Friday, November 16, 2012

Daily Report

Top Stories

  • BP will plead guilty to manslaughter charges and numerous other felony charges stemming from the 2010 Deepwater Horizon explosion and oil spill in the Gulf of Mexico, and has agreed to pay $4.5 billion in government penalties, the U.S. Attorney General announced November 15. – CNNMoney

1. November 15, CNNMoney – (National) BP to pay record penalty for Gulf oil spill. BP will plead guilty to manslaughter charges stemming from the 2010 Deepwater Horizon explosion and oil spill in the Gulf of Mexico, and has agreed to pay $4.5 billion in government penalties, the U.S. Attorney General announced November 15. Of the penalties, $4 billion will resolve criminal charges. An additional $525 million will be paid to resolve claims brought by the U.S. Securities and Exchange Commission that BP lied to investors by understating the amount of oil flowing into the Gulf. Separate from the corporate manslaughter charges, a federal grand jury returned an indictment charging the two highest-ranking BP supervisors on board the Deepwater Horizon on the day of the explosion with 23 criminal counts. The two men were charged with seaman’s manslaughter and involuntary manslaughter for each of the 11 men killed in the blast, as well as a criminal violation of the Clean Water Act. The grand jury also charged BP’s second-highest ranking representative at the company’s unified command post with hiding information from Congress and allegedly lying to law enforcement officials. The company also will plead guilty to a felony count of obstruction of Congress, a misdemeanor count under the Clean Water Act, and a misdemeanor count under the Migratory Bird Treaty Act. The fine comes on top of the $20 billion that the company has agreed to pay into a trust fund to meet damage claims from the millions of gallons of oil spilled into the Gulf. BP said it expects to pay a final $860 million into that fund this quarter. Transocean, the owner and operator of the rig, still had unresolved liability issues. The U.S. Department of Justice, in a September filing, said that company was also grossly negligent. Source:

  • The United States electrical grid is vulnerable to terrorist attacks, including cyber strikes, which could cause far more damage than those associated with natural disasters such as Hurricane Sandy, according to a report released November 14. – Reuters

3. November 14, Reuters – (National) Report warns electricity grid vulnerable to attack. The electrical grid is vulnerable to terrorist attacks, including cyber strikes, that could cause far more damage than those associated with natural disasters such as Hurricane Sandy, according to a report released November 14. Without urgent attention to security, the United States risks having large parts of the country blacked out “for weeks or months” at a cost of billions of dollars, the National Research Council said. “Major cascading blackouts in the U.S. Southwest in 2011, and in India in 2012, underscore the need for the measures discussed in this report,” the group said. Over the past 5 years, the potential for cyber attacks on critical elements of the electric power delivery system — including communications, sensors and controls, or other key infrastructure — has risen sharply. “Any telecommunication link that is even partially outside the control of the system operators could be an insecure pathway into operations and a threat to the grid,” the report said. The sprawling power transmission system, spread across hundreds of miles and with many key facilities unguarded, is “inherently vulnerable,” according to the council. Deregulation in the mid-1990s, designed to increase competition in the supply of bulk power, was said to have put the network even more at risk. As a result, many parts of the bulk high-voltage system are heavily stressed and at risk of multiple failures should an attack occur. Source:

  • United Airlines grounded certain flights across the United States November 15 due to a glitch in the computer system that controls the airline’s ground operations. – Fox Business

15. November 15, Fox Business – (National) United flights resuming after nationwide computer glitch. United Airlines grounded certain flights across the United States November 15 due to a glitch in the computer system that controls the airline’s ground operations. A United spokesperson said that the internal system was “up and running,” adding that the airline is “getting back to normal.” The glitch caused “some but not all mainline flights” to be delayed, though United Express was not impacted, the spokesperson said. The system outage was related to United’s Unimatic ground operation software. United said some computer activity had resumed, though it was not clear how long it would take to completely resolve all of the issues. The carrier has been plagued by a number of computer outages since its merger with Continental. Since the two carriers combined their computer systems in March, outages have been reported in March, May, and August of 2012. Source:

  • The contractor hired by the South Carolina Department of Revenue to provide computer security focused on the agency’s compliance with rules governing the handling of credit-card information, not on stopping malicious programs such as those that hackers used to steal the tax records of 4.5 million South Carolina consumers and businesses. – Columbia State

29. November 14, Columbia State – (South Carolina) Security contractor didn’t detect hacker from SCDOR website. The contractor hired by the South Carolina Department of Revenue to provide computer security focused on the agency’s compliance with rules governing the handling of credit-card information, not on stopping malicious programs such as those that hackers used to steal the tax records of 4.5 million South Carolina consumers and businesses, the Columbia State reported November 14. The Revenue Department also had its own computer security system that ran periodic scans for viruses and malware that hackers could use. Neither security effort prevented or detected the massive theft, which was carried out using State-approved credentials; State officials learned of the breach from the U.S. Secret Service a month after the data was taken. While many questions remain about how the hacking occurred, the South Carolina governor ordered more computer security November 15 for the 16 State agencies that are part of her Cabinet. The agencies will use the Division of State Information Technology’s computer network monitoring services, which can spot unusual uploads or downloads and malicious programs within minutes. The State will assign four employees to provide around-the-clock monitoring of computer systems, including spotting inappropriate log-ins. Source:
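The item above makes a point worth dwelling on: the theft was carried out with valid credentials, so antivirus scans and a PCI-style compliance review had nothing to match against, and only behavioural monitoring (unusual transfers, inappropriate log-ins) could have caught it. The following added example, which is not SCDOR's or the Division of State Information Technology's tooling, shows what such logic looks like as a single pass over a stream of log lines. The log format, host and user names, IP addresses, business-hours window and the 10x transfer threshold are all constructed assumptions.

```python
"""Added example: behavioural detection over constructed log lines.
Flags off-hours logins, a first-seen source IP for an account, and an
outbound transfer far above a host's own prior volume. Not real SCDOR data."""
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (assumed format, one event per line):
#   auth <ISO timestamp> user=<name> src=<ip> result=<ok|fail>
#   xfer <ISO timestamp> host=<name> dst=<ip> bytes=<n>
# Lines 1-5 are routine activity; lines 6-7 model the credential-based
# intrusion and bulk export described in the item.
SAMPLE_LOG = """\
auth 2012-08-13T09:02:11 user=jsmith src=10.1.4.22 result=ok
auth 2012-08-14T08:55:40 user=jsmith src=10.1.4.22 result=ok
xfer 2012-08-14T10:00:00 host=dbsrv01 dst=10.1.9.5 bytes=52000000
xfer 2012-08-15T10:00:00 host=dbsrv01 dst=10.1.9.5 bytes=48000000
xfer 2012-08-16T10:00:00 host=dbsrv01 dst=10.1.9.5 bytes=51000000
auth 2012-08-27T02:13:05 user=jsmith src=203.0.113.77 result=ok
xfer 2012-08-27T02:40:19 host=dbsrv01 dst=203.0.113.77 bytes=8200000000
"""

BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local time; an assumption
MIN_BASELINE_SAMPLES = 3       # do not judge a host until it has a history


@dataclass
class Alert:
    line_no: int
    rule: str
    detail: str


def parse(line: str) -> tuple[str, datetime, dict[str, str]]:
    """Split 'kind timestamp k=v k=v ...' into its parts."""
    kind, ts, *kv = line.split()
    return kind, datetime.fromisoformat(ts), dict(p.split("=", 1) for p in kv)


def detect(log_text: str, xfer_factor: float = 10.0) -> list[Alert]:
    """One pass over the log; state is only what has been seen so far, so the
    alerts fire on the line where the anomaly first appears, not in a later
    batch run. Returns alerts in log order."""
    seen_ips: dict[str, set[str]] = defaultdict(set)   # user -> known source IPs
    volumes: dict[str, list[int]] = defaultdict(list)  # host -> prior transfer sizes
    alerts: list[Alert] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        kind, ts, f = parse(line)
        if kind == "auth" and f["result"] == "ok":
            user, src = f["user"], f["src"]
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(Alert(n, "off-hours-login", f"{user} at {ts.isoformat()}"))
            # A new IP for an account with an established history is the
            # signal; the very first login of a new account is not judged.
            if seen_ips[user] and src not in seen_ips[user]:
                alerts.append(Alert(n, "new-source-ip", f"{user} from {src}"))
            seen_ips[user].add(src)
        elif kind == "xfer":
            host, size = f["host"], int(f["bytes"])
            prior = volumes[host]
            if len(prior) >= MIN_BASELINE_SAMPLES:
                baseline = statistics.median(prior)  # median resists one prior spike
                if size > xfer_factor * baseline:
                    alerts.append(Alert(n, "bulk-transfer",
                                        f"{host} sent {size} bytes vs median {baseline:.0f}"))
            prior.append(size)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.rule}: {a.detail}")
```

On the constructed input the benign first five lines produce nothing, line 6 raises both an off-hours and a new-source-IP alert for the same login, and line 7 trips the bulk-transfer rule. The caveat a practitioner would add: an attacker who paces the export under the per-host baseline, or who first logs in during business hours from a compromised internal machine, defeats these three rules, which is why the item's "four employees ... around-the-clock" matters as much as the tooling.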


Banking and Finance Sector

10. November 15, Sacramento Bee – (California) Fraud suspect accused of cheating businesses, Inyo County tribe. A former El Dorado Hills, California businessman was arrested on charges of running a multimillion-dollar insurance fraud that cost a California Indian tribe $7 million and targeted a host of employers. The man was arrested October 24 in Arizona on fraud and money-laundering charges, federal prosecutors said. According to the indictment, he set up a company in Roseville called Independent Management Resources to provide low-cost workers’ compensation insurance to construction contractors, roofers, “and other high-risk occupations.” The man partnered with the Fort Independence Indian Reservation of Inyo County to establish a company called Independent Staffing Solutions (ISS), according to an Assistant U.S. Attorney. The tribe owned ISS but the man’s firm essentially ran it, the indictment said. After getting clients, he then “began diverting and misappropriating millions of dollars … for his personal use,” the U.S. attorney’s office alleged. The man’s firm filed for bankruptcy protection in Nevada in 2008. Court records said his firm owed the tribal-owned company $7 million. Source:

11. November 14, Chicago Tribune – (Illinois) FBI: Two more banks hit by ‘Stringer Bell Bandit’. The FBI said the “Stringer Bell Bandit” hit two more banks in Chicago’s Loop area, bringing to seven the number of banks he has robbed or tried to rob since early October, the Chicago Tribune reported November 14. The robber — so named because he resembles a lead character in the HBO show The Wire — entered a Chase Bank branch November 13 and approached a teller’s window with his right hand in his pocket, according to the FBI and police. He displayed a note and told the teller, “Empty the drawer,” according to a police report. But he ran off when the teller asked for help from her supervisor because she did not understand what he wanted. About 3 hours later, the same man entered a Citibank branch, shaking and acting erratically, and demanded money. The teller handed over cash from the drawer and the robber said, “Thank you,” and walked out, the report said. Source:

12. November 14, U.S. Federal Bureau of Investigation – (Oregon) Former Oregon broker pleads guilty to mortgage fraud scheme involving approximately $7M in bad loans. A man pleaded guilty November 13 to conspiracy to commit bank fraud and bank fraud charges related to a mortgage fraud scheme in central Oregon. The man admitted that he caused financial institutions to lose between $2.5 million and $7 million in bad loans he pushed through as a licensed mortgage broker with his company Deschutes Mortgage Group in Bend, Oregon. According to court records, he and others prepared and submitted fraudulent home loan applications and other false documents to lending institutions to obtain financing to purchase real estate. To convince financial institutions to approve the loans and advance loan funds, he and others falsely inflated borrowers’ monthly incomes, omitted borrowers’ liabilities, falsely claimed on home loan applications that the financing was for a primary residence, and used straw buyers to obtain financing for real estate. Additionally, the man and others caused large amounts of money to be deposited into borrowers’ checking accounts to temporarily inflate their account balances, thereby causing borrowers’ banks to generate false verifications of deposit (VOD). These VODs were used by him and others to falsely prove cash reserves to the lending institutions as a material part of the loan approval process. Source:

13. November 14, Threat Post – (International) Planned cyberattacks on US banks on hold. The hacker behind a planned coordinated attack against major U.S. banks such as Bank of America, Chase, Citibank, PNC, Wells Fargo, and nearly two dozen other banks called off the operation after media reports surfaced a month ago exposing the planned attacks, Threat Post reported November 14. Known as vorVzakone, the Russian has pulled back on his attempt to recruit 100 botmasters for massive man-in-the-middle attacks against American banks. Security blog Krebs on Security named vorVzakone as the mastermind behind the wire-fraud campaign. “Based on a communication posted following the media hype, vorVzakone has since given up on his attack plans for now,” said the head of business development for online threats managed services at RSA. “As a result, he has retreated to the deeper Web where we believe he may regroup and plan his attack albeit more secretly.” The scheme centered around an obscure piece of crimeware known as Gozi-Prinimalka, an offshoot of the Gozi banking Trojan. VorVzakone was recruiting up to 100 participants for the attack, initially planned for the first week of November. An RSA FraudAction research team member said in October that this was the first time a private cybercrime organization had recruited outsiders for such an attack. The attackers were promised a cut for their efforts, and were only to be given executable files by vorVzakone, keeping the recruits dependent on him for updates. Source:

For another story, see item 35 below in the Information Technology Sector

Information Technology Sector

33. November 15, Dark Reading – (International) Most organizations unprepared for DDoS attacks, study says. Organizations are becoming increasingly concerned about system availability as they experience more and more distributed denial-of-service (DDoS) attacks, a new study said. The study, conducted by the Ponemon Institute, surveyed 705 IT security professionals on issues related to downtime and DDoS. While security pros have traditionally been focused on preventing data theft or corruption, today’s professionals are more worried about system availability, the study says. “DDoS attacks cost companies 3.5 million dollars every year,” Ponemon says. “Sixty-five percent reported experiencing an average of three DDoS attacks in the past 12 months, with an average downtime of 54 minutes per attack.” Most organizations do not have the ability to strike back at attackers. “While 60 percent say they want technology that slows down or even halts an attacker’s computer, the majority (63 percent) of respondents give their organizations an average or below average rating when it comes to their ability to launch counter measures,” the report states. Three-quarters of organizations still rely on antivirus and anti-malware to protect themselves from attacks. Source:

34. November 15, Government Computer News – (National) Supply chain threats ‘hard to detect, expensive to fix’. A Congressional intelligence panel recommends that “the United States should view with suspicion the continued penetration of the U.S. telecommunications market by Chinese telecommunications companies,” and a recent report on emerging threats identifies supply chain security as a growing concern. The House Permanent Select Committee on Intelligence warned against Chinese telecom vendors in its report, “The U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE,” released in October. The 60-page report noted that telecom plays a critical role in national security and is already being targeted by other nations. Additionally, a report from the Georgia Tech Information Security Center and Georgia Tech Research Institute characterizes supply chain threats as “hard to detect, expensive to fix, and a policy nightmare,” with few good solutions. Supply chain threats involve the inclusion of back doors, malicious code, or other flawed hardware, software, or firmware in products; the threats can occur anywhere along the line, from developers and manufacturers to vendors and integrators. They can include substandard or illegal counterfeit goods as well as maliciously designed products that can allow unauthorized access to sensitive systems, including critical infrastructure. Source:

35. November 15, The Register – (International) Opera site served Blackhole malvertising, says antivirus firm. Opera has suspended ad-serving on its portal as a precaution while it investigates reports that surfers were being exposed to malware simply by visiting the Norwegian browser firm’s home page. Malicious scripts loaded by the portal were redirecting users towards a malicious site hosting the notorious BlackHole exploit kit, according to BitDefender, which said it had detected the apparent attack on its automated systems. BitDefender said it promptly warned Opera after it detected the problem November 14. It seems likely the scripts had been loaded through a third-party advertisement, a practice commonly known as malvertising. Opera has yet to confirm the problem, but has disabled advertising scripts on its portal in case they are tainted. A blog post by BitDefender claimed that cybercrooks were using obfuscated script to hide the attack. In controlled tests, BitDefender researchers were served a PDF-based exploit designed to infect an unlucky user with a freshly compiled variant of the infamous ZBot (ZeuS) banking Trojan. The exploit was served from a server in Russia, according to BitDefender. Source:

36. November 15, CNET News – (International) Adobe suffers database leak, user forum taken offline. Adobe has temporarily closed one of its user forums after a hacker caused a data breach. The forum allows Adobe customers to share information and opinions about its Connect online conferencing service. After a hacker hailing from Egypt posted a purported file dump containing user details from the site on Pastebin, Adobe preemptively took down the forum and said it will reset the passwords of affected site members. The file dump, posted by the alleged hacker using the alias ViruS_HimA, apparently contains over 150,000 e-mail addresses and passwords of Adobe employees, the U.S. military, and companies including Google and NASA. E-mail addresses ending in .mil and .gov have been released only as a screenshot. According to The Hacker News, ViruS_HimA uploaded a PHP shell to the Web site, and was then able to look for database configuration files in order to steal the forum credentials, before exporting and dumping the database. ViruS_HimA said he undertook the attack to shed light on how slow Adobe is to fix security issues after it receives security notifications. The hacker also claims that Yahoo is the next target. Source:
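The attack chain in the item above (upload a PHP shell, read the database configuration, dump the database) starts with an upload handler that lets a client-named file land somewhere the web server will execute it. The following added example, which is not Adobe's or the forum software's code, puts a handler with that defect beside a hardened one and models a PHP-enabled web server just far enough to show which uploads it would run. The filesystem is simulated with a dict so it runs offline; the directory paths, the allowed image types, and the assumption that the server executes any file under the web root carrying a `.php` extension (the behaviour of Apache's `AddHandler` matching, which also fires on names like `x.php.png`) are assumptions of the example.

```python
"""Added example: naive vs. hardened file-upload handling.
Not the forum's code; paths and server behaviour are assumptions."""
import posixpath
import re
import secrets

WEB_ROOT = "/var/www/forum"        # assumed document root, PHP enabled
UPLOAD_DIR = "/var/forum-uploads"  # assumed: outside the web root, never executed

# Allowed extension -> leading bytes ("magic") the content must carry.
ALLOWED_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Stem may not contain a dot, so 'avatar.php.png' is rejected outright.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(png|jpg|gif)")


class UploadRejected(ValueError):
    pass


def would_execute(path: str) -> bool:
    """Model of the assumed server: anything under WEB_ROOT whose name has
    'php' among its extensions is executed as a script."""
    if not path.startswith(WEB_ROOT + "/"):
        return False
    return "php" in posixpath.basename(path).lower().split(".")[1:]


def naive_save(fs: dict, filename: str, data: bytes) -> str:
    """Vulnerable: trusts the client's filename and writes it under the
    web root, so an uploaded 'shell.php' becomes reachable and executable."""
    path = posixpath.join(WEB_ROOT, "uploads", filename)
    fs[path] = data
    return path


def hardened_save(fs: dict, filename: str, data: bytes) -> str:
    """Hardened: basename only, allowlisted name pattern, content must match
    the declared type, server-chosen random name, stored outside the web root."""
    base = posixpath.basename(filename.replace("\\", "/"))  # drops any ../ prefix
    if not SAFE_NAME.fullmatch(base):
        raise UploadRejected(f"filename {base!r} not allowed")
    ext = base.rsplit(".", 1)[1].lower()
    if not data.startswith(ALLOWED_MAGIC[ext]):
        raise UploadRejected("content does not match declared type")
    # The client never chooses the stored name, so it cannot overwrite
    # existing files or smuggle a second extension.
    path = posixpath.join(UPLOAD_DIR, f"{secrets.token_hex(16)}.{ext}")
    fs[path] = data
    return path


def hardened_rejects(fs: dict, filename: str, data: bytes) -> bool:
    """True if the hardened handler refuses this upload."""
    try:
        hardened_save(fs, filename, data)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    fs = {}
    p = naive_save(fs, "shell.php", b"<?php echo 'hello'; ?>")
    print(p, "executes:", would_execute(p))
    q = hardened_save(fs, "../../avatar.png", ALLOWED_MAGIC["png"] + b"\x00" * 8)
    print(q, "executes:", would_execute(q))
```

The second step of the chain, reading database configuration from the document tree, is a separate control: keep credentials outside the web root and readable only by the application user, so a shell that does run still finds nothing useful to read.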

For more stories, see items 3 and 29 above in Top Stories, 13 above in the Banking and Finance Sector and 38 below in the Communications Sector

Communications Sector

37. November 14, New Bern Sun Journal – (North Carolina; Virginia; Tennessee) Internet problem hits three States. On November 14, thousands of Internet customers in North Carolina, Virginia, and Tennessee were affected when CenturyLink experienced network problems. The market development manager for CenturyLink said the service had been restored after several hours. “On the morning of Nov. 14, we experienced a fiber cut due to third-party construction, which caused intermittent service outages in North Carolina, Virginia, and Tennessee over the course of 3 1/2 hours,” he said in a statement. Source:

38. November 14, – (International) Skype claims account hijack flaw fixed. Skype said it has addressed a security flaw which had left users vulnerable to account theft and forced the company to suspend its password recovery service, it was reported November 14. The company said that the flaw is now resolved and users can once again request password recoveries. The vulnerability had allowed an attacker to take control of an account simply by knowing the target’s email address. While Skype did not disclose how many accounts were compromised, the company said that only a “small number” of users who had multiple accounts registered to the same email address were affected. Source:

For more stories, see items 3 above in Top Stories and 32 and 34 above in the Information Technology Sector

Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site:

Contact Information

Content and Suggestions: Send mail to or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List:     Send mail to

Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure Coordinating Center at or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at or visit their Web page.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.