Friday, September 21, 2012 


Daily Report

Top Stories

 • An underground utility explosion shut down streets and forced evacuations of many office buildings and a courthouse in Albany, New York. – Albany Times-Union

1. September 20, Albany Times-Union – (New York) A big blast from below. An underground utility explosion rocked a downtown neighborhood of Albany, New York, September 19, sending manhole covers flying with a fireball in the air. The explosions forced officials to shut down streets and several office buildings on North Pearl Street were evacuated. The blast happened at the corner of Steuben and Pearl streets, according to the fire chief. The city ordered the evacuations of buildings on North Pearl Street between State and Columbia streets. Some buildings on Eagle and Pine streets were also closed. National Grid crews were on the scene, dealing with the aftermath of the utility fire. The company cut electrical service to many downtown buildings. The mayor said the city and utility companies will need to look into the infrastructure under the ground to determine if there are widespread problems. The Albany County Judicial Center was evacuated and closed. County officials said a fire in the sewer system outside the building caused smoke to be drawn into the building’s air intake system. A spokesman for National Grid said the explosion was caused by a fault on an electrical cable. He said utility crews were working to make repairs and were testing for natural gas fumes. Source: http://www.timesunion.com/local/article/Albany-courthouse-evacuated-roads-closed-3877873.php

 • Researchers discovered new versions of a zero-day vulnerability in Internet Explorer targeting defense contractors, including a U.S. aircraft and weapons delivery systems firm and a U.S. aerospace and defense technology company. – Infosecurity

7. September 19, Infosecurity – (International) Internet Explorer zero-day targeting defense industry. Researchers at AlienVault discovered new versions of the new zero-day vulnerability in Internet Explorer that are targeting a number of defense and industrial companies, including a U.S. aircraft and weapons delivery systems firm, a U.S. aerospace and defense technology company, and a U.K. defense contractor. ―We also found a fake domain of a company that builds turbines and power sources used in several applications including utilities and power plants,‖ a researcher said. ―We were able to check that the official Web site of the company has been compromised as well and it is serving the Internet Explorer ZeroDay to the visitors. They’ve included an iframe to the exploit in the entry page.‖ The researcher and his team also found the exploit code evolved and is now able to infect not only Windows XP but also Windows 7 32-bit running Java 6. Source: http://www.infosecurity-magazine.com/view/28357/

 • A financial services industry group warned U.S. banks, brokerages, and insurers to be on heightened alert for cyber attacks after Bank of America and JPMorgan Chase experienced unexplained outages on their public Web sites. – Reuters See item 10 below in the Banking and Finance Sector

 • Washington D.C. train riders experienced massive delays after a power failure stopped a train carrying 1,000 people in a tunnel between two stations. – WTOP 103.5 FM Washington, D.C.

19. September 19, WTOP 103.5 FM Washington, D.C. – (Maryland; Washington, D.C.) Red Line running again after train stuck in tunnel. Washington Metropolitan Area Transit Authority (WMATA) riders experienced residual delays on the Red Line in Washington D.C. after a power failure September 19 stopped a train in the tunnel between the Friendship Heights and Tenleytown-AU stations with roughly 1,000 people on board. Red Line trains were traveling at 35 mph until the transit agency could determine what caused the problem. The issue that disabled the train forced riders to stay on board for about an hour. During that time, Metro kept the train in the tunnel until it reestablished power. The outage occurred on Wisconsin Avenue outside the Tenleytown-AU station, according to Metropolitan police. Metro closed the station during the incident. It has since reopened. Source: http://www.wtop.com/41/3044606/Red-Line-running-again-after-train-stuck-in-tunnel

 • The piece of malware known as ZeroAccess was found to be present on more than 1 million computers spread throughout almost 200 countries. – Softpedia See item 41 below in the Information Technology Sector

Details

Banking and Finance Sector

8. September 20, Softpedia – (Puerto Rico; National) Tax refund fraud scheme shut down after U.S. authorities arrest 14 suspects. September 19, authorities arrested 14 individuals suspected of participating in one of the largest and longest stolen identity tax refund fraud schemes the United States has ever witnessed. It is believed that the fraudsters attempted to steal around $65 million. The individuals caused damages of $11.3 million according to a U.S. attorney’s office in New Jersey. They were charged with conspiracy to defraud the State and theft of government property. The perpetrators would steal the Social Security numbers, dates of birth, and other sensitive details of unsuspecting individuals, many of whom reside in Puerto Rico. The fraudulently obtained data would then be utilized to file Individual Income Tax Returns. The tax return checks issued by the U.S. Department of the Treasury were intercepted by the conspirators, often by bribing mail carriers. Source: http://news.softpedia.com/news/Tax-Refund-Fraud-Scheme-Shut-Down-After-US-Authorities-Arrest-14-Suspects-293640.shtml

9. September 20, Softpedia – (International) Chase Bank site suffers outage, Muslim hackers take credit. After the public-facing Web site of Bank of America (BoA) experienced some minor outages, JPMorgan Chase suffered from similar problems, Softpedia reported September 20. The same hackers who attacked BoA also took responsibility for taking down Chase.com. On September 18, a hacker collective threatened to attack the Web sites of BoA and the one of the New York Stock Exchange in protest against a controversial film. At the time, they threatened that other organizations would also be targeted in the upcoming days, and Chase appears to be one of them. ―Chase.com is experiencing intermittent issues. We’re working to restore full connectivity and apologize for any inconvenience,‖ read a message posted by the financial institution on Twitter. Around 5 hours later, the company announced that the site was back online. The ―Cyber fighters of Izz ad-din Al qassam‖ published a second Pastebin document, taking credit for the outage. Source: http://news.softpedia.com/news/Chase-Bank-Site-Suffers-Outage-Muslim-Hackers-Take-Credit-293681.shtml

10. September 20, Reuters – (International) Bank group warns of heightened risk of cyber attacks. The Financial Services Information Sharing and Analysis Center (FS-ISAC) warned U.S. banks, brokerages, and insurers September 19 to be on heightened alert for cyber attacks after Bank of America and JPMorgan Chase experienced unexplained outages on their public Web sites. FS-ISAC raised the cyber threat level to ―high‖ from ―elevated‖ in an advisory to members, citing ―recent credible intelligence regarding the potential‖ for cyber attacks as its reason for the move. The move by FS-ISAC came just 2 days the FBI published a ―fraud alert‖ advising financial services firms that cyber criminals may be disrupting service to their Web sites in a bid to keep banks from noticing a recent surge in fraudulent large-sized wire transfers. Source: http://in.reuters.com/article/2012/09/20/us-jpmorganchase-website-idINBRE88I16M20120920

11. September 20, WCVB 5 Boston – (Massachusetts; Rhode Island) Police: ‘Bearded Bandit’ bank robber arrested at Seekonk motel. A man believed to be the ―Bearded Bandit‖ was arrested in Seekonk, Massachusetts. Police arrested the man September 19 at the Seekonk Motel 6 where he had been living, according to police. The arrest came after an officer spotted two vehicles in the motel parking lot that matched descriptions of getaway cars used in at least eight robberies in Rhode Island and Massachusetts. Investigators said the man was clean shaven and a fake beard was found inside his room. Source: http://www.wcvb.com/news/local/boston-south/Police-Bearded-Bandit-bank-robber-arrested-at-Seekonk-motel/-/9848842/16673050/-/ccmhhe/-/index.html

12. September 19, U.S. Federal Bureau of Investigation – (International) Former CME Group software engineer pleads guilty to stealing Globex computer trade secrets while planning to improve electronic trading in China. A former senior software engineer for Chicago-based CME Group Inc. pleaded guilty September 19 to theft of trade secrets for stealing computer source code and other proprietary information while at the same time pursuing plans to improve an electronic trading exchange in China. The defendant admitted that he downloaded more than 10,000 files containing CME source code that made up a substantial part of the operating systems for the Globex electronic trading platform. The government maintains that the potential loss was between $50 million and $100 million, while the defendant maintains that the potential loss was less than $55.7 million. The programmer, who worked for CME Group for 11 years, pleaded guilty to two counts of theft of trade secrets. The programmer and two unnamed business partners developed plans to form a business that would contract to the Zhangliagang chemical electronic trading exchange to increase trading value on the exchange using the stolen code. Source: http://www.fbi.gov/chicago/press-releases/2012/former-cme-group-software-engineer-pleads-guilty-to-stealing-globex-computer-trade-secrets-while-planning-to-improve-electronic-trading-in-china

13. September 19, WAPT 15 Jackson – (Mississippi) Bond set for women accused in robbery attempt with fake bomb. Bond was set for two women accused in a fake bomb plot in Canton, Mississippi,September 19, officials said. Canton police said a woman who claimed that two men forced her to strap on a backpack with what she thought was explosives was charged with bank robbery. Investigators said she walked into a Trustmark bank September 14 and told employees she had a bomb in the backpack she was wearing. She told police that two men attacked and kidnapped her from a gas station and forced her to strap on the backpack that she believed contained explosives. They then threatened to kill her if she did not rob the bank, police said. Initially, police said it appeared she had been a victim, but the investigation later led to her arrest. Police did not say what role they believed the second woman played in the robbery attempt. Police said the backpack contained two bricks, and no explosives. Source: http://www.wapt.com/news/central-mississippi/Court-next-stop-for-women-accused-in-fake-bomb-robbery-attempt/-/9156946/16659322/-/f1rgsiz/-/index.html

For more stories, see items 42 and 46 below in the Information Technology Sector
Information Technology Sector

36. September 20, The Register – (International) Hacktivists, blackhats snatch sixguns from whitehats’ holsters. Tools designed for testing server and network defenses are being used by hacktivists to launch denial-of-service (DoS) attacks on Web sites. More and more assaults are concentrating on exhausting Web apps and the HTTP server software running it, rather than simply flooding the underlying stack with bogus traffic to exhaust resources and bandwidth, according to the latest edition of Imperva’s Hacker Intelligence report. This type of attack may be directed at specific types of Web servers such as IIS or Apache, or to specific applications, such as SharePoint. The latest and most popular distributed denial-of-service (DDoS) tools include LOIC, SlowHTTPTest, and railgun. The use of the latter two white-hat tools shows how black-hat hackers have begun running attacks that utilize white-hat testing tools. Attacks analyzed by Imperva in its report include network assaults by hacktivists in Bahrain, Colombia, and Russia, as well as Web blitzes against businesses linked to DDoS-for-hire scams. DDoS attacks typically run from botnet networks of compromised computers. Source: http://www.theregister.co.uk/2012/09/20/ddos_trends_imperva/

37. September 20, Homeland Security News Wire – (International) New NIST publication provides guidance for computer security risk assessments. The National Institute of Standards and Technology (NIST) released a final version of its risk assessment guidelines which, NIST says, can provide senior leaders and executives with the information they need to understand and make decisions about their organization’s current information security risks and information technology infrastructures. A NIST release notes that information technology risks include risk to the organization’s operations (including, for example, missions and reputation), its critical assets such as data and physical property, and individuals who are part of or served by the organization. In some cases, these risks extend to the nation as a whole. Risk assessments are part of an organization’s total risk management process. Source: http://www.homelandsecuritynewswire.com/dr20120920-new-nist-publication-provides-guidance-for-computer-security-risk-assessments

38. September 20, Computerworld – (International) Microsoft: Patch for critical IE zero-day bug coming Friday. September 19, Microsoft released a stopgap defense that protects Internet Explorer (IE) against attacks until the company issues a patch September 21. The update will fix five flaws, including one revealed by a security researcher the weekend of September 15 that hackers have been exploiting to hijack Windows PCs and infect them with malware. The so-called ―zero-day‖ vulnerability — meaning it was leveraged by attackers before Microsoft was aware of the bug, much
less able to patch it — has been analyzed and discussed by security experts with increasing intensity since September 17. Source: http://www.computerworld.com/s/article/9231478/Microsoft_Patch_for_critical_IE_zero_day_bug_coming_Friday

39. September 20, The Register – (International) Sophos antivirus classifies its own update kit as malware. There were problems for Sophos users September 19 after the business-focused antivirus firm Sophos released an update that classified itself and any other update utility as a virus. As a result, enterprise PCs running the application became confused, generating false positives reporting SSH/Updater-B malware. System administrators were bombarded with automated alerts by email about the bogus problem. The issue was resolved with a functional update, issued later September 19. For many, troubles continued because many endpoints and corporate networks hit by the false positive have been left with systems that can no longer update themselves properly because the required functionality has been consigned to quarantine. Source: http://www.theregister.co.uk/2012/09/20/sophos_auto_immune_update_chaos/

40. September 20, The Register – (International) Latest iPhone hacked to blab all your secrets. Dutch hackers exploited a WebKit bug in mobile Web browser Safari to wipe an iPhone 4S of its photos, address book contacts, and its browser history. The flaw exists in Apple’s iOS 5.1.1 and the latest developer preview of iOS 6, which was made public September 19. As such, the vulnerability should affect iPhones, iPads, and modern iPods — including the new iPhone 5. The vulnerability could also exist in BlackBerry and Android phones, which also use the WebKit engine in their built-in Web browsers, although the hack has not been tested on these platforms. The bug was demonstrated by the team at Certified Secure at the Pwn2Own Mobile hacking contest in Amsterdam, Netherlands, the week of September 17. A Samsung Galaxy S3 was also broken into and compromised by a separate team at MWR Labs using wireless near-field communication (NFC) technology. Source: http://www.theregister.co.uk/2012/09/20/iphone_hack_photos_contacts_taken/

41. September 20, Softpedia – (International) Over 1 million PCs currently part of ZeroAccess global botnet. The piece of malware known as ZeroAccess is present on more than 1 million computers spread throughout almost 200 countries. So far, the threat was found to be installed more than 9 million times on the devices of unsuspecting users. The total number of installs reached this limit in just several months. ZeroAccess generates a profit for its masters with the aid of a peer-to-peer network that is used to download malicious plugins. These components are capable of carrying out diverse tasks that help the criminals make money. According to experts, cyber criminals can earn as much as $100,000 per day if the botnet is operating at maximum capacity. After monitoring the threat for 2 months, Sophos was able to pinpoint the locations of the infected machines. Most appear to be in the United States (55 percent), Canada, the United Kingdom, Germany, Turkey, Spain, France, Austria, Italy, and Japan. Source: http://news.softpedia.com/news/Over-1-Million-PCs-Currently-Part-of-ZeroAccess-Global-Botnet-293573.shtml

42. September 20, Softpedia – (International) Users of mobile portals exposed to HTTP header pollution attacks, expert finds. At the EUSecWest security conference in Amsterdam, Netherlands, an independent security researcher unveiled his findings on GSM vulnerabilities in a paper entitled ―Using HTTP headers pollution for mobile networks attacks.‖ The attacks he demonstrated target the Wireless Application Protocol (WAP) and Web portals on which the customers of mobile operators can perform specific tasks such as money transfers, content downloads, and subscriptions. Depending on the services offered by the carrier on these Web sites, cyber criminals can abuse the security holes for their own gain. Apparently, there is also a way for shady companies to take advantage of these flaws. Third-party mobile content providers can enter agreements with the carrier and secretly subscribe customers to their paid services. A majority of the sites tested by the researcher — belonging to operators from all over the world — were found to be vulnerable to the attack method he identified. Source: http://news.softpedia.com/news/Users-of-Mobile-Portals-Exposed-to-HTTP-Header-Pollution-Attacks-Expert-Finds-293540.shtml

43. September 20, The H – (International) Apple closes numerous security holes with iOS 6. With the release of iOS 6.0, Apple not only delivers several new features to the mobile operating system but also closes many security vulnerabilities. The major update deals with a list of almost 200 CVE items, some of which apply to several vulnerabilities. The problems grant hackers almost free reign: They range from a hole that lets attackers circumvent the passcode on the lock screen, to the ability to fake text message sender information and code injection through specially prepared Web sites or media files. One vulnerability is caused by an error in the way the operating system parses some configuration files. The hole allows attackers to pretend an important system update is available for the user’s device. This update appears to be signed by Apple or the user’s mobile carrier, when in fact it is completely fake. If the user installs the so-called ―update,‖ the malicious configuration file is able to change critical system settings. Through this attack vector, hackers can configure a proxy on the system and are able to breach the encrypted data connections of the iOS device. This can even give hackers access to the Apple account of the victim, allowing them to spend the victim’s money in the iTunes Store. This vulnerability was first publicly disclosed 3 years ago. Source: http://www.h-online.com/security/news/item/Apple-closes-numerous-security-holes-with-iOS-6-1713012.html

44. September 19, Dark Reading – (International) Attack easily cracks Oracle database passwords. A researcher with AppSec Inc. plans to show an attack exploiting cryptographic flaws he discovered in Oracle’s database authentication protocol at the Ekoparty security conference in Buenas Aires, Argentina. It allows an attacker without any database credentials to brute-force hack the password hash of any database user so he/she then can access the data. The researcher and his team first reported the bugs to Oracle in May 2010. Oracle fixed them in mid-2011 via the 11.2.0.3 patch set, issuing a new version of the protocol. ―But they never fixed the current version, so the current 11.1 and 11.2 versions are still vulnerable,‖ the researcher said, and Oracle has no plans to fix the flaws for version 11.1. Source: http://www.darkreading.com/authentication/167901072/security/application-security/240007643/

45. September 18, V3.co.uk – (International) Flame malware siblings still running wild and undetected, warn researchers. The week of September 17, Kasperksy claimed to have detected three Flame-related pieces of malware in the wild. Kaspersky’s chief malware expert told V3.co.uk that analysis of the command and control (C&C) servers used by Flame’s authors indicated the extent of the cyber espionage campaign may be larger than first thought. As such, he warned there are likely more than the three new Flame-level threats currently operating undetected in the wild. Source: http://www.v3.co.uk/v3-uk/news/2206227/flame-malware-siblings-still-running-wild-and-undetected-warn-researchers

For more stories, see items 7 above in Top Stories, 9, 10, and 12, above in the Banking and Finance Sector and 46 below in the Communications Sector

Communications Sector

46. September 19, Warminster Patch – (Pennsylvania) Verizon outage disrupts Bucks and Montgomery County. Verizon’s private and business FiOS customers in Bucks and Montgomery County, Pennsylvania, felt the effects of a September 18 storm well into September 19, spending most of the day without phone and Internet service. Verizon’s media relations manager for the northeast region said the trouble started September 18 when a tree toppled over power lines outside the company’s Hatboro office. The back-up generator maintained operations until it shut down September 19. When the generator regained power, it began recharging the office’s bank of back-up batteries. One battery began to overheat, forcing technicians to shut down power again to repair the faulty equipment. The loss of FiOS service not only left residential customers without phone service for a bulk of the day, but also affected the 9-1-1 systems for Bucks and Montgomery counties. Local businesses that use FiOS for credit card transactions also experienced network connectivity issues. Source: http://warminster.patch.com/articles/storm-damage-disrupts-verizon-service-in-bucks-and-montgomery
For more stories, see items 40, 42, and 43 above in the Information Technology Sector


Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport

Contact Information

Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List:     Send mail to support@govdelivery.com.


Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure
Coordinating Center at  nicc@dhs.gov or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at  soc@us-cert.gov or visit their Web page at  www.us-cert.go v.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.