-under-investigation/