Tuesday, February 7, 2012

Complete DHS Daily Report for February 7, 2012

Daily Report

Top Stories

• Most families returned to a housing complex outside a remote U.S. Marine training base February 5 in Coleville, California, 2 days after a propane gas explosion that killed 1, and displaced 38 families. – Associated Press (See item 32)

32. February 6, Associated Press – (California) Most families return after Calif. base explosion. Most families returned to a military housing complex outside a remote U.S. Marine training base February 5 in Coleville, California, 2 days after a propane gas explosion that killed a Marine’s wife and critically burned two other people. A total of 38 families were displaced from the military neighborhood that serves the U.S. Marine Corps Mountain Warfare Training Center. Twenty families had returned by February 5, and 18 remained displaced, a Marine Corps spokesman said. The explosion destroyed only one house at the center of the blast, but left 11 uninhabitable. The explosion was related to the housing area’s propane distribution system and was not associated with activities at the Marine base, which is about 30 miles away. After safety inspections February 4, inspectors began testing the propane distribution system house-by-house for leaks or any other signs of trouble, and ensuring that gas-powered appliances are re-lit and functioning properly. Source: http://www.huffingtonpost.com/huff-wires/20120206/us-marine-base-explosion/

• The basic security model for supervisory control and data acquisition systems for industrial processes is completely inadequate, researchers said in findings presented at a recent security analyst conference. – eWeek, See item 41 below in the Information Technology Sector.


Banking and Finance Sector

13. February 6, The Register – (International) Hackers may be able to ‘outwit’ online banking security devices. An investigation by BBC Click underlines possible shortcomings in the extra security provided by banking authentication devices such as PINSentry from Barclays and SecureKey from HSBC. Hackers could set up a fake banking Web site and prompt users attempting to log into their account for both their online log-in credential and, for example, a PINSentry code. This information would allow cybercrooks to log onto the genuine banking Web site, posing as a customer, before authorizing fraudulent transfers or other payments. This variant of a classic man-in-the-middle-attack is know in security circles as a man-in-the-browser attack. Isolated incidents of this type of fraud have cropped up over recent years. While the attack is not new, it is doubtful that many consumers are aware of it. Source: http://www.theregister.co.uk/2012/02/06/online_banking_security/

14. February 3, New York Times – (International) Anonymous says it knocked Citigroup sites offline. Hackers claiming to be members of the loose hacking collective Anonymous took credit for knocking the Citigroup and Citibank Web sites offline February 3. At times the sites were only sporadically available, and some attempts to log into banking accounts were met with an error message. A Citigroup spokesman confirmed Citigroup’s consumer site had experienced a temporary outage, but said the bank was able to restore Web site operations within ` hour and was continuing to monitor its systems. This was part of a recent string of attacks by hackers who call themselves Anonymous Brazil. In posts on Twitter, the hackers said their attacks were intended to fight corruption. By February 3, they had at various times taken down the Web sites of Banco BMG, Banco Bradesco, Banco de Brasil, Banco Panamericano, Citigroup, HSBC Holdings, Itau Unibanco Banco Multiplo, and Febraban, Brazil’s banking federation. Source: http://bits.blogs.nytimes.com/2012/02/03/anonymous-says-it-knocked-citigroup-sites-offline/

Information Technology

39. February 6, Softpedia – (International) PHP 5.3.9 regression allows HTTP header attacks and 32/64-bit OS detection. After the PHP Group fixed the hash collision issue by releasing a patch to mitigate attacks, the fix turned out to be problematic, with xperts identifying a remote code execution vulnerability. Now, it turns out the same variant opened up the possibility of a new class of HTTP header attacks. The security expert who found the remote code execution flaw also uncovered this second issue. He believes the max_input_vars variable initially limited to a maximum number of 1,000 to mitigate hash collision attacks allows the identification of 32-bit and 64-bit operating systems introducing the possibility of this header attack that eventually leads to remote code execution. Knowing this information, allows attackers of remote memory corruption vulnerabilities to better prepare for the target he said. While the issue affects nearly all PHP applications, he claims Suhosin Extension users are safe from this issue, and a new feature will be added to protect against HTTP header attacks. Source: http://news.softpedia.com/news/PHP-5-3-9-Regression-Allows-HTTP-Header-Attacks-and-32-64-Bit-OS-Detection-250872.shtml

40. February 6, H Security – (International) Backdoor in TRENDnet IP cameras. Consolecowboys blogger someLuser identified a security vulnerability in some TRENDnet IP cameras that permits inquisitive Web users access without authentication. He discovered the vulnerability while exploring the firmware on his TV-IP110w camera using a tool called binwalk. Lengthy lists of freely accessible video streams are already circulating. Random sampling by H Security’s associates at heise Security found most of the cameras were freely accessible, providing views of offices, living rooms, and children’s bedrooms. For demonstration purposes, someLuser put together a Python scriptDirect download that uses server search engine Shodan to find cameras. Navigating to a camera Web server URL displays the video stream recorded by the camera — this occurs whether or not a password is set. TRENDnet already responded by providing a firmware update promising “improved security,” which can be downloaded from its support page. Many other TRENDnet cameras also appear to be affected — according to someLuser, the firmware for the company’s TV-IP121W, TV-IP252P, TV-IP410WN, TV-IP410, TV-IP121WN, and TV-IP110WN models was updated. Source: http://www.h-online.com/security/news/item/Backdoor-in-TRENDnet-IP-cameras-1428896.html

41. February 5, eWeek – (International) State of SCADA security worries researchers. Recent reports painted a bleak picture of the security issues plaguing industrial control systems, but the situation is exacerbated by the fact administrators are naive about the dangers, researchers said. Researchers presented some alarming findings about the state of security for supervisory control and data acquisition (SCADA) systems at the Kaspersky Security Analyst Summit February 3. SCADA systems are used across varied industries such as oil, water systems, electric grids, controlling building systems, and the basic security model underlying these systems is completely inadequate, they said. Source: http://www.eweek.com/c/a/Security/State-of-SCADA-Security-Worry-Researchers-234517/

42. February 4, Softpedia – (International) Hijacked sites redirect to scam in DreamHost hack aftermath. The week of January 30, DreamHost notified customers the firm suffered a data breach. It appears the information obtained by the hackers was put to use and some sites were already compromised and altered to redirect visitors to a Russian scam. Zscaler researchers identified many sites hosted by DreamHost that contained a PHP file designed to redirect users to a scam page. The scam site, otvetvam(dot)com, advertises a “make money from home” scam by displaying several fake testimonials allegedly written by people who already made a lot of money. The site even features Google ads that lead to a YouTube-style site that promotes other schemes, including an online gambling site. The site replicates a popular Russian site, mail.ru, to make everything more legitimate looking. Furthermore, other malicious domains were recently set up to serve the same purpose. Source: http://news.softpedia.com/news/Hijacked-Sites-Redirect-to-Scam-in-DreamHost-Hack-Aftermath-250711.shtml

43. February 4, Softpedia – (International) Kelihos not resurrected, new malware used to create botnet. After Kaspersky revealed the Kelihos botnet they terminated back in September in partnership with Microsoft and Kyrus Tech Inc. may have returned, Microsoft came forward with clarifications, arguing it is actually a new version of Kelihos being used to create a new botnet. The new malware variant is called “Backdoor:Win32/Kelihos.B” and appears to be based on the initial malware’s code, but it is slightly updated and there is no evidence that the botnet that was taken down previously returned to the control of the cybercriminals. Further, it is believed this variant is based partly on Waledac, a botnet ended by Microsoft at the beginning of 2010. “Analysis of these samples and continuing observations of Kelihos-infected computers have demonstrated no known re-employment of the original Kelihos botnet by botherders,” a senior attorney at Microsoft Digital Crimes Unit said. Currently, neither Microsoft nor Kaspersky can provide precise numbers on the size of this potentially new botnet, but Kaspersky’s analysis reveals the size of the old botnet dropped by 25 percent in the past 2 months. It is estimated that the old botnet’s size is far smaller than initially thought, less than 10,000 computers being infected. Source: http://news.softpedia.com/news/Kelihos-Not-Resurrected-New-Malware-Used-to-Create-Botnet-250738.shtml

44. February 3, IDG News Service – (International) Facebook malware scam takes hold. A large number of Facebook users were sharing a link to a malware-laden fake CNN news page reporting the United States attacked Iran and Saudi Arabia, security firm Sophos said February 3. If users who follow the link click to play what purports to be video coverage of the attack, they are prompted to update their Adobe Flash player with a pop-up window that looks like the real thing. Those who accept the prompt unwittingly install malware. Within 3 hours of the scam’s appearance, more than 60,000 users followed a link to the spoofed CNN page, according to a Sophos senior security adviser. Facebook removed that link, but others were still being shared. In a statement, Facebook said it was “in the process of cleaning up this spam now, and remediating any affected users.” Source: http://www.computerworld.com/s/article/9223976/Facebook_malware_scam_takes_hold?taxonomyId=17

For more stories, see items 13 and 14, above in the Banking and Finance Sector and item 45 below in the Communications Sector

Communications Sector

45. February 6, V3.co.uk – (International) Firms could see PCs lose internet access in DNSChanger switch off. Firms were warned that some of their users could shortly lose the ability to connect to the Internet or access e-mails, as law enforcers turn off a DNS-rerouting system. The system was established to help victims of the Rove Digital cybercrime syndicate, which distributed malware capable of changing victims’ DNS settings to point to rogue servers run by the group. The FBI managed to close down the DNSChanger criminal operation, and secured funding to run the malicious servers until March 8, using the servers to point those with infected machines to their intended destination. The DNSChanger Working Group (DCWG) is currently deliberating whether to seek an extension to its funding. A decision to withdraw the service could see 450,000 users — many of them in large multinational enterprises — losing their ability to connect to the Internet. Source: http://www.v3.co.uk/v3-uk/news/2144194/firms-pcs-lose-internet-access-dnschanger-switch

46. February 5, Richmond Times-Dispatch – (Virginia) Transmitter problems beset WCVE (88.9 FM). Transmitter problems put the public radio station WCVE (88.9 FM) off the air for many listeners. The problems began February 3 around 4:45 p.m., said an operations manager for WCVE Public Radio. “Engineers were able to restore the signal but at a greatly reduced power setting,” the station said in a statement. “Because of this you may be experiencing a very weak signal or, in some cases, no signal at all.” WCVE’s vice president and general manager said the station probably would not be back at full strength until February 6 or 7, after transmitter parts arrive from an out-of-town supplier. Listeners can still hear the station online at IdeaStations.org. Source: http://www2.timesdispatch.com/news/2012/feb/05/tdmet06-transmitter-problems-beset-wcve-889-fm-ar-1664857/

For another story, see item 44 above in the Information Technology Sector

No comments: