Thursday, September 27, 2012 

Daily Report

Top Stories

 • A company whose software and services are used to remotely administer the energy industry began warning customers it is investigating a sophisticated hacker attack spanning its operations in the United States, Canada, and Spain. – Krebs on Security

3. September 26, Krebs on Security – (International) Chinese hackers blamed for intrusion at energy industry giant Telvent. A company whose software and services are used to remotely administer and monitor large sections of the energy industry began warning customers the week of September 17 that it is investigating a sophisticated hacker attack spanning its operations in the United States, Canada, and Spain, Krebs on Security reported September 26. Experts say digital fingerprints left behind by attackers point to a Chinese hacking group tied to repeated cyber-espionage campaigns against key Western interests. In letters sent to customers, Telvent Canada Ltd. said that September 10 it learned of a breach of its internal firewall and security systems. Telvent said the attacker(s) installed malicious software and stole project files related to one of its core offerings — OASyS SCADA — a product that helps energy firms mesh older IT assets with more advanced “smart grid” technologies. The firm said it was still investigating the incident, but that as a precautionary measure, it had disconnected the usual data links between clients and affected portions of its internal networks. Source: KrebsOnSecurity (Krebs on Security)

 • The Government Accountability Office released a report in which it demonstrates that counterfeit documents can be used easily to obtain valid driver’s licenses and State-issued identification cards under fake identities. – Homeland Security News Wire

31. September 26, Homeland Security News Wire – (National) GAO: Easily obtained counterfeit IDs present real risks. The Government Accountability Office (GAO) released a report September 21 in which the agency demonstrates that counterfeit documents can still be used easily to obtain valid driver’s licenses and State-issued identification cards under fictitious identities. GAO recommended that DHS exert more assertive leadership in an effort to correct the problem, Homeland Security News Wire reported September 26. The president of the Coalition for a Secure Driver’s License stated, “The GAO replicated the same techniques used by the 9/11 terrorists to get more than 30 driver’s license and IDs from State licensing agencies. To obtain a driver’s license with your photo but with someone else’s biographic information or with fictitious information, terrorists need only travel to a State where identification standards are low and service is fast. Terrorists planning future attacks on Americans will be delighted by GAO’s findings, but Congress should be very concerned.” A coalition release notes that GAO’s investigators obtained five driver’s licenses in three different States under fictitious identities using combinations of name, birth date, and Social Security numbers together with counterfeit documents. In two States, a GAO investigator was able to obtain two licenses with different identities using the same person’s face. Only in one case did a motor vehicle employee appear to question the validity of the documents being presented, but the GAO investigator was still able to obtain a driver’s license. Source:

 • The Federal Trade Commission settled a case with several computer rent-to-own companies and a software maker over their use of a program that spied on and collected data and images on as many as 420,000 people. – The H See item 41 below in the Information Technology Sector

 • New research suggests that planting malware at sites most likely to be visited by targets has been used in espionage attacks against the defense, government, financial services, healthcare, and utilities sectors. – Krebs on Security See item 44 below in the Information Technology Sector


Banking and Finance Sector

9. September 26, IDG News Service – (International) Wells Fargo recovers after site outage. Wells Fargo’s Web site experienced intermittent outages September 25, while the hacker group claiming responsibility threatened to hit U.S. Bancorp and PNC Financial Services Group over the next 2 days, IDG News Service reported. Wells Fargo apologized on Twitter for the disruption, and said they were working to restore access. By September 26, the site appeared to be functioning. A group calling itself the “Mrt. Izz ad-Din al-Qassam Cyber Fighters” said it coordinated the attacks, and planned further ones on U.S. Bancorp September 26 and PNC Financial Services Group September 27, according to a post on Pastebin. The group said the cyberattacks are in retaliation for the 14-minute video trailer insulting the Prophet Muhammad, and said the attacks will continue until the video is removed from the Internet. The attacks would last 8 hours starting at 2:30 p.m. GMT, the group wrote. Source:

10. September 25, Bloomberg News – (International) SEC says New York firm allowed high-speed stock manipulation. A New York-based brokerage allowed overseas clients to run a scheme aimed at distorting stock prices by rapidly canceling orders, according to the U.S. Securities and Exchange Commission (SEC), Bloomberg News reported September 25. Clients of Hold Brothers On-Line Investment Services were “repeatedly manipulating publicly traded stocks” by placing and erasing orders in an illegal strategy designed to trick others into buying or selling, the SEC said. Hold Brothers, its owners, and the foreign firms Trade Alpha Corporate Ltd. and Demonstrate LLC agreed to settle allegations that the New York broker failed to supervise customers and pay $4 million in fines. The SEC complaint targeted practices that abused high-speed computer trading on American equity venues. As high-frequency activity has grown in recent years, the agency’s efforts to stop practices such as “layering” or “spoofing” have extended to automated trading tactics. Along with Hold Brothers, the SEC charged its co-founder and president, who created and partially owned Trade Alpha and Demonstrate. A former chief compliance officer and chief financial officer, and another executive, were also charged and agreed to the penalties. Source:

11. September 25, Associated Press – (Nebraska; National) 3 ex-TierOne Bank execs charged with hiding losses. Three former TierOne Bank executives were charged September 25 with concealing millions of dollars in real estate losses and misleading investors during the recent recession. The Securities and Exchange Commission (SEC) filed the civil charges against the bank’s former CEO, former president, and former chief credit officer. The CEO’s son was also charged with insider trading. All but the former chief credit officer agreed to settlements. The CEO and former president will pay nearly $1.2 million but did not admit any wrongdoing. The SEC said TierOne relied on outdated appraisals that inflated the value of real estate that the bank had loans on or had repossessed. The Lincoln, Nebraska-based bank understated its losses by millions of dollars in 2008 and 2009. Federal regulators closed TierOne in June 2010 and sold its assets to Great Western Bank. TierOne had losses in 10 of its last 11 quarters before regulators closed it as it struggled under the weight of bad loans in parts of the United States hit hard by the subprime mortgage crisis. Investors did not learn the extent of TierOne’s loan losses until late 2009, when regulators with the Office of Thrift Supervision required TierOne to obtain new appraisals of its impaired loans. That prompted TierOne to disclose $130 million of additional loan losses. Source:

For more stories, see items 41 and 44 below in the Information Technology Sector

Information Technology Sector

40. September 26, The H – (International) Security fixes dominate in Google’s Chrome 22. Chrome 22 closes more than 40 security holes, of which 1 is considered to be critical and 19 are rated as “high severity” by the company. These problems include a critical Windows kernel memory corruption vulnerability and two UXSS vulnerabilities in frame handling and V8 JavaScript bindings. Other corrected problems include use-after-free issues in onclick handling and SVG text references, out-of-bounds writes in the Skia graphics library, a buffer overflow in SSE2 optimizations, an integer overflow in WebGL on Mac systems, and 18 separate issues in the PDF viewer. Source:

41. September 26, The H – (International) Rent-to-own laptops were spying on users. The U.S. Federal Trade Commission (FTC) settled a case with several computer rent-to-own companies and a software maker over their use of a program that spied on as many as 420,000 users of the computers. The terms of the settlement will ban the firms from using monitoring software, deceiving customers into giving up information, or using geo-location to track users. The software for rental companies from DesignerWare included a “Detective Mode,” a spyware application that, according to the FTC’s complaint, could activate the Webcam of a laptop and take pictures and log keystrokes of user activity. The software also regularly presented a fake registration screen designed to trick users into entering personal information. The data collected was transmitted to DesignerWare and then passed on to the rent-to-own companies. DesignerWare sold the service, which included a “kill switch” to disable the machine, to be activated if a computer was stolen or a renter was late making payments. However, the data gathered also contained user names and passwords for email accounts, social media Web sites, and financial institutions, said the FTC. The complaint said Social Security numbers, private email with doctors, bank and credit card statements, and Webcam pictures of “children, partially undressed individuals and intimate activities at home” were collected. The complaint against DesignerWare said its licensing and enabling of “Detective Mode” was providing the rent-to-own companies with the means to break the law. Source:

42. September 26, – (International) Samsung delivers Galaxy S3 remote-wipe bug fix. Samsung released a fix for a critical error in its software that allowed malicious code to remotely wipe its Galaxy S3 smartphone. The vulnerability was showcased by a security researcher at the Ekoparty security conference September 25. Samsung later told V3 it was aware of the issue and had built a fix, which it was distributing as an over-the-air update. The vulnerability was reportedly in the device’s handling of Unstructured Supplementary Service Data (USSD), a protocol used in the messaging between handset and mobile network. Potentially, hackers could use the vulnerability to send a “factory reset” command to the user’s device. The attacks could be mounted using many different mediums including Web site links, NFC tags, and QR codes. Security firm Sophos has since warned that the vulnerability may affect several other Android handsets, including those made by other manufacturers, and urged owners of devices to back up their phones regularly. Source:

43. September 25, Softpedia – (International) Backdoor in phpMyAdmin allows hackers to execute PHP code. phpMyAdmin warned users that a kit hosted on its mirror system was found to contain a backdoor that allows remote attackers to execute arbitrary PHP code. The developers were notified by the Tencent Security Response Center that the distribution contained a malicious file. The affected mirror is called cdnetworks-kr-1, and the backdoor was located in the server_sync.php file. Apparently, this was not the only corrupted file: the phpMyAdmin development team says a second file — js/cross_framing_protection.js — was also modified. The vulnerability was cataloged as critical. Source:
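The practical lesson of item 43 is that a download from a mirror should be checked against values published out of band by the project, not against anything the mirror itself serves. The following added example (not phpMyAdmin's code, and not the tool used in the incident) shows two such checks: a whole-archive SHA-256 comparison against an expected digest, and a per-file manifest comparison that names which members of a tarball differ from a known-good copy. The archive contents are constructed sample data that merely reuse the two file names from the report; the "MODIFIED" markers stand in for whatever change a tampered mirror copy might carry.

```python
import hashlib
import io
import tarfile


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def build_tar(files: dict) -> bytes:
    """Build an uncompressed tar in memory from {path: bytes}.

    Constructed sample data only; plain tar (no gzip) keeps the bytes
    deterministic, since TarInfo defaults mtime to 0.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def manifest_from_tar(tar_bytes: bytes) -> dict:
    """Map every regular file in the archive to its SHA-256 digest."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile():
                manifest[member.name] = sha256_bytes(tar.extractfile(member).read())
    return manifest


def verify_download(tar_bytes: bytes, expected_archive_sha256: str,
                    reference_manifest: dict) -> dict:
    """Check a downloaded archive two ways and report what differs.

    expected_archive_sha256 and reference_manifest must come from a trusted,
    out-of-band source (the project's own site or signed release notes),
    never from the mirror that served the archive.
    """
    report = {
        "archive_ok": sha256_bytes(tar_bytes) == expected_archive_sha256,
        "modified": [],
        "missing": [],
        "added": [],
    }
    actual = manifest_from_tar(tar_bytes)
    for path, digest in reference_manifest.items():
        if path not in actual:
            report["missing"].append(path)
        elif actual[path] != digest:
            report["modified"].append(path)
    report["added"] = sorted(p for p in actual if p not in reference_manifest)
    return report


# Constructed stand-in for a phpMyAdmin kit; only the file names echo the report.
CLEAN_FILES = {
    "index.php": b"<?php echo 'ok'; ?>\n",
    "server_sync.php": b"<?php /* sync */ ?>\n",
    "js/cross_framing_protection.js": b"if (top != self) { top.location = self.location; }\n",
}

# The same kit with the two files the report names altered (marker text, no payload).
TAMPERED_FILES = dict(CLEAN_FILES)
TAMPERED_FILES["server_sync.php"] = CLEAN_FILES["server_sync.php"] + b"<?php /* MODIFIED */ ?>\n"
TAMPERED_FILES["js/cross_framing_protection.js"] = (
    b"/* MODIFIED */\n" + CLEAN_FILES["js/cross_framing_protection.js"]
)


def check_mirror_copy(trusted_archive: bytes, downloaded_archive: bytes) -> dict:
    """Derive the expected digest and manifest from a trusted copy, then verify a download."""
    return verify_download(
        downloaded_archive,
        sha256_bytes(trusted_archive),
        manifest_from_tar(trusted_archive),
    )


if __name__ == "__main__":
    clean = build_tar(CLEAN_FILES)
    downloaded = build_tar(TAMPERED_FILES)
    print(check_mirror_copy(clean, downloaded))
```

In real use the expected archive digest (or a detached signature) is what the project publishes alongside the release, and the per-file manifest is useful after the fact, when an already-installed copy must be compared to a clean release to see exactly which files a mirror altered.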

44. September 25, Krebs on Security – (International) Espionage hackers target ‘watering hole’ sites. Security experts are accustomed to direct attacks, but some of today’s more insidious incursions succeed in a roundabout way — by planting malware at sites deemed most likely to be visited by the targets of interest. New research suggests these so-called “watering hole” tactics have recently been used as stepping stones to conduct espionage attacks against a host of targets across a variety of industries, including the defense, government, academia, financial services, healthcare, and utilities sectors. In a report released September 25, RSA FirstWatch’s (RSA) experts hint at — but do not explicitly name — some of the watering hole sites. According to RSA, the sites in question were hacked between June and July 2012. Source:

45. September 24, Washington Post – (International) Donuts Inc.’s major play for new Web domain names raises fears of fraud. A historic land rush is underway for vast new swaths of the Internet: Amazon has bid for control of all the Web addresses that end with “.book.” Google wants “.buy.” Allstate wants “.carinsurance.” However, the single most aggressive bidder for lucrative new Web domains is a little-known investment group with an intriguing name: Donuts Inc. Its $57 million play for 307 new domains — more than Google, Amazon, and Allstate combined — has prompted alarm among industry groups and Internet watchdogs. They warn Donuts has close ties to a company with a well-documented history of providing services to spammers and other perpetrators of Internet abuses. Should Donuts come to control hundreds of new domains, including “.doctor,” “.financial,” and “.school,” consumers could see a spike in online misbehavior, these critics warn. Source:

For more stories, see item 3 above in Top Stories and item 9 above in the Banking and Finance Sector

Communications Sector

See item 42 above in the Information Technology Sector

Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site:

Contact Information

Content and Suggestions: Send mail to or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List: Send mail to

Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure
Coordinating Center at or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at or visit their Web page at v.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.