Wednesday, September 19, 2012


Daily Report

Top Stories

 • A FBI report shows cybercriminals targeted banks and credit unions, using spam, phishing emails, and malware, to illegally transfer money in amounts between $400,000 and $900,000. – Softpedia See item 7 below in the Banking and Finance Sector

 • Peregrine Financial Group’s CEO pleaded guilty in court in Iowa to carrying out a 20-year fraud that stole $200 million from about 24,000 customers. – Associated Press See item 9 below in the Banking and Finance Sector

 • Al Qa’ida’s branch in North Africa is calling for attacks on U.S. diplomats in many countries, and an escalation of protests against an anti-Islam video that triggered a wave of demonstrations. – Associated Press

25. September 18, Associated Press – (International) Al Qaeda branch in North Africa calls for attacks on US diplomats. Al Qa’ida’s branch in North Africa is calling for attacks on U.S. diplomats and an escalation of protests against an anti-Islam video that triggered a wave of demonstrations in Muslim countries. In a statement released September 18, al Qa’ida in the Land of the Islamic Maghreb praised the killing of the U.S. ambassador to Libya, in an attack on the U.S. consulate in Benghazi September 11. The group threatened attacks in Algeria, Tunisia, Morocco, and Mauritania in response to the movie that denigrates the Prophet Muhammad. Yemen-based al Qa’ida in the Arabian Peninsula recently issued a similar call for attacks on U.S. diplomatic facilities. The group is al Qa’ida’s most active branch in the Middle East. Source: http://www.foxnews.com/world/2012/09/18/al-qaeda-branch-in-north-africa-calls-for-attacks-on-us-diplomats/

 • Students at Louisiana State University returned to their dorms September 17, many hours after a bomb threat. Police spoke to counterparts in other States hit during a recent spate of bomb threats against colleges. – Reuters

29. September 17, Reuters – (Louisiana) Students return to Louisiana State University after bomb scare. Students at Louisiana State University (LSU) in New Orleans were allowed to return to their dorms late September 17 after police swept residential halls on the campus following a bomb threat. Dining and recreational facilities also were reopened, LSU said in a statement. The university was evacuated following a telephoned threat to the East Baton Rouge Parish emergency center at 10:32 a.m. and the center relayed the information to campus police, said a university spokesman. The university chancellor made the decision to evacuate the campus, and LSU alerted students, faculty, and staff via text message at about 11:30 a.m., he said. As word of the threat spread, public school officials placed three nearby elementary schools and one high school on lockdown, according to the East Baton Rouge Parish School System. Louisiana State Police were talking to their counterparts in other areas of the nation where university bomb threats were reported the week of September 10 of to determine whether there were similarities. Source: http://www.reuters.com/article/2012/09/18/us-usa-louisiana-evacuation-idUSBRE88G15820120918?feedType=RSS&feedName=domesticNews

 • Microsoft issued a security advisory September 17 that confirmed in-the-wild attacks are exploiting an unpatched bug in Internet Explorer (IE), which comprises 53 percent of all browsers used worldwide. – Computerworld See item 39 below in the Information Technology Sector

 • Firefighters continued to battle wildfires in Washington that scorched dozens of square miles of acreage, burned or threatened thousands of structures, and forced hundreds of evacuations. – Associated Press; Yakima Herald-Republic (See item 48)

48. September 17, Associated Press; Yakima Herald-Republic – (Washington) Crews labor away on Yakima Complex blazes. Work to prevent a fire burning west of Yakima, Washington, from growing went well September 17 as crews continued to establish fire breaks. But fire officials were unsure when it will be fully contained. Firefighters dug fire lines on the west end of the Wild Rose Fire, which is part of the Yakima Complex Fire burning east of Rimrock Lake. That fire was last reported at about 1,300 acres, but growth was minimal, said a Yakima Complex Fire spokesman. Meanwhile, another State team of roughly 350 firefighters that took over the Table Mountain Fire burning on about 2,500 acres near Blewett Pass in Kittitas County worked toward containment. Evacuations in the area remained in place September 17. That fire forced the closure of all land east of U.S. Highway 97 and south of U.S. Highway 2 in the Okanogan Wenatchee National Forest, according to a news release from fire officials overseeing the Yakima Complex Fire. Two firefighters suffered minor injuries. Both were treated at area hospitals and released, the news release said. Meanwhile in the Wenatchee area, an inversion moved in September 16, holding smoke in the region where 1,700 people were fighting a complex of wildfires burning on about 51 square miles. Hundreds of people have been evacuated. The Wenatchee complex was about 17 percent contained as of September 17. No homes had burned, but nearly 800 houses and other structures were threatened. The firefighting effort had so far cost an estimated $8.1 million. Source: http://www.yakima-herald.com/stories/2012/09/17/crews-labor-away-on-yakima-complex-blazes

Details

Banking and Finance Sector

7. September 18, Softpedia – (International) FBI: Networks of financial institutions targeted with malware, RATs, and keyloggers. A FBI report shows that cybercriminals have started focusing their efforts on targeting the networks of financial institutions, Softpedia reported September 18. Cybercriminals are relying on spam, keyloggers, Remote Access Trojans (RATs), phishing, and other malicious elements to steal employee log-in credentials. The Internet Crime Complaint Center (IC3) reported that the stolen information has been utilized to perform unauthorized wire transfers for amounts between $400,000 and $900,000. In the first phase of these operations, the criminals use spam and phishing emails. Once they compromise the machine of an employee, they plant RATs, keyloggers, and other pieces of malware to gain access to internal networks and the details needed to access third party systems. Most of the victims appear to be small to medium-sized banks and credit unions, but major financial institutions have also been targeted. In some cases, the crooks launched distributed denial-of-service attacks against the bank’s Web site, most likely to cover up their fraudulent transactions. Source: http://news.softpedia.com/news/FBI-Networks-of-Financial-Institutions-Targeted-with-Malware-RATs-and-Keyloggers-293126.shtml

8. September 18, The Register – (International) ‘How I crashed my bank, stole PINs with a touch-tone phone’. Miscreants can crash or infiltrate banks and help desks’ touch-tone and voice-controlled phone systems with a single call, a security researcher warned, according to The Register September 18. A researcher who works for iSight Partners said audio processing algorithms in office telephone networks and speech-driven command software are liable to crash when bombarded with unusual data in ―fuzzing‖ attacks. Certain DTMF (Dual-Tone Multi-Frequency) signals can cause private branch exchanges (PBX) and interactive voice response (IVR) systems to raise exceptions and bail out, much in the same way unexpected input data can disrupt applications running on a desktop computer or server. PBX and IVR machines are often used to run phone banking, call centers, and other interactive telephone systems. Given the appropriate DTMF input, it may be possible to crash backend application servers or convince them to cough up sensitive data. Repeating the trick to bring down a machine effectively launches a denial-of-service attack on the phone line as a paper by the researcher explained. ―We would be able to extract sensitive information about the application’s hosted environment with these sorts of bugs. Since applications that use DTMF algorithms are mainly phone-based, it was possible to extract output in the form of audio data‖, he said. He also claimed it was possible to extract customer PINs from an unnamed Indian bank. Source: http://www.theregister.co.uk/2012/09/18/dtmf_phone_system_hack_attack/

9. September 18, Associated Press – (Iowa; National) Peregrine CEO pleads guilty in scandal. Peregrine Financial Group’s CEO pleaded guilty in court in Iowa, September 17 to carrying out a 20-year, $200 million fraud that he first confessed to in a note found on him after an unsuccessful suicide attempt in July. The CEO pleaded guilty to charges of mail fraud, embezzling customer funds, and making false statements to two regulatory agencies. He acknowledged that he secretly withdrew funds from about 24,000 customers starting in the 1990s, and used computers to make phony bank statements to conceal the theft. He gave fraudulent statements to his accounting department showing fictitious deposits and balances. The false numbers were used to generate monthly reports to regulators showing the company was holding more than $200 million in customer funds than it actually had. He fooled auditors with the National Futures Association by changing the bank’s address in the statements to a post office box he controlled. The auditors would mail forms asking the bank to verify Pergrine’s account balances; the CEO would send back false documents purporting to be from the bank. Source: http://www.omaha.com/article/20120918/MONEY/709189965/1707

10. September 18, The Register – (International) Romanians plead guilty to credit card hack on U.S. Subway shops. Two Romanian nationals who were extradited to the United States in May confessed their involvement in a $10 million scam aimed at stealing credit and debit card data from payment terminals at hundreds of Subway restaurants and other merchants across the country, according to a U. S. attorney’s office, The Register reported September 18. They were among four Romanian nationals extradited in May after being charged in December 2011 with hacking into Subway vulnerable point-of-sale (POS) computers between 2009 and 2011. The scheme led to the compromise of more than 146,000 payment cards. The hack against POS terminals relied on identifying machines running exploitable remote desktop software applications. The U.S. Department of Justice said one of the men hacked into these systems to install keystroke logging applications, which subsequently recorded card data from swiped cards before transferring this information to dump sites. In some cases he had to crack passwords to circumvent the remote desktop applications, which in normal use were used to update the software on POS terminals. The other individual admitted to attempting to make fraudulent transactions using the stolen credit card data as well as selling the data to co-conspirators. Source: http://www.theregister.co.uk/2012/09/18/romanian_cybercrooks_plead_guilty/

Information Technology Sector

39. September 18, Computerworld – (International) Microsoft confirms hackers exploiting critical IE bug, promises patch. September 17, Microsoft issued a security advisory that confirmed in-the-wild attacks are exploiting an unpatched bug in Internet Explorer (IE). The software maker is working on a fix. The advisory addressed the zero-day vulnerability that was found and disclosed by a researcher the weekend of September 15. September 17, the Metasploit open-source penetration framework published an exploit module for the bug. All but one supported edition of IE are affected: 2001’s IE6, 2006’s IE7, 2009’s IE8, and 2011’s IE9. Together, those browsers accounted for 53 percent of all browsers used worldwide in August. The only exception was IE10, the browser bundled with the new Windows 8, which does not contain the bug. Microsoft acknowledged it was investigating reports of a vulnerability but it did not promise a patch. The bug, when Microsoft patches it, will be rated ―critical.‖ Exploiting the flaw allows hackers to execute code and opens Windows XP, Vista, and Windows 7 to drive-by attacks that only require getting victims to visit a malicious or compromised Web site. Until a patch is available, Microsoft recommends users block attacks with EMET 3.0 (Exploit Mitigation Experience Toolkit), boost IE’s security zone settings to ―high, and configure the browser to display a warning before executing scripts. Source: http://www.computerworld.com/s/article/9231396/Microsoft_confirms_hackers_exploiting_critical_IE_bug_promises_patch

40. September 18, The H – (International) Apple fixes VNC security problem in Remote Desktop 3.5. September 17, Apple released an update to the 3.5.x branch of its Apple Remote Desktop (ARD) administration application to close a known security hole. Version 3.5.3 of the desktop management solution for remotely managing Mac OS X systems corrects an information disclosure vulnerability (CVE-2012-0681) when connecting to third-party VNC servers that could result in data not being encrypted when the ―Encrypt all network data‖ setting is enabled. When this happens, no warning is presented to alert users that the connection could be insecure. Source: http://www.h-online.com/security/news/item/Apple-fixes-VNC-security-problem-in-Remote-Desktop-3-5-1710538.html

41. September 17, Infoworld – (International) Jenkins integration server suffers security vulnerabilities. Jenkins, the open source continuous integration server, faced several security vulnerabilities September 17, with the Jenkins project leader recommending upgrades to the Jenkins core and some plug-ins to fix the problems. A security advisory posted by the project leader cites four vulnerabilities, including two affecting the Jenkins core. The first vulnerability was deemed critical. It allows unprivileged users to insert data into Jenkins master, which can lead to remote code execution. For this vulnerability to be exploited, the attacker must have an HTTP access to a Jenkins master, and he must have a read access to Jenkins,‖ the security advisory said. The second vulnerability in the core involves a cross-site scripting vulnerability, allowing an attacker to craft a URL that points to Jenkins, with an attacker able to hijack a legitimate user’s session. Two other vulnerabilities, also involving cross-site scripting, affect the Violations and Continuous Integration Game plugins. The Violations plug-in scans for violation XML files in the build workspace; the Game plug-in offers tips on improving builds. Source: http://www.computerworld.com/s/article/9231372/Jenkins_integration_server_suffers_security_vulnerabilities

42. September 17, eSecurity Planet – (International) Mobile emphasis at HP’s Pwn2Own. September 19, HP planned to host its first mobile Pwn2Own hacking competition at the EUSecWest event in Amsterdam, Netherlands. The event will challenge security professionals to find and exploit flaws in mobile technology for cash and prize awards. The contest will take aim at mobile Web browsers, near field communication (NFC), and Short Message Service (SMS), as well as cellular baseband technologies. Apple iOS, Blackberry, and Android smartphones will be among the devices under attack. HP will award the largest prize in the mobile Pwn2own contest to the researcher who can demonstrate a cellular baseband vulnerability. Source: http://www.esecurityplanet.com/hackers/mobile-emphasis-at-hps-pwn2own.html

43. September 17, Threatpost – (International) New iteration of TDSS/TDL-4 botnet uses domain fluxing to avoid detection. A new version of the TDSS/TDL-4 botnet is rapidly growing, primarily because it is having success using an evasion technique known as a domain generation algorithm (DGA) to avoid detection, researchers at Damballa Security revealed September 17. The algorithm helps the latest version of the botnet conduct click-fraud campaigns and is used primarily to rapidly move communication between victims and command-and-control servers from domain to domain, a technique known as domain fluxing, similar to fast fluxing. Since this new version appeared in May, it has reportedly infected 250,000 unique victims, including machines inside government agencies, ISP networks, and 46 of the Fortune 500. Damballa researchers said they found 85 command and control servers and 418 domains related to the new version, primarily hosted in Russia, Romania, and the Netherlands. Source: http://threatpost.com/en_us/blogs/new-iteration-tdsstdl-4-botnet-uses-domain-fluxing-avoid-detection-091712

For more stories, see items 7, 8 and 10 above in the Banking and Finance Sector and 44 below in the Communications Sector

Communications Sector

44. September 17, Threatpost – (National) Developer warns millions of Virgin Mobile subscribers about authentication flaw. An Alamo, Texas developer September 17 warned Virgin Mobile U.S. subscribers that their accounts can be hacked after the company failed to respond with a fix. ―I reported the issue to Virgin Mobile a month ago and they have not taken any action, nor informed me of any concrete steps to fix the problem, so I am disclosing this issue publicly,‖ he said in a blog post. He said he found that the carrier’s current authentication method relied on the user’s phone number and a six-number PIN to access an account. Using his own account, he created a script to narrow in on the 1 million possible passwords. Once the script unlocked his numeric PIN he realized ―pretty much anyone can log into your Virgin Mobile account and wreak havoc, as long as they know your phone number.‖ He said he contacted the firm and its parent, Sprint, in August to alert them to the issue but became frustrated with the pace of the investigation and lack of communication. After several emails back and forth with a Sprint official, he was told September 14 the company did not plan further action on Virgin Mobile’s end. Source: http://threatpost.com/en_us/blogs/developer-warns-millions-virgin-mobile-subscribers-about-authentication-flaw-091712

For more stories, see items 8 above in the Banking and Finance Sector and 42 above in the Information Technology Sector


Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport

Contact Information

Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List:     Send mail to support@govdelivery.com.


Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure
Coordinating Center at  nicc@dhs.gov or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at  soc@us-cert.gov or visit their Web page at  www.us-cert.go v.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.