Monday, September 24, 2012


Daily Report

Top Stories

 • A federal cybersecurity team issued a warning to customers of ORing Industrial Networking control devices about a serious vulnerability that exposes their organizations to cyberattacks. – Softpedia

1. September 21, Softpedia – (International) Flawed ORing networking devices expose oil and gas companies to cyberattacks. DHS’ Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory to warn customers of ORing Industrial Networking devices of a serious vulnerability that exposes their organizations to cyberattacks, Softpedia reported September 21. A remote attacker who knows the hard-coded credentials can exploit the affected product by logging into the device with administrative privileges. This gives him/her permission to change the system’s settings, and even read and write files. ―An attacker can log into the operating system of the device using an SSH connection with the root credentials to gain administrative access. Once the attacker gains access to the device, the file system and settings can be accessed, which could result in a loss of availability, integrity and confidentiality,‖ ICS-CERT reports. The products susceptible to such attacks are industrial serial device servers and they are used for SCADA systems. Source: http://news.softpedia.com/news/Flawed-ORing-Networking-Devices-Expose-Oil-and-Gas-Companies-to-Cyberattacks-293994.shtml

 • Dell SecureWorks researchers discovered a cyber espionage campaign targeting several large companies, including two in the energy sector. – ComputerWeekly.com

4. September 20, ComputerWeekly.com – (International) Dell SecureWorks uncovers cyber espionage targeting energy firms. Dell SecureWorks researchers discovered a cyber espionage campaign targeting several large companies, including two in the energy sector, ComputerWeekly.com reported September 20. The campaign, dubbed Mirage, targeted an oil company in the Philippines, an energy firm in Canada, a military organization in Taiwan and other unidentified targets in Brazil, Israel, Egypt, and Nigeria. This is the second cyber espionage campaign to be uncovered during 2012 by the Counter Threat Unit of security firm Dell SecureWorks. The first campaign, dubbed Sin Digoo, targeted several petroleum companies in Vietnam, government ministries in different countries, an embassy, a nuclear safety agency, and other business related groups. The Dell SecureWorks researchers believe either the same group is behind both campaigns, or whoever is responsible for Mirage is working closely with those behind Sin Digoo. Source: http://www.computerweekly.com/news/2240163620/Dell-SecureWorks-uncovers-cyber-espionage-targeting-energy-firms

 • Heavy rain and strong winds hammered Mat-Su Borough, Alaska, prompting many flood advisories and road closures, including an incident where 10 people were rescued in Wasilla. – KTUU 2 Anchorage

17. September 20, KTUU 2 Anchorage – (Alaska) Mat-Su floods, road closures: 10 people rescued in Wasilla. Heavy rain and strong winds continued to hit the Mat-Su Borough prompting many flood advisories and road closures, including an incident where 10 people were rescued in Wasilla, Alaska, September 20. A flash flood swept through a neighborhood off of Lucille Street and Marilyn Circle. Residents of the house with the most flooding said the water rose so fast that by the time they pulled out of their driveway, the water was waist deep. People who lived in the four other homes were rescued by emergency responders who rafted them to safety. Mat-Su Borough officials said Shorty Road and Welch Road were closed. It said rock slides increased between Miles 77 and 79 on the Glenn Highway, west of where it crosses the Chickaloon River. Borough officials noted that Talkeetna, Beaver, and Mercedes roads were flooded, and in East Talkeetna, people were instructed to evacuate immediately at the north end of Beaver Road. Three shelters opened overnight, according to the American Red Cross of Alaska. Source: http://articles.ktuu.com/2012-09-20/mat-su-borough_33984261

 • A brawl at a Tucson, Arizona prison involving 200 inmates seriously injured 3 inmates, and hurt 8 other prisoners, and 3 corrections officers. – Associated Press

33. September 21, Associated Press – (Arizona) Fight involving 200 at Ariz. prison leaves 14 hurt. Two or three corrections officers were among those treated after a fight broke out among 200 black and Hispanic inmates at a State prison complex in Tucson, Arizona, September 20. The brawl broke out in a recreation yard at the prison’s Santa Rita unit, an Arizona Department of Corrections spokesman said. It was broken up by a prison tactical force using pepper spray and ―minimal force‖ within a half hour, the spokesman said. One of the inmates was in critical condition September 21, a hospital spokesman said, and two others were in the intensive care unit in serious condition. The hospital treated and released three prison guards. The corrections spokesman said the melee injured two officers and 11 inmates. The prison has 5,150 beds and the unit where the fight broke out houses 727 inmates. Source: http://www.charlotteobserver.com/2012/09/21/3545307/scores-of-inmates-fight-at-ariz.html

 • Wildfires in central Washington merged and tripled in size to more than 47 square miles, as thousands of firefighters struggled to contain blazes that forced evacuations of hundreds of homes. – Associated Press

48. September 21, Associated Press – (Washington) Heat, winds, low moisture make Wash. fires grow. Wildfires in central Washington merged and tripled in size to more than 47 square miles, due to a combination of warm temperatures, winds, very low humidity, and low moisture in the vegetation, the Associated Press reported September 21. The Table Mountain blaze was being fought by more than 750 firefighters and was 5 percent contained by late September 20, fire managers said. It had not burned any homes, but 161 homes north of Ellensburg and in the Liberty area are under a Level 3 evacuation, meaning residents are urged to leave, a Kittitas County sheriff said. The Table Mountain Complex was one of several wildfires burning on the eastern slopes of the Cascade Range. The largest, the Wenatchee Complex, had grown to about 65 square miles. It was 24 percent contained and was being fought by more than 2,000 firefighters. The fires were blanketing eastern Washington with smoke forcing the relocation of school and college sporting events, and dry conditions led the State to issue restrictions on logging and other industrial activities. All together, the fires had covered more than 108 square miles as of late September 20, and hundreds of people had been evacuated from their homes. Source: http://seattletimes.com/html/localnews/2019221019_apwawashwildfires.html

Details

Banking and Finance Sector

13. September 20, U.S. Securities and Exchange Commission – (International) SEC freezes assets of insider trader in Burger King stock. The Securities and Exchange Commission (SEC) September 20 obtained an emergency court order to freeze the assets of a stockbroker who used nonpublic information from a customer and engaged in insider trading ahead of Burger King’s announcement it was being acquired by a New York private equity firm. The SEC alleges the stockbroker, a citizen of Brazil who was working for Wells Fargo in Miami, learned about the impending acquisition from a brokerage customer who invested at least $50 million in a fund managed by private equity firm 3G Capital Partners Ltd. and used to acquire Burger King in 2010. The broker misused the confidential data to illegally trade in Burger King stock for $175,000 in illicit profits, and he tipped others living in Brazil and elsewhere who also traded on the information. The SEC obtained an asset freeze. It took the emergency action to prevent the broker from transferring his assets outside of U.S. jurisdiction. He recently abandoned his most current job at Morgan Stanley Smith Barney, put his Miami home up for sale, and began transferring all of his assets out of the country. Source: http://www.sec.gov/news/press/2012/2012-195.htm

14. September 20, Associated Press – (Oregon) SEC files fraud charges against Ore. fund manager. The Securities and Exchange Commission (SEC) September 20 filed fraud charges against an Oregon man accused of running a Ponzi scheme that raised more than $37 million. The SEC alleges that the man from Grifphon Asset Management in Lake Oswego falsely boasted of double-digit returns to lure more than 100 people to invest their money in hedge funds he managed. He then used money to pay off earlier investors and pay for his personal expenses and travel. The complaint filed in federal court claims little of the money was invested. He allegedly created phony assets and sent bogus account statements to investors. Source: http://www.sfgate.com/news/article/SEC-files-fraud-charges-against-Ore-fund-manager-3881299.php

Information Technology Sector

36. September 21, The H – (International) Apple closes security holes in Mac OS X and Safari. Apple released updates for versions 10.6 (Snow Leopard), 10.7 (Lion), and 10.8 (Mountain Lion) of its Mac OS X operating system that close many critical security holes. Mac OS X 10.8.2, 10.7.5, and Security Update 2012-004 for Mac OS X 10.6.8 address a wide range of vulnerabilities. These include information disclosure and denial-of-service (DoS) problems, bugs in the sandbox that could allow malware to bypass restrictions, memory corruption bugs, and buffer and integer overflows. According to Apple, many of these could be exploited by an attacker to cause unexpected application termination or arbitrary code execution. Among the changes in the updates are new versions of Apache, the BIND DNS server, International Components for Unicode, the kernel, Mail.app, PHP, Ruby, and the QuickTime media player, all of which correct security problems. Apple also released an update to its Safari Web browser, version 6.0.1 that addresses multiple information disclosure vulnerabilities, including one that could allow Autofill contact data to be sent to maliciously crafted Web sites. The majority of the holes closed in Safari were memory corruption bugs found in its WebKit browser engine that could, for example, be exploited by an attacker to cause unexpected application termination or arbitrary code execution. For an attack to be successful, a victim must first visit a specially crafted Web site. Source: http://www.h-online.com/security/news/item/Apple-closes-security-holes-in-Mac-OS-X-and-Safari-1714236.html

37. September 21, The Register – (International) Microsoft issues emergency IE bug patch. Microsoft released a patch that fixes five vulnerabilities, including the zero-day flaw that is cracking Windows systems via the most common versions of Internet Explorer (IE). The MS12-063 update provides a fix for the flaw, which is in use by hackers against some companies. The patch also has four more flaw fixes, which have not been spotted in the wild, said Microsoft. The flaw was rated as critical or moderate risk, depending on which browser and operating system a user is running, but would allow full remote code execution on systems running IE 7,8, and 9 running Adobe Flash on fully patched Windows XP, Vista, and 7 machines, using malware embedded in a Web page. The flaw was found by a security researcher on an Italian hacking tools site, but there were reports it has been used to distribute the Poison Ivy trojan by the same group that exploited the Java zero-day flaw found in the last month. Source: http://www.theregister.co.uk/2012/09/21/microsoft_patches_zero_day_flaw/

38. September 20, Infosecurity – (International) IBM: Top threats include data breaches, BYOD, browser exploits. When it comes to trends in security for 2012 so far, the landscape has seen a sharp increase in browser-related exploits, like recent ones for Internet Explorer and Java, along with renewed concerns around social media password security and continued disparity in mobile devices and corporate bring-your-own-device (BYOD) programs. That information comes from the IBM X-Force 2012 Mid-Year Trend and Risk Report, which shows that a continuing trend for attackers is to target individuals by directing them to a trusted URL or site injected with malicious code. Through browser vulnerabilities, the attackers are able to install malware on the target system. Further, the growth of SQL injection, a technique used by attackers to access a database through a Web site, is keeping pace with the increased usage of cross-site scripting and directory traversal commands. Source: http://www.infosecurity-magazine.com/view/28370/ibm-top-threats-include-data-breaches-byod-browser-exploits

39. September 20, Government Computer News – (National) Energy lab develops Sophia to help secure SCADA systems. New cybersecurity software developed by an Energy Department lab specifically for utilities and other industrial systems could be available as early as October. The Idaho National Laboratory’s Sophia software sentry, funded by the Energy Department’s Office of Electricity Delivery & Energy Reliability and DHS, passively monitors networks to help operators detect intruders and other anomalies. Industrial systems such as power plants have concentrated on physical security because they were not connected to the Internet, but that has changed as operators have added computer networks. Sophia is a tool to automate real-time monitoring on static Supervisory Control and Data Acquisition (SCADA) system networks — those with fairly fixed communications patterns. Anything out of the ordinary triggers an alert. If the program detects suspicious activity, it alerts an operator or network administrator, who can then decide if the activity is threatening. Source: http://gcn.com/articles/2012/09/20/inl-sophia-industrial-control-system-security-tool.aspx

40. September 19, Technology Review – (International) Stuxnet tricks copied by computer criminals. Experts indicate the techniques used in sophisticated, state-backed malware are trickling down to less-skilled programmers who target regular Web users and their online accounts or credit card details. State-sponsored malware became widely known in 2010 with the discovery of Stuxnet, a program targeted at Iranian industrial control systems. Since then, several other very sophisticated malware packages have been discovered that are also believed to have been made by governments or government contractors. These packages include Duqu, exposed late in 2011, and Flame, found in May 2012. One reason such malware is so effective is it tends to exploit previously unknown software vulnerabilities, known as zero-days, in widely used programs such as Microsoft Windows to gain control of a computer. A Kaspersky researcher said those exploits can be quickly ―copy-pasted‖ by other programmers, as happened after the discovery of Stuxnet. More concerning is the way higher-level design features are being picked up, he said. Source: http://www.technologyreview.com/news/429173/stuxnet-tricks-copied-by-computer-criminals/

For more stories, see items 1 and 4 above in Top Stories and 41 and 42 below in the Communications Sector

Communications Sector

41. September 20, Atlanta Journal-Constitution – (Georgia) AT&T customers’ Internet service disrupted. Around 7,500 AT&T customers in northern Atlanta were without Internet service for several hours September 20 after the company said it experienced a router problem. A spokesman said it would take a few days to complete an assessment of the problem, but it appeared it was caused by a defective card in a router. He said only Internet service was affected and not mobile phone service. The chief executive officer of L2Networks said the outage also affected other carriers’ ability to provide similar services, including Qwest, CenturyLink, Deltacom, Earthlink, and many smaller telecommunication providers. Source: http://blogs.ajc.com/business-beat/2012/09/20/att-customers-internet-service-disrupted/

42. September 19, Computerworld – (National) Sprint says Virgin Mobile users are safe from account hijacks. Sprint September 19 denied that subscribers of its Virgin Mobile subsidiary were wide open to account hijacking attacks as claimed by an independent software developer the week of September 17. In emailed comments, a Sprint spokeswoman said the company has multiple safeguards to protect customer accounts from intrusion and tampering by unauthorized users. She was responding to questions that arose from a September 17 blog post by a developer. In it, he detailed how the username and password system used by Virgin Mobile to let users access their accounts online was inherently weak and open to abuse. Virgin forces subscribers to use their phone numbers as their username and a six-digit number as their password, he noted. The developer said he went public with his discovery because Sprint did not fix the vulnerability after being told how easy it was to exploit. He also noted in his blog that Virgin Mobile subscribers had no easy way to mitigate any exposure to account hijacks. In response, Sprint said it implemented a new procedure to lock out users from their accounts after four failed attempts. The developer described that move as ineffective because hackers could bypass it by making log-in attempts without sending any cookie data with the requests. Source: http://www.computerworld.com/s/article/9231470/Sprint_says_Virgin_Mobile_users_are_safe_from_account_hijacks


Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport

Contact Information

Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List:     Send mail to support@govdelivery.com.


Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure
Coordinating Center at  nicc@dhs.gov or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at  soc@us-cert.gov or visit their Web page at  www.us-cert.go v.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.