UNCLASSIFIED

This document was prepared by the Office of Intelligence and Analysis to facilitate a greater understanding of the nature and scope of threats and hazards to the homeland. It is provided to Federal, State, Local, Tribal, Territorial and private sector officials to aid in the identification and development of appropriate actions, priorities and follow-on measures. This product may contain U.S. person information that has been deemed necessary for the intended recipient to understand, assess, or act on the information provided. It should be handled in accordance with the recipient's intelligence oversight and/or information handling procedures. Some content may be copyrighted. These materials, including copyrighted materials, are intended for "fair use" as permitted under Title 17, Section 107 of the United States Code ("The Copyright Law"). Use of copyrighted material for unauthorized purposes requires permission from the copyright owner. Any feedback regarding this report or requests for changes to the distribution list should be directed to the Open Source Enterprise via unclassified e-mail at: [email protected].

DHS Open Source Enterprise Daily Cyber Report
27 October 2011

CRITICAL INFRASTRUCTURE PROTECTION:

• NSA Helps Banks Battle Hackers: The National Security Agency (NSA), a secretive arm of the US military, has begun providing Wall Street banks with intelligence on foreign hackers, a sign of growing fears of financial sabotage. The assistance from the agency that conducts electronic spying overseas is part of an effort by American banks and other financial firms to get help from the US military and private defense contractors to fend off cyber attacks… The Federal Bureau of Investigation has also warned banks of particular threats amid concerns that hackers could potentially exploit security vulnerabilities to wreak havoc across global markets and cause economic mayhem. [HSEC-1.10; Date: 27 October 2011; Source: http://ibnlive.in.com/news/nsa-helps-banks-battle-hackers/196625-11.html]

• New Analysis Questions Origins Of Duqu Trojan: A new analysis of the recently discovered Duqu Trojan raises questions about the origin of the Trojan and its links to the earlier Stuxnet worm. … Analysts at SecureWorks studied the Trojan and found that, although Duqu and Stuxnet share characteristics, including the method both use to load malicious files onto infected systems, the payloads of the two pieces of malware are "significantly different and unrelated." … While Duqu and Stuxnet both use a kernel driver to decrypt and load encrypted DLL … files, injecting the malware into specific Windows processes, that technique "is not unique to either Duqu or Stuxnet and has been observed in other unrelated threats," according to a post by the STU team. As for claims that Stuxnet and Duqu were related because both use a kernel driver … signed using a valid software signing certificate, SecureWorks says that commonality isn't enough to prove a link between the two pieces of malware. [HSEC-1.10; Date: 26 October 2011; Source: http://threatpost.com/en_us/blogs/new-analysis-questions-origins-duqu-trojan-102611-0]

INFORMATION SYSTEMS BREACHES:

• Hackers Publish Vulnerabilities In US Law Enforcement Websites: A group of hackers called Team Poison (TeaMp0isoN) published a list of websites used by law enforcement authorities that are supposedly vulnerable to MS Access SQL injection attacks. Six of the sites listed are supposedly used by the police for their updates, and the cybercriminals urged Occupy Wall Street supporters to take them down. "I do not like the Police. You beat on innocent and peaceful protestors for no reason other than that you want to protect your friends at the banks and yourselves to make money. It's all about money and the Police aiming to keep their job," reveals F0rsaken, a member of TeaMp0isoN. [HSEC-1.10; Date: 27 October 2011; Source: http://news.softpedia.com/news/Hackers-Publish-Vulnerabilities-in-US-Law-Enforcement-Websites-230414.shtm]

• Biggest Hack In Swedish History Affects Politicians, Journalists Among Others: Login credentials for nearly 200,000 individuals, most of them Swedish citizens, have been exposed in what experts are calling the largest data breach in that country's history. According to a report from The Local, a Sweden-based, English-language news publication, a popular Swedish blogging platform, Bloggtoppen, was hacked, with login information for around 60 Web sites hosted on that platform (an estimated 90,000 account passwords) made public via the account of a 23-year-old Swedish Parliamentarian, William Petzail. Petzail, who is currently hospitalized, … is not believed to be responsible for the breach. … Local reports note that prominent journalists and members of Sweden's Liberal Party were exposed in the leak. [HSEC-1.10; Date: 26 October 2011; Source: http://threatpost.com/en_us/blogs/biggest-hack-swedish-history-affects-politician-journalists-among-others-102611]

CYBERTERRORISM & CYBERWARFARE:

• Chinese Military Suspected In Attacks On U.S. Satellites: Computer hackers, possibly from the Chinese military, interfered with two U.S. government satellites four times in 2007 and 2008 through a ground station in Norway, according to a congressional commission. The intrusions on the satellites, used for earth climate and terrain observation, underscore the potential danger posed by hackers, according to excerpts from the final draft of the annual report by the U.S.-China Economic and Security Review Commission. The report is scheduled to be released next month. [HSEC-1.10; Date: 27 October 2011; Source: http://www.businessweek.com/news/2011-10-27/chinese-military-suspected-in-hacker-attacks-on-u-s-satellites.html]

• Cyber War On Japanese Embassies: A cyber attack was launched against Japanese embassies and consulates throughout the world earlier this year, including the Dutch embassy in The Hague, Japanese newspaper Yomiuri Shimbun reported today. The hackers infected the embassy computer networks of the US, China, France, Canada, South Korea, Myanmar and the Netherlands last summer. The revelations come just one day after it was made known that hackers broke into the computer systems of a number of Japanese parliamentarians. They were able to access the email correspondence of the MPs for a whole month. They were reportedly looking for information on Japanese foreign and defence policies, according to newspaper Asahi Shimbun. [HSEC-1.10; Date: 26 October 2011; Source: http://www.rnw.nl/english/bulletin/cyber-war-japanese-embassies]

VULNERABILITIES:

• Researchers Demo Cloud Security Issue With AWS Attack: Researchers from the Horst Goertz Institute (HGI) of the Ruhr-University Bochum (RUB) in Germany have demonstrated an account hijacking attack against Amazon Web Services (AWS) that they believe affects other cloud computing products as well. The attack uses a technique, known as XML signature wrapping or XML rewriting, that … exploits a weakness in the way Web services validate signed requests. … The new practical attack against Amazon's cloud infrastructure was demonstrated at the ACM Conference on Computer and Communications Security last week and involved obtaining unauthorized access to an AWS account. [HSEC-1.6; Date: 26 October 2011; Source: http://www.computerworld.com/s/article/9221208]

• Cisco Warns Of Remote Code Flaw In Security Agent Software: Cisco is advising administrators to update systems following the discovery of a remote code execution vulnerability in Security Agent 6.0. The flaw could allow an attacker to remotely target the Oracle Outside component for the Fusion Middleware platform to access the Cisco software on Windows systems. Cisco said in a security advisory that successful exploitation would allow the attacker to execute code and control the targeted system with administrator rights. Cisco has released a free patch and is advising customers to obtain the Cisco Security Agent 6.0.2.151 fix through their service provider or hardware retailer. [HSEC-1.6; Date: 27 October 2011; Source: http://www.v3.co.uk/v3-uk/news/2120369/cisco-warns-remote-code-flaw-security-agent-software]

GENERAL CYBER/ELECTRONIC CRIME:

• Anonymous Threatens The Toronto Stock Exchange: The Canadian faction of the infamous hacktivist group Anonymous issued a video in which they threaten to take down the website of the Toronto Stock Exchange on November 7. It seems Anonymous will be Anonymous no matter which country they reside in, and to make sure they are on the same page as their American counterparts, on October 15 they joined the protest called Occupy Toronto. According to Now Toronto, they haven't been very active so far, but now they have released a YouTube message in which they announce their first major operation. [HSEC-1.10; Date: 26 October 2011; Source: http://news.softpedia.com/news/Anonymous-Threatens-the-Toronto-Stock-Exchange-230241.shtml]

• CCC Criticises New Version Of Government Trojan: The CCC (Chaos Computer Club) has analysed the more recent version of Digitask's German government trojan that was discovered by Kaspersky. … The analysis focused on the improvements that were made to fix the previous version's weaknesses, and on the postulated "audit-proof logging" of all activities. The CCC's "reversers" found that, while improvements were indeed made, these improvements are by no means sufficient to allow collection of evidence that is consistent with regulations. … Consequently, it took the CCC's specialists only a few hours to adapt their custom C&C server in such a way that it worked with the more recent versions. [HSEC-1.10; Date: 26 October 2011; Source: http://www.h-online.com/security/news/item/CCC-criticises-new-version-of-government-trojan-1367160.html]
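Editor's worked example for the XML signature wrapping item under VULNERABILITIES above. This is added illustration, not code from the report, from the RUB researchers or from Amazon: an HMAC over a plain XML fragment stands in for a real XML Signature, and the envelope layout, the "body" Id, the demo key and the operation names are all constructed for the demo. It contrasts a verifier that authenticates whichever element carries the referenced Id and then acts on the Body found by position (the weak validation pattern the item describes) with a hardened verifier that insists the authenticated node is the very node the application processes.

```python
"""Added example: tying the signed element to the element that is acted on.
Everything here (message layout, Ids, key, operation names) is constructed for
the demo; the HMAC stands in for an XML Signature."""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SECRET = b"constructed-demo-key"  # stand-in for the request signing key

TEMPLATE = """<Envelope>
  <Header>
    <Security>
      <Signature>
        <Reference URI="#body"/>
        <SignatureValue>{mac}</SignatureValue>
      </Signature>
    </Security>
  </Header>
  {body}
</Envelope>"""


def canonical(elem):
    """Serialize one element by itself; the tail is dropped so whitespace in the
    enclosing envelope does not alter the bytes being authenticated."""
    clone = copy.deepcopy(elem)
    clone.tail = None
    return ET.tostring(clone, encoding="utf-8")


def mac_for(elem):
    return hmac.new(SECRET, canonical(elem), hashlib.sha256).hexdigest()


def make_signed_request(operation):
    """Build a request whose Body (Id="body") is covered by the signature."""
    body_xml = '<Body Id="body"><Operation>%s</Operation></Body>' % operation
    return TEMPLATE.format(mac=mac_for(ET.fromstring(body_xml)), body=body_xml)


def wrap(xml_text, unsigned_operation):
    """Constructed wrapped message for testing verifiers: the signed Body is
    moved under a header element (keeping its Id) and an unsigned Body takes
    its place, so the signature still validates against the moved element."""
    root = ET.fromstring(xml_text)
    original = root.find("./Body")
    root.remove(original)
    ET.SubElement(root.find("./Header"), "Wrapper").append(original)
    ET.SubElement(ET.SubElement(root, "Body"), "Operation").text = unsigned_operation
    return ET.tostring(root, encoding="unicode")


def _signature_parts(root):
    sig = root.find("./Header/Security/Signature")
    ref_id = sig.find("Reference").get("URI").lstrip("#")
    return ref_id, sig.findtext("SignatureValue")


def naive_dispatch(xml_text):
    """Weak verifier: authenticates whichever element carries the referenced Id,
    then acts on the Body located by position; the two need not be the same node."""
    root = ET.fromstring(xml_text)
    ref_id, mac = _signature_parts(root)
    signed = next((e for e in root.iter() if e.get("Id") == ref_id), None)
    if signed is None or not hmac.compare_digest(mac, mac_for(signed)):
        return "rejected: bad signature"
    return "executed: " + root.findtext("./Body/Operation")


def hardened_dispatch(xml_text):
    """Fixed verifier: the referenced Id must be unique, and the authenticated
    node must be the very Body node the application will process."""
    root = ET.fromstring(xml_text)
    ref_id, mac = _signature_parts(root)
    body = root.find("./Body")
    matches = [e for e in root.iter() if e.get("Id") == ref_id]
    if len(matches) != 1:
        return "rejected: referenced Id missing or not unique"
    if matches[0] is not body:
        return "rejected: signed element is not the Body being processed"
    if not hmac.compare_digest(mac, mac_for(body)):
        return "rejected: bad signature"
    return "executed: " + body.findtext("Operation")


if __name__ == "__main__":
    genuine = make_signed_request("DescribeInstances")
    wrapped = wrap(genuine, "TerminateInstances")
    for label, msg in (("genuine", genuine), ("wrapped", wrapped)):
        print(label, "naive ->", naive_dispatch(msg))
        print(label, "hardened ->", hardened_dispatch(msg))
```

The point of the hardened path is that a valid signature over some element proves nothing unless the verifier also proves that element is the one the business logic reads; checking Id uniqueness alone is not enough, since a document can be rearranged without any duplicate Ids. In a real WS-Security or XMLDSig stack the same check is done against the resolved Reference and the dispatched SOAP Body, not against a demo HMAC.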