Monday, December 10, 2012
Daily Report
Top Stories
• Researchers December 6 unleashed proof-of-concept code that would allow an attacker to effectively write himself a check from the victim organization’s accounting software. They said the same types of attacks could also be aimed against a variety of accounting packages. – Dark Reading See item 3 below in the Banking and Finance Sector
• Grease and rags from a residential neighborhood clogged a 15-inch plastic sewer line in San Antonio December 4, causing 63,000 gallons of sewage to overflow. – San Antonio Express-News
7. December 7, Associated Press – (New York) Bus driver not guilty of manslaughter in NY crash. A casino bus driver at the wheel in a New York crash that killed 15 people in 2011 was found not guilty of manslaughter and criminally negligent homicide December 7. He was found guilty on one count of aggravated unlicensed operation of a motor vehicle. The defense attorney said he was well-rested and that the crash resulted from a tractor-trailer that swiped the bus and drove off, causing the driver to lose control. The bus was traveling from a Connecticut casino to New York’s Chinatown when it crashed March 12, 2011. Authorities said the speeding bus ran off the highway, hit a guardrail, and toppled. Source: http://www.seattlepi.com/news/crime/article/Bus-driver-not-guilty-of-manslaughter-in-NY-crash-4098542.php
• Two separate reports released December 6 showed that 94 percent of U.S. healthcare organizations have been hit by at least 1 data breach, and close to half suffered more than 5 breaches in the past 2 years. – Dark Reading
16. December 6, Dark Reading – (National) Most healthcare organizations suffered data breaches. Two separate reports released December 6 showed that 94 percent of U.S. healthcare organizations have been hit by at least 1 data breach and close to half suffered more than 5 breaches in the past 2 years. The estimated cost of these breaches to the healthcare industry now averages $7 billion per year, a 15 percent increase over the past three years, according to the Third Annual Benchmark Study on Patient Privacy & Data Security by The Ponemon Institute, which was commissioned by ID Experts. According to a second, unrelated report from The Health Information Trust Alliance (HITRUST), there were some 500 data breaches at U.S. healthcare organizations from 2009 to the present, with 21 million personal records exposed, at an estimated cost of $4 billion in damages. HITRUST included only breaches affecting 500 or more individuals, and says the numbers, which come from U.S. Department of Health and Human Services (HHS) data, signal little improvement in preventing breaches. More than 60 percent of those breaches came at smaller physician practices of 1 to 100 employees. The data shows it takes a healthcare organization an average of 84 days to identify a breach, and 68 days to issue a notification of it. About half of the respondents in the Ponemon survey said their data breaches led to actual medical identity theft among their patients. Source: http://www.darkreading.com/risk-management/167901115/security/attacks-breaches/240144006/most-healthcare-organizations-suffered-data-breaches.html
• According to Microsoft’s Malware Protection Center, the Necurs malware was spotted on 83,427 unique computers in November alone. Experts revealed that the malware might even be capable of disabling Microsoft Security Essentials’ real-time protection. – Softpedia See item 24 below in the Information Technology Sector
Details
Banking and Finance Sector
3. December 6, Dark Reading – (International) ‘Project Mayhem’ hacks accounting software. Researchers December 6 unleashed proof-of-concept code that would allow an attacker to basically write himself a check from the victim organization’s account. The Python-based tool is just one example of the type of advanced financial fraud that could be perpetrated against accounting applications and databases, according to SecureState researchers, who at Black Hat Abu Dhabi demonstrated their tool and findings on threats to accounting software. They focused their efforts on Microsoft’s Dynamics Great Plains application, but they said the same types of attacks could also be aimed at other accounting packages. No vulnerabilities were discovered or exploited in the Microsoft product. The Mayhem script detects that the Microsoft software is running and creates a backdoor that lets the attacker remotely issue SQL queries against the accounting database and commit all types of financial fraud. “It doesn’t even need to install a traditional piece of [trojan] backdoor malware like” most financial fraud malware does today, said the manager of SecureState’s penetration testing team. “We compare it with a banking trojan that hijacks [automated clearing house] ACH and wire transfers without the user’s knowledge, but this time we’re looking at the accounting system instead of the online banking session,” he said. Microsoft’s accounting program is not the only potential victim. The manager said the same concept could be applied to MAS 90, Peachtree, Oracle, and SAP. Source: http://www.darkreading.com/database-security/167901020/security/application-security/240144003/project-mayhem-hacks-accounting-software.html
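The security-relevant point of item 3 is that no software flaw is needed: the accounting client is just a front end to a SQL database, so any process that can reach that database with valid credentials can post the same transactions the client would, and the check printer will honor them. The defensive check a practitioner wants is therefore on the database side: which program, login and host wrote to the tables that move money. The following is an added example written for this report, not SecureState’s tool and not Microsoft code. The audit rows, the program names and the table names (vendor_master, payables_batch, ACCOUNTING_DB) are constructed stand-ins for what a SQL Server audit or extended-events session would emit; real Dynamics GP object names are deliberately not used.

```python
"""Flag writes to an accounting back end that did not come through the
accounting client.

Added example for the 'Project Mayhem' item above: this is not SecureState's
tool and not Microsoft code. The audit rows, the program names and the table
names are constructed stand-ins for what a SQL Server audit or extended-events
session would emit; real Dynamics GP object names are deliberately not used.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample of audit output, one row per executed statement.
# Statements are kept free of commas so the CSV needs no quoting.
SAMPLE_AUDIT = """\
time,login,host,program_name,database,statement
2012-12-06T09:01:02,gpuser,WKS-ACCT01,Microsoft Dynamics GP,ACCOUNTING_DB,UPDATE vendor_master SET remit_to='PO Box 12' WHERE vendor_id='V100'
2012-12-06T09:03:10,gpuser,WKS-ACCT01,Microsoft Dynamics GP,ACCOUNTING_DB,INSERT INTO payables_batch SELECT * FROM staging_payables
2012-12-06T22:14:45,gpuser,WKS-ACCT01,python,ACCOUNTING_DB,INSERT INTO vendor_master (vendor_id) VALUES ('V999')
2012-12-06T22:15:01,gpuser,WKS-ACCT01,python,ACCOUNTING_DB,UPDATE payables_batch SET amount=48000.00 WHERE vendor_id='V999'
2012-12-06T22:15:30,reportsvc,RPT-SRV,SQLCMD,ACCOUNTING_DB,SELECT vendor_id FROM vendor_master
2012-12-06T22:16:00,reportsvc,RPT-SRV,python,OTHER_DB,UPDATE vendor_master SET flag=1
"""

# Assumptions (hypothetical names): the only client allowed to post
# transactions, and the tables whose modification turns into money leaving.
ALLOWED_WRITERS = {"Microsoft Dynamics GP"}
PAYMENT_TABLES = {"vendor_master", "payables_batch"}
WRITE_VERBS = {"INSERT", "UPDATE", "DELETE", "MERGE"}


@dataclass(frozen=True)
class Finding:
    time: str
    login: str
    host: str
    program_name: str
    table: str


def written_table(statement: str):
    """Target table of a T-SQL write statement, lower-cased; None for reads."""
    tokens = statement.strip().split()
    if len(tokens) < 2 or tokens[0].upper() not in WRITE_VERBS:
        return None
    # INSERT [INTO] t, UPDATE t, DELETE [FROM] t, MERGE [INTO] t
    if tokens[1].upper() in ("INTO", "FROM") and len(tokens) > 2:
        target = tokens[2]
    else:
        target = tokens[1]
    return target.strip("[]").split("(")[0].lower()


def find_bypass_writes(audit_csv: str, database: str = "ACCOUNTING_DB"):
    """Writes to payment tables in `database` by anything other than the
    accounting client.  Returns a list of Finding in audit order."""
    findings = []
    for row in csv.DictReader(io.StringIO(audit_csv)):
        if row["database"] != database:
            continue
        table = written_table(row["statement"])
        if table not in PAYMENT_TABLES:
            continue
        if row["program_name"] in ALLOWED_WRITERS:
            continue
        findings.append(Finding(row["time"], row["login"], row["host"],
                                row["program_name"], table))
    return findings


if __name__ == "__main__":
    for f in find_bypass_writes(SAMPLE_AUDIT):
        print(f"{f.time} {f.login}@{f.host} via {f.program_name!r} wrote {f.table}")
```

Against the constructed sample this flags the two late-night writes made by a bare python process with the accounting user’s credentials. The caveat: program_name is supplied by the client (the Application Name in the connection string), so a script can claim to be the accounting client; treat this check as the cheap filter and pair it with a dedicated SQL login for the client, host restrictions on that login, and dual control on vendor master changes.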
4. December 6, Associated Press – (Colorado) Federal fraud charges in Colorado bank failure. A former New Frontier Bank loan officer is facing federal fraud charges involving millions of dollars in the 4 years prior to the Greeley, Colorado bank’s shutdown by State regulators in 2009. The man appeared in U.S. District Court December 5. He was the chief loan officer at New Frontier, which had $2 billion in assets before lending practices turned it into one of the country’s most expensive bank failures in 2009, costing the Federal Deposit Insurance Corp. $670 million. The man was responsible for making more than $20 million in loans to borrowers in return for $4.3 million used to purchase New Frontier Bankcorp stock. He is also accused of trying to pocket $160,000 in illegally obtained money. Source: http://www.sfgate.com/news/crime/article/Federal-fraud-charges-in-Colorado-bank-failure-4096795.php
5. December 6, IDG News Service – (International) Former Anonymous member convicted in attacks against PayPal, MasterCard, Visa. A U.K. man was convicted for his involvement in a series of distributed denial-of-service (DDoS) attacks launched by the hacktivist group Anonymous against PayPal, MasterCard, Visa, and other companies in 2010. The man was convicted December 6 in a London court on one count of conspiracy to impair the operation of computers, the U.K.’s Crown Prosecution Service said in a blog post. The man, who used the online handle “Nerdo,” was arrested in January 2011 and was charged in September 2011 with computer-related offenses in relation to Anonymous’ “Operation Payback” attack campaign. DDoS attacks launched as part of “Operation Payback” originally targeted companies and organizations from the music industry. However, the campaign later switched its focus toward PayPal, MasterCard, Visa, and other financial companies. Three other men arrested in the U.K. in connection with the same attacks pleaded guilty earlier in 2012 to one count each of conspiracy to impair the operation of computers. According to the Crown Prosecution Service, the DDoS attacks cost PayPal, MasterCard, Visa, the British Recorded Music Industry, Ministry of Sound, and the International Federation of the Phonographic Industry $5.6 million in additional staffing, software, and loss of sales. Source: http://www.computerworld.com/s/article/9234434/Former_Anonymous_member_convicted_in_attacks_against_PayPal_MasterCard_Visa?source=rss_security&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+computerworld/s/feed/topic/17+(Computerworld+Security+N
Information Technology Sector
22. December 7, IDG News Service – (International) Tor network used to command Skynet botnet. Security researchers have identified a botnet controlled by its creators over the Tor anonymity network, and it is likely that other botnet operators will adopt this approach, according to the team from vulnerability assessment and penetration testing firm Rapid7. The botnet is called Skynet and can be used to launch distributed denial-of-service (DDoS) attacks, generate Bitcoins (a type of virtual currency) using the processing power of graphics cards installed in infected computers, download and execute arbitrary files, or steal login credentials for Web sites, including online banking ones. What really makes this botnet stand out is that its command and control (C&C) servers are only accessible from within the Tor anonymity network, using the Tor Hidden Service protocol. Tor Hidden Services are perfect for a botnet operation, a security researcher at Rapid7 said in an email December 7: “As far as I understand, there is no technical way neither to trace and definitely neither to take down the Hidden Services used for C&C.” The researcher published a blog post about the Skynet botnet December 6. He believes it is the same botnet described by a self-confessed botnet operator in an “IAmA” (I am a) thread on Reddit seven months ago. Despite the wealth of information its creator offered on Reddit at the time, the botnet is still alive and strong: Rapid7 researchers estimate its current size at 12,000 to 15,000 compromised computers, up to 50 percent more than what its operator estimated seven months ago. Source: http://www.itworld.com/security/326374/tor-network-used-command-skynet-botnet
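If the hidden service cannot be traced or taken down, as the Rapid7 researcher says, the place left to act is the infected endpoint and the network edge: a bot that reaches its C&C through Tor has to run a Tor client, and that client talks to relays listed in the public Tor consensus. The following is an added example for this item, not Rapid7’s code. The flow records and the relay list are constructed stand-ins; in practice the relay list is built from a cached consensus document or the Tor Project’s relay search data, and the flows come from a firewall or NetFlow exporter.

```python
"""Flag internal hosts that appear to be talking to the Tor network.

Added example for the Skynet item above; this is not Rapid7's code. The flow
records and the relay list are constructed stand-ins: in practice the relay
list is built from the Tor consensus and the flows come from a firewall or
NetFlow exporter.
"""
from collections import defaultdict

# Constructed: addresses we pretend appeared in a consensus snapshot.
TOR_RELAYS = {"198.51.100.7", "198.51.100.23", "203.0.113.41"}

# Tor's default ORPort and DirPort. Many relays listen on 443 instead, so a
# port match on its own is only a secondary, weaker indicator.
TOR_DEFAULT_PORTS = {9001, 9030}

# Constructed flow log: (src_ip, dst_ip, dst_port, bytes_out)
SAMPLE_FLOWS = [
    ("10.0.0.15", "93.184.216.34", 443, 1200),   # ordinary HTTPS
    ("10.0.0.15", "198.51.100.7", 443, 8800),    # known relay on 443
    ("10.0.0.15", "203.0.113.41", 9001, 15300),  # known relay on ORPort
    ("10.0.0.15", "198.51.100.23", 9001, 900),   # third known relay
    ("10.0.0.22", "93.184.216.34", 80, 300),
    ("10.0.0.22", "192.0.2.9", 9001, 400),       # unknown host, ORPort only
    ("10.0.0.31", "198.51.100.7", 443, 500),     # single relay contact
]


def relay_contacts(flows, relays=TOR_RELAYS, min_relays=2):
    """Map src_ip -> set of known relays contacted, for hosts that reached
    at least `min_relays` distinct relays.  One contact may be a web server
    that also happens to run a relay; a client that keeps fetching directory
    data and building circuits through its guard(s) is harder to explain."""
    contacts = defaultdict(set)
    for src, dst, _port, _bytes in flows:
        if dst in relays:
            contacts[src].add(dst)
    return {src: ips for src, ips in contacts.items() if len(ips) >= min_relays}


def port_only_hits(flows, relays=TOR_RELAYS):
    """Weaker signal: traffic to Tor's default ports at hosts that are not in
    the relay snapshot (a bridge, or a relay newer than the snapshot)."""
    return [(src, dst, port) for src, dst, port, _bytes in flows
            if port in TOR_DEFAULT_PORTS and dst not in relays]


if __name__ == "__main__":
    for src, ips in relay_contacts(SAMPLE_FLOWS).items():
        print(f"{src}: {len(ips)} known Tor relays contacted")
    for src, dst, port in port_only_hits(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port} (Tor default port, host not in snapshot)")
```

On the constructed flows, 10.0.0.15 is reported for contacting three known relays, 10.0.0.31 is ignored for a single contact, and 10.0.0.22 shows up only on the weaker port-based list. The caveat is that Tor bridges and pluggable transports are not in the consensus, so a bot built to use them will not match the relay list; the check catches the ordinary configuration, which is what the article describes.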
23. December 7, Softpedia – (International) BlackHole exploit kit has difficulties in infecting Chrome users, experts say. The notorious Blackhole exploit kit has difficulties when its victims use Google’s Chrome Web browser. According to experts from Blue Coat, when potential victims are tricked into clicking on links that point to Blackhole-infested Web sites, they are presented with a “loading” or “please wait” message while in the background they are redirected to the exploit pages that infect their computers with a piece of malware. However, this only happens if the victim uses a browser such as Internet Explorer or Firefox. During the attack, when users are redirected to the exploit pages, a script checks the user agent to identify which browser is in use. If Chrome is detected, the victims are not redirected to the Blackhole page; instead, they are taken to another malicious page where they are urged to install a rogue Chrome update. This happens because Blackhole uses vulnerabilities in popular applications, such as Adobe Reader, Java, and the browser itself, to push malware onto the victim’s device. Since Chrome renders PDF files with its built-in reader and asks users for permission before running a Java applet, Blackhole cannot succeed in its malicious task. Source: http://news.softpedia.com/news/BlackHole-Exploit-Kit-Has-Difficulties-in-Infecting-Chrome-Users-Experts-Say-312810.shtml
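The user-agent branch described above is a form of cloaking, and it gives a responder a cheap check: fetch the suspect URL with several User-Agent strings and see whether the server sends different browsers to different places. The following is an added example for this item, not Blue Coat’s code and not the kit’s code. fake_landing_page is a constructed stand-in that mimics only the behavior the article describes (a Chrome UA is sent to a bogus “update” page, other browsers to the exploit page); http_location runs the same probe against a live URL, and the hostnames are constructed.

```python
"""Probe a URL with several User-Agent strings and report whether it sends
different browsers to different places.

Added example for the Blackhole/Chrome item above; not Blue Coat's code and
not the exploit kit's code. `fake_landing_page` is a constructed stand-in that
mimics only the behaviour described in the article; `http_location` is the
same probe against a live URL. All hostnames are constructed.
"""
import urllib.error
import urllib.request
from collections import defaultdict

# Constructed User-Agent strings, one per browser family the article names.
USER_AGENTS = {
    "ie9": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
    "firefox": "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0",
    "chrome": ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 "
               "(KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"),
}


def fake_landing_page(user_agent: str) -> str:
    """Stand-in redirector: returns the destination it would send the UA to."""
    if "Chrome/" in user_agent:
        return "http://update.example/chrome-update.exe"  # constructed
    return "http://exploit.example/landing.php"  # constructed


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop at the first hop so the Location header can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_location(url: str, user_agent: str, timeout: int = 10) -> str:
    """Fetch `url` once with the given UA; return the Location header of a
    3xx answer, or the final URL when the server did not redirect."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.geturl()
    except urllib.error.HTTPError as err:
        return err.headers.get("Location", url)


def probe_cloaking(fetch_location, user_agents=USER_AGENTS):
    """Call fetch_location(ua) for every UA and group browsers by destination.
    More than one key means the page discriminates on User-Agent."""
    by_destination = defaultdict(list)
    for name, ua in user_agents.items():
        by_destination[fetch_location(ua)].append(name)
    return dict(by_destination)


def is_cloaked(fetch_location, user_agents=USER_AGENTS) -> bool:
    return len(probe_cloaking(fetch_location, user_agents)) > 1


if __name__ == "__main__":
    # Offline demonstration against the stand-in. For a live URL use:
    #   functools.partial(http_location, "http://suspect.example/")
    for dest, browsers in probe_cloaking(fake_landing_page).items():
        print(f"{', '.join(browsers)} -> {dest}")
```

The caveat is that the article says a script checks the user agent, which may well happen in JavaScript in the victim’s browser rather than in an HTTP redirect; an HTTP-level probe then sees the same page for every UA, and the comparison has to be made on the page body or by driving a real browser with a spoofed UA. The other thing the item shows is where the attack surface moves when the exploits fail: Chrome users are not exploited, they are asked to install an “update,” so the user is the remaining target.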
24. December 7, Softpedia – (International) Necurs malware infects over 83,000 machines in November 2012, Microsoft says. According to experts from Microsoft’s Malware Protection Center, the Necurs malware was spotted on 83,427 unique computers in November alone. Researchers report that Necurs is usually distributed via Web sites that host the BlackHole exploit kit. Once on a computer, it downloads additional malicious components, disables security applications, and hides its components. The malware also allows its controllers to gain complete control over the infected device through its backdoor functionality, and it can send spam and install scareware. Experts reveal that the malware might even be capable of disabling Microsoft Security Essentials’ real-time protection. Microsoft researchers have published a technical analysis of how Necurs accomplishes all these tasks. Source: http://news.softpedia.com/news/Necurs-Malware-Infects-Over-83-000-Machines-in-November-2012-Microsoft-Says-312884.shtml
25. December 7, The Register – (International) Rare critical Word vuln is the star of December Patch Tuesday. Microsoft is planning to release seven bulletins December 11, five of which tackle critical vulnerabilities, as part of its final Patch Tuesday update of 2012. All currently supported operating systems (including Windows 8 and Windows RT) will need patching. The updates feature critical updates for Internet Explorer (IE) 9 and IE 10, a critical update for Microsoft Word, and critical updates for some of Microsoft’s server products (Exchange and SharePoint). Qualys’s chief technology officer singled out the Word update for particular attention. “Bulletin 3 is special, as it affects Microsoft Word and is rated critical, which happens very rarely,” he said. Source: http://www.theregister.co.uk/2012/12/07/patch_tuesday_dec_2012_pre_alert/
26. December 7, Associated Press – (International) Hackers said to hit UN telecoms talks in Dubai. Organizers of a U.N. conference on global telecommunications said December 6 that hackers apparently blocked their Web site and disrupted the talks. The U.N.’s International Telecommunications Union said the Web site was hit December 5, blocking access to its main page and interfering with a closed-door working group. It said it was still investigating but that initial signs pointed to hackers. The statement said Internet traffic was diverted to a backup Web site for 2 hours before normal operations resumed. Source: http://www.ctpost.com/business/technology/article/Hackers-said-to-hit-UN-telecoms-talks-in-Dubai-4096444.php
For more stories, see items 3 and 5 above in the Banking and Finance Sector
Communications Sector
27. December 7, Lihue Garden Island – (Hawaii) Storm knocks KUAI 720AM off the air. A Kaua’i, Hawaii country radio station was knocked off the air in a December 4 electrical storm. KUAI 720 AM Eleele has been off the air since December 4, when both the power and telephone communication systems were impacted by the storm, the chief engineer and operation manager for the KQNG radio group said. The Kaua’i Island Utilities Cooperative was able to restore power to the antenna and transmission tower. The chief engineer and operation manager said Hawaiian Telcom was hoping to reach the tower December 7, but their crews were experiencing a heavier repair load than usual from the storm on the west side of the island. Both the power and telephone systems need to be operational before he can assess whether there was any damage to the equipment at the studio. There was no estimate of how long it will be before the station is back on the air. Source: http://thegardenisland.com/news/local/storm-knocks-kuai-am-off-the-air/article_8f779414-4045-11e2-a753-0019bb2963f4.html
28. December 7, New York Post – (New York) Mayor wants to have telecommunications services restored to Lower Manhattan by end of year. Speaking December 7 at a forum on New York City’s future after Hurricane Sandy, the city’s mayor disclosed that he had a “long conversation” December 6 with the Verizon CEO and that together they developed a plan to provide temporary telecommunications services to downtown buildings by the end of 2012. Verizon lost 95 percent of its copper wiring to the salt water that enveloped its downtown system during the storm. The deputy mayor said Verizon has undertaken a monumental recovery effort and is replacing its unusable copper wires with advanced fiber optics. He said the company, with the city’s help, will also work to provide interim service to the affected buildings. Source: http://www.nypost.com/p/news/local/mayor_bloomberg_sandy_weather_working_kH8q04Sqs6FGoxV7M5dUeJ
29. December 6, CNET – (National) FCC fast tracks text-to-911 service. The Federal Communications Commission (FCC) chairman announced December 6 that the four largest wireless carriers in the U.S. have agreed to fast track a service that will let people text the emergency 9-1-1 line. AT&T, Verizon Wireless, Sprint, and T-Mobile have all signed on, and major deployments are planned to roll out in 2013. The service should be fully available nationwide by May 15, 2014. Dubbed “Next Generation 9-1-1,” the project has been in the works at the FCC for the last two years. The goal of the service is to offer people more ways to contact emergency officials, as well as to improve the network to ensure it holds up for new communication technologies. According to the FCC chairman, a key component of Next Generation 9-1-1 is the rapid deployment of text messaging, photo, and video support. While the service is being phased in, the mobile carriers will send an automatic “bounce back” text message when any attempt to reach 9-1-1 via text message fails. This bounce-back message would come before the text-to-9-1-1 service is available in a given area. Source: http://news.cnet.com/8301-1023_3-57557711-93/fcc-fast-tracks-text-to-911-service/
30. December 6, Visalia Times-Delta – (California) Visalia classic rock station knocked off air. KIOO 99.7 FM Porterville was knocked off the air when a delivery truck hit and destroyed its broadcast tower on Lewis Hill in California, the Visalia Times-Delta reported December 6. There were no injuries as a result of the accident, but the antenna was so badly damaged it had to be removed. Momentum Broadcasting, the Visalia-based owner of the station, was trying to get a limited signal going, but a new tower will have to be erected, which may take up to two days, station management said. Source: http://blogs.visaliatimesdelta.com/choices/2012/12/06/visalia-classic-rock-station-knocked-off-air/
For another story, see item 26 above in the Information Technology Sector
Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information
About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport
Contact Information
Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314
Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.
Contact DHS
To report physical infrastructure incidents or to request information, please contact the National Infrastructure
To report cyber infrastructure incidents or to request information, please contact US-CERT at soc@us-cert.gov or visit their Web page at www.us-cert.gov.
Department of Homeland Security Disclaimer
The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.