Wednesday, November 28, 2012


Daily Report

Top Stories

 • The undamaged westbound side of New York’s Ocean Parkway was reopened for 4.8 miles between Cedar Beach and Tobay Beach November 26. The 15.5-mile long road sustained unprecedented damage during Hurricane Sandy and has been closed since October 30. – Examiner.com

10. November 26, Examiner.com – (New York) Ocean Parkway reopens. The undamaged westbound side of New York’s Ocean Parkway was reopened for 4.8 miles between Cedar Beach and Tobay Beach November 26. The 15.5-mile long road sustained unprecedented damage during Hurricane Sandy and has been closed since October 30. Approximately 5 miles of the eastbound section of the road and its protective sand dunes were severely damaged; one-half mile of the roadway, and 1.6 miles of the sand dunes east of Gilgo were completely destroyed. New York State Department of Transportation (NYSDOT), the New York State Parks Recreation and Historic Preservation (NYSOPRHP), and the Department of Environmental Conservation are working with the Federal Highway Administration and the Army Corps of Engineers to develop a coastal barrier protection roadway repair project to restore Ocean Parkway to its pre-storm condition. NYSDOT and NYSOPRHP are also collaborating to design a project to rebuild damaged lanes to the traffic circle in Robert Moses State Park. New York State is examining options to strengthen those sections of the protective sand dunes that were damaged to provide better stability and resiliency to future storms. In addition to providing needed sand, the dredging project will also make the Fire Island Inlet safe for commercial and recreational boating. Source: http://www.examiner.com/article/ocean-parkway-reopens

 • The U.S. Food and Drug Administration (FDA) suspended Sunland Inc.’s operations November 26. The New Mexico food producer is linked to Salmonella-tainted peanut butter that has sickened at least 41 people in 2012. – Reuters

15. November 26, Reuters – (National) FDA suspends peanut butter plant linked to Salmonella outbreak. The U.S. Food and Drug Administration (FDA) suspended Sunland Inc.’s operations November 26. The New Mexico food producer is linked to Salmonella-tainted peanut butter that has sickened at least 41 people in 2012, the agency said in a statement. The FDA said a review of Sunland Inc.’s product testing records showed that 11 product lots of nut butter tested positive for Salmonella between June 2009 and September 2012. Between March 2010 and September 2012, a portion of eight product lots of nut butter containing Salmonella was distributed by the company to consumers, the organization said. Additionally, the FDA found the presence of Salmonella during its inspection of the plant in September and October, both in samples taken in food production areas and in food products themselves. In a November 15 statement the company said “at no time in its twenty four year history has Sunland, Inc. released for distribution any products that it knew to be potentially contaminated with harmful microorganisms.” Source: http://www.reuters.com/article/2012/11/27/usa-salmonella-peanuts-idUSL1E8MR00L20121127

 • An attorney, an accountant, and two medical administrators were convicted November 26 for their parts in a $154-million insurance fraud scheme in which hundreds of healthy patients from across the U.S. were recruited to undergo unnecessary and dangerous surgeries to fraudulently bill insurance providers, Orange County, California prosecutors said. – Los Angeles Times See item 5 below in the Banking and Finance Sector

 • New York health officials asked the federal government for almost a half-billion dollars worth of special Medicaid funding for hospitals, nursing homes, and clinics affected by Sandy, WNYC 93.9 FM New York City reported November 26. – WNYC 93.9 FM New York City

21. November 26, WNYC 93.9 FM New York City – (New York) NY seeks Medicaid funds for State’s Sandy-affected healthcare providers. New York health officials asked the federal government for almost a half-billion dollars worth of special Medicaid funding for hospitals, nursing homes, and clinics affected by Sandy, WNYC 93.9 FM reported November 26. Much of the money is to repair damaged buildings and equipment, but some is also intended to compensate places that either have closed and lost patients, or stayed open and received evacuees. The $427 million application is for up to three weeks of special funding. Close to $200 million of that would be for hospitals, with the rest going to nursing homes, clinics, housing for the mentally ill and disabled, substance abuse centers, and medical transportation companies. State officials estimated more than 5,000 patients were displaced by Sandy, and they say healthcare facilities have experienced more than a billion dollars worth of physical damage and lost income. Source: http://www.wnyc.org/articles/wnyc-news/2012/nov/26/state-seeks-medicaid-funding-sandy/

Details

Banking and Finance Sector

5. November 26, Los Angeles Times – (California; National) Four convicted in $154-million medical insurance fraud. An attorney, an accountant, and two medical administrators were convicted November 26 for their parts in a $154-million insurance fraud scheme in which hundreds of healthy patients from across the U.S. were recruited to undergo unnecessary and dangerous surgeries to fraudulently bill insurance providers, Orange County, California prosecutors said. A jury found the four defendants guilty of charges related to revenue and tax fraud for the massive scheme. Each of the four also faces at least 100 additional felony counts because the court has broken the scheme into multiple cases because of its size, prosecutors said. Those additional charges include conspiracy, paying for referrals, grand theft, insurance fraud, making false and fraudulent claims, and filing a false tax return. A number of other defendants, including three doctors, previously pleaded guilty to charges related to conspiracy and insurance fraud. Employees of Unity Outpatient Surgery Center in Buena Park were named as participating in the fraud, which recruited 2,841 healthy people from across the country to receive unnecessary surgeries in exchange for money or low-cost cosmetic surgery. Source: http://latimesblogs.latimes.com/lanow/2012/11/4-convicted-medical-insurance-fraud.html

6. November 26, Sarasota Herald-Tribune – (Florida) Mortgage banker pleads guilty in flipping fraud case. Shortly after being indicted for bank fraud, a former Sarasota, Florida mortgage banker pleaded guilty to conspiring to make false statements to a federally insured lender, the Sarasota Herald-Tribune reported November 26. He was the 20th person to be indicted in the massive flipping fraud scheme masterminded by two former Sarasota real estate agents that borrowed over $200 million from local banks. In 2006 and 2007, the banker made at least 19 home equity loans to members of the conspiracy. In both cases, one of the real estate agents forged the names of his relatives on the loan applications and the banker notarized the fraudulent signatures, the plea agreement states. Eighteen members of the conspiracy have been sentenced thus far and more indictments are expected. Source: http://insiderealestate.heraldtribune.com/2012/11/26/mortgage-banker-pleads-guilty-in-flipping-fraud-case/

7. November 26, The Register – (International) Claimed $400m Google buyout is fake, ICOA boss warns. Wireless hotspot provider ICOA appeared to fall victim to what looks like a classic pump-and-dump stock scam after a fake press release announcing that Google had paid $400 million to buy the company, The Register reported November 26. A press release posted on PRweb announced the purported deal and caused heavy trading in the firm’s shares. However, the company’s Chief Financial Officer confirmed that the story was not true. “It’s a false release,” he stated. “The [U.S. Securities and Exchange Commission] SEC has been notified.” ICOA is firmly in the penny share category, with shares trading on the OTC Pink sheets for fractions of a cent. Nevertheless, the press release more than quadrupled the share price, and at its peak over 500 million shares were traded, indicating that someone made off with at least $200,000 in profit. Source: http://www.theregister.co.uk/2012/11/26/icoa_google_buyout_fake/

8. November 26, Detroit Free Press – (Michigan; National) Michigan AG charges Georgia woman with racketeering in ‘robo-signing’ mortgage fraud scheme. Michigan’s attorney general announced November 26 that he is filing a criminal charge against the former executive of a Georgia-based document processing firm where workers allegedly forged close to a million signatures on home mortgage documents nationwide, including more than 1,000 signatures for Michigan mortgages. The former president of DocX of Alpharetta, Georgia, was to be charged in Kent County, Michigan with racketeering for what the attorney general described as having orchestrated a vast mortgage document “robo-signing” scheme. Earlier this month the woman agreed to plead guilty in Missouri to felony counts of forgery and perjury and a misdemeanor count of making a false declaration. She also pleaded guilty in U.S. District Court in Florida to conspiracy to commit mail and wire fraud. The attorney general said that from 2006 through 2009, the woman directed her employees to fraudulently sign various bank officials’ names on mortgage documents. The attorney general said arrangements are presently being made for the woman to surrender to Michigan authorities. Source: http://www.freep.com/article/20121126/BUSINESS/121126038/Michigan-AG-announces-racketeering-charged-forged-signature-case

Information Technology Sector

26. November 27, Help Net Security – (International) Go Daddy says DNS records hijacking was due to phishing. Go Daddy’s director of information security operations stated November 26 that the compromise of domain name system (DNS) records at Go Daddy hosted Web sites the week of November 19 was due to phishing and not a vulnerability in the My Account or DNS management systems. The DNS records were compromised so that malware peddlers could redirect victims to malicious sites hosting the Cool exploit kit and ultimately leading to ransomware. “Go Daddy has detected a very small number of accounts have malicious DNS entries placed on their domain names. We have been identifying affected customers and reversing the malicious entries as we find them. Also, we’re expiring the passwords of affected customers so the threat actors cannot continue to use the accounts to spread malware,” the director said. He advised customers located in the U.S. and Canada to enable two-step authentication to help protect their accounts and prevent this from happening to them. Source: http://www.net-security.org/malware_news.php?id=2334&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+HelpNetSecurity+(Help+Net+Security)&utm_content=Google+Reader

27. November 27, Softpedia – (International) PlugX RAT developers release new version, become more confident. The PlugX Remote Administration Tool (RAT) has been around for quite some time and, according to researchers, its developers continue to improve it. The latest version comes with some interesting changes in terms of logging activity. Kaspersky Lab Experts reveal that a new version, which was landing in the inboxes of a company, shows that the developers are becoming more confident in their work. The old variant contained numerous lines of code designed to process potential errors. The new version does not contain this logging function. Experts believe that this demonstrates the fact that the author trusts that the code flow runs successfully. It is likely that the cyber criminals have managed to infect a large number of computers, which allowed them to properly test their malicious tool. Now that they are done checking the new version, they are probably ready to move forward in development. Source: http://news.softpedia.com/news/PlugX-RAT-Developers-Release-New-Version-Become-More-Confindent-310014.shtml

28. November 27, Softpedia – (International) Piwik.org hacked, attacker adds malicious code to installation files. Piwik.org, the official Web site of the free software Web analytics system for PHP/MySQL webservers, was hacked. The attacker planted a piece of malicious code inside the .zip file containing Piwik 1.9.2. According to Piwik representatives, the incident affects only users who updated or installed Piwik 1.9.2 on November 26 between 15:43 UTC and 23:59 UTC. Customers who believe they might be impacted are advised to check for a piece of malicious code at the end of the Loader.php file located in the Core directory. If the code is present, they must back up config.ini.php, delete the Piwik directory, and download a clean version from piwik.org. The hacker gained access to the company’s servers by leveraging a vulnerability in a WordPress plugin. “The website Piwik.org is running WordPress and got compromised, because of a security issue in a WordPress plugin. As far as we know, the Piwik software does not have any exploitable security issue,” the Piwik team wrote. Fortunately, since the Web site does not track any Web analytics data from users, no personal or sensitive data was obtained by the attacker. Piwik is currently working on implementing new mechanisms to avoid such incidents from occurring in the future. Source: http://news.softpedia.com/news/Piwik-org-Hacked-Attacker-Adds-Malicious-Code-to-Installation-Files-310082.shtml

29. November 26, Dark Reading – (International) Evolving DDoS attacks force defenders to adapt. In the past, attackers using distributed denial-of-service (DDoS) attacks to take down Web sites or network servers typically adopted one of two tactics: flooding the site with a deluge of data or overwhelming an application server with seemingly valid requests. Yet increasingly, attackers are using a hybrid approach, using multiple vectors to attack. The attacks that hit financial firms in September and October, for example, often used a massive flood of data packets that would overwhelm a victim’s network connection, while a much smaller subset of traffic would target vulnerable application functions, consuming server resources. The one-two punch is potent. Many financial firms thought they had the defenses in place to defeat such attacks but had problems staying accessible during the onslaught. Companies prepared to handle application-layer attacks or smaller volumetric attacks could not handle the 20Gbps or more that saturated their Internet connection. A recent report from network-security firm Prolexic found that the average attack bandwidth increased to nearly 5Gbps, with 20Gbps attacks quite common. In a year, the average volume of attacks had doubled, the firm found. Source: http://www.darkreading.com/security-services/167801101/security/perimeter-security/240142616/evolving-ddos-attacks-force-defenders-to-adapt.html

30. November 26, Help Net Security – (International) DIY mass iFrame injecting Apache module sold online. A Webroot researcher recently spotted an Apache 2.x module for automated mass iFrame injection being sold in an underground market advertisement. “The Apache 2.x based stealth module is capable of inserting and rotating iFrames on all pages at a particular website hosted on the compromised server. The process will only work with a cookie+unique IP in an attempt by the cybercriminal behind the kit to make the process of analyzing the module harder to perform. The module would also not reveal the iFrame URL to search engines, Google Chrome and Linux users, as well as local IP,” he shares, adding that this makes it virtually impossible for a webmaster to remove the infection from their Web site. The module is for sale for $1,000, and in order to incite buyers, the seller offers statistics that apparently prove that the return on investment is good. The seller also reveals in the ad that the module has already been successfully used in a number of security incidents across the globe. Source: http://www.net-security.org/malware_news.php?id=2332&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+HelpNetSecurity+(Help+Net+Security)&utm_content=Google+Reader

For more stories, see item 7 above in the Banking and Finance Sector

Communications Sector

31. November 27, Softpedia – (Nevada) 4 Las Vegas news Web sites disrupted by DDOS attacks. Over the weekend of November 24, four news Web sites owned by Greenspun Media Group – vegasinc.com, vegasdeluxe.com, lasvegassun.com, and lasvegasweekly.com – were disrupted after being hit by a distributed denial-of-service (DDOS) attack. The servers that hosted the Web sites were overwhelmed by the large number of packets going their way, causing the Web sites to experience outages for several hours, the Las Vegas Sun reported. Currently, the sites are back online and Greenspun Media Group representatives have notified authorities. Source: http://news.softpedia.com/news/4-Las-Vegas-News-Websites-Disrupted-by-DDOS-Attacks-310139.shtml


Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport

Contact Information

Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List: Send mail to support@govdelivery.com.


Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure Coordinating Center at nicc@dhs.gov or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at soc@us-cert.gov or visit their Web page at www.us-cert.gov.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.