Thursday, December 6, 2012


Daily Report

Top Stories

• Fire officials estimated damage to a Mobile Transformer burned in a December 4 fire at the Maui Electric Company’s Pu’ukoli’i Substation at one million dollars. The Maui Police Department also reported a water outage in the Ka’anapali resort area. – Mauinow.com

1. December 4, Mauinow.com – (Hawaii) Pu’ukoli’i substation fire causes $1 million damage. Fire officials estimated damage to a Mobile Transformer burned in a morning fire at the Maui Electric Company’s (MECO) Pu’ukoli’i Substation at one million dollars, Maui Now reported December 4. The Maui Fire Services chief said the fire was reported at Pu’ukoli’i Road. The fire resulted in a power outage for much of the Ka’anapali resort area. MECO officials said electrical service has since been restored to remaining customers in Pu’ukoli’i. No injuries were reported and the cause of the fire was undetermined, said the fire chief. The Maui Police Department also reported a water outage in the Ka’anapali resort area. Officials have been notified and work crews were on scene. County officials had indicated that a power outage caused by the Pu’ukoli’i substation may have affected one of the county’s pump stations and water service in the area. Source: http://mauinow.com/2012/12/04/puukolii-power-outage-fire-at-substation/

 • The cybercrime group behind the Gameover Zeus Trojan that steals online banking credentials and credit card numbers is waging a massive malicious email campaign that enlists the massive Cutwail spamming botnet to blast its emails. More than half of the Top 20 Fortune 500 firms were infected with the trojan as of this summer. – Dark Reading See item 4 below in the Banking and Finance Sector

 • The investigation into Legionnaire’s disease at Pittsburgh’s Veterans Affairs (VA) hospitals has widened to include claims that some union workers have gotten sick there, and the death of a man in October. A VA spokesman confirmed that Pittsburgh VA officials found Legionella bacteria in the water supply. – Associated Press

18. December 5, Associated Press – (Pennsylvania) Legionnaire’s probe at Pittsburgh VA widening. The investigation into Legionnaire’s disease at Pittsburgh’s Veterans Affairs (VA) hospitals has widened to include claims that some union workers have gotten sick there, and the death of a man in October, the Associated Press reported December 5. The U.S. Centers for Disease Control and Prevention have previously been investigating five cases reported last month, including one patient who died. A - 10 - widow said her husband died October 23 after he was diagnosed with Legionnaire’s shortly after staying at a VA hospital for heart problems, according to the Pittsburgh Post-Gazette. And the Pittsburgh Tribune-Review reported that union officials claim three hospital workers have gotten Legionnaire’s in the past several weeks. VA spokesman said he could not comment on the claims by the widow regarding the death of her husband. He also would not comment on claims about the sick workers made by American Federation of Government Employees Local 2028 president. A VA spokesman confirmed that Pittsburgh VA officials found Legionella bacteria in the water supply at its H.J. Heinz Campus, near Aspinwall, and were restricting water use there while the filtration system was treated with chlorine. Source: http://www.militarytimes.com/news/2012/12/ap-legionnaries-probe-at-pittsburgh-va-widening-120412/

 • A San Francisco consumer protection lawyer reported December 4 that more than 100,000 patients of Alere Home Monitoring were alerted that their personal information may have been compromised after the company discovered a laptop containing patient records was stolen from an employee’s vehicle. – Justice News Flash

20. December 4, Justice News Flash – (California) Alere Home Monitoring data breach affects more than 100,000 patients. A San Francisco consumer protection lawyer reported December 4 that more than 100,000 patients of Alere Home Monitoring were alerted that their personal information may have been compromised after the company discovered a laptop containing patient records was stolen from an employee’s vehicle. According to the News-Press.com, the laptop contained the names, Social Security numbers, addresses, and diagnoses of more than 100,000 patients who take drugs to prevent blood clots, such as Warfarin or Coumadin. Although the information on the laptop was password protected, it was not encrypted. According to the News- Press.com, affected individuals are now at risk of identity theft as a result of the data breach. Source: http://www.justicenewsflash.com/2012/12/04/bay-area-consumer-protection- lawyer-alere-home-monitoring-leaks-patient-info_20121204108038.html

Details

Banking and Finance Sector

2. December 5, Help Net Security – (International) How the Eurograbber attack stole 36 million euros. Check Point has revealed how a sophisticated malware attack was used to steal an estimated 36 million euros from over 30,000 customers of over 30 banks in Italy, Spain, Germany, and Holland over summer, Help Net Security reported December 5. The theft used malware to target the PCs and mobile devices of banking customers. The attack also took advantage of SMS messages used by banks as part of customers’ secure login and authentication process. The attack worked by infecting victims’ PCs and mobiles with a modified version of the Zeus trojan. When victims attempted online bank transactions, the process was intercepted by the trojan. Under the guise of upgrading the online banking software, victims were duped into giving additional information including their mobile phone number, infecting the mobile device. The mobile Trojan worked on both Blackberry and Android devices. The attackers could then intercept and hijack all the victims’ banking transactions, including the bank’s SMS to the customer containing the ‘transaction authentication number’ (TAN). With the account number, password, and TAN, the attackers were able to stealthily transfer funds out of victims’ accounts while victims were left with the impression that their transaction had completed successfully. Source: http://www.net-security.org/malware_news.php?id=2344&utm_source=feedburner&utm_medium=fee d&utm_campaign=Feed:+HelpNetSecurity+(Help+Net+Security)&utm_content=Goog le+Reader

3. December 5, ZDNet – (Connecticut) Apple trader arrested in $1 billion wire fraud. A trader for Rochdale Securities in Stamford, Connecticut, was arrested December 5 based on a federal criminal complaint charging him with wire fraud involving an unauthorized stock purchase that caused Rochdale a $5 million loss. In a “get-rich-quick” scheme, the trader allegedly orchestrated an unauthorized purchase of roughly $1 billion in Apple stock, which left his employer with severe financial losses. Within the criminal complaint, the FBI said that the trader cooked up a quick way to make money by purchasing 1.625 million Apple shares with the brokerage’s money October 25, the same day that Apple was due to release their quarterly earnings. The trader expected the stock prices to rise, but when they fell he left the company at a - 4 - severe loss. As the shares were bought with the brokerage’s money, Rochdale bore the $5 million financial loss. Authorities also said that the trader may have defrauded another broker-dealer at the same time. Through “misrepresentations” it is alleged that the trader convinced an unrelated company to sell 500,000 Apple shares in order to conduct the larger scheme at Rochdales. Source: http://www.zdnet.com/apple-trader-arrested-in-1-billion-wire-fraud- 7000008349/

4. December 4, Dark Reading – (International) ‘Gameover Zeus’ gang launches new attacks. The cybercrime group behind the Gameover Zeus Trojan that steals online banking credentials and credit card numbers is waging a massive malicious email campaign that enlists the massive Cutwail spamming botnet to blast its emails, Dark Reading reported December 4. Millions of emails — many of which pose as coming from major U.S. banks — have been spammed out in recent weeks, according to Dell SecureWorks’ Counter Threat Unit. “You have received a new encrypted message or a secure message from [XYZ] Bank,” one of the email campaigns reads. The message includes an infected attachment that the “bank” requires for download and registration to the supposed secure email system. Once downloaded, it executes the pony downloader trojan that installs Gameover and steals online banking credentials, credit card account numbers, and other information. Another email campaign claims the recipient has received a fax, scan, or voicemail, and includes a “free program” for retrieving the message. This installs the malware. The Gameover gang, unlike some cybercrime groups, does not lease or sell its malware or services. It is a closed operation that, instead, sometimes contracts resources such as the Cutwail botnet to transport its attacks. More than half of the Top 20 Fortune 500 firms were infected with the trojan as of this summer, according to SecureWorks, which in July published a report on Gameover. Source: http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/240143802/gameover-zeus-gang-launches-new-attacks.html

5. December 4, Associated Press – (Iowa) Officials: More than 90,000 Iowa residents affected by nationwide insurance data breach. Iowa officials said more than 90,000 residents in the State have been affected by a nationwide insurance breach that has impacted more than a million people, the Associated Press reported December 4. The breach affected customers for Nationwide Insurance and Allied Insurance. The Ohio-based company posted news on its Web site about the October 3 intrusion, which explains personal data was compromised from both policy holders and non-policy holders. The company said it is not aware of any misuse of the information. The Iowa attorney general said Iowa residents may have been affected by the breach if they were seeking a competitive insurance quote through a company or third party agent that ran information through Nationwide. Source: http://www.therepublic.com/view/story/ca836963edeb4ddda06405de389f6e52/IA-- Data-Breach-Iowa

6. December 4, Krebs on Security – (International) ATM thieves swap security camera for keyboard. Authorities in Brazil arrested a man who allegedly stole more than - 5 - $41,000 from an ATM after swapping its security camera with a portable keyboard that let him hack the cash machine, Krebs on Security reported December 4. According to the O Estado de S. Paulo newspaper, a crook approached an ATM at the Bank of Brazil and somehow removed the security camera from the machine. Apparently, the camera was a USB-based device, because the thief then was able to insert his own USB stick into the slot previously occupied by the camera. The attacker was then able to connect a folding keyboard to the ATM’s computer and restart the machine. After the thief rebooted the ATM’s computer, he was reportedly able to type the value of the currency notes that he intended to withdraw. The thief started by removing all of the R $100 bills, and then moved on to the R $50 notes, and so on. Police were alerted by the central bank’s security team, and caught the thief in the process of withdrawing the funds. Brazilian authorities said they believe the man was being coached via phone, but that the man they apprehended refused to give up the identity of his accomplice. Source: http://krebsonsecurity.com/2012/12/atm-thieves-swap-security-camera-for-keyboard/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+KrebsOnSecurity+(Krebs+on+Security)&utm_content=Google+Reader

For another story, see item 31 below in the Information Technology Sector

Information Technology Sector

31. December 5, Help Net Security – (International) Spoofed RapidFax alert carries hard-to-detect trojan. Malicious email alerts purportedly being sent by RapidFax, a service that allows users to send faxes online without the need for a fax machine, have been hitting inboxes in the last few days, warns MX Lab. The spoofed “From” email address is reports @ rapidfax.com, and the subject line contains variations of “RapidFax: New Inbound Fax”. The body of the email states that a fax has been received, and gives information on when it was received, how many pages it contains, etc. The email also contains an attachment which supposedly contained the sent fax. An extremely long file name is used to make the .exe extension less noticeable, and the file sports a PDF icon for the same reason. The file is actually a trojan, and when the malicious spam campaign was first spotted, the malware was detected by only 2 of the 46 antivirus engines used by VirusTotal. That number has risen to 24. Source: http://www.net-security.org/malware_news.php?id=2345&utm_source=feedburner&utm_medium=fee d&utm_campaign=Feed:+HelpNetSecurity+(Help+Net+Security)&utm_content=Goog le+Reader

32. December 5, Help Net Security – (International) Antivirus solutions inadequate in detecting new viruses. Imperva collected and analyzed more than 80 previously non- cataloged viruses against more than 40 antivirus solutions. They found that less than 5 percent of anti-virus solutions in the study were able to initially detect previously non- cataloged viruses and that many solutions took up to a month or longer following the initial scan to update their signatures. Imperva utilized various methods for collecting more than 80 viruses. These 82 unreported viruses were tested in a virtual execution environment that ensured that they displayed behavior indicative of viruses and that limited the vulnerability to computing resources. The key findings and implications of the report included that antivirus solutions have a difficult time detecting newly created viruses, antivirus solutions lag in updating signatures, and that investment in antivirus is misaligned. While Imperva did not find a single antivirus product that provided complete protection, the solutions that had the best detection rates included two freeware antivirus products. - 15 - Source: http://www.net-security.org/malware_news.php?id=2343&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+HelpNetSecurity+(Help+Net+Security)&utm_content=Goog le+Reader

33. December 5, Help Net Security – (International) 80% of attacks are redirects from legitimate sites. Sophos released its Security Threat Report 2013, an assessment of what has happened in IT security for 2012 and what is expected for 2013. The increasing mobility of data in corporate environments has forced IT staff to become even more agile. 2012 was also a retro year driven by resurgence in traditional malware attacks, specifically malware distributed via the Web. For example, more than 80 percent of attacks were redirects, the majority of which were from legitimate Web sites that were hacked. While a large proportion of cybercrime continues to be opportunistic, Sophos believes that, in 2013, increased availability of malware testing platforms — some even providing criminals with money back guarantees – will make it more likely for malware to slip through traditional business security systems. The report also includes predictions concerning “irreversible” malware, attack toolkits with premium features, a decrease in vulnerability exploits, an increase in social engineering attacks, and attacks tied to the increasing integration of GPS and near field communication (NFC) functions. Source: http://www.net-security.org/secworld.php?id=14066&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+HelpNetSecurity+(Help+Net+Security)&utm_content=Google+R eader

34. December 4, Softpedia – (International) Vulnerability Lab researchers find 3 remotely-exploitable vulnerabilities in Skype. Vulnerability Lab researchers have identified another series of flaws in the popular Skype messaging application. Two of them are mail encoding Web vulnerabilities that affect the Skype Community. The first – a high-severity persistent input validation vulnerability bug – can allow a remote attacker to inject arbitrary code on the application-side of the Skype Community Web site. The second Web problem identified by the researchers is a filter and mail encoding vulnerability that affects the same Skype Community Web site. The security hole affects the outgoing email service and can be leveraged to execute persistent code against forum customers, administrators, and moderators. The third flaw refers to a persistent software vulnerability that affects the Windows version of Skype v5.11.0.102. A remote attacker could exploit this problem to manipulate configuration app login index files. This allows cybercriminals to persistently execute (API). This high-severity issue can be addressed by disallowing bound requests out of the software’s context. The mail encoding Web vulnerabilities have been addressed by Skype, but according to the researchers, last time they checked, the persistent software issue was not fixed. Source: http://news.softpedia.com/news/Vulnerability-Lab-Researchers-Find-3- Remotely-Exploitable-Vulnerabilities-in-Skype-311886.shtml

35. December 3, SC Magazine – (International) “Changeup” cases climb as worm exploits AutoRun. Researchers have seen a significant uptick in cases of Changeup, a worm that spreads the banking trojan Zeus and other malware via removable media, such as USB sticks, or file-sharing programs. In a six-day period between November 23 and November 28, security firm Symantec noted that Changeup detections rose from around 8,000 cases to more than 14,000. The worm – which goes by a number of other names, including “AutoRun,” coined by McAfee – is capable of infecting users’ machines that run older Windows operating systems employing AutoRun by default. Source: http://www.scmagazine.com/changeup-cases-climb-as-worm-exploits-autorun/article/270991/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+SCMagazineNews+(SC+Magazine+News)&utm_content=Google+Reader

For another story, see item 4 below in the Banking and Finance Sector

Communications Sector

36. December 4, Softpedia – (International) DefCamp 2012: Flaws in mobile networks allow users to surf the Web for free. An independent researcher at DefCamp 2012 security conference showed that a flaw in the systems of mobile operators allowed users to have unlimited access to mobile data traffic, Softpedia reported December 4. The expert found that many companies allow their customers to access the operator’s Web page even after they have eaten all the monthly data included in their contract, in order to allow them to access their user accounts. However, this access can be exploited by utilizing two different methods. If the operator does not check the type of traffic that passes through the DNS port, users can set up a VPN server – with a routable IP – on the UDP port 53, which is the same one utilized by the DNS. By making a connection from the mobile phone (or from a modem connected to a computer) to the VPN server, and by ensuring that all the traffic passes through this VPN tunnel, users can gain unlimited access to the Web. The second scenario is the one in which the mobile operators allows only DNS queries on the specific port and not through VPN. Some of the mobile operators contacted by the researcher claim they are aware of the issue. However, they will not address it, unless they discover that the flaw is being abused. Source: http://news.softpedia.com/news/DefCamp-2012-Flaw-in-Mobile-Networks- Allows-Users-to-Surf-the-Web-for-Free-311811.shtml

For another story, see item 34 above in the Information Technology Sector

Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport

Contact Information

Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List:     Send mail to support@govdelivery.com.


Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure
Coordinating Center at  nicc@dhs.gov or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at  soc@us-cert.gov or visit their Web page at  www.us-cert.go v.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.