Monday, November 26, 2012

Daily Report

Top Stories

• A crucial 200-mile stretch of the Mississippi River may be on the verge of shutdown to barge traffic, a move that could paralyze commerce on a vital inland waterway and ultimately drive up consumer prices. – USA Today

6. November 23, USA Today – (National) Mississippi River commerce imperiled by low water. A crucial 200-mile stretch of the Mississippi River may be on the verge of shutdown to barge traffic, a move that could paralyze commerce on a vital inland waterway and ultimately drive up consumer prices. The temporary closure of the Mississippi River from St. Louis to Cairo, Illinois, could result from an Army Corps of Engineers plan to reduce water flow from a reservoir into the Missouri River starting November 23, shipping companies and industry groups warned. The Corps annually decreases water releases to ensure adequate reservoir levels and to prevent ice buildup and flooding. In 2012, already-low river levels caused by drought could shrink to the point that barges carrying grain, coal, and other products would not be able to navigate the Mississippi, said a spokesperson with the Waterways Council, which represents ports and shippers. “This is an impending economic crisis that could delay shipment of $7 billion in commodities in December and January,” she said. A Corps spokeswoman said water releases from the reservoir at Gavins Point Dam on the Nebraska-South Dakota border will drop gradually starting November 23 from 36,000 cubic feet per second to 12,000 by December 11. Due to the drought, most vessels on the Mississippi River are now limited to a 9-foot draft, said a spokesperson with Knight Hawk Coal. “If we go to 6-foot drafts, the river is effectively closed,” he said. Source:

• Testing by the U.S. Food and Drug Administration on steroid medications produced by the New England Compounding Center found more contaminants in additional drugs. – Nashville Tennessean

21. November 21, Nashville Tennessean – (National) Meningitis outbreak: FDA finds more contaminants in NECC meds. Testing by the U.S. Food and Drug Administration (FDA) on steroid medications produced by New England Compounding Center has found more contaminants in additional drugs, the Nashville Tennessean reported November 21. The FDA has updated its list of lot numbers for contaminated drugs after finding unknown fungal growths in triamcinolone and betamethasone. It also found three forms of bacteria in betamethasone and one form of bacteria in triamcinolone. New England Compounding Center’s products have been linked to a national outbreak of fungal meningitis and other infections that have sickened 490 people, with 34 deaths. Tennessee has had the most deaths with 13 and the second-most illnesses with 82. This is the first time that the FDA has confirmed contaminants in triamcinolone. However, the agency previously said in an inspection report that foreign substances were found on heating and cooling vent louvers behind a piece of equipment used to make bulk drug suspensions of preservative-free methylprednisolone and triamcinolone.

• Nearly 50 female inmates at a York County, Pennsylvania prison were treated for carbon monoxide poisoning. Officials said a preliminary investigation indicated the deadly odorless and colorless gas may have come from the heating, ventilation, and air conditioning system. – Associated Press

23. November 22, Associated Press – (Pennsylvania) 49 female inmates sickened by gas at Pa. prison. Nearly 50 female inmates at a York County, Pennsylvania prison were treated for carbon monoxide poisoning. A statement from York County said five inmates remained hospitalized as of November 22. The remaining 44 were returned to the York County Prison. The women fell ill November 21 in a prison dormitory. Officials said a preliminary investigation indicated the deadly odorless and colorless gas may have come from the heating, ventilation, and air conditioning system. That system was shut down. The county’s statement said carbon monoxide levels have returned to normal. Prisoners living in the affected unit were relocated to other areas in the facility. Source:

• Internet service was restored November 21 for Charter Communications customers after vandals cut a fiber-optic cable, crashing service across northern California for about 18 hours. The outage affected local Internet service providers and the City of Redding’s systems as well. – Redding Record Searchlight See item 33 below in the Communications Sector


Banking and Finance Sector
3. November 23, Silicon Republic – (International) Fake Apple invoices in your inbox could lead to empty bank accounts. Fake Apple invoices are appearing in inboxes that lead to the Blackhole exploit kit and a trojan designed to log users’ keystrokes and ultimately compromise bank accounts, Silicon Republic reported November 23. The multi-pronged approach was discovered by a Sophos researcher who reported it on the Naked Security blog. The criminals circulating the fake invoices rely on social engineering: recipients believe they are being billed for an expensive product they never bought. In the researcher’s case, the invoice claimed he had ordered and paid for goods valued at $699. If a user clicks any of the links in the email, they are taken to a page claiming to be from the IRS that says their browser is unsupported and offers a range of browser options. As the page is displayed, the exploit kit attempts to infect the user’s computer with the Zeus/Zbot trojan. If the user clicks any of the browser options, a file labeled update.exe is downloaded; opening it infects the computer with the trojan, which records keystrokes and ultimately gives criminals the information they need to access the user’s bank account online.

4. November 23, The H – (International) DDoS attackers cost PayPal 3.5 million pounds. PayPal paid around $5.6 million to defend and arm itself against distributed denial-of-service (DDoS) attacks, The H reported November 23. The attacks in 2010 and 2011 were named Operation Payback by members of hacktivist collective Anonymous. The details were revealed in a court case in the United Kingdom where a defendant is facing charges of conspiring to impair the operation of computers. The BBC reported the prosecution as saying that more than one hundred workers from eBay, PayPal’s parent company, spent 3 weeks working on DDoS-attack-related issues and that PayPal had bought software and hardware to defend itself against further attacks. Source:

Information Technology Sector

26. November 23, Krebs on Security – (International) Yahoo email-stealing exploit fetches $700. A zero-day vulnerability in that lets attackers hijack Yahoo! email accounts and redirect users to malicious Web sites offers a fascinating glimpse into the underground market for large-scale exploits. The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a “cross-site scripting” (XSS) weakness in that lets attackers steal cookies from Yahoo! Webmail users. Such a flaw would let attackers send or read email from the victim’s account. “I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers,” wrote the vendor of this exploit, using the hacker handle ‘TheHell.’ “And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss.” Krebs On Security alerted Yahoo! to the vulnerability, and the company says it is responding to the issue. The director of security at Yahoo! said the challenge now is working out the exact URL that triggers the exploit. The browser XSS filters the seller refers to only catch reflected payloads, which appear in the request that produced the page; a stored payload is served by the site itself, so the fix has to be output encoding on the server, with HttpOnly session cookies limiting what a successful injection can steal.

27. November 23, Softpedia – (International) Cybercriminals use fake digital certificates to sign police trojans. Cybercriminals have begun signing ransomware with fake certificates so that the malware has a better chance of evading digital signature checks. Trend Micro experts have come across two samples, detected as TROJ_RANSOM.DDR, both signed under a suspicious name with a certificate issued by an equally suspicious provider. One sample invokes the FBI to scare Internet users into paying a fine to have their computers unlocked, while the other uses the reputation of the UK’s Police Central e-Crime Unit. Newer variants lock the computer and display threats tailored to the victim’s geographic location: both the language of the payment demand and the name of the law enforcement agency are adapted. A certificate from an untrusted issuer does not chain to a trusted root, so such signatures fail proper validation; they defeat only checks that treat the mere presence of a signature as a sign of legitimacy. Source:

28. November 23, Softpedia – (International) Sucuri warns of fake jQuery sites distributing malware. Cybercriminals have set up a number of fake jQuery Web sites and are using them to distribute pieces of malware. Experts from Sucuri Malware Labs have identified at least three such sites. The,, and domains are the ones in question. According to researchers, references to have been found in the header of the index.php file of numerous sites. Users are advised to steer clear of such sites. The legitimate jQuery sites are and Other variants, even if they look legitimate, are likely fake. Source:
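As an added example (not from Sucuri or Softpedia), here is the check a site owner would run against their own pages after reading the item above: collect every `<script src>` on a page and flag hosts that are not on an explicit allowlist of CDNs. The allowlist, the sample page, and the lookalike hostname `jquery-cdn.example.net` are this example's own assumptions; they are not the domains the report names.

```python
"""Flag externally loaded scripts whose host is not on a trusted allowlist.

Added example, not the Sucuri tool or code from the report. Allowlist and
sample page are assumed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for this example: the only hosts allowed to serve script to our pages.
TRUSTED_SCRIPT_HOSTS = {"code.jquery.com", "ajax.googleapis.com"}

# Constructed sample page: two trusted loads, one lookalike, one same-origin, one inline.
SAMPLE_PAGE = """<html><head>
<script src="https://code.jquery.com/jquery-1.8.3.min.js"></script>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
<script src="http://jquery-cdn.example.net/jquery.js"></script>
<script src="/static/app.js"></script>
<script>var inline = 1;</script>
</head><body></body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Gather the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value.strip())


def script_sources(page_html):
    parser = ScriptSrcCollector()
    parser.feed(page_html)
    return parser.sources


def external_host(src):
    """Lower-cased host of an absolute or protocol-relative URL; None for same-origin paths."""
    if "://" in src or src.startswith("//"):
        host = urlsplit(src).hostname
        return host.lower() if host else None
    return None


def untrusted_scripts(page_html, trusted=TRUSTED_SCRIPT_HOSTS):
    """Return (src, host, reason) for each external script not served from a trusted host.
    Matching is exact: a lookalike such as jquery-cdn.example.net is not a trusted host
    just because the library name appears in it."""
    findings = []
    for src in script_sources(page_html):
        host = external_host(src)
        if host is None or host in trusted:
            continue
        reason = "host not on allowlist"
        if "jquery" in host:
            reason += "; name mimics jQuery"
        findings.append((src, host, reason))
    return findings


if __name__ == "__main__":
    for src, host, reason in untrusted_scripts(SAMPLE_PAGE):
        print(f"{host}: {reason} ({src})")
```

Run it over the output of your own site's `index.php` (or any template header) rather than the stored source, since injected references often live in the generated page.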

29. November 23, Softpedia – (International) Cybercriminals hack DNS records of Go Daddy sites to distribute ransomware. Cybercriminals have found a clever way to distribute ransomware: they alter the Domain Name System (DNS) records of Web sites hosted by Go Daddy so that visitors are redirected to their own malicious servers. According to researchers from security firm Sophos, the attackers add subdomains to the victim’s zone whose DNS entries point at IP addresses they control. Because the malicious links sit under a legitimate, established domain, they evade reputation-based security filtering and trick users into thinking they are on a legitimate site. In this case, the rogue servers host an exploit kit called Cool EK, which probes the visitor’s system for vulnerabilities and delivers ransomware. Experts have not been able to determine whether the attackers are using stolen account credentials, because Go Daddy does not allow webmasters to view their historical login activity. Source:
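Because the hosting panel gives no login history, the practical detection for the technique above is to audit the zone itself. The following is an added example (not from Sophos, Softpedia, or Go Daddy) that parses a zone export and flags A/AAAA records that point outside the address ranges you own or name hosts you never created. The zone text, the owned network, and the hijacked subdomains are constructed for this example; the low-TTL heuristic is a general one added here, not something the report states.

```python
"""Audit a DNS zone for records that point outside the addresses the owner controls.

Added example, not from the original report. Sample zone and policy are assumed.
"""
import ipaddress

# Constructed zone export in the usual "owner TTL class type rdata" layout.
SAMPLE_ZONE = """\
example.com.               3600 IN A    203.0.113.10
www.example.com.           3600 IN A    203.0.113.10
mail.example.com.          3600 IN A    203.0.113.25
example.com.               3600 IN MX   10 mail.example.com.
; the next two records were not created by the site owner (constructed for this example)
a1b2c3.example.com.        300  IN A    198.51.100.77
secure-update.example.com. 300  IN A    198.51.100.78
"""

# Assumed policy: addresses the organisation actually uses, and the hosts it expects to exist.
OWNED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
KNOWN_HOSTS = {"example.com.", "www.example.com.", "mail.example.com."}


def parse_zone(text):
    """Parse simple zone lines into dicts; comments (';') and blank lines are ignored."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, ttl, _klass, rtype, rdata = line.split(None, 4)
        records.append({"owner": owner.lower(), "ttl": int(ttl),
                        "type": rtype.upper(), "rdata": rdata})
    return records


def audit_zone(records, owned_networks=OWNED_NETWORKS, known_hosts=KNOWN_HOSTS):
    """Return (owner, address, reasons) for every address record that looks injected."""
    findings = []
    for r in records:
        if r["type"] not in ("A", "AAAA"):
            continue
        addr = ipaddress.ip_address(r["rdata"])
        reasons = []
        if not any(addr in net for net in owned_networks):
            reasons.append("address outside owned ranges")
        if r["owner"] not in known_hosts:
            reasons.append("host name not in inventory")
        if r["ttl"] < 600:
            # Heuristic: attacker-added records are often given short TTLs so they can be moved quickly.
            reasons.append("unusually low TTL")
        if reasons:
            findings.append((r["owner"], r["rdata"], reasons))
    return findings


if __name__ == "__main__":
    for owner, addr, reasons in audit_zone(parse_zone(SAMPLE_ZONE)):
        print(f"{owner} -> {addr}: {', '.join(reasons)}")
```

Schedule the audit against a fresh export and alert on any new finding; a record that appears between runs without a change ticket is the signal the hosting panel does not give you.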

30. November 23, Softpedia – (International) ENISA releases report on the use of honeypots to detect cyberattacks. Digital traps, or honeypots, are widely used by security researchers to detect and analyze cyber threats. However, according to the European Network and Information Security Agency (ENISA), their use among Computer Emergency Response Teams (CERTs) is not as widespread as it should be. In an earlier report, “Proactive Detection of Network Security Incidents,” ENISA detailed the benefits of using honeypots to detect and investigate attacks, yet despite their effectiveness many CERTs have not deployed them. The new study therefore evaluates 30 honeypot technologies to offer insight into which solutions should be used, and examines the critical issues organizations face and practical deployment strategies. Honeypots have been used successfully on many occasions in recent years. They are designed to mimic a real service, application, or system in order to lure attackers; because no legitimate user has any reason to connect to one, any connection is treated as suspicious and every action is closely monitored for malicious activity. Source:

31. November 22, Softpedia – (International) Experts find way to crack default WPA2 passwords of Belkin routers. Security researchers claim that the default WPA2 passwords used by many Belkin routers can be computed by an attacker who knows the device’s WAN MAC address. A number of Belkin wireless routers ship with a default WPA2 password, printed on a label on the bottom of the router, that appears to be random. In theory this approach should be more secure, because the factory password is likely stronger than what many users would choose themselves, but the passphrases turn out not to be random at all. The researchers determined that the password is derived from the device’s WAN MAC address, and since that address is not difficult to obtain, an attacker within wireless range could easily join a targeted network that still uses the default configuration. The 8-character default password is produced by replacing hex digits of the WAN MAC address with characters from a static substitution table. Several device models are affected, including the Belkin N450 Model F9K1105V2 and the Belkin Surf N150 Model F7D1301v1. Owners of affected models should replace the factory passphrase with one of their own. Source:
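To make the structural weakness concrete, here is an added example (not the researchers' code, and not Belkin's algorithm) of a MAC-derived default passphrase. The substitution table is a placeholder invented for this example, since the report does not reproduce the real one, and the choice of the last eight MAC hex digits is likewise an assumption. The `candidates_from_bssid` helper assumes the WAN MAC is within a small offset of the wireless BSSID, which is an assumption of this example rather than a claim about Belkin's MAC assignment. What the code shows is that once table and algorithm are known, the passphrase carries no entropy beyond the MAC address.

```python
"""MAC-derived default passphrase: derivation, defender check, and keyspace.

Added example; the table and digit selection are placeholders, not Belkin's.
"""
import re

# Placeholder substitution table (hex digit -> passphrase character), assumed for this example.
SUBST = dict(zip("0123456789abcdef", "zk7q3m9x1v5c8n2w"))


def normalize_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-..., or bare hex; return 12 lower-case hex digits."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError("expected a 48-bit MAC address")
    return digits


def default_passphrase(wan_mac, table=SUBST):
    """Map the last eight hex digits of the WAN MAC through the table (assumed selection)."""
    return "".join(table[d] for d in normalize_mac(wan_mac)[4:])


def is_derived_default(passphrase, wan_mac, table=SUBST):
    """Defender check: does a router still use the MAC-derived factory passphrase?"""
    return passphrase == default_passphrase(wan_mac, table)


def candidates_from_bssid(bssid, offsets=range(0, 4), table=SUBST):
    """If only the wireless BSSID is observed, derive passphrases for the BSSID plus small
    offsets. The offset relationship is an assumption of this example."""
    base = int(normalize_mac(bssid), 16)
    out = []
    for off in offsets:
        mac = f"{(base + off) & 0xFFFFFFFFFFFF:012x}"
        out.append(default_passphrase(mac, table))
    return out


def effective_keyspace(table=SUBST, used_digits=8):
    """Distinct passphrases reachable from the table: at most 16**used_digits (about 4.3e9),
    and exactly one of them once the MAC is known, versus 36**8 for a genuinely random
    8-character lower-case alphanumeric passphrase."""
    return len(set(table.values())) ** used_digits


if __name__ == "__main__":
    mac = "08:86:3B:12:34:56"  # constructed sample MAC
    print("derived passphrase:", default_passphrase(mac))
    print("still factory default?", is_derived_default("qck7q3m9", mac))
    print("candidates from BSSID:", candidates_from_bssid("08:86:3B:12:34:55"))
    print("reachable keyspace:", effective_keyspace())
```

A fleet check is the `is_derived_default` call run over your asset inventory's WAN MACs and configured passphrases; any hit is a router that still needs its passphrase changed.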

32. November 21, Softpedia – (International) Exploitation of privileged access points: Common vector for high-profile attacks. A study by information security firm Cyber-Ark Labs finds that in most recent high-profile cyberattacks the common attack vector is the exploitation of privileged access points. These access points usually consist of administrative or privileged accounts, application backdoors, and hardcoded or default passwords. In recent months they have been used in the Flame attacks and in the attacks on companies such as Saudi Aramco and Subway. The executive vice president Americas of Cyber-Ark Software explains that cybercriminals are well aware of the power and wide-ranging access these access points provide, which is the main reason why future attacks

For another story, see item 4 above in the Banking and Finance Sector

Communications Sector

33. November 21, Redding Record Searchlight – (California) Vandals cut Charter Communications’ cable; crash Internet for 18 hours. Internet service was restored November 21 for Charter Communications customers after vandals cut a fiber-optic cable, crashing service across northern California for about 18 hours. The cable was cut near Emeryville, near Oakland. The outage halted email service and online bill payment services for all City of Redding departments. Charter officials said they did not know how many customers were affected. A spokeswoman for Charter said Comcast customers and local Internet service providers were also impacted by the disruption of service. The cable was cut by vandals November 20, which sent workers scurrying to repair the damage, a CenturyLink spokeswoman said November 21. Crews spliced the fiber line to make the repairs. Work was slowed because of flooding in the area, which sent water into manholes where the cable was located. Source:

Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site:

Contact Information

Content and Suggestions: Send mail to or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List:     Send mail to

Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure
Coordinating Center at or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at or visit their Web page at v.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.