UNCLASSIFIED

This document was prepared by the Office of Intelligence and Analysis to facilitate a greater understanding of the nature and scope of threats and hazards to the homeland. It is provided to Federal, State, Local, Tribal, Territorial and private sector officials to aid in the identification and development of appropriate actions, priorities and follow-on measures. This product may contain U.S. person information that has been deemed necessary for the intended recipient to understand, assess, or act on the information provided. It should be handled in accordance with the recipient's intelligence oversight and/or information handling procedures. Some content may be copyrighted. These materials, including copyrighted materials, are intended for "fair use" as permitted under Title 17, Section 107 of the United States Code ("The Copyright Law"). Use of copyrighted material for unauthorized purposes requires permission from the copyright owner. Any feedback regarding this report or requests for changes to the distribution list should be directed to the Open Source Enterprise via unclassified e-mail at: [email protected].

DHS Open Source Enterprise Daily Cyber Report
17 February 2011

CRITICAL INFRASTRUCTURE PROTECTION:

• Securing The Smart Grid No Small Task: The road to a secure smart grid is still being built. Can it be finished in time to keep next-generation threats at bay? That question was left largely unanswered during a panel discussion on securing the smart grid at the RSA security conference taking place here this week. ... According to specialists, the problem is (and continues to be) huge fragmentation among the power companies, something that on its own is issue enough, but as the panelists lamented, the same problem threatens the technologies these companies plan to roll out. ... In the electricity industry that risk has become more apparent after what happened last year with Stuxnet.... As the grid gets more intertwined with consumer electronics and home area networks, the likelihood of a wider range of targets is expected to increase. [Date: 16 February 2011; Source: http://news.cnet.com/8301-1009_3-20032291-83.html]

INFORMATION SYSTEMS BREACHES:

• Winamp Advises Forum Password Reset After Mystery Hack: Winamp is advising users of its media player software who frequent its forum to change their passwords after a security breach resulted in the disclosure of thousands of email addresses. The breach only exposed users' email addresses, so the forum logon password change policy is purely a precaution, according to Winamp. The firm said that users of its media player software were not affected directly by the breach, which hit only its forum and not its main site winamp.com or its developers' site. Beyond saying that it had detected an attack on its forum database...Winamp says little about the likely source or motive of the cyber-assault. [Date: 16 February 2011; Source: http://www.theregister.co.uk/2011/02/16/winamp_forum_hack_password_reset/]

• CAMC Patient Data Shows Up Online: A hospital contractor posted personal information for 3,655 Charleston [West Virginia] Area Medical Center patients on an unsecured website, state Attorney General Darrell McGraw said.... A spreadsheet containing the names, addresses, birth dates, Social Security numbers and other sensitive data of the patients was insecurely left up for several months on the website for CAMC's Research Institute. ... CAMC spokesman Dale Witte said the information had been available online since September 2010 and was posted by a third-party information technology contractor. [Date: 17 February 2011; Source: http://www.dailymail.com/News/201102161218]

CYBERTERRORISM & CYBERWARFARE:

• Act Now On Cyberwar, Security Experts Caution: The time to act on cyberwar is now, several experts at the RSA Security Conference held here this week said. Disagreements may persist on what constitutes an overt act of cyberwar or how to recognize such an act, they admitted. And questions also remain on whether cyberwar is an accurate term to describe deliberate attacks against critical infrastructure targets by enemies that may or may not be state-sponsored. Even so, the time has arrived for the U.S. to develop a strategic plan for dealing with threats against critical infrastructure and those targeting U.S. economic interests, they said. "I don't think we are in a cyberwar right now," said Michael Chertoff, former secretary of the Department of Homeland Security and an independent consultant. "But we would be foolish not to recognize the potential," Chertoff said during a keynote panel discussion at the trade show. "There is no doubt that cyber warfare is going to be within the domain of conflict, very shortly." [Date: 17 February 2011; Source: http://www.computerworld.com/s/article/9209980/]


VULNERABILITIES:

• MS Fesses On Silent Security Fixes: Microsoft has explained its rationale for quietly fixing some security vulnerabilities without issuing an associated bulletin. Such silent updates have been happening for years, but have escaped much notice outside the small community of reverse engineers. Normally the bugs in question are close relatives of disclosed vulnerabilities that emerge during the verification of suspected security problems using fuzzing and other approaches. Associated flaws can increase the security (or exploitability) rating of their publicly disclosed siblings, but don't necessarily earn a bulletin all to themselves or inclusion in the Common Vulnerabilities and Exposures (CVE) database. [Date: 16 February 2011; Source: http://www.theregister.co.uk/2011/02/16/ms_silent_security_fix_rationale/]

GENERAL CYBER/ELECTRONIC CRIME:

• Massive Increase in Attacks In 2010: 2010 saw a dramatic increase in cyber crime and targeted botnet attacks, and at its peak around Christmas, the total number of unique botnet victims was 654 percent greater than the victim population at the beginning of the year, according to a new report. ... Damballa's "Top 10 Botnet Threat Report – 2010" found that of 2010's 10 largest botnets, six did not exist in 2009 and only one (Monkif) was present in the previous year's list of 10 largest botnets. The dubious honor of ranking first went to TDLBotnetA, a botnet that claimed 14.8 percent of all unique infected victims in 2010. ... RogueAVBotnet and ZeusBotnetB ranked second and third, respectively, followed by Monkif, .A, .C, Hamwek, AdwareTrojanBotnet, Sality and SpyEyeBotnetA. The significant spike in botnet infections has been linked to the rapid evolution of the many botnet DIY toolkits and the increased access to exploit packs, Damballa said. Also, another factor Damballa said played a role in the growth of botnet infections was the cyber crooks becoming more proficient at installing bot agents on behalf of botnet operators. [Date: 16 February 2011; Source: http://www.thenewnewinternet.com/2011/02/16/massive-increase-in-botnet-attacks-in-2010/]

• 70% Of SMS Spam Is Financial Fraud: An analysis of SMS traffic conducted from March through December 2010 reveals that, according to the reports of misuse submitted by AT&T, Bell Mobility, KT, Korean Internet & Security Agency, SFR, Sprint, and Vodafone consumers, spam is found across all networks, and at levels higher than originally anticipated. ... Attackers are using sophisticated message modification techniques and transmitting low volumes of messages from each sending number to avoid detection over a long period of time. ... Further findings show that most spam originates on-network, followed by peer networks and then through internet services, but each mobile network operator in the pilot was able to identify the source of the spam and take immediate action. Although nearly one-tenth of spam attacks identified were adult in content, the majority of attacks were for financial gain, with 70% of reports of spam being for fraudulent financial services rather than the traditional advertising scenarios found in email spam. Further, attacks can be split into three categories: Phishing attempts...Social engineering scams...[and] Premium rate fraud. [Date: 16 February 2011; Source: http://www.net-security.org/secworld.php?id=10614]

• Canadian Finance Ministries Closed Off From Web After Cyberspy Hack: Chinese hackers have been blamed for looting sensitive Canadian government documents, forcing two government departments off the internet as a response. CBC reports that the attacks, first detected in January, have been traced back to Chinese computer networks – while noting...that compromised systems in China might have been used by third parties to disguise their tracks. The assaults targeted the computer networks of the Finance Department and Treasury Board, key Canadian economics ministries. Access to the internet from both departments was restricted following the discovery of the attacks last month. The attacks involved a combination of targeted spear-phishing attacks designed to fool government officials into handing over passwords and the use of . The pattern of the attack matches that of the GhostNet assault that penetrated 100 other governments around the world back in March 2010. [Date: 17 February 2011; Source: http://www.theregister.co.uk/2011/02/17/canada_cyber_espionage/]

• Fake Tax Payment Rejection Notice Delivers Variant: The latest IRS-themed spam campaign carries a deadly attachment - a variant of the infamous Zeus Trojan, warns AppRiver. The e-mail, purportedly coming from the Internal Revenue Service, contains a warning. … Both the subject line and the e-mail text use a random combination of digits when referencing the notice and payment ID. The attached IRS-TAX-Notification-printing-form-SNXXXXXXXX.zip file contains a Zeus variant that had an extremely low detection rate on VirusTotal when AppRiver first spotted the e-mail yesterday - only one of the 41 solutions used managed to recognize the file for what it was. [Date: 16 February 2011; Source: http://www.net-security.org/malware_news.php?id=1633]