Friday, November 9, 2012

Daily Report

Top Stories

• Snow and wind caused more than 100,000 new power outages in the Mid-Atlantic and Northeast and new calls for evacuations, NBC News reported November 8. – NBC News

1. November 8, NBC News – (National) Nor'easter snow layers Sandy destruction; more evacuations, more power outages. Snow fell on damaged homes and debris piles in parts of the New York City area as a nor'easter moved in, causing new power outages and calls for evacuations, NBC News reported November 8. By November 7, the winds caused more than 100,000 new power outages in the Mid-Atlantic and Northeast, the U.S. Department of Energy stated. That brought the total number of outages to 715,000, most of those remaining from Superstorm Sandy, which made landfall in New Jersey October 29. Throughout the New Jersey, New York, and Connecticut tri-State area, people wore coats indoors as they endured yet another night without heat. About 1,200 flights were canceled across the Northeast, while residents of a few areas hit hardest by Superstorm Sandy were urged to evacuate in case of new flooding. Long Island Rail Road service was also suspended because of weather-related signal problems, WNBC 4 New York reported. The snow from the latest Nor'easter was expected to continue through November 9. Source:

• A former worker accused of setting a fire which caused about $450 million in damage to a nuclear-powered submarine at the Portsmouth Naval Shipyard in Kittery, Maine, pleaded guilty November 8 under a plea agreement that could send him to federal prison for nearly 20 years. – Associated Press

7. November 8, Associated Press – (Maine) Man pleads guilty to setting sub Miami fire. A former worker accused of setting a fire at the Portsmouth Naval Shipyard in Kittery, Maine, that caused about $450 million in damage to the nuclear-powered submarine USS Miami pleaded guilty November 8 under a plea agreement that could send him to federal prison for nearly 20 years. The man waived indictment and pleaded guilty to two counts of arson, a U.S. Attorney said. The man pleaded guilty to setting the fire inside the sub May 23, as well as a second fire outside the sub June 16 that caused little damage. The first fire carried a maximum sentence of life in federal prison, but both the defense and prosecutors agreed to recommend a sentence that ranges roughly between 15 and 19 years. The former worker, a painter and sand blaster, told Navy investigators that he set the fires to get out of work because he was suffering from anxiety and having problems with his ex-girlfriend. The man's attorney said he anticipates that sentencing will occur in March 2013. Source:

• A nor'easter could set back repairs to NJ Transit's rail system in New Jersey that is offering limited service in the wake of Sandy, the Associated Press reported November 8. – Associated Press

10. November 9, Associated Press – (New Jersey) Storm could delay rail work on damaged NJ lines. A nor'easter could set back repairs to NJ Transit's rail system in New Jersey, which is offering limited service in the wake of Sandy, the Associated Press reported November 8. An NJ Transit spokesman said November 7 that crews were not allowed to perform some types of work if winds surpass 20 mph. That could affect repairs on wires and towers. NJ Transit resumed partial service November 2. The Northeast Corridor, Main, Port Jervis, and Raritan Valley lines were on modified schedules. The North Jersey Coast Line and the Bergen and Pascack Valley lines were suspended, as were the Montclair-Boonton and Morris & Essex lines. On the Bergen and Pascack Valley lines, a loss of electricity left gates, switches, and signals in need of repair. The worst-hit line was the North Jersey Coast Line, where two bridges suffered extensive damage. The second-worst area was in Kearny, where tracks were washed out and trees and towers that hold overhead wires were toppled onto the Montclair-Boonton and Morris & Essex lines. Service into New York was hampered because one of Amtrak's two tunnels into the city was still inoperable. On November 7, NJ Transit carried 23,275 customers into Manhattan during the morning commute, about half the number that normally would ride in. NJ Transit added more buses to connect commuters with ferry service into Manhattan. About 350 buses were provided by the U.S. Department of Transportation to go along with more than 150 that NJ Transit keeps in reserve to use in emergencies. Source:

• A researcher's team found more than 50 vulnerabilities in Siemens' WinCC SCADA software, which was targeted by the Stuxnet malware. – IDG News Service See item 28 below in the Information Technology Sector


Banking and Finance Sector

8. November 8, Associated Press – (Massachusetts; Rhode Island) Federal grand jury indicts suspect in RI, Mass 'bearded bandit' bank robberies. A man believed to be the bank robber dubbed the "bearded bandit" by law enforcement for a series of heists in Rhode Island and Massachusetts was indicted by a federal grand jury. Rhode Island's U.S. Attorney announced the eight-count indictment November 8. Authorities said the man robbed eight banks in Rhode Island. Police said that he sometimes claimed to have a gun and threatened bank tellers. He is being held in Massachusetts, where he is charged with robbing a Seekonk bank. Source:

9. November 7, Bloomberg News – (New York) DTCC operations ran during Sandy, vault status still unclear. The Depository Trust & Clearing Corporation (DTCC) processed about $19 trillion in securities trades the week of October 29 even as Hurricane Sandy submerged its 40-year-old underground Manhattan vault in New York City, which holds physical stock and bond certificates, Bloomberg News reported November 7. The company switched day-to-day command of its operations to its office in Tampa, Florida, and moved control of the technology that runs its clearing and settlement business and record-keeping to its Dallas data center the weekend before the Atlantic's largest-ever tropical storm, the president and chief executive officer of DTCC said. The DTCC handles trades in U.S. equities and government, municipal, and corporate bonds, and is more important to how markets function than the New York Stock Exchange or Citigroup Inc., according to a professor at Georgetown University's McDonough School of Business. The DTCC's 10,000-square-foot vault, three levels below ground, contains 1.3 million stock and bond certificates and other securities. The entire 55 Wall Street building remains closed. While the certificates may be damaged if water flowed into the vault, they are already recorded electronically in DTCC's systems, the DTCC CEO said. Once the company can assess the status of the certificates, it will figure out what to do about replacing them, he said. DTCC also has images of all bearer stocks and bonds in the vault, he said. Source:

Information Technology Sector

28. November 8, IDG News Service – (International) Siemens software targeted by Stuxnet still full of holes. Software made by Siemens and targeted by the Stuxnet malware is still full of other dangerous vulnerabilities, according to researchers. The CTO of Positive Technologies was scheduled to give a presentation in July at Defcon, but it was pulled after Siemens asked for more time to patch its WinCC software. WinCC is a type of supervisory control and data acquisition (SCADA) system, which is used to manage a variety of industrial processes in factories and energy utilities. This type of software underpins much of what countries deem critical infrastructure. The CTO agreed to suspend his presentation at Defcon, but presented an overview of his WinCC research at the Power of Community security conference November 8. He withheld the specific details of the vulnerabilities since Siemens has not released patches. His team has found more than 50 vulnerabilities in WinCC's latest version, he said in an interview. Most are problems that would allow an attacker to take over a WinCC system remotely. He showed how, when an industrial system operator uses the same browser to access both the open Internet and WinCC's Web interface, a vulnerability can be exploited to obtain login credentials for the back-end SCADA network. Source:

29. November 8, Softpedia – (International) US-CERT warns of flaws in Symantec products caused by legacy decomposer. The U.S. Computer Emergency Readiness Team (US-CERT) issued an alert regarding a vulnerability in certain Symantec antivirus products, which can be leveraged by a remote attacker to execute arbitrary code with administrative privileges. The issue stems from the fact that some Symantec products fail to properly handle malformed CAB files, resulting in memory corruption. The affected products are Symantec Endpoint Protection 11.0 and Symantec Endpoint Protection Small Business Edition 12.0. These products are impacted because they rely on a legacy decomposer that fails to perform proper bounds checks on some specifically formatted files when parsing content to be scanned from the CAB archive. "Successful targeting of this nature would necessarily require the attacker to be able to get their maliciously formatted archive past established email security policies to be processed on a system. This may lessen the success of any potential attempts of this nature though it does not reduce the severity if successfully executed," Symantec wrote in its report. The company confirmed that the legacy versions of the decomposer engines can cause crashes when handling malformed CAB files, but it has not been able to verify remote code execution. Source:

30. November 8, The H – (International) QuickTime for Windows updated to close security holes. Apple released version 7.7.3 of QuickTime for Windows, closing several security holes in its media player application. According to the company, the latest update addresses a total of nine vulnerabilities, all of which could be exploited by an attacker to crash the application or execute arbitrary code on a victim's system. These include a memory corruption issue and a buffer overflow when handling PICT files, multiple use-after-free and boundary errors, and problems when processing TeXML files that can be taken advantage of to cause a buffer overflow. For an attack to be successful, a user must first open a malicious Web site or a specially crafted file. Updating to version 7.7.3 of QuickTime addresses these issues. Source:

31. November 8, ZDNet – (International) How hackers scrape RAM to circumvent encryption. Speaking at Verizon's media day forum November 7, the company's business investigative response managing principal said the various encryption standards in use today do a good job of protecting data at rest, such as data stored on a server, and data in transit across a network. However, in many cases, data is left completely vulnerable during the processing stage. This has opened up servers to attack by a technique the principal calls "RAM scraping," which examines the memory of the running Web server and extracts data while it is in its processed, unencrypted state. He demonstrated the attack using a fictitious e-commerce site that never stores credit card information, a practice many retailers follow when they take payment details and pass them on to a third-party payment processor. However, the Web server must handle the information during processing, and it is there that it appears in the memory of the server in its unencrypted form, which allowed the principal to retrieve it. Source:
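The scraping step described in item 31 is mechanically simple: sweep a memory image for card-number-shaped runs of digits and keep the ones that pass the Luhn check, so the same logic is used by payment-card malware and, defensively, by teams who dump a checkout process after a test transaction to confirm the card number is no longer resident. The following Python is an added illustration of that logic; it is not code from Verizon, the ZDNet article, or any product, and the memory buffer it scans is constructed inline (it is not a real process dump). Real Web-server memory also commonly holds strings in UTF-16LE (Windows string objects, .NET, Java), so the scanner handles both encodings.

```python
import re
from typing import List, Tuple

# Constructed sample of what a checkout handler's process memory might hold
# (NOT a real dump): the card number from an HTTP request body in ASCII, a
# UTF-16LE copy such as a managed-runtime string would leave behind, and a
# 16-digit order reference that is not a card number (fails Luhn).
SAMPLE_MEMORY = (
    b"POST /checkout HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"pan=4111111111111111&exp=1214&cvv=123&amount=4999\x00\x00"
    b"order-7781 ref 1234567890123456 (not a card)\x00"
    + "card=5500000000000004".encode("utf-16-le")
)

# Card numbers (PANs) are 13 to 19 digits; the look-arounds stop a longer
# digit run from being split into a fake "card" in the middle.
ASCII_PAN = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")
# Same shape in UTF-16LE: every ASCII digit is followed by a NUL byte.
UTF16_PAN = re.compile(rb"(?<!\d\x00)((?:\d\x00){13,19})(?!\d\x00)")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_memory(buf: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, pan) for every Luhn-valid, card-shaped digit
    run in buf, found in either ASCII or UTF-16LE encoding, sorted by offset."""
    hits: List[Tuple[int, str, str]] = []
    for m in ASCII_PAN.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            hits.append((m.start(1), "ascii", pan))
    for m in UTF16_PAN.finditer(buf):
        pan = m.group(1).decode("utf-16-le")
        if luhn_ok(pan):
            hits.append((m.start(1), "utf-16le", pan))
    return sorted(hits)


def masked(pan: str) -> str:
    """Display form that is safe to put in a report: first 6 and last 4 only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for offset, encoding, pan in scan_memory(SAMPLE_MEMORY):
        print(f"offset {offset:5d}  {encoding:8s}  {masked(pan)}")
```

Used defensively, the scan is run over a dump of the checkout process (for example a core file or a debugger memory read) taken after a transaction with a known test card number has completed; a hit for that number means plaintext card data outlives the request and will be available to exactly the kind of scraper the talk described. The decoy shows why the Luhn filter matters: without it, every order number, timestamp, or hash fragment of the right length would be reported.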

32. November 8, – (International) Cisco patch plugs password security flaws. Cisco issued a patch to address a security flaw that could allow an attacker to bypass password protections in its Access Control System (ACS) platform. The company said the update revises the ACS platform's handling of the TACACS+ authentication protocol. Cisco said the flaw could allow an attacker to use a specific set of characters in combination with a valid account name to cause a crash that lets the attacker bypass the authentication process and access the target system. The company noted that while an attacker would need a valid user name, the technique could be used against any system with the vulnerable component. Cisco is making the patch available as a free update. Both the company and third-party security researchers are advising administrators to install the fix as soon as possible. Source:

33. November 8, The H – (International) Best practices for the DKIM vulnerability. The Messaging, Malware, and Mobile Anti-Abuse Working Group published seven recommended best practices for addressing a vulnerability in DomainKeys Identified Mail (DKIM) digital signatures for emails. With DKIM, companies and organizations can include a digital signature to confirm that an email actually comes from their domain. In late October, however, a mathematician found that a number of major Web sites were using keys that were too short for these signatures, making it easy to imitate addresses from Google, PayPal, Yahoo, Amazon, eBay, and many others. One recommendation is to use a key length of at least 1024 bits, since a 512-bit key can be cracked in just 72 hours using online cloud services. Recommendations also include rotating DKIM keys every quarter and assigning expiration periods that are longer than the rotation period. Old keys should be revoked in the Domain Name System as needed. Source:
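The key-length recommendation in item 33 is easy to audit: a DKIM selector's public key is published as a DNS TXT record whose p= tag is a base64 SubjectPublicKeyInfo, so the modulus size can be read straight out of the record. The following Python is an added example, not code from the working group or The H; it parses the DER structure by hand (no third-party library) and flags anything under 1024 bits. The sample records it checks are constructed inline with synthetic moduli of the right bit lengths; they are not real keys, and the example.com selector names are placeholders.

```python
import base64
import re
from typing import Dict, Optional

MIN_BITS = 1024  # the working group's floor; 512-bit keys are crackable in days


# --- minimal DER helpers, used only to construct the sample records ----------
def _der_len(n: int) -> bytes:
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(payload)) + payload


def _der_int(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:            # keep the INTEGER positive
        raw = b"\x00" + raw
    return _der(0x02, raw)


# AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1) with NULL params
RSA_ALGID = bytes.fromhex("300d06092a864886f70d0101010500")


def build_dkim_record(modulus: int, exponent: int = 65537) -> str:
    """Build a DKIM TXT record from a modulus. Used here only to construct
    sample data: the moduli passed in are synthetic, not real RSA keys."""
    rsa_pub = _der(0x30, _der_int(modulus) + _der_int(exponent))
    spki = _der(0x30, RSA_ALGID + _der(0x03, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode("ascii")


# --- the audit itself --------------------------------------------------------
def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:            # long-form length (needed above 127 bytes)
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def dkim_key_bits(txt_record: str) -> Optional[int]:
    """Return the RSA modulus size in bits for a DKIM TXT record, or None when
    the selector is revoked (empty p=) or the key is not RSA."""
    tags = {k: v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^;]*)", txt_record)}
    p = "".join(tags.get("p", "").split())   # TXT records may be split with spaces
    if not p:
        return None                           # empty p= revokes the selector
    if tags.get("k", "rsa") != "rsa":
        return None
    spki = base64.b64decode(p)
    _, body, _ = _read_tlv(spki, 0)           # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _read_tlv(body, 0)            # AlgorithmIdentifier (skipped)
    _, bitstr, _ = _read_tlv(body, pos)       # BIT STRING holding RSAPublicKey
    _, rsa_pub, _ = _read_tlv(bitstr[1:], 0)  # skip unused-bits byte
    _, modulus, _ = _read_tlv(rsa_pub, 0)     # INTEGER modulus
    return int.from_bytes(modulus, "big").bit_length()


def weak_dkim_key(txt_record: str) -> bool:
    bits = dkim_key_bits(txt_record)
    return bits is not None and bits < MIN_BITS


# Constructed sample records (synthetic moduli, placeholder selector names).
SAMPLE_RECORDS: Dict[str, str] = {
    "s2012q1._domainkey.example.com": build_dkim_record((1 << 511) | 1),
    "s2012q3._domainkey.example.com": build_dkim_record((1 << 1023) | 1),
    "s2012q4._domainkey.example.com": build_dkim_record((1 << 2047) | 1),
    "s2011q4._domainkey.example.com": "v=DKIM1; k=rsa; p=",   # revoked
}

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        bits = dkim_key_bits(record)
        status = "revoked" if bits is None else f"{bits} bits" + (" WEAK" if weak_dkim_key(record) else "")
        print(f"{name}: {status}")
```

To audit a live domain, fetch the TXT record for <selector>._domainkey.<domain> (the selector is the s= tag in a received DKIM-Signature header) and pass the record text to dkim_key_bits. The quarterly rotation the working group recommends is visible in this scheme as a sequence of dated selectors, with the oldest ones published as empty p= records once mail signed by them has aged out.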

34. November 7, Krebs on Security – (International) Experts warn of zero-day exploit for Adobe Reader. Software vendor Adobe said it is investigating claims that instructions for exploiting a previously unknown critical security hole in the latest versions of its widely-used PDF Reader software are being sold in the cybercriminal underground. The finding comes from malware analysts at Moscow-based forensics firm Group-IB, who said they discovered that a new exploit capable of compromising the security of computers running Adobe Reader 10 and 11 is being sold in the underground for up to $50,000. This is significant because, beginning with Reader 10, Adobe introduced a "sandbox" feature aimed at blocking the exploitation of previously unidentified security holes in its software, and so far that protection has worked. However, according to Group-IB's head of international projects, this vulnerability allows attackers to sidestep Reader's sandbox protection. He said the finding is significant because "in the past there was no documented method of how to bypass" Adobe Reader 10's sandbox to run code of the attacker's choice on the target's computer. Source:

Communications Sector

35. November 8, Complete Music Update – (New York) New York radio station WFMU on the brink after hurricane. New York community radio station WFMU 90.1 FM Hudson Valley managed to get one of its two transmitters up and running again November 5, a week after both were knocked out by Hurricane Sandy. In addition to the roughly $100,000 of damage to the transmitters, the station, which relies on donations and other fundraising, estimates it lost approximately $150,000 more in costs and projected revenue from its annual 3-day record fair, which was cancelled after the storm hit. Source:

36. November 7, Press of Atlantic City – (New Jersey) Linwood radio station WOND hopes to be back on at 1400 AM next week. The tower for Linwood, New Jersey radio station WOND 1400 AM Pleasantville should be functioning again by the week of November 12, after being damaged by Hurricane Sandy. "We are still without electricity right now," a Longport Media engineer said. The tower for the station was found under 4 feet of water after the storm and the transmitters were damaged, he said. After electricity is returned, he will replace the transmitter and if there is no hidden damage, the station will be back on air. If there is more damage to the system than initially anticipated, it will extend the repair time, he said. Officials said the station will continue to broadcast from WWAC 102.7 FM Ocean City in the meantime. Source:

Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site:

Contact Information

Content and Suggestions: Send mail to or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List:     Send mail to

Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure
Coordinating Center at or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at or visit their Web page at v.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.