Wednesday, October 17, 2012 


Daily Report

Top Stories

 • A federal cybersecurity team warned of critical vulnerabilities in computerized control systems that attackers could exploit to sabotage or steal sensitive data from operators of the solar arrays that generate electricity in homes and businesses. – Ars Technica

1. October 15, Ars Technica – (National) Solar panel control systems vulnerable to hacks, feds warn. DHS is warning of critical vulnerabilities in a computerized control system that attackers could exploit to sabotage or steal sensitive data from operators of the solar arrays that generate electricity in homes and businesses, Ars Technica reported October 15. A slew of vulnerabilities in a variety of products, including the Sinapsi eSolar Light Photovoltaic System Monitor and the Schneider Electric Ezylog Photovoltaic Management Server, allow unauthorized people to remotely log into the systems and execute commands, warned the Industrial Controls Systems Cyber Emergency Response Team in a recent alert. Other vulnerable devices include the Gavazzi Eos-Box and the Astrid Green Power Guardian. Proof-of-concept code available online makes it easy to exploit some of the bugs. The advisory is based on a report published in September that disclosed SQL injection vulnerabilities, passwords stored in plain text, hard-coded passwords, and other defects that left the devices open to tampering. According to researchers, the vulnerable management server is incorporated into a photovoltaic products from several manufacturers. “All the firmware versions we analyzed have been found to be affected by these issues,” the researchers wrote. “The software running on the affected devices is vulnerable to multiple security issues that allow unauthenticated remote attackers to gain administrative access and execute arbitrary commands,” the researchers said. Source: http://arstechnica.com/security/2012/10/solar-panel-control-systems- vulnerable-to-hacks/

 • Officials in Burlington, Washington, notified hundreds of employees and residents that their names, bank account information, and routing numbers were compromised the week of October 8 when hackers broke into city systems and stole more than $400,000 from the city’s account at Bank of America. – Computerworld See item 6 below in the Banking and Finance Sector

 • Hackers managed to gain access to the records of at least 8,500 current and former University of Georgia employees. The university’s representatives began investigating the breach October 1, after they learned the cybercriminals obtained unauthorized access through the accounts of two employees. – Softpedia

23. October 16, Softpedia – (Georgia) University of Georgia hacked, at least 8,500 employees exposed. Hackers managed to gain access to the records of at least 8,500 current and former University of Georgia employees, Softpedia reported October 16. The cybercriminals obtained access to the accounts of two employees who worked in “sensitive information technology positions.” From there, the attackers were able to gain access to the details of thousands of employees, including names, Social Security numbers, and other information, University of Georgia Today reported. The university’s representatives began investigating the breach October 1, after they learned the passwords of two employees were reset by an unknown actor. It was later determined that the intrusion could have occurred as early as September 28. It is believed the hackers might have been able to reset the passwords by guessing the answers to the secret questions set by the targets. All the affected individuals were notified and those who request it will benefit from credit monitoring services. The police were contacted to investigate the incident. Source: http://news.softpedia.com/news/University-of-Georgia-Hacked-At-Least-8- 500-Employees-Exposed-299800.shtml

 • Researchers from Symantec reported that cybercriminals are trying to spread malware disguised as Windows help files in attacks targeting government and industry sectors. – Softpedia See item 26 below in the Information Technology Sector

Details

Banking and Finance Sector

5. October 15, WNBC 4 New York – (New York) FBI arrests man accused of stuffing ATMs with fake cash. A man was arrested October 15 in connection with the counterfeit bills dispensed at two ATMs in New York City the week of October 8, authorities said. The man was arrested at Kennedy Airport after voluntarily returning to New York City from the Dominican Republic, the FBI said. He worked for a company that serviced the ATMs. He faces several charges, including embezzlement and other charges related to counterfeit currency. The amateurish fake bills were put in ATMs at two Chase branches in Manhattan to replace cash that had been stolen. The banks were short a total of some $11,000. The counterfeit bills were blank on one side. Authorities believe they were meant to trick the ATM into believing it was carrying a full complement of cash. A bank official said that the machines were able to distinguish most of the fake bills from real ones. Source: http://www.nbcnewyork.com/news/local/Counterfeit-ATM-Bills-Arrest- Midtown-Chase-Gene-Carlo-Pena-JFK-FBI-174268821.html

6. October 15, Computerworld – (Washington) Cyberthieves loot $400,000 from city bank account. Burlington, Washington officials notified hundreds of employees and residents that their bank account information was compromised the week of October 8 when hackers broke into city systems and stole more than $400,000 from a city account at Bank of America. Among those impacted by the breach were employees participating in Burlington’s electronic payroll deposit program and utility customers enrolled in the city’s autopay program. In an alert issued October 15, a city administrator said all autopay customers should assume that their name, bank account number, and routing number were comprised. He urged affected customers to immediately contact their bank to flag or close their accounts. All employees participating in the city’s electronic payroll deposit program were also asked to close out their old accounts and establish a new one as a result of the breach. The city first learned of the online heist October 11 when an east coast bank sought information about a series of suspicious transfers from a Burlington city account. The city immediately reviewed the activity and noticed at least three “significant transactions” from its Bank of America account to accounts at the east coast bank over a two-day period, the administrator said. The theft was from an account containing more funds, but the administrator said the city did not know why more was not taken. The account was frozen and all of the city’s money was temporarily moved out of Bank of America as a precaution. The Burlington theft came just days after security firm RSA warned of cybercriminals plotting a massive and concerted campaign to steal money from the online accounts of thousands of consumers at 30 or more major U.S. banks. Source: http://www.computerworld.com/s/article/9232372/Cyberthieves_loot_400_000_from_c ity_bank_account

7. October 15, Associated Press – (Texas) Ex-Houston attorney pleads guilty in Ponzi scheme. A former attorney in Houston who portrayed himself as a real estate investment tycoon pleaded guilty in a $7.8 million Ponzi scheme, the Associated Press reported October 15. Federal prosecutors in Houston said the man pleaded guilty to wire fraud. Investigators said more than 20 investors were scammed. Prosecutors said the man during the past 10 years pretended to be in the real estate investment business. He used money from investors to pay his previous debts and fund his personal lifestyle. Source: http://www.businessweek.com/ap/2012-10-15/ex-houston-attorney-pleads- guilty-in-ponzi-scheme

8. October 13, Lincoln Journal Star – (National) Former Cornhusker owner indicted on fraud charges. A Boca Raton, Florida man who formerly owned several lodging properties was indicted by a federal grand jury in Illinois on 10 counts of fraud and making false statements to lenders, the Lincoln Journal Star reported October 13. The hotel owner and another Floridian are accused of using about $9 million in bank loans to refinance and remodel hotels that the owner’s Shubh Hotels owned in Cincinnati, Ohio, and Boca Raton, Florida, for purposes other than those the bank intended. The hotel owner also owned hotels in Detroit, Michigan, Pittsburgh, Pennsylvania, and Lincoln, Nebraska. The indictment said the two men created false invoices in the name of the latter’s remodeling firm and used false documentation of supplies to get money from the lenders that ended up in accounts they controlled at other banks. The hotel owner borrowed money in 2007 from two banks in Illinois that later failed due to bad loans. Source: http://journalstar.com/business/local/former-cornhusker-owner-indicted-on- fraud-charges/article_c7556967-03a0-5acc-80dd-bb2c02984950.html

Information Technology Sector

26. October 16, Softpedia – (International) Windows Help files used in attacks against industry and government sectors. To make sure their potential victims do not suspect they are the targets of an attack, cybercriminals often rely on harmless-looking Windows Help files (.hlp) to spread pieces of malware. Symantec reports that in the past period, cyberattacks using this attack vector have been aimed at government and industry sectors. According to researchers, everything starts with a simple email which informs the recipient of a “White Paper on corporate strategic planning.” In reality, the attachment is not a white paper, but a cleverly designed Windows Help file. The Help file’s functionality permits a call to the Windows API, which allows the attacker to execute code and install other malicious elements. Experts emphasize the fact that this functionality exists by design, it is not an exploit. In the attacks identified so far, cybercriminals were trying to spread Trojan.Ecltys and Backdoor.Barkiofork — pieces of malware often utilized in targeted attacks against government agencies and the industry sector. Most of the threats have been identified in the United States, China, India, and France. Source: http://news.softpedia.com/news/Windows-Help-Files-Used-in-Attacks- Against-Industry-and-Government-Sectors-299782.shtml

27. October 16, Softpedia – (International) Steam browser protocol flaws allow cybercriminals to execute malicious commands. Two security researchers from ReVuln identified a vulnerability in the Steam Browser Protocol that could be leveraged by remote attackers to cause damage. Their research was published in a paper called Steam Browser Protocol Insecurity. The popular gaming platform uses the steam:// URL protocol in order to run, install, and uninstall games, backup files, connect to servers, and reach various sections dedicated to customers. After testing various browsers, the experts concluded that Mozilla and Safari are perfect for the “silent Stream Browser Protocol calls” needed to perform such an attack because they do not warn users before executing the external URL handler. Internet Explorer and Opera do warn users, but the “dodgy part” of the URL can be hidden by adding spaces into the steam:// URL. The researchers found that not only these Web browsers can be utilized for the calls to external protocol handlers. Steam browser and RealPlayer’s embedded browser are just as susceptible to an attack. One of the attacks they demonstrated relies on the retailinstall command that designed for installing and restoring backups from a local folder. A function that is in charge of loading a splash image during this process contains an integer overflow vulnerability which could be leveraged by an attacker to run his malicious scripts. Furthermore, the researchers showed that the Steam Browser Protocol can also be used in attacks against the Source and Unreal engines. Massive multiplayer online games can be exploited via the auto- update features by leveraging a directory traversal vulnerability. Source: http://news.softpedia.com/news/Steam-Browser-Protocol-Flaws-Allow- Cybercriminals-to-Execute-Malicious-Commands-299598.shtml

28. October 15, Threatpost – (International) Oracle patch update to include 109 patches. Oracle’s quarterly Critical Patch Update, October 16 included 109 fixes. The company released fixes for security vulnerabilities across most of its enterprise products, addressing a host of remotely exploitable flaws. This comes a little more than a month after exploits of a serious zero-day vulnerability in Java were reported, as well as a critical zero-day vulnerability in Java SE. Five patches were released addressing security problems in Oracle Database Server, including one that is remotely exploitable over a network without the need for a username and password, Oracle said. Two of the patches address client-only installations. Source: http://threatpost.com/en_us/blogs/oracle-patch-update-include-109-patches- 101512

29. October 15, Dark Reading – (International) Next-generation malware: Changing the game in security’s operations center. Sophisticated, automated malware attacks are spurring enterprises to shift their security technology and staffing strategies. In many new cases, augmentations to malware involves no human author, rather, it is being created by an automated program that continually tweaks known attacks in new ways, so that it will not be recognized by antivirus or intrusion prevention systems. Antivirus (AV) systems work by identifying malware through a blacklist — a database of known viruses, trojans, and other malicious code — and blocking and eradicating any code on the list. The premise of AV technology is that it is possible to identify the unique characteristics of any known malware — its “signature” — and use that signature to prevent it from penetrating the enterprise. However, with new “zero-day” malware being created constantly, AV systems often cannot keep up, and their blacklists have become bloated and slow to perform. This growing problem has spurred many vendors — and many enterprises — to begin looking for ways to recognize malware not by how it looks — its known signature — but by how it behaves. Source: http://www.darkreading.com/security-monitoring/167901086/security/security- management/240009058/next-generation-malware-changing-the-game-in-security-s- operations-center.html

30. October 15, Softpedia – (International) Fake DHL Express Tracking Notifications bring ‘good’ news and malware. A DHL Express Tracking Notification is making the rounds, landing in the inboxes of users in an attempt to trick them into infecting their computers with a piece of malware. Although DHL is one of the most commonly utilized brands by cybercriminals in their malicious campaigns, fake notifications that rely on the company’s name still appear to be a success. The latest malware attack relies on emails entitled “Processing complete successfully,” which urge recipients to open an attached file in order to see additional details. As in all similar schemes, the file (DHL_Express_Processing_ complete.pdf.zip) is not a detailed report, but a piece of malware identified by Sophos as Troj/BredoZp-S. Source: http://news.softpedia.com/news/Fake-DHL-Express-Tracking-Notifications- Bring-Good-News-and-Malware-299466.shtml

31. October 15, Softpedia – (International) Cybercriminals update the eBay logo in their phishing scams. In order to ensure their malicious campaigns record a success, cybercriminals must always keep up with the changes made by the companies whose names and reputations they leverage. That is exactly what a group in charge of an eBay phishing scam did. eBay recently changed its logo and while the new one is not completely different compared to the old one, this minor detail can make the difference between a successful and an unsuccessful phishing scheme. If a user sees that it bears the old logo, it is probably a scam. However, users should still be cautious when clicking on shady links, since most criminals will surely update their pages in the upcoming period. Source: http://news.softpedia.com/news/Cybercriminals-Update-the-eBay-Logo-in- Their-Phishing-Scams-299482.shtml

Communications Sector

Nothing to report


Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport

Contact Information

Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List:     Send mail to support@govdelivery.com.


Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure
Coordinating Center at  nicc@dhs.gov or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at  soc@us-cert.gov or visit their Web page at  www.us-cert.go v.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.