Thursday, April 12, 2012

Complete DHS Daily Report for April 12, 2012

Daily Report

Top Stories

• Cybercrooks forged a Zeus-based trojan that enables them to siphon funds from businesses using cloud-based payroll service providers. – The Register. See item 9 below in the Banking and Finance Sector

• A federal court suspended operations of two debt-collecting businesses a man reportedly used to swindle $5 million from hundreds of thousands of U.S. consumers. – U.S. Federal Trade Commission. See item 11 below in the Banking and Finance Sector

• An audit revealed the Department of Veterans Affairs' failure to fully comply with federal information security laws resulted in more than 15,000 outstanding risks. – Federal Computer Week

33. April 6, Federal Computer Week – (National) IG report finds flaws in VA’s information security program. An inspector general audit revealed that the Department of Veterans Affairs' (VA) failure to fully comply with the Federal Information Security Management Act (FISMA) resulted in more than 15,000 outstanding security risks, Federal Computer Week reported April 6. The fiscal year 2011 performance audit examined the extent to which VA’s information security program complied with FISMA requirements and National Institute of Standards and Technology guidelines. Substantial inadequacies were discovered in areas related to access controls, configuration management controls, continuous monitoring, and services continuity practices. Also, VA has not effectively implemented procedures to identify and correct system security flaws on network devices, database and server platforms, and Web applications. Deficiencies were also found in reporting, managing, and closing plans of action and milestones. The report accentuated a larger compliance issue government-wide. A March 7 review by the Office of Management and Budget showed that only 7 out of 24 agencies are more than 90 percent compliant with FISMA directives. Source: http://fcw.com/articles/2012/04/06/fisma-compliance-va-failure.aspx

• Microsoft released security bulletins April 10 that addressed many bugs that could be exploited by attackers to remotely inject and execute malicious code. – H Security. See item 38 below in the Information Technology Sector

• Firefighters battled wildfires that consumed thousands of acres in 9 states on the East Coast April 10. – CBS News (See item 50)

50. April 10, CBS News – (National) Dry, windy conditions fuel wildfires in East. Along the Eastern Seaboard, firefighters are battling a string of wildfires after weeks of unusually warm and dry weather, CBS News reported April 10. Fires burned in nine states, from New Hampshire to Florida. Wildfires broke out up and down the East Coast, April 9, fueled by whipping winds and dry conditions. On New York’s Long Island, hundreds of firefighters raced to keep flames from closing in on Brookhaven National Lab, a nuclear physics facility. The fire swallowed up 1,000 acres, destroyed at least two homes, and sent three firefighters to the hospital. Officials said the fire was 50 percent contained, but they warned homes were still in jeopardy. Firefighters said they had no idea when they would have the fire under control. In New Jersey, another fire — which officials were calling suspicious — was on track to burn through 1,000 acres. The dry, windy weather also helped feed flames in Pennsylvania and Connecticut where a brush fire lined a railroad track. Nearby homes and businesses were evacuated. In Virginia, helicopters dumped water to try to douse flames. The wildfire outbreak stretched all the way down to Miami where a fast-moving fire caught residents by surprise. Source: http://www.cbsnews.com/8301-505263_162-57411672/dry-windy-conditions-fuel-wildfires-in-east/

Details

Banking and Finance Sector

9. April 11, The Register – (International) New Zeus-based trojan leeches cash from cloud-based payrolls. Cybercrooks have forged a Zeus-based trojan that targets cloud-based payroll service providers. A new attack, detected by transaction security firm Trusteer, shows crooks are going up the food chain. Researchers captured a Zeus configuration that targets Ceridian, a Canadian human resources and payroll services provider. The trojan works by capturing a screenshot of the payroll services Web page when a malware-infected PC visits the site. This data is uploaded, allowing crooks to obtain user ID, password, company number, and the icon selected by the user for the image-based authentication system – enough information to siphon funds from compromised accounts into those controlled by money mules. Trusteer thinks crooks are targeting the small cloud service provider to get around the tougher problem of how to bypass industrial strength security controls typically maintained by larger businesses. Cloud services can be accessed using unmanaged devices that are typically less secure and more vulnerable to infection by Zeus-style financial malware. Source: http://www.theregister.co.uk/2012/04/11/zeus_based_trojan_targets_payrolls/

10. April 11, Santa Fe New Mexican – (New Mexico) FBI: Bank robbery suspect arrested. The FBI April 10 arrested a Santa Fe, New Mexico man they say is connected to the April 2 robbery of U.S. Bank. The FBI said the suspect in the April 2 robbery is believed to be the man responsible for three other robberies in Santa Fe in the past year. Santa Fe police and FBI investigators worked together on the case and arrest, according to an FBI spokesman. Video surveillance of the bank robbery showed a man displaying a handgun and robbing the bank of an undisclosed amount. The same description matched video of a man who robbed other banks in Santa Fe in recent months. Source: http://www.santafenewmexican.com/Local%20News/bank-robbery-arrest

11. April 11, U.S. Federal Trade Commission – (California; International) Court halts alleged fake debt collector calls from India, grants FTC request to stop defendants who posed as law enforcers. In response to charges from the U.S. Federal Trade Commission (FTC), a federal court halted an operation the agency alleges collected phantom payday loan debts that consumers either did not owe to the defendants or did not owe at all, the FTC announced April 11. The scheme involved more than 2.7 million calls to at least 600,000 different phone numbers nationwide, the FTC said. In less than 2 years, they fraudulently collected more than $5.2 million from consumers, many of whom were strapped for cash and thought the money they were paying would be applied to loans they owed, according to FTC documents filed with the court. The agency charged an individual, a California-based man, and two companies he controls with violating the FTC Act and the Fair Debt Collection Practices Act. Often pretending to be American law enforcement agents or representatives of fake government agencies, callers from India who were working with the defendants would harass consumers with back-to-back calls, the FTC said. The defendants typically demanded hundreds of dollars and, in violation of federal law, routinely used obscene language and threatened to sue or have consumers arrested, the FTC’s complaint alleged. They also threatened to tell the victims’ employers, relatives, and neighbors about the bogus debt, and sometimes followed through on these threats. Once victims were pressured into paying, the callers instructed them to use a pre-paid debit card such as a WalMart MoneyCard, another debit card, a credit card, or Western Union so the money could be deposited into one of the defendants’ merchant processing accounts, the FTC charged. Source: http://www.marketwatch.com/story/court-halts-alleged-fake-debt-collector-calls-from-india-grants-ftc-request-to-stop-defendants-who-posed-as-law-enforcers-2012-04-11

12. April 11, Reuters – (National; International) U.S. SEC sues AutoChina for securities fraud. U.S. securities regulators sued AutoChina International Ltd, its executives, and others for securities fraud April 11. The U.S. Securities and Exchange Commission (SEC) said the company’s employees, board members, and other Chinese citizens unlawfully bought and sold AutoChina stock to boost its trading volume as the company sought loans. AutoChina, which is based in China and owns and operates a commercial vehicle leasing business there, traded its shares on the NASDAQ stock market until October 2011. Its listing was suspended for failing to file required documents with the SEC. The defendants opened brokerage accounts beginning in October 2010, deposited some $60 million in the accounts, and bought and sold millions of shares of AutoChina stock, the SEC said. The lawsuit comes as the SEC steps up its inquiries into Chinese companies whose shares trade in the United States for accounting violations and other misconduct. The SEC lawsuit, filed in federal court in Massachusetts, is seeking civil penalties and other sanctions. Source: http://www.reuters.com/article/2012/04/11/sec-autochina-idUSL2E8FB75S20120411

13. April 10, St. Louis Post-Dispatch – (Missouri) US Fidelis co-founder admits federal tax evasion, fraud. Four days after pleading guilty to state fraud charges, the co-founder of US Fidelis appeared April 9 in a U.S. district court in St. Louis, Missouri to admit he also broke federal laws in cheating customers and failing to declare or pay taxes on $13 million received from the company in just 1 year. He pleaded guilty to conspiracy to commit mail and wire fraud and filing a false tax return. In his plea, he admitted he failed to declare $13 million in “distributions” from Fidelis on his 2006 federal tax return. That year, in fact, he reported a negative income, an assistant U.S. attorney said. He also acknowledged tricking consumers into believing auto service contracts Fidelis peddled by phone and mail were actually extended warranties from the vehicles’ manufacturers. When customers canceled and asked for a refund, as up to 60 percent did, he admitted telling Fidelis staffers to withhold up to 40 percent of the amount due. He also admitted he and his brother used the latter’s credit card to make payments for customers who they thought were likely to cancel or refuse to pay. The payments triggered full payment for Fidelis’ share of the contract from a financing company, his plea says. Some of the admissions were similar to what was contained in his guilty plea April 5 to state charges of insurance fraud, stealing, and unlawful merchandising practices. Prosecutors allege that the man and his brother funneled millions of dollars of profits into lavish homes, luxury goods, and payments on behalf of relatives. Fidelis, once one of the nation’s largest sellers of auto service contracts, collapsed in 2009. Source: http://www.loansafe.org/us-fidelis-co-founder-admits-federal-tax-evasion-fraud

Information Technology

36. April 11, Computerworld – (International) Apple promises Flashback malware killer. April 10, Apple for the first time publicly acknowledged a malware campaign that has infected an estimated 600,000 Macs, and said it would release a free tool to disinfect users’ machines. Although Flashback has circulated since September 2011, it was only in March that the newest variant began infecting Macs using an exploit of a Java bug Oracle patched in mid-February. Apple maintains its own version of Java for Mac OS X, and is responsible for producing security updates. It issued a Java update April 3 that quashed the bug Flashback has been using to infect Macs. In the 7 weeks between Oracle’s and Apple’s updates, hackers responsible for Flashback managed to insert their software — designed for, among other things, password theft — onto an estimated 2 percent of all Macs. Apple said it was working with Internet service providers to “disable [the Flashback] command and control network,” referring to the practice of asking hosting firms to pull hacker-operated command-and-control servers off the Internet so infected computers cannot receive further orders. The company promised to issue a special tool to “detect and remove the Flashback malware.” Apple did not set a timetable for its release. Source: http://www.computerworld.com/s/article/9226084/Apple_promises_Flashback_malware_killer?source=rss_security&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+computerworld/s/feed/topic/17+(Computerworld+Security+News)&utm_content=Google+Reader

37. April 11, The H – (International) Samba fixes critical remote code execution vulnerability. The Samba developers patched a critical security vulnerability that affects all versions of the open source, cross-platform file sharing solution from Samba 3.0.x up to version 3.6.3, which was released in January, The H reported April 11. The hole allows an attacker to gain complete access to a Samba server from an unauthenticated connection. The GPLv3 licensed Samba is used by many Unix and Linux systems with the ability to share files with Windows systems by implementing the SMB, SMB2, and CIFS protocols. The vulnerability was discovered by two security researchers working for the Zero Day Initiative. The flaw, which is located in the code generator for Samba’s remote procedure call interface, makes it possible for clients on the network to force the server to execute arbitrary code. This attack can be performed over an unauthenticated connection, granting the attacker root user privileges and thus complete access to the Samba server. The fact the problem was located in the Perl-based DCE/RPC compiler Samba uses to generate code for handling remote requests has, presumably, made it very hard to detect with automated code auditing methods and caused it to stay hidden for such a long time. Source: http://www.h-online.com/security/news/item/Samba-fixes-critical-remote-code-execution-vulnerability-1518580.html

38. April 11, H Security – (International) Patch Tuesday closes critical Windows, Office and IE holes. April 10, Microsoft released 6 security bulletins that addressed 11 vulnerabilities in its products, 8 of which are considered to be critical. Four of the bulletins address critical holes in all supported versions of Windows, Internet Explorer (IE), the .NET Framework, Office and SQL Server, as well as Microsoft Server and Developer tools. All of these bugs could be exploited by attackers to remotely inject and execute malicious code on a victim’s system via a specially crafted file. One critical bulletin, MS12-024, notes a privately reported vulnerability that could allow attackers to modify existing signed executable files. Another, MS12-027, is an issue in Microsoft’s common controls, used in numerous Microsoft applications, which can be exploited when a user visits a malicious site or opens an e-mail attachment to allow remote code execution. An Internet Explorer bulletin, MS12-023, affects all supported versions of IE and closes five holes: one when printing a specially crafted HTML page and four when IE accesses deleted objects in various situations. The rating for these holes is either critical or moderate depending on the combination of operating system and IE version. Finally, MS12-025 closes a vulnerability in the .NET framework that allows attackers to “take complete control of an affected system.” Source: http://www.h-online.com/security/news/item/Patch-Tuesday-closes-critical-Windows-Office-and-IE-holes-1518553.html

39. April 11, H Security – (International) Adobe fixes critical vulnerabilities in Reader and Acrobat. Adobe released versions 10.1.3 and 9.5.1 of its Acrobat and Reader products to address high priority security vulnerabilities that could be used by an attacker to cause the application to crash and potentially take control of an affected system. These include memory corruption in the JavaScript API and JavaScript handling, an integer overflow in the True Type Font handling, and a security bypass via the Adobe Reader installer, all of which could lead to arbitrary code execution. Adobe Acrobat and Reader 10.1.2 and earlier 10.x versions, as well as 9.5 and earlier 9.x versions for Windows and Mac OS X are affected — on Linux, Reader 9.4.6 and earlier 9.x versions are vulnerable. Source: http://www.h-online.com/security/news/item/Adobe-fixes-critical-vulnerabilities-in-Reader-and-Acrobat-1518711.html

40. April 11, The Register – (International) Malware-infected flash cards shipped out with HP switches. HP sent out a warning to customers after the vendor found it inadvertently shipped virus-laden compact flash cards with its networking kit. The unnamed malware appeared on flash cards that came bundled with HP ProCurve 5400zl switches. The flash card would not have any effect on the switch itself but “reuse of an infected compact flash card in a personal computer could result in a compromise of that system’s integrity,” HP warned in a bulletin issued April 10. It is unclear how the unknown malware got onto the flash cards that come bundled with the 10 Gbps-capable line of LAN switches, but an infected computer somewhere in the manufacturing process — possibly in a factory run by a third-party supplier — is the most obvious suspect. Source: http://www.theregister.co.uk/2012/04/11/hp_ships_malware_cards_with_switches_oops/

41. April 10, Threatpost – (International) No permissions Android application can harvest, export device data. April 9, a researcher was able to demonstrate Android applications without permissions can still access files used by other applications, including which applications are installed and a list of any readable files used by those applications. That capability could be used to identify applications that have weak permissions vulnerabilities and exploit those, he warned. He unveiled a proof of concept Android application, dubbed “NoPermissions” that works with Android phones running version 4.0.3 and 2.3.5 of the operating system. Among the data he found on his own Android phone were certificates from his mobile Open VPN application. Not only could an attacker take advantage of the lack of strict permissions to collect data, he wrote, they could also export it from the phone without permissions. The URI ACTION-VIEW Intent network access call is supported without permissions, which will open a browser on the Android device. An attacker could then pass data to the browser in the form of a URI with GET parameters to pass it to an Internet accessible server or device using successive browser calls. Source: http://threatpost.com/en_us/blogs/no-permissions-android-application-can-harvest-export-device-data-041012
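The root cause described in item 41 is application data left readable by any other process on the device. The following script is an added example written for this digest, not code from the Threatpost article or the researcher's "NoPermissions" app: it parses a constructed `ls -l` style listing of app data directories (the package names, owners and file names are hypothetical) and flags every file whose mode grants read or write access to "other", which is the audit an app developer or device administrator would run against their own app directories.

```python
import re

# Constructed sample of `ls -l` output for two app data directories.
# Package names, UIDs and file names are hypothetical; the first directory
# models a VPN client that stored its key material world-readable.
SAMPLE_LISTING = """\
/data/data/com.example.vpnclient/files:
-rw-rw-rw- u0_a45 u0_a45 1704 2012-04-09 10:12 client.key
-rw------- u0_a45 u0_a45 1229 2012-04-09 10:12 ca.crt
-rw-r--r-- u0_a45 u0_a45  512 2012-04-09 10:12 config.ovpn
/data/data/com.example.notes/shared_prefs:
-rw-rw---- u0_a51 u0_a51  830 2012-04-08 09:00 prefs.xml
"""

# mode, owner, group, size, date, time, name (the toolbox `ls -l` layout)
ENTRY_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxstST-]{9})\s+\S+\s+\S+\s+\d+\s+\S+\s+\S+\s+(?P<name>.+)$"
)


def find_world_accessible(listing):
    """Return entries in `listing` readable or writable by 'other'.

    Each result is a dict with the full path and two booleans. Directory
    header lines (ending in ':') set the current directory; every other
    non-blank line is parsed as a file entry, and unparseable lines are
    skipped rather than treated as safe.
    """
    findings = []
    current_dir = ""
    for raw in listing.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.endswith(":"):
            current_dir = line[:-1]
            continue
        match = ENTRY_RE.match(line)
        if not match:
            continue
        mode = match.group("mode")
        # Characters 7-9 of the mode string are the 'other' bits (r, w, x).
        other_read = mode[7] == "r"
        other_write = mode[8] == "w"
        if other_read or other_write:
            findings.append({
                "path": f"{current_dir}/{match.group('name')}",
                "world_readable": other_read,
                "world_writable": other_write,
            })
    return findings


if __name__ == "__main__":
    for entry in find_world_accessible(SAMPLE_LISTING):
        flags = []
        if entry["world_readable"]:
            flags.append("world-readable")
        if entry["world_writable"]:
            flags.append("world-writable")
        print(f"{entry['path']}: {', '.join(flags)}")
```

On a real device the listing would come from `ls -l` run inside the app's own data directory (for example via `adb shell` during development). The fix for any flagged file is to create it with `MODE_PRIVATE` (the default for `openFileOutput`) rather than the world-readable or world-writable modes, so only the owning app's UID can read it.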

For more stories, see items 9 above in the Banking and Finance Sector and 33 above in Top Stories

Communications Sector

42. April 11, Daytona Beach News-Journal – (Florida) Bright House phone outage irks customers. Bright House Networks phone service disconnected for nearly 4 hours April 9, leaving as many as 49,000 central Florida customers without service. Cable and Internet service was not affected, a spokesman said. The phone customers who were impacted were on one switch that failed, and not all of the 49,000 customers on that switch were affected, he said. Most of those on the switch were residential customers and because of the timing of the disruption — 12:37 p.m. to 4:20 p.m. — most would not have been impacted, he said. Customers had lost and delayed dial tones, he said. Source: http://www.news-journalonline.com/business/local-business/2012/04/11/bright-house-phone-outage-irks-customers.html

43. April 10, Boston Globe – (Massachusetts) Downed Boston TV stations back on the air. Three Boston television (TV) stations that were knocked off the air April 8 by a technical glitch returned to service April 10. Over-the-air broadcasts from CBS Corp. stations WBZ-TV 4 and WSBK-TV 38, ABC network affiliate WCVB-TV 5, and PBS station WGBX-TV 44 shut down at about 8 p.m. All four stations share the same antenna, located atop a 1,200-foot tower in Needham, Massachusetts. WCVB-TV quickly resumed broadcasting through a backup antenna but the other three stations stayed off the air. The outage had no effect on most viewers, because the stations continue to feed their signals to cable and satellite TV providers, who serve about 98 percent of viewers in the Boston area. At 1 p.m. April 10, engineers at the affected stations briefly shut down WGBH, then moved its signal to the backup antenna being used by WCVB. Then WCVB, WSBK, WBZ, and WGBX all began broadcasting from the WGBH antenna. The director of broadcast operations and engineering for WBZ and WSBK said the outage was due to a breakdown in a “five-way power divider,” an electronic component that separates the signals from multiple stations before feeding them to the antenna. Fixing the problem will require a complete shutdown of the antenna. To accomplish this, each station will install a temporary antenna on the tower. After that, the WGBH antenna will be completely shut down. The power divider can then be repaired. Source: http://www.boston.com/Boston/businessupdates/2012/04/downed-boston-stations-back-the-air/7zbd3Z288EU6pmBpwgaHxM/index.html

For more stories, see item 41 above in the Information Technology Sector
