Friday, October 19, 2012 


Daily Report

Top Stories

 • A Bangladeshi man snared in an FBI terror sting considered targeting the U.S. President and the New York City Stock Exchange before plotting a car bomb attack on the Federal Reserve, an official told the Associated Press October 18. – Associated Press See item 7 below in the Banking and Finance Sector

 • BB&T Corp. acknowledged October 17 that its Web site was suffering from intermittent outages related to a distributed denial-of-service (DDoS) attack. The institution is the ninth U.S. bank to be affected by a DDoS strike in the last 5 weeks. – BankInfoSecurity See item 9 below in the Banking and Finance Sector

 • California pharmacy regulators began an investigation of reports of irregularities in prescription refills at CVS pharmacies. Investigators are probing complaints that CVS renewed doctors’ prescriptions and billed insurers without customers’ consent, and in some cases enrolled the customers in automatic refill programs without their knowledge. – United Press International

28. October 17, United Press International – (California) California investigates CVS pharmacies. California pharmacy regulators have begun an investigation of reports of irregularities in prescription refills at CVS pharmacies. The executive officer of the California Board of Pharmacy said October 16 investigators are probing complaints that CVS Caremark Corporation renewed doctors’ prescriptions and billed insurers without customers’ consent, and in some cases enrolled the customers in automatic refill programs without their knowledge. A spokesman for CVS said the company’s policy requires a patient’s consent “be obtained before a prescription is filled,” and added the company would provide the pharmacy board with any information needed. The week of October 8, the U.S. Department of Health and Human Services began another investigation of CVS into allegations the company billed Medicare for medication patients had not ordered or picked up, and in 2011 the company agreed to pay $17.5 million to resolve allegations it falsified prescription drug claims for Medicaid programs in California and nine other States, the Los Angeles Times reported October 17. Source: http://www.upi.com/Top_News/US/2012/10/17/California-investigates-CVS- pharmacies/UPI-57311350501834/

 • Cherryville, North Carolina’s police chief and a police captain were suspended after investigators found they allegedly used their credentials and legal authority to let trucks full of stolen goods pass through Gaston County. – WBTV 3 Charlotte

33. October 18, WBTV 3 Charlotte – (North Carolina) Cherryville police chief, officer suspended due to FBI probe. Cherryville, North Carolina’s police chief and a police captain were suspended after investigators found they allegedly let trucks full of stolen goods pass through Gaston County, WBTV 3 Charlotte reported October 18. Two federal indictments unsealed in U.S. District Court in Charlotte, charge a reserve deputy sheriff with the Gaston County Sheriff’s Office and police officers with the Cherryville Police Department with multiple counts related to the misuse of their official position to provide protection for the transportation of goods they believed to be stolen, announced a U.S. Attorney for the Western District of North Carolina. Two non-law enforcement defendants were also charged for their role in the conspiracy. According to allegations contained in the two indictments, on multiple occasions, the men used their credentials and legal authority to assist with the transfer or transport of stolen goods and/or cash proceeds from the sale of stolen goods, in exchange for monetary bribes. Source: http://www.wbtv.com/story/19843917/cherryville-police-chief-officer- suspended-due-to-fbi-probe

 • Police provided the name of the gunman who stormed into a Casselberry, Florida salon October 18 and shot four women — killing three — before driving away and committing suicide. – Orlando Sentinel

48. October 18, Orlando Sentinel – (Florida) Police ID gunman in Casselberry salon mass shooting. Police provided the name of the gunman who stormed into a Casselberry, Florida salon October 18 and shot four women — killing three — before driving away and committing suicide. The suspect killed his ex-girlfriend, the salon manager, and several of her coworkers at the Las Dominicanas M & M Salon on Aloma Avenue. Both the salon manager and the owner of the salon filed domestic violence injunctions against the suspect in recent weeks. He was supposed to report to the Orange County Courthouse October 18 for a hearing in the domestic violence case. A fourth employee was taken to an area hospital, and her condition is unknown. Police said the suspect left the salon, located in a small strip mall near a Family Dollar store, and then shot himself several miles away at a home on Paradise Lane. Source: http://www.orlandosentinel.com/news/local/breakingnews/os-casselberry- shooting-three-dead-20121018,0,289503,print.story

Details

Banking and Finance Sector

7. October 18, Associated Press – (New York) U.S. President was considered potential target. A Bangladeshi man snared in an FBI terror sting considered targeting the U.S. President and the New York City Stock Exchange before plotting a car bomb attack on the Federal Reserve, a law enforcement official told the Associated Press October 18. The official stressed that the suspect never got beyond the discussion stage in considering an attack on the U.S. President. In a September meeting with an undercover agent posing as a fellow jihadist, the suspect explained he chose the Federal Reserve as his car bomb target “for operational reasons,” according to a criminal complaint. The suspect also indicated he knew that choice would “cause a large number of civilian casualties, including women and children,” the complaint said. FBI agents grabbed the man — armed with a cellphone he believed was rigged as a detonator — after he made several attempts to blow up a fake 1,000-pound the bomb inside a vehicle parked next to the Federal Reserve October 17 in lower Manhattan, the complaint said. The suspect appeared in federal court October 17 to face charges of attempting to use a weapon of mass destruction and attempting to provide material support to a terrorist group. Source: http://abcnews.go.com/US/wireStory/feds-indicted-plot-attack-federal-reserve- 17502296#.UIAqjK74LxM

8. October 17, Reuters – (New Jersey) SEC charges Yorkville with securities fraud. Securities regulators October 17 sued Yorkville Advisors LLC and its top executives, accusing the New Jersey hedge fund of reporting false and inflated values for some of its investments. The Securities and Exchange Commission (SEC) lawsuit targeted Yorkville, which has been one of the largest funds specializing in thinly traded micro-cap and small-cap companies, the founder and president, and the chief financial officer. The firm misreported values as the financial crisis hit in 2008 and 2009 and market conditions deteriorated, and its returns during the period consisted mostly of unrealized gains from marked-up investments, the SEC said. The scheme let Yorkville improperly boost its management fees and led it to improperly receive more than $10 million in unearned fees, the SEC said. The SEC accused Yorkville, which once managed more than $1 billion in assets, of creating and providing false and misleading documents to its auditors to further the scheme. The firm also made false and misleading statements to its investors between April 2008 and January 2010 about the value of its investments and other matters, the SEC said. The “false portrayal of Yorkville as a firm that employed ‘robust’ internal controls caused pension funds and funds of funds to invest over $280 million in the Funds,” the SEC said. Source: http://www.reuters.com/article/2012/10/17/us-sec-yorkville- idUSBRE89G14L20121017

9. October 17, BankInfoSecurity – (National) BB&T site outages linked to DDoS. BB&T Corp. acknowledged October 17 that its Web site was suffering from intermittent outages related to a distributed denial-of-service (DDoS) attack. The $178.5 billion institution is the ninth U.S. bank to be affected by a DDoS strike in the last 5 weeks. “BB&T is experiencing intermittent outages on BBT.com due to a ‘Denial of Service’ event,” a bank spokesman said October 17. BB&T’s site outage is the second attack apparently waged by a hacktivist group the week of October 15. October 16, Capital One’s online banking and corporate sites suffered outages believed to be caused by a second attack aimed at the bank by the same group. Capital One’s Web site was back up and running by October 17, said a spokeswoman, although some customers may continue to suffer from periodic glitches linked to ongoing system upgrades. Source: http://www.bankinfosecurity.com/bbt-site-outages-linked-to-ddos-a-5208?rf=2012-10-18- eb&elq=f35dac9ed1d9430aad0f418cc8491d5f&elqCampaignId=4861

10. October 17, Bloomberg News – (Georgia) Former American United Bank officers, directors sued by FDIC. Former American United Bank officers and directors were sued by the Federal Deposit Insurance Corporation (FDIC) for $45.2 million over their alleged negligence in managing the bank’s lending operations. The lawsuit, filed October 17 in federal court in Atlanta, names the defendants as the former president and chief executive officer, former senior vice president, and the chief lending officer. “Rather than manage the bank’s lending function in a sound and responsible manner, the defendants took unreasonable risks with the bank’s loan portfolio,” the FDIC said in the complaint. American United Bank, based in Lawrenceville, Georgia, was closed by State regulators in 2009. Ameris Bank of Moultrie, Georgia, agreed to assume all American United Bank’s deposits, the FDIC said in 2009. Source: http://www.bloomberg.com/news/2012-10-17/former-american-united-bank- officers-directors-sued-by-fdic.html

Information Technology Sector

37. October 18, The H – (International) Information leak in ZENworks Asset Management disclosed. The Metasploit developers discovered an information leaking vulnerability in Novell ZENworks Asset Management 7.5 that allows a remote attacker to read files that have system-level privileges and extract all information stored by the application. A researcher from Rapid7 explained that the Web console of ZENworks Asset Management provides two maintenance calls that can be used with hard-coded credentials. One of the calls allows remote attackers to gain access to the filesystem, while the other call gives details of the software’s backend database credentials in clear text. The researcher discovered the vulnerability in August and immediately wrote a Metasploit module to exploit it. He then disclosed it to Novell and the U.S. Computer Emergency Readiness Team, and now published the exploit and corresponding Metasploit module. Source: http://www.h-online.com/security/news/item/Information-leak-in-ZENworks- Asset-Management-disclosed-1732130.html

38. October 18, The H – (International) Apple updates Java for older Mac OS X - kills browser plugin. Following Oracle’s CPU patch day, in which a large number of Java vulnerabilities were fixed, Apple released an update for Java 6 on Mac OS X 10.6.8, 10.7, and 10.8. The update brings Apple’s Java 6 in line with Oracle’s Java 6 Update 37, but also removes the Apple-provided Java applet plugin from all Web browsers. Apple previously modified its plugin to reduce unnecessary exposure to Java-based malware by disabling the plugin if it went unused for a period of time. This policy has apparently not been sufficient and now the update completely removes the plugin; browsers will display a “missing plugin” message, which, if clicked, will take the user to Oracle’s site where they can download the latest Java applet plugin from Oracle. Source: http://www.h-online.com/security/news/item/Apple-updates-Java-for-older- Mac-OS-X-kills-browser-plugin-1732089.html

39. October 18, The Register – (International) One year on, SSL servers still cower before the BEAST. The latest monthly survey by the SSL Labs project discovered that many secure sockets layer (SSL) sites remain vulnerable to the Browser Exploit Against SSL/TLS (BEAST) attack, more than a year after the underlying vulnerability - 16 -
was demonstrated by security researchers. The stealthy piece of JavaScript works with a network sniffer to decrypt the encrypted cookies that a targeted Web site uses to grant access to restricted user accounts. October figures from SSL Pulse survey of 179,000 popular Web sites secured with the ubiquitous SSL protocol reveals that 71 percent (127,000) are still vulnerable to the BEAST attack. The latest statistics show little change from September figures, down just 1 percentage point from the 71.6 percent vulnerable to the BEAST attack recorded in September. Exposure to the so-called CRIME attack was also rife, 41 percent of the sample support SSL Compression, a key prerequisite of the attack. The so-called CRIME technique lures a vulnerable Web browser into leaking an authentication cookie created when a user starts a secure session with a Web site. Once the cookie is obtained, it can be used by hackers to log in to the victim’s account on the site. Source: http://www.theregister.co.uk/2012/10/18/ssl_security_survey/

40. October 18, Softpedia – (International) Citadel trojan Rain Edition represents Fraud-as-a-Service at its best, RSA says. The developers of the Citadel trojan recently released the 1.3.5.1 version, dubbed Rain Edition. The new variant costs more than its predecessor, but it also possesses new features. One of the most noteworthy new features is called “Dynamic Config.” It allows botmasters to interact faster with their victims via browser injection technology. “This nifty function allows Trojan operators to create web injections and use them on the fly, pushing them to selected bots without the hassle of pushing/downloading an entire new configuration file,” an RSA researcher explained. “Citadel-infected machines are going to have an instruction to reach out to the C&C every 2 minutes and update themselves with a predefined file where injection ‘packs’ will be ready to go. The whole system will be managed by a clever distribution mechanism dictating which injection(s) go to which bot or group of bots,” he added. This new mechanism makes Citadel a representative for the Fraud-as-a-Service (FaaS) model. That is because botmasters are not forced to do all the work by themselves. Instead, they can hire up to five subordinates to help them create injections. They all have their own section on the administrator panel, which gives them only limited access to the entire operation. The advantage for the injection sellers in this case is that they can work with multiple botmasters. Source: http://news.softpedia.com/news/Citadel-Trojan-Rain-Edition-Represents- Fraud-as-a-Service-at-Its-Best-RSA-Says-300441.shtml

41. October 17, Threatpost – (International) Oracle leaves fix for Java SE zero day until February patch update. Oracle will not patch a critical sandbox escape vulnerability in Java SE versions 5, 6, and 7 until its February Critical Patch Update (CPU), according to the researcher who discovered the flaw. The researcher, from security firm Security Explorations, told Threatpost that Oracle said it was deep into testing of another Java patch for the October CPU released October 16, and that it was too late to include the sandbox fix. The researcher said he plans to present technical details on the flaw November 14 at the Devoxx Java Community Conference in Belguim. The exploit relies on a user landing on a site hosting the exploit; an attacker would use a malicious Java applet or banner ad to drop the malware and ultimately have full remote control of a compromised machine. - 17 -

42. October 17, Softpedia – (International) Researcher finds denial of service vulnerability in Window 7. A researcher claims to have identified a denial-of-service (DoS) vulnerability that affects fully updated versions of Windows 7 and possibly even Windows Vista. He revealed that a blue screen of death (BSOD) can be triggered by making a “very specific set of operating system calls.” Although he has not been able to determine if the security hole can be used by an attacker to execute arbitrary code, he confirmed that it could be utilized to corrupt kernel memory and cause a DoS state. Source: http://news.softpedia.com/news/Researcher-Finds-Denial-of-Service- Vulnerability-in-Window-7-300118.shtml

43. October 17, Threatpost – (International) Nitol Botnet shares code with other China- based DDoS malware. Microsoft learned that much of the code used by the Nitol malware family is copied from free malware resources hosted on Chinese Web sites. Microsoft posted portions of the code online the week of October 15, where similar lines used for denial-of-service (DoS) attack functionality are present in Nitol and on the sites in question. An antivirus researcher at Microsoft said that Nitol.A and Nitol.B also resemble malware used by the IMDDOS and Avzhan botnets, both of which, like Nitol, are used to carry out distributed denial-of-service (DDoS) attacks. Nitol.A and Nitol.B are the most active variants of the Nitol family. The Nitol botnet was recently taken down by Microsoft after it was given permission by the U.S. District Court for the Eastern District of Virginia to take control of the 70,000 sub-domains hosting malware on the 3322.org domain. Source: http://threatpost.com/en_us/blogs/nitol-botnet-shares-code-other-china-based- ddos-malware-101712

44. October 17, Softpedia – (International) Vodafone ‘account update’ notifications lead to phishing sites. Vodafone phishing emails have been seen landing in inboxes in the past few days, informing customers that they need to update their accounts. Cybercriminals are not only after bank account details. The information stored in accounts that customers register on their mobile carrier’s site could be just as valuable. Spammers have started sending out alerts entitled “Your Vodafone accounts update.” The link does not point to the legitimate Vodafone site, but a Web page designed to trick users into disclosing their usernames and passwords. By gaining access to their victims’ accounts, the scammers also gain access to billing information and other sensitive data that can be used to commit identity theft-related crimes. Source: http://news.softpedia.com/news/Vodafone-Account-Update-Notifications- Lead-to-Phishing-Sites-300149.shtml

45. October 17, SC Magazine – (International) Security beefed up in new Adobe Reader, Acrobat. The week of October 15, Adobe released new versions of its flagship Reader and Acrobat products to include a number of new security capabilities. Reader XI extends previously introduced sandbox “Protected View” controls — in which PDFs are displayed in a confined environment to prevent malware from running elsewhere on the machine — to now include “read-only” activities so hackers are unable to steal data via attacks, including so-called screen scrapes. The new Reader and Acrobat editions also include a built-in security feature known as Address Space Layout Randomization, or ASLR. Introduced with the release of Windows Vista in early 2007, ASLR randomizes memory space and significantly lowers the chances for certain code execution attacks to succeed. “Force ASLR improves the effectiveness of existing ASLR implementations by ensuring that all DLLs (dynamic-link libraries) loaded by Adobe Reader or Acrobat XI, including legacy DLLs without ASLR enabled, are randomized,” a researcher with the Adobe Secure Software Engineering Team said October 17. Source: http://www.scmagazine.com/security-beefed-up-in-new-adobe-reader- acrobat/article/264112/

Communications Sector

46. October 18, NorthEscambia.com – (Florida; Alabama) Frontier, Verizon customers report widespread telephone outages. There was no immediate word October 17 on the cause of communications problems in North Escambia, Florida, that left many residents unable to make or receive phone calls. Frontier Communications customers from Molino, Florida north through Walnut Hill and Atmore into Monroe County, Alabama, reported that they were unable to make phone calls outside of Frontier exchanges and unable to receive phone calls from non-Frontier customers. Numerous Verizon Wireless customers also reported problems making and receiving calls or text messages, particularly in the Molino area. Source: http://www.northescambia.com/2012/10/frontier-verizon-customers-report- widespread-telephone-outages


Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport

Contact Information

Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List:     Send mail to support@govdelivery.com.


Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure
Coordinating Center at  nicc@dhs.gov or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at  soc@us-cert.gov or visit their Web page at  www.us-cert.go v.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.