Friday, November 2, 2012
Daily Report
Top Stories
• Officials with Connecticut Light & Power (CL&P) and United Illuminating started to offer estimates to people who lost power as a result of Hurricane Sandy. United Illuminating said it expects to restore power to 95 percent of its customers before midnight November 5. – WFSB 3 Hartford; Associated Press
1. November 1, WFSB 3 Hartford; Associated Press – (Connecticut) CL&P, UI offer power restoration estimates. Officials
with Connecticut Light & Power (CL&P) and United Illuminating started to
offer estimates to people who have lost power as a result of Hurricane Sandy.
United Illuminating said it expects to restore power to 95 percent of its
customers before midnight November 5. The State’s second largest utility made
the promise November 1, as 110,947 customers were still without power, 3 days
after Hurricane Sandy caused massive damage in Connecticut and around the
Northeast. CL&P reported 246,417 in the dark as of November 1. The state’s
largest utility said it is estimating 98 percent of customers that remain in
the dark will have power restored by November 6. At a news conference November
1, the senior vice president for CL&P told reporters he would not be more
specific because of the extent of damage caused by Sandy. Total outages in Connecticut
fell by more than one-fourth in 24 hours. Source: http://www.kpho.com/story/19972211/ui-promises-power-to-95-pct-of-customers-by-monday
• A chemical fire at the site of a train
derailment in Kentucky that forced hundreds of people to evacuate their homes
was expected to continue burning all day November 1, far longer than initially
predicted. – Associated Press
5. November 1, Associated Press – (Kentucky) Authorities: Blaze at site of Ky. train derailment expected to burn throughout the day. A
chemical fire at the site of a train derailment in Kentucky that forced
hundreds of people to evacuate their homes was expected to continue burning all
day November 1, far longer than initially predicted. Emergency officials said
they were given inaccurate information about how much of the flammable
chemical, butadiene, remained in an overturned tanker car. Authorities
initially estimated the fire would burn itself out within two hours. The blaze
forced the evacuation of the entire central Kentucky town of West Point, as well
as people from nearby Louisville. The evacuation order came after a cutting
torch ignited butadiene vapors October 31 while workers tried to separate two
cars that derailed early October 29. Three workers were taken to the University
of Louisville hospital with severe burns. One was in critical condition and the
other two were in fair condition. A coordinator with the U.S. Environmental
Protection Agency said they were monitoring water in the nearby Salt River as
contaminated water may be flowing into it from the scene. Officials erected a
dam to try to contain the water. Residents within a 1.2-mile radius of the
wreck were evacuated, and those living within a 5-mile radius were ordered to
stay indoors. Three local schools within the areas of the evacuation or
shelter-in-place orders were closed. A Metro Louisville Emergency Management
spokeswoman said the evacuation order would stay in place until the blaze was
extinguished. Source: http://www.washingtonpost.com/national/fire-erupts-at-ky-chemical-train-derailment-site-3-workers-burned-town-evacuated/2012/10/31/4f023604-23b8-11e2-92f8-7f9c4daf276a_story.html
• The security guards at a nuclear weapons
plant who failed to stop protestors from reaching a bomb fuel storage building
earlier in 2012 cheated on their re-certification exam, according to an
internal investigation. – New York Times
10. October 31, New York Times – (Tennessee) Exam said to be leaked to guards at nuclear site.
The security guards at a nuclear weapons plant who failed to stop
protestors from reaching a bomb fuel storage building earlier in 2012 cheated
on their re-certification exam, according to an internal investigation by the
Department of Energy, which owns the weapons plant. The exam, with answers, was
circulated to guards at the Y-12 complex, near Oak Ridge, Tennessee, before
they sat down to take it, according to the report released October 31 by the
department’s inspector general. The report said the cheating was enabled by the
department itself; it was routine practice for the department to involve
contractor personnel in preparation of such exams, because the federal
government did not know enough about the security arrangements to write the
exam without the help of the contractor. A federal security official sent the
exam by encrypted email to “trusted agents” at the management contractor,
B&W, but did not instruct those executives to keep it secret from the
people who would have to take it, according to the report. The government found
out about the cheating only because an inspector visiting the plant noticed a
copy of an exam on the seat
of a patrol vehicle the day before guards were to take it. The security
contractor was Wackenhut, but its contract was terminated after a security
breach July 28, when the protestors breached the facility’s perimeter security.
A subsequent investigation found that many security cameras were disabled long
before the break-in. B&W is still the management contractor at the site.
Source: http://www.nytimes.com/2012/11/01/us/guards-at-breached-nuclear-site-in-tennessee-cheated-on-exam-report-says.html?_r=0
• New York City’s Bellevue Hospital began
evacuating hundreds of patients October 31 after fuel pumps swamped by water
from superstorm Sandy failed, putting backup generators in peril. – New York
Daily News
26. October 31, New York Daily News – (New York) Bellevue Hospital evacuating
patients after power outage. New York City’s Bellevue Hospital began
evacuating hundreds of patients October 31 after fuel pumps swamped by 17
million gallons of water from superstorm Sandy failed, putting backup
generators in peril. There were 720 patients in the hospital when the flooding
began. When the main power went out, the hospital switched to generators, which
are kept on the 13th floor to avoid getting flooded. But the pumps that supply
fuel to the generators are in the basement, which was still under 2.5 feet of
water 2 days after Sandy roared in. Officials said that it would take 24
hours to fully assess the damage and to determine exactly why the pumps failed.
The hospital turned to the military to get the generators fueled: “National
Guardsmen manned a five-gallon bucket brigade up 14 floors,” officials said.
Hundreds of National Guard troops also helped with the massive evacuation. By
October 31, the sickest patients had been moved to other hospitals around the
city, and the remaining 300 were transferred November 1. The Greater New York
Hospital Association worked with city and State agencies to coordinate the
transfers. The State allowed hospitals that were full or nearly full to be at
“surge capacity” and accept more patients. Since the storm, some 20 other
health-care facilities were evacuated including 17 nursing homes in low-lying
coastal areas, New York University Downtown Hospital, the Manhattan Veterans
Affairs Hospital, and Coney Island Hospital. Source: http://www.nydailynews.com/life-style/health/bellevue-evacuating-hundreds-patients-power-outage-article-1.1195105
Details
Banking and Finance Sector
11. November 1, AL.com – (National) IRS warns of sophisticated phishing scheme using
fake IRS website. A sophisticated phishing scheme that uses an
official-looking but fake Internal Revenue Service (IRS) Web site has been
netting victims, the IRS said November 1. The scam uses a Web site that mimics
the IRS e-Services registration page to collect personal information. The
official page provides products for tax preparers, not the general public. “The
phony Web page looks almost identical to the real one,” the IRS said in a
prepared statement. “Criminals use these sites to lure people into providing
personal and financial information that may be used to steal the victim’s money
or identity.” Source: http://blog.al.com/businessnews/2012/11/irs_warns_of_sophisticated_phi.html
12. October 31, KABC 7 Los Angeles – (California) Alleged ‘Wigout Bandit’
arrested after 3 robberies in Ventura. Authorities said a man suspected of
being the so-called “Wigout Bandit” was arrested October 30 in connection with a
string of robberies in Ventura, California. The man was arrested by Santa Barbara
police on outstanding warrants for bank robbery and new charges of drug
possession. He is suspected of robbing three Ventura banks in August and
September. Source: http://abclocal.go.com/kabc/story?section=news/local/ventura_county&id=8868289
13. October 31, Associated Press – (National) Nev. family court judge accused of investment
scam. Prosecutors filed federal charges against a Clark County, Nevada
family court judge and five other people, alleging a $3 million, decade-long
investment fraud scheme that authorities said the judge worked on from his
courthouse chambers, the Associated Press reported October 31. An indictment
accuses the elected district judge and the others in three States of scamming
investors by telling them one of the defendants had connections in the federal
government and could use their money to secure valuable water and land rights.
It claims the defendants solicited people by mail, phone, and the Internet, and
persuaded them to loan them money by telling them a defendant had privileged
access within the federal government that would yield high returns. The
defendants never paid back their investors, but instead used the money to pay
for personal expenses and gambling debts, according to the indictment. When
investors became suspicious about the investments, the defendants referred them
to the judge, prosecutors said. The judge used his office to vouch for the
scheme even though he knew it was a fraud, according to the charges, and he met
with investors in his chambers. Prosecutors claim the judge also intervened on
the defendant’s behalf to delay or prevent legal action against him. The
charges against the group include two counts of conspiracy, six counts of wire
fraud, one count of securities fraud, nine counts of money laundering, and two
counts of engaging in money transactions in criminally derived property.
Source: http://www.sfgate.com/news/science/article/Nev-family-court-judge-accused-of-investment-scam-3997342.php
14. October 31, Reuters – (California; International) U.S. power market regulator seeks
$470 million from Barclays. U.S. federal energy regulators threatened to
fine U.K. bank Barclays roughly $470 million to settle allegations that the
bank and four traders manipulated California energy markets from November 2006
to December 2008, Reuters reported October 31. In a potentially record penalty
that could eclipse fines over rigging the inter-bank lending rate known as
Libor, the U.S. Federal Energy Regulatory Commission (FERC) said Barclays has
30 days to show why it should not be penalized for an alleged scheme of
manipulating physical electricity markets in order to benefit from related
positions in the swaps market. Barclays reiterated that it “strongly disagreed”
with the findings and was ready to fight the order. The FERC order suggests the
agency was unable to reach a settlement with Barclays through negotiations,
indicating the issue is likely to head toward an administrative court, said an
expert in energy trade regulation. Source: http://www.reuters.com/article/2012/10/31/us-barclays-ferc-idUSBRE89U1QV20121031
Information Technology Sector
37. November 1, The Register – (International) Windows 8 ‘penetrated’ says firm which sells
to world’s spy agencies. French security research firm Vupen claims to have
already developed a reliable Windows 8 exploit, just days after the launch of the
latest edition of Microsoft’s flagship operating system. The company said the
exploit it developed allows it to take over Windows 8 machines running Internet
Explorer (IE) 10. Windows 8 offers improved exploit mitigation technologies
including Data Execution Prevention (DEP), Address Space Layout Randomization
(ASLR), while IE10 bundles improved sandboxing. Defeating these extra protections
is no easy task, but that does not necessarily mean that exploits and malware from
mainstream hackers will not flood cyberspace anytime soon. Vupen previously
promised to develop Windows 8 exploits at the same time as the launch of the
operating system. In a carefully worded answer that failed to rule out the use of
the exploit as an offensive tool, the firm’s chief executive told Forbes that
details of the Windows 8 attack would be supplied to its customers. “The in-depth
technical details of the flaws will be shared with our customers and they can
use them to protect their critical infrastructures against potential attacks or
for national security purposes,” he said. Source: http://www.theregister.co.uk/2012/11/01/win8_exploited_already/
38. November 1, Softpedia – (International) Cybercriminals continue to improve
Skype-spreading malware. At the beginning of October, cybercriminals
started spreading malware via Skype by using messages such as “lol is this your
new profile pic” to trick users into clicking on malicious links. According to
security firms, millions of users might have infected their computers after
clicking on the suspicious links. Although the infection rates have dropped
since, security researchers say the individuals responsible for developing and
maintaining the threats known as W32.IRCBot.NG and W32.Phopifas have not given
up on their project. The infection routine remains unchanged, but the
developers added new hosts from which the pieces of malware can be downloaded,
Symantec experts explain. Furthermore, W32.IRCBot.NG is capable of stealing
passwords for file-hosting sites, and several new languages have been added to
ensure that the malware can target a wider range of users. Some malicious
modules have been placed on virtual server services and one of the URLs is even
being listed in the Top 100 downloads section of a ranking Web site. Source: http://news.softpedia.com/news/Cybercriminals-Continue-to-Improve-Skype-Spreading-Malware-303654.shtml
39. November 1, The Register – (International) Free Android apps often secretly make calls,
use the camera. Freebie mobile applications come with a higher privacy and
security risk, according to an 18-month long study by Juniper Networks. The
networking company ran an audit of 1.7 million applications on the Android
market and discovered that free applications are 5 times more likely to track
user location and 314 percent more likely to access user address books than
paid counterparts. Around 1 in 4 (24.1 percent) free apps require permission to
track location, while only 6 percent of paid apps request this ability.
Approximately 6.7 percent of freebie Android apps have permission to access
user’s address book, a figure that drops to just 2.1 percent for paid apps. It
is commonly assumed that free apps collect information in order to serve
advertisements from third-party ad networks. While this is true in some cases,
Juniper found that the percentage of apps with the top 5 ad networks (9 percent)
is much less than the total number tracking location (24.1 percent).
Approximately 4.1 percent of apps feature ads from the AirPush network, with a
total of nearly 5 percent of freebie Android apps linked to either the AdMob,
Millennial Media, AdWhirl, or the Leadbolt ad networks. “This leads us to
believe there are several apps collecting information for reasons less apparent
than advertising,” Juniper said. Source: http://www.theregister.co.uk/2012/11/01/android_app_privacy_audit/
40. November 1, Homeland Security News Wire – (International) Ensuring
that software security policies reflect user needs. Researchers from North
Carolina State University and IBM Research developed a new natural language
processing tool that businesses or other customers can use to ensure that
software developers have a clear idea of the security policies to be
incorporated into new software products. Specifically, the research focuses on
access control policies (ACPs), which are the security requirements that
software developers need to keep in mind when developing new software. For
example, an ACP for a university grading program needs to allow professors to
give grades to students, but should not allow students to change the grades.
“These ACPs are important, but are often buried amidst a lengthy list of other
requirements that customers give to developers,” said an associate professor of
computer science at the university and co-author of a paper on the research.
These requirements are written in “natural language,” which is the
conversational language that people use when talking or corresponding via the
written word. A North Carolina State University release reports that incomplete
or inaccurate ACP requirements can appear, for example, if the customer writing
the ACP requirements makes a mistake or does not have enough technical
expertise to accurately describe a program’s security needs. Source: http://www.homelandsecuritynewswire.com/dr20121101-ensuring-that-software-security-policies-reflect-user-needs
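The grading-program ACP the article uses as its illustration, written out as an enforceable policy. This is an added example, not code from the report or from the NCSU/IBM research; the roles, actions, course names and the log-style scenario are assumptions. The point it shows is that the policy is deny-by-default: "students must not change grades" needs no explicit rule, because no rule grants it, and a professor's permission is scoped to the courses they teach.

```python
"""Added example (not from the report or the NCSU/IBM research): a minimal
access control policy (ACP) for the university grading program the article
describes. Roles, actions and courses are assumptions made for this example."""

from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Grade:
    course: str
    student: str
    value: Optional[str] = None


@dataclass(frozen=True)
class User:
    name: str
    role: str                 # assumed roles: "professor" or "student"
    courses: FrozenSet[str]   # courses taught (professor) or taken (student)


# Each ACP rule: (role, action, condition). The condition receives the acting
# user and the grade record and returns True only when the rule applies.
ACP_RULES: List[Tuple[str, str, Callable[[User, Grade], bool]]] = [
    # Professors may assign grades, but only in courses they teach.
    ("professor", "assign_grade", lambda u, g: g.course in u.courses),
    # Professors may read grades in their own courses.
    ("professor", "read_grade", lambda u, g: g.course in u.courses),
    # Students may read only their own grades.
    ("student", "read_grade", lambda u, g: g.student == u.name),
    # No rule grants students "assign_grade": the ACP in the article says
    # students must not change grades, and deny-by-default enforces that.
]


def is_permitted(user: User, action: str, grade: Grade) -> bool:
    """Deny by default: True only if some rule explicitly permits the action."""
    return any(role == user.role and act == action and cond(user, grade)
               for role, act, cond in ACP_RULES)


class GradeBook:
    def __init__(self) -> None:
        self._grades: Dict[Tuple[str, str], str] = {}

    def assign(self, actor: User, course: str, student: str, value: str) -> None:
        if not is_permitted(actor, "assign_grade", Grade(course, student, value)):
            raise PermissionError(f"{actor.name} may not assign grades in {course}")
        self._grades[(course, student)] = value

    def read(self, actor: User, course: str, student: str) -> str:
        if not is_permitted(actor, "read_grade", Grade(course, student)):
            raise PermissionError(f"{actor.name} may not read {student}'s {course} grade")
        return self._grades[(course, student)]


def demo() -> Dict[str, str]:
    """Constructed scenario: one professor, two students. Returns the outcome
    of each attempt ("allowed"/"denied" or the grade read) for checking."""
    prof = User("dr_smith", "professor", frozenset({"CS101"}))
    alice = User("alice", "student", frozenset({"CS101"}))
    bob = User("bob", "student", frozenset({"CS101"}))
    book = GradeBook()
    results: Dict[str, str] = {}
    book.assign(prof, "CS101", "alice", "B+")
    results["prof_assign"] = book.read(prof, "CS101", "alice")
    results["alice_reads_own"] = book.read(alice, "CS101", "alice")
    attempts = {
        "alice_changes_own": lambda: book.assign(alice, "CS101", "alice", "A"),
        "bob_reads_alice": lambda: book.read(bob, "CS101", "alice"),
        "prof_other_course": lambda: book.assign(prof, "MATH200", "bob", "A"),
    }
    for label, attempt in attempts.items():
        try:
            attempt()
            results[label] = "allowed"
        except PermissionError:
            results[label] = "denied"
    results["grade_after_attempts"] = book.read(prof, "CS101", "alice")
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

Keeping the rules as data separate from the `GradeBook` code is what makes such a policy reviewable by the customer who wrote the requirement: the three tuples in `ACP_RULES` can be compared line by line against the natural-language requirement, which is exactly the gap the article's tool is meant to close.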
41. October 31, The H – (International) Vulnerability in Yahoo’s JavaScript framework
YUI 2. Yahoo indicated there is a security vulnerability in its JavaScript
framework YUI version 2. The company does not, though, give a detailed
description of the bug. The issue relates only to projects where the
developers hosted their own version of the YUI 2 SWF files (from version
2.4.0-2.9.0). Those who used Yahoo’s yui.yahooapis.com CDN or another CDN for
YUI 2 or use YUI 3 are not affected by the issue, said Yahoo. The only
information is a connection with “SWF;” this could therefore be something in
connection with the presence of the class SWFStore which supports the
persistence of data using the Flash Player. The affected version of the
framework has, though, been superseded by YUI 3 since 2009; YUI 3 does not
include SWFStore. Source: http://www.h-online.com/security/news/item/Vulnerability-in-Yahoo-s-JavaScript-framework-YUI-2-1741111.html
42. October 31, Threatpost – (International) Cisco patches vulnerabilities in Data Center
and Web Conferencing products. Cisco is warning its customers about a
remote command execution vulnerability in its Cisco Prime Data Center Network
Manager. The product manages Ethernet and storage networks and troubleshoots
for performance issues on Cisco products running NX-OS software. Versions prior
to 6.1.1 are vulnerable to remote exploits on the underlying system that hosts
the application, Cisco said. An attacker could send arbitrary commands via the
JBoss Application Server Remote Method Invocation (RMI) service, which is
exposed to unauthenticated users. Cisco said no exploits are in the wild, but
there is a Metasploit module that would exploit the JBoss configuration in
question. Users are urged to upgrade to release 6.1.1. In the meantime,
allowing only legitimate devices to connect to the RMI registry port (either
TCP 1099 or 9099) will serve as a workaround. Source: http://threatpost.com/en_us/blogs/cisco-patches-vulnerabilities-data-center-and-web-conferencing-products-103112
43. October 31, Network World – (International) Researcher warns that ‘zombie browsers’ are
skyrocketing. Some Web browsers can be tricked into using so-called
malicious extensions that can give hackers the ability to hijack the user’s
session, spy on Web cameras, upload and download files, and in the newer
mobile-device area, hack into Google Android phones. An IT security consultant
at Deloitte Hungary spoke about the topic he calls “zombie browsers” during the
Hacker Halted Conference in Miami the week of October 29. He said up until a
year ago, only 10 of these malicious browser extensions were known to exist,
but 2012 has seen 49 new ones already. “It’s skyrocketing,” the consultant
noted, and he faulted the antivirus vendors for allegedly not addressing the
issue at all. “Even after two years, none of the antivirus vendors detect
these,” he said, saying he’s issuing a plea for them “to try harder on
detecting malicious extensions.” In his talk, he explained how malicious
extensions in Firefox, Chrome, and Safari have been created by attackers that
try to get them added to the user’s browser through Web-based drive-by
downloads or infected attachments. The result might be giving the attacker a
way to steal data or spy on users, he said. Source: http://www.computerworld.com/s/article/9233140/Researcher_warns_that_zombie_browsers_are_skyrocketing
44. October 31, IDG News Service – (International) One year after DigiNotar breach, Fox-IT
details extent of compromise. The 2011 security breach at Dutch certificate
authority (CA) DigiNotar resulted in an extensive compromise and was
facilitated in part by shortcomings in the company’s network segmentation and
firewall configuration, according to Fox-IT, the security company contracted by
the Dutch government to investigate the incident. “The DigiNotar network was
divided into 24 different internal network segments,” Fox-IT said in its final
investigation report, published the week of October 29. “An internal and
external Demilitarized Zone (DMZ) separated most segments of the internal
network from the Internet. The zones were not strictly described or enforced
and the firewall contained many rules that specified exceptions for network
traffic between the various segments.” The DigiNotar security breach occurred
in July 2011 and resulted in a hacker using the company’s CA infrastructure to
issue hundreds of rogue digital certificates for high-profile domains. After
the incident became public, browser and operating system developers revoked
their trust in the certificates and the company filed for bankruptcy. The
breach was significant because it raised questions about the security and
trustworthiness of the public key infrastructure in its current form, which led
to various technical proposals that promise to reduce the impact of certificate
authority compromises and prevent the use of rogue digital certificates. There
are currently hundreds of certificate authorities trusted by default in Web
browsers and operating systems, and all of them can issue valid digital
certificates for any domain on the Internet. Source: http://www.computerworld.com/s/article/9233138/One_year_after_DigiNotar_breach_Fox_IT_details_extent_of_compromise
Communications Sector
45. November 1, WLS 890 AM Chicago; ABC News Radio – (National) Why many didn’t
get wireless emergency alerts during Sandy. Notifications alerting the
public about Hurricane Sandy were what the Federal Emergency Management Agency
(FEMA) and the Federal Communications Commission (FCC) call wireless emergency
alerts, or WEAs, WLS 890 AM Chicago reported November 1. They were designed to
alert people via their phones about three types of emergencies — imminent
threats (including extreme or severe weather), AMBER alerts, and presidential
alerts (alerts issued by the president). The alerts were launched in 2011 in
many parts of the country and in May, came to AT&T, Verizon, Sprint, and
other carriers. “We have close to 100 carriers that are providing the service,”
the vice president of regulatory affairs for the CTIA, the wireless industry
trade group, told ABC News. He said that users can disable the imminent and
AMBER alerts, but not the presidential ones. Source: http://www.wlsam.com/Article.asp?id=2564881&spid=
46. November 1, Wall Street Journal – (New York) A look inside Verizon’s
flooded communications hub. Verizon Communications Inc. was scrambling to
repair severe damage to a key switching facility inside its historic
headquarters building in lower Manhattan, New York. Verizon saw severe damage
from flooding, the Wall Street Journal reported November 1. Verizon employees
said the October 29 hurricane surge was so powerful that it breached the
protective plugs that surround cables coming into the building. As a result,
water flooded the critical basement “cable vault” that takes in communications
cables and directs them to switching gear upstairs, which was not damaged. The
building was one of the worst hit of a number of facilities that carriers were
rushing to fix October 31. The Federal Communications Commission said the
number of cell phone tower outages dropped on the second day after the storm
made landfall, with just over a fifth of the sites in storm-affected areas in
the northeast offline. Phone companies supplemented those efforts with
extraordinary measures to bolster service. Wireless carriers AT&T Inc. and
T-Mobile USA said they would switch each other’s customers between their
networks depending on which was in better shape in a particular area. Source: http://online.wsj.com/article/SB10001424052970204707104578091171538491386.html
47. October 31, Ars Technica – (National) Meet the network operators helping to fuel the
spike in big DDoS attacks. A company that helps secure Web sites has
compiled a list of some of the Internet’s biggest network nuisances—operators
that run open servers that can be abused to significantly aggravate the
crippling effects of distributed denial-of-service attacks on innocent
bystanders, Ars Technica reported October 31. One technique that is playing a
key role in many recent attacks is not new at all. Known as DNS amplification,
it relies on open domain name system servers to multiply the amount of junk
data attackers can direct at a targeted Web site. By sending a modest-sized
domain name query to an open DNS server and instructing it to send the result
to an unfortunate target, attackers can direct a torrent of data at the victim
site that is 50 times bigger than the original request. Source: http://arstechnica.com/security/2012/10/meet-the-network-operators-helping-fuel-the-spike-in-big-ddos-attacks/
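The abuse pattern described above has a simple signature from the resolver operator's side: many small queries, all carrying the same (spoofed) source address, each answered with a response many times larger than the question. The following added example, which is not code from the Ars Technica article or from the company it cites, runs that check over constructed resolver log lines. The log format, the IP addresses, the byte counts and the 10x alerting threshold are all assumptions made for the example; real resolver logs differ in layout.

```python
"""Added example (not from the report or the article it summarizes):
detection logic a resolver operator could run over query logs to flag a
client address that is receiving amplified answers. The log format and the
sample lines below are constructed for this example."""

from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed log lines: timestamp, client IP, qtype, qname, request bytes,
# response bytes. In this scenario 198.51.100.7 is the spoofed address of the
# victim that the answers are really being sent to; 203.0.113.5 is an
# ordinary client doing normal lookups.
SAMPLE_LOG = """\
1351670400 198.51.100.7 ANY isc.org 45 3200
1351670400 198.51.100.7 ANY isc.org 45 3200
1351670401 198.51.100.7 ANY ripe.net 46 3100
1351670401 203.0.113.5 A www.example.com 50 120
1351670401 198.51.100.7 ANY isc.org 45 3200
1351670402 198.51.100.7 ANY isc.org 45 3200
1351670402 203.0.113.5 AAAA www.example.com 50 140
1351670402 198.51.100.7 ANY ripe.net 46 3100
"""

Record = Tuple[str, str, str, int, int]  # client, qtype, qname, req, resp


def parse_log(text: str) -> List[Record]:
    """Parse one record per line; skip lines that are malformed."""
    records: List[Record] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        _ts, client, qtype, qname, req, resp = parts
        try:
            records.append((client, qtype, qname, int(req), int(resp)))
        except ValueError:
            continue  # non-numeric byte counts
    return records


def amplification_by_client(records: List[Record]) -> Dict[str, Tuple[int, float]]:
    """Per client address: (query count, bytes sent back / bytes received)."""
    bytes_in: Dict[str, int] = defaultdict(int)
    bytes_out: Dict[str, int] = defaultdict(int)
    count: Dict[str, int] = defaultdict(int)
    for client, _qtype, _qname, req, resp in records:
        bytes_in[client] += req
        bytes_out[client] += resp
        count[client] += 1
    return {c: (count[c], bytes_out[c] / bytes_in[c]) for c in count}


def suspected_amplification_targets(records: List[Record],
                                    min_queries: int = 4,
                                    min_ratio: float = 10.0) -> List[str]:
    """Addresses that both sent at least min_queries and received at least
    min_ratio times the bytes they sent. The article's 50x figure is the
    upper end; 10x is an assumed alerting threshold for this example."""
    stats = amplification_by_client(records)
    return sorted(c for c, (n, ratio) in stats.items()
                  if n >= min_queries and ratio >= min_ratio)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, (n, ratio) in amplification_by_client(recs).items():
        print(f"{client}: {n} queries, amplification x{ratio:.1f}")
    print("suspected spoofed victims:", suspected_amplification_targets(recs))
```

An address that trips this check is the victim, not the attacker, since the source field is spoofed; the operator's response is to rate-limit or refuse answers to it and, more importantly, to stop answering recursive queries from arbitrary Internet addresses in the first place, which is what removes the server from the list of "open" resolvers the article describes.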
Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information
About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport
Contact Information
Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314
Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.
Contact DHS
To report physical infrastructure incidents or to request information, please contact the National Infrastructure
To report cyber infrastructure incidents or to request information, please contact US-CERT at soc@us-cert.gov or visit their Web page at www.us-cert.gov.
Department of Homeland Security Disclaimer
The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.