Monday, September 10, 2012

Complete DHS Daily Report for September 10, 2012

Daily Report

Top Stories

• The Saginaw Correctional Facility in Freeland, Michigan, was under quarantine after nearly 100 prisoners and staff members contracted E. coli infections. – WNEM 5 Bay City

40. September 5, WNEM 5 Bay City – (Michigan) Prison still under quarantine as illnesses spread. Nearly 100 people, counting prisoners and staff at the Saginaw Correctional Facility in Freeland, Michigan, were battling E. coli infections. The outbreak was first noticed the week of August 27, and shortly afterward the facility was quarantined to prevent further spread. Eighty-nine prisoners and seven staff members were suffering from nausea and diarrhea, and four people had been hospitalized. Local and State health departments were investigating and said this strain of E. coli is particularly severe and that there is no specific treatment for it. The illness is usually spread through food; a representative for the Corrections Department said all food is prepared on-site in the prison kitchen. No new cases had been reported recently, but the incubation period for the illness is 3 to 7 days. Once a week passes without a new diagnosis, the quarantine will be lifted and normal activity and visiting hours at the prison will resume. Source: http://www.wnem.com/story/19456646/prison-under-quarantine-as-illnesses-spread?hpt=us_bn9

• Symantec reported that the hacker group that hit Google in 2010 has been targeting companies in many sectors -- including energy, defense, and finance -- with zero-day attacks to gather intelligence and steal intellectual property. – Wired See item 41 below in the Information Technology Sector

• Malware writers went on a record-breaking tear in the second quarter of 2012, generating 100,000 new samples per day, said a new McAfee report. – Dark Reading See item 48 below in the Information Technology Sector

• One person died and another was critically injured in a shooting at a Louisville, Kentucky church. – WLEX 18 Lexington

49. September 7, WLEX 18 Lexington – (Kentucky) One killed, one injured in shooting at Louisville church. One person died and another was critically injured in a shooting at a Louisville, Kentucky church September 6. WAVE 3 Louisville reported the suspect opened fire inside the Springdale Community Church during a homeowners’ association meeting. Neighbors said the man was involved in a dispute over his home. One victim was pronounced dead at the scene. EMS took the second victim to the hospital. Officials called that person’s injuries life threatening. A retired police officer managed to subdue the shooter and hold him until police arrived. Court documents indicate the man and the members of the neighborhood association were arguing over a driveway the man installed at his home. Source: http://www.lex18.com/news/one-killed-one-injured-in-shooting-at-louisville-church

• Robbery suspects fired shots and took hostages inside a RadioShack store in Denver, forcing officials to evacuate many businesses, close streets, and lock down area schools. – Denver Post

51. September 7, Denver Post – (Colorado) Denver RadioShack Standoff: Hostage held in Colfax store, shots fired. Denver police swarmed a RadioShack store where armed suspects took hostages, holding at least one person for many hours September 7. A police officer was inside the store and in contact with SWAT officers and negotiators, officials said early the afternoon of September 7. SWAT officers with riot shields entered the store late in the morning. Denver police threw a phone into the store for the suspect to use. Witnesses at the scene noted a second man in the store, who was not a hostage, after the second suspect spoke over the phone. They said that person said the suspects did not want to come out because they would go to jail for the rest of their lives because they "shot at cops." A Denver police spokesman said a robbery was reported and officers responded within minutes. Shots were fired, but he said there was no confirmation anyone was injured. Businesses in the adjacent strip mall and nearby streets were evacuated. Traffic on East Colfax Avenue was blocked by 40 to 50 police and emergency vehicles. About 15 to 20 police officers, including SWAT-team members, were positioned in front of the RadioShack. Four Denver Public Schools (DPS) were on lockdown. A DPS spokeswoman said the schools would remain on lockdown until police deemed the area safe. Source: http://www.denverpost.com/recommended/ci_21490473

• An earthen dam in the Lake Serene chain in Mississippi, damaged by Hurricane Isaac, showed erosion, forcing the draining of Oak Grove Lake and a precautionary evacuation. – Hattiesburg American

61. September 5, Hattiesburg American – (Mississippi) Weakened dam prompts evacuation. An earthen dam in the Lake Serene chain in Mississippi, damaged by the heavy rains of Hurricane Isaac, showed further surface erosion September 4, forcing the draining of Oak Grove Lake and a precautionary evacuation. The Lamar County Emergency Management Agency director said that two 12-inch pumps brought in by the Mississippi Emergency Management Agency had been in operation since midnight September 5, moving water into Stump Lake to take pressure off the compromised barrier. He estimated the depth of Oak Grove Lake at 10 to 12 feet and said it would have to drop 10 feet. The pumps were moving 6,000 to 8,000 gallons of water a minute. For a stretch of about 100 yards along the western edge of the dam, the top layers of earth sloughed off September 3. Once the damage was discovered, the spillway valve on Oak Grove Lake was opened to begin draining, and Buccaneer Drive, which runs across the spillway and along the lake's shore, was closed. A county engineer said, "The cracks that we're seeing (along the surface) have not made their way to the core of the dam." Source: http://www.clarionledger.com/article/20120906/NEWS01/209060355/Weakened-dam-prompts-evacuation?nclick_check=1

Details

Banking and Finance Sector

13. September 6, WXIA 11 Atlanta – (Georgia) Bank robbery suspect 'Dreaded Bandit,' 3 others caught. FBI officials announced September 6 that they had arrested four people, including one they described as the "Dreaded Bandit," in Austell, Georgia. The man was given the nickname for the dreadlocks seen in surveillance videos. The four men were arrested by Austell police during a traffic stop September 5. The FBI said the group was acting in a suspicious manner at a PNC Bank branch in Austell, and that the men were riding in a car matching the description of the vehicle used in an earlier robbery. The FBI said it believes the suspects are the armed robbery crew responsible for three bank robberies in August: one at a BB&T branch in Marietta, a second at the PNC Bank branch in Dunwoody, and another at a Fifth Third Bank branch in Buckhead. Source: http://www.11alive.com/news/article/255512/40/Bank-robbery-suspect-Dreded-Bandit-3-others-caught

14. September 6, NetworkWorld – (National) Insider security threat gets a serious look by US security agencies. A study, "Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector," was funded by DHS and produced in collaboration with the U.S. Secret Service and the CERT Insider Threat Center, part of Carnegie Mellon University's Software Engineering Institute, NetworkWorld reported September 6. It examined technical and behavioral patterns from 67 insider and 13 external fraud cases that occurred between 2005 and 2012 to develop "insights and risk indicators of malicious insider activity." The study's findings on insider threats to financial institutions cover the methods used for insider fraud and theft. Among them: most insiders did not use technically sophisticated methods; more than half of the cases involved some form of authorized access; and most incidents were detected through an audit, a customer complaint, or a coworker's suspicion rather than by technical controls. Source: http://www.networkworld.com/community/node/81342

15. September 6, Reuters – (New York) New York State tax department attacks fraud on new front. New York State has a new weapon in its arsenal: data collected from debit and credit card purchases that will help it detect retailers who are under-reporting sales, Reuters reported. By checking the card data against retailer tax returns, wholesaler records, and other sources, the State hopes to find retailers who either fail to collect or fail to remit sales taxes. New York's approach to mining data began in 2003 with the goal of improving tax return audits. In the near-decade since, its systems have saved more than $2 billion, of which $442 million came in during 2011, the taxation department said. Over the years the systems have expanded to include fact-checking of withholding information reported on income tax returns against that reported by employers, and helping the collections agency focus on cases with the best chance of significant recovery. The system cannot track and analyze cash transactions, however, since there is little third-party verification in the cash economy. The taxation department has seen a climb in merchants demanding cash payment in the few months since New York started mining credit card sales tax trends, the commissioner of taxation and finance said. Source: http://www.reuters.com/article/2012/09/06/usa-tax-newyork-crackdown-idUSL2E8JQ00320120906

For another story, see item 41 below in the Information Technology Sector

Information Technology Sector

41. September 7, Wired – (International) Sleuths trace new zero-day attacks to hackers who hit Google. According to a report by Symantec, the hacker group that hit Google in 2010 has been targeting other companies and organizations, using some of the same methods of attack as well as a remarkable stockpile of valuable zero-day vulnerabilities. The attackers used at least eight zero-days in the last 3 years, including ones that targeted the ubiquitous Flash plugin and Microsoft's Internet Explorer browser. Researchers at Symantec traced the group's work after finding many similarities between the code and methods used in the Google attack and those used against other firms and organizations over the last few years. The researchers say the group, which they dubbed the "Elderwood gang" after the name of a parameter used in the attack code, appears to have breached more than 1,000 computers at companies in several sectors, including defense, shipping, oil and gas, financial, technology, and Internet service providers. The group also targeted non-governmental organizations. The majority of victims were in the United States, with the attacks focused on gathering intelligence and stealing intellectual property such as product design documents and trade secrets, infrastructure details, and contact information. Many of the attacks involved supply-chain companies that provide services or electronic and mechanical parts; Symantec says it appears the attackers used victims in the supply chain as stepping-stones to breach the firms they were really targeting. In some cases, the group used spear-phishing to infect targets through an exploit embedded in an email attachment or a link to a malicious Web site. Increasingly, they also used a technique Symantec calls a "watering hole" attack: breaching Web sites that cater to the particular audience they want to target, injecting an exploit into the site's pages, and waiting for victims to visit and be infected. 
Source: http://www.wired.com/threatlevel/2012/09/google-hacker-gang-returns/

42. September 7, The H – (International) WordPress 3.4 update fixes security vulnerabilities. The WordPress developers released an update to their open source publishing platform that closes important security holes. Version 3.4.2 of WordPress addresses two privilege escalation vulnerabilities that could potentially be exploited by a malicious user to bypass certain security restrictions. Source: http://www.h-online.com/security/news/item/WordPress-3-4-update-fixes-security-vulnerabilities-1702501.html

43. September 6, The Register – (International) UPEK fingerprint scanners insecure, says Elcomsoft. According to security software company Elcomsoft, the software shipped with fingerprint scanners from UPEK stores users' Windows passwords in the registry in near-plain-text form (only weakly scrambled, and recoverable by anyone who can read the registry). The security hole was found in the UPEK Protector Suite, which until recently shipped with laptops using the company's scanners. While the software was replaced following the merger of UPEK and AuthenTec, Elcomsoft notes most users will not have installed the new software. Elcomsoft identifies Dell, Acer, ASUS, Gateway, Lenovo, MSI, Samsung, Sony, NEC, Toshiba, and others as current or former UPEK customers. Lenovo said in a support forum post that it is investigating the issue. There are two requirements for the vulnerability to be exploited: the user must be using the fingerprint scanner as the default Windows login, and an attacker needs physical access to the machine (or another way to read its registry, such as an offline copy of the disk). Elcomsoft recommends that users disable "Windows login" in the UPEK Protector Suite. Source: http://www.theregister.co.uk/2012/09/06/dumb_security_in_biometrics/

44. September 6, SecurityWeek – (International) Microsoft plans quiet Patch Tuesday. Microsoft is planning a relatively small release for Patch Tuesday September 11, with only a pair of security updates. Both security bulletins address privilege escalation issues and are rated "Important." According to Microsoft, one of the bulletins covers Microsoft Developer Tools, while the other covers Microsoft Server Software. The quiet month could be the calm before the storm for some organizations, a security researcher at Rapid7 argued, given Microsoft's plan to release an update through Windows Update in October that will raise the minimum requirements for certificates. Certificates with RSA keys shorter than 1024 bits will stop being accepted; organizations that find they are using such certificates will need to reissue them with a key length of at least 1024 bits, according to a member of Microsoft's Trustworthy Computing Group. Source: http://www.securityweek.com/microsoft-plans-quiet-patch-tuesday
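The practical question for administrators reading item 44 is how to inventory certificates that will fall below the announced 1024-bit floor before the October update arrives. The following script is an added example, not code from SecurityWeek or Microsoft: a standard-library-only DER walker that locates an rsaEncryption public key inside a PEM certificate or a bare PUBLIC KEY block (as produced by `openssl x509 -pubkey -noout`) and reports the modulus bit length. The `make_sample_spki` helper and the placeholder moduli it builds are constructed test data, not real keys.

```python
"""Flag RSA public keys shorter than 1024 bits (added example, stdlib only)."""
import base64
import re

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 as DER
MIN_RSA_BITS = 1024  # floor Microsoft announced for the October 2012 update


def _read_tlv(buf, pos):
    """Decode one DER element at buf[pos]; return (tag, content, end). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def _children(content):
    """Split the content of a constructed element into its (tag, content) children."""
    kids, pos = [], 0
    while pos < len(content):
        tag, inner, pos = _read_tlv(content, pos)
        kids.append((tag, inner))
    return kids


def _rsa_public_key_modulus(der):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    tag, content, _ = _read_tlv(der, 0)
    kids = _children(content)
    if tag != 0x30 or len(kids) != 2 or any(t != 0x02 for t, _ in kids):
        raise ValueError("not an RSAPublicKey structure")
    return int.from_bytes(kids[0][1], "big")  # DER INTEGER is big-endian two's complement


def _find_rsa_modulus(tag, content):
    """Depth-first search of a DER tree for a SubjectPublicKeyInfo whose algorithm is rsaEncryption."""
    if tag != 0x30:
        return None
    kids = _children(content)
    # SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier SEQUENCE, subjectPublicKey BIT STRING }
    if (len(kids) == 2 and kids[0][0] == 0x30 and kids[1][0] == 0x03
            and kids[0][1].startswith(RSA_ENCRYPTION_OID)):
        return _rsa_public_key_modulus(kids[1][1][1:])   # skip the BIT STRING unused-bits byte
    for t, inner in kids:
        if t & 0x20:                                      # constructed: TBSCertificate, Name, ...
            found = _find_rsa_modulus(t, inner)
            if found is not None:
                return found
    return None


def key_length_report(pem_text):
    """Return (modulus_bits, is_below_floor) for a PEM CERTIFICATE or PUBLIC KEY block."""
    der = base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem_text))
    tag, content, _ = _read_tlv(der, 0)
    modulus = _find_rsa_modulus(tag, content)
    if modulus is None:
        raise ValueError("no rsaEncryption public key found")
    bits = modulus.bit_length()
    return bits, bits < MIN_RSA_BITS


# ---- constructed sample data (placeholder moduli, NOT real keys) ----
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_int(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return _der(0x02, (b"\x00" + raw) if raw[0] & 0x80 else raw)  # keep the INTEGER positive


def make_sample_spki(bits):
    """Build a PEM PUBLIC KEY around a placeholder modulus with exactly `bits` bits (constructed input)."""
    rsa_key = _der(0x30, _der_int((1 << (bits - 1)) | 1) + _der_int(65537))
    alg_id = _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")          # rsaEncryption, NULL params
    spki = _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        print(bits, key_length_report(make_sample_spki(bits)))
```

Point the script at a directory of exported certificates (or at `openssl x509 -pubkey -noout -in cert.pem` output) to build the inventory; keys the walker cannot find (ECDSA, DSA) raise rather than silently passing, which is the safer failure mode for an audit tool.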

45. September 6, Threatpost – (International) Virtual machine escape exploit targets Xen. Details of a dangerous virtual machine escape exploit were revealed September 5 by French research outfit VUPEN Security. The attack exploits a recently reported vulnerability in Xen hypervisors and allows an attacker within a guest virtual machine to escape to the host and execute code. VUPEN's exploit escalates an attacker's privileges from a paravirtualized guest to the most privileged domain, essentially giving the outsider control over the host and every other guest virtual machine, a VUPEN researcher indicated. The exploit targets a vulnerability reported in June that stems from the way Intel processors handle a fault raised by the SYSRET instruction (part of the 64-bit architecture originally defined by AMD): Intel's implementation raises the fault with the kernel's stack pointer already replaced by a guest-controlled value, which a hypervisor that has not guarded against the difference can be tricked into using. Source: http://threatpost.com/en_us/blogs/virtual-machine-escape-exploit-targets-xen-090612

46. September 6, SC Magazine – (International) New Pushdo variant infects more than 100k computers. A new variant of the revived Pushdo trojan has infected more than 100,000 computers since the beginning of August, and it uses a new technique to confuse researchers trying to study the botnet. As in most botnets, computers infected with Pushdo attempt to communicate with their command-and-control server for instructions. However, the botmasters customized the malware so that it simultaneously sends HTTP requests to some 300 lesser-known but legitimate Web sites, burying the traffic meant for the command-and-control hub among decoy connections, said a senior security researcher at the Dell SecureWorks Counter Threat Unit. Source: http://www.scmagazine.com/new-pushdo-variant-infects-more-than-100k-computers/printarticle/257666/
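The decoy traffic described in item 46 hides the command-and-control host among hundreds of legitimate sites, but the burst of fan-out itself is an anomaly, and the decoys are by design sites other machines also visit. The following detection logic is an added example, not code from SC Magazine or Dell SecureWorks, and makes no claim about Pushdo's actual request pattern: it reads constructed proxy log lines (timestamp, client, destination host), flags clients that contact an unusual number of distinct hosts inside a short sliding window, and then subtracts the hosts that unflagged clients also visit, leaving the rare destination as the candidate to investigate. The log format, thresholds, client addresses and hostnames (all under the reserved `.example` domain) are assumptions.

```python
"""Fan-out burst detection over proxy logs (added example, constructed data)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <client> <destination host>". 10.0.0.5 plays the
# infected host; 10.0.0.7 and 10.0.0.9 are ordinary users browsing the same sites slowly.
SAMPLE_LOG = """\
2012-09-06T11:40:10 10.0.0.7 news-site-a.example
2012-09-06T11:46:02 10.0.0.7 forum-b.example
2012-09-06T11:52:30 10.0.0.9 wiki-e.example
2012-09-06T11:55:11 10.0.0.7 shop-c.example
2012-09-06T11:58:45 10.0.0.9 travel-f.example
2012-09-06T12:00:01 10.0.0.5 news-site-a.example
2012-09-06T12:00:02 10.0.0.5 forum-b.example
2012-09-06T12:00:02 10.0.0.5 shop-c.example
2012-09-06T12:00:03 10.0.0.5 blog-d.example
2012-09-06T12:00:03 10.0.0.5 unknown-host.example
2012-09-06T12:00:04 10.0.0.5 wiki-e.example
2012-09-06T12:00:05 10.0.0.5 travel-f.example
2012-09-06T12:00:05 10.0.0.5 recipes-g.example
2012-09-06T12:00:06 10.0.0.5 sports-h.example
2012-09-06T12:00:07 10.0.0.5 news-site-a.example
2012-09-06T12:03:40 10.0.0.7 blog-d.example
2012-09-06T12:09:12 10.0.0.9 recipes-g.example
2012-09-06T12:15:58 10.0.0.9 sports-h.example
"""


def parse_log(text):
    """Turn log lines into (timestamp, client, host) tuples; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host = line.split()
        records.append((datetime.fromisoformat(ts), client, host))
    return records


def fanout_bursts(records, window=timedelta(seconds=60), min_hosts=8):
    """Return {client: hosts} for clients that reached >= min_hosts distinct hosts
    within any sliding window of length `window` (two-pointer sweep per client)."""
    by_client = defaultdict(list)
    for ts, client, host in records:
        by_client[client].append((ts, host))
    flagged = {}
    for client, events in by_client.items():
        events.sort()
        in_window, left = Counter(), 0
        for ts, host in events:
            in_window[host] += 1
            while ts - events[left][0] > window:       # drop events older than the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_hosts:
                flagged.setdefault(client, set()).update(in_window)
    return flagged


def c2_candidates(records, flagged):
    """For each flagged client, keep only burst hosts that no unflagged client contacted.
    Decoys are popular legitimate sites, so what remains is the odd one out."""
    baseline = {host for _, client, host in records if client not in flagged}
    return {client: hosts - baseline for client, hosts in flagged.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    bursts = fanout_bursts(recs)
    for client, hosts in c2_candidates(recs, bursts).items():
        print(client, "burst of", len(bursts[client]), "hosts; investigate:", sorted(hosts))
```

In production the baseline should come from weeks of fleet-wide proxy data rather than the same log slice, otherwise a decoy site that only the infected machine happened to visit will surface as a false candidate; the threshold also needs tuning per environment, since page loads that pull assets from many CDNs produce legitimate fan-out of their own.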

47. September 6, eWeek – (International) Phone-focused cyber-criminals move to premium scams. Mobile devices are typically of limited value to online criminals who are driven by money. However, criminals in China, Russia, and Eastern Europe have found a model that appears to be particularly effective: Using malware to charge for fraudulent premium services. Known as toll fraud, the technique has increased exponentially, accounting for 79 percent of all malware detected by mobile security firm Lookout, the company stated in a report released September 6. Fake installers are the primary method for infecting users and have likely brought in millions of dollars from victims in Eastern Europe and Russia, according to Lookout. In the United States, malicious Web links and aggressive advertising are far more common, Lookout found. Source: http://www.eweek.com/c/a/Security/PhoneFocused-CyberCriminals-Move-to-Premium-Scams-513272/

48. September 4, Dark Reading – (International) McAfee: Close to 100k new malware samples per day in Q2. Malware writers went on a record-breaking tear in the second quarter of 2012, generating some 100,000 new samples per day, according to a new report from McAfee. McAfee says its malware collection grew by 1.5 million samples since the first quarter of 2012, closing in on a rate of nearly 100,000 unique samples per day. The new threats emerging in the second quarter were drive-by mobile downloads, mobile ransomware, and the use of Twitter to control mobile botnets. Android malware by far accounted for most of the new mobile malware McAfee detected, a mix of SMS-borne malware, mobile botnets, spyware, and trojans. Another trend is an increase in ransomware attacks, in which cyber criminals hold computers and data hostage in exchange for payment; ransomware samples rose from close to 90,000 new variants in the first quarter to more than 120,000 in the second. Twitter is increasingly being used as command-and-control infrastructure for mobile botnets, with tweets carrying the commands. Meanwhile, McAfee also found 2.7 million new bad URLs each month in the second quarter, with some 10,000 new malicious domains each day. Of the bad-reputation URLs, nearly 95 percent were hosting malware for hijacking victim machines. Source: http://www.darkreading.com/security/attacks-breaches/240006702/mcafee-close-to-100k-new-malware-samples-per-day-in-q2.html

For more stories, see item 14 above in the Banking and Finance Sector

Communications Sector

See items 41 and 47 above in the Information Technology Sector
