Wednesday, September 26, 2012

Daily Report

Top Stories

 • A corroded pipe that failed and triggered a leak and massive fire at Chevron Corp.’s Richmond, California refinery had a low silicon content that went undetected during tests and therefore was unaddressed. – Associated Press

1. September 24, Associated Press – (California) Chevron: Failed pipe had unknown weakness. A corroded pipe that failed and triggered a leak and massive fire at Chevron Corp.’s Richmond, California refinery had a low silicon content that went undetected during the company’s tests and therefore was unaddressed, the manager in charge of the facility said September 24. The general manager of Chevron Richmond described the chemical composition of the decades-old, 8-inch pipe section as a contributing factor to the August 6 blaze that sent thousands of people to the hospital with smoke-related complaints and knocked offline one of the nation’s largest refineries. He told reporters during a news conference and residents at a community meeting that the company now thinks the pipe was more susceptible to thinning when exposed to high temperatures, a weakness not fully understood or acted upon before the corroded conduit exploded. The manager said the section that failed was part of a larger 200-foot-long pipe that was inspected in June at 19 points. Source:

 • Sunland Inc. of Portales, New Mexico, whose peanut butter was linked to a multi-State Salmonella outbreak, recalled all of the almond and peanut butter products it has manufactured since May. – Food Safety News

22. September 24, Food Safety News – (National) Peanut butter recall expands beyond Trader Joe’s. Sunland Inc. of Portales, New Mexico, whose peanut butter was linked to a multi-State Salmonella outbreak, issued a massive recall of products September 24. The company recalled all almond butter and peanut butter products manufactured since May because they may be contaminated with Salmonella Bredeney, a rare strain of Salmonella that has caused at least 29 illnesses in 18 States since June 11. This large market withdrawal follows a more limited one initiated by Trader Joe’s September 21, which included its Valencia Creamy Salted Peanut Butter. All affected products bear a best-if-used-by date between May 1, 2013 and September 24, 2013. Source:

 • Researchers from Security Explorations claimed to have identified a flaw that affects all Oracle Java SE versions and the billions of devices on which the software is currently installed. – Softpedia See item 39 below in the Information Technology Sector

 • A Romanian computer programmer claims to have found a log on the Institute of Electrical and Electronics Engineers’ FTP servers containing log-in information for almost 100,000 members. Membership includes top people from fields such as nanotechnology, IT, telecommunications, energy, and biomedical and healthcare. – Nextgov See item 41 below in the Information Technology Sector


Banking and Finance Sector

8. September 25, Softpedia – (New Hampshire; International) JPMorgan Chase Bank servers hacked, Tiffany employee details exposed. Computer servers owned by JPMorgan Chase Bank were breached, and the financial institution alerted high-end jewelry company Tiffany & Co because the affected machines contained the personal details of some employees, Softpedia reported September 25. “Chase told us that the affected servers, which contained certain information provided in connection with a Tiffany employee travel expense reimbursement system, contained information such as names, addresses, Social Security numbers and banking information,” Tiffany’s chief privacy officer wrote in a letter September 5 to the New Hampshire attorney general. The bank told the company it had no reason to believe that the sensitive data has been copied or misused by the attackers. The financial institution also shut down the affected servers and upgraded its security systems to prevent such incidents from occurring in the future. Tiffany also sent out letters to the impacted individuals – there are “approximately” three employees from New Hampshire – advising them to be on the lookout for any suspicious transactions. Source:

9. September 25, Softpedia – (International) Bank of America website reveals details of random users, experts find. While logging in to Bank of America’s (BoA) Web site to access the Automated Clearing House (ACH) system, experts from Private Internet Access noticed they were actually viewing the bank account details of some other random customer, Softpedia reported September 25. After they entered the transfer interface, they were presented with the name, bank account, balance, email address, and other details of an individual who had nothing to do with the company. Apparently, the account is restored to normal after the user logs out and logs back in again, and the security hole could not be reproduced after this first occurrence. However, some users reported that they also encountered the problem in the past, which meant that it was not an isolated incident. Private Internet Access representatives made screenshots and sent out a detailed notification to BoA. Source:

10. September 25, Philadelphia Inquirer – (National) Discover to pay $214 million to settle charges of deceptive marketing. More than 3.5 million people who used Discover credit cards over the last 5 years will share about $200 million in restitution for marketing practices that federal regulators said were unfair and deceptive, the Consumer Financial Protection Bureau and the Federal Deposit Insurance Corporation announced September 24. The compensation will go to customers charged for add-on products such as “Payment Protection” or “Wallet Protection.” Regulators said telemarketers for the Delaware bank followed misleading scripts and often sped through fee disclosures, leading customers to believe that the bank was touting benefits that came free with their cards. Discover also agreed to pay $14 million in penalties to settle the case. About 4.7 million customers were billed for the services between December 2007 and August 2011, the period covered by the case. Source:

11. September 25, Wall Street Journal – (International) Treasury targets Sinaloa operative and his associates. The U.S. Department of the Treasury said September 25 that it placed Kingpin Act sanctions on an associate of the head of the Sinaloa Cartel, and four of his collaborators. The man is the head of a narcotics distribution and money laundering organization based in Guadalajara and Mexico City, Mexico, Treasury said. The man was arrested in March 2011 as part of a sweep by law enforcement in Mexico and Ecuador that netted several members of his organization. More members of the network were arrested in July 2011. The United States is seeking his and his associates’ extradition to face charges in a May 2011 indictment that alleges drug-trafficking and money laundering offenses. The indictment arose out of a U.S. Drug Enforcement Administration probe that linked his organization to the movement of cocaine by the ton in Ecuador and Mexico, and the laundering of millions of U.S. and Canadian dollars through the international financial system. Source:

12. September 24, KPRC 2 Houston – (Texas) Police: Bank robber sprays employees with chemicals. A man sprayed bank employees with a chemical believed to be pepper spray during an armed robbery in Shenandoah, Texas, September 24, police said. Shenandoah police said a man walked into a Citibank branch, pulled a small-framed semi-automatic rifle from his backpack, and walked up to a teller. The man demanded cash and sprayed the teller. There was one customer in the bank at the time of the robbery who was also sprayed. Police said the robber then went from office to office and sprayed other employees. Some workers were able to close their doors and avoid the substance. The man went back to the teller he attacked and then demanded cash. The people who were sprayed with the chemicals were treated at the scene. Hazardous materials crews cleared the air inside. Source:

13. September 24, Help Net Security – (International) Stolen card data on sale on professional-looking e-shop. A researcher from Webroot recently uncovered a seemingly well-established Web site for selling stolen card data, so much so that the crook behind the scheme has set up a professional-looking e-shop. The shop is advertised on a number of carding forums, and the crook can be contacted only via ICQ. The page is well designed and features a shop whose functionality does not seem to differ much from any other legitimate one. The e-shop also has a helpful search engine so customers can find exactly what they need. “The service is currently offering 9,132 stolen credit cards for sale, and has already managed to sell 3,292 credit cards to prospective cybercriminals,” the researcher said, noting that the going rate for a sample stolen credit card depends on whether the card is debit or credit. The former go for $16, and the latter for $30 per item, but there are also discounts to be had for bulk purchases. Rather than exploiting the stolen card numbers, services like the e-shop forward the risk on to those who purchase the numbers and then attempt to exploit them. Source:

For another story, see item 46 below in the Communications Sector

Information Technology Sector

37. September 25, Softpedia – (International) DHL: Most common word used in spear phishing attacks in 2012 H1. In a new report, FireEye identified a trend in the words being used in the names of malicious files sent in spam campaigns. In the second half of 2011, the most common word used in such cybercriminal campaigns was “label.” In the first half of 2012, “label” dropped to the 6th position. Currently, the most commonly used words in spear phishing attacks are “dhl” and “notification.” Each of these words appears in almost a quarter (23.42 percent and 23.37 percent, respectively) of all the malicious attachments that land in users’ inboxes. Other words that stand out are “delivery,” “express,” “2012,” “shipment,” “ups,” “international,” “parcel,” “post,” “confirmation,” “alert,” “usps,” “report,” “jan2012,” “april,” “idnotification,” “ticket,” and “shipping.” This shows that most of the malicious files that come via spam emails are somehow related to shipping. While this may not seem new, the figures from the report reveal that names related to this topic have grown from 19.20 percent to 26.35 percent. Source:

38. September 25, The H – (International) Apple fixes security vulnerabilities with Apple TV 5.1 update. Apple released Update 5.1 for its 2nd and 3rd generation iOS-based Apple TV devices, adding several new features and closing a number of important security holes. According to Apple, Apple TV 5.1 addresses 21 problems, some of which could be exploited by a remote attacker to, for example, cause a denial-of-service (DoS), determine which networks a device previously accessed, or even execute arbitrary code on the device. These include vulnerabilities in the LibXML library used by Apple TV, memory corruption problems in JavaScriptCore and the LibPNG library, a stack buffer overflow in ICU locale ID handling, an integer overflow, a double free bug in ImageIO’s handling of JPEG images, and a buffer overflow in the LibTIFF library. For an attack to be successful, a victim must connect to a malicious Wi-Fi network, or open a specially crafted movie or image file. Source:

39. September 25, Softpedia – (International) One billion users affected by Java security sandbox bypass vulnerability, experts say. Researchers from Security Explorations claimed to have identified a flaw that affects all Oracle Java SE versions and the billions of devices on which the software is currently installed. This bug, codenamed issue 50, was identified just before the start of Oracle’s JavaOne 2012 conference. “The impact of this issue is critical — we were able to successfully exploit it and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7,” the CEO of Security Explorations said. He said the vulnerability can be leveraged by an attacker to “violate a fundamental security constraint” of Java Virtual Machines. The researchers confirmed Java SE 5 Update 22, Java SE 6 Update 35, and Java SE 7 Update 7 running on fully patched Windows 7 32-bit operating systems are susceptible to the attack. The affected Web browsers are Safari 5.1.7, Opera 12.02, Chrome 21.0.1180.89, Firefox 15.0.1, and Internet Explorer 9.0.8112.16421. The company provided Oracle with a complete technical description of the flaw, along with source and binary codes, and a proof-of-concept that demonstrates the complete security sandbox bypass in Java SE 5, 6, and 7. Source:

40. September 25, The Register – (International) A single Web link will wipe Samsung Android smartphones. A hacker demonstrated how a simple Web page can reset various Samsung phones back to the state they left the factory — enabling a click, bump, or text to take out a victim’s mobile device entirely. The flaw lies in Samsung’s dialing software, triggered by the tel protocol in a URL. It is not applicable to all the company’s Android handsets, but those that are vulnerable can have their PIN changed or be wiped completely just by visiting a Web page or snapping a bad QR code, or even bumping up against the wrong wireless NFC tag. Source:

41. September 25, Nextgov – (International) IEEE data breach has global reach. A Romanian computer programmer currently affiliated with the Computer Science department at the University of Copenhagen, Denmark, claims to have found a log on the Institute of Electrical and Electronics Engineers’ (IEEE) FTP servers containing the log-in information for almost 100,000 of its members. IEEE is one of the world’s preeminent professional organizations in such fields as nanotechnology, IT, telecommunications, energy, as well as biomedical and healthcare, and it is a global standards-making organization. According to the programmer, he first discovered the log, which held usernames and passwords in plaintext and had been publicly available via IEEE’s FTP server for at least a month, on September 18. He informed the organization of his find September 24, and evidently the organization is addressing the issue. Among the users whose information was exposed are researchers at NASA, Stanford, IBM, Google, Apple, Oracle, and Samsung. IEEE’s membership of over 340,000 is roughly half American (49.8 percent as of 2011). About 8 percent of IEEE’s membership consists of government employees, including the military. Most members work in the private sector and academia. Source:

42. September 24, Infosecurity – (International) Most data breaches come from within. While the data breach events that catch headlines are the work of hacking collectives and professional malware writers, it turns out that the vast majority of information compromises are caused by companies’ own unwitting employees. According to new research from Forrester, only 25 percent of data breach cases are the work of external attackers, and only 12 percent of them were perpetrated by insiders with ill intent. That leaves 63 percent of the issues caused by something more mundane, like losing or misplacing corporate assets, the report found. Source:

43. September 24, Ars Technica – (International) Secret Microsoft policy limited Hotmail passwords to 16 characters. For years, Microsoft engineers quietly limited Hotmail passwords to 16 characters, a revelation that surprised and concerned some users who have long entered passcodes twice that long to access accounts. The limitation is in stark contrast to those found on services such as Gmail, which reportedly permits passwords as long as 200 characters or even Yahoo Mail, which allows 32-character passwords. Source:

44. September 24, PC Magazine – (International) New hacker collective emerges in response to anti-Islamic film. A new, focused group of hackers from a number of Arab countries is reportedly attacking Western Web sites in retaliation for an anti-Islamic video. “The hacking operations are of course a response to the offense against the prophet, peace and blessing be upon him,” a member of the self-proclaimed Arab Electronic Army, comprised of hackers from Morocco, Saudi Arabia, Syria, and other countries, said recently. So far, the Arab Electronic Army reportedly defaced a number of relatively low-profile Web properties, many of them with Brazilian domain names, according to the spokesman for the hacker collective. Source:,2817,2410127,00.asp

45. September 24, Threatpost – (International) Tiny Evil Maid CHKDSK utility can steal passwords. Stealthy malware that can sneak onto machines during the boot process and remain undetected indefinitely is one of the ultimate goals of security research. There have been many tools developed over the years that aimed to accomplish this goal, with a researcher’s Evil Maid attack being perhaps the most famous. Threatpost reported September 24 that a developer in Canada recently produced a similar tool that impersonates the CHKDSK utility and can grab a user’s password and then exit without the user’s knowledge. The Evil Maid CHKDSK utility is designed to load from a USB device and will present the user with a screen that looks just like the actual CHKDSK screen, saying the tool is checking the volume on the C: drive for errors. Source:

For more stories, see items 8, 9 and 13 above in the Banking and Finance Sector and 46 below in the Communications Sector

Communications Sector

46. September 24, WTVA 9 Tupelo – (Mississippi) Phone service down in parts of Calhoun County. A phone outage plaguing parts of Calhoun County, Mississippi will likely not be resolved for several hours, according to the county’s 9-1-1 director. He said someone accidentally cut a fiber optic line near the fire department in Derma September 24. The damage to the line resulted in a loss of landline, ATM, and cell phone coverage for Vardaman and Derma. It also affected the county’s 9-1-1 service. Source:

For more stories, see items 40 and 41 above in the Information Technology Sector

Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site:

Contact Information

Content and Suggestions: Send mail to or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List: Send mail to

Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure Coordinating Center at or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at or visit their Web page at v.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.