Wednesday, November 7, 2012

Daily Report

Top Stories

• The Port Authority Transit Hub (PATH) train resumed limited service November 6 under the Hudson River from Jersey City to Midtown Manhattan, the Port Authority of New York and New Jersey announced. A fleet of 350 buses was also expected to begin arriving in New Jersey November 5 to help ease the commute. – Wall Street Journal

8. November 5, Wall Street Journal – (New Jersey; New York) PATH service to return as NJ Transit gets bus aid. The Port Authority Transit Hub (PATH) train resumed limited service November 6 under the Hudson River from Jersey City to Midtown Manhattan, the Port Authority of New York and New Jersey announced. All service was halted on the cross-river rapid-transit service ahead of Hurricane Sandy. The storm surge inundated stations and filled tunnels with what the New York governor estimated was 5 miles of water, knocking out all train service for the week after the storm. PATH trains operated on a limited schedule between Journal Square in Jersey City, New Jersey, and 33rd Street in Manhattan, New York. Service remained suspended on the PATH lines that connect Newark Penn Station and Hoboken through Jersey City to the World Trade Center and Lower Manhattan. Separately, a fleet of 350 buses owned by the U.S. Department of Transportation was expected to begin arriving in New Jersey November 5 to help ease the crippled commute after Sandy heavily damaged NJ Transit. Operational rail lines experienced heavy crowds during the morning commute November 5, with NJ Transit suspending the North Jersey Coast Line because of overcrowding at the Woodbridge station.

• The total raw sewage discharge from a break in Virginia approached 15 million gallons November 5, and repairs will take about a month. A spokesperson said samples show record highs in the amount of E. coli bacteria. – Suffolk News-Herald

17. November 5, Suffolk News-Herald – (Virginia) Sewage release ‘catastrophic’. The total raw sewage discharge from a break near Wilroy Road and Shingle Creek in Virginia approached 15 million gallons November 5 as crews scrambled to bypass the damaged portion of concrete pipe. The discharge continued at a rate of about 1,000 gallons per minute, which was needed to reduce the pressure at the point of repair, according to a Hampton Roads Sanitation District spokeswoman. A contractor working at the site hopes to install a bypass of the pipe November 9 and stop the discharge. Complete repairs will take about a month. The chairman of the Nansemond River Preservation Alliance’s water quality committee said samples taken after the leak began to show record highs in the amount of E. coli bacteria, nearly 10 times higher than the previous recorded highs in that location from 1985. Source:

• About 25 children were hospitalized after a carbon monoxide leak at a Chicago elementary school, Fire Media Affairs reported November 5. – Chicago Sun-Times

22. November 5, Chicago Sun-Times – (Illinois) Carbon monoxide leak sends 25 students to hospitals. About 25 children were hospitalized in good condition after a carbon monoxide leak at a Chicago elementary school November 5. The children suffered from nausea, vomiting, and headaches. Initially, 14 children were hospitalized. A Level 1 HAZMAT was called for the leak at Harold Washington Elementary School, according to Fire Media Affairs. Firefighters ventilated the third floor of the building with fans and evaluated the students before sending them to hospitals. The leak may have been due to a faulty boiler. Source:

• As of November 4, more than 182,000 individuals in Connecticut, New York, and New Jersey registered for assistance, and the Federal Emergency Management Agency (FEMA) approved more than $158 million for individuals to assist with housing and other disaster related needs. –

43. November 5, – (National) 182,000 file for assistance with FEMA from NY, NJ, CT; $158 million approved. As of November 4, more than 182,000 individuals in Connecticut, New York, and New Jersey registered for assistance, and the Federal Emergency Management Agency (FEMA) approved more than $158 million for individuals to assist with housing and other disaster-related needs. Disaster Recovery Centers opened in the hardest hit areas. The U.S. Small Business Administration began opening Business Recovery Centers in impacted areas of New Jersey and New York. These Centers provide one-on-one help to business owners seeking disaster assistance for losses caused by Hurricane Sandy. Businesses and nonprofit organizations may be eligible to borrow up to $2 million to repair or replace damaged or destroyed real estate, machinery and equipment, inventory, and other business assets. To date, the President declared that major disasters exist in Connecticut, New York, and New Jersey, and emergency declarations were made in 11 States and the District of Columbia. Federal and State personnel are on the ground to conduct joint preliminary damage assessments in several States. These assessments are designed to give the governor of each State a better picture of damages, and to determine if a request for further federal support is needed. Source:


Banking and Finance Sector

6. November 6, Pittsburgh Tribune-Review – (Pennsylvania) Latrobe bank loses $182K in check scheme. Commercial National Financial Corp.’s earnings in the third quarter were hurt by one-time items, including a counterfeit foreign check scheme by "local parties" that cost the Latrobe, Pennsylvania bank $182,000, the Pittsburgh Tribune-Review reported November 6. The parent of Commercial Bank & Trust of Pennsylvania said in its earnings statement that "a series of counterfeit non-U.S./foreign check deposits was recorded" in the July-September quarter. The bank paid an additional $5,000 in legal fees related to the fraud. "Full recovery on this wire fraud recognition and all associated legal costs is being aggressively pursued by corporate legal counsel against the local parties responsible for this incident," the bank's CEO said in the statement. Source:

7. November 6, Associated Press – (Ohio) Ohio man pleads guilty in credit union scheme. A developer pleaded guilty in Akron, Ohio, to bank fraud and other charges and will forfeit nearly $17 million for his part in a fraud scheme that led to the 2010 collapse of a northeast Ohio credit union, the Associated Press reported November 6. Federal officials said the man pleaded guilty November 5 to conspiracy to commit bank fraud and bank bribery, money laundering, bank fraud, bribery, and making false statements of financial institutions. Authorities said the man conspired to submit false loan documents to St. Paul Croatian Federal Credit Union in Eastlake and to pay bribes and kickbacks to get loans for companies he controlled. Authorities said the crimes occurred from December 2003 through March 2010. Source:
For another story, see item 28 below in the Information Technology Sector

Information Technology Sector

27. November 6, Ars Technica – (New Jersey) E-voting chaos: NJ voters sent to official’s personal Hotmail address. Security experts warned that New Jersey's plan for email-based voting was a recipe for problems, and anecdotal evidence became apparent November 6 that the system did not work as well as organizers hoped. The problems were first spotted by Buzzfeed, which noted that a number of voters have tweeted about having their emails to county voting officials bounce. Essex County is in the suburbs of New York and has nearly 800,000 residents. As one of the largest counties in the State, it struggled to keep up with the demand for email ballots. Aware of the problems with the official email system, the Essex County clerk suggested that displaced voters could email a request for a ballot to his personal email address, according to a post on the Facebook page of the town of West Orange. However, a security researcher noted that the clerk's Hotmail address has his mother's maiden name as a "password recovery" question. This means that anyone who can figure out the clerk's mother's maiden name could seize control of his Hotmail account and intercept voters' official ballot requests. Morris County also experienced problems November 6. The county's election Web site instructs voters to send ballot requests to a government address. However, when users sent email to that address, they received a delivery failure notification from the County's mail server in reply. Source:

28. November 6, Krebs on Security – (Missouri) Cyberheists ‘a helluva wake-up call’ to small biz. A $180,000 robbery took the building security and maintenance system installer Primary Systems Inc. by complete surprise. More than two dozen people helped to steal funds from the company’s coffers in an overnight heist in May, but none of the perpetrators were ever caught on video. Rather, a single virus-laden email that an employee clicked on let the attackers open a digital backdoor, exposing security weaknesses that persist between many banks and their corporate customers. The St. Louis-based firm first learned that things were not quite right May 30, when the company’s payroll manager logged into her account at the local bank and discovered that an oversized payroll batch for approximately $180,000 had been sent through May 29. The money was pushed out of Primary Systems’ bank accounts in amounts between $5,000 and $9,000 to 26 individuals throughout the United States who had no prior interaction with the firm, and who had been added to the firm’s payroll that very same day. The 26 were "money mules," willing or unwitting participants who are hired through work-at-home job schemes to help cyber thieves move money abroad. Most of the mules hired in this attack were instructed to send the company’s funds to recipients in Ukraine. Source:
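The heist above has a recognizable shape in the payroll data itself: an oversized batch paying many payees who were added the same day and had never been paid before. The following added example (not code from the article, the bank, or Primary Systems) runs that check over a constructed batch; the thresholds and the record layout are assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class PayrollEntry:
    payee_id: str
    amount: float
    payee_added: date     # date the payee record was created
    prior_payments: int   # payments this payee received before this batch

def review_batch(batch_date, entries, typical_total,
                 new_payee_ratio=0.5, spike_factor=1.5):
    """Flag a payroll batch before release.

    Returns (flagged, reasons, new_payees). Two independent signals are
    checked, matching the incident described in the story: a large share
    of payees created on the batch date with no payment history, and a
    batch total far above what this company normally pays out.
    Thresholds are assumptions for illustration.
    """
    new_payees = [e for e in entries
                  if e.payee_added == batch_date and e.prior_payments == 0]
    total = sum(e.amount for e in entries)
    reasons = []
    if entries and len(new_payees) / len(entries) >= new_payee_ratio:
        reasons.append(f"{len(new_payees)} of {len(entries)} payees were added "
                       f"on {batch_date} and have never been paid before")
    if total > spike_factor * typical_total:
        reasons.append(f"batch total {total:,.0f} exceeds {spike_factor}x the "
                       f"typical total of {typical_total:,.0f}")
    return bool(reasons), reasons, new_payees

def sample_batches():
    """Constructed data: a normal batch and one shaped like the May 29 heist."""
    batch_date = date(2012, 5, 29)
    staff = [PayrollEntry(f"EMP-{i:03d}", 4000.0, date(2010, 1, 4), 12)
             for i in range(4)]
    typical_total = sum(e.amount for e in staff)          # 16,000
    # 26 payees created on the batch date, amounts spread between $5,000 and $9,000
    mules = [PayrollEntry(f"NEW-{i:03d}", 5000.0 + 150.0 * i, batch_date, 0)
             for i in range(26)]
    return {
        "normal": (batch_date, staff, typical_total),
        "suspicious": (batch_date, staff + mules, typical_total),
    }

if __name__ == "__main__":
    for name, (when, entries, typical) in sample_batches().items():
        flagged, reasons, new = review_batch(when, entries, typical)
        print(name, "FLAGGED" if flagged else "ok")
        for r in reasons:
            print("  -", r)
```

A bank-side control of this kind would hold the batch for out-of-band confirmation rather than release it on the strength of a single authenticated web session.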

29. November 6, The H – (International) Sophos fixes critical security vulnerability. A security expert revealed critical security vulnerabilities in Sophos antivirus software. This includes the publication of a proof-of-concept for a root exploit for Sophos 8.0.6 for Mac OS X, which utilizes a stack buffer overflow when searching through PDF files. The vulnerability is also likely to affect Linux and Windows versions. The security expert published a full analysis on the security mailing list newsletter. A module for the Metasploit penetration testing software is now also available. According to information from Sophos, the security deficits listed have been fixed since November 5 and the antivirus company is not aware of any of the vulnerabilities having been exploited in the wild. The complete list of bugs identified by the security expert will, it said, be fixed by November 28 at the latest. The security expert's paper on security deficits in Sophos software is particularly critical of the product's approach to address space layout randomization (ASLR). The paper also describes the ability to use PDF file encryption to trigger a stack buffer overflow, allowing an attacker to use a crafted URL or email to execute malicious code on an affected computer. Source:

30. November 6, The H – (International) Android 4.2 warns against malicious apps and premium rate texts. The upcoming Android 4.2 release will introduce new security features which, until now, Google has been quiet about. In an interview with Computerworld, the VP of Android Engineering at Google detailed two new security features in the latest version of the mobile operating system — a reputation service for applications and a system to protect users from being ripped off by expensive premium rate texts. Version 4.2 of Android includes what is essentially cloud-based antivirus software, which warns against known malicious files on request. If the "Verify apps" option is selected, prior to installing an app from a source other than the official Play Store (a process known as "sideloading"), Android will check a signature of the APK installation file with a Google server. Source:

31. November 6, Infosecurity – (International) New Gh0st-related malware discovered. A new type of malware, backdoor.ADDNEW, was recently identified, Infosecurity reported November 5. It is based on the Russian DaRK DDoSer malware and has a link with the Gh0st RAT trojan. Gh0st RAT is the trojan linked to Gh0stNet, a cyber espionage network largely reporting to command and control servers in China. In the past, recruitment to the Gh0stNet has mainly been achieved by targeted emails carrying a malicious attachment that drops a trojan that can download the Gh0st RAT, which then allows its controllers to gain complete real-time control of infected Windows computers. Source:

32. November 6, Softpedia – (International) US voters targeted with malware hidden in fake election documents, YouTube videos. As U.S. citizens prepared to elect their president, cybercriminals have intensified their malicious campaigns in an effort to take advantage of the hype that surrounds the event. Security experts from GFI Labs discovered a myriad of schemes. For example, individuals who might be forced to vote via email or fax because of the damages caused by Hurricane Sandy might come across an executable file which hides a piece of malware. Researchers also discovered files which contain an executable that actually opens an election-related document when it is executed. However, in the background, a malicious element is unleashed. Finally, some YouTube videos were found to advertise links that lead to malicious movie players and download managers. Source:

33. November 6, Help Net Security – (International) Most Android malware are SMS trojans. Android versions 2.3.6, or "Gingerbread," and 4.0.4, or "Ice Cream Sandwich," were the most popular Android targets among cybercriminals during the third quarter of 2012, according to Kaspersky Lab. The rapid growth in the number of new mobile malicious programs for Android continued in the third quarter, prompting the specialists at Kaspersky Lab to identify the platform versions most frequently targeted by cybercriminals. Android 2.3.6 Gingerbread accounted for 28 percent of all blocked attempts to install malware, while the second most commonly attacked version was the new 4.0.4 Ice Cream Sandwich, which accounted for 22 percent of attempts. "Although Gingerbread was released back in September 2011, due to the segmentation of the Android device market it still remains one of the most popular versions, which, in turn, attracts increased interest from cybercriminals," a senior malware analyst at Kaspersky Lab said. "The popularity of the most recent version of the Android OS – Ice Cream Sandwich - among virus writers can be explained by the fact that the devices running the latest versions of the OS are more suitable for online activities. Unfortunately, users actively surfing the web often end up on malicious sites," he added. More than half of all malware detected on users' smartphones turned out to be SMS trojans, that is, malicious programs that steal money from victims' mobile accounts by sending SMS messages to premium rate numbers. Source:

34. November 6, The H – (International) Plone releases fixes for 24 vulnerabilities. After an alert the week of October 29 that Zope and the Plone CMS were vulnerable to 24 security holes that could have led to privilege escalation and code injection, the developers now released a hotfix for Plone that closes them. The hotfix was tested with Plone 4.2, Plone 4.1, Plone 4, Plone 3, Plone 2.5, and Plone 2.1. The list of flaws was extensive: issues include the ability for anonymous users to execute arbitrary Python in the admin interface, crafting of URLs which can log users out, an ability to escape the Python sandbox, cross-site scripting (XSS) issues, permissions bypasses, denial-of-service through unsanitized inputs or by requesting large collections, anonymous manipulation of content item titles, unauthorized downloading of BLOB content, password timing attacks, and more. According to a Plone security team member, some of the vulnerabilities affect only Plone 3 or Plone 4, others are in Zope or other libraries. Although many of the issues are relatively minor, there are some serious issues within the 24 vulnerabilities. The developers did not break down the vulnerabilities publicly by which version or location is affected, but ensured that applying the hotfix to any vulnerable version of Plone removes the risk. Many of the issues were found by the Plone Security Team who were conducting an audit of the code, although some were reported by users. Source:

35. November 6, The H – (International) Users take their time over Java and Flash updates. Of the computers studied by Kaspersky in the third quarter of 2012, 35 percent suffered from a Java vulnerability and 19 percent from a vulnerability in an Adobe product. Comparing Kaspersky's quarterly security reports from 2010-2012 shows that the Oracle and Adobe update agents are not good enough at getting their users to carry out updates. Since 2010, Java and Flash Player have been at the top of the Kaspersky list. Microsoft, in contrast, has gradually dropped out of the top 10, suggesting that its patch routines are working. Kaspersky's top 10 for the third quarter of 2012 is filled by Oracle Java, Adobe Flash Player, Reader, and Shockwave, Apple's QuickTime and iTunes, and Nullsoft's Winamp. Thirty-five percent of the computers studied by Kaspersky were affected by vulnerabilities in Java, with just under 19 percent vulnerable to infection through the Adobe Flash Player. Source:

36. November 5, The H – (International) Avira incompatible with Windows 8 and Windows Server 2012. In a new knowledge base post on its site, security company Avira is now warning customers that its products are currently incompatible with Windows 8 and Windows Server 2012. Upgrading from Windows 7 to Windows 8 with existing Avira products installed will result in a blue error screen. Apparently, the problem will only be fixed by the company in the first quarter of 2013. Avira said "significant changes to the operating system platform" of Windows 8 and Windows Server 2012 are the reason for the incompatibility. On systems already upgraded to the latest version of Windows, Avira software can only be uninstalled manually. In order to do so, systems may need to be booted in safe mode. Source:

37. November 5, Infosecurity – (International) Apple releases update for iOS addressing iPhone, iPad critical flaws. Apple released a new iOS, version 6.0.2, that addresses several vulnerabilities in the system affecting iPhone 3GS and later, the iPod touch fourth generation and later, and the iPad 2 and later devices. The update addresses a vulnerability that allows maliciously crafted or compromised iOS applications to determine addresses in the kernel. An information disclosure issue existed in the handling of APIs related to kernel extensions, Apple said. "Responses containing an OSBundleMachOHeaders key may have included kernel addresses, which may aid in bypassing address space layout randomization protection," the company noted. "This issue was addressed by unsliding the addresses before returning them." Source:

Communications Sector

Nothing to report

Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site:

Contact Information

Content and Suggestions: Send mail to or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List: Send mail to

Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure
Coordinating Center at or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at or visit their Web page at v.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.