Monday, September 24, 2012
Daily Report
Top Stories
• A federal cybersecurity team issued a warning
to customers of ORing Industrial Networking control devices about a serious
vulnerability that exposes their organizations to cyberattacks. – Softpedia
1. September 21, Softpedia – (International) Flawed ORing networking devices expose oil and gas companies
to cyberattacks. DHS’ Industrial Control Systems Cyber Emergency Response
Team (ICS-CERT) issued an advisory to warn customers of ORing Industrial
Networking devices of a serious vulnerability that exposes their organizations
to cyberattacks, Softpedia reported September 21. A remote attacker who knows
the hard-coded credentials can exploit the affected product by logging into the
device with administrative privileges. This gives him/her permission to change
the system’s settings, and even read and write files. “An attacker can log into
the operating system of the device using an SSH connection with the root credentials
to gain administrative access. Once the attacker gains access to the device,
the file system and settings can be accessed, which could result in a loss of
availability, integrity and confidentiality,” ICS-CERT reports. The products
susceptible to such attacks are industrial serial device servers and they are
used for SCADA systems. Source: http://news.softpedia.com/news/Flawed-ORing-Networking-Devices-Expose-Oil-and-Gas-Companies-to-Cyberattacks-293994.shtml
• Dell SecureWorks researchers discovered a
cyber espionage campaign targeting several large companies, including two in
the energy sector. – ComputerWeekly.com
4. September 20, ComputerWeekly.com – (International) Dell SecureWorks uncovers cyber espionage targeting energy firms. Dell SecureWorks
researchers discovered a cyber espionage campaign targeting several large
companies, including two in the energy sector, ComputerWeekly.com reported
September 20. The campaign, dubbed Mirage, targeted an oil company in the
Philippines, an energy firm in Canada, a military organization in Taiwan and
other unidentified targets in Brazil, Israel, Egypt, and Nigeria. This is the
second cyber espionage campaign to be uncovered during 2012 by the Counter
Threat Unit of security firm Dell SecureWorks. The first campaign, dubbed Sin
Digoo, targeted several petroleum companies in Vietnam, government ministries
in different countries, an embassy, a nuclear safety agency, and other business
related groups. The Dell SecureWorks researchers believe either the same group
is behind both campaigns, or whoever is responsible for Mirage is working
closely with those behind Sin Digoo. Source: http://www.computerweekly.com/news/2240163620/Dell-SecureWorks-uncovers-cyber-espionage-targeting-energy-firms
• Heavy rain and strong winds hammered Mat-Su
Borough, Alaska, prompting many flood advisories and road closures, including
an incident where 10 people were rescued in Wasilla. – KTUU 2 Anchorage
17. September 20, KTUU 2 Anchorage – (Alaska) Mat-Su floods, road closures: 10 people rescued in Wasilla. Heavy
rain and strong winds continued to hit the Mat-Su Borough prompting many flood
advisories and road closures, including an incident where 10 people were
rescued in Wasilla, Alaska, September 20. A flash flood swept through a
neighborhood off of Lucille Street and Marilyn Circle. Residents of the house
with the most flooding said the water rose so fast that by the time they pulled
out of their driveway, the water was waist deep. People who lived in the four
other homes were rescued by emergency responders who rafted them to safety. Mat-Su
Borough officials said Shorty Road and Welch Road were closed. It said rock
slides increased between Miles 77 and 79 on the Glenn Highway, west of where it
crosses the Chickaloon River. Borough officials noted that Talkeetna, Beaver,
and Mercedes roads were flooded, and in East Talkeetna, people were instructed
to evacuate immediately at the north end of Beaver Road. Three shelters opened
overnight, according to the American Red Cross of Alaska. Source: http://articles.ktuu.com/2012-09-20/mat-su-borough_33984261
• A brawl at a Tucson, Arizona prison
involving 200 inmates seriously injured 3 inmates, and hurt 8 other prisoners,
and 3 corrections officers. – Associated Press
33. September 21, Associated Press – (Arizona) Fight involving 200 at Ariz. prison leaves 14 hurt. Two or
three corrections officers were among those treated after a fight broke out
among 200 black and Hispanic inmates at a State prison complex in Tucson,
Arizona, September 20. The brawl broke out in a recreation yard at the prison’s
Santa Rita unit, an Arizona Department of Corrections spokesman said. It was
broken up by a prison tactical force using pepper spray and “minimal force”
within a half hour, the spokesman said. One of the inmates was in critical
condition September 21, a hospital spokesman said, and two others were in the
intensive care unit in serious condition. The hospital treated and released
three prison guards. The corrections spokesman said the melee injured two
officers and 11 inmates. The prison has 5,150 beds and the unit where the fight
broke out houses 727 inmates. Source: http://www.charlotteobserver.com/2012/09/21/3545307/scores-of-inmates-fight-at-ariz.html
• Wildfires in central Washington merged and
tripled in size to more than 47 square miles, as thousands of firefighters
struggled to contain blazes that forced evacuations of hundreds of homes. – Associated Press
48. September 21, Associated Press – (Washington) Heat, winds, low moisture make Wash. fires grow. Wildfires
in central Washington merged and tripled in size to more than 47 square miles,
due to a combination of warm temperatures, winds, very low humidity, and low
moisture in the vegetation, the Associated Press reported September 21. The
Table Mountain blaze was being fought by more than 750 firefighters and was 5
percent contained by late September 20, fire managers said. It had not burned
any homes, but 161 homes north of Ellensburg and in the Liberty area are under
a Level 3 evacuation, meaning residents are urged to leave, a Kittitas County
sheriff said. The Table Mountain Complex was one of several wildfires burning
on the eastern slopes of the Cascade Range. The largest, the Wenatchee Complex,
had grown to about 65 square miles. It was 24 percent contained and was being
fought by more than 2,000 firefighters. The fires were blanketing eastern
Washington with smoke forcing the relocation of school and college sporting
events, and dry conditions led the State to issue restrictions on logging and
other industrial activities. All together, the fires had covered more than 108
square miles as of late September 20, and hundreds of people had been evacuated
from their homes. Source: http://seattletimes.com/html/localnews/2019221019_apwawashwildfires.html
Details
Banking and Finance Sector
13. September 20, U.S. Securities and Exchange Commission –
(International) SEC freezes assets of insider trader in Burger King stock. The
Securities and Exchange Commission (SEC) September 20 obtained an emergency
court order to freeze the assets of a stockbroker who used nonpublic
information from a customer and engaged in insider trading ahead of Burger
King’s announcement it was being acquired by a New York private equity firm.
The SEC alleges the stockbroker, a citizen of Brazil who was working for Wells
Fargo in Miami, learned about the impending acquisition from a brokerage
customer who invested at least $50 million in a fund managed by private equity
firm 3G Capital Partners Ltd. and used to acquire Burger King in 2010. The
broker misused the confidential data to illegally trade in Burger King stock
for $175,000 in illicit profits, and he tipped others living in Brazil and
elsewhere who also traded on the information. The SEC obtained an asset freeze.
It took the emergency action to prevent the broker from transferring his assets
outside of U.S. jurisdiction. He recently abandoned his most current job at
Morgan Stanley Smith Barney, put his Miami home up for sale, and began
transferring all of his assets out of the country. Source: http://www.sec.gov/news/press/2012/2012-195.htm
14. September 20, Associated Press – (Oregon) SEC
files fraud charges against Ore. fund manager. The Securities and Exchange
Commission (SEC) September 20 filed fraud charges against an Oregon man accused
of running a Ponzi scheme that raised more than $37 million. The SEC alleges
that the man from Grifphon Asset Management in Lake Oswego falsely boasted of
double-digit returns to lure more than 100 people to invest their money in
hedge funds he managed. He then used money to pay off earlier investors and pay
for his personal expenses and travel. The complaint filed in federal court
claims little of the money was invested. He allegedly created phony assets and
sent bogus account statements to investors. Source: http://www.sfgate.com/news/article/SEC-files-fraud-charges-against-Ore-fund-manager-3881299.php
Information Technology Sector
36. September 21, The H – (International) Apple closes security holes in Mac OS X and
Safari. Apple released updates for versions 10.6 (Snow Leopard), 10.7
(Lion), and 10.8 (Mountain Lion) of its Mac OS X operating system that close
many critical security holes. Mac OS X 10.8.2, 10.7.5, and Security Update
2012-004 for Mac OS X 10.6.8 address a wide range of vulnerabilities. These
include information disclosure and denial-of-service (DoS) problems, bugs in
the sandbox that could allow malware to bypass restrictions, memory corruption
bugs, and buffer and integer overflows. According to Apple, many of these could
be exploited by an attacker to cause unexpected application termination or
arbitrary code execution. Among the changes in the updates are new versions of
Apache, the BIND DNS server, International Components for Unicode, the kernel,
Mail.app, PHP, Ruby, and the QuickTime media player, all of which correct
security problems. Apple also released an update to its Safari Web browser,
version 6.0.1 that addresses multiple information disclosure vulnerabilities,
including one that could allow Autofill contact data to be sent to maliciously
crafted Web sites. The majority of the holes closed in Safari were memory
corruption bugs found in its WebKit browser engine that could, for example, be
exploited by an attacker to cause unexpected application termination or
arbitrary code execution. For an attack to be successful, a victim must first
visit a specially crafted Web site. Source: http://www.h-online.com/security/news/item/Apple-closes-security-holes-in-Mac-OS-X-and-Safari-1714236.html
37. September 21, The Register – (International) Microsoft issues emergency IE bug patch. Microsoft
released a patch that fixes five vulnerabilities, including the zero-day flaw
that is cracking Windows systems via the most common versions of Internet
Explorer (IE). The MS12-063 update provides a fix for the flaw, which is in use
by hackers against some companies. The patch also has four more flaw fixes,
which have not been spotted in the wild, said Microsoft. The flaw was rated as
critical or moderate risk, depending on which browser and operating system a
user is running, but would allow full remote code execution on systems running
IE 7, 8, and 9 running Adobe Flash on fully patched Windows XP, Vista, and 7
machines, using malware embedded in a Web page. The flaw was found by a
security researcher on an Italian hacking tools site, but there were reports it
has been used to distribute the Poison Ivy trojan by the same group that
exploited the Java zero-day flaw found in the last month. Source: http://www.theregister.co.uk/2012/09/21/microsoft_patches_zero_day_flaw/
38. September 20, Infosecurity – (International) IBM: Top threats include data breaches, BYOD,
browser exploits. When it comes to trends in security for 2012 so far, the
landscape has seen a sharp increase in browser-related exploits, like recent
ones for Internet Explorer and Java, along with renewed concerns around social
media password security and continued disparity in mobile devices and corporate
bring-your-own-device (BYOD) programs. That information comes from the IBM
X-Force 2012 Mid-Year Trend and Risk Report, which shows that a continuing
trend for attackers is to target individuals by directing them to a trusted URL
or site injected with malicious code. Through browser vulnerabilities, the attackers
are able to install malware on the target system. Further, the growth of SQL
injection, a technique used by attackers to access a database through a Web
site, is keeping pace with the increased usage of cross-site scripting and
directory traversal commands. Source: http://www.infosecurity-magazine.com/view/28370/ibm-top-threats-include-data-breaches-byod-browser-exploits
39. September 20, Government Computer News – (National) Energy lab
develops Sophia to help secure SCADA systems. New cybersecurity software
developed by an Energy Department lab specifically for utilities and other
industrial systems could be available as early as October. The Idaho National
Laboratory’s Sophia software sentry, funded by the Energy Department’s Office
of Electricity Delivery & Energy Reliability and DHS, passively monitors
networks to help operators detect intruders and other anomalies. Industrial
systems such as power plants have concentrated on physical security because
they were not connected to the Internet, but that has changed as operators have
added computer networks. Sophia is a tool to automate real-time monitoring on
static Supervisory Control and Data Acquisition (SCADA) system networks — those
with fairly fixed communications patterns. Anything out of the ordinary
triggers an alert. If the program detects suspicious activity, it alerts an
operator or network administrator, who can then decide if the activity is
threatening. Source: http://gcn.com/articles/2012/09/20/inl-sophia-industrial-control-system-security-tool.aspx
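The monitoring model described in item 39, a learned baseline of who talks to whom on a static control network and an alert on any deviation, is small enough to show in full. The code below is an added illustration written for this digest; it is not INL’s Sophia or any code from the article. It assumes flow records have already been extracted from a passive tap as (source IP, destination IP, protocol, destination port) tuples, and the records themselves are constructed samples.

```python
"""Passive baseline-and-deviation monitor for a static control network.

Added illustration, not INL's Sophia or any code from the article.  It assumes
flow records already extracted from a passive tap in the form
(src_ip, dst_ip, protocol, dst_port); the records below are constructed samples.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed flow records observed during a learning window.  On a static
# SCADA segment the same HMI -> PLC polling pairs repeat; that repetition is
# what the baseline captures.
LEARNING_FLOWS = [
    ("10.0.1.10", "10.0.2.21", "tcp", 502),   # HMI polling PLC A (Modbus/TCP)
    ("10.0.1.10", "10.0.2.22", "tcp", 502),   # HMI polling PLC B
    ("10.0.1.11", "10.0.2.21", "tcp", 502),   # historian polling PLC A
    ("10.0.2.21", "10.0.1.10", "tcp", 502),   # PLC A replies (reverse flow is its own tuple)
] * 50                                        # repeated observations over the window

# Constructed flow records from a later monitoring window.
MONITORING_FLOWS = [
    ("10.0.1.10", "10.0.2.21", "tcp", 502),   # known pair and service: no alert
    ("10.0.1.10", "10.0.2.22", "tcp", 502),   # known pair and service: no alert
    ("10.0.3.99", "10.0.2.21", "tcp", 502),   # never-seen host talking Modbus to PLC A
    ("10.0.1.10", "10.0.2.21", "tcp", 22),    # known pair, but SSH to a PLC is new
]


@dataclass(frozen=True)
class Alert:
    kind: str    # "new-host-pair" or "new-service"
    flow: tuple


def build_baseline(flows, min_observations=3):
    """Return the set of flow tuples seen at least min_observations times in
    the learning window.  Requiring repetition keeps a one-off event that
    happened to occur during learning from being baselined forever."""
    counts = Counter(flows)
    return {flow for flow, n in counts.items() if n >= min_observations}


def detect_anomalies(baseline, flows):
    """Flag every flow absent from the baseline, once per distinct flow.
    A host pair that has never talked is a "new-host-pair"; a known pair
    using a service it never used before is a "new-service"."""
    known_pairs = {(src, dst) for src, dst, _, _ in baseline}
    alerts = []
    seen = set()
    for flow in flows:
        if flow in baseline or flow in seen:
            continue
        seen.add(flow)                       # de-duplicate repeats in this window
        src, dst, _, _ = flow
        kind = "new-service" if (src, dst) in known_pairs else "new-host-pair"
        alerts.append(Alert(kind, flow))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(LEARNING_FLOWS)
    for alert in detect_anomalies(baseline, MONITORING_FLOWS):
        print(f"{alert.kind}: {alert.flow}")
```

The operator decision the article mentions is deliberately left outside the code: the detector only says that a flow was never seen during learning, and a person still has to decide whether a new host or a new service on a known pair is a maintenance laptop or an intruder. The approach only works as well as the learning window is clean, which is why it fits the “fairly fixed communications patterns” the article restricts it to.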
40. September 19, Technology Review – (International) Stuxnet tricks copied by
computer criminals. Experts indicate the techniques used in sophisticated,
state-backed malware are trickling down to less-skilled programmers who target
regular Web users and their online accounts or credit card details.
State-sponsored malware became widely known in 2010 with the discovery of
Stuxnet, a program targeted at Iranian industrial control systems. Since then,
several other very sophisticated malware packages have been discovered that are
also believed to have been made by governments or government contractors. These
packages include Duqu, exposed late in 2011, and Flame, found in May 2012. One
reason such malware is so effective is it tends to exploit previously unknown
software vulnerabilities, known as zero-days, in widely used programs such as
Microsoft Windows to gain control of a computer. A Kaspersky researcher said
those exploits can be quickly “copy-pasted” by other programmers, as happened
after the discovery of Stuxnet. More concerning is the way higher-level design
features are being picked up, he said. Source: http://www.technologyreview.com/news/429173/stuxnet-tricks-copied-by-computer-criminals/
For more stories, see items 1 and 4 above in
Top Stories and 41 and 42 below in the Communications Sector
Communications Sector
41. September 20, Atlanta Journal-Constitution – (Georgia) AT&T customers’ Internet service disrupted. Around 7,500
AT&T customers in northern Atlanta were without Internet service for
several hours September 20 after the company said it experienced a router
problem. A spokesman said it would take a few days to complete an assessment of
the problem, but it appeared it was caused by a defective card in a router. He
said only Internet service was affected and not mobile phone service. The chief
executive officer of L2Networks said the outage also affected other carriers’
ability to provide similar services, including Qwest, CenturyLink, Deltacom,
Earthlink, and many smaller telecommunication providers. Source: http://blogs.ajc.com/business-beat/2012/09/20/att-customers-internet-service-disrupted/
42. September 19, Computerworld – (National) Sprint says Virgin Mobile users are safe from account hijacks. Sprint
September 19 denied that subscribers of its Virgin Mobile subsidiary were wide
open to account hijacking attacks as claimed by an independent software
developer the week of September 17. In emailed comments, a Sprint spokeswoman
said the company has multiple safeguards to protect customer accounts from
intrusion and tampering by unauthorized users. She was responding to questions
that arose from a September 17 blog post by a developer. In it, he detailed how
the username and password system used by Virgin Mobile to let users access
their accounts online was inherently weak and open to abuse. Virgin forces
subscribers to use their phone numbers as their username and a six-digit number
as their password, he noted. The developer said he went public with his
discovery because Sprint did not fix the vulnerability after being told how
easy it was to exploit. He also noted in his blog that Virgin Mobile
subscribers had no easy way to mitigate any exposure to account hijacks. In response,
Sprint said it implemented a new procedure to lock out users from their
accounts after four failed attempts. The developer described that move as
ineffective because hackers could bypass it by making log-in attempts without
sending any cookie data with the requests. Source: http://www.computerworld.com/s/article/9231470/Sprint_says_Virgin_Mobile_users_are_safe_from_account_hijacks
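The last point in item 42 is a design lesson worth seeing in code: a lockout counter does no good unless it is keyed to the account being attacked rather than to state the client controls. The example below is added for this digest and is not Sprint’s or Virgin Mobile’s code. It assumes, as the article implies, that the ineffective lockout kept its failure count in a session identified by a cookie, and it contrasts that with a counter stored server-side per account. The user store and passwords are constructed.

```python
"""Lockout keyed to the account versus lockout keyed to a client cookie.

Added example, not Sprint's or Virgin Mobile's code.  Two toy login services
share one constructed user store; only the place the failure counter lives
differs.  login() takes an optional session cookie so a caller can mimic a
client that sends none.
"""
import hmac

# Constructed user store: username (the phone number) -> password.
# Hashed password storage is out of scope here; the point is the counter.
USERS = {"5550001234": "123456"}
MAX_FAILURES = 4                      # the threshold the article reports


class CookieKeyedLockout:
    """Weak design: the failure counter lives in the session the cookie names.
    A request with no cookie is given a fresh session with a zero counter, so
    the threshold is never reached."""

    def __init__(self):
        self._sessions = {}           # cookie -> failure count
        self._next_id = 0

    def login(self, username, password, cookie=None):
        if cookie is None:            # no cookie: mint a brand-new session
            self._next_id += 1
            cookie = f"sess{self._next_id}"
            self._sessions[cookie] = 0
        if self._sessions.get(cookie, 0) >= MAX_FAILURES:
            return "locked"
        if hmac.compare_digest(USERS.get(username, ""), password):
            self._sessions[cookie] = 0
            return "ok"
        self._sessions[cookie] = self._sessions.get(cookie, 0) + 1
        return "bad-credentials"


class AccountKeyedLockout:
    """Counter is stored server-side per account, so it accumulates across
    requests no matter what cookie, or lack of one, the client sends."""

    def __init__(self):
        self._failures = {}           # username -> failure count

    def login(self, username, password, cookie=None):
        if self._failures.get(username, 0) >= MAX_FAILURES:
            return "locked"           # even a correct password is refused now
        if hmac.compare_digest(USERS.get(username, ""), password):
            self._failures[username] = 0
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        return "bad-credentials"


def cookieless_attempts(service, username, wrong_passwords):
    """Verification harness: submit the given wrong guesses with no cookie and
    return the service's answers, so a reviewer can confirm which design locks."""
    return [service.login(username, pw) for pw in wrong_passwords]


# Constructed wrong guesses, one more than the threshold.
WRONG = ["000000", "000001", "000002", "000003", "000004"]

if __name__ == "__main__":
    print("cookie-keyed :", cookieless_attempts(CookieKeyedLockout(), "5550001234", WRONG))
    print("account-keyed:", cookieless_attempts(AccountKeyedLockout(), "5550001234", WRONG))
```

Run as a script, the cookie-keyed service answers “bad-credentials” five times and never locks, while the account-keyed service locks on the fifth attempt. A per-account lock introduces its own trade-off, since anyone who knows a phone number can lock the legitimate owner out; real deployments usually pair it with a time-limited lock or an additional per-source rate limit, which the article does not go into.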
Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information
About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport
Contact Information
Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS
Daily Report Team at (703)387-2314
Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.
Contact DHS
To report physical infrastructure incidents or to request information, please contact the National Infrastructure
To report cyber infrastructure incidents or to request information, please contact US-CERT at soc@us-cert.gov or visit their Web page at www.us-cert.gov.
Department of Homeland Security Disclaimer
The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.