Friday, November 2, 2012

Daily Report

Top Stories

 • Officials with Connecticut Light & Power (CL&P) and United Illuminating started to offer estimates to people who lost power as a result of Hurricane Sandy. United Illuminating said it expects to restore power to 95 percent of its customers before midnight November 5. – WFSB 3 Hartford; Associated Press

1. November 1, WFSB 3 Hartford; Associated Press – (Connecticut) CL&P, UI offer power restoration estimates. Officials with Connecticut Light & Power (CL&P) and United Illuminating started to offer estimates to people who have lost power as a result of Hurricane Sandy. United Illuminating said it expects to restore power to 95 percent of its customers before midnight November 5. The State’s second largest utility made the promise November 1, as 110,947 customers were still without power, 3 days after Hurricane Sandy caused massive damage in Connecticut and around the Northeast. CL&P reported 246,417 in the dark as of November 1. The state’s largest utility said it is estimating 98 percent of customers that remain in the dark will have power restored by November 6. At a news conference November 1, the senior vice president for CL&P told reporters he would not be more specific because of the extent of damage caused by Sandy. Total outages in Connecticut fell by more than one-fourth in 24 hours. Source:

 • A chemical fire at the site of a train derailment in Kentucky that forced hundreds of people to evacuate their homes was expected to continue burning all day November 1, far longer than initially predicted. – Associated Press

5. November 1, Associated Press – (Kentucky) Authorities: Blaze at site of Ky. train derailment expected to burn throughout the day. A chemical fire at the site of a train derailment in Kentucky that forced hundreds of people to evacuate their homes was expected to continue burning all day November 1, far longer than initially predicted. Emergency officials said they were given inaccurate information about how much of the flammable chemical, butadiene, remained in an overturned tanker car. Authorities initially estimated the fire would burn itself out within two hours. The blaze forced the evacuation of the entire central Kentucky town of West Point, as well as people from nearby Louisville. The evacuation order came after a cutting torch ignited butadiene vapors October 31 while workers tried to separate two cars that derailed early October 29. Three workers were taken to the University of Louisville hospital with severe burns. One was in critical condition and the other two were in fair condition. A coordinator with the U.S. Environmental Protection Agency said they were monitoring water in the nearby Salt River as contaminated water may be flowing into it from the scene. Officials erected a dam to try to contain the water. Residents within a 1.2-mile radius of the wreck were evacuated, and those living within a 5-mile radius were ordered to stay indoors. Three local schools within the areas of the evacuation or shelter-in-place orders were closed. A Metro Louisville Emergency Management spokeswoman said the evacuation order would stay in place until the blaze was extinguished. Source:

 • The security guards at a nuclear weapons plant who failed to stop protestors from reaching a bomb fuel storage building earlier in 2012 cheated on their re-certification exam, according to an internal investigation. – New York Times

10. October 31, New York Times – (Tennessee) Exam said to be leaked to guards at nuclear site. The security guards at a nuclear weapons plant who failed to stop protestors from reaching a bomb fuel storage building earlier in 2012 cheated on their re-certification exam, according to an internal investigation by the Department of Energy, which owns the weapons plant. The exam, with answers, was circulated to guards at the Y-12 complex, near Oak Ridge, Tennessee, before they sat down to take it, according to the report released October 31 by the department’s inspector general. The report said the cheating was enabled by the department itself; it was routine practice for the department to involve contractor personnel in preparation of such exams, because the federal government did not know enough about the security arrangements to write the exam without the help of the contractor. A federal security official sent the exam by encrypted email to "trusted agents" at the management contractor, B&W, but did not instruct those executives to keep it secret from the people who would have to take it, according to the report. The government found out about the cheating only because an inspector visiting the plant noticed a copy of an exam on the seat of a patrol vehicle the day before guards were to take it. The security contractor was Wackenhut, but its contract was terminated after a security breach July 28, when the protestors breached the facility’s perimeter security. A subsequent investigation found that many security cameras were disabled long before the break-in. B&W is still the management contractor at the site. Source:

 • New York City’s Bellevue Hospital began evacuating hundreds of patients October 31 after fuel pumps swamped by water from superstorm Sandy failed, putting backup generators in peril. – New York Daily News

26. October 31, New York Daily News – (New York) Bellevue Hospital evacuating patients after power outage. New York City’s Bellevue Hospital began evacuating hundreds of patients October 31 after fuel pumps swamped by 17 million gallons of water from superstorm Sandy failed, putting backup generators in peril. There were 720 patients in the hospital when the flooding began. When the main power went out, the hospital switched to generators, which are kept on the 13th floor to avoid getting flooded. But the pumps that supply fuel to the generators are in the basement, which was still under 2.5 feet of water 2 days after Sandy roared in. Officials said that it would take 24 hours to fully assess the damage and to determine exactly why the pumps failed. The hospital turned to the military to get the generators fueled: "National Guardsmen manned a five-gallon bucket brigade up 14 floors," officials said. Hundreds of National Guard troops also helped with the massive evacuation. By October 31, the sickest patients had been moved to other hospitals around the city, and the remaining 300 were transferred November 1. The Greater New York Hospital Association worked with city and State agencies to coordinate the transfers. The State allowed hospitals that were full or nearly full to be at "surge capacity" and accept more patients. Since the storm, some 20 other health-care facilities were evacuated, including 17 nursing homes in low-lying coastal areas, New York University Downtown Hospital, the Manhattan Veterans Affairs Hospital, and Coney Island Hospital. Source:


Banking and Finance Sector

11. November 1, – (National) IRS warns of sophisticated phishing scheme using fake IRS website. A sophisticated phishing scheme that uses an official-looking but fake Internal Revenue Service (IRS) Web site has been netting victims, the IRS said November 1. The scam uses a Web site that mimics the IRS e-Services registration page to collect personal information. The official page provides products for tax preparers, not the general public. "The phony Web page looks almost identical to the real one," the IRS said in a prepared statement. "Criminals use these sites to lure people into providing personal and financial information that may be used to steal the victim’s money or identity." Source:

12. October 31, KABC 7 Los Angeles – (California) Alleged ‘Wigout Bandit’ arrested after 3 robberies in Ventura. Authorities said a man suspected of being the so-called "Wigout Bandit" was arrested October 30 in connection with a string of robberies in Ventura, California. The man was arrested by Santa Barbara police on his outstanding warrants for bank robbery and new charges of drug possession. He is suspected of robbing three Ventura banks in August and September. Source:

13. October 31, Associated Press – (National) Nev. family court judge accused of investment scam. Prosecutors filed federal charges against a Clark County, Nevada family court judge and five other people, alleging a $3 million, decade-long investment fraud scheme that authorities said the judge worked on from his courthouse chambers, the Associated Press reported October 31. An indictment accuses the elected district judge and the others in three States of scamming investors by telling them one of the defendants had connections in the federal government and could use their money to secure valuable water and land rights. It claims the defendants solicited people by mail, phone, and the Internet, and persuaded them to loan them money by telling them a defendant had privileged access within the federal government that would yield high returns. The defendants never paid back their investors, but instead used the money to pay for personal expenses and gambling debts, according to the indictment. When investors became suspicious about the investments, the defendants referred them to the judge, prosecutors said. The judge used his office to vouch for the scheme even though he knew it was a fraud, according to the charges, and he met with investors in his chambers. Prosecutors claim the judge also intervened on the defendant’s behalf to delay or prevent legal action against him. The charges against the group include two counts of conspiracy, six counts of wire fraud, one count of securities fraud, nine counts of money laundering, and two counts of engaging in money transactions in criminally derived property. Source:

14. October 31, Reuters – (California; International) U.S. power market regulator seeks $470 million from Barclays. U.S. federal energy regulators threatened to fine U.K. bank Barclays roughly $470 million to settle allegations that the bank and four traders manipulated California energy markets from November 2006 to December 2008, Reuters reported October 31. In a potentially record penalty that could eclipse fines over rigging the inter-bank lending rate known as Libor, the U.S. Federal Energy Regulatory Commission (FERC) said Barclays has 30 days to show why it should not be penalized for an alleged scheme of manipulating physical electricity markets in order to benefit from related positions in the swaps market. Barclays reiterated that it "strongly disagreed" with the findings and was ready to fight the order. The FERC order suggests the agency was unable to reach a settlement with Barclays through negotiations, indicating the issue is likely to head toward an administrative court, said an expert in energy trade regulation. Source:

Information Technology Sector

37. November 1, The Register – (International) Windows 8 ‘penetrated’ says firm which sells to world’s spy agencies. French security research firm Vupen claims to have already developed a reliable Windows 8 exploit, just days after the launch of the latest edition of Microsoft’s flagship operating system. The company said the exploit it developed allows it to take over Windows 8 machines running Internet Explorer (IE) 10. Windows 8 offers improved exploit mitigation technologies including Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), while IE10 bundles improved sandboxing. Surpassing these extra features is no easy task, but does not necessarily mean that exploits and malware from mainstream hackers will not flood cyberspace anytime soon. Vupen previously promised to develop Windows 8 exploits at the same time as the launch of the operating system. The firm’s chief executive told Forbes details of the Windows 8 attack would be supplied to its customers, in a carefully worded answer that failed to rule out the use of the exploit as an offensive tool. "The in-depth technical details of the flaws will be shared with our customers and they can use them to protect their critical infrastructures against potential attacks or for national security purposes," he said. Source:

38. November 1, Softpedia – (International) Cybercriminals continue to improve Skype-spreading malware. At the beginning of October, cybercriminals started spreading malware via Skype by using messages such as "lol is this your new profile pic" to trick users into clicking on malicious links. According to security firms, millions of users might have infected their computers after clicking on the suspicious links. Although the infection rates have dropped since, security researchers say the individuals responsible for developing and maintaining the threats known as W32.IRCBot.NG and W32.Phopifas have not given up on their project. The infection routine remains unchanged, but the developers added new hosts from which the pieces of malware can be downloaded, Symantec experts explain. Furthermore, W32.IRCBot.NG is capable of stealing passwords for file-hosting sites, and several new languages have been added to ensure that the malware can target a wider range of users. Some malicious modules have been placed on virtual server services and one of the URLs is even being listed in the Top 100 downloads section of a ranking Web site. Source:

39. November 1, The Register – (International) Free Android apps often secretly make calls, use the camera. Freebie mobile applications come with a higher privacy and security risk, according to an 18-month long study by Juniper Networks. The networking company ran an audit of 1.7 million applications on the Android market and discovered that free applications are 5 times more likely to track user location and 314 percent more likely to access user address books than paid counterparts. Around 1 in 4 (24.1 percent) free apps require permission to track location, while only 6 percent of paid apps request this ability. Approximately 6.7 percent of freebie Android apps have permission to access a user’s address book, a figure that drops to just 2.1 percent for paid apps. It is commonly assumed that free apps collect information in order to serve advertisements from third-party ad networks. While this is true in some cases, Juniper found that the percentage of apps with the top 5 ad networks (9 percent) is much less than the total number tracking location (24.1 percent). Approximately 4.1 percent of apps feature ads from the AirPush network, with a total of nearly 5 percent of freebie Android apps linked to either the AdMob, Millennial Media, AdWhirl, or the Leadbolt ad networks. "This leads us to believe there are several apps collecting information for reasons less apparent than advertising," Juniper said. Source:

40. November 1, Homeland Security News Wire – (International) Ensuring that software security policies reflect user needs. Researchers from North Carolina State University and IBM Research developed a new natural language processing tool that businesses or other customers can use to ensure that software developers have a clear idea of the security policies to be incorporated into new software products. Specifically, the research focuses on access control policies (ACPs), which are the security requirements that software developers need to keep in mind when developing new software. For example, an ACP for a university grading program needs to allow professors to give grades to students, but should not allow students to change the grades. "These ACPs are important, but are often buried amidst a lengthy list of other requirements that customers give to developers," said an associate professor of computer science at the university and co-author of a paper on the research. These requirements are written in "natural language," which is the conversational language that people use when talking or corresponding via the written word. A North Carolina State University release reports that incomplete or inaccurate ACP requirements can appear, for example, if the customer writing the ACP requirements makes a mistake or does not have enough technical expertise to accurately describe a program’s security needs. Source:

41. October 31, The H – (International) Vulnerability in Yahoo’s JavaScript framework YUI 2. Yahoo indicated there is a security vulnerability in its JavaScript framework YUI version 2. The company does not, though, give a detailed description of the bug. For now, the issue relates only to projects where the developers hosted their own version of the YUI 2 SWF files (versions 2.4.0 to 2.9.0). Those who used Yahoo’s CDN or another CDN for YUI 2, or who use YUI 3, are not affected by the issue, said Yahoo. The only information given is a connection with "SWF"; the bug could therefore relate to the SWFStore class, which supports the persistence of data using the Flash Player. The affected version of the framework has, though, been superseded by YUI 3 since 2009; YUI 3 does not include SWFStore. Source:

42. October 31, Threatpost – (International) Cisco patches vulnerabilities in Data Center and Web Conferencing products. Cisco is warning its customers about a remote command execution vulnerability in its Cisco Prime Data Center Network Manager. The product manages Ethernet and storage networks and troubleshoots for performance issues on Cisco products running NX-OS software. Versions prior to 6.1.1 are vulnerable to remote exploits on the underlying system that hosts the application, Cisco said. An attacker could send arbitrary commands via the JBoss Application Server Remote Method Invocation (RMI) service, which is exposed to unauthenticated users. Cisco said no exploits are in the wild, but there is a Metasploit module that would exploit the JBoss configuration in question. Users are urged to upgrade to release 6.1.1. In the meantime, allowing only legitimate devices to connect to the RMI registry port (either TCP 1099 or 9099) will serve as a workaround. Source:

43. October 31, Network World – (International) Researcher warns that ‘zombie browsers’ are skyrocketing. Some Web browsers can be tricked into using so-called malicious extensions that can give hackers the ability to hijack the user’s session, spy on Web cameras, upload and download files, and, in the newer mobile-device area, hack into Google Android phones. An IT security consultant at Deloitte Hungary spoke about the topic he calls "zombie browsers" during the Hacker Halted Conference in Miami the week of October 29. He said up until a year ago, only 10 of these malicious browser extensions were known to exist, but 2012 has seen 49 new ones already. "It’s skyrocketing," the consultant noted, and he faulted the antivirus vendors for allegedly not addressing the issue at all. "Even after two years, none of the antivirus vendors detect these," he said, saying he’s issuing a plea for them "to try harder on detecting malicious extensions." In his talk, he explained how malicious extensions for Firefox, Chrome, and Safari have been created by attackers who try to get them added to the user’s browser through Web-based drive-by downloads or infected attachments. The result might be giving the attacker a way to steal data or spy on users, he said. Source:

44. October 31, IDG News Service – (International) One year after DigiNotar breach, Fox-IT details extent of compromise. The 2011 security breach at Dutch certificate authority (CA) DigiNotar resulted in an extensive compromise and was facilitated in part by shortcomings in the company’s network segmentation and firewall configuration, according to Fox-IT, the security company contracted by the Dutch government to investigate the incident. "The DigiNotar network was divided into 24 different internal network segments," Fox-IT said in its final investigation report, published the week of October 29. "An internal and external Demilitarized Zone (DMZ) separated most segments of the internal network from the Internet. The zones were not strictly described or enforced and the firewall contained many rules that specified exceptions for network traffic between the various segments." The DigiNotar security breach occurred in July 2011 and resulted in a hacker using the company’s CA infrastructure to issue hundreds of rogue digital certificates for high-profile domains. After the incident became public, browser and operating system developers revoked their trust in the certificates and the company filed for bankruptcy. The breach was significant because it raised questions about the security and trustworthiness of the public key infrastructure in its current form, which led to various technical proposals that promise to reduce the impact of certificate authority compromises and prevent the use of rogue digital certificates. There are currently hundreds of certificate authorities trusted by default in Web browsers and operating systems, and all of them can issue valid digital certificates for any domain on the Internet. Source:

Communications Sector

45. November 1, WLS 890 AM Chicago; ABC News Radio – (National) Why many didn’t get wireless emergency alerts during Sandy. Notifications alerting the public about Hurricane Sandy were what the Federal Emergency Management Agency (FEMA) and the Federal Communications Commission (FCC) call wireless emergency alerts, or WEAs, WLS 890 AM Chicago reported November 1. They were designed to alert people via their phones about three types of emergencies — imminent threats (including extreme or severe weather), AMBER alerts, and presidential alerts (alerts issued by the president). The alerts were launched in 2011 in many parts of the country and in May came to AT&T, Verizon, Sprint, and other carriers. "We have close to 100 carriers that are providing the service," the vice president of regulatory affairs for the CTIA, the wireless industry trade group, told ABC News. He said that users can disable the imminent threat and AMBER alerts, but not the presidential ones. Source:

46. November 1, Wall Street Journal – (New York) A look inside Verizon’s flooded communications hub. Verizon Communications Inc. was scrambling to repair severe flood damage to a key switching facility inside its historic headquarters building in lower Manhattan, New York, the Wall Street Journal reported November 1. Verizon employees said the October 29 hurricane surge was so powerful that it breached the protective plugs that surround cables coming into the building. As a result, water flooded the critical basement "cable vault" that takes in communications cables and directs them to switching gear upstairs, which was not damaged. The building was one of the worst hit of a number of facilities that carriers were rushing to fix October 31. The Federal Communications Commission said the number of cell phone tower outages dropped on the second day after the storm made landfall, with just over a fifth of the sites in storm-affected areas in the northeast offline. Phone companies supplemented those efforts with extraordinary measures to bolster service. Wireless carriers AT&T Inc. and T-Mobile USA said they would switch each other’s customers between their networks depending on which was in better shape in a particular area. Source:

47. October 31, Ars Technica – (National) Meet the network operators helping to fuel the spike in big DDoS attacks. A company that helps secure Web sites has compiled a list of some of the Internet’s biggest network nuisances—operators that run open servers that can be abused to significantly aggravate the crippling effects of distributed denial-of-service attacks on innocent bystanders, Ars Technica reported October 31. One technique that is playing a key role in many recent attacks is not new at all. Known as DNS amplification, it relies on open domain name system servers to multiply the amount of junk data attackers can direct at a targeted Web site. By sending a modest-sized domain name query to an open DNS server and instructing it to send the result to an unfortunate target, attackers can direct a torrent of data at the victim site that is 50 times bigger than the original request. Source:
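The amplification mechanism described in item 47 can be quantified from the resolver's side. The following Python is an added example, not code from the report or from Ars Technica: it builds the small UDP query an open resolver receives, computes the response-to-query size ratio, and flags clients outside the resolver's own networks that keep receiving large answers. The served network and client addresses are constructed from the RFC 5737 documentation ranges, and the response sizes are constructed sample values.

```python
"""Added example: measure DNS amplification and spot an open resolver being
abused against outside targets. All sample data below is constructed."""
import ipaddress
import struct
from collections import defaultdict


def build_query(name: str, qtype: int = 255) -> bytes:
    """Minimal DNS query as sent over UDP: 12-byte header + one question.
    qtype 255 (ANY) is the classic amplification request, because the
    answer carries every record stored at the name."""
    # id=0x1234, flags=0x0100 (recursion desired), QDCOUNT=1, other counts 0
    header = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QCLASS 1 = IN


def amplification_factor(query_len: int, response_len: int) -> float:
    """Bytes delivered to the victim per byte the sender had to transmit."""
    return response_len / query_len


def flag_amplification(records, served_nets, min_factor=10.0, min_count=3):
    """records: (client_ip, query_len, response_len) tuples as logged by one
    resolver. Returns {client_ip: mean_factor} for clients that are outside
    the networks the resolver is meant to serve and that received several
    heavily amplified answers. Because the attacker spoofs the victim's
    address as the query source, the 'client' here is the victim."""
    nets = [ipaddress.ip_network(n) for n in served_nets]
    per_client = defaultdict(list)
    for client, qlen, rlen in records:
        addr = ipaddress.ip_address(client)
        if any(addr in n for n in nets):
            continue  # a legitimate client on the networks we serve
        per_client[client].append(amplification_factor(qlen, rlen))
    flagged = {}
    for client, factors in per_client.items():
        mean = sum(factors) / len(factors)
        if len(factors) >= min_count and mean >= min_factor:
            flagged[client] = round(mean, 1)
    return flagged


# Constructed sample: the resolver is meant to serve 192.0.2.0/24 only.
SERVED = ["192.0.2.0/24"]
Q = len(build_query("example.com"))  # 29 bytes for an ANY query on example.com
SAMPLE = [
    ("192.0.2.10", Q, 120),     # internal client, ordinary answer
    ("192.0.2.11", Q, 95),
    ("198.51.100.7", Q, 1450),  # outside address receiving ~50x answers
    ("198.51.100.7", Q, 1450),
    ("198.51.100.7", Q, 1380),
    ("203.0.113.5", Q, 130),    # outside address, one small answer: not flagged
]

if __name__ == "__main__":
    print("query size:", Q, "bytes")
    print("flagged victims:", flag_amplification(SAMPLE, SERVED))
```

The same ratio check applied to outbound responses is a practical way for an operator to notice that a resolver answers the whole Internet rather than just its own users.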

Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site:

Contact Information

Content and Suggestions: Send mail to or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List: Send mail to

Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure Coordinating Center at or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at or visit their Web page at v.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.