UNCLASSIFIED

This document was prepared by the Office of Intelligence and Analysis to facilitate a greater understanding of the nature and scope of threats and hazards to the homeland. It is provided to Federal, State, Local, Tribal, Territorial and private sector officials to aid in the identification and development of appropriate actions, priorities and follow-on measures. This product may contain U.S. person information that has been deemed necessary for the intended recipient to understand, assess, or act on the information provided. It should be handled in accordance with the recipient's intelligence oversight and/or information handling procedures. Some content may be copyrighted. These materials, including copyrighted materials, are intended for "fair use" as permitted under Title 17, Section 107 of the United States Code ("The Copyright Law"). Use of copyrighted material for unauthorized purposes requires permission from the copyright owner. Any feedback regarding this report or requests for changes to the distribution list should be directed to the Open Source Enterprise via unclassified e-mail at: [email protected].

DHS Open Source Enterprise Daily Cyber Report
9 December 2010

CRITICAL INFRASTRUCTURE PROTECTION:

• No Apparent Impact In US: Cyber Official: Computer software targeted by Stuxnet is used in US infrastructure but the virus does not appear to have affected any systems in the United States, a US cybersecurity official said Tuesday. Greg Schaffer, assistant secretary for cybersecurity and communications in the Department of Homeland Security (DHS), told reporters...that Stuxnet demonstrates the increasingly sophisticated nature of cyber threats today. ... Schaffer said Stuxnet "focused on specific software implementations and those software implementations did exist in some US infrastructure so there was the potential for some US infrastructure to be impacted at some level." ... He added cyber threats today are becoming "more sophisticated, more targeted, more capable, harder to detect, harder to mitigate." "This is no longer a world in which malicious defacements of Web pages are what we are focused on," he said. "We are worried about the migration towards things of value, intrusions that are very targeted and very specific." [Date: 8 December 2010; Source: http://www.google.com/hostednews/afp/article/ALeqM5gABqKg3RFSAqmukHRnd_S9w6NRdQ]

INFORMATION SYSTEMS BREACHES:

• Healthcare Database Breach Brings User Account Management Practices Back Into Focus: A recent database breach that exposed the private healthcare records of more than 400,000 Puerto Rican residents yet again shines a stark light on the inadequate access management and account provisioning practices that leave databases exposed at so many organizations today. The breach occurred this fall through the database systems of Triple-S Management, a Puerto Rico-based managed healthcare company. The account details of more than 400,000 were pored over by employees at a competitor organization, Medical Card System, who had somehow acquired active user ID and password combinations for Triple-S databases in order to gain unauthorized access. ... Provisioning database accounts is a manual practice at best, but usually the management of passwords and accounts is simply nonexistent. ... According to a recent survey conducted by Enterprise Strategy Group, 60 percent of organizations scan databases only once per quarter -- or more infrequently -- for anomalies in privileges. [Date: 8 December 2010; Source: http://www.darkreading.com/database-security/167901020/security/application-security/228701991/]

CYBERTERRORISM & CYBERWARFARE:

• Nothing significant to report

VULNERABILITIES:

• OOPS - Root Privileges Under Linux: On the Full Disclosure security mailing list, Dan Rosenberg presents a small demo program which craftily combines several security holes to obtain root privileges on Linux systems. The starting point is a problem Nelson Elhage discovered in connection with the kernel's thread management and troubleshooting routines (CVE-2010-4258), where a user can potentially exploit an OOPS to write a null byte into the kernel's memory area. Rosenberg combined this with a number of vulnerabilities also recently discovered by Nelson Elhage in the Econet protocol implementation. Two of them (CVE-2010-3848, CVE-2010-3849) can only be exploited if an administrator has already configured Econet interfaces in the system. However, CVE-2010-3850 allows local users without root privileges to do just that. The astonishing aspect is that although Econet is an ancient protocol Acorn computers used for communicating with file and print servers via special network cards, many current kernels support its emulation by default and without any user interaction. [Date: 8 December 2010; Source: http://www.h-online.com/security/news/item/OOPS-Root-privileges-under-Linux-1149758.html]

GENERAL CYBER/ELECTRONIC CRIME:

• Wikileaks 'Infowar' Latest Roundup: The hacktivist collective Anonymous, operating under the banner Operation:Payback, has continued to mount various types of hacking attacks including DDoS strikes – supplemented by the use of illegal – against targets assessed as being anti-Wikileaks. ... Payment organisations such as MasterCard, Visa and PayPal are being consistently hit by Operation:Payback. ... Anonymous has also attacked US Senator 's official government site, causing outages, and that of... – in both cases for making public statements critical of Wikileaks or its spokesman . ... Similarly there has been much discussion among the anarchic Anonymous collective on attacking – it being suggested that Twitter has purposely prevented the "infowar" becoming a trending topic under various tags. ... Our sources, however, suggest that the Anonymous consensus does not favour attacking Twitter. [Date: 9 December 2010; Source: http://www.theregister.co.uk/2010/12/09/operation_payback_anonymous_wikileaks_infowar_latest/]

• Group Used 30,000-Node In MasterCard, PayPal Attacks: PayPal's website was hit late Wednesday by two botnets as online activists continued their Web attacks on companies that have severed their relationships with WikiLeaks. The activists have recruited volunteers, who have banded their computers into a distributed denial of service (DDoS) botnet, but they are also using hacked machines to carry out these attacks, said Sean-Paul Correll of threat researcher Panda Security. "Today we observed over 3,000 computers in the voluntary botnet, but we also have knowledge of a 30k node botnet," he said. This botnet infects computers via peer to peer filesharing systems, but it can spread via Microsoft Messenger and USB sticks as well. ... PayPal was hit late Wednesday afternoon, Pacific time, and the Paypal.com address was unresponsive into early Thursday morning. ... MasterCard's SecureCode service -- used to add a security code for use in online transactions...also suffered a disruption Wednesday. [Date: 9 December 2010; Source: http://www.computerworld.com/s/article/9200598/]

• Fake Receipt Program Targets Retailers: Amazon retailers are being targeted by fraudsters who have created a custom-built program that generates fake receipts for nonexistent orders, according to researchers from GFI Software. The program is designed to create a customized HTML file that closely resembles an actual Amazon.com receipt, wrote Christopher Boyd, senior threat researcher, on GFI's blog. A fraudster can fill out the date, item, price, order number and address among other information. Users also have the option of selecting specific Amazon portals, including ".com," ".co.uk," ".fr" and ".ca." ... The scam relies entirely on social engineering, with the fraudster hoping a vendor will be tricked into thinking a product was sold. "The gag here is that the scammer is relying on the seller not checking the details and accepting the printout at face value," Boyd wrote. ... Retailers can protect themselves by checking their own sales records. Amazon.com will also be able to confirm whether a real sale has taken place, Boyd wrote. [Date: 9 December 2010; Source: http://www.computerworld.com/s/article/9200601/]

• Scammers Preying On Those Wanting To Adopt: The IC3 received information from law enforcement and complaints filed with the IC3 concerning an adoption scam. The scam is an attempt to collect personal information and funds from individuals seeking to adopt a child. Victims reported responding to on-line advertisements for adoptions.... The operators of the site are fraudsters who claimed to have an overseas orphaned child in need of adoption. Preying on victims' emotions, the scammers explained how they promised to care for the child after the mother's death. The fraudsters said they were not affiliated with an adoption agency because no such agencies exist in their area. Nevertheless, they asked the victims to send pictures of their family and to complete forms that required personal information such as Social Security Number and their mother's maiden name. [Date: 9 December 2010; Source: http://www.net-security.org/secworld.php?id=10287]

• Trojans Dominate The Threat Landscape: As in recent months, Trojans dominated the threat landscape in November, according to GFI Software. Their data revealed that seven of the top 10 threats were classified as Trojans. The number-one detection, Trojan.Win32.Generic!BT, is a Trojan comprising over 20 percent of the ThreatNet detections. Tom Kelchner, GFI Software communications and research analyst, said, "There is another picture in the top-10 numbers. Three of them go after applications or server software that hasn't been patched. The number six detection, Exploit.PDF-JS.Gen (v), tries to exploit a security flaw in PDF files with embedded JavaScript. That's aiming at Adobe products. It often installs downloaders that pull down other malware from remote Web sites." [Date: 9 December 2010; Source: http://www.net-security.org/malware_news.php?id=1561]