UNCLASSIFIED

This document was prepared by the Office of Intelligence and Analysis to facilitate a greater understanding of the nature and scope of threats and hazards to the homeland. It is provided to Federal, State, Local, Tribal, Territorial and private sector officials to aid in the identification and development of appropriate actions, priorities and follow-on measures. This product may contain U.S. person information that has been deemed necessary for the intended recipient to understand, assess, or act on the information provided. It should be handled in accordance with the recipient's intelligence oversight and/or information handling procedures. Some content may be copyrighted. These materials, including copyrighted materials, are intended for "fair use" as permitted under Title 17, Section 107 of the United States Code ("The Copyright Law"). Use of copyrighted material for unauthorized purposes requires permission from the copyright owner. Any feedback regarding this report or requests for changes to the distribution list should be directed to the Open Source Enterprise via unclassified e-mail at: [email protected].

DHS Open Source Enterprise Daily Cyber Report 13 December 2010

CRITICAL INFRASTRUCTURE PROTECTION:
• Nothing significant to report

INFORMATION SYSTEMS BREACHES:
• Hackers Steal McDonald's Customer Data: McDonald's is working with law enforcement authorities after malicious hackers broke into another company's databases and stole information about an undetermined number of the fast food chain's customers. McDonald's has also alerted potentially affected customers via e-mail and through a message on its Web site. ... McDonald's hired Arc [Worldwide] to develop and coordinate the distribution of promotional e-mail messages, and Arc in turn relied on an unidentified e-mail company to manage the customer information database. This e-mail company's systems were hacked into. The data, which customers had provided voluntarily, doesn't include Social Security Numbers, credit card numbers, nor any sensitive financial information. ... This means that customer data likely includes full names, phone numbers, postal addresses and e-mail addresses. ... [A McDonald's] spokeswoman didn't say how many people are potentially affected and in what countries, besides the U.S. She also didn't say when the breach happened. [Date: 11 December 2010; Source: http://www.computerworld.com/s/article/9200918/]
• Media Hacked, Firm Warns Users To Change Passwords: E-mail addresses and password details for 200,000 registered users of websites are now circulating on peer-to-peer networks after a weekend hack attack. The company warned users to change their passwords -- including on other sites, if they use the same passwords elsewhere. The websites affected include , , Gawker, , , Jalopnik, , and . Users are required to register, providing their e-mail address and a password, in order to leave comments on those websites. A group named "Gnosis" claimed credit for the attack. The compromised information is now available in a 487 MB file, which can be downloaded from peer-to-peer networks using a torrent now indexed on The Pirate Bay. Other information in the file includes something called "gawker_redesign_beta.jpg" as well as Gawker's server kernel versions. ... The stored passwords were encrypted although Gnosis said some of the passwords have already been cracked. [Date: 13 December 2010; Source: http://www.computerworld.com/s/article/9200978/]

CYBERTERRORISM & CYBERWARFARE:
• Nothing significant to report

VULNERABILITIES:
• Overdue Patches Published For RealPlayer: RealNetworks has released a monster update that closes an impressive 27 security holes in Windows RealPlayer 11.1. Other versions, such as RealPlayer SP, RealPlayer Enterprise and the Mac / Linux versions are also partially affected. Apparently the current RealPlayer 14.0 does not exhibit any of the vulnerabilities. ... Most of the holes are related to flaws in the handling of certain multimedia formats, which cause buffer overflows and other memory management problems. Such errors can often be exploited to inject and execute malicious code; in extreme cases, computers can be infected with spy software. ... RealNetworks was notified of some of the holes six months ago, but apparently waited until now to patch older versions after the patched version 14 was published at the end of October. [Date: 12 December 2010; Source: http://www.h-online.com/security/news/item/Overdue-patches-published-for-RealPlayer-1151696.html]

• Exim Code-Execution Bug, Now With Root Access: Exim maintainers have warned of an in-the-wild attack that allowed miscreants to execute malicious code with unfettered system privileges by exploiting a bug in older versions of the open-source mail transfer agent. The memory-corruption vulnerability resides in Exim 4.69 and earlier versions, and already has been used in at least one attack to completely root an enterprise server, according to this account. Security pros have sounded the alarm because the vulnerability is remotely exploitable and is already being used maliciously. What's more, attack code has also been added to the Metasploit exploitation kit, making it easy for others to reproduce the attack. ... Maintainers for the Debian and Red Hat distributions of Linux have already issued patches, and their counterparts for other distributions are sure to follow soon. ... The vulnerability was patched in 2008, in version 4.7. But the fix was never identified as a security patch so it was never applied to older versions, which are still in wide use. [Date: 11 December 2010; Source: http://www.theregister.co.uk/2010/12/11/exim_code_execution_peril/]

GENERAL CYBER/ELECTRONIC CRIME:
• Diet Spam Splurge Blamed On Gawker Compromise: Compromised Twitter accounts are being abused to post spam messages promoting a diet website. Tens of thousands of messages promoting an acai berries diet website appeared on Sunday, prompting speculation that a worm was spreading across the micro-blogging service. ... [I]t seems that the compromised Twitter accounts promoting the spam messages were hit as a result of last weekend's Gawker compromise. Exposed users made the mistake of using the same login credentials for both Gawker and Twitter. The attack illustrates the importance of using different login credentials on different websites, as well as the common sense approach of using hard-to-guess passwords. Twitter has begun pushing password resets to affected accounts. The micro-blogging service blames the snafu on the Gawker compromise and bad password security rather than anything under its direct control. [Date: 13 December 2010; Source: http://www.theregister.co.uk/2010/12/13/twitter_diet_spam_gawker_compromise/]
• Google, Microsoft Ad Networks Briefly Hit By Malware: For a brief period this week, cybercriminals managed to infect Google's and Microsoft's online ad networks with malicious advertisements that attacked users' PCs, according to security consultancy Armorize. The attacks started around Dec. 5 and lasted a few days, sending victims who clicked on the ads to malicious Web pages. Those pages took advantage of known software bugs to install backdoor programs that gave the attackers control of the victims' PCs, or to install software that made it appear as though the PCs were filled with malicious software. ... [Google spokesman Jay] Nancarrow wouldn't say how the malicious ads got onto Google's ad network, but Armorize Chief Technology Officer Wayne Huang [cq] said cybercriminals may have tricked Google by serving the ads from a domain similar to that used by a legitimate ad-serving company, AdShuffle, based in Irving, Texas. ... Armorize and others spotted similar ads on Microsoft's Hotmail service, according to Huang. Microsoft said via email Friday that it was looking into the matter and could not comment in time for this report. [Date: 10 December 2010; Source: http://www.computerworld.com/s/article/9200899/]
• Amazon Blames Hardware – Not Hackers – For European Outage: Problems with Amazon's systems in Europe over the weekend were down to hardware failure rather than hackers, the e-commerce giant said on Sunday. Christmas shoppers trying to complete purchases from Amazon's online stores in the UK, France, Germany, Austria and Italy were locked out for around half an hour on Sunday. Amazon famously withdrew services from whistle-blower website Wikileaks at the start of the month, a move that potentially made it a target for attacks from Anonymous. However, Amazon said the temporary outage was caused by "hardware failure" at a Dublin-based hosting facility that serves the sites. ... A statement from Anonymous denied launching an attack against Amazon, arguing that such a move would be counterproductive, in PR terms, as well as difficult in practice. Amazon's distributed system makes it more resilient against distributed denial of service attacks, if not hardware failure. [Date: 13 December 2010; Source: http://www.theregister.co.uk/2010/12/13/amazon_outage_not_anonymous/]
• WikiLeaks In A Dangerous Internet Neighborhood: The WikiLeaks main domain, Wikileaks.org, currently redirects to mirror.wikileaks.info. The latter site is hosted on IP address 92.241.190.202 in Heihachi Ltd. Heihachi Ltd is known as a bulletproof, black-hat hosting provider in Russia which is a safe haven for criminals and fraudsters. It hosts a long list of criminally-related domains. Among these domains are banking fraud domains, websites of carders (criminals who trade stolen credit card information), malware sites, and phishing sites. No matter what your political view is, this is rather disturbing. We at Trend Micro...don’t know whether wikileaks.org has perhaps been compromised or whether WikiLeaks is knowingly getting services from a black-hat provider. Either way we assess the wikileaks.info domain as high risk and we do not recommend visiting this site as long as it is hosted by Heihachi Ltd. [Date: 12 December 2010; Source: http://blog.trendmicro.com/wikileaks-in-a-dangerous-internet-neighborhood/]
