Wednesday, October 24, 2012

Daily Report

Top Stories

 • The extended shutdown of a sister company of the pharmacy at the center of the deadly U.S. meningitis outbreak may exacerbate drug shortages for some hospitals and healthcare providers as the number of infection cases neared 300, U.S. health regulators said October 22. – Reuters

18. October 22, Reuters – (National) Meningitis probe could hit hospital drug supplies. The extended shutdown of a sister company of the pharmacy at the center of the deadly U.S. meningitis outbreak may exacerbate drug shortages for some hospitals and healthcare providers as the number of infection cases neared 300, U.S. health regulators said October 22. Ameridose, a drug manufacturer owned by the same people who own New England Compounding Center, or NECC, has been closed since October 10. It will remain shuttered until November 5, while authorities inspect the plant, at least temporarily cutting off supplies to its customers. NECC shipped thousands of potentially contaminated vials of a steroid used for injections to treat severe back pain. Some 14,000 patients may have been exposed to the medicine that has so far led to 23 deaths. Twelve additional fungal meningitis cases were reported October 22, bringing the total to 294 in 16 States, plus 3 cases of peripheral joint infection likely linked to the tainted steroid, according to the U.S. Centers for Disease Control and Prevention. Nine of the new cases were reported in Michigan, which has reported 63 infections and 5 deaths. Source: idUSBRE89L18320121022

 • Five Points Correctional Facility in Seneca County, New York, was put on lockdown after a riot the weekend of October 20 injured six officers. The lockdown was expected to last through the end of the week of October 22. – WHAM 13 Rochester

22. October 23, WHAM 13 Rochester – (New York) Prison in lockdown after riot. Five Points Correctional Facility in Seneca County, New York, is on lockdown after a riot over the weekend of October 20. Officers at the prison tried to break up a fight between inmates October 21. Some of the inmates started to assault the staff — leading officers to use canisters of tear gas to get the situation under control. Six officers were hurt; two of them had to go to a hospital for treatment but were expected to be fine. Eight inmates were transferred to other correctional facilities in New York. The lockdown was expected to last through the end of the week of October 22. Source: Lockdown/D3KfvOGTlkWJl0NHozFmkg.cspx

 • A New York City Police Department (NYPD) officer admitted to stealing guns from police lockers and selling them to drug dealers to pay for his addiction to painkillers. He pleaded guilty October 22 to selling four stolen NYPD-issued guns and an additional pistol that belonged to him. – Associated Press See item 26 below in the Information Technology Sector

 • Web sites that use Amazon’s AWS cloud-computing service for hosting were down as it experienced “degraded performance” in its northern Virginia zone October 22. The sites included Reddit, Coursera, Flipboard, FastCompany, Foursquare, Netflix, Pinterest, and Airbnb. – Forbes See item 35 below in the Communications Sector


Banking and Finance Sector

2. October 22, Reuters – (International) U.S. exchange flags internal trading discrepancy. U.S. exchange operator Direct Edge said October 22 that it found a discrepancy between how a stock trades in certain circumstances compared with what its rules state, a contradiction at the center of a growing debate over market complexity and fairness. The discrepancy that Direct Edge found in its mid-point-match (MPM) order types has existed since trading platform EDGX officially launched as a national securities exchange in July 2010, the company said in a notice to traders. An order type is the set of instructions that govern the price and other variables in stock transactions. The discrepancy involves the exchange’s Rule 11.8(a)(2), which is supposed to assign priority to MPM orders over, among others, non-displayed limit orders. Direct Edge said EDGX usually assigns priority for MPM orders but it identified a circumstance in which the trading platform did not. In addition, the likelihood that MPM orders are executed and result in price improvement is higher because they automatically interact with displayed order flow. The trading notice did not indicate how often MPM orders failed to receive the priority they were supposed to have. Source: idUSBRE89L15X20121022

3. October 21, KSWB 5 San Diego – (California) ‘Chubby Bandit’ bank robbery suspect arrested. A man suspected of being the “Chubby Bandit” was arrested October 21 for allegedly robbing a pharmacy and five banks in the San Diego area and attempting to rob a sixth, law enforcement officials said. According to the FBI, the heavy-set man dubbed the “Chubby Bandit” first struck October 9, holding up a US Bank branch in Poway. He then allegedly robbed a CVS Pharmacy in San Marcos October 10, a Chase Bank branch in Carlsbad October 11, and attempted to rob another Chase Bank branch in Solana Beach October 13. The bandit then allegedly robbed a Wells Fargo Bank branch in Encinitas October 15, a US Bank branch in Carlsbad October 16, and a Wells Fargo Bank in San Diego October 18. In all the robberies, the bandit used a demand note and said he had a gun, officials said. Source:,0,3011373.story

Information Technology Sector

25. October 23, Softpedia – (International) Experts locate dropper of Japanese malware responsible for making death threats. Approximately 10 days ago, a piece of malware making death and bomb threats online on behalf of its victims was discovered. Now, researchers from Symantec have discovered the malicious element’s dropper. The dropper of Backdoor.Rabasheeta — the component responsible for installing the payload onto the victim’s computer — creates a registry entry to ensure that the main module is executed each time the device is started. After it drops the main module and the configuration files that enable the threat to communicate with its command and control server, it removes itself from the infected computer. Backdoor.Rabasheeta has the capability to open a backdoor on the compromised device and allow its controller to take command of it. Source: Malware-Responsible-for-Making-Death-Threats-301400.shtml

26. October 23, The H – (International) CyanogenMod logged lockscreen swipe gestures. A developer discovered that the popular modified Android firmware CyanogenMod apparently recorded swipe gestures used to unlock smartphones. The CyanogenMod project provides manufacturer-independent open source custom ROMs for Android devices. In August, an update was released which modified the fixed 3x3 grid format for lockscreen gestures to make the grid size configurable (by adding a PATTERN_SIZE variable). In the process, a line of code to log the gestures used was also added. A researcher has now discovered this code. Logging unlock gestures is comparable to recording passwords entered by users. Neither represents a direct threat, as without access to the device, attackers cannot access the log file. However, it nonetheless poses an unnecessary risk that could allow data which should be confidential to fall into the wrong hands, for example by compromising a backup saved to a PC. Source: lockscreen-swipe-gestures-1734701.html
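The point of item 26 is that a single debug line turned an unlock secret into an artifact that outlives the screen and can ride along in logs and backups. The check below is an added example, not CyanogenMod code and not the line the researcher found: it is a small Python scanner that walks lines of (constructed, hypothetical) Android Java source and flags Log calls whose message expression references a sensitive-looking identifier outside of string literals, the kind of pre-commit check that would have caught the logging line the article describes. The file names, line numbers and code lines in SAMPLE_SOURCE are invented for the example.

```python
import re

# Constructed sample of Android (Java) source lines, written for this example.
# None of these lines is taken from CyanogenMod; they only stand in for the
# kind of debug logging the article describes.  Format: path:line:code
SAMPLE_SOURCE = """\
LockPatternView.java:112:    Log.d(TAG, "pattern size set to " + mPatternSize);
LockPatternView.java:240:    Log.d(TAG, "unlock pattern: " + patternToString(pattern));
LockPatternUtils.java:88:     Log.v(TAG, "checking password " + password);
LockPatternUtils.java:95:     Log.i(TAG, "lockscreen enabled=" + enabled);
NetworkClient.java:31:        Log.w(TAG, "token refresh failed for user " + userId);
"""

# Identifiers whose runtime value should never reach logcat, a log file or a backup.
SENSITIVE = re.compile(
    r"\b(pattern|password|passwd|pin|secret|token|credential)\b", re.IGNORECASE
)

# Android log call: Log.<level>(tag, <message expression>);
LOG_CALL = re.compile(r"\bLog\.[vdiwe]\s*\(\s*[^,]+,\s*(?P<msg>.*)\)\s*;")

# A double-quoted Java string literal, including escaped quotes inside it.
STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')


def find_sensitive_logging(source_text):
    """Return (path, line_no, code) for every Log call whose message expression
    references a sensitive-looking identifier.  Words that appear only inside
    string literals are ignored: "pattern size" in a literal is harmless, while
    the variable `pattern` concatenated into the message carries the secret."""
    findings = []
    for raw in source_text.splitlines():
        try:
            path, line_no, code = raw.split(":", 2)
        except ValueError:
            continue  # not in path:line:code form
        match = LOG_CALL.search(code)
        if not match:
            continue
        # Blank out literals so only identifiers evaluated at runtime are scanned.
        code_only = STRING_LITERAL.sub('""', match.group("msg"))
        if SENSITIVE.search(code_only):
            findings.append((path, int(line_no), code.strip()))
    return findings


if __name__ == "__main__":
    for path, line_no, code in find_sensitive_logging(SAMPLE_SOURCE):
        print(f"{path}:{line_no}: logs a sensitive value: {code}")
```

Run against the sample, the scanner reports the two lines that concatenate `pattern` and `password` into a log message and stays quiet on the lines that only mention those words inside string literals or log a size or a user ID. The identifier list is deliberately short; a real deployment would extend it to the project's own names for keys, tokens and PINs and run the check over `git diff` output in CI.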

27. October 23, Help Net Security – (International) Malvertising on Yahoo Messenger hijacks browsers’ start page. Yahoo Messenger users who followed the link in an advertisement for Vietnamese Internet directory Web site LaBan(dot)vn and downloaded the offered executable installed a persistent application that repeatedly leads them to the Web site. “It is not yet clear whether the banner has reached YIM customers following a legit advertising campaign that was modified by the advertiser later, or if it is an abusive attack that exploits a bug in the Yahoo Ad services,” said a Bitdefender researcher, but the banner was displayed for 4 hours. The problem with the app is that it cannot be easily deleted. The app adds itself to the Windows startup entries in order to run after every system reboot, and it repeatedly changes the default start page of the browsers found on the affected computer. The researcher did not mention whether the LaBan(dot)vn Web site offers other malicious software except for this app. Source:

28. October 23, The H – (International) Google Drive opens backdoor to Google accounts. The Windows and Mac OS X desktop clients for Google’s Drive file storage and synchronization service open a backdoor to users’ Google accounts which could allow the curious to access a Drive user’s email, contacts, and calendar entries. The sync tool includes a “Visit Google Drive on the web” link which opens Drive’s Web interface in the default browser and automatically logs the user in. Somewhat problematic is the fact that this session can then be used to switch to other Google services such as Gmail and Google Calendar. Even if the user explicitly logs out of the Google sites by clicking the “Sign out” link, the Drive client will open a new session without requiring a password. The desktop clients request login credentials only once, when they are first installed and launched. The backdoor is particularly problematic where a user shares their account with others or where a computer is not password protected. The link also makes accessing a user’s Google account unnecessarily simple for trojans. Source: to-Google-accounts-1735069.html

29. October 23, The H – (International) Security researcher experiments with patching Java. With Oracle planning to wait until February 2013, a security researcher decided to take matters into his own hands by developing a patch for a critical security vulnerability he discovered in Java. He posted a report on his efforts to security mailing list Full Disclosure. However, the patch is not intended for publication — as this would reveal details of the vulnerability, which the researcher has kept hidden so far. Instead, the researcher hopes his experiment will prompt Oracle to speed up its process for releasing official patches. He informed Oracle of the critical vulnerability in late September. It potentially enables an attacker to use a specially crafted applet to access assets on a system with user privileges. He was, however, too late for the company’s October patch day. Oracle informed him that it was already in the final stages of testing its October patches and that any patch would have to be held over until the next critical patch update, scheduled for February 19, 2013. In order to estimate the amount of work involved, the security researcher then decided to develop a patch himself and found that fixing the vulnerability required changing just 25 characters of code in 30 minutes. According to the researcher, the patch has no discernible effect on the code logic, rendering extensive integration tests to check its effect on other programs superfluous. Source: with-patching-Java-1735346.html

30. October 23, The H – (International) Adobe fixes critical Shockwave vulnerabilities. Numerous critical flaws in Shockwave, which could allow an attacker to inject malicious code into a system, were closed by Adobe with the release of Shockwave Player for Windows and Macintosh systems. Overall, the vulnerabilities have six CVE numbers assigned to them (CVE-2012-4172, CVE-2012-4173, CVE-2012-4174, CVE-2012-4175, CVE-2012-4176, CVE-2012-5273) and are mostly buffer overflows, with one array out-of-bounds vulnerability. Adobe said the update is a priority 2 issue. The company recommends users update their installations as soon as possible, but notes there are no known Shockwave exploits in the wild for these flaws. Source: vulnerabilities-1735371.html

31. October 22, Computer Weekly – (International) XSS attacks remain top threat to Web applications. Cross-site scripting (XSS) attacks remain the top threat to Web applications, databases, and Web sites, an analysis of 15 million cyberattacks in the third quarter of 2012 revealed. Other top attack techniques are directory traversals, SQL injections (SQLi), and cross-site request forgery (CSRF), according to the latest Web application attack report by cloud hosting firm FireHost. The increase in the number of cross-site attacks is one of the most significant changes in attack traffic between Q2 and Q3 2012, the report said. XSS and CSRF attacks rose to represent 64 percent of the group. XSS is now the most common attack type, with CSRF now in second. Source: threat-to-web-applications
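Item 31 names XSS and CSRF as the two most common attack types in the quarter without showing what either looks like in code. The block below is an added example, not code from FireHost or from the report: a hypothetical Python request handler with a reflected-XSS sink beside its escaped form, and a state-changing handler that rejects cross-site requests unless the form carries the session's CSRF token. The handler names, the `session` dictionary standing in for server-side session storage, and the payload string are all constructed for the example.

```python
import hmac
import html
import secrets

# --- Cross-site scripting -------------------------------------------------

def render_results_vulnerable(query):
    """Reflected XSS: the untrusted query is interpolated straight into HTML,
    so a <script> in the parameter runs in the victim's browser."""
    return f"<p>Results for: {query}</p>"


def render_results_safe(query):
    """Hardened: html.escape(quote=True) encodes & < > " and ', which is the
    correct encoding for text placed in an element body or a quoted attribute.
    (Other contexts, such as inside a script block or a URL, need their own
    encoding; this function is only for HTML text.)"""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def contains_live_script(rendered):
    """Crude check used in the demo: is there an unescaped <script tag?"""
    return "<script" in rendered.lower()


# --- Cross-site request forgery -------------------------------------------

def issue_csrf_token(session):
    """Mint a random per-session token; the page embeds it in each form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def is_valid_csrf(session, submitted):
    """Constant-time comparison so the check does not leak the token byte by byte."""
    expected = session.get("csrf_token")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_transfer(session, form):
    """Hypothetical state-changing endpoint.  A forged cross-site POST carries
    the victim's cookies (and so the session) but cannot read the token, so it
    is refused before any side effect happens."""
    if not is_valid_csrf(session, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"  # constructed test input
    print(render_results_vulnerable(payload))
    print(render_results_safe(payload))

    session = {}
    token = issue_csrf_token(session)
    print(handle_transfer(session, {"amount": "10", "to": "bob"}))  # forged: no token
    print(handle_transfer(session, {"amount": "10", "to": "bob", "csrf_token": token}))
```

The escaped output neutralises the script tag rather than trying to filter it, which is why output encoding rather than input blacklisting is the standard fix; the CSRF check works because the same-origin policy keeps the attacker's page from reading the token even though the browser attaches the session cookie to the forged request.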

32. October 22, Infosecurity – (International) Cross-zone scripting vulnerabilities found in Dropbox and Drive. “Exploiting this vulnerability,” announced IBM’s Application Security Insider blog, “an attacker could steal arbitrary files from a DropBox / Google Drive user by tricking him into viewing a malicious HTML file inside the mobile app.” Applications such as Dropbox and Drive are of increasing relevance to business, and their security is of increasing importance. As the bring-your-own-device revolution gathers pace, more and more employees are using such cloud storage services as a simple means of transferring data from corporate servers to personal tablets or smartphones. The problem, according to an advisory released by a researcher, is that “the DropBox apps use an embedded browser window to render the locally stored HTML file.” The way this has been implemented would allow the execution of malicious Javascript code “to steal potentially valuable information from the DOM of the embedded browser, an attack dubbed Cross-Application Scripting (XAS).” Source: vulnerabilities-found-in-dropbox-and-drive/

33. October 22, Ars Technica – (International) Java still has a crucial role to play— despite security risks. Java has its security flaws, but it is not going away any time soon — many important applications run on the technology, especially in business settings. Still, many users are worried enough about vulnerabilities that they restrict Java’s ability to run on their machines. That is what Ars Technica heard when it asked its readers October 19 whether they let Java run on their computers, and why. Some users disabled or uninstalled Java entirely. However, the most common solution for those worried about security risks is to leave the Java Runtime Environment in place on the desktop while disabling the browser plugins that allow Java applets to run on Web sites. Those plugins are often vulnerable to attacks involving remote code execution. Source: role-to-play-despite-security-risks/

34. October 22, U.S. Federal Trade Commission – (International) Tracking software company settles FTC charges that it deceived consumers and failed to safeguard sensitive data it collected. Web analytics Compete Inc. agreed to settle Federal Trade Commission (FTC) charges that it violated federal law by using its Web-tracking software that collected personal data without disclosing the extent of the information that it was collecting. The company also allegedly failed to honor promises it made to protect the personal data it collected. Compete is a company that uses tracking software to collect data on the browsing behavior of millions of consumers, then uses the data to generate reports, which it sells to clients who want to improve their website traffic and sales. The proposed settlement will require that Compete obtain consumers’ express consent before collecting any data from Compete software downloaded onto consumers’ computers, that the company delete or anonymize the use of the consumer data it already has collected, and that it provide directions to consumers for uninstalling its software. Source:

Communications Sector

35. October 22, Forbes – (International) Amazon AWS goes down again, takes Reddit with it. October 22, several Web sites that use Amazon’s AWS cloud-computing service for hosting, including Reddit, Coursera, Flipboard, FastCompany, Foursquare, Netflix, Pinterest, Airbnb, and more, were down as it experienced “degraded performance for a small number of EBS volumes in a single Availability Zone” in the northern Virginia zone. When problems began Amazon reported, “we are currently investigating degraded performance for a small number of EBS volumes in a single Availability Zone in the US-EAST-1 Region.” Then, about an hour later, the company updated its Service Health Dashboard: “We can confirm degraded performance for a small number of EBS volumes in a single Availability Zone in the US-EAST-1 Region. Instances using affected EBS volumes will also experience degraded performance.” Amazon updated their customers throughout October 22, before finally stating “we are continuing to restore impaired volumes and their attached instances.” While some Web sites, such as Reddit, were back up October 22, others that rely on AWS were reportedly still experiencing problems. Source: again-takes-reddit-with-it/

36. October 22, Threatpost – (International) HackRF Jawbreaker could bring low-cost wireless hacking to the masses. A researcher created a new radio called HackRF that is a kind of all-in-one hacker’s dream, with functionality to intercept and reverse-engineer traffic from a wide range of frequencies and sources. HackRF is the work of a researcher from Great Scott Gadgets, and the idea behind the project was to build a multipurpose transceiver that a user could attach to a computer and use as a “software-defined radio.” He released the hardware specifications and the software for the radio, called HackRF Jawbreaker, on Github. The device has the ability to transmit and receive over a wide range of frequencies, covering a huge number of commercial devices. Source: wireless-hacking-masses-102212

Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site:

Contact Information

Content and Suggestions: Send mail to or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List:     Send mail to

Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure
Coordinating Center at or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at or visit their Web page at v.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.