Tuesday, November 27, 2012


Daily Report

Top Stories

 • Approximately 140 people including passengers and crew on board Royal Caribbean’s Voyager of the Seas developed gastrointestinal symptoms resembling norovirus upon returning from New Zealand to Sydney, according to a Royal Caribbean blog report November 23. – Denver Examiner

10. November 23, Denver Examiner – (International) Norovirus outbreak sickens 140 on Royal Caribbean’s ‘Voyager of the Seas’. Approximately 140 passengers and crew on board Royal Caribbean’s Voyager of the Seas developed gastrointestinal symptoms resembling norovirus upon returning from New Zealand to Sydney, according to a Royal Caribbean blog report November 23. Those infected with the stomach bug responded well to over-the-counter medications administered on board the ship. Cruise officials notified passengers November 23 that they would begin cleaning and sanitizing guest rooms per Centers for Disease Control and Prevention recommendations. Because of these events, long lines formed at the Overseas Passenger Terminal in Circular Quay, stretching hundreds of meters. The Voyager of the Seas can hold 3,138 passengers and over 1,100 crew members. Norovirus is spread person to person, particularly in crowded, closed places. Source: http://www.examiner.com/article/norovirus-outbreak-sickens-140-on-royal-caribbean-s-voyager-of-the-seas

 • Peanut products, manufactured by Sunland Inc. in Portales, New Mexico, responsible for sickening at least 41 people in the U.S. with Salmonella have fallen under the scrutiny of international food safety authorities, Food Safety News reported November 26. – Food Safety News

11. November 26, Food Safety News – (International) Sunland recall goes international. Peanut products manufactured by Sunland Inc. in Portales, New Mexico, responsible for sickening at least 41 people in the U.S. with Salmonella have fallen under the scrutiny of international food safety authorities in recent weeks, Food Safety News reported November 26. Consumers in Canada, Hong Kong, France, the United Kingdom, Italy, and Norway have received warnings about the potential danger of imported Sunland products. November 21, the UK’s Food Standards Agency issued a warning to UK consumers concerning Sunland’s products, noting that while Sunland products were likely not sold in UK supermarkets, they may be sold by some online retailers who import American foods. Consumers in Hong Kong were warned of Sunland peanut butter back November 8. Two Sunland-brand Valencia peanut butter products were imported to Hong Kong and may be contaminated. Canadians received a number of warnings about Sunland products as well, with many of the products recalled in the U.S. also having been shipped to Canada. Source: http://www.foodsafetynews.com/2012/11/sunland-recall-goes-international/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+foodsafetynews/mRcs+(Food+Safety+News)

 • Two individuals watching the Macy’s Thanksgiving Day Parade in New York City November 22 discovered that shredded documents containing sensitive police information were among the confetti being thrown for the parade. – Help Net Security

18. November 26, Help Net Security – (New York) Shredded police documents showered down on Macy’s parade spectators. Two individuals watching the Macy’s Thanksgiving Day Parade in New York City November 22 discovered that shredded documents containing sensitive police information were among the confetti being thrown for the parade. After picking it up and examining it, they realized it contained numbers and the acronym “SSN.” They thought the number was likely a social security number, and decided to gather more of the confetti strips lying around. They realized that some contained entire phone numbers, addresses, more social security numbers, license plate numbers, and other confidential information. Some contained information regarding police incident reports and police-controlled events. The logo and the information on the shredded documents made it possible to tie them to the Nassau County Police Department, which polices parts of Long Island. It was unknown how the strips ended up at the parade, but after being notified of the matter, the Nassau County Police Department stated that they will be conducting an investigation into this matter as well as reviewing their procedures for the disposing of sensitive documents. Macy’s said that they used only commercially manufactured multicolor confetti for the parade. Source: http://www.net-security.org/secworld.php?id=14012

 • A utility worker responding to reports of a natural gas leak in Springfield, Massachusetts, punctured a pipe and an unknown spark ignited a massive explosion that injured 18 people and damaged 42 buildings November 23. – Associated Press

27. November 25, Associated Press – (Massachusetts) Utility worker pierced pipe before Springfield, Mass., gas explosion that injured 18 people and damaged 42 buildings. A utility worker responding to reports of a natural gas leak in Springfield, Massachusetts, punctured a pipe and an unknown spark ignited a massive explosion that injured 18 people and damaged 42 buildings, the State fire marshal announced November 25. The November 23 natural gas blast in the city’s entertainment district was caused by “human error,” the fire marshal said at a news conference. The worker was trying to locate the source of the leak with a metal probe that tests natural gas levels when the probe damaged the underground pipe, he said. A flood of gas then built up in a building that housed a strip club, and a spark touched off the blast, officials said. Preliminary reports showed the blast damaged 42 buildings housing 115 residential units. Three buildings were immediately condemned, and 24 others require additional inspections by structural engineers to determine whether they are safe. The building that housed the Scores Gentleman’s Club was destroyed. After the pipe was ruptured, authorities evacuated several buildings. Most of the people injured were part of a group of gas workers, firefighters, and police officers who ducked for cover behind a utility truck just before the blast. The truck was destroyed. Source: http://www.nydailynews.com/news/national/utility-worker-pierced-pipe-mass-gas-explosion-article-1.1207741

Details

Banking and Finance Sector

6. November 25, KFVS 12 Cape Girardeau – (Missouri; Michigan) Forgery suspects found in Perryville. A Michigan man’s stolen credit card information led to the arrest of three men for credit card fraud in Perryville, Missouri. The Michigan man reported his card being used fraudulently in Perryville November 23. Police then used surveillance video to identify the suspects, who were later found at a local hotel. Police obtained a search warrant for the room where the suspects were found. Officers said they found a laptop computer connected to a stripe card reader/writer. They also found 112 credit cards and gift cards. Police said the suspects were creating usable credit cards and gift cards by transferring other persons’ personal information onto the cards. Police also found 23 more cards inside a vehicle owned by one of the suspects. They also found more than $1,000 worth of cigarettes, which were purchased using the fraudulent credit cards. Source: http://www.kfvs12.com/story/20177571/forgery-suspects-found-in-perryville

7. November 24, Orange County Register – (California) Police arrest suspect in ‘desperate bandit’ robberies. Law-enforcement authorities believe they arrested the “desperate bandit” November 23, wanted in connection with numerous bank robberies in California’s Orange, Riverside, and San Bernardino counties. Indio police arrested a man after a bank robbery in that city. A FirstBank branch was robbed after a man approached the teller with a note demanding money. Police radioed the car’s description and an officer spotted a vehicle matching that description on westbound I-10 about a mile west of the bank, an Indio police spokesman said. The car was pulled over and the driver arrested. A two-liter plastic bottle filled with clear liquid and suspicious wiring was found by investigators during a search of the car. The Riverside Sheriff’s Department sent out its Hazardous Device Team in response and determined that the device was not a bomb. FBI officials suspected the man might be connected to the nine robberies that occurred over the past year because of the nature of the crime and the man’s physical description. Source: http://www.ocregister.com/news/bank-378651-police-downing.html

Information Technology Sector

22. November 26, Threatpost – (International) Researcher finds nearly two dozen SCADA bugs in a few hours’ time. A researcher at Exodus Intelligence says that after spending a few hours looking for bugs in SCADA applications, he came up with more than 20, several of which are remote code-execution vulnerabilities. The vice president of research at Exodus said that finding the flaws was not even difficult. In fact, he said that locating the software was more difficult than finding the bugs themselves. He said he decided to go after the SCADA apps, which he had never researched before, after seeing a video posted by ReVuln the week of November 19. In the video, ReVuln researchers say they have server-side remote code-execution flaws in software from GE, Schneider Electric, Siemens, Kaskad, ABB/Rockwell, and Eaton. The Exodus researcher also found flaws in Schneider Electric, Rockwell, and Eaton apps, as well as in software from Indusoft and RealFlex. ReVuln does not disclose vulnerabilities to vendors, but instead keeps the information to itself and sells it to customers. The Exodus researcher, meanwhile, said he plans to disclose all of the bugs he found to the Industrial Control Systems-Cyber Emergency Response Team (ICS-CERT). Of the 23 bugs he discovered, 7 of them were remotely exploitable code execution flaws. Source: http://threatpost.com/en_us/blogs/researcher-finds-nearly-two-dozen-scada-bugs-few-hours-time-112612

23. November 25, The H – (International) eBay closes critical security holes. The online auction house eBay has fixed two vulnerabilities in its U.S. Web site. One of the vulnerabilities was a critical SQL injection hole in the site’s selling area that gave potential attackers unauthorized read and write access to one of the company’s databases. The hole was discovered by a security researcher, who confidentially reported the security issue to eBay. The researcher said that the company responded quite quickly and closed the hole after 20 days. The other hole was a cross-site scripting (XSS) vulnerability that enabled attackers to inject JavaScript code into the eBay server for execution via a specific URL. The vulnerability could have been exploited to steal other eBay users’ access credentials. The company told The Register November 22 that the hole had been fixed. Source: http://www.h-online.com/security/news/item/eBay-closes-critical-security-holes-1756422.html

24. November 23, Threatpost – (International) Symantec warns of new malware targeting SQL databases. Symantec is warning of a new bit of malware that appears to be modifying corporate databases, particularly in the Middle East, though it is showing up elsewhere in the world too. W32.Narilam, first discovered November 15, follows a pattern similar to other worms by copying itself onto infected machines, adding registry keys, and propagating through removable drives and network shares. “What is unusual about this threat is the fact that it has the functionality to update a Microsoft SQL database if it is accessible by OLEDB. The worm specifically targets SQL databases with three distinct names: alim, maliran, and shahd,” wrote a Symantec security researcher. Once Narilam finds the targeted databases, it looks for financial terms such as “BankCheck,” “A_sellers” and “buyername” and Persian terms like “Pasandaz” (“Savings”) and “Vamghest” (“Instant Loans”). The malware also deletes tables with the following names: A_Sellers, person and Kalamast. “The malware does not have any functionality to steal information from the infected system and appears to be programmed specifically to damage the data held within the targeted database,” the researcher wrote. The overall infection rate is low at the moment, but those whose networks are not properly protected could see business disrupted, he said. Source: http://threatpost.com/en_us/blogs/symantec-warns-new-malware-targeting-sql-databases-112312

25. November 23, Softpedia – (International) Numerous .eu domains registered to host BlackHole exploit kit. Security researchers from Sophos reveal that a number of malicious .eu domains have been registered by cybercriminals and set up to host the infamous BlackHole exploit kit. In order to avoid security filtering, cybercrooks have registered several domains, which they use to infect the computers of unsuspecting internauts. After closely analyzing the domains, experts have noticed that they all resolve to the IP address of a server located in the Czech Republic. The server hosts over 100 domains utilized as exploit sites and gateways for adult Web sites. The cybercriminals seem to have a clever method of keeping their operations online. This month they registered domains such as nrxpxq.eu, vjtjpy.eu, xzjvhs.eu, or xipuww.eu, while a few months ago they registered domains hosted on the .in Top Level Domain (TLD). Each of the domains is active only for a short period of time and all their names appear to follow this pattern of 6 random characters. One connection between the domains appears to be Finland. The .in domains were all registered by someone apparently from Finland and the .eu registrant’s language was set to Finnish. Source: http://news.softpedia.com/news/Numerous-eu-Domains-Registered-to-Host-BlackHole-Exploit-Kit-309360.shtml

Communications Sector

Nothing to report


Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport

Contact Information

Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List: Send mail to support@govdelivery.com.


Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure Coordinating Center at nicc@dhs.gov or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at soc@us-cert.gov or visit their Web page at www.us-cert.gov.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.