Tuesday, October 30, 2012

Daily Report

Top Stories

 • The supply of gasoline, diesel, and jet fuel into the East Coast almost completely stopped October 29, as Hurricane Sandy forced the closure of two-thirds of the region's refineries, its biggest pipeline, and most major ports. – Reuters

1. October 29, Reuters – (National) Sandy cuts E. Coast fuel supply; refiners, pipelines shut. The supply of gasoline, diesel, and jet fuel into the East Coast ground almost to a halt October 29, as Hurricane Sandy forced the closure of two-thirds of the region's refineries, its biggest pipeline, and most major ports. Benchmark New York harbor gasoline futures jumped as much as 11 cents a gallon, with traders fearing that power outages and flooding could leave refiners struggling to restore operations after the broadest storm ever to hit the United States. With Sandy gaining strength as it nears the coast, refinery, pipeline, port, and terminal operators shuttered or reduced operations, increasing the risk that bottlenecks would keep supplies of motor and heating fuel from customers. Colonial Pipeline, the nation's largest oil products pipeline that connects the East Coast to Gulf Coast refiners, said it has shut down lines servicing individual terminals along the Northeastern seaboard. Nearly 70 percent of the region's refining capacity was on track to be idled. Source: http://www.reuters.com/article/2012/10/29/storm-sandy-refining- idUSL1E8LS1OU20121029

 • U.S. stock markets were to be closed for 2 consecutive days due to weather, NBC News reported October 29. The decision to close financial markets for a second straight day October 30 was made during a call between industry executives and regulators October 29, Reuters said. – NBC News; Reuters; Associated Press See item 9 below in the Banking and Finance Sector

 • Airline and ground transportation systems in three major metropolitan areas shut down as Hurricane Sandy moved closer to the East Coast, CNN reported October 29. More than 10 million public transit commuters were without service. – CNN

15. October 29, CNN – (National) Sandy snarls travel along the East Coast. Airline and ground transportation systems in three major metropolitan areas shut down as Hurricane Sandy moved closer to the East Coast, CNN reported October 29. More than 10 million public transit commuters were without service. There were more than 8,000 flight cancellations as a result of the hurricane, according to FlightAware.com. Some 1,300 domestic and international flights were canceled October 28, according to FlightAware, with more than 6,800 October 29 flights canceled. More than 2,500 October 30 flights were already canceled, according to FlightAware. That number was expected to grow. US Airways announced the cancellation of all its October 30 operations at Philadelphia, Washington, Boston, and New York City airports. All October 29 operations at New York and New Jersey's three major metro airports were canceled, according to the Port Authority of New York and New Jersey. The majority of flights were also canceled out of Dulles International and Reagan National airports in the Washington, D.C. area, according to Metropolitan Washington Airports Authority. All October 29 flights out of Philadelphia International Airport were also canceled, an airport spokeswoman said. Flights were suspended at Connecticut's Bradley International Airport as well. New York's ubiquitous subway and bus services stopped October 28, and it was unknown when service would be restored. The area's Metropolitan Transit Authority Service, which also operates the Long Island Rail Road, Metro-North Railroad, serving Westchester and Connecticut, and the city's Staten Island Railway, suspended service on those three train lines. In New Jersey, the suspension of all NJ Transit bus, rail, light rail, and Access Link service was complete as of October 29. The Washington Metro system remained idle, and it was unclear when bus service and rail service would be restored, the Washington Metropolitan Area Transit Authority said. The 770,000 riders who use public transit each day in the Philadelphia area were also impacted. Amtrak said it was canceling almost all services on the eastern seaboard October 29. Bus lines connected to those trains were also canceled. Source: http://www.cnn.com/2012/10/28/travel/tropical-weather- transportation/index.html

 • The South Carolina Department of Revenue's Web site was hacked and millions of Social Security numbers and credit and debit card numbers belonging to approximately 77 percent of South Carolina residents were compromised, WIS 10 Columbia reported October 28. – WIS 10 Columbia

28. October 28, WIS 10 Columbia – (South Carolina) Millions of South Carolinians' Social Security numbers stolen from State agency. The South Carolina Department of Revenue's Web site was hacked and millions of social security numbers and credit and debit card numbers belonging to approximately 77 percent of South Carolina residents were compromised, WIS 10 Columbia reported October 28. State officials revealed that someone in a foreign country gained access to the Web site and a server was breached for the first time in late August. 387,000 credit and debit card numbers and 3.6 million Social Security numbers were exposed. The Social Security numbers were unencrypted. Of the credit cards, the vast majority are protected by strong encryption deemed sufficient under credit card industry standards, officials said. However, approximately 16,000 were unencrypted and exposed. Officials found out about the breach October 10. October 16, investigators uncovered two attempts to probe the system in early September, and later learned that a previous attempt was made August 27. In mid-September, two other intrusions occurred, and to the best of the department's knowledge, the hacker obtained data for the first time. No other intrusions were uncovered. October 20, the vulnerability in the system was closed and, to the best of the department's knowledge, secured. The breach potentially affects anyone who has paid taxes in South Carolina since 1998. Source: http://www.wbtv.com/story/19926154/social-security-breach-nikki-haley- south-carolina-credit-cards-hacker


Banking and Finance Sector

9. October 29, NBC News; Reuters; Associated Press – (New York; National) Hurricane Sandy to keep stock markets shuttered Tuesday. For the first time since the Great Blizzard of 1888, U.S. stock markets were to be closed for 2 consecutive days due to weather, NBC News reported October 29. The decision to close financial markets for a second straight day October 30 was made during a call between industry executives and regulators October 29, Reuters said. The New York Stock Exchange (NYSE) and the Nasdaq Stock Market both said they intended to remain closed for business a second day. The bond market will also remain closed. The NYSE shuttered its operations October 29 as Hurricane Sandy neared landfall on the East Coast, bringing about the first unplanned shutdown since the September 2001 terrorist attacks. "We intend to re- open our U.S. markets on Wednesday ... conditions permitting; updates will be provided tomorrow," the NYSE said in an email. All major U.S. stock and options exchanges were closed October 29. Options and other exchange-based derivatives would remain closed October 30 due to the storm. There had been plans to allow electronic trading to go forward on the New York Stock Exchange October 29, but with all mass transit shut down in and out of New York City's Manhattan area, the risks were determined to be too great. A number of major U.S. companies postponed quarterly earnings as financial markets shut down. Source: http://marketday.nbcnews.com/_news/2012/10/29/14778477-hurricane-sandy-to-keep-stock-markets-shuttered-tuesday?lite

10. October 29, The Register – (Texas; National) Hackers crack Texan bank, Experian credit records come flooding out. Hackers managed to get login credentials for Experian's credit scoring reports after they broke into the systems of Abilene Telco Federal Credit Union in Abilene, Texas, in 2011, The Register reported October 29. Crooks gained access to the bank's systems after hacking into an employee's computer. The September 2011 breach allowed the hackers to get their hands on login credentials for the bank's account with Experian, exposing the details of millions to potential snooping in the process. A subsequent audit revealed that the attackers had used the compromised account to download credit reports on 847 people, obtaining Social Security numbers, dates of birth, and financial data on individuals across the U.S. who had never held an account with the small Texas bank. The breach is one of 86 incidents that have exposed data stored by credit reference agencies to snooping since 2006. Hackers have obtained this information not by going after the credit reference agencies directly but by targeting banks, auto-loan firms, data brokers, police departments, and other organizations that have access to the sensitive information, which can be used by identity thieves to establish lines of credit under false names. Source: http://www.theregister.co.uk/2012/10/29/credit_report_data_breach_worries/

11. October 27, Imperial Valley News – (California; Nevada) Fourteen charged in million-dollar ‘gone in 60 seconds’ bank fraud. Fourteen individuals were charged following a FBI-led investigation into the theft of over $1 million from Citibank using cash advance kiosks at casinos located in southern California and Nevada. According to an indictment unsealed October 26, the defendants stole the money by exploiting a gap which required multiple withdrawals all within 60 seconds in Citibank’s electronic transaction security protocols. According to court documents, a defendant recruited conspirators who were willing to open multiple Citibank checking accounts. He then supplied his co-defendants with "seed" money, which was deposited into the recently opened accounts. After the money was deposited into the checking accounts, he and his conspirators would travel to nearly a dozen casinos in California and Nevada. When inside the casino, the conspirators used cash advance kiosks at casinos to withdraw several times the amount of money deposited into the accounts, by exploiting the Citibank security gap they discovered. As part of the alleged scheme, the defendants kept both their deposits and withdrawals under $10,000 in order to avoid federal transaction reporting requirements and conceal their fraud. Source: http://www.imperialvalleynews.com/index.php/news/california-news/2126- fourteen-charged-in-million-dollar-gone-in-60-seconds-bank-fraud.html

12. October 27, Bay Area Newsgroup – (California) Campbell: 'Beanie Bandit' arrested in connection with six South Bay bank robberies. A man suspected of being the "Beanie Bandit'' who robbed six South Bay area, California banks was arrested October 26 after officers tracked him down and stopped his car, police said. Campbell police arrested the man after finding money and clothing in his home that was seen in the surveillance videos. He is suspected of robbing the six bank branches between August 24 and October 12. Two banks in Campbell, two in Sunnyvale, one in San Jose, and one in Los Gatos were hit. Sunnyvale police said that during the October 12 robbery at a Bank of America branch, the robber had given the teller a note stating that he was armed with a gun, but no weapon was seen. Source: http://www.mercurynews.com/campbell/ci_21869883/campbell-beanie-bandit-arrested-connection-six-south-bay

13. October 26, U.S. Securities and Exchange Commission – (California; National) SEC charges Silicon Valley executive for role in Galleon insider trading scheme. The Securities and Exchange Commission (SEC) October 26 charged a Saratoga, California former senior executive at a Silicon Valley technology company for illegally tipping a convicted hedge fund manager with nonpublic information that allowed the Galleon hedge funds to make nearly $1 million in illicit profits. The SEC alleges that the former senior executive tipped the hedge fund manager in December 2006 with confidential details from internal company reports indicating that Xilinx Inc. would fall short of revenue projections it had previously made publicly. The tip enabled the hedge fund manager to engage in short selling of Xilinx stock to illicitly benefit the Galleon funds. The executive tipped the manager, who was a close friend, at a time when the executive had his own substantial investment in Galleon funds and was in discussions with the manager about prospective employment at Galleon. The executive was hired at Galleon in May 2007. The executive agreed to pay more than $1.75 million to settle the SEC’s charges. Source: http://www.sec.gov/news/press/2012/2012-216.htm

14. October 26, U.S. Securities and Exchange Commission – (Colorado) SEC charges Denver-based insurance executive with insider trading. The Securities and Exchange Commission (SEC) October 26 charged an insurance company CEO with insider trading based on confidential information he obtained in advance of a private investment firm acquiring a significant stake in a Denver-based oil and gas company. The SEC alleges that the CEO learned from a Delta Petroleum Corporation insider that Tracinda was planning to acquire a 35 percent stake in Delta Petroleum for $684 million. The CEO subsequently purchased Delta Petroleum stock and highly speculative options contracts. He tipped several others, encouraging them to do the same, including a pair of relatives. After Tracinda’s investment was publicly announced, Delta Petroleum’s stock price shot up by almost 20 percent. The CEO and his tippees made more than $161,000 in illegal trading profits. The U.S. Attorney’s Office for the District of Colorado also announced a parallel criminal action against the CEO. Source: http://www.sec.gov/news/press/2012/2012-217.htm

Information Technology Sector

33. October 29, Help Net Security – (International) Privacy-invading module found in thousands of apps on Google Play. An advertising module embedded into over 7,000 "free" fake versions of legitimate Android applications that can be found on Google Play is actively harvesting personal and mobile use information from unsuspecting users, warned a Trend Micro senior threat researcher. She detected one such app after downloading by mistake a fake Flash Player from Google's official Android market and getting warned about its malicious nature by her company's own mobile security app. After consulting with a colleague from the Mobile Application Reputation team, she discovered the extent of the problem: apart from pushing ads onto the users, the adware module inside the app also sends information such as device ID, OS version, IP address, and the user's phone number, GPS location, account information, calendar, and browser bookmarks to the servers of the company that created the module. This particular ad module compromises the users' privacy and their devices' usability. It was found in over 7,000 free apps offered on Google Play. "80% of them are still available, and at least 10% of them have been downloaded more than one million times," the researcher warned, and added that the Web of Trust community believes the company that created the module is also involved in phishing and scamming users. Source: http://www.net-security.org/secworld.php?id=13860

34. October 29, Help Net Security – (International) Malware authors turn to simpler detection evasion techniques. Symantec researchers discovered two new, less- technical approaches malware developers are using to evade automated threat analysis. The first consists of making malware run only if it detects mouse movement or clicking. The second involves inserting delays between the execution of the various malware subroutines. The rationale behind the first test is that automated threat analysis systems do not use the mouse, while regular computer users do. The lack of this movement signals to the malware that it is probably being run in a sandbox. The rationale behind the subroutine execution delays — often spanning over 20 minutes for each — is that given the number of files the system must test, it usually spends only a small amount of time on each file, and chances are the file will be categorized as harmless and discarded before the first subroutine is even run. Source: http://www.net-security.org/malware_news.php?id=2307

35. October 29, The H – (International) Ubuntu 11.04 reaches its end of life. An Ubuntu release manager announced that Ubuntu 11.04, code-named "Natty Narwhal," reached its end of life October 28. This means that no new updates, including security updates and critical fixes, will be made available for version 11.04 of Canonical's Linux distribution. Released in April 2011, Natty Narwhal was based on the Linux kernel and was the first version of Ubuntu to replace the GNOME Shell with Unity as its default desktop environment. Firefox 4.0, version 3.3.2 of the LibreOffice productivity suite, and Banshee 2.0 were among the bundled default applications. Users still running Ubuntu 11.04 are advised to upgrade to version 11.10 "Oneiric Ocelot" or later in order to continue receiving updates. Those wanting to upgrade to the current Long Term Support edition, Ubuntu 12.04, or the most recent standard release, Ubuntu 12.10 "Quantal Quetzal," will need to upgrade in multiple steps, first upgrading to 11.10 and then the subsequent versions. Source: http://www.h-online.com/security/news/item/Ubuntu-11-04-reaches-its-end-of-life-1738365.html

36. October 27, Softpedia – (International) Users lured to Blackhole exploit kit with bogus 'Your Photos' LinkedIn emails. According to Sophos experts, one of the latest plots by cybercriminals to lure users to a Blackhole exploit kit-infested Web site involves send out fake LinkedIn emails entitled “Your Photos” in an attempt to trick them into opening an attached .htm file. The notification reads: ”Hi, I have attached your photos to the mail (Open with Internet Explorer).” Once the file, called “Image_DIG[random number].htm” is opened, a ”please wait a moment” message is displayed. In the meantime, in the background, the victim is redirected to a Blackhole exploit Web site that is designed to serve malware. The malicious .htm file is detected as Mal/JSRedir-M. Source: http://news.softpedia.com/news/Users-Lured-to-BlackHole-Exploit-Kit-With- Bogus-Your-Photo-LinkedIn-Emails-302569.shtml

37. October 27, The H – (International) Critical security holes closed in Firefox 16 and Thunderbird 16. Mozilla released a Firefox 16.0.2 update for its browser to close recently discovered critical security holes. Three problems, assigned CVE-2012-4194, CVE-2012-4195, and CVE-2012-4196 were addressed in the updates. The flaws also affect Thunderbird 16 to a more limited extent, but a Thunderbird 16.0.2 update was released. Enterprise ESR versions of the browser and email client are also affected; a 10.0.10 update for Firefox ESR and Thunderbird ESR were also released along with a 2.13.2 update of SeaMonkey. The flaws are centered on the Location object, which now has its security increased. A researcher discovered that the true value of window.location could be shadowed which could have enabled a cross-site-scripting (XSS) attack in conjunction with some plugins. A Mozilla security researcher found that using CheckURL on window.location could be forced to return the wrong calling document, also enabling an XSS attack; there was also a possibility of arbitrary code execution via any add-on that interacted with page content. Finally, a researcher from the PROSECCO research team at INRIA found that it was possible to inject properties into the Location object, exposing it to cross-origin reading. Source: http://www.h-online.com/security/news/item/Critical-security-holes-closed-in- Firefox-16-and-Thunderbird-16-1737891.html

Communications Sector

Nothing to report.

Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport

Contact Information

Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List:     Send mail to support@govdelivery.com.

Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure
Coordinating Center at  nicc@dhs.gov or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at  soc@us-cert.gov or visit their Web page at  www.us-cert.go v.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.