Friday, September 21, 2012
Daily Report
Top Stories
• An underground utility explosion shut down streets and forced evacuations of many office buildings and a courthouse in Albany, New York. – Albany Times-Union

1. September 20, Albany Times-Union – (New York) A big blast from below. An underground utility explosion rocked a downtown neighborhood of Albany, New York, September 19, sending manhole covers flying and a fireball into the air. The explosions forced officials to shut down streets, and several office buildings on North Pearl Street were evacuated. The blast happened at the corner of Steuben and Pearl streets, according to the fire chief. The city ordered the evacuation of buildings on North Pearl Street between State and Columbia streets. Some buildings on Eagle and Pine streets were also closed. National Grid crews were on the scene dealing with the aftermath of the utility fire. The company cut electrical service to many downtown buildings. The mayor said the city and utility companies will need to look into the infrastructure under the ground to determine if there are widespread problems. The Albany County Judicial Center was evacuated and closed. County officials said a fire in the sewer system outside the building caused smoke to be drawn into the building’s air intake system. A spokesman for National Grid said the explosion was caused by a fault on an electrical cable. He said utility crews were working to make repairs and were testing for natural gas fumes. Source: http://www.timesunion.com/local/article/Albany-courthouse-evacuated-roads-closed-3877873.php
• Researchers discovered new versions of a zero-day vulnerability in Internet Explorer targeting defense contractors, including a U.S. aircraft and weapons delivery systems firm and a U.S. aerospace and defense technology company. – Infosecurity

7. September 19, Infosecurity – (International) Internet Explorer zero-day targeting defense industry. Researchers at AlienVault discovered new versions of the exploit for the new Internet Explorer zero-day vulnerability that are targeting a number of defense and industrial companies, including a U.S. aircraft and weapons delivery systems firm, a U.S. aerospace and defense technology company, and a U.K. defense contractor. “We also found a fake domain of a company that builds turbines and power sources used in several applications including utilities and power plants,” a researcher said. “We were able to check that the official Web site of the company has been compromised as well and it is serving the Internet Explorer ZeroDay to the visitors. They’ve included an iframe to the exploit in the entry page.” The researcher and his team also found the exploit code evolved and is now able to infect not only Windows XP but also Windows 7 32-bit running Java 6. Source: http://www.infosecurity-magazine.com/view/28357/
• A financial services industry group warned U.S. banks, brokerages, and insurers to be on heightened alert for cyber attacks after Bank of America and JPMorgan Chase experienced unexplained outages on their public Web sites. – Reuters See item 10 below in the Banking and Finance Sector
• Washington D.C. train riders experienced massive delays after a power failure stopped a train carrying 1,000 people in a tunnel between two stations. – WTOP 103.5 FM Washington, D.C.

19. September 19, WTOP 103.5 FM Washington, D.C. – (Maryland; Washington, D.C.) Red Line running again after train stuck in tunnel. Washington Metropolitan Area Transit Authority (WMATA) riders experienced residual delays on the Red Line in Washington D.C. after a power failure September 19 stopped a train in the tunnel between the Friendship Heights and Tenleytown-AU stations with roughly 1,000 people on board. Red Line trains were traveling at 35 mph until the transit agency could determine what caused the problem. The issue that disabled the train forced riders to stay on board for about an hour. During that time, Metro kept the train in the tunnel until it reestablished power. The outage occurred on Wisconsin Avenue outside the Tenleytown-AU station, according to Metropolitan police. Metro closed the station during the incident. It has since reopened. Source: http://www.wtop.com/41/3044606/Red-Line-running-again-after-train-stuck-in-tunnel
• The piece of malware known as ZeroAccess was found to be present on more than 1 million computers spread throughout almost 200 countries. – Softpedia See item 41 below in the Information Technology Sector
Details
Banking and Finance Sector
8. September 20, Softpedia – (Puerto Rico; National) Tax refund fraud scheme shut down after U.S. authorities arrest 14 suspects. September 19, authorities arrested 14 individuals suspected of participating in one of the largest and longest stolen identity tax refund fraud schemes the United States has ever witnessed. It is believed that the fraudsters attempted to steal around $65 million. The individuals caused damages of $11.3 million according to a U.S. attorney’s office in New Jersey. They were charged with conspiracy to defraud the State and theft of government property. The perpetrators would steal the Social Security numbers, dates of birth, and other sensitive details of unsuspecting individuals, many of whom reside in Puerto Rico. The fraudulently obtained data would then be utilized to file Individual Income Tax Returns. The tax return checks issued by the U.S. Department of the Treasury were intercepted by the conspirators, often by bribing mail carriers. Source: http://news.softpedia.com/news/Tax-Refund-Fraud-Scheme-Shut-Down-After-US-Authorities-Arrest-14-Suspects-293640.shtml
9. September 20, Softpedia – (International) Chase Bank site suffers outage, Muslim hackers take credit. After the public-facing Web site of Bank of America (BoA) experienced some minor outages, JPMorgan Chase suffered from similar problems, Softpedia reported September 20. The same hackers who attacked BoA also took responsibility for taking down Chase.com. On September 18, a hacker collective threatened to attack the Web sites of BoA and the New York Stock Exchange in protest against a controversial film. At the time, they threatened that other organizations would also be targeted in the upcoming days, and Chase appears to be one of them. “Chase.com is experiencing intermittent issues. We’re working to restore full connectivity and apologize for any inconvenience,” read a message posted by the financial institution on Twitter. Around 5 hours later, the company announced that the site was back online. The “Cyber fighters of Izz ad-din Al qassam” published a second Pastebin document, taking credit for the outage. Source: http://news.softpedia.com/news/Chase-Bank-Site-Suffers-Outage-Muslim-Hackers-Take-Credit-293681.shtml
10. September 20, Reuters – (International) Bank group warns of heightened risk of cyber attacks. The Financial Services Information Sharing and Analysis Center (FS-ISAC) warned U.S. banks, brokerages, and insurers September 19 to be on heightened alert for cyber attacks after Bank of America and JPMorgan Chase experienced unexplained outages on their public Web sites. FS-ISAC raised the cyber threat level to “high” from “elevated” in an advisory to members, citing “recent credible intelligence regarding the potential” for cyber attacks as its reason for the move. The move by FS-ISAC came just 2 days after the FBI published a “fraud alert” advising financial services firms that cyber criminals may be disrupting service to their Web sites in a bid to keep banks from noticing a recent surge in fraudulent large-sized wire transfers. Source: http://in.reuters.com/article/2012/09/20/us-jpmorganchase-website-idINBRE88I16M20120920
11. September 20, WCVB 5 Boston – (Massachusetts; Rhode Island) Police: ‘Bearded Bandit’ bank robber arrested at Seekonk motel. A man believed to be the “Bearded Bandit” was arrested in Seekonk, Massachusetts. Police arrested the man September 19 at the Seekonk Motel 6 where he had been living, according to police. The arrest came after an officer spotted two vehicles in the motel parking lot that matched descriptions of getaway cars used in at least eight robberies in Rhode Island and Massachusetts. Investigators said the man was clean shaven and a fake beard was found inside his room. Source: http://www.wcvb.com/news/local/boston-south/Police-Bearded-Bandit-bank-robber-arrested-at-Seekonk-motel/-/9848842/16673050/-/ccmhhe/-/index.html
12. September 19, U.S. Federal Bureau of Investigation – (International) Former CME Group software engineer pleads guilty to stealing Globex computer trade secrets while planning to improve electronic trading in China. A former senior software engineer for Chicago-based CME Group Inc. pleaded guilty September 19 to theft of trade secrets for stealing computer source code and other proprietary information while at the same time pursuing plans to improve an electronic trading exchange in China. The defendant admitted that he downloaded more than 10,000 files containing CME source code that made up a substantial part of the operating systems for the Globex electronic trading platform. The government maintains that the potential loss was between $50 million and $100 million, while the defendant maintains that the potential loss was less than $55.7 million. The programmer, who worked for CME Group for 11 years, pleaded guilty to two counts of theft of trade secrets. The programmer and two unnamed business partners developed plans to form a business that would contract to the Zhangjiagang chemical electronic trading exchange to increase trading value on the exchange using the stolen code. Source: http://www.fbi.gov/chicago/press-releases/2012/former-cme-group-software-engineer-pleads-guilty-to-stealing-globex-computer-trade-secrets-while-planning-to-improve-electronic-trading-in-china
13. September 19, WAPT 15 Jackson – (Mississippi) Bond set for women accused in robbery attempt with fake bomb. Bond was set for two women accused in a fake bomb plot in Canton, Mississippi, September 19, officials said. Canton police said a woman who claimed that two men forced her to strap on a backpack with what she thought was explosives was charged with bank robbery. Investigators said she walked into a Trustmark bank September 14 and told employees she had a bomb in the backpack she was wearing. She told police that two men attacked and kidnapped her from a gas station and forced her to strap on the backpack that she believed contained explosives. They then threatened to kill her if she did not rob the bank, police said. Initially, police said it appeared she had been a victim, but the investigation later led to her arrest. Police did not say what role they believed the second woman played in the robbery attempt. Police said the backpack contained two bricks, and no explosives. Source: http://www.wapt.com/news/central-mississippi/Court-next-stop-for-women-accused-in-fake-bomb-robbery-attempt/-/9156946/16659322/-/f1rgsiz/-/index.html
For more stories, see item 42 below in the Information Technology Sector and item 46 below in the Communications Sector
Information Technology Sector
36. September 20, The Register – (International) Hacktivists, blackhats snatch sixguns from whitehats’ holsters. Tools designed for testing server and network defenses are being used by hacktivists to launch denial-of-service (DoS) attacks on Web sites. More and more assaults are concentrating on exhausting Web apps and the HTTP server software running them, rather than simply flooding the underlying stack with bogus traffic to exhaust resources and bandwidth, according to the latest edition of Imperva’s Hacker Intelligence report. This type of attack may be directed at specific types of Web servers such as IIS or Apache, or at specific applications, such as SharePoint. The latest and most popular distributed denial-of-service (DDoS) tools include LOIC, SlowHTTPTest, and railgun. The use of the latter two white-hat tools shows how black-hat hackers have begun running attacks that utilize white-hat testing tools. Attacks analyzed by Imperva in its report include network assaults by hacktivists in Bahrain, Colombia, and Russia, as well as Web blitzes against businesses linked to DDoS-for-hire scams. DDoS attacks typically run from botnet networks of compromised computers. Source: http://www.theregister.co.uk/2012/09/20/ddos_trends_imperva/
37. September 20, Homeland Security News Wire – (International) New NIST publication provides guidance for computer security risk assessments. The National Institute of Standards and Technology (NIST) released a final version of its risk assessment guidelines which, NIST says, can provide senior leaders and executives with the information they need to understand and make decisions about their organization’s current information security risks and information technology infrastructures. A NIST release notes that information technology risks include risk to the organization’s operations (including, for example, missions and reputation), its critical assets such as data and physical property, and individuals who are part of or served by the organization. In some cases, these risks extend to the nation as a whole. Risk assessments are part of an organization’s total risk management process. Source: http://www.homelandsecuritynewswire.com/dr20120920-new-nist-publication-provides-guidance-for-computer-security-risk-assessments
38. September 20, Computerworld – (International) Microsoft: Patch for critical IE zero-day bug coming Friday. September 19, Microsoft released a stopgap defense that protects Internet Explorer (IE) against attacks until the company issues a patch September 21. The update will fix five flaws, including one revealed by a security researcher the weekend of September 15 that hackers have been exploiting to hijack Windows PCs and infect them with malware. The so-called “zero-day” vulnerability — meaning it was leveraged by attackers before Microsoft was aware of the bug, much less able to patch it — has been analyzed and discussed by security experts with increasing intensity since September 17. Source: http://www.computerworld.com/s/article/9231478/Microsoft_Patch_for_critical_IE_zero_day_bug_coming_Friday
39. September 20, The Register – (International) Sophos antivirus classifies its own update kit as malware. There were problems for Sophos users September 19 after the business-focused antivirus firm released an update that classified itself and any other update utility as a virus. As a result, enterprise PCs running the application became confused, generating false positives reporting SSH/Updater-B malware. System administrators were bombarded with automated alerts by email about the bogus problem. The issue was resolved with a functional update, issued later September 19. For many, the trouble continued: endpoints and corporate networks hit by the false positive were left with systems that could no longer update themselves properly, because the required functionality had been consigned to quarantine. Source: http://www.theregister.co.uk/2012/09/20/sophos_auto_immune_update_chaos/
40. September 20, The Register – (International) Latest iPhone hacked to blab all your secrets. Dutch hackers exploited a WebKit bug in mobile Web browser Safari to wipe an iPhone 4S of its photos, address book contacts, and its browser history. The flaw exists in Apple’s iOS 5.1.1 and the latest developer preview of iOS 6, which was made public September 19. As such, the vulnerability should affect iPhones, iPads, and modern iPods — including the new iPhone 5. The vulnerability could also exist in BlackBerry and Android phones, which also use the WebKit engine in their built-in Web browsers, although the hack has not been tested on these platforms. The bug was demonstrated by the team at Certified Secure at the Pwn2Own Mobile hacking contest in Amsterdam, Netherlands, the week of September 17. A Samsung Galaxy S3 was also broken into and compromised by a separate team at MWR Labs using wireless near-field communication (NFC) technology. Source: http://www.theregister.co.uk/2012/09/20/iphone_hack_photos_contacts_taken/
41. September 20, Softpedia – (International) Over 1 million PCs currently part of ZeroAccess global botnet. The piece of malware known as ZeroAccess is present on more than 1 million computers spread throughout almost 200 countries. So far, the threat was found to be installed more than 9 million times on the devices of unsuspecting users. The total number of installs reached this limit in just several months. ZeroAccess generates a profit for its masters with the aid of a peer-to-peer network that is used to download malicious plugins. These components are capable of carrying out diverse tasks that help the criminals make money. According to experts, cyber criminals can earn as much as $100,000 per day if the botnet is operating at maximum capacity. After monitoring the threat for 2 months, Sophos was able to pinpoint the locations of the infected machines. Most appear to be in the United States (55 percent), Canada, the United Kingdom, Germany, Turkey, Spain, France, Austria, Italy, and Japan. Source: http://news.softpedia.com/news/Over-1-Million-PCs-Currently-Part-of-ZeroAccess-Global-Botnet-293573.shtml
42. September 20, Softpedia – (International) Users of mobile portals exposed to HTTP header pollution attacks, expert finds. At the EUSecWest security conference in Amsterdam, Netherlands, an independent security researcher unveiled his findings on GSM vulnerabilities in a paper entitled “Using HTTP headers pollution for mobile networks attacks.” The attacks he demonstrated target the Wireless Application Protocol (WAP) and Web portals on which the customers of mobile operators can perform specific tasks such as money transfers, content downloads, and subscriptions. Depending on the services offered by the carrier on these Web sites, cyber criminals can abuse the security holes for their own gain. Apparently, there is also a way for shady companies to take advantage of these flaws. Third-party mobile content providers can enter agreements with the carrier and secretly subscribe customers to their paid services. A majority of the sites tested by the researcher — belonging to operators from all over the world — were found to be vulnerable to the attack method he identified. Source: http://news.softpedia.com/news/Users-of-Mobile-Portals-Exposed-to-HTTP-Header-Pollution-Attacks-Expert-Finds-293540.shtml
43. September 20, The H – (International) Apple closes numerous security holes with iOS 6. With the release of iOS 6.0, Apple not only delivers several new features to the mobile operating system but also closes many security vulnerabilities. The major update deals with a list of almost 200 CVE items, some of which apply to several vulnerabilities. The problems grant hackers almost free rein: they range from a hole that lets attackers circumvent the passcode on the lock screen, to the ability to fake text message sender information and code injection through specially prepared Web sites or media files. One vulnerability is caused by an error in the way the operating system parses some configuration files. The hole allows attackers to make it appear that an important system update is available for the user’s device. This update appears to be signed by Apple or the user’s mobile carrier, when in fact it is completely fake. If the user installs the so-called “update,” the malicious configuration file is able to change critical system settings. Through this attack vector, hackers can configure a proxy on the system and are able to breach the encrypted data connections of the iOS device. This can even give hackers access to the Apple account of the victim, allowing them to spend the victim’s money in the iTunes Store. This vulnerability was first publicly disclosed 3 years ago. Source: http://www.h-online.com/security/news/item/Apple-closes-numerous-security-holes-with-iOS-6-1713012.html
44. September 19, Dark Reading – (International) Attack easily cracks Oracle database passwords. A researcher with AppSec Inc. plans to show an attack exploiting cryptographic flaws he discovered in Oracle’s database authentication protocol at the Ekoparty security conference in Buenos Aires, Argentina. It allows an attacker without any database credentials to brute-force the password hash of any database user so he/she then can access the data. The researcher and his team first reported the bugs to Oracle in May 2010. Oracle fixed them in mid-2011 via the 11.2.0.3 patch set, issuing a new version of the protocol. “But they never fixed the current version, so the current 11.1 and 11.2 versions are still vulnerable,” the researcher said, and Oracle has no plans to fix the flaws for version 11.1. Source: http://www.darkreading.com/authentication/167901072/security/application-security/240007643/
45. September 18, V3.co.uk – (International) Flame malware siblings still running wild and undetected, warn researchers. The week of September 17, Kaspersky claimed to have detected three Flame-related pieces of malware in the wild. Kaspersky’s chief malware expert told V3.co.uk that analysis of the command and control (C&C) servers used by Flame’s authors indicated the extent of the cyber espionage campaign may be larger than first thought. As such, he warned there are likely more than the three new Flame-level threats currently operating undetected in the wild. Source: http://www.v3.co.uk/v3-uk/news/2206227/flame-malware-siblings-still-running-wild-and-undetected-warn-researchers
For more stories, see item 7 above in Top Stories, items 9, 10, and 12 above in the Banking and Finance Sector, and item 46 below in the Communications Sector
Communications Sector
46. September 19, Warminster Patch – (Pennsylvania) Verizon outage disrupts Bucks and Montgomery County. Verizon’s private and business FiOS customers in Bucks and Montgomery County, Pennsylvania, felt the effects of a September 18 storm well into September 19, spending most of the day without phone and Internet service. Verizon’s media relations manager for the northeast region said the trouble started September 18 when a tree toppled over power lines outside the company’s Hatboro office. The back-up generator maintained operations until it shut down September 19. When the generator regained power, it began recharging the office’s bank of back-up batteries. One battery began to overheat, forcing technicians to shut down power again to repair the faulty equipment. The loss of FiOS service not only left residential customers without phone service for a bulk of the day, but also affected the 9-1-1 systems for Bucks and Montgomery counties. Local businesses that use FiOS for credit card transactions also experienced network connectivity issues. Source: http://warminster.patch.com/articles/storm-damage-disrupts-verizon-service-in-bucks-and-montgomery
For more stories, see items 40, 42, and 43 above in the Information Technology Sector
Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information
About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport
Contact Information
Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703) 387-2314
Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.
Contact DHS
To report physical infrastructure incidents or to request information, please contact the National Infrastructure
To report cyber infrastructure incidents or to request information, please contact US-CERT at soc@us-cert.gov or visit their Web page at www.us-cert.gov.
Department of Homeland Security Disclaimer
The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.