Wednesday, November 14, 2012
Daily Report
Top Stories
• People living in 31 homes within a half-mile radius of a train
derailment site in Louisville, Kentucky, were again forced from their homes
November 13 while dangerous chemicals were removed from the scene. – Louisville
Courier Journal
4. November 12, Louisville Courier Journal – (Kentucky) Latest evacuation
for train derailment to begin Tuesday and could last up to four days. Residents
around the site of the derailment of 13 Paducah & Louisville Railway
(P&L) cars were again forced from their homes November 13 while dangerous
chemicals were removed from the scene, reported the Louisville Courier-Journal.
People living in 31 homes within a half-mile radius of the derailment were
asked to evacuate, the Louisville Metro Emergency Management Agency said
November 12. P&L said the evacuation order will be in place until all the
chemicals are taken away, which could take three or four days. Dixie Highway
from Kentucky 44 to the Salt River bridge will also be closed starting November
13 and will stay closed for the duration of the cleanup. A no-fly zone will be in
effect a half mile around the site and Ohio River traffic in the area will be
stopped while tens of thousands of gallons of highly toxic hydrogen fluoride
and flammable butadiene are offloaded from derailed tank cars. Source: http://www.courierjournal.com/article/20121112/NEWS01/311120029/Tuesday-evacuation-order-lastlong-four-days-residents-living-around-derailment-site?odyssey=nav|head
• November 12, Lockheed Martin cited a dramatic growth in the
number and sophistication of international cyberattacks on its networks and
said it was contacting suppliers to help them bolster their security. Company
officials also said about 20 percent of the threats directed at Lockheed
networks were considered prolonged and targeted attacks by a nation state or
other group trying to steal data or harm operations. – Reuters
8. November 12, Reuters – (International) Lockheed says cyber attacks up sharply, suppliers
targeted. November 12, the U.S. Department of Defense’s number-one supplier,
Lockheed Martin, cited dramatic growth in the number and sophistication of international
cyberattacks on its networks and said it was contacting suppliers to help them
bolster their security. The company’s vice president and chief information security
officer said about 20 percent of the threats directed at Lockheed networks were
considered “advanced persistent threats,” prolonged and targeted attacks by a
nation state or other group trying to steal data or harm operations. She said
the company had seen “very successful” attacks against a number of its
suppliers, and was focusing heavily on helping those companies improve their
security. Source: http://www.reuters.com/article/2012/11/13/net-us-lockheed-cyberidUSBRE8AC02S20121113
• U.S. Food and Drug Administration inspectors released a 20-page
report on Ameridose LLC November 12, claiming the Massachusetts drug company
that has supplied dozens of Tennessee health-care facilities failed to properly
test for the sterility of its products and did not investigate multiple
complaints, including one case categorized as life-threatening. – Nashville
Tennessean
28. November 12, Nashville Tennessean – (Massachusetts) Meningitis outbreak: Inspectors
find bird flying through Ameridose pharmacy. U.S. Food and Drug Administration
(FDA) inspectors found a Massachusetts drug company that has supplied dozens of
Tennessee health-care facilities failed to properly test for the sterility of
its products and did not investigate multiple complaints, including one case categorized
as life-threatening. The 20-page report on Ameridose LLC issued November 12
listed multiple violations of federal regulations. Inspectors even reported seeing
a bird flying through a storage area for sterile drugs. Ameridose, based in Westborough,
Massachusetts, has the same owners as the New England Compounding Center, which
has been blamed for a nationwide outbreak of fungal meningitis that has killed
31 patients, including 13 in Tennessee. A spokesman for the company said Ameridose
was preparing a full response to the FDA report. Source: http://www.wbir.com/news/article/241721/2/Meningitis-outbreak-Inspectorsfind-bird-flying-through-Ameridose-pharmacy
• Two Digital Bond posts the week of November 5 showcase researcher findings on how
easy it is to find industrial control systems (ICS) that have already been compromised, and
that just fixing Supervisory control and data acquisition (SCADA) vulnerabilities is an
ongoing process, not a solution. – Infosecurity
See item 42 below in the Information Technology Sector
Details
Banking and Finance Sector
9. November 13, Softpedia – (International) Experts investigate malware used in Gozi-Prinimalka
campaign against US banks. In October, RSA revealed that cybercriminals
were planning to launch massive trojan attacks against several U.K. banks. Now,
Trend Micro researchers analyzed a few samples of the malware that will likely
be utilized in the Gozi-Prinimalka campaign, Softpedia reported November 13. One
of the samples, BKDR_URSNIF.B, is designed to monitor its victims’ browsing activities
and collect any information related to financial institutions such as Wells Fargo,
PayPal, and Wachovia. Another sample, BKDR_URSNIF.DN, starts by searching for a
specific Firefox registry entry. If this entry is found, a file that drops JS_URSNIF.DJ
is created. If the registry is not located, the malware does not steal any information,
but it still performs other malicious tasks. JS_URSNIF.DJ is the JavaScript
that is actually responsible for stealing information. It injects itself into specific
Web sites and waits for the victims to enter their credentials. Once the information
is harvested, it sends it back to its master via HTTP POST requests. According
to the researchers, several command and control servers are utilized by these pieces
of malware. Experts also managed to retrieve the names of three additional targets
by analyzing the malware’s configuration files. TDBank, Firstrade Securities, and
optionsXpress are on the list of targets. All of the institutions have been
notified. Source: http://news.softpedia.com/news/Experts-Investigate-Malware-Used-in-Gozi-Prinimalka-Campaign-Against-US-Banks-306535.shtml
10. November 12, Des Plaines Patch – (Kentucky; Illinois) Police: ‘Elmer Fudd
Bandit’ arrested. Law enforcement reported they arrested a man who is
suspected in four armed bank robberies in the Chicago area, an attempted armed
bank robbery in Des Plaines, Illinois, and a bank robbery in Louisville,
Kentucky, the Des Plaines Patch reported November 12. The man, dubbed the
“Elmer Fudd Bandit” by the FBI due to the flannel shirts and caps seen in
surveillance video, was arrested at an apartment building by Kentucky State
Police and the Grayson County Sheriff’s Department. Law enforcement received an
anonymous tip following a bank robbery that occurred at a U.S. Bank in
Louisville November 8, the Grayson County News Gazette reported. In addition to
the similar clothing worn by the male subject in surveillance video, in many of
the incidents the man approached a bank teller with a notepad that stated to
give him money, and he threatened to injure the teller. Source: http://desplaines.patch.com/articles/police-elmer-fudd-bandit-arrested
11. November 12, Business Technology News – (International) PayGate
confirms security breach. The South African online payment service provider
PayGate confirmed its systems were breached in August and some credit card
numbers may have been exposed, BusinessTech reported November 12. It follows an
admission November 9 by the Payments Association of South Africa that private
credit card and banking details were leaked during a breach at a company which
processes online transactions. “We detected unauthorised activity on our
servers in August and immediately took action to secure our systems and protect
our customers,” said PayGate’s managing director. He said that while some
credit card details may have been exposed, “the card associations and banks are
pro-actively monitoring all credit cards processed during this period and will
contact cardholders directly if necessary.” He stressed that PayGate did not
store any personal details like addresses or ID numbers, although it does store email
12. November 12, Associated Press – (New York; National) NY gets $9.5M from NC firm over soldier
debt fraud. The New York Attorney General reached a $9.5 million settlement
with retailer SmartBuy and its affiliated companies over debt fraud aimed at soldiers,
the Associated Press reported November 12. The Attorney General said SmartBuy
operated from a kiosk and small storefront at Salmon Run Mall near the Fort Drum
Army post and ruined the credit of thousands of soldiers through fraudulent charges.
The settlement, along with an earlier one with SmartBuy, wipes out $12.9 million
in debt for more than 4,000 soldiers nationwide. The Attorney General said SmartBuy
salespeople talked soldiers into payment contracts with hidden fees and exorbitant
interest. Fayetteville, North Carolina-based SmartBuy closed its local operations
after the Attorney General demanded it stop deceptive practices and reimburse
soldiers. Investigators found that SmartBuy purchased merchandise, marked it up
200-325 percent, and added interest of 10-25 percent. It locked soldiers into
credit agreements with undisclosed fees and high interest, paid directly from
military paychecks. The settling entities include Frisco Marketing of New York,
doing business as SmartBuy and SmartBuy Computers and Electronics; Integrity
Financial of North Carolina; Britlee and GJS Management; all owned and/or
operated by a North Carolina family. The settling companies will contractually
release all of the approximately 358 New York soldiers, and an additional 3,963
soldiers nationwide from their debt. They will also clear all negative credit
reports related to the contracts and will pay a $150,000 penalty to New York.
Under a consent order and judgment, the companies are banned permanently from
doing business in New York. Source:
Information Technology Sector
38. November 13, The Register – (International) Even a child can make a trojan to pillage
Windows Phone 8. A teenager crafted prototype malware for Windows Phone 8
just weeks after the official unveiling of the smartphone platform. The
proof-of-concept code is due to be demonstrated at the International Malware
Conference (MalCon) in New Delhi, India, November 24. The teenager, who is a
member of the Indian government-backed National Security Database program of
information security professionals, created malware that attacked Microsoft’s
Xbox Kinect in 2011. Documents posted on the MalCon Web site ahead of the talk
suggest he developed a trojan that poses as a legitimate application before
stealing users’ data, including contact numbers, text messages, and photos.
Details are thin, so it is unclear whether the malware exploits a vulnerability
in Windows Phone 8 or it simply tricks users into doing something daft, such as
installing malicious code posing as a game or utility. Source: http://www.theregister.co.uk/2012/11/13/windows_phone_8_malware/
39. November 12, Help Net Security – (International) One in four users at
risk due to outdated browsers. Nearly a quarter of users do not use the
latest browser versions, and those using Mozilla Firefox are the slowest when
it comes to updating, which leaves them open to Web-based attacks, Kaspersky
Lab warns. Basing their results on the information collected from their 10
million randomly selected customers from different regions across the world,
the company discovered that Chrome users are nearly as numerous as Internet
Explorer (IE) ones (36.5 and 37.8 percent, respectively), while the numbers for
Firefox (19.5 percent) keep falling. While the news is not good for Mozilla, it
is good for security, as only 69.5 percent of Firefox users use the latest two versions,
but 94.7 percent of Chrome users and 96.5 percent of IE users do the same. Also,
compared to Chrome users, Firefox users update to the newer version at a slower
speed and more users tend to stay on the older version for a longer period of
time. The research differentiates between older (but still supported) versions
of the browsers and the outdated ones, but still points out that 23 percent of
the users have not opted for the latest versions and the security improvement
they bring. Source: http://www.net-security.org/secworld.php?id=13934
40. November 12, Threatpost – (International) New Java attack introduced into Cool Exploit
Kit. A new exploit was found in the Cool Exploit Kit for a vulnerability in
Java 7 Update 7 as well as older versions, a flaw patched by Oracle in Java 7
Update 9. Cool Exploit Kit was discovered in October and is largely responsible
for dropping the Reveton ransomware. A new Metasploit module was introduced
November 11 by a researcher, according to a frequent Metasploit contributor. He
suggested it is likely the exploit has been in the wild for a period of time
and has only now been integrated into an exploit kit. The new Java exploit, a
sandbox escape, targets vulnerability CVE-2012-5076 that was repaired in
Oracle’s October 2012 Critical Patch Update. Attackers can run arbitrary code
on compromised machines, the Metasploit contributor said. Source: http://threatpost.com/en_us/blogs/new-java-attack-introduced-cool-exploit-kit-111212
41. November 12, The H – (International) Ruby update fixes hash flooding vulnerability.
The Ruby developers released an update to the 1.9.3 series of their open source
programming language, fixing a denial-of-service (DoS) vulnerability. Ruby 1.9.3
patch level 327, labelled 1.9.3-p327, corrects a hash-flooding issue that could
be exploited by an attacker to cause high CPU load that can result in a DoS.
The problem can be caused by an error when parsing specially crafted sequences
of strings. The developers point out that the vulnerability is similar to
another widespread DoS issue in hash algorithms that affected a number of
programs including the 1.8.7 branch of Ruby. All Ruby 1.9.x versions prior to
1.9.3-p327, as well as all Ruby 2.0 pre-release versions prior to trunk
revision 37575 including 2.0.0 preview 1 from earlier in November are affected.
Users running these versions are advised to upgrade to the latest 1.9.3 patch level
or trunk revision 37575 or later as soon as possible. Source: http://www.h-online.com/security/news/item/Ruby-update-fixes-hash-floodingvulnerability-1748192.html
42. November 12, Infosecurity – (International) Researcher tracks down compromised ICS
systems. Supervisory control and data acquisition (SCADA) and industrial
control systems’ (ICS) security has been repeatedly questioned in recent
months. Now, one researcher shows how easy it is to find ICS systems that have
already been compromised, while another warns Siemens that just fixing SCADA
vulnerabilities is an ongoing process, not a solution. In two Digital Bond
posts the week of November 5, a researcher describes the SCADA vulnerability
problem, and then a second researcher demonstrates how to locate such systems
that have already been compromised. He concentrates on one particular system he
found, “an extremely detailed DDS log.” “First off,” he writes, “this system
has the SEL AcSELerator Quickset and GE Enervista, so it was used to either
review relay configurations or install relay configurations on SEL and GE
digital protective relays.” In other words, it effectively plugs into the
national power grid. “This suggests a technician’s laptop, one who works on a
wide variety of electric power systems and other automation systems.” However, the
laptop was infected with two pieces of malware: The fake antivirus and backup program
“Malware Protection Designed to Protect” and “Windows XP Recovery.” Such
malware is usually installed either by drive-by downloading or direct
installation. Source: http://www.infosecurity-magazine.com/view/29267/researcher-tracks-downcompromised-ics-stems/
43. November 10, The H – (International) Worth reading: Dropbox is “quite secure”. Security
specialists from the IT department at EADS cast a critical eye on the Dropbox
cloud storage service and recently presented their findings at the Hack.LU security
conference. They explained the trickery used by the service’s developers to encrypt
the Python-based desktop client, showed how the client protects its configuration,
and demonstrated how data is exchanged. The researchers said they found no
major vulnerabilities. The researchers did, however, uncover one minor security
problem: The client does not check one particular certificate when talking to other
Dropbox clients on a local network. This potentially enables attackers to block
the client of other network users. Source: http://www.h-online.com/security/news/item/Worth-Reading-Dropbox-isquite-secure-1747744.html
Communications Sector
44. November 12, Colorado Springs Gazette – (Colorado) Skunk spray downs
Fox 21 News for a day. An almost day-long outage for KXRM 21 Colorado
Springs and KXTU 20 Colorado Springs was apparently caused by a skunk that was
burned inside the transmitter station, the Colorado Springs Gazette reported
November 12. The wounded animal released its spray, soaking the transmitter and
causing the breaker switch to be tripped inside, according to the station’s
Facebook page. The outage started November 11 and affected viewers using Dish,
Direct TV, and those using antennas. Engineers spent the day at the Cheyenne
Mountain station trying to dry it off and get the transmitter back up and
running. Programming began again November 12. Source: http://www.gazette.com/news/viewers-147230-signal-fox.html
45. November 12, WBNG 12 Binghamton – (New York) Phone lines down in Westford.
A severed phone line left a majority of residents in Otsego County, New
York, without phone service, including the ability to call 9-1-1. Otsego County
Emergency Services reported November 11 that the main phone line providing
service to the Town of Westford was cut. The damaged line left most of the town
without phone service. Verizon repair crews were notified and there was no
estimated restoration time. Otsego County Emergency Services reminded residents
the outage did not affect cell phone service in the area and that cell phones
could be used to report emergencies. Source: http://www.wbng.com/news/local/Phone-Lines-Down-in-Westford-178896081.html
Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information
About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport
Contact Information
Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314
Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.
Contact DHS
To report physical infrastructure incidents or to request information, please contact the National Infrastructure
To report cyber infrastructure incidents or to request information, please contact US-CERT at soc@us-cert.gov or visit their Web page at www.us-cert.gov.
Department of Homeland Security Disclaimer
The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.