Wednesday, November 14, 2012

Daily Report

Top Stories

 People living in 31 homes within a half-mile radius of a train derailment site in Louisville, Kentucky, were again forced from their homes November 13 while dangerous chemicals were removed from the scene. – Louisville Courier Journal

4. November 12, Louisville Courier Journal – (Kentucky) Latest evacuation for train derailment to begin Tuesday and could last up to four days. Residents around the site of the derailment of 13 Paducah & Louisville Railway (P&L) cars were again forced from their homes November 13 while dangerous chemicals were removed from the scene, reported the Louisville Courier-Journal. People living in 31 homes within a half-mile radius of the derailment were asked to evacuate, the Louisville Metro Emergency Management Agency said November 12. P&L said the evacuation order will be in place until all the chemicals are taken away, which could take three or four days. Dixie Highway from Kentucky 44 to the Salt River bridge will also be closed starting November 13 and will stay closed for the duration of the cleanup. A no-fly zone will be in effect a half mile around the site and Ohio River traffic in the area will be stopped while tens of thousands of gallons of highly toxic hydrogen fluoride and flammable butadiene are offloaded from derailed tank cars. Source:

 November 12, Lockheed Martin cited a dramatic growth in the number and sophistication of international cyberattacks on its networks and said it was contacting suppliers to help them bolster their security. Company officials also said about 20 percent of the threats directed at Lockheed networks were considered prolonged and targeted attacks by a nation state or other group trying to steal data or harm operations. – Reuters

8. November 12, Reuters – (International) Lockheed says cyber attacks up sharply, suppliers targeted. November 12, the U.S. Department of Defense’s number-one supplier, Lockheed Martin, cited dramatic growth in the number and sophistication of international cyberattacks on its networks and said it was contacting suppliers to help them bolster their security. The company’s vice president and chief information security officer said about 20 percent of the threats directed at Lockheed networks were considered “advanced persistent threats,” prolonged and targeted attacks by a nation state or other group trying to steal data or harm operations. She said the company had seen “very successful” attacks against a number of its suppliers, and was focusing heavily on helping those companies improve their security. Source:

 U.S. Food and Drug Administration inspectors released a 20-page report on Ameridose LLC November 12, claiming the Massachusetts drug company that has supplied dozens of Tennessee health-care facilities failed to properly test for the sterility of its products and did not investigate multiple complaints, including one case categorized as life-threatening. – Nashville Tennessean

28. November 12, Nashville Tennessean – (Massachusetts) Meningitis outbreak: Inspectors find bird flying through Ameridose pharmacy. U.S. Food and Drug Administration (FDA) inspectors found a Massachusetts drug company that has supplied dozens of Tennessee health-care facilities failed to properly test for the sterility of its products and did not investigate multiple complaints, including one case categorized as life-threatening. The 20-page report on Ameridose LLC issued November 12 listed multiple violations of federal regulations. Inspectors even reported seeing a bird flying through a storage area for sterile drugs. Ameridose, based in Westborough, Massachusetts, has the same owners as the New England Compounding Center, which has been blamed for a nationwide outbreak of fungal meningitis that has killed 31 patients, including 13 in Tennessee. A spokesman for the company said Ameridose was preparing a full response to the FDA report. Source:

 Two Digital Bond posts the week of November 5 showcase researcher findings on how easy it is to find industrial control systems (ICS) that have already been compromised, and that just fixing Supervisory control and data acquisition (SCADA) vulnerabilities is an ongoing process, not a solution. – Infosecurity See item 42 below in the Information Technology Sector

Banking and Finance Sector

9. November 13, Softpedia – (International) Experts investigate malware used in Gozi-Prinimalka campaign against US banks. In October, RSA revealed that cybercriminals were planning to launch massive trojan attacks against several U.K. banks. Now, Trend Micro researchers analyzed a few samples of the malware that will likely be utilized in the Gozi-Prinimalka campaign, Softpedia reported November 13. One of the samples, BKDR_URSNIF.B, is designed to monitor its victims’ browsing activities and collect any information related to financial institutions such as Wells Fargo, PayPal, and Wachovia. Another sample, BKDR_URSNIF.DN, starts by searching for a specific Firefox registry entry. If this entry is found, a file that drops JS_URSNIF.DJ is created. If the registry entry is not located, the malware does not steal any information, but it still performs other malicious tasks. JS_URSNIF.DJ is the JavaScript that is actually responsible for stealing information. It injects itself into specific Web sites and waits for the victims to enter their credentials. Once the information is harvested, it sends it back to its master via HTTP POST requests. According to the researchers, several command and control servers are utilized by these pieces of malware. Experts also managed to retrieve the names of three additional targets by analyzing the malware’s configuration files. TDBank, Firstrade Securities, and optionsXpress are on the list of targets. All of the institutions have been notified. Source:

10. November 12, Des Plaines Patch – (Kentucky; Illinois) Police: ‘Elmer Fudd Bandit’ arrested. Law enforcement reported they arrested a man who is suspected in four armed bank robberies in the Chicago area, an attempted armed bank robbery in Des Plaines, Illinois, and a bank robbery in Louisville, Kentucky, the Des Plaines Patch reported November 12. The man, dubbed the “Elmer Fudd Bandit” by the FBI due to the flannel shirts and caps seen in surveillance video, was arrested at an apartment building by Kentucky State Police and the Grayson County Sheriff’s Department. Law enforcement received an anonymous tip following a bank robbery that occurred at a U.S. Bank in Louisville November 8, the Grayson County News Gazette reported. In addition to the similar clothing worn by the male subject in surveillance video, in many of the incidents the man approached a bank teller with a notepad that stated to give him money, and he threatened to injure the teller. Source:

11. November 12, Business Technology News – (International) PayGate confirms security breach. The South African online payment service provider PayGate confirmed its systems were breached in August and some credit card numbers may have been exposed, BusinessTech reported November 12. It follows an admission November 9 by the Payments Association of South Africa that private credit card and banking details were leaked during a breach at a company which processes online transactions. “We detected unauthorised activity on our servers in August and immediately took action to secure our systems and protect our customers,” said PayGate’s managing director. He said that while some credit card details may have been exposed, “the card associations and banks are pro-actively monitoring all credit cards processed during this period and will contact cardholders directly if necessary.” He stressed that PayGate did not store any personal details like addresses or ID numbers, although it does store email

12. November 12, Associated Press – (New York; National) NY gets $9.5M from NC firm over soldier debt fraud. The New York Attorney General reached a $9.5 million settlement with retailer SmartBuy and its affiliated companies over debt fraud aimed at soldiers, the Associated Press reported November 12. The Attorney General said SmartBuy operated from a kiosk and small storefront at Salmon Run Mall near the Fort Drum Army post and ruined the credit of thousands of soldiers through fraudulent charges. The settlement, along with an earlier one with SmartBuy, wipes out $12.9 million in debt for more than 4,000 soldiers nationwide. The Attorney General said SmartBuy salespeople talked soldiers into payment contracts with hidden fees and exorbitant interest. Fayetteville, North Carolina-based SmartBuy closed its local operations after the Attorney General demanded it stop deceptive practices and reimburse soldiers. Investigators found that SmartBuy purchased merchandise, marked it up 200-325 percent, and added interest of 10-25 percent. It locked soldiers into credit agreements with undisclosed fees and high interest, paid directly from military paychecks. The settling entities include Frisco Marketing of New York, doing business as SmartBuy and SmartBuy Computers and Electronics; Integrity Financial of North Carolina; Britlee and GJS Management; all owned and/or operated by a North Carolina family. The settling companies will contractually release all of the approximately 358 New York soldiers, and an additional 3,963 soldiers nationwide from their debt. They will also clear all negative credit reports related to the contracts and will pay a $150,000 penalty to New York. Under a consent order and judgment, the companies are banned permanently from doing business in New York. Source:

Information Technology Sector

38. November 13, The Register – (International) Even a child can make a trojan to pillage Windows Phone 8. A teenager crafted prototype malware for Windows Phone 8 just weeks after the official unveiling of the smartphone platform. The proof-of-concept code is due to be demonstrated at the International Malware Conference (MalCon) in New Delhi, India, November 24. The teenager, who is a member of the Indian government-backed National Security Database program of information security professionals, created malware that attacked Microsoft’s Xbox Kinect in 2011. Documents posted on the MalCon Web site ahead of the talk suggest he developed a trojan that poses as a legitimate application before stealing users’ data, including contact numbers, text messages, and photos. Details are thin, so it is unclear whether the malware exploits a vulnerability in Windows Phone 8 or it simply tricks users into doing something daft, such as installing malicious code posing as a game or utility. Source:

39. November 12, Help Net Security – (International) One in four users at risk due to outdated browsers. Nearly a quarter of users do not use the latest browser versions, and those using Mozilla Firefox are the slowest when it comes to updating, which leaves them open to Web-based attacks, Kaspersky Lab warns. Basing their results on the information collected from 10 million randomly selected customers from different regions across the world, the company discovered that Chrome users are nearly as numerous as Internet Explorer (IE) ones (36.5 and 37.8 percent, respectively), while the numbers for Firefox (19.5 percent) keep falling. While the news is not good for Mozilla, it is for security, as only 69.5 percent of Firefox users use the latest two versions, while 94.7 percent of Chrome users and 96.5 percent of IE users do the same. Also, compared to Chrome users, Firefox users update to the newer version more slowly, and more of them tend to stay on the older version for a longer period of time. The research differentiates between older (but still supported) versions of the browsers and the outdated ones, but still points out that 23 percent of the users have not opted for the latest versions and the security improvements they bring. Source:

40. November 12, Threatpost – (International) New Java attack introduced into Cool Exploit Kit. A new exploit was found in the Cool Exploit Kit for a vulnerability in Java 7 Update 7 as well as older versions, a flaw patched by Oracle in Java 7 Update 9. Cool Exploit Kit was discovered in October and is largely responsible for dropping the Reveton ransomware. A new Metasploit module was introduced November 11 by a researcher, according to a frequent Metasploit contributor. He suggested it is likely the exploit has been in the wild for a period of time and has only now been integrated into an exploit kit. The new Java exploit, a sandbox escape, targets vulnerability CVE-2012-5076 that was repaired in Oracle’s October 2012 Critical Patch Update. Attackers can run arbitrary code on compromised machines, the Metasploit contributor said. Source:

41. November 12, The H – (International) Ruby update fixes hash flooding vulnerability. The Ruby developers released an update to the 1.9.3 series of their open source programming language, fixing a denial-of-service (DoS) vulnerability. Ruby 1.9.3 patch level 327, labelled 1.9.3-p327, corrects a hash-flooding issue that could be exploited by an attacker to cause high CPU load that can result in a DoS. The problem can be caused by an error when parsing specially crafted sequences of strings. The developers point out that the vulnerability is similar to another widespread DoS issue in hash algorithms that affected a number of programs including the 1.8.7 branch of Ruby. All Ruby 1.9.x versions prior to 1.9.3-p327, as well as all Ruby 2.0 pre-release versions prior to trunk revision 37575 including 2.0.0 preview 1 from earlier in November are affected. Users running these versions are advised to upgrade to the latest 1.9.3 patch level or trunk revision 37575 or later as soon as possible. Source:

42. November 12, Infosecurity – (International) Researcher tracks down compromised ICS systems. Supervisory control and data acquisition (SCADA) and industrial control systems’ (ICS) security has been repeatedly questioned in recent months. Now, one researcher shows how easy it is to find ICS systems that have already been compromised, while another warns Siemens that just fixing SCADA vulnerabilities is an ongoing process, not a solution. In two Digital Bond posts the week of November 5, a researcher describes the SCADA vulnerability problem, and then a second researcher demonstrates how to locate such systems that have already been compromised. He concentrates on one particular system he found, “an extremely detailed DDS log.” “First off,” he writes, “this system has the SEL AcSELerator Quickset and GE Enervista, so it was used to either review relay configurations or install relay configurations on SEL and GE digital protective relays.” In other words, it effectively plugs into the national power grid. “This suggests a technician’s laptop, one who works on a wide variety of electric power systems and other automation systems.” However, the laptop was infected with two pieces of malware: The fake antivirus and backup program “Malware Protection Designed to Protect” and “Windows XP Recovery.” Such malware is usually installed either by drive-by downloading or direct installation. Source:

43. November 10, The H – (International) Worth reading: Dropbox is “quite secure”. Security specialists from the IT department at EADS cast a critical eye on the Dropbox cloud storage service and recently presented their findings at the Hack.LU security conference. They explained the trickery used by the service’s developers to encrypt the Python-based desktop client, showed how the client protects its configuration, and demonstrated how data is exchanged. The researchers said they found no major vulnerabilities. The researchers did, however, uncover one minor security problem: The client does not check one particular certificate when talking to other Dropbox clients on a local network. This potentially enables attackers to block the client of other network users. Source:

Communications Sector

44. November 12, Colorado Springs Gazette – (Colorado) Skunk spray downs Fox 21 News for a day. An almost day-long outage for KXRM 21 Colorado Springs and KXTU 20 Colorado Springs was apparently caused by a skunk that was burned inside the transmitter station, the Colorado Springs Gazette reported November 12. The wounded animal released his spray, soaking the transmitter and causing the breaker switch to be tripped inside, according to the station’s Facebook page. The outage started November 11 and affected viewers using Dish, Direct TV, and those using antennas. Engineers spent the day at the Cheyenne Mountain station trying to dry it off and get the transmitter back up and running. Programming began again November 12. Source:

45. November 12, WBNG 12 Binghamton – (New York) Phone lines down in Westford. A severed phone line left a majority of residents in Otsego County, New York, without phone service, including the ability to call 9-1-1. Otsego County Emergency Services reported November 11 that the main phone line providing service to the Town of Westford was cut. The damaged line left most of the town without phone service. Verizon repair crews were notified and there was no estimated restoration time. Otsego County Emergency Services reminded residents the outage did not affect cell phone service in the area and that cell phones could be used to report emergencies. Source:

Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site:

Contact Information

Content and Suggestions: Send mail to or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List: Send mail to

Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure Coordinating Center at or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at or visit their Web page at v.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.