Wednesday, October 10, 2012
Daily Report
Top Stories
• Gasoline prices continued to hit record
highs across California, as the governor ordered emergency steps October 7 to
increase the State’s supply. – KNSD 7 San Diego
4. October 7, KNSD 7 San Diego – (California) Gas prices hit new record Sunday. Gasoline prices continued
to hit record highs across California, as the governor ordered emergency steps
October 7 to increase the State’s supply. A run on supplies at the wholesale
level prompted a massive spike in prices at the pump that has plagued consumers
for the past week. Under pressure to help alleviate the tight market, the
governor asked State regulators to allow refineries to start mixing and selling
a particular type of gasoline that is usually only available in the State
during the winter. The move was aimed at increasing the supply of gasoline
available to small gas stations, and ultimately to consumers. A power outage at
a major southern California Exxon refinery and fears of contamination in a Kern
County pipeline drove supplies down further. To make matters worse, a northern
California refinery struck by fire earlier in 2012 is still not back up to
capacity. Source: http://www.nbcsandiego.com/news/national-international/Gas-Prices-Hit-New-Record-Sunday-los-angeles-auto-club-california-173031861.html
• The United States brought charges against
530 people October 9, over mortgage schemes that cost homeowners more than $1
billion. More than 73,000 homeowners were victims of various frauds for which
charges were filed during a year-long crackdown. – Bloomberg News See item 15 below in the Banking
and Finance Sector
• Hundreds of thousands of users who signed up
for an inexpensive proxy service called Proxybox.name ended up installing a
trojan linked to a botnet first detected during the summer. Researchers at Symantec
reverse engineered the Backdoor.Proxybox malware and unearthed a major black
hat operation and perhaps the actual malware developer. – Threatpost See item 60 below in the Information
Technology Sector
Details
Banking and Finance Sector
15. October 9, Bloomberg News – (National) U.S. charges 530 in mortgage probe with $1 billion
in losses. The United States brought charges against 530 people over
mortgage schemes that cost homeowners more than $1 billion, the Attorney
General said October 9. More than 73,000 homeowners were victims of various
frauds for which charges were filed during a year-long crackdown, including
“foreclosure rescue schemes” that take advantage of those who have fallen
behind on payments, the Justice Department said in a statement. Typical schemes
involved promises to homeowners that foreclosures could be prevented by payment
of a fee, according to the statement. As part of the schemes, “investors”
purchase the mortgage or the titles of homes are transferred to those taking
part in the fraud, resulting in homeowners losing their property, the
department said. Source: http://www.bloomberg.com/news/2012-10-09/u-s-charges-530-in-mortgage-fraud-probe-with-1-billion-losses.html
16. October 8, Lewiston-Auburn Sun Journal – (National) TD Bank notifies
customers of March security breach. TD Bank is notifying an unknown number
of customers that backup computer tapes containing their confidential personal
information, including bank account and Social Security numbers, were
“misplaced,” putting them at risk for identity theft, Lewiston-Auburn Sun
Journal reported October 8. Although the security breach occurred in March, the
bank only recently began sending letters to customers. A TD Bank spokeswoman
said the delay was necessary as the bank conducted an internal investigation.
The security breach occurred when two backup tapes from a computer server were shipped
from one TD Bank location to another. The tapes were misplaced in
Massachusetts. That investigation is ongoing and the bank contacted
Massachusetts law enforcement, as well. TD Bank began telling customers about
the security breach several weeks ago. A spokeswoman declined to say how many
customers were affected, though she said they live throughout the bank’s East
Coast coverage area, from Florida to Maine. Notification letters are being sent
and will continue until late October. Only affected customers will receive a
letter. Source: http://www.sunjournal.com/news/lewiston-auburn/2012/10/08/td-bank-notifies-customers-march-security-breach/1262474
17. October 8, Sarasota Herald-Tribune – (Florida) Sarasota mortgage broker
indicted on fraud charges. A mortgage broker in Sarasota, Florida, who
recruited investors to join him in a series of boomtime real estate deals, was
indicted on 11 counts of bank fraud, the Sarasota Herald-Tribune reported
October 8. From March 2003 through July 2008, the suspect bought and resold
houses at higher prices to investors and filled out mortgage applications with
false information so that investors could get loans, an indictment filed in
Tampa’s U.S. District Court says. His management company later rented out the
houses, however, the indictment said he failed to use the proceeds “to pay all the
expenses associated with the residential properties” as promised. He pleaded
“not guilty” to the charges. A trial date was tentatively scheduled for
December. He bought and sold more than 41 new homes worth $11.6 million in
Sarasota and Manatee counties from 2006 to 2007, and made more than $1 million
in profits along the way. He recruited more than 30 investors into the
property-sharing venture. Source: http://www.heraldtribune.com/article/20121008/ARTICLE/121009652/-1/news?p=1&tc=pg
18. October 7, Tampa Bay Times – (Florida) Police blame serial bandit for several Pinellas
bank robberies. The suspect arrested in connection with a bank robbery in
St. Petersburg, Florida, October 5 was accused of being a serial robber
responsible for at least three similar heists since May. He remained jailed
October 6 as authorities stacked a litany of robbery and kidnapping charges
against him. In each of the robberies, which began May 26 at a PNC Bank in
Clearwater, a man pointed a small silver handgun at tellers and demanded cash.
The man wore a hat and sunglasses while concealing the lower half of his face
with a scarf or shirt. He was arrested after a group of undercover St.
Petersburg police detectives spotted him in front of a PNC Bank. He pulled a
shirt over his face while donning a ball cap and sunglasses and walked inside,
police said. He emerged moments later and ran to a car in a nearby lot where
officers stopped him. He had a chrome Davis Industries P-380 handgun and a
large sum of cash on him, authorities said. Bank tellers confirmed he robbed
them. Authorities later added charges that accused the suspect of the May 26
robbery, in which, police said, he ordered several tellers to the ground at
gunpoint before fleeing with more than $3,000. He also was charged in two
robberies at banks in Clearwater and Largo, June 8 and 19, respectively.
Source: http://www.tampabay.com/news/publicsafety/crime/police-blame-serial-bandit-for-several-pinellas-bank-robberies/1255246
19. October 5, U.S. Securities and Exchange Commission – (National) SEC charges four brokers with defrauding
customers in $18.7 million scheme. October 5, the Securities and Exchange
Commission (SEC) charged four brokers who formerly worked on the cash desk at a
New York-based broker-dealer with illegally overcharging customers $18.7
million by using hidden markups and markdowns and secretly keeping portions of
profitable customer trades. The SEC alleges that the brokers purported to
charge customers very low commission fees that were typically pennies or
fractions of pennies per transaction, but in reality they reported false prices
when executing the orders to purchase and sell securities on behalf of their
customers. The brokers made their scheme especially difficult to detect because
they deceptively charged the markups and markdowns during times of market
volatility in order to conceal the fraudulent nature of the prices they were
reporting to their customers. The surreptitiously embedded markups and
markdowns ranged from a few dollars to $228,000 and involved more than 36,000
transactions during a 4-year period. Some fees were altered by more than 1,000
percent of what was being told to customers. Source: http://www.sec.gov/news/press/2012/2012-207.htm
20. October 5, WLEX 18 Lexington – (Kentucky) Georgetown home builder indicted for bank fraud. A
home builder from Georgetown, Kentucky, was accused of fraudulently obtaining
more than a million dollars in loans from a Frankfort bank, WLEX 18 Lexington
reported October 5. A federal grand jury in Lexington indicted the suspect for
bank fraud, conspiracy, making false statements in a loan application, aiding
and abetting bank embezzlement, and aggravated identity theft. The indictment
alleges that starting in 2006, he began construction on a house and
fraudulently obtained more loans from American Founders Bank (AFB) than he was
entitled to receive. He obtained the loans by setting up shell corporations in
the names of other people to bypass AFB’s loan limits. He allegedly used some
of the money from loans obtained to construct a house in Frankfort to pay off
debt on other construction projects. He fraudulently received approximately
$1.4 million in loans from the bank, according to the indictment. The bank
eventually foreclosed on the home, but allegedly suffered a significant
financial loss. Source: http://www.lex18.com/news/georgetown-home-builder-indicted-for-bank-fraud
21. October 5, Orange County Register – (California) FBI: ‘Desperate Bandit’
robs bank in La Habra. A man police describe as the “Desperate Bandit” is
believed to have struck October 5 at a Bank of the West in La Habra,
California, marking the robber’s seventh hold-up. A man wearing a wig and a
baseball cap entered the bank branch, handed a teller a typed note asking for
money, and left with an undisclosed amount of cash, a FBI special agent said.
Authorities previously described him as a white male, 35-40 years old, about
5-foot-10-inches to 6-feet tall with a light complexion and short, dark hair,
although he reportedly wore a blond wig in the latest hold-up. While the man
claimed to be armed, no weapon was seen and no injuries were reported.
Authorities believe the robber is the “Desperate Bandit,” who has carried out
previous hold-ups at banks in Placentia, Anaheim Hills, Tustin, Fullerton,
Chino, and Corona. Source: http://www.ocregister.com/news/desperate-373778-bandit-bank.html
Information Technology Sector
53. October 9, Help Net Security – (International) New TDL4 rootkit successfully hiding from AV.
A new variant of TDL4 was identified, and it is now ranked as the second
most prevalent malware strain within 2 months since its detection. The
characteristics are similar to the iteration of the TDL4 rootkit, detected by
Damballa in September. Damballa detected the malware through its network
behavioral analysis software, which detected the generated domain names the new
variant apparently uses for command-and-control communication. Since Damballa
could only determine the existence of the new malware by looking for domain
fluxing, it was concluded that no binary samples of the new malware were
identified and categorized by commercial antivirus products operating at the
host or network levels. HitmanPro, however, detected Sst.c — also known as
Maxss — a modification of the TDL4 strain, and it is spreading fast. This new
variant is capable of infecting the Volume Boot Record (VBR) (also known as
Partition Table), and commercial antivirus products are unable to detect it,
let alone remove the malware. The vice president and GM Wave Systems EMEA
provided the following commentary: “Following the success of TDL4, hackers have been
able to use the rootkit to develop new variants that continue to go undetected
by antivirus. The latest iteration, dubbed Sst.c, infects the Volume Boot
Record.” Without embedded hardware security to detect anomalies of behavior in
the boot process, it starts to cause havoc damaging the network. It also
reduces the window of detection for the enterprise to contain the threat. Source: http://www.net-security.org/malware_news.php?id=2288
54. October 9, The Register – (International) Surprise! Microsoft patches latest IE10 Flash
vulns on time. Microsoft surprised Windows 8 and Windows Server 2012 users
October 8 by issuing a patch that fixes 25 security vulnerabilities found in
the Adobe Flash Player component of Internet Explorer (IE) 10, mere hours after
Adobe issued its own patch for the Flash Player plug-in used by other browsers.
Unlike earlier versions of Internet Explorer, IE10 bundles Flash Player as an
integral part of the browser, much like how Google bundles Flash with Chrome.
That means Adobe’s patches, which are designed for the plug-in version of
Flash, will not work on IE10. As with other IE10 security flaws, security fixes
for IE10’s Flash component can only come from Microsoft. Source: http://www.theregister.co.uk/2012/10/09/ms_ontime_ie10_flash_fix/
55. October 9, The H – (International) CloudStack alert users to critical
vulnerability. Citrix and the Apache Software Foundation alerted users to a
critical vulnerability in the CloudStack open source cloud infrastructure
management software. All versions downloaded from the cloudstack.org site will
be vulnerable. CloudStack is also an incubating Apache project but there have
been no official releases from Apache of that project. If users took the source
from the Apache project, that software will be vulnerable. Details of the issue
were disclosed October 7; it appears the system had a configuration issue which
meant any user could execute arbitrary CloudStack API calls such as deleting all
the VMs in the system. A workaround, detailed in the various announcements,
involves logging into the MySQL database that backs the system and setting a
random password on the cloud.user account. The Apache CloudStack code was
updated with a fix for the issue and it is believed the issue should not affect
any upcoming releases of the incubating Apache CloudStack project; version 4.0
has currently been frozen and a release candidate is expected soon. Source: http://www.h-online.com/security/news/item/CloudStack-alert-users-to-critical-vulnerability-1726599.html
56. October 9, The H – (International) Adobe releases 25 critical Flash patches. Adobe,
Microsoft, and Google issued updates to their products to patch vulnerabilities
in their various distributions of Adobe’s Flash Player. Nearly all of the 25
critical vulnerabilities fixed by the updates were discovered by the Google
Security Team. Adobe said the Windows version of Flash Player is a “Priority 1”
update which normally indicates that there is an exploit in the wild for one or
more of the holes, but Adobe did not indicate this was the case. Adobe
recommended that Windows users install the updates as soon as possible. The
vulnerabilities are either characterized as buffer overflow or memory
corruption vulnerabilities but no other details are currently available. As
Microsoft and Google now embed Flash Player in their browsers, both had to
issue updates through their normal update channels. Microsoft updated its Internet
Explorer 10 Web browser for Windows 8 and Windows Server 2012 to close these
Flash holes through Windows Update. The embedded version of Flash in Google’s
Chrome was also updated with version 22.0.1229.92 of Chrome for Windows, Mac OS
X, and Linux in the browser’s stable release channel. This release of Chrome
also closes five other holes, one of which is rated critical and is due to a
race condition in Chrome’s audio device handling. Source: http://www.h-online.com/security/news/item/Adobe-releases-25-critical-Flash-patches-1726163.html
57. October 9, Computerworld – (International) Windows 7 malware infection rate soars in
2012. Windows 7’s malware infection rate climbed by as much as 182 percent
in 2012, Microsoft said October 9. However, even with that dramatic increase,
Windows 7 remained two to three times less likely to fall to hacker attack than
the aged Windows XP. Data from Microsoft’s newest twice-yearly security report
showed that in the second quarter of 2012, Windows 7 was between 33 percent and
182 percent more likely to be infected by malware than in the second quarter of
2011. The infection rate for Windows RTM, or “release to manufacturing,” the
original version launched in October 2009, was 33 percent higher in 2012 for
the 32-bit edition (x86), and 59 percent higher for the 64-bit (x64) OS.
Windows 7 Service Pack 1 (SP1) — the upgrade that shipped in February 2011 —
saw even larger infection increases: 172 percent for x86, and 182 percent for
x64. Microsoft blamed several factors for the boost in successful malware
attacks, including less savvy users. Source: http://www.computerworld.com/s/article/9232188/Windows_7_malware_infection_rate_soars_in_2012
58. October 9, Softpedia – (International) Sality botnet scans entire Internet in search
for vulnerable VoIP servers. Experts discovered the Sality botnet may have
mapped all the IPv4 addresses in search for vulnerable voice-over-IP (VoIP)
servers. In a paper called “Analysis of a “/0” Stealth Scan from a Botnet,”
researchers from the University of California and the University of Napoli in
Italy presented the results of a study performed with the aid of the UCSD
darknet, designed to study malicious Internet activity. Sality is a piece of
malware whose main goal has been to infect Web servers, spread spam, and steal
data. However, the new research unveiled another purpose: to identify
vulnerable VoIP targets that could be utilized in vishing or toll fraud
attacks. By leveraging a technique called “reverse-byte order scanning,” Sality
managed to scan possibly the entire IPv4 space without being identified. That
is because the technique utilizes a low number of packets that come from
different sources, Dark Reading wrote. Source: http://news.softpedia.com/news/Sality-Botnet-Scans-Entire-Internet-in-Search-for-Vulnerable-VoIP-Servers-Video-298049.shtml
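The item's point for a detection engineer is that a scan spread over many sources, each sending only a couple of packets, stays under any per-source volume threshold. The following is an added example (not code from the report or from the cited paper) that scores darknet telemetry by how much of the monitored prefix is touched per destination port instead of by packets per source. The probe records are constructed from TEST-NET address blocks, port 5060 (SIP) stands in for "VoIP servers", and the targets are split evenly across sources as an assumption, not the reverse-byte-order pattern the item mentions.

```python
"""Spotting a distributed, low-volume scan in darknet telemetry.

Added example; not code from the original report or from the cited paper.
Probe records, address blocks, the SIP port and the even split of targets
over sources are all constructed assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

DARKNET_PREFIX = "192.0.2."   # monitored /24 (constructed, TEST-NET-1)
PREFIX_SIZE = 256


@dataclass(frozen=True)
class Probe:
    src: str
    dst: str
    dport: int


def build_sample_probes() -> List[Probe]:
    """Constructed telemetry: 128 sources each send two SIP probes, together
    covering the whole /24, plus three unrelated single probes on other ports."""
    probes: List[Probe] = []
    for i in range(128):
        src = f"203.0.113.{i}"  # constructed scanner sources (TEST-NET-3)
        probes.append(Probe(src, f"{DARKNET_PREFIX}{2 * i}", 5060))
        probes.append(Probe(src, f"{DARKNET_PREFIX}{2 * i + 1}", 5060))
    probes.append(Probe("198.51.100.7", f"{DARKNET_PREFIX}10", 23))
    probes.append(Probe("198.51.100.8", f"{DARKNET_PREFIX}77", 445))
    probes.append(Probe("198.51.100.9", f"{DARKNET_PREFIX}200", 23))
    return probes


def per_source_counts(probes: Iterable[Probe]) -> Counter:
    """Packets per source: the view a per-source threshold alarms on."""
    return Counter(p.src for p in probes)


def coverage_by_port(probes: Iterable[Probe]) -> Dict[int, float]:
    """Fraction of the monitored prefix touched, per destination port."""
    targets: Dict[int, Set[str]] = defaultdict(set)
    for p in probes:
        targets[p.dport].add(p.dst)
    return {port: len(dsts) / PREFIX_SIZE for port, dsts in targets.items()}


def detect_distributed_scans(probes: Iterable[Probe],
                             coverage_threshold: float = 0.5,
                             per_source_threshold: int = 10) -> List[int]:
    """Ports where the prefix is broadly covered although no single source
    reaches the per-source threshold: the signature of a distributed scan."""
    probes = list(probes)
    flagged: List[int] = []
    for port, cov in coverage_by_port(probes).items():
        if cov < coverage_threshold:
            continue
        busiest = max(per_source_counts(p for p in probes if p.dport == port).values())
        if busiest < per_source_threshold:
            flagged.append(port)
    return sorted(flagged)


if __name__ == "__main__":
    sample = build_sample_probes()
    print("max packets from any one source:", max(per_source_counts(sample).values()))
    for port, cov in sorted(coverage_by_port(sample).items()):
        print(f"port {port}: {cov:.1%} of the /24 probed")
    print("distributed scans on ports:", detect_distributed_scans(sample))
```

On the constructed sample no source sends more than two packets, so a per-source alarm at ten packets never fires, while the coverage view shows the entire /24 probed on port 5060 and flags it; the port-23 and port-445 noise stays well below the coverage threshold. A single-source sweep of the same prefix is left to the ordinary per-source alarm rather than reported here.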
59. October 8, The Register – (International) Bing is the most heavily poisoned search
engine, study says. Bing search results are more affected by poisoning than
those of other search engines, according to a study by SophosLabs. Search
engine poisoning attacks are designed to skew results so that dodgy sites —
anything from malware infected Web sites to payday loan sites — appear
prominently in the index of sites related to popular search terms. In many
cases, the tactic is so successful that malware sites appear in the first page of
results for popular search terms, sometimes much higher than legitimate Web
sites. More recently, miscreants began trying to manipulate image search
results. Source: http://www.theregister.co.uk/2012/10/08/bing_worst_search_poisoning/
60. October 8, Threatpost – (International) Proxy service a front for malware
distribution. Hundreds of thousands of users who signed up for an
inexpensive proxy service called Proxybox.name ended up installing a trojan
linked to a botnet first detected during the summer. Researchers at Symantec
reverse engineered the Backdoor.Proxybox malware and unearthed a major black
hat operation and perhaps the actual malware developer. The investigation
started with a legitimate looking Russian Web site advertising access to
thousands of proxies for an extremely low monthly fee that could be paid via
WebMoney, Liberty Reserve, and RoboKassa. A closer inspection of the
command-and-control server showed the botnet maintains some 40,000 users online
at any time. Advertisements for Proxybox.name appear on four other Web sites
all linked to the same author. They include vpnlab.ru, avcheck.ru, and whoer.net,
which provides proxy testing. This led Symantec researchers to believe the same
Russian hacker is behind the black hat operation. Source: http://threatpost.com/en_us/blogs/proxy-service-front-malware-distribution-100812
61. October 8, IDG News Service – (International) Facebook’s phone search can be abused to find
people’s numbers, researchers say. Attackers can abuse Facebook’s phone
search feature to find valid phone numbers and the names of their owners,
according to security researchers. The attack is possible because Facebook does
not limit the number of phone number searches that can be performed by a user
via the mobile version of its Web site, an independent security researcher said
October 5. Facebook allows users to associate their phone numbers with their
accounts. Since most people do not change the default value of this setting, it
is possible for an attacker to generate a list of sequential phone numbers
within a chosen range — for example from a specific operator — and use
Facebook’s search box to discover who they belong to, the researcher said.
Connecting a random phone number to a name is every advertiser’s dream and
these types of lists would fetch a large price on the black market, he said.
Source: http://www.computerworld.com/s/article/9232178/Facebook_s_phone_search_can_be_abused_to_find_people_s_numbers_researchers_say?taxonomyId=244
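The item attributes the problem to two things: the lookup is not rate limited per account, and the "find me by phone number" setting is on by default. The following is an added example (not code from the report or from Facebook) showing both controls on a toy reverse-lookup endpoint: a sliding-window budget per caller, charged for misses as well as hits, and a per-user discoverable flag. The directory contents, caller ids and the 20-per-hour budget are constructed assumptions; the enumeration routine only walks the local toy directory to measure how much the two controls cut off.

```python
"""Per-caller budget and opt-out for a phone-number reverse lookup.

Added example; not code from the original report or from Facebook. The
directory, caller ids, limits and the "discoverable" flag are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample directory: phone number -> (display name, discoverable).
# Every tenth number in the 555-000-xxxx block belongs to a user; users 2 and 3
# have turned "find me by phone number" off.
DIRECTORY: Dict[str, Tuple[str, bool]] = {
    f"555000{n:04d}": (f"user{n // 10}", n not in (20, 30))
    for n in range(0, 1000, 10)
}


class RateLimited(Exception):
    """Raised when a caller has exhausted its lookup budget for the window."""


@dataclass
class LookupRateLimiter:
    """Sliding-window limiter: at most max_lookups per caller per window_seconds."""
    max_lookups: int = 20
    window_seconds: float = 3600.0
    _events: Dict[str, deque] = field(default_factory=lambda: defaultdict(deque))

    def allow(self, caller: str, now: float) -> bool:
        q = self._events[caller]
        # Forget lookups that have aged out of the window.
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        if len(q) >= self.max_lookups:
            return False
        q.append(now)
        return True


def lookup_by_phone(limiter: LookupRateLimiter, caller: str,
                    phone: str, now: float) -> Optional[str]:
    """Resolve a phone number to a name, or None. The lookup is charged to the
    caller's budget whether or not the number matches, so misses are not free."""
    if not limiter.allow(caller, now):
        raise RateLimited(caller)
    entry = DIRECTORY.get(phone)
    if entry is None:
        return None
    name, discoverable = entry
    return name if discoverable else None


def enumerate_range(limiter: LookupRateLimiter, caller: str, start: int,
                    count: int, seconds_per_query: float = 0.5):
    """Walk `count` sequential numbers from `start` as one account, against the
    toy directory only. Returns (names disclosed, lookups refused)."""
    found: Dict[str, str] = {}
    denied = 0
    for i in range(count):
        phone = f"{start + i:010d}"
        try:
            name = lookup_by_phone(limiter, caller, phone, now=i * seconds_per_query)
        except RateLimited:
            denied += 1
            continue
        if name is not None:
            found[phone] = name
    return found, denied


if __name__ == "__main__":
    budgeted = LookupRateLimiter(max_lookups=20, window_seconds=3600)
    names, refused = enumerate_range(budgeted, "one-account", 5550000000, 1000)
    print(f"20/hour budget: {len(names)} names disclosed, {refused} lookups refused")
    unlimited = LookupRateLimiter(max_lookups=10**9)
    names, refused = enumerate_range(unlimited, "one-account", 5550000000, 1000)
    print(f"no budget: {len(names)} names disclosed, {refused} lookups refused")
```

With the budget in place a single account walking 1,000 sequential numbers gets 20 lookups and two names before the remaining 980 are refused; without it the same walk resolves every discoverable user in the block. The opt-out removes a user from the result set regardless of budget, which is the control the item says most people leave at its default.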
Communications Sector
62. October 8, Kansas City Business Journal – (National) Sprint fixes
network disruption in Pacific Northwest. Two fiber cuts to Sprint Nextel
Corp.’s wireless network affected Pacific Northwesterners trying to make phone
calls, use data on their smartphones, and even catch flights October 8. All
services were restored by October 8, according to Overland Park-based Sprint.
The first cut happened October 7 or October 8, botching service to customers
between Chicago and Milwaukee. A Sprint spokeswoman said the incident was tied
to work at a railroad involving non-Sprint employees. A second cut also happened
October 8, somewhere between Tacoma, Washington, and Portland, Oregon,
disrupting voice and data services for customers between northern California,
parts of Oregon, and parts of Washington. Sprint has not determined the cause
of the second cut, which slowed the terminal check-in process for Sprint
customer Alaska Airlines October 8, leading to significant flight delays.
Alaska Airlines, which uses Sprint’s data services, had to manually check in
passengers until the fiber lines were repaired and services were restored, a
spokeswoman for Sprint said. Source: http://www.bizjournals.com/kansascity/news/2012/10/08/sprint-fixes-network-disruption-in.html
63. October 8, El Dorado Hills Telegraph – (California) Phone service
cut for 4,000 Folsom residents; repairs expected by Friday evening. October 4,
a tractor digging at a construction site along Riley Street in Folsom,
California, severed a major AT&T phone line, disrupting service to city
facilities as well as nearly 4,000 AT&T residential customers. The
disruption was expected to continue through October 5. The Folsom Police and
Fire Department’s 9-1-1 emergency communications were forwarded to the
Sacramento County Sheriff’s Communications Bureau to ensure public safety was
not affected. Source: http://www.fireengineering.com/news/2012/10/08/phone-service-cut-for-4-000-folsom-residents-repairs-expected-by-friday-evening.html
64. October 8, Infosecurity – (International) Telecom vendors Huawei, ZTE, pose
cyber-espionage threats, lawmakers conclude. Two top telecom infrastructure
vendors from China, Huawei and ZTE, pose potential cyber-espionage threats,
according to a panel of U.S. lawmakers on intelligence, Infosecurity reported
October 8. After an 11-month investigation, the U.S. House of Representatives’
Permanent Committee on Intelligence suggested that telecom networks built on
Huawei and ZTE gear could provide a way for the Chinese government to bake in
listening vectors, for instance. There is a “heightened threat of cyber
espionage and predatory disruption or destruction of US networks if
telecommunications networks are built by companies with known ties to the
Chinese state, a country known to aggressively steal valuable trade secrets and
other sensitive data from American companies,” the report said. The panel
recommended that American telcos, cable MSOs, satellite companies, wireless
operators, and broadband providers should consider other vendors going forward
when building out or expanding networks. And, sensitive government systems
should exclude Huawei or ZTE equipment or component parts — Huawei in
particular has a large enterprise IT division that could supply federal and
State networks. And, it said that it would seek to block mergers or
acquisitions involving Huawei and ZTE due to national security concerns. Source: http://www.infosecurity-magazine.com/view/28672/telecom-vendors-huawei-zte-pose-cyberespionage-threats-lawmakers-conclude/
65. October 7, WFLI 18 Lafayette – (Indiana) Phone lines down in Lafayette. The Frontier
Communications general manager said October 5 construction crews working in
Lafayette, Indiana, accidentally pulled around 200 feet of fiber out of the
ground, cutting the fiber cables in the process. Damage to the fiber cables led
to a massive landline and Internet outage posing new problems for emergency
personnel. Although people could not contact the non-emergency line, the West
Lafayette Police lieutenant said police were still able to respond to
emergencies. Source: http://www.wishtv.com/dpp/news/local/north_central/phone-lines-down-in-lafayette
Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information
About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport
Contact Information
Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314
Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.
Contact DHS
To report physical infrastructure incidents or to request information, please contact the National Infrastructure
To report cyber infrastructure incidents or to request information, please contact US-CERT at soc@us-cert.gov or visit their Web page at www.us-cert.gov.
Department of Homeland Security Disclaimer
The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.