Wednesday, October 24, 2012
Daily Report
Top Stories
• The extended shutdown of a sister company of
the pharmacy at the center of the deadly U.S. meningitis outbreak may
exacerbate drug shortages for some hospitals and healthcare providers as the
number of infection cases neared 300, U.S. health regulators said October 22. –
Reuters
18. October 22, Reuters – (National) Meningitis
probe could hit hospital drug supplies. The extended shutdown of a sister
company of the pharmacy at the center of the deadly U.S. meningitis outbreak
may exacerbate drug shortages for some hospitals and healthcare providers as
the number of infection cases neared 300, U.S. health regulators said October
22. Ameridose, a drug manufacturer owned by the same people who own New England
Compounding Center, or NECC, has been closed since October 10. It will remain
shuttered until November 5, while authorities inspect the plant, at least
temporarily cutting off supplies to its customers. NECC shipped thousands of
potentially contaminated vials of a steroid used for injections to treat severe
back pain. Some 14,000 patients may have been exposed to the medicine that has
so far led to 23 deaths. Twelve additional fungal meningitis cases were
reported October 22, bringing the total to 294 in 16 States, plus 3 cases of
peripheral joint infection likely linked to the tainted steroid, according to
the U.S. Centers for Disease Control and Prevention. Nine of the new cases were
reported in Michigan, which has reported 63 infections and 5 deaths. Source: http://www.reuters.com/article/2012/10/22/us-usa-health-meningitis-shortages-idUSBRE89L18320121022
• Five Points Correctional Facility in Seneca
County, New York, was put on lockdown after a riot the weekend of October 20
injured six officers. The lockdown was expected to last through the end of the
week of October 22. – WHAM 13 Rochester
22. October 23, WHAM 13 Rochester – (New
York) Prison in lockdown after riot. Five Points Correctional Facility
in Seneca County, New York, is on lockdown after a riot over the weekend of
October 20. Officers at the prison tried to break up a fight between inmates
October 21. Some of the inmates started to assault the staff — leading officers
to use canisters of tear gas to get the situation under control. Six officers
were hurt; two of them had to go to a hospital for treatment but were expected
to be fine. Eight inmates were transferred to other correctional facilities in
New York. The lockdown was expected to last through the end of the week of
October 22. Source: http://www.13wham.com/news/state/story/Seneca-Co-Prison-In-Lockdown/D3KfvOGTlkWJl0NHozFmkg.cspx
• A New York City Police Department (NYPD)
officer admitted to stealing guns from police lockers and selling them to drug
dealers to pay for his addiction to painkillers. He pleaded guilty October 22
to selling four stolen NYPD-issued guns and an additional pistol that belonged
to him. – Associated Press See item 26 below in the Information Technology Sector
• Web sites that use
Amazon’s AWS cloud-computing service for hosting were down as it experienced
“degraded performance” in its northern Virginia zone October 22. The sites
included Reddit, Coursera, Flipboard, FastCompany, Foursquare, Netflix,
Pinterest, and Airbnb. – Forbes See item 35
below in the Communications Sector
Details
Banking and Finance Sector
2. October 22, Reuters – (International) U.S. exchange flags internal trading
discrepancy. U.S. exchange operator Direct Edge said October 22 that it
found a discrepancy between how a stock trades in certain circumstances
compared with what its rules state, a contradiction at the center of a growing
debate over market complexity and fairness. The discrepancy that Direct Edge
found in its mid-point-match (MPM) order types has existed since trading
platform EDGX officially launched as a national securities exchange in July
2010, the company said in a notice to traders. An order type is the set of instructions
that govern the price and other variables in stock transactions. The
discrepancy involves the exchange’s Rule 11.8(a)(2), which is supposed to
assign priority to MPM orders over, among others, non-displayed limit orders.
Direct Edge said EDGX usually assigns priority for MPM orders but it identified
a circumstance in which the trading platform did not. In addition, the
likelihood that MPM orders are executed and result in price improvement is
higher because they automatically interact with displayed order flow. How often MPM orders failed to receive the trading priority they were supposed to have was not indicated in the trading notice. Source: http://www.reuters.com/article/2012/10/22/us-exchanges-directedge-idUSBRE89L15X20121022
3. October 21, KSWB 5 San Diego – (California) ‘Chubby Bandit’ bank robbery suspect arrested. A man suspected of being the “Chubby Bandit” was arrested October 21 for
allegedly robbing a pharmacy and five banks in the San Diego area and an
attempt to rob a sixth, law enforcement officials said. According to the FBI,
the heavy-set man dubbed the “Chubby Bandit” first struck October 9, holding
up a US Bank branch in Poway. He then allegedly robbed a CVS Pharmacy in San
Marcos October 10, a Chase Bank branch in Carlsbad October 11, and attempted to
rob another Chase Bank branch in Solana Beach October 13. The bandit then
allegedly robbed a Wells Fargo Bank branch in Encinitas October 15, a US Bank
branch in Carlsbad October
16, and a Wells Fargo Bank in San Diego October 18. In all the robberies, the
bandit used a demand note and said he had a gun, officials said. Source: http://www.fox5sandiego.com/news/kswb-chubby-bandit-arrested,0,3011373.story
Information Technology Sector
25. October 23, Softpedia – (International) Experts locate dropper of Japanese malware
responsible for making death threats. Approximately 10 days ago, a piece of
malware making death and bomb threats online on behalf of its victims was
discovered. Now, researchers from Symantec discovered the malicious element’s
dropper. The dropper of Backdoor.Rabasheeta — the component responsible for
installing the payload onto the victim’s computer — creates a registry entry to
ensure that the main module is executed each time the device is started.
After it drops the main module and the configuration files that enable the
threat to communicate with its command and control server, it removes itself
from the infected computer. Backdoor.Rabasheeta has the capability to open a
backdoor on the compromised device and allow its controller to take command of
it. Source: http://news.softpedia.com/news/Experts-Locate-Dropper-of-Japanese-Malware-Responsible-for-Making-Death-Threats-301400.shtml
26. October 23, The H – (International) CyanogenMod logged lockscreen swipe gestures.
A developer discovered that the popular modified Android firmware
CyanogenMod apparently recorded swipe gestures used to unlock smartphones. The
CyanogenMod project provides manufacturer-independent open source custom ROMs
for Android devices. In August, an update was released which modified the fixed
3x3 grid format for lockscreen gestures to make the grid size configurable (by
adding a PATTERN_SIZE variable). In the process, a line of code to log gestures used was also added.
A researcher now discovered this code. Logging unlock gestures is comparable to
recording passwords entered by users. Neither represents a direct threat, as
without access to the device, attackers cannot access the log file. However, it
nonetheless poses an unnecessary risk that could allow data which should be
confidential to fall into the wrong hands, for example by compromising a
backup saved to a PC. Source: http://www.h-online.com/security/news/item/CyanogenMod-logged-lockscreen-swipe-gestures-1734701.html
27. October 23, Help Net Security – (International) Malvertising on Yahoo
Messenger hijacks browsers’ start page. Yahoo Messenger users who followed
the link in an advertisement for Vietnamese Internet directory Web site
LaBan(dot)vn and downloaded the offered executable installed a persistent
application that repeatedly leads them to the Web site. “It is not yet clear whether
the banner has reached YIM customers following a legit advertising campaign
that was modified by the advertiser later, or if it is an abusive attack that
exploits a bug in the Yahoo Ad services,” said a Bitdefender researcher, but
the banner was displayed for 4 hours. The problem with the app is that it
cannot be easily deleted. The app adds itself to the Windows startup entries in
order to run after every system reboot, and it repeatedly changes the default
start page of the browsers found on the affected computer. The researcher did
not mention whether the LaBan(dot)vn Web site offers other malicious software
except for this app. Source: http://www.net-security.org/malware_news.php?id=2300
28. October 23, The H – (International) Google Drive opens backdoor to Google
accounts. The Windows and Mac OS X desktop clients for Google’s Drive file
storage and synchronization service open a backdoor to users’ Google accounts
which could allow the curious to access a Drive user’s email, contacts, and
calendar entries. The sync tool includes a “Visit Google Drive on the web” link
which opens Drive’s Web interface in the default browser and automatically logs
the user in. Somewhat problematic is the fact that this session can then be
used to switch to other Google services such as Gmail and Google Calendar. Even
if the user explicitly logs out of the Google sites by clicking the “Sign out”
link, the Drive client will open a new session without requiring a password.
The desktop clients request login credentials only once, when they are first
installed and launched. The backdoor is particularly problematic where a user
shares their account with others or where a computer is not password protected.
The link also makes accessing a user’s Google account unnecessarily simple for
trojans. Source: http://www.h-online.com/security/news/item/Google-Drive-opens-backdoor-to-Google-accounts-1735069.html
29. October 23, The H – (International) Security researcher experiments with patching
Java. With Oracle planning to wait until February 2013, a security
researcher decided to take matters into his own hands by developing a patch for
a critical security vulnerability he discovered in Java. He posted a report on
his efforts to security mailing list Full Disclosure. However, the patch is not
intended for publication — as this would reveal details of the vulnerability,
which the researcher has kept hidden so far. Instead, the researcher hopes
his experiment will prompt Oracle to speed up its process for releasing
official patches. He informed Oracle of the critical vulnerability in late
September. It potentially enables an attacker to use a specially crafted applet
to access assets on a system with user privileges. He was, however, too late
for the company’s October patch day. Oracle informed him that it was already in
the final stages of testing its October patches and that any patch would have
to be held over until the next critical patch update, scheduled for February
19, 2013. In order to estimate the amount of work involved, the security
researcher then decided to develop a patch himself and found that fixing the
vulnerability required changing just 25 characters of code in 30 minutes.
According to the researcher, the patch has no discernible effect on the code
logic, rendering extensive integration tests to check its effect on other
programs superfluous. Source: http://www.h-online.com/security/news/item/Security-researcher-experiments-with-patching-Java-1735346.html
30. October 23, The H – (International) Adobe fixes critical Shockwave
vulnerabilities. Numerous critical flaws in Shockwave, which could allow an
attacker to inject malicious code into a system, were closed by Adobe with the
release of Shockwave Player 11.6.8.638 for Windows and Macintosh systems.
Overall, the vulnerabilities have six CVE numbers assigned to them
(CVE-2012-4172, CVE-2012-4173, CVE-2012-4174, CVE-2012-4175, CVE-2012-4176,
CVE-2012-5273) and are mostly buffer overflows with one array out of bounds
vulnerability. Adobe said the update is a priority 2 issue. The company
recommends users update their installations as soon as is possible, but notes
there are no known Shockwave exploits in the wild for these flaws. Source: http://www.h-online.com/security/news/item/Adobe-fixes-critical-Shockwave-vulnerabilities-1735371.html
31. October 22, Computer Weekly – (International) XSS attacks remain top threat to Web
applications. Cross-site scripting (XSS) attacks remain the top threat to
Web applications, databases, and Web sites, an analysis of 15 million cyberattacks
in the third quarter of 2012 revealed. Other top attack techniques are
directory traversals, SQL injections (SQLi), and cross-site request forgery
(CSRF), according to the latest Web application attack report by cloud hosting
firm FireHost. The increase in the number of cross-site attacks is one of the
most significant changes in attack traffic between Q2 and Q3 2012, the report
said. XSS and CSRF attacks rose to represent 64 percent of the group. XSS is
now the most common attack type, with CSRF now in second. Source: http://www.computerweekly.com/news/2240168930/XSS-attacks-remain-top-threat-to-web-applications
32. October 22, Infosecurity – (International) Cross-zone scripting vulnerabilities found in
Dropbox and Drive. “Exploiting this vulnerability,” announced IBM’s
Application Security Insider blog, “an attacker could steal arbitrary files
from a DropBox / Google Drive user by tricking him into viewing a malicious
HTML file inside the mobile app.” Applications such as Dropbox and Drive are of
increasing relevance to business, and their security is of increasing
importance. As the bring-your-own-device revolution gathers pace more and more
employees are using such cloud storage services as a simple means of
transferring data from corporate servers to personal tablets or smartphones.
The problem, according to an advisory released by a researcher, is that “the
DropBox apps use an embedded browser window to render the locally stored HTML
file.” The way this has been implemented would allow the execution of malicious
JavaScript code “to steal potentially valuable information from the DOM of the
embedded browser, an attack dubbed Cross-Application Scripting (XAS).” Source: http://www.infosecurity-magazine.com/view/28915/crosszone-scripting-vulnerabilities-found-in-dropbox-and-drive/
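The advisory quoted above blames an embedded browser that renders a locally stored HTML file with script enabled. As an added illustration (not code from Dropbox, Google, or the IBM researchers), the Android WebView settings below contrast that weak pattern with a viewer that treats the synced file as untrusted data; the class and method names are hypothetical.

```java
import android.content.Context;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;

// Hypothetical viewer class, added for illustration only.
public final class LocalHtmlViewer {

    // Weak pattern: the synced file is loaded from a file:// origin with JavaScript on,
    // so script embedded in a crafted HTML document runs inside the app's own browser
    // window and can read that window's DOM (and, with file access on, local files).
    public static WebView weakViewer(Context ctx, File htmlFile) {
        WebView view = new WebView(ctx);
        WebSettings settings = view.getSettings();
        settings.setJavaScriptEnabled(true);
        settings.setAllowFileAccess(true);
        view.loadUrl("file://" + htmlFile.getAbsolutePath());
        return view;
    }

    // Hardened pattern: read the bytes ourselves, hand them to the WebView as text/html
    // with no file:// origin, and switch off script and file access so a malicious
    // document is rendered but cannot execute or reach other files.
    public static WebView hardenedViewer(Context ctx, File htmlFile) throws IOException {
        String html = readUtf8(htmlFile);
        WebView view = new WebView(ctx);
        WebSettings settings = view.getSettings();
        settings.setJavaScriptEnabled(false);
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);       // API 16+
        settings.setAllowUniversalAccessFromFileURLs(false);  // API 16+
        // Refuse in-view navigation so the document cannot redirect the user elsewhere.
        view.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView v, String url) {
                return true; // swallow the navigation request
            }
        });
        // A null base URL gives the content an opaque origin instead of file://.
        view.loadDataWithBaseURL(null, html, "text/html", "UTF-8", null);
        return view;
    }

    // Reads the whole file as UTF-8 without handing the WebView a file:// path.
    private static String readUtf8(File f) throws IOException {
        try (FileInputStream in = new FileInputStream(f);
             ByteArrayOutputStream out = new ByteArrayOutputStream()) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
            return out.toString("UTF-8");
        }
    }
}
```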
33. October 22, Ars Technica – (International) Java still has a crucial role to play—
despite security risks. Java has its security flaws, but it is not going
away any time soon — many important applications run on the technology,
especially in business settings. Still, many users are worried enough about
vulnerabilities that they restrict Java’s ability to run on their machines.
That is what Ars Technica heard when it asked its readers October 19 whether
they let Java run on their computers, and why. Some users disabled or
uninstalled Java entirely. However, the most common solution for those worried
about security risks is to leave the Java Runtime Environment in place on the
desktop while disabling the browser plugins that allow Java applets to run on
Web sites. Those plugins are often vulnerable to attacks involving remote code
execution. Source: http://arstechnica.com/information-technology/2012/10/java-still-has-a-crucial-role-to-play-despite-security-risks/
34. October 22, U.S. Federal Trade Commission – (International) Tracking
software company settles FTC charges that it deceived consumers and failed to
safeguard sensitive data it collected. Web analytics firm Compete Inc. agreed to
settle Federal Trade Commission (FTC) charges that it violated federal law by
using its Web-tracking software that collected personal data without disclosing
the extent of the information that it was collecting. The company also
allegedly failed to honor promises it made to protect the personal data it
collected. Compete is a company that uses tracking software to collect data on
the browsing behavior of millions of consumers, then uses the data to generate
reports, which it sells to clients who want to improve their website traffic
and sales. The proposed settlement will require that Compete obtain consumers’
express consent before collecting any data from Compete software downloaded
onto consumers’ computers, that the company delete or anonymize the consumer
data it has already collected, and that it provide directions to
consumers for uninstalling its software. Source: http://www.ftc.gov/opa/2012/10/compete.shtm
Communications Sector
35. October 22, Forbes – (International) Amazon AWS goes down again, takes Reddit with it. On October 22, several Web sites
that use Amazon’s AWS cloud-computing service for hosting, including Reddit,
Coursera, Flipboard, FastCompany, Foursquare, Netflix, Pinterest, Airbnb, and
more, were down as it experienced “degraded performance for a small number of
EBS volumes in a single Availability Zone” in the northern Virginia zone. When
problems began Amazon reported, “we are currently investigating degraded
performance for a small number of EBS volumes in a single Availability Zone in
the US-EAST-1 Region.” Then, about an hour later, the company updated its
Service Health Dashboard: “We can confirm degraded performance for a small
number of EBS volumes in a single Availability Zone in the US-EAST-1 Region.
Instances using affected EBS volumes will also experience degraded
performance.” Amazon updated their customers throughout October 22, before
finally stating “we are continuing to restore impaired volumes and their
attached instances.” While some Web sites, such as Reddit, were back up October
22, others that rely on AWS were reportedly still experiencing problems.
Source: http://www.forbes.com/sites/kellyclay/2012/10/22/amazon-aws-goes-down-again-takes-reddit-with-it/
36. October 22, Threatpost – (International) HackRF Jawbreaker could bring low-cost wireless hacking to
the masses. A researcher created a new radio called HackRF that is a kind
of all-in-one hacker’s dream with functionality to intercept and reverse-
engineer traffic from a wide range of frequencies and sources. HackRF is the
work of a researcher from Great Scott Gadgets, and the idea behind the project
was to build a multipurpose transceiver that a user could attach to his
computer and use as a “software-defined radio.” He released the hardware
specifications and the software for the radio, called HackRF Jawbreaker, on
Github. The device has the ability to transmit and receive over a wide range of
frequencies, covering a huge number of commercial devices. Source: http://threatpost.com/en_us/blogs/hackrf-jawbreaker-could-bring-low-cost-wireless-hacking-masses-102212
Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information
About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport
Contact Information
Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314
Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.
Contact DHS
To report physical infrastructure incidents or to request information, please contact the National Infrastructure
To report cyber infrastructure incidents or to request information, please contact US-CERT at soc@us-cert.gov or visit their Web page at www.us-cert.gov.
Department of Homeland Security Disclaimer
The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.