Wednesday, October 3, 2012 

Daily Report

Top Stories

 • Some 39 people on an Amtrak passenger train were injured when it derailed after a big rig crashed into it near Hanford, California, October 1. – Associated Press

11. October 2, Associated Press – (California) Amtrak: Crossing gate down in Calif. train crash. The crossing gate was down, lights were flashing and bells were ringing when a big rig crashed into a passing Amtrak passenger train October 1 near Hanford, California, an Amtrak official said. An Amtrak spokeswoman said 39 people on the train from Oakland to Bakersfield were injured. The truck hit the train being pushed by the locomotive between the locomotive and the last car. Authorities described the injuries as mostly bumps and bruises, although the spokeswoman said at least one person suffered a broken leg. The driver of the big rig went through the warning arms and hit the train before his truck overturned, according to the California Highway Patrol (CHP). The impact from the truck pushed two of the train’s four cars and its locomotive off the tracks. The train traveled about 600 feet after the collision before hitting a switchback and derailing, the CHP said. Officials have not determined how fast the train or the truck were going, but the average speed for Amtrak through the area is 70 mph to 80 mph, while the speed limit on the roadway where the truck was traveling is 55 mph, according to the CHP. The track reopened October 2 after crews replaced hundreds of feet of damaged track and some signal equipment, a BNSF Railway spokeswoman said. BNSF owns the line. Source:

 • American Airlines said passenger seats on a third flight in 1 week came loose as the plane was airborne, and that it was continuing to inspect other jets with similar seating. – Associated Press

12. October 2, Associated Press – (National) American Airlines inspects jets after passenger seats break loose in mid-flight on 3 planes. American Airlines said passenger seats on a third flight came loose as the plane was airborne, and it was continuing to inspect other jets with similar seating. The airline acknowledged October 2 that seats came loose on a flight the week of September 24 between Vail, Colorado, and Dallas-Fort Worth International Airport in Texas. The same thing happened on a flight September 29 and another October 1. An American Airlines spokeswoman said the airline is inspecting eight of its Boeing 757s that share similar seat assemblies. An initial review by American indicated that there could be a problem with the way the seats fit into tracks on the floor of the Boeing 757, but technical teams from the airline “are looking at everything,” she said. The planes involved in the incidents were recently worked on at an American Airlines maintenance base in Tulsa, Oklahoma, and a Timco Aviation Services facility in North Carolina. The Federal Aviation Administration said it is looking into the incidents. Source:

 • A beef recall by XL Foods, Inc. of Alberta, Canada, expanded for the 13th time. It now has affected U.S. retailers in 41 States, and has rendered more than 1,100 beef products unsafe. – Food Safety News

15. October 2, Food Safety News – (International) Canadian beef recall grows, again. October 2, Food Safety News reported the thirteenth expansion of the XL Foods, Inc. recall. Alberta, Canada-based XL Foods, Inc. is voluntarily recalling 260 more varieties of beef, announced the Canadian Food Inspection Agency in a health alert October 1. These newly recalled meats have been added to hundreds of other beef products recalled by the company in the past 2 weeks. Some beef products listed in this latest recall — including rump roast, soup bones, and tenderized hip steak among others — were not listed in previous recall updates that have mainly included ground beef and various whole and tenderized cuts. Products affected by this update were manufactured on the same dates as XL’s previously recalled ground beef products — August 24, 27, 28, 29, and September 5. Affected products were sold in retail stores across the United States, including Dominion, Extra Foods, Real Atlantic, Save Easy, ValuFoods, Valu-mart, VillageMart, and Zehrs, among others. The XL Foods recall has so far affected U.S. retailers in 41 States, and has rendered over 1,100 beef products unsafe. Source:

 • A salmonella outbreak that has left hundreds of people sick in the Netherlands and the United States was traced to smoked salmon. – Associated Press; CBS News

16. October 2, Associated Press; CBS News – (International) Salmonella tied to Dutch salmon sickens hundreds. A salmonella outbreak that has left hundreds of people sick in the Netherlands and the United States was traced to smoked salmon, CBS News reported October 2. The Netherlands’ National Institute for Public Health and the Environment (RIVM) said the salmon was traced to Dutch company Foppen, which sells fish to many major Dutch supermarkets and to stores around the world, including the United States. RIVM said that around 200 people — and likely more — in the Netherlands, and more than 100 people in the United States were sickened. A RIVM spokesman said the institute got its information on Americans becoming ill from the Centers for Disease Control and Prevention (CDC). However, a CDC representative said the agency had not confirmed any illnesses. A Foppen company spokesman said that in the United States, Foppen sells only to Costco Wholesale Corp., which would deal with any U.S. recall. The smoked salmon was sold under the Foppen name, as well as under Costco’s store-brand name, Kirkland. Costco said it had no reports of illness. Source:

 • A U.S. Border Patrol agent was killed and another wounded in a shooting October 2 in Naco, Arizona, near the U.S.-Mexico line. – Associated Press

37. October 2, Associated Press – (Arizona) Border Patrol agent shot, killed on patrol in Ariz. A U.S. Border Patrol agent was killed and another wounded in a shooting October 2 in Arizona near the U.S.-Mexico line, according to the Border Patrol. The agents were shot while patrolling on horseback in Naco, Arizona, October 2, the Border Patrol said in a statement. The agents who were shot were on patrol with a third agent, who was not harmed, according to the president of the National Border Patrol Council, a union representing about 17,000 border patrol agents. The shooting occurred after an alarm was triggered on one of the many sensors along the border and the three agents went to investigate, said a Cochise County Sheriff’s spokeswoman. Authorities have not identified any suspects, she said. It is not known whether the agents returned fire. The wounded agent was airlifted to a hospital after being shot in the ankle and buttocks, the Border Patrol said. That agent was in surgery and expected to recover, the union president said. Source:


Banking and Finance Sector

7. October 1, Ars Technica – (International) DSL modem hack used to infect millions with banking fraud malware. Millions of Internet users in Brazil fell victim to a sustained attack that exploited vulnerabilities in DSL modems, forcing people visiting sites such as Google or Facebook to reach imposter sites that installed malicious software and stole online banking credentials, a Kaspersky security researcher said. The attack, described the week of September 24 during a presentation at the Virus Bulletin conference in Dallas, infected more than 4.5 million DSL modems, said the researcher, citing statistics provided by Brazil’s Computer Emergency Response Team. The cross-site request forgery (CSRF) vulnerability allowed attackers to use a simple script to steal passwords required to remotely log in to and control the devices. The attackers then configured the modems to use malicious domain name system servers that caused users trying to visit popular Web sites to instead connect to booby-trapped imposter sites. Source:

8. October 2, Softpedia – (International) Persistent flaws in PayPal allow cybercriminals to hijack user sessions and more. Multiple Web vulnerabilities have been identified by Vulnerability Lab researchers on the official PayPal Web site, Softpedia reported October 2. The high-severity security holes could have been exploited by a remote attacker against Pro, seller, or regular customer accounts. “A persistent input validation vulnerability is detected in the official Paypal ecommerce website content management system (Customer/Pro/Seller). The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent) of the paypal web service,” the experts explained. “The vulnerability is located in the company profile input fields with the bound vulnerable address_id, details (mail) & companyname parameters. The bug affects the important user profile listing, the address listings & security notification (mail),” they added. A similar vulnerability also affects the mail security notification module. If exploited successfully, the flaws could have allowed a cybercriminal to hijack user sessions, steal accounts via persistent Web attacks, and manipulate context in the affected modules. According to the experts, the payment processor was notified of the issues in July, but the security holes were addressed only in mid-September. Source:

9. October 1, Agence France-Presse – (National) Scam went back further than thought. The Bernard L. Madoff Investment Securities LLC’s multi-billion dollar Wall Street fraud, the largest in U.S. history, started in the early 1970s, at least two decades earlier than previously thought, officials said October 1. The revelation was contained in a superseding indictment that adds charges against five former employees of the investment firm who are accused of conspiring to defraud clients of billions. The alleged new crimes in the indictment include bank fraud charges and tax offenses, the federal prosecutor’s office in Manhattan, New York said. “Whereas the November 2010 Indictment alleged that the conspiracy to defraud BLMIS’s clients began in or about 1992, the Superseding Indictment dates the conspiracy back to at least the early 1970s,” the prosecutor’s office said in a statement. An FBI official said the five defendants were “at the core” of the scheme. Shielded by a reputation as one of Wall Street’s most savvy investors, the firm’s leader secretly stole clients’ capital to pay back steady returns in phony profits. The scheme only collapsed in 2008 amid the U.S. financial crisis. Source:

10. October 1, Associated Press – (Kentucky; New York) Federal authorities in NY charge Ky. man and 2 others in $100M fraud linked to bank collapse. A Kentucky businessman was arrested October 1 in a $100 million scheme that contributed to the collapse of a bank and tried to drain money from the federal bank bailout program before some funds were used to pay his mortgages and to buy luxury goods, authorities said. Along with two alleged accomplices arrested in New York, the man faces various charges, including conspiracy to commit bank bribery, bank and insurance fraud, and tax evasion. A U.S. attorney in New York City alleged that the man carried out several illegal financial schemes that relied largely on his corrupt relationship with New York’s Park Avenue Bank, its former president, and the bank’s senior vice president. The former president previously pleaded guilty to fraud, bank bribery, embezzlement, and conspiracy. The bank’s senior vice president also was arrested, along with the executive director of investments at an investment bank and financial services company headquartered in Manhattan. The government said the executive director also aided the Kentucky man in his schemes. Source:

For another story, see item 38 below in the Information Technology Sector

Information Technology Sector

38. October 2, Softpedia – (International) Prolexic: ‘itsoknoproblembro’ DDoS attacks are highly sophisticated. Experts from Prolexic Technologies claim a new type of distributed denial-of-service (DDoS) attack has not only increased in size, but also reached a new level of sophistication. DDoS attacks have recently caused a lot of problems for organizations; in September, the sites of several financial institutions were disrupted as a result of such operations. Prolexic found that many of the recent attacks against their customers relied on the itsoknoproblembro DDoS toolkit. By combining the toolkit’s capabilities with other sophisticated methods, the cyber criminals have been able to launch attacks that are difficult to mitigate even for specialized firms. Prolexic recorded massive sustained floods, some of which peaked at 70 Gbps and over 30 million pps. Itsoknoproblembro includes a number of application layer and infrastructure attack vectors, such as UDP and SSL encrypted attack types, SYN floods, and ICMP. The botnet that powers these attacks contains a large number of legitimate IP addresses. This allows the attack to bypass the anti-spoofing mechanisms deployed by companies.

39. October 2, Softpedia – (International) Twitter authentication flaw allows hackers to hijack user accounts. Cyber criminals can steal Twitter accounts by leveraging a flaw in the social network’s authentication system. In a recent case, a hacker utilized software that repeatedly tests common passwords against the account. This type of brute force attack is possible because Twitter only limits the log-in attempts if they come from the same IP address. Most Web sites have implemented a system that prevents potential criminals from hijacking accounts by trying out random passwords. However, since Twitter only prevents multiple log-in attempts from the same computer, attackers can try out as many passwords as they want as long as they change their IP address. Source:
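The weakness in item 39 is the choice of key for the failure counter. The following added example (not from the report or from Twitter; the threshold, guesses and IP pool are constructed) models three throttling policies against a password-guessing client that rotates source addresses, and shows that only a counter kept against the target account stops the guessing:

```python
# Per-IP versus per-account login throttling. Added example, not from the report;
# the threshold, guesses and IP pool below are constructed. It models the weakness
# described above: a limiter keyed only on the client IP lets an attacker who
# rotates addresses keep guessing one account's password, whereas keying the
# failure counter on the account stops the guessing wherever attempts come from.
from collections import defaultdict

MAX_FAILURES = 5  # failed attempts allowed per key before further attempts are refused


class LoginThrottle:
    """Counts failed logins per key; a key at MAX_FAILURES is refused.
    key_fn maps (username, client_ip) to the counter key. A production limiter
    would also expire counters after a time window rather than keep them forever."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.failures = defaultdict(int)

    def allowed(self, username, client_ip):
        return self.failures[self.key_fn(username, client_ip)] < MAX_FAILURES

    def record_failure(self, username, client_ip):
        self.failures[self.key_fn(username, client_ip)] += 1


def per_ip_key(_username, client_ip):
    return client_ip                  # the policy the story describes

def per_account_key(username, _client_ip):
    return username.lower()           # counts failures against the target account

def per_ip_and_account_key(username, client_ip):
    return (username.lower(), client_ip)  # weakest option: a fresh IP resets the count


def simulate_rotating_attacker(throttle, username, guesses, ips):
    """Sends each wrong guess from the next IP in the pool and returns how many
    guesses the server actually evaluated (were not refused by the throttle)."""
    evaluated = 0
    for i, _guess in enumerate(guesses):
        ip = ips[i % len(ips)]
        if not throttle.allowed(username, ip):
            continue                   # refused before the password is checked
        evaluated += 1
        throttle.record_failure(username, ip)  # every guess is wrong here
    return evaluated


def compare_strategies(num_guesses=100, num_ips=20):
    """Constructed scenario: 100 wrong passwords spread over 20 source addresses."""
    guesses = [f"password{i}" for i in range(num_guesses)]
    ips = [f"203.0.113.{n}" for n in range(1, num_ips + 1)]  # RFC 5737 test range
    return {name: simulate_rotating_attacker(LoginThrottle(key), "victim", guesses, ips)
            for name, key in [("per_ip", per_ip_key), ("per_account", per_account_key),
                              ("per_ip_and_account", per_ip_and_account_key)]}

if __name__ == "__main__":
    print(compare_strategies())  # {'per_ip': 100, 'per_account': 5, 'per_ip_and_account': 100}
```

A per-account counter on its own can be turned into a lockout denial of service against the victim, so deployments usually pair it with the per-IP counter and a time window rather than replace one with the other.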

40. October 2, The H – (International) Internet Explorer security examined. A security expert illustrated how different statistical approaches can provide differing perspectives on browser security. For example, if only vulnerabilities are counted, Internet Explorer compares well with its competitors. However, if vulnerabilities that are actually exploited are counted, Internet Explorer fares comparatively poorly, according to the researcher. He calculated that 275 vulnerabilities were reported for Google Chrome in 2011, 97 for Mozilla Firefox, and only 45 for Internet Explorer. Using this method, Internet Explorer appears to have a solid security story. However, looking at the statistics for zero-day exploits actually spread by malicious Web sites, Internet Explorer ranks far behind other browsers. Between January 2011 and September 2012, the researcher counted 89 days on which Internet Explorer users were exposed to actively exploited security vulnerabilities, compared to none at all for either Google Chrome or Mozilla Firefox. The researcher argues that, “Active exploitation is the most important qualifier of a true zero-day.” He believes this is what matters from a user perspective. Source:

41. October 1, Help Net Security – (International) IEEE password compromise was due to proxy ‘anomaly’. The week of September 24, a researcher revealed that he found the usernames and passwords of 100,000 members of the Institute of Electrical and Electronics Engineers (IEEE) unencrypted on an FTP server, available for anyone to find. Upon being notified of the matter, the organization mounted an investigation, and revealed its results: “The incident related to the communication of user IDs and passwords between two specific applications within our internal network resulting in the inclusion of such data in web logs. An anomaly occurred with a process executed in coordination with a proxy provider of IEEE, with the result that copies of some of the logs were placed on our public FTP server. These communications affected approximately two percent of our users. The log files in question contained user IDs and accompanying passwords that matched our directory. The primary logs were, and are, stored in protected areas.” IEEE also made sure to note that it does not store its corporate directory information in the clear, does not expose it to the public, and was not compromised. Source:
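The failure mode IEEE describes, credentials passed between applications ending up in web logs, is something a defender can check for before the logs are copied anywhere. The following added example (not from the report or from IEEE; the log lines are constructed in combined log format and the list of parameter names treated as sensitive is an assumption) scans access-log lines for credentials carried in request query strings, reports them, and emits a redacted copy:

```python
# Scanner for credentials leaked into web access logs. Added example, not from the
# report or IEEE; the log lines below are constructed in combined log format, and the
# parameter names treated as sensitive are an assumption. The pattern described above
# (user IDs and passwords passed between applications ending up in web logs) shows
# up as credentials in request query strings, which this script finds and redacts.
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "secret", "token"}

# client ident user [timestamp] "METHOD url HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<prefix>\S+ \S+ \S+ \[[^\]]+\] ")(?P<method>[A-Z]+) (?P<url>\S+) (?P<rest>HTTP/[\d.]+".*)$'
)

# Constructed sample: two requests that carry a password in the URL, one that does not.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Sep/2012:10:15:01 +0000] "GET /sso/login?user=jdoe&password=Winter2012 HTTP/1.1" 302 0
203.0.113.9 - - [24/Sep/2012:10:15:03 +0000] "GET /static/logo.png HTTP/1.1" 200 5120
203.0.113.7 - - [24/Sep/2012:10:15:05 +0000] "POST /api/auth?uid=asmith&Pwd=hunter2 HTTP/1.1" 200 87
"""


def scan_line(line):
    """Return (finding, cleaned_line); finding is None when nothing sensitive is present."""
    m = LOG_RE.match(line)
    if not m:
        return None, line  # not a request line we understand; leave untouched
    parts = urlsplit(m.group("url"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [k for k, _ in pairs if k.lower() in SENSITIVE_PARAMS]
    if not leaked:
        return None, line
    # Keep the parameter names (useful for tracing which application sent them),
    # but replace the values so the cleaned log can be shared or archived.
    redacted = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    clean_url = urlunsplit(parts._replace(query=urlencode(redacted)))
    finding = {"client": m.group("prefix").split()[0], "path": parts.path, "params": leaked}
    return finding, f'{m.group("prefix")}{m.group("method")} {clean_url} {m.group("rest")}'


def scan_log(text):
    """Scan a whole log; returns the list of findings and the redacted log text."""
    findings, cleaned = [], []
    for line in text.splitlines():
        finding, out = scan_line(line)
        if finding:
            findings.append(finding)
        cleaned.append(out)
    return findings, "\n".join(cleaned)


if __name__ == "__main__":
    found, clean_text = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['client']} {f['path']} leaks {', '.join(f['params'])}")
    print(clean_text)
```

Credentials sent in POST bodies or headers never appear in standard access logs, so this check covers the query-string case only; the durable fix is to stop applications from passing secrets in URLs at all.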

42. October 1, Softpedia – (International) Quervar malware found to download ZeroAccess trojans and ransomware. September 27, security researchers from Trend Micro spotted a new variant of the Quervar malware. Cyber criminals launched a new Quervar campaign paired with two different payloads: ZeroAccess trojans and ransomware. The ransomware is designed to lock computers and demand ransoms in the name of the FBI. The trojan, TROJ_SIREFEF.SZP, is a rootkit malware that hides its presence by patching the services.exe file, and by disabling all the operating system’s security-related services. Source:

43. October 1, The H – (International) SQL injection in Trend Micro’s Control Manager. Trend Micro’s platform for centralized security management is vulnerable to SQL injection attacks. According to the U.S. Computer Emergency Readiness Team, versions 5.5 and 6.0 of the Trend Micro Control Manager are vulnerable. The company provided patches for both affected versions. The vulnerability in question concerns a blind SQL injection attack which means the Web frontend does not divulge any information from the database. According to a report by security consulting firm Spentera that includes a proof-of-concept, the vulnerable system can be made to leak information such as password hashes by analyzing the timing of SQL queries. Source:

For more stories, see items 7 and 8 above in the Banking and Finance Sector

Communications Sector

Nothing to report

Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site:

Contact Information

Content and Suggestions: Send mail to or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List:     Send mail to

Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure Coordinating Center at or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at or visit their Web page at v.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.