
UNCLASSIFIED

This document was prepared by the Office of Intelligence and Analysis to facilitate a greater understanding of the nature and scope of threats and hazards to the homeland. It is provided to Federal, State, Local, Tribal, Territorial and private sector officials to aid in the identification and development of appropriate actions, priorities and follow-on measures. This product may contain U.S. person information that has been deemed necessary for the intended recipient to understand, assess, or act on the information provided. It should be handled in accordance with the recipient's intelligence oversight and/or information handling procedures. Some content may be copyrighted. These materials, including copyrighted materials, are intended for "fair use" as permitted under Title 17, Section 107 of the United States Code ("The Copyright Law"). Use of copyrighted material for unauthorized purposes requires permission from the copyright owner. Any feedback regarding this report or requests for changes to the distribution list should be directed to the Open Source Enterprise via unclassified e-mail at: [email protected].

DHS Open Source Enterprise Daily Cyber Report
14 October 2011

CRITICAL INFRASTRUCTURE PROTECTION:

• Nothing significant to report

INFORMATION SYSTEMS BREACHES:

• Thousands Of Patients At Risk Of ID Theft Following Genentech Breach: Thousands of patients seeking medical treatment may be at risk of identity theft following a breach of systems belonging to the biotech firm Genentech… As many as 3,500 patients may have had information leaked in the breach, which occurred on August 17 when an "unauthorized person" might have accessed "a vendor's computers," according to Genentech's Chief Privacy Officer, Robert Glaser. … A slew of unencrypted information may have been exposed in the breach, including patients' names, addresses, phone numbers, dates of birth, e-mail addresses, driver's license numbers, social security numbers, and medical and health insurance information… [HSEC-1.10; Date: 13 October 2011; Source: http://threatpost.com/en_us/blogs/thousands-patients-risk-id-theft-following-genentech-breach-101311]

• Anonymous Spills Banker Data In 'Occupy Wall Street' Operation: Personal data belonging to Joseph Ficalora, head of The New York Community Bank, and to Kerry Killinger was published on Pastebin by CabinCr3w, a faction of the infamous Anonymous. Another set of information has ended up on the internet after Anonymous threatened that all those who harm the people taking part in the Wall Street protest will suffer. This time two famous bankers had their financial records, addresses, legal issues and business registrations made public on the website that's now famous for being used to brag about such accomplishments. [HSEC-1.10; Date: 14 October 2011; Source: http://news.softpedia.com/news/Anonymous-Spills-Banker-Data-in-Occupy-Wall-Street-Operation-227706.shtml]

CYBERTERRORISM & CYBERWARFARE:

• Drone Virus May Have Originated With Online Gaming: The computer virus that infected part of the military's unmanned aerial vehicle fleet was a common credential-stealing program that poses no threat to drone missions, the Air Force said. The virus … infected computers in a ground control system separate from the flight control systems used by Air Force pilots and is "more of a nuisance than a threat," the Air Force Space Command said in a statement. Drone missions in Afghanistan and Iraq, controlled by pilots at Creech Air Force Base, Nev., have not been interrupted by the virus. … A defense official speaking anonymously told the Associated Press that the virus is of a kind used to steal log-in information from people playing games such as "Mafia Wars" or gambling online. But the official made no comment on whether it got there because crews were playing online games. [HSEC-1.10; Date: 13 October 2011; Source: http://gcn.com/articles/2011/10/13/air-force-drone-virus-mafia-wars.aspx]

VULNERABILITIES:

• Update Closes Critical Safari Hole On Mac OS X: The update to Mac OS X 10.7.2 not only brings iCloud, but also closes a number of critical security holes, and at least one of them is particularly serious. … The update to Safari 5.1.1 closes numerous holes, but the one with the ID CVE-2011-3230 is especially critical: firstly, because it is very easy to exploit, and secondly, because public demonstrations of it are already in circulation. At its simplest, a web site can use a basic JavaScript command to launch arbitrary programs on Macs. The attack is possible because LaunchServices doesn't handle local file:// URLs properly and instead launches the assigned program. [HSEC-1.6; Date: 13 October 2011; Source: http://www.h-online.com/security/news/item/Update-closes-critical-Safari-hole-on-Mac-OS-X-1360602.html]

• Microsoft Targets SpyEye Trojan In Latest MSRT Update: The company takes aim at the ubiquitous SpyEye banking trojan with its free Malicious Software Removal Tool (MSRT), saying that the malware is more common than ever and is being used to grab data from sensitive online sessions. In a blog post on Wednesday on the company's Malware Protection Center Threat Research and Response Blog, Microsoft said that SpyEye was one of two families of malware which have had their signatures added to the MSRT. The other is Poison, aka PoisonIvy, a backdoor Trojan from the old school that's been circulating since at least 2006. [HSEC-1.6; Date: 13 October 2011; Source: http://threatpost.com/en_us/blogs/microsoft-targets-spyeye-trojan-latest-msrt-update-101311]

• DLL Hijacking Technique Spotted Using Windows Flaw: DLL file hijacking is not really news, but another technique has now been discovered by security analysts, cleverly masquerading itself alongside a text. Commtouch Café reveals that the piece of malware they labeled as W32/Trojan2.NOXC took advantage of a Windows flaw that allowed components to load external libraries in a certain way. Fortunately, a security update issued by Microsoft in September took care of the vulnerability, and the malicious element has no way of operating. [HSEC-1.6; Date: 14 October 2011; Source: http://news.softpedia.com/news/DLL-Hijacking-Technique-Spotted-Using-Windows-Flaw-227729.shtml]

GENERAL CYBER/ELECTRONIC CRIME:

• Housewives, Students And Security Pros Among Anonymous Members: Members of the infamous hacking collective Anonymous range from housewives to information security professionals, according to a panel of security experts who claim to have infiltrated the group. Speaking to the press at RSA Conference Europe, Akamai director of security intelligence Joshua Corman argued that the group has a diverse range of constituents, with varying levels of technological know-how. … Some are "very political", some are housewives, some have no hacking skills, while others are so-called "greyhats" with day jobs in information security, and a lot are students, he said. He added that the large number of students in Anonymous represents a failure on the part of the IT security industry to engage with kids who have an interest in hacking and want to develop their skills in the area. [HSEC-1.2; Date: 13 October 2011; Source: http://www.v3.co.uk/v3-uk/news/2117150/housewives-students-security-pros-anonymous]

• Blackhole Crimeware Goes 'Prime Time': Attackers are increasingly using the Blackhole exploit kit in phishing campaigns. Most recently, one that poses as an email notification from an HP OfficeJet printer has sent nearly 8 million emails thus far and uses 2,000 domains to serve up the malware. Researchers at AppRiver say the trend demonstrates how Blackhole is following the pattern of popular crimeware kits such as SpyEye. Blackhole traditionally has been used to infect legitimate websites for drive-by infection purposes. "This attack is unique because Blackhole added an email vector to its format and is flooding the Internet with similar methods used by Zeus, SpyEye, and others, essentially moving it into prime time," says Fred Touchette, senior security analyst for AppRiver. [HSEC-1.10; Date: 13 October 2011; Source: http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/231900780]

• New 'Nice Pack' Exploit Kit Found, Thousands Of Owned Sites Redirecting Users To Attack Site: A new exploit pack has appeared on the scene in the last week or so and it is already causing trouble for users, with thousands of compromised Web sites redirecting users to a page that is hosting the pack and exploiting vulnerabilities on their machines to install malware. The attackers behind the exploit pack, known as Nice Pack, are following the tried and true path blazed by groups that use other better-known exploit kits such as Black Hole. The attackers are using various techniques to compromise a large number of legitimate Web pages, on which they then place malicious JavaScript that redirects unsuspecting users to the remote site hosting the exploit pack itself. [HSEC-1.10; Date: 13 October 2011; Source: http://threatpost.com/en_us/blogs/new-nice-pack-exploit-kit-found-thousands-owned-sites-redirecting-users-attack-site-101311]

• Yahoo Accounts Most Targeted In Hacking Operations: A report called "The State of Hacked Accounts" reveals information on the accounts people care about so much and the way they get taken over. Results show that Gmail, Yahoo, Hotmail and Facebook accounts attract the most villains, probably because that's where internet users keep their most private stuff. After Yahoo, the most sought after were Facebook (23%) and Gmail (19%). More than half of the respondents say they're not sure how exactly their credentials were taken over, while 15% recall using a public internet terminal or public Wi-Fi just before the attack. [HSEC-1.6; Date: 14 October 2011; Source: http://news.softpedia.com/news/Yahoo-Accounts-Most-Targeted-in-Hacking-Operations-227774.shtml]
