Monday, December 3, 2012

Daily Report

Top Stories

      A freight train derailment resulted in a chemical spill November 30 in Paulsboro, New Jersey, sending dozens of people to area hospitals. CBS News

8. November 30, CBS News (New Jersey) Freight train derails, spills chemicals in Paulsboro, NJ. A freight train derailment resulted in a chemical spill November 30 in Paulsboro, New Jersey, sending dozens of people to area hospitals. Officials said a Conrail freight train derailed over Mantua Creek, leaking a chemical called vinyl chloride. Three cars overturned into the creek and one was compromised. HAZMAT crews responded and limited evacuations were ordered. An environmental company sent by CSX responded to place booms in the creek, and the Gloucester County HAZMAT Team and a HAZMAT Team from PRC Refinery were doing metering and monitoring. A Paulsboro public information officer said that all of the vinyl chloride in the compromised car had dissipated and Conrail put together a plan of attack that includes crews working on the ground and via barge with a crane. Officials said it appeared the cars derailed when the bridge they were traveling over buckled. This is not the first time the bridge has failed. In 2009, it collapsed and had to be rebuilt. The County Office of Emergency Management issued a shelter-in-place activation, and school children were sheltered in place in Paulsboro, East Greenwich, and West Deptford. Shelter for displaced residents was set up at a high school. Rescue units were dispatched to the scene after numerous people complained of respiratory problems. A total of 66 people, including some children, sought treatment at a hospital in Woodbury. Vinyl chloride is used in the making of plastics, according to a professor of environmental engineering at Drexel University. He said that in the short term, the danger is that the chemical gets into the air and causes irritation to people. "Irritation to both the respiratory tract and eye irritation, (and) perhaps some short-term breathing problems," he told KYW 1060 AM Philadelphia. In the long term, he said, vinyl chloride is known to cause cancer. The National Transportation Safety Board had taken over the investigation. Source:

      In the month since Hurricane Sandy, hundreds of millions of gallons of raw and partially-raw sewage from Bay Park and other treatment plants have flowed into waterways in New York and New Jersey, exposing flaws in the region's wastewater infrastructure that could take several years and billions of dollars to fix, the New York Times reported November 29. New York Times

17. November 29, New York Times (New Jersey; New York) Sewage flows after Hurricane Sandy exposing flaws in system. In the month since Hurricane Sandy, hundreds of millions of gallons of raw and partially-raw sewage from Bay Park and other treatment plants have flowed into waterways in New York and New Jersey, exposing flaws in the region's wastewater infrastructure that could take several years and billions of dollars to fix, the New York Times reported November 29. In New York alone, the governor estimated that about $1.1 billion will be needed to repair treatment plants. Motors and electrical equipment would have to be raised above newly established flood levels, and circuitry must be made waterproof. Dams and levees may have to be built at some treatment plants to keep the rising waters at bay, experts explained. In New Jersey, workers at the Passaic Valley Sewerage Commission plant evacuated as floodwaters surged in and wastewater gushed out. The Middlesex County Utility Authority plant in Sayreville, New Jersey, let about 75 million gallons of raw sewage a day flow into Raritan Bay for nearly a week before power was restored, said a spokesman for the New Jersey Environmental Protection Department. Operations at both plants have not yet been fully restored. Source: ows-after-hurricane-sandy-exposing-flaws-in-system.html?ref=nyregion&_r=0

      The man who faced federal charges of placing mercury in food and other locations at the Albany Medical Center pleaded guilty in U.S. District Court in Albany, New York, the Mid-Hudson News Network reported November 30. Mid-Hudson News Network

22. November 30, Mid-Hudson News Network (New York) Ulster man pleads guilty to using mercury as chemical weapon in hospital. The man who faced federal charges that he placed mercury in food and other locations at Albany Medical Center pleaded guilty in U.S. District Court in Albany, New York, to the three-count indictment against him, the Mid-Hudson News Network reported November 30. He had been a licensed pharmacist for 36 years and knew of the dangers of the chemical, authorities said. He admitted that after he wrote to the hospital expressing his concern about having to pay for medical care, he spread 1 to 2 pounds of the toxic chemical, which can kill human nerve cells and cause serious bodily injuries, in a basement area, outside the post-operative care unit, at the triage window in the emergency room, in the tracks to the door of the center elevator in one building, and in food in the hospital cafeteria. As part of his plea agreement, he will have to pay Albany Med over $200,000 in restitution and pay restitution to the U.S. government for expenses incurred relating to the seizure, storage, handling, transportation, and destruction of property seized in connection with the investigation of the mercury contamination. Source:

      The names and addresses of approximately 1,500 patients who received emergency medical services from California's El Centro Fire Department were stolen, the city announced November 29. El Centro Imperial Valley Press

33. November 29, El Centro Imperial Valley Press (California) 1,500 emergency patient records stolen. The names and addresses of approximately 1,500 patients who received emergency medical services from California's El Centro Fire Department were stolen, the city announced November 29. The city's announcement comes a day after El Centro Regional Medical Center revealed that it was defrauded out of hundreds of thousands of X-ray files that were stolen for their silver. "It wasn’t a breach here, it was a breach at a contractor," the city manager said, adding the information in question was stolen from ADPI-Intermedix, a billing contractor responsible for collecting emergency medical services fees. The theft included ambulance data from the fire departments of Corona, Los Angeles, and Berkeley, according to an ADPI press release. The company learned about the security breach October 1. The press release notes some of the information stolen was disclosed to a theft ring suspected of filing fraudulent federal tax returns with the Internal Revenue Service. Authorities identified the employee who admitted to the crime. Though a company investigation revealed that in certain instances the disclosure of personal information included social security numbers, names, and dates of birth, no medical information was accessed or disclosed. In the next few days affected patients will start receiving letters of notification. The city manager noted that the information stolen from El Centro patients "are from 2006 to 2012, but have a lower likelihood that anyone is going to be able to use it, because we don’t provide date of birth or Social Security numbers some cities do." Source: ,0,7944900.story

Banking and Finance Sector

3. November 30, The Register (International) Crooks inject malicious Java applet into FOREX trading website. FOREX trading Web site Trading Forex was contaminated with a malicious Java applet that is designed to install malware on the systems of visiting surfers, The Register reported November 30. The Web site remained contaminated as of mid-day November 29, according to Websense, the Web security firm that detected the attack. The backdoor planted on Trading Forex is written in Visual Basic.Net and requires Microsoft's .NET framework to be successfully installed and running on a victim's computer. "It's important to note that there was no exploit involved in this attack but rather a social engineering trick that requires the victim's involvement - if successful it will allow a backdoor Trojan to run on the victim's machine," a senior security researcher at Websense stated. A senior security research manager added: "This injection could deposit malware to the users of this site, possibly opening them up to data stealing. We’re also seeing typosquatting being used here, perhaps ready for a future attack." Source:

4. November 30, Washington Post (Virginia) Fairfax County police find ATM skimmers at hospitals. Fairfax County, Virginia, police are investigating skimmers that were found attached to two automated teller machines at Fairfax hospitals, the Washington Post reported November 30. Authorities said the devices may have been in place for weeks. They are urging people who may have used the machines to check their financial statements. The devices were found November 27 at an ATM near the lobby gift shop of the Inova Fairfax Hospital Cardiac Care Center and November 28 at an ATM next to the cafeteria at Inova Fair Oaks Hospital. Police said that in one case, a hospital employee found the skimmer when she tried to insert her ATM card and the device fell off the machine. Police said a hospital security guard found the other skimmer. The ATM at the cardiac-care facility was also targeted by a skimmer device in August and September, authorities said.

5. November 30, Help Net Security (International) Aggressive worm infection leads to banking Trojan infection. Sophos warned that an aggressive variant of the VBNA-X autorun worm is finding its way onto users' computers, preparing them for further malicious downloads, Help Net Security reported November 30. W32/VBNA-X is a worm, but also exhibits characteristics typically found in a Trojan. "Its most obvious method of spreading appears to be through the use of autorun.inf files dropped on removable media and writable network shares," a Sophos researcher shared. Still, there are many who have already disabled the Autorun/Autoplay option but still get infected, as the worm hides legitimate folders and file extensions, creates copies of itself named Porn.exe, Sexy.exe, Passwords.exe, and Secret.exe, and uses standard Windows 7 icons for them. The worm is capable of adding registry keys to make itself run every time the infected machine boots up, and some variants can also disable Windows Update. The new variant contacts a C&C server to receive instructions and downloads additional malicious payloads. In the instances investigated by Sophos, that payload was a Zeus Trojan variant, but that can change in the future.

6. November 29, Reuters (National) Two charged with insider trading over 2009 IBM deal. Two former stock brokers at a Connecticut financial services company were charged with criminal insider trading November 29 over a 2009 acquisition by computer giant IBM Corp. U.S. authorities said the two men and three unnamed colleagues made more than $1 million in illicit gains by trading in shares of SPSS Inc before IBM agreed to buy the Chicago-based software company for $1.2 billion in 2009. Prosecutors said the scheme got its start with a tip from an associate at the New York law firm that represented IBM in the transaction. One man is a lawyer living in Denver, while the other lives in Baltimore. At the time of the alleged insider trading, both were employed at Euro Pacific Capital Inc, a Westport, Connecticut-based firm, according to the Financial Industry Regulatory Authority. Both were arrested by the FBI November 29 and charged with three criminal counts of securities fraud and one criminal count of conspiracy. Source: idUSL1E8MTAIG20121129

7. November 29, Reuters (International) Swedish stock futures market problem caused by mega-order glitch. An hours-long halt of trade in Swedish OMXS30 stock index futures and options was caused by a technical bug which made it seem like an order worth trillions of dollars was made when it had not been, a bourse spokesman said November 29. The market for trade in index futures and options was halted November 28 for about 4 hours. All other markets functioned as normal and the futures market was back to business November 29. The futures and options market halt came after an order was entered in the system which was wrongly treated as a negative quantity. The system does not normally handle negative values and incorrectly interpreted it as an order for about 4 billion contracts on the December futures contract on the OMXS30 index, which was worth about 107,000 crowns per contract, said a Nasdaq OMX spokesman. That gave a theoretical order value of about 428 trillion crowns ($64.1 trillion).
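The item above describes a negative quantity that the system "does not normally handle" turning into an order for about 4 billion contracts. The following Python is an added illustration, not code from Nasdaq OMX or from the report: it assumes (the report does not say how the misinterpretation happened) that a signed 32-bit quantity was read back as unsigned, which is one common way a small negative number lands near 2**32, and pairs that with the kind of input validation that keeps such a value from ever reaching a matching engine. `MAX_QUANTITY` is an assumed limit for the illustration; the 107,000 crowns per contract is the figure quoted in the item.

```python
import struct
from dataclasses import dataclass

# Per-contract value of the December OMXS30 future as quoted in the report.
CONTRACT_VALUE_SEK = 107_000
# Assumed per-order quantity limit for this illustration (not a Nasdaq OMX figure).
MAX_QUANTITY = 10_000


def reinterpret_as_unsigned32(quantity: int) -> int:
    """Pack a signed 32-bit quantity and read it back as unsigned.

    Models one plausible mechanism (an assumption, not the report's finding):
    a small negative number wraps to a value near 2**32, i.e. roughly four
    billion, which is the order size the report describes.
    """
    return struct.unpack("<I", struct.pack("<i", quantity))[0]


def notional_sek(quantity: int, per_contract: int = CONTRACT_VALUE_SEK) -> int:
    """Theoretical order value: contracts times per-contract value."""
    return quantity * per_contract


@dataclass(frozen=True)
class Order:
    contract: str
    quantity: int


def validate_order(order: Order, max_quantity: int = MAX_QUANTITY) -> int:
    """Reject quantities the system is not designed to handle, before they
    reach the matching engine. Returns the notional value on success."""
    qty = order.quantity
    if isinstance(qty, bool) or not isinstance(qty, int):
        raise ValueError(f"{order.contract}: quantity must be an integer")
    if qty <= 0:
        raise ValueError(f"{order.contract}: quantity must be positive, got {qty}")
    if qty > max_quantity:
        raise ValueError(f"{order.contract}: quantity {qty} exceeds limit {max_quantity}")
    return notional_sek(qty)


def order_accepted(order: Order, max_quantity: int = MAX_QUANTITY) -> bool:
    """Convenience wrapper: True if validate_order would let the order through."""
    try:
        validate_order(order, max_quantity)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    wrapped = reinterpret_as_unsigned32(-1)
    print(f"-1 read as unsigned 32-bit: {wrapped:,} contracts")
    print(f"implied notional: {notional_sek(wrapped):,} SEK")
    for q in (10, -1, wrapped):
        order = Order("OMXS30 Dec", q)
        try:
            print(q, "->", validate_order(order), "SEK")
        except ValueError as err:
            print("rejected:", err)
```

The point of the validator is that the sign and range checks run on the quantity as submitted, before any conversion to the engine's internal representation; once a value has been reinterpreted, every downstream check sees a plausible-looking positive number.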

Information Technology Sector

34. November 30, Help Net Security (International) Shylock’s new trick for evading malware researchers. The Shylock financial malware platform continues to evolve in order to bypass new defensive technologies put in place by financial institutions and enterprises. While analyzing a recent Shylock dropper, Trusteer noticed a new trick it uses to evade detection. Namely, it can identify and avoid remote desktop environments, a setup commonly used by researchers when analyzing malware. The latest Shylock dropper detects a remote desktop environment by feeding invalid data into a certain routine and then observing the error code returned. It uses this return code to differentiate between normal desktops and other lab environments. In particular, when executed from a remote desktop session the return code will be different and Shylock will not install. It is possible to use this method to identify other known or proprietary virtual/sandbox environments as well.

35. November 30, The H (International) Email hacks router. A whole range of Arcor, Asus, and TP-Link routers are vulnerable to being reconfigured remotely without authorization. A security researcher demonstrates that just displaying an email within the router's own network can have far-reaching consequences: when opened, his specially crafted test email reconfigures the wireless router so that it redirects the user's internet data traffic. The attack uses the Cross-Site Request Forgery (CSRF) technique. The researcher embedded images whose source URL (src=) points to the router's default IP address (often in his HTML test email. The URL contains parameters that instruct the router's Web interface to modify the Domain Name System (DNS) server configuration. As the URL also contains the admin password for the Web interface, the attack will only be successful if the user has left the default password unchanged. The security researcher says that attacks are successful on devices such as Arcor's EasyBox A 600. When displaying the email, the email client will attempt to retrieve the embedded picture from this URL. The router, however, will interpret the parameters as an instruction from the user to configure a different DNS server. Once the changes have been made, any DNS queries will be handled by the configured DNS server, which is controlled by the attacker. From then on, the sender of the email can freely direct the user to arbitrary Web servers.
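The mechanism above is an HTML email whose image source points at a LAN address and carries configuration parameters. A mail gateway or client-side filter can spot exactly that shape before the image is fetched. The following Python is an added example written for this report, not the researcher's code and not tied to any vendor: it parses the `<img src=...>` references in a message body, flags those whose host is a literal private, loopback or link-local address, and notes whether the query string names DNS or credential fields. `SENSITIVE_PARAMS` is an assumed keyword list, and `SAMPLE_EMAIL` is a constructed message using documentation-range addresses.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs
import ipaddress

# Parameter names that commonly appear in device configuration URLs.
# Assumed keyword list for this example, not taken from any vendor's interface.
SENSITIVE_PARAMS = {"dns", "dns1", "dns2", "dnsserver", "password", "passwd", "pwd", "admin"}


class _ImageSources(HTMLParser):
    """Collect every <img src=...> value in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def _non_routable(host: str) -> bool:
    """True for literal IPs in private, loopback or link-local ranges.

    Hostnames are left alone here; resolving them from a gateway would
    itself leak information, so only address literals are judged.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def suspicious_images(html_body: str) -> list[dict]:
    """Return one finding per image that a mail client would fetch from a
    non-routable address, with the reasons it was flagged."""
    parser = _ImageSources()
    parser.feed(html_body)
    findings = []
    for src in parser.sources:
        parts = urlsplit(src)
        host = parts.hostname
        if not host or not _non_routable(host):
            continue
        params = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
        reasons = ["image fetched from a non-routable address"]
        if params:
            reasons.append("URL carries query parameters")
        if params & SENSITIVE_PARAMS:
            reasons.append("parameters name DNS or credential fields")
        findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


# Constructed sample message: an ordinary remote logo, a tracking-pixel-sized
# image whose source is a LAN address with configuration-style parameters,
# and an inline attachment reference that has no host at all.
SAMPLE_EMAIL = """<html><body>
<p>Your statement is ready.</p>
<img src="https://www.example.com/logo.png" alt="logo">
<img src="http://192.168.0.1/cgi-bin/config?dns1=203.0.113.5&amp;password=admin" width="1" height="1">
<img src="cid:image001.png@example">
</body></html>"""


if __name__ == "__main__":
    for finding in suspicious_images(SAMPLE_EMAIL):
        print(finding["host"], "<-", finding["src"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The check is deliberately narrow: a remote image from a public host is normal mail content, whereas an image the client would fetch from the recipient's own network segment has no legitimate reason to exist in a message from outside that network, and the presence of query parameters is what turns a fetch into a state-changing request. Blocking remote image loading by default in the mail client removes the vector entirely; this filter is for the case where images are allowed.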

36. November 29, Threatpost (International) Malicious browser add-on guides victims to phishing sites. Phishers are using a typosquatted domain name designed to mimic the URL of a popular e-commerce destination in order to lure their victims to a malicious Web site that prompts its visitors to download a malicious add-on that will guide users to phishing sites, even when they type legitimate URLs into their browser's address bar. According to a report written by a Symantec researcher, the campaign's primary motive is financial. The potential success of the attack is reliant on the consent of its victims. The malicious site can only prompt users to install the add-on. While not very advanced, the attack utilizes some interesting tactics. First, when users navigate to the malicious site, it determines their browser before prompting them to install the malicious add-on that will work with that browser. If a user allows the installation, the add-on goes into the Windows System32 directory and alters the hosts file. When a user enters a URL into their browser's address bar, the browser checks the local Domain Name System (DNS) information, located in the hosts file, before sending the DNS query. The hosts file is modified by the add-on so that the domain names of recognizable brands are assigned new IP addresses associated with phishing sites. In this way, when a user attempts to navigate to a benign Web site, they end up at the malicious phishing site associated with it. Symantec reports that the initial infection site that prompts users to download the malicious add-on is currently inactive. Source:

For more stories, see items 3 and 5 above in the Banking and Finance Sector

Communications Sector

Nothing to report

Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site:

Contact Information

Content and Suggestions: Send mail to or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List:     Send mail to

Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure
Coordinating Center at or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at or visit their Web page at v.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.