Thursday, September 27, 2012
Daily Report
Top Stories
• A company whose software and services are used to remotely administer the energy industry began warning customers it is investigating a sophisticated hacker attack spanning its operations in the United States, Canada, and Spain. – Krebs on Security
3. September 26, Krebs on Security – (International) Chinese hackers blamed for intrusion at energy industry giant Telvent. A company whose software and services are used to remotely administer and monitor large sections of the energy industry began warning customers the week of September 17 that it is investigating a sophisticated hacker attack spanning its operations in the United States, Canada, and Spain, Krebs on Security reported September 26. Experts say digital fingerprints left behind by attackers point to a Chinese hacking group tied to repeated cyber-espionage campaigns against key Western interests. In letters sent to customers, Telvent Canada Ltd. said that September 10 it learned of a breach of its internal firewall and security systems. Telvent said the attacker(s) installed malicious software and stole project files related to one of its core offerings — OASyS SCADA — a product that helps energy firms mesh older IT assets with more advanced "smart grid" technologies. The firm said it was still investigating the incident, but that as a precautionary measure, it had disconnected the usual data links between clients and affected portions of its internal networks. Source: http://krebsonsecurity.com/2012/09/chinese-hackers-blamed-for-intrusion-at-energy-industry-giant-telvent/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed: KrebsOnSecurity (Krebs on Security)&utm_source=twitterfeed&utm_medium=twitter
• The Government Accountability Office released a report in which it demonstrates that counterfeit documents can be used easily to obtain valid driver's licenses and State-issued identification cards under fake identities. – Homeland Security News Wire
31. September 26, Homeland Security News Wire – (National) GAO: Easily obtained counterfeit IDs present real risks. The Government Accountability Office (GAO) released a report September 21 in which the agency demonstrates that counterfeit documents can still be used easily to obtain valid driver's licenses and State-issued identification cards under fictitious identities. GAO recommended that DHS exert more assertive leadership in an effort to correct the problem, Homeland Security News Wire reported September 26. The president of the Coalition for a Secure Driver's License stated, "The GAO replicated the same techniques used by the 9/11 terrorists to get more than 30 driver's licenses and IDs from State licensing agencies. To obtain a driver's license with your photo but with someone else's biographic information or with fictitious information, terrorists need only travel to a State where identification standards are low and service is fast. Terrorists planning future attacks on Americans will be delighted by GAO's findings, but Congress should be very concerned." A coalition release notes that GAO's investigators obtained five driver's licenses in three different States under fictitious identities using combinations of name, birth date, and Social Security numbers together with counterfeit documents. In two States, a GAO investigator was able to obtain two licenses with different identities using the same person's face. Only in one case did a motor vehicle employee appear to question the validity of the documents being presented, but the GAO investigator was still able to obtain a driver's license. Source: http://www.homelandsecuritynewswire.com/dr20120926-gao-easily-obtained-counterfeit-ids-present-real-risks
• The Federal Trade Commission settled a case with several computer rent-to-own companies and a software maker over their use of a program that spied on and collected data and images on as many as 420,000 people. – The H. See item 41 below in the Information Technology Sector.
• New research suggests planting malware at sites most likely to be visited by targets has been used in espionage attacks against the defense, government, financial services, healthcare, and utilities sectors. – Krebs on Security. See item 44 below in the Information Technology Sector.
Details
Banking and Finance Sector
9. September 26, IDG News Service – (International) Wells Fargo recovers after site outage. Wells Fargo's Web site experienced intermittent outages September 25, while the hacker group claiming responsibility threatened to hit U.S. Bancorp and PNC Financial Services Group over the next 2 days, IDG News Service reported. Wells Fargo apologized on Twitter for the disruption, and said they were working to restore access. By September 26, the site appeared to be functioning. A group calling itself the "Mrt. Izz ad-Din al-Qassam Cyber Fighters" said it coordinated the attacks, and planned further ones on U.S. Bancorp September 26 and PNC Financial Services Group September 27, according to a post on Pastebin. The group said the cyberattacks are in retaliation for the 14-minute video trailer insulting the Prophet Muhammad, and said the attacks will continue until the video is removed from the Internet. The attacks would last 8 hours starting at 2:30 p.m. GMT, the group wrote. Source: http://www.computerworld.com/s/article/9231721/Wells_Fargo_recovers_after_site_outage
10. September 25, Bloomberg News – (International) SEC says New York firm allowed high-speed stock manipulation. A New York-based brokerage allowed overseas clients to run a scheme aimed at distorting stock prices by rapidly canceling orders, according to the U.S. Securities and Exchange Commission (SEC), Bloomberg News reported September 25. Clients of Hold Brothers On-Line Investment Services were "repeatedly manipulating publicly traded stocks" by placing and erasing orders in an illegal strategy designed to trick others into buying or selling, the SEC said. Hold Brothers, its owners, and the foreign firms Trade Alpha Corporate Ltd. and Demonstrate LLC agreed to settle allegations that the New York broker failed to supervise customers and pay $4 million in fines. The SEC complaint targeted practices that abused high-speed computer trading on American equity venues. As high-frequency activity has grown in recent years, the agency's efforts to stop practices such as "layering" or "spoofing" have extended to automated trading tactics. Along with Hold Brothers, the SEC charged its co-founder and president, who created and partially owned Trade Alpha and Demonstrate. A former chief compliance officer and chief financial officer, and another executive, were also charged and agreed to the penalties. Source: http://www.businessweek.com/news/2012-09-25/sec-says-new-york-broker-allowed-high-speed-stock-manipulation
11. September 25, Associated Press – (Nebraska; National) 3 ex-TierOne Bank execs charged with hiding losses. Three former TierOne Bank executives were charged September 25 with concealing millions of dollars in real estate losses and misleading investors during the recent recession. The Securities and Exchange Commission (SEC) filed the civil charges against the bank's former CEO, former president, and former chief credit officer. The CEO's son was also charged with insider trading. All but the former chief credit officer agreed to settlements. The CEO and former president will pay nearly $1.2 million but did not admit any wrongdoing. The SEC said TierOne relied on outdated appraisals that inflated the value of real estate that the bank had loans on or had repossessed. The Lincoln, Nebraska-based bank understated its losses by millions of dollars in 2008 and 2009. Federal regulators closed TierOne in June 2010 and sold its assets to Great Western Bank. TierOne had losses in 10 of its last 11 quarters before regulators closed it as it struggled under the weight of bad loans in parts of the United States hit hard by the subprime mortgage crisis. Investors did not learn the extent of TierOne's loan losses until late 2009, when regulators with the Office of Thrift Supervision required TierOne to obtain new appraisals of its impaired loans. That prompted TierOne to disclose $130 million of additional loan losses. Source: http://www.businessweek.com/ap/2012-09-25/3-ex-tierone-bank-execs-charged-with-hiding-losses
For more stories, see items 41 and 44 below in the Information Technology Sector.
Information Technology Sector
40. September 26, The H – (International) Security fixes dominate in Google's Chrome 22. Chrome 22 closes more than 40 security holes, of which 1 is considered to be critical and 19 are rated as "high severity" by the company. These problems include a critical Windows kernel memory corruption vulnerability and two UXSS vulnerabilities in frame handling and V8 JavaScript bindings. Other corrected problems include use-after-free issues in onclick handling and SVG text references, out-of-bounds writes in the Skia graphics library, a buffer overflow in SSE2 optimizations, an integer overflow in WebGL on Mac systems, and 18 separate issues in the PDF viewer. Source: http://www.h-online.com/security/news/item/Security-fixes-dominate-in-Google-s-Chrome-22-1717660.html
41. September 26, The H – (International) Rent-to-own laptops were spying on users. The U.S. Federal Trade Commission (FTC) settled a case with several computer rent-to-own companies and a software maker over their use of a program that spied on as many as 420,000 users of the computers. The terms of the settlement will ban the firms from using monitoring software, deceiving customers into giving up information, or using geo-location to track users. The software for rental companies from DesignerWare included a "Detective Mode," a spyware application that, according to the FTC's complaint, could activate the Webcam of a laptop and take pictures and log keystrokes of user activity. The software also regularly presented a fake registration screen designed to trick users into entering personal information. The data collected was transmitted to DesignerWare and then passed on to the rent-to-own companies. DesignerWare sold the service, which included a "kill switch" to disable the machine, to be activated if a computer was stolen or a renter was late making payments. However, the data gathered also contained user names and passwords for email accounts, social media Web sites, and financial institutions, said the FTC. The complaint said Social Security numbers, private email with doctors, bank and credit card statements, and Webcam pictures of "children, partially undressed individuals and intimate activities at home" were collected. The complaint against DesignerWare said its licensing and enabling of "Detective Mode" was providing the rent-to-own companies with the means to break the law. Source: http://www.h-online.com/security/news/item/Rent-to-own-laptops-were-spying-on-users-1717567.html
42. September 26, V3.co.uk – (International) Samsung delivers Galaxy S3 remote-wipe bug fix. Samsung released a fix for a critical error in its software that allowed malicious code to remotely wipe its Galaxy S3 smartphone. The vulnerability was showcased by a security researcher at the Ekoparty security conference September 25. Samsung later told V3 it was aware of the issue and had built a fix, which it was distributing as an over-the-air update. The vulnerability was reportedly in the device's Unstructured Supplementary Service Data (USSD) protocol, which is used in the messaging between handset and mobile network. Potentially, hackers could use the vulnerability to send a "factory reset" command to the user's device. The attacks could be mounted using many different mediums including Web site links, NFC tags, and QR codes. Security firm Sophos has since warned that the vulnerability may relate to several other Android handsets, including those made by other manufacturers, and urged owners of devices to back up their phones regularly. Source: http://www.v3.co.uk/v3-uk/news/2208239/samsung-delivers-galaxy-s3-remotewipe-bug-fix
43. September 25, Softpedia – (International) Backdoor in phpMyAdmin allows hackers to execute PHP code. phpMyAdmin warned customers that a kit hosted on the SourceForge.net mirror system was found to contain a backdoor that allows remote attackers to execute arbitrary PHP code. The developers were notified by the Tencent Security Response Center that the distribution contains a malicious file. The affected mirror is called cdnetworks-kr-1, the backdoor being located in the server_sync.php file. Apparently, this was not the only corrupt file. The phpMyAdmin development team claims a second file — js/cross_framing_protection.js — was also modified. The vulnerability was cataloged as critical. Source: http://news.softpedia.com/news/Backdoor-in-phpMyAdmin-Allows-Hackers-to-Execute-PHP-Code-294706.shtml
44. September 25, Krebs on Security – (International) Espionage hackers target 'watering hole' sites. Security experts are accustomed to direct attacks, but some of today's more insidious incursions succeed in a roundabout way — by planting malware at sites deemed most likely to be visited by the targets of interest. New research suggests these so-called "watering hole" tactics have recently been used as stepping stones to conduct espionage attacks against a host of targets across a variety of industries, including the defense, government, academia, financial services, healthcare, and utilities sectors. In a report released September 25, RSA FirstWatch's (RSA) experts hint at — but do not explicitly name — some of the watering hole sites. According to RSA, the sites in question were hacked between June and July 2012. Source: http://krebsonsecurity.com/2012/09/espionage-hackers-target-watering-hole-sites/
45. September 24, Washington Post – (International) Donuts Inc.'s major play for new Web domain names raises fears of fraud. A historic land rush is underway for vast new swaths of the Internet: Amazon has bid for control of all the Web addresses that end with ".book." Google wants ".buy." Allstate wants ".carinsurance." However, the single most aggressive bidder for lucrative new Web domains is a little-known investment group with an intriguing name: Donuts Inc. Its $57 million play for 307 new domains — more than Google, Amazon, and Allstate combined — has prompted alarm among industry groups and Internet watchdogs. They warn Donuts has close ties to a company with a well-documented history of providing services to spammers and other perpetrators of Internet abuses. Should Donuts come to control hundreds of new domains, including ".doctor," ".financial," and ".school," consumers could see a spike in online misbehavior, these critics warn. Source: http://www.washingtonpost.com/business/technology/2012/09/24/c8745362-f782-11e1-8398-0327ab83ab91_story.html
For more stories, see item 3 above in Top Stories and item 9 above in the Banking and Finance Sector.
Communications Sector
See item 42 above in the Information Technology Sector.
Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information
About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport
Contact Information
Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314
Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.
Contact DHS
To report physical infrastructure incidents or to request information, please contact the National Infrastructure
To report cyber infrastructure incidents or to request information, please contact US-CERT at soc@us-cert.gov or visit their Web page at www.us-cert.gov.
Department of Homeland Security Disclaimer
The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.