Saturday, November 13, 2010

Security pros fail to get a grip on meaty bot

Lethic spam package uses Stuxnet nuke nobbler cert ploy


A new variant of the Lethic botnet agent comes signed with a digital certificate from the same firm whose identity was abused by the infamous Stuxnet industrial control system worm.

Lethic is a spam-spewing botnet that ranks relatively low in terms of compromised machines but bears a disproportionately high responsibility for the world's dodgy pharmaceuticals and replica watch junk mail. Takedown efforts at command and control systems back in January only provided a temporary respite from the deluge.


Recent variants of the Lethic botnet come "signed" with digital certificates from Taiwanese manufacturer Realtek Semiconductor Corp, just like variants of Stuxnet that infected power plants in Iran, India and elsewhere back in summer. Stuxnet is capable of reprogramming SCADA-based industrial control systems.

Iranian authorities admitted the worm infected systems at its controversial Bushehr Nuclear Power Plant but denied this was the reason for subsequent delays in bringing the reactor online, blaming a mystery "minor leak" instead.

The digital Realtek certificate misused by the Stuxnet worm was verified by a certificate authority. Lethic's Realtek signature, by contrast, wasn't verified and is probably some sort of forgery.

Zscaler, the security firm that first noticed the abuse of the Realtek certificate, reckons this is evidence that malware authors are picking on the same organisation for convenience rather than because of any collusion between the unknown Stuxnet and Lethic gangs.

Mike Geide of Zscaler closes a detailed and nicely worked analysis by concluding that even though the Realtek signature used in recent variants of Lethic was a counterfeit, the same tactic may have been applied by the same gang to other strains of malware. "While this is not a digital signature - it is still identifying info that may be able to tie certain malware samples to the same author / group / or binary builder,"

 

Wednesday, November 3, 2010

Microsoft Warns of Attacks on Zero-Day IE Bug

Microsoft Corp. today warned Internet Explorer users that attackers are exploiting a previously unknown security hole in the browser to install malicious software. The company is urging users who haven’t already done so to upgrade to IE8, which includes technology that makes the vulnerability more difficult to exploit.
According to the advisory Microsoft published, this is a browse-to-a-malicious-site-and-get-owned vulnerability. The company reports that the exploit code was discovered on a single Web site that is no longer online. But if past attacks against unpatched IE flaws are any indicator, it will probably not be long before the attack is stitched into plenty of other hacked and malicious Web sites.
Redmond says Data Execution Prevention (DEP) technology enabled by default in IE8 helps protect against attacks, and that the same protection is enabled on all supported platforms, including Windows XP Service Pack 3, Windows Vista Service Pack 1, Windows Vista Service Pack 2, and Windows 7. IE9 beta apparently is not at risk from this threat.

http://krebsonsecurity.com/2010/11/microsoft-warns-of-attacks-on-zero-day-ie-bug/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29#subscribe2

Google Extends Security Bug Bounty to Gmail, YouTube, Blogger

Google on Monday said it was expanding a program to pay security researchers who discreetly report software flaws in the company’s products. The move appears aimed at engendering goodwill within the hacker community while encouraging more researchers to keep their findings private until the holes can be fixed.


Earlier this year, Google launched a program to reward researchers who directly report any security holes found in the company’s Chrome open-source browser project.

With its announcement today, Google is broadening the program to include bugs reported for its Web properties, including Gmail, YouTube, Blogger and others (the company says its desktop apps – Android, Picasa, Google Desktop, etc. – are not included in the expanded bounty program).

The program is unlikely to attract those who are looking to get rich selling security vulnerabilities, as there are several less reputable places online where critical bugs in important online applications can fetch far higher prices. But the expanded bounty may just win over researchers who might otherwise post their research online, effectively alerting Google to the problem at the same time as the cyber criminal community.

“We already enjoy working with an array of researchers to improve Google security, and some individuals who have provided high caliber reports are listed on our credits page,” Google’s security team wrote on the company’s security blog. “As well as enabling us to thank regular contributors in a new way, we hope our new program will attract new researchers and the types of reports that help make our users safer.”

http://krebsonsecurity.com/2010/11/google-extends-security-bug-bounty-to-gmail-youtube-blogger/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29

Ind. AG sues WellPoint for $300K over data breach

http://www.businessweek.com/ap/financialnews/D9J5JNK00.htm

The Indiana attorney general's office is suing health insurance giant
WellPoint Inc. for $300,000 for waiting months to notify customers
that their medical records, credit card numbers and other sensitive
information may have been exposed online.

The lawsuit filed Friday in Marion County accuses WellPoint of
violating a state law that requires businesses to provide notification
of data breaches in a timely manner.

State officials say the personal records were exposed for at least 137
days between last October and March. The suit says WellPoint learned
of the problem Feb. 22 but didn't start notifying customers until
June.

WellPoint has said 470,000 individual insurance customers might have
been affected.

Messages seeking comment were left with WellPoint spokespeople.

University Posts Info Of 40K Students

http://www.npr.org/templates/story/story.php?storyId=130903298

The Social Security numbers, grades and other personal information of
more than 40,000 former University of Hawaii students were posted
online for nearly a year before being removed this week, The
Associated Press has learned.

University officials told the AP that a faculty member inadvertently
uploaded files containing the information to an unprotected server on
Nov. 30, 2009, exposing the names, academic performance, disabilities
and other sensitive information of 40,101 students who attended the
flagship Manoa campus from 1990 to 1998 and in 2001. A handful of
students from the West Oahu campus were included in the security
breach.
[..]

Friday, October 29, 2010

Zynga Faces Class-Action Lawsuit over Alleged Privacy Breach


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sat, 23 Oct 2010 23:42:40 -0400


http://blogs.sfweekly.com/thesnitch/2010/10/zynga_facebook_lawsuit.php

No matter what they do, some companies seem chronically incapable of
playing peacefully in the sandbox of American capitalism with others.
San Francisco-based game developer Zynga -- the wildly successful firm
behind such popular Facebook applications as FarmVille and Mafia Wars
-- is one of them, and  is now facing a class-action lawsuit driven by
customer allegations of privacy abuses.

The lawsuit, filed Monday in San Francisco's federal court by
Minnesota resident Nancy Graf, comes on the heels of a Wall Street
Journal investigation into the sharing of users' personal data by
Facebook and Zynga. The Journal found that Zynga games such as
FarmVille and FrontierVille were sending information identifying
gamers to third parties, which use the data to assemble profiles of
internet users and track people online for advertising purposes.

Even those who have set their Facebook privacy settings to the
strictest level can be affected by such breaches, according to the
Journal, which also reports that this sort of sharing of user data by
app developers is in violation of Facebook's rules. (Facebook is also
coming in for its share of the blame, as evidenced by a similar
lawsuit in Rhode Island.)

Graf's lawsuit asks for an injunction to prevent continued sharing of
user information, as well as monetary damages. The suit doesn't state
how much she is seeking.

Wednesday, October 20, 2010

Health insurers say data on 280,000 Pennsylvania clients may be compromised

http://www.philly.com/inquirer/business/20101020_Health_insurers_say_data_on_280_000_Pennsylvania_clients_may_be_compromised.html

Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan said
Tuesday that a portable computer drive containing the names,
addresses, and health information of 280,000 Medicaid members in
Pennsylvania has been lost.

The affiliated companies together insure 400,000 people on medical
assistance in Pennsylvania.

The companies said the portable computer hard drive, used at community
health fairs, was lost within the companies' corporate offices.
Keystone's headquarters is in Southwest Philadelphia and AmeriHealth
Mercy's is in Harrisburg.

The computer drive included members' health plan identification
numbers and some of their health information, the insurers said.

Also stored on the drive were the last four digits of 801 members'
Social Security numbers, plus complete Social Security numbers for
seven others.

Monday, October 18, 2010

Illinois AG sues Payday Loan Store over improper disposal of customer data

http://www.databreaches.net/?p=14735


Attorney General Lisa Madigan today filed a lawsuit in Cook County Circuit
Court against The Payday Loan Store of Illinois, Inc. (PLS), for allegedly
failing to safeguard customer data as promised. The Attorney General filed
the suit after learning that documents containing customers’ personal
information had turned up in trash bins outside four store locations.

“Data security is absolutely critical to protecting consumers from identity
theft,” Attorney General Madigan said. “Businesses that collect, use and
ultimately dispose of sensitive personal information must live up to their
promises to protect that information from unauthorized access in order to
protect the financial privacy of consumers.”

PLS, which sells high-cost, short-term loans throughout Illinois, provides
customers with a privacy policy that promises the company will protect their
customers’ personal information by maintaining physical, electronic and
procedural safeguards in compliance with federal regulations. The Attorney
General’s complaint alleges, however, that PLS did not maintain those
safeguards and instead disposed of customers’ personal information in
publicly accessible trash containers.

The complaint alleges that a concerned individual alerted Bolingbrook police
that he had found documents containing sensitive information in a trash
container behind the PLS location in Bolingbrook. The police retrieved
approximately two boxes of documents containing nonpublic personal
information, including Social Security numbers, driver’s license numbers,
financial account numbers and PLS loan account numbers.

Computer security at Tech questioned

http://www.dchieftain.com/dc/index.php/news/2263-computer-security-at-tech-questioned.html

A procedural mishap at New Mexico Tech's Computer Center may have
allowed the Social Security numbers of a few thousand people to be
publicly available to anyone with a Tech computer account for nearly
five years.

William Colburn, Tech graduate, former Tech employee and Tech
Community College instructor and current Tech student, said he found
copies of an accounting file containing more than 3,000 Social
Security numbers stored in two locations on a publicly searchable disk
on the TCC server.

Tech's Public Information Officer, Thom Guengerich, said the problem
has been taken care of.

"We don't dispute that some files were accidentally and inadvertently
made open," Guengerich said, in a telephone interview on Thursday,
Oct. 14. "When it came to the university's attention, they were
deleted."
[..]

ACCOMACK: County laptop stolen on employee's trip to Vegas; residents' SSNs compromised

http://www.delmarvanow.com/article/20101014/NEWS01/101014035/1002/ACCOMACK--County-laptop-stolen-on-employee-s-trip-to-Vegas--residents--SSNs-compromised

ACCOMAC — An Accomack employee had a county-owned laptop computer stolen
while on a personal vacation to Las Vegas, and with it the names and Social
Security numbers of roughly 35,000 county residents.

In some cases, actual addresses of county residents also may have been
included in computer files.

“It was taken there without permission,” said County Administrator Steve
Miner of the computer.

Miner said the worker remains employed. The matter was discussed during a
closed meeting of the Board of Supervisors on Wednesday.

“We really haven’t resolved the personnel side of this,” he said.

The incident happened on the evening of Oct. 7. The county waited seven days
before issuing a prepared release to media warning citizens of it.

He said letters will be sent to affected residents “very soon.”

Miner said the county began determining what was on the computer immediately
after its theft.

“We have since been trying to work on the problem,” he said. “That was not
something we knew, in terms of files. That took some forensic work. Then we
had to figure out what it meant.”

Neither Miner nor the release named the employee who had the computer
stolen.

[...]

Microsoft: ‘Unprecedented Wave of Java Exploitation’

Microsoft Corp. today warned that it is seeing a huge uptick in attacks against security holes in Java, a software package that is installed on the majority of the world’s desktop computers.
In a posting to the Microsoft Malware Protection Center blog, senior program manager Holly Stewart warned of an “unprecedented wave of Java exploitation,” and confirmed findings that KrebsOnSecurity.com published one week ago: Java exploits have usurped Adobe-related exploits as attackers’ preferred method for breaking into Windows PCs.

Image courtesy Microsoft
Stewart said the spike in the third quarter of 2010 is primarily driven by attacks on three Java vulnerabilities that have already been patched for some time now. Even so, attacks against these flaws have “gone from hundreds of thousands per quarter to millions,” she added. Indeed, according to Microsoft’s one-year anniversary post for its Security Essentials anti-malware tool, exploits for a Java vulnerability pushed the Renos Trojan to the top of the list for all malware families (malware and exploits) detected in the United States.
My research shows the reason for the spike, and it precedes the 3rd quarter of 2010: Java exploits have been folded into a number of the top “exploit packs,” commercial crimeware kits sold in the hacker underground that make it simple to seed hacked or malicious sites with code that exploits a variety of browser flaws in a bid to install malware.

http://krebsonsecurity.com/2010/10/microsoft-a-tidal-wave-of-java-exploitation/utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+(Krebs+on+Security)

Three Banks Closed on Oct. 15

Federal and state banking regulators closed three banks on Friday, Oct. 15.
These closures raise the total number of failed institutions to 149 so far in 2010.
These are the latest failed banks:

Security Savings Bank, F.S.B., Olathe, Kan.

Security Savings Bank, F.S.B., Olathe, Kan., was closed by the Office of Thrift Supervision, and the Federal Deposit Insurance Corporation was appointed receiver. The FDIC arranged for Simmons First National Bank, Pine Bluff, Ark., to assume all of the deposits of the failed bank. The nine branches of Security Savings Bank, F.S.B. will reopen as branches of Simmons First National Bank. Security Savings Bank, F.S.B. had $508.4 million in assets. The estimated cost to the Deposit Insurance Fund (DIF) will be $82.2 million.

WestBridge Bank and Trust Company, Chesterfield, Mo.

WestBridge Bank and Trust Company, Chesterfield, Mo., was closed by the Missouri Division of Finance. The FDIC was appointed receiver. The FDIC arranged for Midland States Bank, Effingham, Ill., to assume all of the deposits of the failed bank. The sole branch of WestBridge Bank and Trust Company will reopen as a branch of Midland States Bank. WestBridge Bank and Trust Company had $91.5 million in total assets. The estimated cost to the DIF will be $18.7 million.

Premier Bank, Jefferson City, Mo.

Premier Bank, Jefferson City, Mo., was closed by the Missouri Division of Finance, and the FDIC was appointed receiver. The FDIC arranged with Providence Bank, Columbia, Mo., to assume all of the deposits of Premier Bank. The nine branches of Premier Bank will reopen as branches of Providence Bank. Premier Bank had $1.18 billion in total assets. The estimated cost to the DIF will be $406.9 million.



http://www.bankinfosecurity.com/articles.php?art_id=3015

Sunday, October 17, 2010

Massive Health Insurance Fraud Alleged

Armenian-American Crime Ring Targeted in Medicare Case
October 14, 2010 - Howard Anderson, Managing Editor, HealthcareInfoSecurity.com

Federal authorities have charged 44 alleged members and associates of an Armenian-American organized crime enterprise in connection with two massive health insurance fraud schemes.
In addition to a $100 million scheme to defraud Medicare -- the largest single Medicare fraud case -- members of the crime ring also were charged in connection with a separate scheme to defraud private health insurers in the New York area, federal authorities say.
The Medicare indictment alleges defendants operated at least 118 bogus medical clinics in 25 states that submitted the fraudulent claims.
"There were no real medical clinics behind the fraudulent billings, just stolen doctors' identities," says Janice Fedarcyk, FBI assistant director-in-charge. "There were no colluding patients signing in at clinics for unneeded treatments, just stolen patient identities."

http://www.bankinfosecurity.com/articles.php?art_id=3009

Wednesday, September 29, 2010

Ie: Computer Containing Patient Data Stolen From Ennis Hospital

http://www.phiprivacy.net/?p=3962
By Dissent, September 27, 2010


The Health Service Executive (HSE) has confirmed that a computer containing patient information has been stolen during a break-in at Ennis General Hospital. Gardaí, the HSE and the Data Protection Commissioner are investigating the theft, which occurred at Clare's county hospital last week.
[...]

The HSE has launched its own investigation into the matter; however, it is not yet known how much data relating to patients' personal information was on the computer or whether the machine was encrypted. It is thought that the computer was password protected and had been used for recording patients' blood pressure monitoring data.
More info:
http://www.clareherald.com/news/3092-computer-containing-patient-data-stolen-from-ennis-hospital.html

Tuesday, September 28, 2010

Alaska potential breach

http://www.ktva.com/ci_16146251

ANCHORAGE, Alaska - The HIV status of thousands of Alaskans could be in 
the hands of a thief.

Anchorage Police, along with the Alaska Aids Assistance Association 
known as the Four A's, say the sensitive information was taken earlier 
this month, but because the investigation is still very active, a lot of 
information is not being made public at this time.

However, both police officials and Four A's representatives say they're 
confident neither the organization, nor the information, were 
specifically targeted.

"The potential breach could affect around 2,000 individuals statewide, 
and until the investigation is completed itself, will we be able to 
determine if anybody at all was affected, to what level and then that 
will determine how we notify them, when we notify them and what 
information we share," said Four A's Executive Director Trevor Storrs.

(Update) Lincoln golf courses, restaurant sources of credit card leaks

http://www.databreaches.net/?p=14157

September 25, 2010

Zach Pluhacek and Cory Matteson provide the latest update to recent 
reports of card fraud in the Lincoln area:

     Two Lincoln golf courses and a restaurant say they are the sources of 
more than 200 credit and debit card numbers stolen recently from 
Lincoln-area residents.

     In a news release Friday, Wilderness Ridge golf course and restaurant, 
1800 Wilderness Woods Place, and Hidden Valley Golf, 10501 Pine Lake Road, 
announced they had uncovered a security breach that exposed the card 
numbers of its recent customers.

     "All offending systems were immediately shut down," the release said.

     It's not clear how far back the breach stretched. Lincoln Police Chief 
Tom Casady said one affected cardholder hadn't been to either business 
since March.

     As of Friday morning, police had taken 225 reports of credit and debit 
card fraud they believe to be connected, Officer Katie Flood said.

Read more in the Lincoln Journal Star. The full press release is available 
on the paper's web site, here.


Monday, September 27, 2010

CA: Records stolen from LabCorp Patient Service Center

http://www.phiprivacy.net/?p=3849

Records stolen from LabCorp Patient Service Center
By Dissent, September 21, 2010

LabCorp Patient Service Center in California notified Health & Human
Services (HHS) that 507 patients were affected by theft of their protected
health information.  The records were in paper format, and were reportedly
stolen on or about August 2.

I do not see any statement on LabCorp's web site.  The company has a
number of locations and it is not clear where this theft occurred.

13,800 accounts "stolen" in Nevada, Florida and Arizona

http://www.lasvegassun.com/news/2010/sep/20/officials-man-skimmed-13800-credit-cards-alleged-s/


Officials: 13,800 credit cards ‘skimmed’ in alleged scheme

Federal charges have been filed against a Las Vegas man in connection
with the production and use of counterfeit credit and debit cards that
allegedly were encoded with information skimmed from gas pumps in Las
Vegas and elsewhere.

Zelalem Berhe, 41, is charged in a criminal indictment with five counts
of bank fraud, possession of 15 or more counterfeit access devices,
possession of access device-making equipment and aggravated identity
theft, said U.S. attorney for Nevada Daniel Bogden.

From about April 16, 2009, to May 4, 2010, the indictment alleges that
Berhe and others installed devices used to steal magnetic information
from credit and debit cards (known as "skimming") at gas pumps in the
Las Vegas area, as well as in Florida and Arizona.

...

Berhe and others allegedly skimmed about 13,800 credit and debit card
account numbers using this system and unlawfully used the stolen account
numbers to fraudulently obtain about $591,872 from more than 10
financial institutions, officials said.