Friday, November 9, 2012
Daily Report
Top Stories
• Snow and wind caused more than 100,000 new power outages in the
Mid-Atlantic and Northeast and new calls for evacuations, NBC News reported
November 8. – NBC News
1. November 8, NBC News – (National) Nor'easter snow layers Sandy destruction; more
evacuations, more power outages. Snow fell on damaged homes and debris piles
in parts of the New York City area as a nor'easter moved in, causing new power outages
and calls for evacuations, NBC News reported November 8. By November 7, the
winds caused more than 100,000 new power outages in the Mid-Atlantic and Northeast,
the U.S. Department of Energy stated. That brought the total number of outages
to 715,000, most of those remaining from Superstorm Sandy, which made landfall
in New Jersey October 29. Throughout the New Jersey, New York, and Connecticut
tri-state area, people wore coats indoors as they endured yet another night without
heat. About 1,200 flights were canceled across the Northeast, while residents
of a few areas hit hardest by Superstorm Sandy were urged to evacuate in case
of new flooding. Long Island Rail Road service was also suspended because of
weather-related signal problems, WNBC 4 New York reported. The snow from the
latest nor'easter was expected to continue through November 9. Source: http://usnews.nbcnews.com/_news/2012/11/07/14987947-noreaster-snow-layers-sandy-destruction-more-evacuations-more-power-outages?lite
• A former worker accused of setting a fire which caused about
$450 million in damage to a nuclear-powered submarine at the Portsmouth Naval
Shipyard in Kittery, Maine, pleaded guilty November 8 under a plea agreement
that could send him to federal prison for nearly 20 years. – Associated
Press
7. November 8, Associated Press – (Maine) Man pleads guilty to setting sub Miami fire. A
former worker accused of setting a fire at the Portsmouth Naval Shipyard in Kittery,
Maine, that caused about $450 million in damage to the nuclear-powered submarine
USS Miami pleaded guilty November 8 under a plea agreement that could send him
to federal prison for nearly 20 years. The man waived indictment and pleaded guilty
to two counts of arson, a U.S. Attorney said. The man pleaded guilty to setting
the fire inside the sub May 23, as well as a second fire outside the sub June
16 that caused little damage. The first fire carried a maximum sentence of life
in federal prison, but both the defense and prosecutors agreed to recommend a
sentence that ranges roughly between 15 and 19 years. The former worker, a
painter and sand blaster, told Navy investigators that he set the fires to get
out of work because he was suffering from anxiety and having problems with his
ex-girlfriend. The man's attorney said he anticipates that sentencing will
occur in March 2013. Source: http://www.militarytimes.com/news/2012/11/ap-ex-sub-worker-fury-pleads-guilty-110812/
• A nor'easter could set back repairs to NJ Transit's rail system
in New Jersey that is offering limited service in the wake of Sandy, the
Associated Press reported November 8. – Associated Press
10. November 9, Associated Press – (New Jersey) Storm could delay rail work on damaged NJ lines.
A nor'easter could set back repairs to NJ Transit's rail system in New
Jersey that is offering limited service in the wake of Sandy, the Associated
Press reported November 8. An NJ Transit spokesman said November 7 that crews
were not allowed to perform some types of work if winds surpass 20 mph. That
could affect repairs on wires and towers. NJ Transit resumed partial service
November 2. The Northeast Corridor, Main, and Port Jervis Lines, and Raritan
Valley Line were on modified schedules. The North Jersey Coast Line and Bergen
and Pascack Valley lines were suspended, as were the Montclair-Boonton and
Morris & Essex lines. On the Bergen and Pascack Valley lines, a loss of
electricity left gates, switches, and signals in need of repair. The worst-hit
line was the North Jersey Coast Line, where two bridges suffered extensive
damage. The second-worst area was in Kearny, where tracks were washed out and
trees and towers that hold overhead wires were toppled onto the Montclair-Boonton
and Morris & Essex lines. Service into New York was hampered because one of
Amtrak's two tunnels into the city was still inoperable. November 7, NJ Transit
carried 23,275 customers into Manhattan during the morning commute, about half
the number that normally would ride in. NJ Transit added more buses to connect
commuters with ferry service into Manhattan. About 350 buses were provided by
the U.S. Department of Transportation to go along with more than 150 that NJ
Transit keeps in reserve to use in emergencies. Source: http://nz.finance.yahoo.com/news/storm-could-delay-rail-damaged-192731336.html
• A researcher's team found more than 50 vulnerabilities in the
WinCC program of the Siemens software that was targeted by the Stuxnet malware.
– IDG News Service. See item 28 below in the Information Technology Sector.
Details
Banking and Finance Sector
8. November 8, Associated Press – (Massachusetts; Rhode Island) Federal grand jury indicts
suspect in RI, Mass 'bearded bandit' bank robberies. A man believed to be the
bank robber dubbed the "bearded bandit" by law enforcement for a
series of heists in Rhode Island and Massachusetts was indicted by a federal
grand jury. Rhode Island's U.S. Attorney announced the eight-count indictment
November 8. Authorities said the man robbed eight banks in Rhode Island. Police
said that he sometimes claimed to have a gun and threatened bank tellers. He is
being held in Massachusetts, where he is charged with robbing a Seekonk bank.
Source: http://www.therepublic.com/view/story/e40d0c3a96a44c4cb949282def9bc4ba/RI--Bearded-Bandit
9. November 7, Bloomberg News – (New York) DTCC operations ran during Sandy, vault status
still unclear. The Depository Trust & Clearing Corporation (DTCC) processed
about $19 trillion in securities trades the week of October 29 even as Hurricane
Sandy submerged its 40-year-old underground Manhattan vault in New York City
holding physical stock and bond certificates, Bloomberg News reported November
7. The company switched day-to-day command of its operations to its office in
Tampa, Florida, and moved control of the technology that runs its clearing and
settlement business and record-keeping to its Dallas data center the weekend
before the Atlantic’s largest-ever tropical storm, the president and chief
executive officer of DTCC said. The DTCC handles trades in U.S. equities and
government, municipal and corporate bonds, and is more important to how markets
function than the New York Stock Exchange or Citigroup Inc., according to a
professor at Georgetown University's McDonough School of Business. The DTCC's
10,000-square-foot vault, three levels below ground, contains 1.3 million stock
and bond certificates and other securities. The entire 55 Wall Street building
remains closed. While the certificates may be damaged if water flowed into the
vault, they are already recorded electronically in DTCC’s systems, the DTCC CEO
said. Once the company can assess the status of the certificates, it will
figure out what to do about replacing them, he said. DTCC also has images of
all bearer stocks and bonds in the vault, he said. Source: http://www.businessweek.com/news/2012-11-07/dtcc-operations-ran-during-sandy-vault-status-still-unclear
Information Technology Sector
28. November 8, IDG News Service – (International) Siemens software targeted by Stuxnet still
full of holes. Software made by Siemens and targeted by the Stuxnet malware
is still full of other dangerous vulnerabilities, according to researchers. The
CTO of Positive Technologies was scheduled to give a presentation in July at
Defcon, but it was pulled after Siemens asked for more time to patch its WinCC
software. WinCC is a type of supervisory control and data acquisition (SCADA)
system, which is used to manage a variety of industrial processes in factories
and energy utilities. The type of software underpins much of what is deemed
critical infrastructure by countries. The CTO agreed to suspend his
presentation at Defcon, but presented an overview of his WinCC research at the
Power of Community security conference November 8. He withheld the specific
details of the vulnerabilities since Siemens has not released patches. His team
has found more than 50 vulnerabilities in WinCC's latest version, he said in an
interview. Most are problems that would allow an attacker to take over a WinCC
system remotely. He showed how, when an industrial system operator is using the
same browser to access both the open Internet and WinCC's Web interface, a
vulnerability can be exploited to obtain login credentials for the back-end
SCADA network. Source: http://www.computerworld.com/s/article/9233378/Siemens_software_targeted_by_Stuxnet_still_full_of_holes
29. November 8, Softpedia – (International) US-CERT warns of flaws in Symantec products
caused by legacy decomposer. The U.S. Computer Emergency Readiness Team
(US-CERT) issued an alert regarding a vulnerability in certain Symantec
antivirus products, which can be leveraged by a remote attacker to execute
arbitrary code with administrative privileges. The issue stems from the fact
that some Symantec products fail to properly handle malformed CAB files,
resulting in memory corruption. The affected products are Symantec Endpoint
Protection 11.0 and Symantec Endpoint Protection Small Business Edition 12.0.
These products are impacted because they rely on a legacy decomposer that fails
to perform proper bounds check in some specifically formatted files when
parsing content to be scanned from the CAB archive. "Successful targeting of
this nature would necessarily require the attacker to be able to get their maliciously
formatted archive past established email security policies to be processed on a
system. This may lessen the success of any potential attempts of this nature
though it does not reduce the severity if successfully executed," Symantec
wrote in its report. The company confirmed that the legacy versions of the
decomposer engines can cause crashes when handling malformed CAB files, but
they have not been able to verify remote code execution. Source: http://news.softpedia.com/news/US-CERT-Warns-of-Flaws-in-Symantec-Products-Caused-by-Legacy-Decomposer-305417.shtml
30. November 8, The H – (International) QuickTime for Windows updated to close security
holes. Apple released version 7.7.3 of QuickTime for Windows, closing several
security holes in its media player application. According to the company, the
latest update addresses a total of nine vulnerabilities, all of which could be
exploited by an attacker to crash the application or execute arbitrary code on
a victim's system. These include a memory corruption issue and a buffer
overflow when handling PICT files, multiple use-after-free and boundary errors,
and problems when processing TeXML files that can be taken advantage of to
cause a buffer overflow. For an attack to be successful, a user must first open
a malicious Web site or a specially crafted file. Updating to version 7.7.3 of
QuickTime addresses these issues. Source: http://www.h-online.com/security/news/item/QuickTime-for-Windows-updated-to-close-security-holes-1746273.html
31. November 8, ZDNet – (International) How hackers scrape RAM to circumvent encryption.
Speaking at Verizon's media day forum November 7, the company's business
investigative response managing principal said the various encryption standards
today do a good job of protecting data that is at rest, such as data stored on
a server or in transit across a network. However, in many cases, data is left
completely vulnerable during the processing stage. This has opened up servers
to attack by a technique that the principal calls "RAM scraping,"
which examines the memory of the running Web server and extracts data while it
is in its processed, unencrypted state. He demonstrated the attack using a
fictitious e-commerce site that never stores credit card information — a
practice that many retailers do when they take payment details and pass them on
to a third-party payment processor. However, the Web server must handle the
information during processing, and it is there that it appears in the memory of
the server in its unencrypted form, which allowed the principal to retrieve the
information. Source: http://www.zdnet.com/how-hackers-scrape-ram-to-circumvent-encryption-7000007068/
32. November 8, V3.co.uk – (International) Cisco patch plugs password security flaws. Cisco
issued a patch to address a security flaw which could allow an attacker to bypass
password protections in its Access Control System (ACS) platform. The company
said that the update would install a revision to the ACS platform, specifically
the handling of the TACACS+ security protocol. Cisco said the flaw would
potentially allow an attacker to use a specific set of characters in
combination with a valid account name to cause a crash which lets the attacker
bypass the authentication process and access the target system. The company
noted that while an attacker would need a valid user name, the technique could
be used on any system with the vulnerable component. Cisco is making the patch
available as a free update. Both the company and third-party security
researchers are advising administrators to install the fix as soon as possible.
Source: http://www.v3.co.uk/v3-uk/news/2223271/cisco-issues-patch-to-plug-password-security-flaws
33. November 8, The H – (International) Best practices for the DKIM vulnerability. The
Messaging, Malware, and Mobile Anti-Abuse Working Group published seven recommended
best practices for addressing a vulnerability in DomainKeys Identified Mail
(DKIM) digital signatures for emails. With DKIM, companies and organizations can
include a digital signature to confirm that an email is actually from their
domain. In late October, however, a mathematician found that a number of major
Web sites were using keys that were too short for these signatures, making it
easy to imitate addresses from Google, PayPal, Yahoo, Amazon, eBay, and many
others. One recommendation is to use a key length of at least 1024 bits, since
a 512-bit key can be cracked in just 72 hours using online cloud services.
Recommendations also include rotating DKIM keys every quarter and assigning
expiration periods that are longer than the rotation period. Old keys should be
revoked in Domain Name System as needed. Source: http://www.h-online.com/security/news/item/Best-practices-for-the-DKIM-vulnerability-1746758.html
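As an added illustration of the key-length and revocation checks described in the item above (example code written for this page, not from the original report or from M3AAWG): it parses a DKIM TXT record, decodes the DER-encoded RSA public key in the p= tag, and flags keys shorter than 1024 bits or records whose p= tag has been emptied to revoke the key. The sample records are constructed with a synthetic modulus of the requested size rather than a real key pair.

```python
import base64

MIN_DKIM_KEY_BITS = 1024  # floor recommended in the M3AAWG guidance summarized above

def parse_dkim_record(txt):
    """Split a DKIM TXT record ('v=DKIM1; k=rsa; p=...') into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())  # whitespace inside base64 is legal
    return tags

def _der_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Return the RSA modulus bit length from a DER SubjectPublicKeyInfo."""
    _, spki, _ = _der_tlv(spki_der, 0)       # outer SEQUENCE
    _, _, pos = _der_tlv(spki, 0)            # AlgorithmIdentifier (skipped)
    _, bitstr, _ = _der_tlv(spki, pos)       # BIT STRING wrapping RSAPublicKey
    _, rsapub, _ = _der_tlv(bitstr[1:], 0)   # drop unused-bits octet, open SEQUENCE
    _, modulus, _ = _der_tlv(rsapub, 0)      # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim_record(txt):
    """Classify a record as 'invalid', 'revoked', 'unsupported', 'weak' or 'ok'."""
    tags = parse_dkim_record(txt)
    if "p" not in tags:
        return "invalid"      # RFC 6376 requires the p= tag
    if tags["p"] == "":
        return "revoked"      # RFC 6376: an empty p= tag means the key was revoked
    if tags.get("k", "rsa") != "rsa":
        return "unsupported"  # only RSA keys have a modulus to measure here
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return "ok" if bits >= MIN_DKIM_KEY_BITS else "weak"

def _der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample records."""
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (lb if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def make_sample_record(modulus_bits):
    """Constructed test record with a synthetic modulus of the given size (not a real key)."""
    def der_int(v):
        b = v.to_bytes((v.bit_length() + 7) // 8, "big")
        return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)
    n = (1 << (modulus_bits - 1)) | 0x10001  # exact bit length; not a product of primes
    rsa_pub = _der(0x30, der_int(n) + der_int(65537))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

In practice the record text comes from a TXT lookup of selector._domainkey.example.com; the classifier is the same.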
34. November 7, Krebs on Security – (International) Experts warn of zero-day exploit for Adobe
Reader. Software vendor Adobe said it is investigating claims that
instructions for exploiting a previously unknown critical security hole in the
latest versions of its widely-used PDF Reader software are being sold in the
cybercriminal underground. The finding comes from malware analysts at
Moscow-based forensics firm Group-IB, who said they discovered that a new
exploit capable of compromising the security of computers running Adobe Reader
10 and 11 is being sold in the underground for up to $50,000. This is
significant because — beginning with Reader 10 — Adobe introduced a "sandbox"
feature aimed at blocking the exploitation of previously unidentified security
holes in its software, and so far that protection has worked. However, according
to Group-IB’s head of international projects, this vulnerability allows attackers
to sidestep Reader’s sandbox protection. He said the finding is significant because
"in the past there was no documented method of how to bypass" Adobe Reader 10’s
sandbox to run code of the attacker’s choice on the target’s computer. Source: http://krebsonsecurity.com/2012/11/experts-warn-of-zero-day-exploit-for-adobe-reader/
Communications Sector
35. November 8, Complete Music Update – (New York) New York radio station WFMU on
the brink after hurricane. New York community radio station WFMU 90.1 FM Hudson
Valley managed to get one of its two transmitters up and running again November
5, a week after both were knocked out by Hurricane Sandy. In addition to the
$100,000 of damage to the transmitters, the station, which relies on donations
and other fundraising, estimated that it also lost approximately $150,000 in
costs and projected revenue from its annual 3-day record fair,
which was cancelled after the storm hit. Source: http://www.thecmuwebsite.com/article/new-york-radio-station-wfmu-on-the-brink-after-hurricane/
36. November 7, Press of Atlantic City – (New Jersey) Linwood radio station WOND hopes
to be back on at 1400 AM next week. The tower for Linwood, New Jersey radio
station WOND 1400 AM Pleasantville should be functioning again by the week of
November 12, after being damaged by Hurricane Sandy. "We are still without
electricity right now," a Longport Media engineer said. The tower for the
station was found under 4 feet of water after the storm and the transmitters
were damaged, he said. After electricity is returned, he will replace the
transmitter and if there is no hidden damage, the station will be back on air. If
there is more damage to the system than initially anticipated, it will extend
the repair time, he said. Officials said the station will continue to broadcast
from WWAC 102.7 FM Ocean City in the meantime. Source: http://www.menafn.com/menafn/840ace83-12ce-41bc-a7ea-9aa8fb411fa5/BRIEF-Linwood-radio-station-WOND-hopes-to-be-back-on-at-1400-AM-next-week?src=main
Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information
About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport
Contact Information
Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314
Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.
Contact DHS
To report physical infrastructure incidents or to request information, please contact the National Infrastructure
To report cyber infrastructure incidents or to request information, please contact US-CERT at soc@us-cert.gov or visit their Web page at www.us-cert.gov.
Department of Homeland Security Disclaimer
The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.