Thursday, November 8, 2012
Daily Report
Top Stories
• About 21,000 West Virginia homes and businesses
remained without power November 7 as utility crews continued restoring service
knocked out by the storm. However, officials in some places said a full
recovery will take months. – Associated Press
2. November 7, Associated Press – (West Virginia) FirstEnergy says about 21,000 W.Va. customers still without power;
Preston, Randolph have most. Life after Superstorm Sandy was slowly returning
to normal across West Virginia's hardest-hit counties November 7, but officials
in some places said a full recovery will take months. About 21,000 West
Virginia homes and businesses remained without power as utility crews continued
restoring service knocked out by the storm. Preston County reported nearly
6,000 customers without power, and Randolph County had more than 4,000
outages. The utility said it had about 3,000 outages in Upshur and about 2,000
in Barbour, but fewer than 2,000 apiece in Webster and Tucker counties.
Ohio-based FirstEnergy said it expected to return electricity to most customers
by November 9 and the remainder by the end of the weekend of November 10.
Schools remained closed in Preston and Webster counties, but a Preston emergency
management director said authorities were working with the school board in
hopes of getting buses back on the road the week of November 12. Source: http://www.therepublic.com/view/story/768ca6663e5b4e43990b7f79ad03516d/WV--Superstorm-Sandy-WVa
• American Airlines suspended most flights to
and from the New York area November 7 through November 8 as a winter storm
approached the northeast United States. Delta Air Lines Inc. also expected
canceled flights. – Bloomberg News
6. November 6, Bloomberg News – (New Jersey; New York) United, AMR to halt NYC-area flights tomorrow on storm. United
Continental Holdings Inc. and AMR Corp.’s American Airlines suspended most
flights to and from the New York area November 7 through November 8 as a winter
storm approached the northeast United States. About 500 flights will be
scrubbed as United pares service at its hub at New Jersey’s Newark Liberty
airport for 24 hours at midday, said a spokesman. American and its American
Eagle unit cut 290 flights. Delta Air Lines Inc. also expected to scrap some
flights, and Southwest Airlines Co. and US Airways Group Inc. were monitoring
the new storm, a spokesman said. The new storm was threatening the Northeast
after Hurricane Sandy forced about 20,000 cancellations the week of October 29.
Flooding along the coast was expected from Delaware north to Connecticut,
including New Jersey and Long Island, where tides may rise as much as 3 feet
above normal. Source: http://www.businessweek.com/news/2012-11-06/united-to-halt-nyc-area-flights-tomorrow-as-storm-nears
• Drinking water in one out of eight Denver
homes with lead plumbing may be contaminated with lead, test results revealed
November 7. Concentrations exceeded the federal drinking water standard by as
much as 3.8 times. – Denver Post
12. November 7, Denver Post – (Colorado) Denver detects lead in
tapwater, urges residents to limit exposure. Drinking water in one out of
eight Denver homes with lead plumbing may be contaminated with lead, a health
hazard that causes brain and nerve damage, especially in children, the Denver
Post reported November 7. This result from recent tests forced Denver Water to
warn residents and to take action to protect people. The lead concentrations
measured in samples from 60 homes exceeded the federal drinking water standard
of 15 parts per billion (ppb) by as much as 3.8 times. The 13 percent of Denver
homes that had high lead levels, up from 8 percent of homes in 2011, was the
highest percentage logged in 12 years, according to Denver Water data provided
to the Denver Post. The Environmental Protection Agency requires water
utilities to take action when required annual tests show more than 10 percent
of homes with lead pipes have water containing lead above 15 ppb. In November,
all 1.3 million metro residents served by Denver Water must be notified and
advised of precautions they can take. Source: http://www.denverpost.com/environment/ci_21942819/denver-detects-lead-tapwater-urges-residents-limit-exposure
• Scientists devised a virtual machine that
can extract private cryptographic keys stored on a separate virtual machine
when it resides on the same piece of hardware. This technique can be used to
pierce a key defense found in cloud environments. – Ars Technica. See item 24 below in the Information Technology Sector.
Details
Banking and Finance Sector
4. November 6, Tampa Bay Tribune – (Florida) Sarasota man admits role in mortgage fraud. A
Sarasota, Florida man pleaded guilty November 6 to conspiracy to commit bank
fraud that resulted in $6.8 million in losses for banks, according to a release
from a U.S. Attorney. From March 2003 through July 2008, the man
and others conspired to commit bank fraud, and he used several corporate
entities to perpetuate the fraud scheme, including Southeast Capital Advisors,
LLC. He marketed a "no money down" residential purchase program that
made loans to his clients, enabling them to make down payments on purchases of residential
properties. Then, he and his co-conspirators prepared and submitted fraudulent
mortgage loan applications to lenders for the clients. The applications also
usually overstated the clients' assets and understated their liabilities. Some
loan applications also included the fraudulent misrepresentation that the
clients intended to use the properties as their primary residences, when in
fact they were investment properties. Some of the loans on the residential
properties went into default, and the losses incurred by the lenders on 49 such
residential properties totaled $6.8 million, according to the release. Source: http://www2.tbo.com/news/breaking-news/2012/nov/06/sarasota-man-admits-role-in-mortgage-fraud-ar-556393/
5. November 6, KLAS 8 Las Vegas – (Nevada) Las Vegas man convicted of using stolen credit card
numbers. A federal jury November 5 convicted a Las Vegas man of felony
charges for unlawfully obtaining thousands of credit, debit, and gift card
numbers and using them to obtain cash and buy electronics, Nevada's U.S.
Attorney said. The man was convicted of 1 count of conspiracy, 4 counts of
possession of 15 or more counterfeit or unauthorized access devices, 1 count of
aggravated identity theft, and criminal forfeiture. According to the superseding
indictment and evidence presented by the government at trial, between May 2010
and April 2012 the man purchased stolen credit, debit, or gift card account
numbers from a person in Pakistan. He then used them to purchase items,
including electronics, which he later resold for his own benefit. He also
obtained thousands of pages of customer records, including credit card numbers,
that were stolen from a hotel in Las Vegas. He used computer software to
predict gift card numbers issued by card companies. He then spent the money on
the gift cards before the owners could use them. Source: http://www.8newsnow.com/story/20021244/las-vegas-man-convicted-of-using-stolen-credit-card-numbers
Information Technology Sector
20. November 7, Softpedia – (International) Malware uses password recovery app to extract
credentials stored in browser. Most malware designed to steal user
credentials logs keystrokes in order to collect the information.
However, a new threat called PASSTEAL (TSPY_PASSTEAL.A) relies on a password
recovery application to accomplish the task. According to Trend Micro
researchers, the malware collects the information stored in the Web browser by
sniffing out accounts from different online services and apps. The sample
analyzed by the security firm contains the PasswordFox app designed to work
with Firefox. “In effect, the password recovery tool enables PASSTEAL to
acquire all login credentials stored in the browser - even from websites using
secured connections (SSL or HTTPS),” a threat response engineer at Trend Micro
explained. “Some sites that use this connection include Facebook, Twitter, Pinterest,
Tumblr, Google, Yahoo, Microsoft, Amazon, EBay, Dropbox, and online banking
sites. PASSTEAL also doesn't restrict itself to browser applications. Certain
variants are designed to log information from applications such as Steam and
JDownloader.” After it extracts the data, the malicious element executes a
command to save all the information into a .xml file. Based on this .xml file,
a text (.txt) file is also created. Once all the information is gathered, the
malware connects to a remote FTP server and uploads the files. Source: http://news.softpedia.com/news/Malware-Uses-Password-Recovery-App-to-Extract-Credentials-Stored-in-Browser-305103.shtml
21. November 7, Computerworld – (International) Adobe, now 'married' to Microsoft, moves
Flash updates to Patch Tuesday. November 6, Adobe announced that it will
pair future security updates for its popular Flash Player with Microsoft's
Patch Tuesday schedule. At the same time, Adobe issued an update that patched
seven critical Flash vulnerabilities, and Microsoft shipped fixes for Internet
Explorer 10 (IE10), which includes an embedded copy of Flash. However, the move
to synchronize Flash Player updates with Microsoft's monthly patch schedule was
the bigger news. "Starting with the next Flash Player security update, we
plan to release regularly-scheduled security updates for Flash Player on 'Patch
Tuesdays,'" Adobe said. Source: http://www.computerworld.com/s/article/9233342/Adobe_now_married_to_Microsoft_moves_Flash_updates_to_Patch_Tuesday
22. November 7, The H – (International) Chrome 23 closes holes, promises longer
battery life. Version 23 of Chrome addresses 15 security vulnerabilities in
the browser, 6 of which are rated as "high severity." These include
high-risk use-after-free problems in video layout and in SVG filter handling,
an integer bounds check issue in GPU command buffers, and a memory corruption
flaw in texture handling; a Mac-only problem related to wild writes in buggy
graphics drivers was also fixed. Eight medium-severity flaws, including an
integer overflow that could lead to an out-of-bounds read in WebP handling, as
well as a low-risk flaw, were also corrected. Source: http://www.h-online.com/security/news/item/Chrome-23-closes-holes-promises-longer-battery-life-1744972.html
23. November 7, The H – (International) Security updates for Flash and Air. November
7, Adobe released new versions of its Flash Player to eliminate a number of
critical vulnerabilities. The vulnerabilities were associated with several CVE
numbers: CVE-2012-5274, CVE-2012-5275, CVE-2012-5276, CVE-2012-5277, and
CVE-2012-5280 are buffer overflows, CVE-2012-5279 is a memory corruption issue,
and CVE-2012-5278 is a security bypass, all of which are listed as potentially
allowing an attacker to inject malicious code into the system. All the flaws
were discovered by members of the Google Security Team. Google Chrome's
embedded Flash Player was updated in the update of Google Chrome to version 23,
also released November 7. Flash Player for Windows 8 was also delivered
automatically to all users. Adobe updated its AIR runtime, which includes
Flash Player and the associated development kits. Version 3.5.0.600 is now the
current version on all platforms. Source: http://www.h-online.com/security/news/item/Security-updates-for-Flash-and-Air-1744946.html
24. November 6, Ars Technica – (International) Virtual machine used to steal crypto keys
from other VM on same server. Piercing a key defense found in cloud
environments such as Amazon's EC2 service, scientists devised a virtual machine
that can extract private cryptographic keys stored on a separate virtual
machine when it resides on the same piece of hardware. The technique, unveiled
in a research paper published by computer scientists from the University of
North Carolina, the University of Wisconsin, and RSA Laboratories, took several
hours to recover the private key for a 4096-bit ElGamal-generated public key
using the libgcrypt v.1.5.0 cryptographic library. The attack relied on
"side-channel analysis," in which attackers crack a private key by
studying the electromagnetic emanations, data caches, or other manifestations
of the targeted cryptographic system. Source: http://arstechnica.com/security/2012/11/crypto-keys-stolen-from-virtual-machine/
Communications Sector
25. November 7, Associated Press – (National) AT&T, govt reach deal on data plan complaints. AT&T
agreed to pay the federal government $700,000 and offer refunds to customers
for mistakenly forcing some smartphone users into monthly data plans, the
Associated Press reported November 7. In late 2009, AT&T began to require
new smartphone customers to subscribe to monthly data plans. Existing
subscribers with pay-per-use plans or no plan at all had to get a monthly plan
when they upgraded to a new smartphone. The requirement was not supposed to
apply when subscribers replaced a lost or broken phone through an insurance
program or warranty, or if they moved to a different AT&T service area.
However, a computer error moved those customers into monthly plans anyway.
AT&T Inc. now must offer to restore the older plans and give refunds, which
the Federal Communications Commission said could be up to $30 a month. Source: http://www.sfgate.com/business/technology/article/AT-T-govt-reach-deal-on-data-plan-complaints-4015891.php
Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information
About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport
Contact Information
Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314
Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.
Contact DHS
To report physical infrastructure incidents or to request information, please contact the National Infrastructure
To report cyber infrastructure incidents or to request information, please contact US-CERT at soc@us-cert.gov or visit their Web page at www.us-cert.gov.
Department of Homeland Security Disclaimer
The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.