Wednesday, September 14, 2011

Complete DHS Daily Report for September 14, 2011

Daily Report

Top Stories

• The Federal Aviation Administration has proposed a $1.1 million fine against a Southwest Airlines contractor for improperly inspecting and repairing fuselages on 44 planes. – USA Today (See item 13)

13. September 13, USA Today – (National) FAA: $1.1M fine for Southwest maintenance. The Federal Aviation Administration (FAA) has proposed a $1.1 million fine against a company for alleged maintenance violations involving 44 Southwest Airlines planes. The fine proposed September 12 against Aviation Technical Services of Everett, Washington, was for improperly inspecting and repairing the fuselages on Southwest's Boeing 737-300 aircraft. The Southwest jet whose roof was ripped open in April 2011 with 118 people aboard was not among the planes in the FAA complaint. That plane landed safely in Yuma, Arizona. A Southwest spokesman said the airline has improved maintenance since the problems alleged in the complaint, which were from December 2006 to September 2009. FAA fines are typically negotiated with companies as they remedy any violations. The company has 30 days to reply. The complaint said Aviation Technical Services failed to accomplish five repetitive inspections, and a one-time inspection to find and repair cracks in the planes' skins. After the inspections, it allegedly failed to install fasteners in rivet holes in the time specified as sealant dried. This is the second proposed fine against the company in the past year. The FAA proposed a $530,250 fine in November 2010 for improper work to detect skin cracks while maintaining 14 Southwest planes. Source:

• Three Transportation Security Administration agents and at least two police officers were arrested in connection with a massive oxycodone trafficking operation between Connecticut, New York, and Florida. – NBC Connecticut (See item 30)

30. September 13, NBC Connecticut – (National) TSA agents, cops arrested for drug trafficking. Three Transportation Security Administration (TSA) agents and at least two police officers have been arrested, accused of being involved in a massive oxycodone trafficking operation between Connecticut, New York, and Florida, according to the U.S. Department of Justice. The arrested officers include three TSA officers based at airports in Florida and New York, a Westchester County, New York, police officer, and a Florida State Trooper. Officials said the suspects are accused of receiving cash to help move tens of thousands of oxycodone pills from Florida to New York and Connecticut as well as transport cash proceeds from the sale of the drugs back to Florida. A U.S. attorney, the U.S. Drug Enforcement Agency, and Stamford police chief were scheduled to participate in a news conference September 13 in Stamford to discuss the arrests. Source:


Banking and Finance Sector

12. September 12, Computerworld – (National) Vending machine company announces major data breach. Vacationland Vendors, a company that supplies vending machines and games to entertainment venues, has disclosed a data breach affecting about 40,000 people who visited waterpark resorts in Wisconsin and Tennessee between December 2008 and May 2011. In a statement, Vacationland Vendors said an unknown intruder had broken into parts of its point-of-sale systems used to process payment-card transactions at Wilderness Resorts locations in Tennessee, and in the city of Wisconsin Dells, Wisconsin. The statement does not specify how many people were affected by the breach, but a report in The Credit Union Times Web site pegged the number at 40,000 victims. The company's investigations show that, "a computer hacker improperly acquired credit card and debit information," the vendor said on its Web site. The company did not disclose how it discovered the breach or when. The statement did not say if those affected by the breach have been notified. It said the breach had not resulted from any internal security weakness at either of the Wilderness Resorts. "Vacationland Vendors has learned that other businesses just like its own have been affected by this computer hacker," the statement said. Breaches of point-of-sale networks have typically involved the use of malicious software to sniff out and intercept payment card data as the information is transmitted to the bank for authorization. Source:

For more stories, see item 32 below in the Information Technology Sector and item 40 below in the Communications Sector

Information Technology Sector

32. September 13, Help Net Security – (International) Improved SpyEye variant actively attacking Android devices. Help Net Security reported September 13 the first SpyEye variant, called SPITMO, has been spotted attacking Android devices in the wild. According to Trusteer's chief technology officer, the threat posed by DroidOS/Spitmo has escalated the danger of SpyEye now that this malicious software has been able to shift its delivery and infection methods. Looking at the attack vector in action, he explained, "When a user browses to the targeted bank, a message is injected presenting a 'new' mandatory security measure, enforced by the bank, in order to use its online banking service. The initiative pretends to be an Android application that protects the phone's SMS messages from being intercepted and will protect the user against fraud." Once the user clicks on "set the application" he is given further instructions to walk him through downloading and installing the application. To complete the installation, the user is instructed to dial a certain number; the call is intercepted by the Android malware and an alleged activation code is presented, to be submitted later into the "bank's site." Besides concealing the true nature of the application, this "activation code" does not serve any legitimate purpose. Once the trojan has successfully installed, all incoming SMS messages are intercepted and transferred to the attacker's Command and Control server. A code snippet is run when an SMS is received, creating a string, which will later be appended as a query string to a GET HTTP request, to be sent to the attacker's drop zone. Source:

33. September 13, Help Net Security – (International) Facebook tool automates siphoning of user data. Help Net Security reported September 13 a group of security researchers has developed a proof-of-concept Java-based tool, called Facebook Pwn, that could allow malicious individuals to automate the siphoning of information from a target's Facebook profile that would otherwise be inaccessible to them. To do that, the attacker must only create a new Facebook account, and the tool practically does the rest of the work. The "friending" plugin tries to befriend the target's friends. Once it has managed to do that, the "cloning" plugin asks the user to choose one of those friends, whose displayed picture and name will be replicated on the newly opened Facebook account. After that, a friend request is sent to the victim's account. "As soon as the victim accepts the friend request, the 'dumper' starts to save all accessible HTML pages (info, images, tags, etc.) for offline examining," explain the developers. Even if the target realizes the scam after a few minutes and un-friends the fake account, the action is completed and the information is stolen, and can be misused to mount spearphishing or other attacks that rely on social engineering to gain a foothold into computer systems. Source:

34. September 13, H Security – (International) Return of the BIOS trojans. Chinese AV vendor 360 has discovered a virus in the wild that makes its home in a computer's BIOS, where it remains hidden from conventional virus scanners, H Security reported September 13. The contaminant, called Mebromi, first checks to see whether the victim's computer uses an Award BIOS. If so, it uses the CBROM command-line tool to hook its extension into the BIOS. The next time the system boots, the BIOS extension adds additional code to the hard drive's master boot record (MBR) to infect the winlogon.exe/winnt.exe processes on Windows XP and 2003 / Windows 2000 before Windows boots. The next time Windows launches, the malicious code downloads a rootkit to prevent the drive's MBR from being cleaned by a virus scanner. But even if the drive is cleaned, the whole infection routine is repeated the next time the BIOS module is booted. Mebromi can also survive a change of hard drive. If the computer does not use an Award BIOS, the contaminant simply infects the MBR.


35. September 12, The Register – (International) MS inadvertently offers early peep at September patches. Microsoft inadvertently published details of the patches it plans to publish September 13 following a slip-up by its security personnel the week of September 5. Patch Tuesday pre-alerts normally reveal little more than the applications Microsoft intends to update, and the severity of the vulnerabilities addressed. However, this month, the software giant leaked details of the security holes it plans to close: five ordinary updates that affect Office and Windows and have a maximum severity rating of "important." Vulnerability management experts and Microsoft downplayed the significance of the leak. Source:

36. September 12, threatpost – (International) QR tags can hide malicious links, experts warn. Quick Response (QR) tags have become the next big thing in interactive marketing. But as smart phone users flock to the trendy, postage-stamp sized bar codes, researchers are warning that they could be used to hijack mobile phones by directing them to malicious Web pages. In a September 10 post on the mobile security blog Kaotic Neutral, a researcher demonstrated a practical attack that would link a malicious QR tag to an Internet-based attack server running an instance of the Metasploit penetration testing framework. Similar attacks could be used to push malicious programs to vulnerable mobile devices that scan the QR tag, he said. Source:

37. September 12, Infosecurity – (International) Reverse engineering specialist dissects the Morto worm. A reverse engineering specialist with Imperva has successfully dissected the operation of the Morto worm, a malware executable notable for being the only worm seen to date that exploits Microsoft's remote desktop protocol (RDP). Infosecurity reported September 12 that according to the researcher, the code does not exploit any specific vulnerability, but simply relies on people installing the worm and then uses a brute force password attack to gain access to systems. This is, he said, the first time he and his team have seen a worm like this, and the malware itself is sophisticated — even if the method of proliferation is not. "Blocking the spread of this worm relies on using a sophisticated password that isn't on the worm's dictionary list," he said in his latest security posting. Nearly 2 years after being published, he notes, the RockYou password list continues to be used by hackers in brute force password dictionaries. "One thing we determined from looking at the worm was origin. Looking at DNS information, the worm seems to have originated from China, Hong Kong, and Australia," he said. After dumping the code from Morto using the MoonSols win32dd.exe utility, he said RDP port 3389 with PID 1064 is one of the attack vectors used by the worm. In addition, what is also notable about the malware, he said, is that during the infection process, Morto creates four new files on the infected system and then deletes itself. This may, Infosecurity notes, be one of the reasons why the Morto worm — which appeared on the malware scene earlier this summer — has infected so many systems. Once executed, it attempts to propagate itself to additional computers via the RDP and spreads by forcing infected systems to scan for servers allowing an RDP login. Once Morto finds an RDP-accessible system, it attempts to log in to a domain or local system account named Administrator using a number of common passwords. Source:
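The two defensive points in the Morto item, spotting a burst of failed RDP logons against the Administrator account from one source and rejecting passwords that sit in a brute-force wordlist, as an added example that is not part of the report. The log records and the wordlist are constructed stand-ins; the record format is a simplified rendering of Windows logon events, not a real log export.

```python
import re
from collections import Counter

# Constructed sample records (not from the report), modelled loosely on
# Windows logon events: 4625 = failed logon, 4624 = success, type 10 = RDP.
SAMPLE_LOG = """\
2011-09-12T03:14:01 EventID=4625 LogonType=10 Account=Administrator Source=198.51.100.7
2011-09-12T03:14:02 EventID=4625 LogonType=10 Account=Administrator Source=198.51.100.7
2011-09-12T03:14:02 EventID=4625 LogonType=10 Account=Administrator Source=198.51.100.7
2011-09-12T03:14:03 EventID=4625 LogonType=10 Account=Administrator Source=198.51.100.7
2011-09-12T03:14:04 EventID=4625 LogonType=10 Account=Administrator Source=198.51.100.7
2011-09-12T03:14:09 EventID=4624 LogonType=10 Account=Administrator Source=198.51.100.7
2011-09-12T03:20:11 EventID=4625 LogonType=10 Account=jsmith Source=203.0.113.9
2011-09-12T03:21:40 EventID=4625 LogonType=2 Account=Administrator Source=127.0.0.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"Account=(?P<acct>\S+) Source=(?P<src>\S+)$"
)

def parse_events(text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def rdp_admin_bruteforce(text, threshold=5):
    """Map source -> (failure_count, succeeded_afterwards) for sources with at
    least `threshold` failed RDP logons against Administrator (Morto's pattern)."""
    failures = Counter()
    successes = set()
    for ev in parse_events(text):
        if ev["ltype"] != "10" or ev["acct"].lower() != "administrator":
            continue  # only interactive RDP attempts on the admin account
        if ev["eid"] == "4625":
            failures[ev["src"]] += 1
        elif ev["eid"] == "4624":
            successes.add(ev["src"])
    return {src: (n, src in successes)
            for src, n in failures.items() if n >= threshold}

def password_in_wordlist(password, wordlist):
    """Mitigation from the item: reject a password present (case-insensitively)
    in a brute-force dictionary such as the RockYou list."""
    return password.lower() in {w.strip().lower() for w in wordlist}

WORDLIST = ["123456", "password", "admin", "12345678"]  # constructed stand-in
```

A source that appears in the result with `succeeded_afterwards` set to `True` is the case to treat as a compromised host rather than merely a noisy scanner.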

38. September 8, CNET News – (International) DIY flying robo hacker threatens wireless networks. Researchers created a device dubbed SkyNET, which combines a toy helicopter and a computer configured to attack Wi-Fi networks. The result is a drone that can compromise computers on wireless networks and turn them into botnets. Botnets are widely used for hacking, denial-of-service attacks, and spamming. By controlling the botnet from a drone rather than an Internet connection, the botmaster is harder to track down. To catch the miscreant, someone would have to figure out a drone is involved, spot the drone, and follow it back to its owner. The prototype SkyNET drone is a Parrot AR.Drone quadrocopter modded with a lightweight Linux computer, 3G mobile broadband connection, GPS receiver, and a pair of Wi-Fi cards — one for controlling the drone and one for attacking wireless networks. SkyNET was developed by researchers at Stevens Institute of Technology. Source:

Communications Sector

39. September 13, WJAR 10 Providence – (Rhode Island) Fire knocks out phone service to businesses. Many businesses in Rhode Island lost their phone service for a time September 13, including quite a few police departments around the state. A spokesperson for Cox Communications told NBC 10 there was a fire over the weekend that damaged equipment in Warwick. When crews began working on it at about 1 a.m. September 13, phone and data services for businesses were knocked out across the state. Full service has now been restored. Source:

40. September 12, Ravalli Republic – (Montana) Bitterroot phone, Internet service restored after daylong outage. A damaged fiber-optic cable caused a massive cellphone, landline, and Internet outage in Montana's Bitterroot Valley September 12, affecting everything from 9-1-1 calls to credit card machines for more than 8 hours. A contractor working in Victor accidentally cut the CenturyLink cable about 8:30 a.m., according to a company spokesman. "From Stevensville all the way to Darby, most long distance was affected on landlines," he said. Cell phone users with a wide variety of service providers found they could no longer make calls, and Internet access was also affected. The company had repaired the cable by about 4:30 p.m., but the Ravalli County sheriff said the accident created a lot of problems. "You cut a fiber-optic cable in Victor and it shut down business in the Bitterroot for a day," he said. "We still had radio communications, but this affected more than just us obviously. Banks couldn't do business, and I think everybody had a hectic day with this." The Missoula County 9-1-1 Center took calls from Ravalli County during the outage, and the company spokesman said there were other contingency plans in place to keep emergency services going. "Since local calling was primarily not affected, we rerouted the 9-1-1 number to different local emergency services," he said. Source:

For more stories, see items 32, 33, and 38 above in the Information Technology Sector