Wednesday, December 5, 2012
Daily Report
Top Stories
• Separate accidents at two West Virginia coal operations November 30 left one worker dead, two others injured, and a fourth worker missing, company and State mine safety officials said. It was the sixth mining fatality in West Virginia this year. – Associated Press
2. December 3, Associated Press – (West Virginia) One dead, one missing in separate coal accidents. Separate accidents at two West Virginia coal operations November 30 left one worker dead, two others injured, and a fourth worker missing, company and State mine safety officials said. An electrician was killed when he became caught between a scoop and a continuous mining machine at the Pocahontas Mine A White Buck Portal near Rupert in Greenbrier County, West Virginia, said a representative of the State Office of Miners’ Health Safety and Training. The mine is owned by White Buck Coal Co., a subsidiary of Virginia-based Alpha Natural Resources. Alpha identified the victim as an employee of its Alex Energy subsidiary. It was the sixth mining fatality in West Virginia this year. In north-central West Virginia, emergency officials were draining a coal slurry pond to search for a bulldozer operator who was unaccounted for after an embankment collapsed, sending three into the water. A U.S. Mine Safety and Health Administration spokeswoman said a “massive failure” occurred November 30 at the Nolans Run impoundment of Pennsylvania-based Consol Energy’s Robinson Run mine in Harrison County. One dozer operator and two engineers were on the platform when it collapsed. Both engineers were rescued and were in non-critical condition.
Source: http://www.chem.info/News/2012/12/Safety-One-Dead-One-Missing-in-Separate-Coal-Accidents/
• Customers of Bank of America, Citibank, and the former Washington Mutual Bank were taken for $8 million after their accounts were compromised as part of an intricate identity theft and bank fraud scheme that was run for nearly 6 years from the Avenal State Prison in California. – BankInfoSecurity
See item 8 below in the Banking and Finance Sector
• Systems that can track automotive traffic on roadways have flaws that could allow a skilled hacker to break in, according to an advisory by the U.S. Industrial Control System Computer Emergency Readiness Team, Government Security News reported December 3. – Government Security News
11. December 3, Government Security News – (National) Highway traffic monitoring system has exploitable electronic flaw, says CERT. Systems that track automotive traffic on roadways, providing speed and highway traffic behavior patterns, have a flaw that could allow a skilled hacker to break in, according to the U.S. Industrial Control System Computer Emergency Readiness Team (ICS-CERT). A November 30 advisory issued by ICS-CERT said a specific system used by some municipal governments around the country has an authentication vulnerability that could allow unauthorized access. The advisory said Post Oak Bluetooth traffic systems that use Anonymous Wireless Address Matching (AWAM) were affected. AWAM systems detect vehicles that have Bluetooth-enabled networking devices aboard, including cellular phones, mobile GPS systems, telephone headsets, and in-vehicle navigation and hands-free systems. Each of those devices contains a unique electronic address that the AWAM system’s sensors can read as the device travels by on a roadway. ICS-CERT said November 30 that an independent research group identified an insufficient entropy vulnerability in authentication key generation in Post Oak’s AWAM Bluetooth Reader Traffic System. By impersonating the device, an attacker could obtain the credentials of the system’s administrative users and potentially perform a Man-in-the-Middle (MitM) attack, intercepting communications within the organization. ICS-CERT said Post Oak has validated the vulnerability and produced an updated firmware version that mitigates the potential opening. ICS-CERT said Post Oak said its products are deployed in the transportation sector, mainly in the U.S.
Source: http://www.gsnmagazine.com/node/27933?c=cyber_security
• The U.S. Office of Inspector General, which investigates health care fraud, expects to recover about $6.9 billion from audits and investigations this year. Targets of investigations include hospitals, nursing homes, and the pharmaceutical industry. – Cincinnati Business Courier
20. December 4, Cincinnati Business Courier – (National) Health care fraud investigations to net $6.9B. The U.S. Office of Inspector General (OIG), which investigates health care fraud, expects to recover about $6.9 billion from audits and investigations this year, the Cincinnati Business Courier reported December 4. Targets of investigations included hospitals, nursing homes, and the pharmaceutical industry. OIG reported 778 criminal actions against individuals or entities that engaged in crimes against Department of Health and Human Services programs, along with 367 civil actions. It also excluded 3,131 individuals and entities from participation in federal health care programs.
Source: http://www.bizjournals.com/cincinnati/blog/2012/12/health-care-fraud-investigations-to.html
Details
Banking and Finance Sector
7. December 3, Marina del Rey Patch – (California) Marina del Rey man convicted of bank fraud. A federal judge November 30 convicted a Marina del Rey, California man of 18 felony counts of bank fraud, identity theft, and money laundering that totaled $600,000. The man and his brother were convicted of impersonating people to obtain credit card numbers under the victims’ names and applying online for fraudulent credit cards. The man’s brother pleaded guilty before the trial. The man also called several banks, including Chase and Bank of America, and used a person’s credit rating agency profile information to receive credit cards, which he and his brother then used to withdraw money from ATMs and purchase department store gift cards.
Source: http://marinadelrey.patch.com/articles/marina-del-rey-man-convicted-of-bank-fraud
8. December 3, BankInfoSecurity – (California) ID theft scam run from prison. Customers of Bank of America, Citibank, and the former Washington Mutual Bank were taken for $8 million after their accounts were compromised as part of an intricate identity theft and bank fraud scheme that was run for nearly six years from the Avenal State Prison in California, BankInfoSecurity reported December 3. Federal authorities said members of the Armenian Power gang worked from behind bars with street gangs and bribed bank employees to steal personally identifiable information - including signatures, telephone numbers, prior addresses, and property documents - about elderly accountholders to impersonate them and take over their accounts. Defendants used the stolen information to change accountholder phone numbers and addresses in an effort to conceal their crime. Those changes put control of accounts into the hands of criminals. The losses were suffered by the victims and the affected institutions, according to the FBI. Two ring leaders accused of organizing the scheme were sentenced to 25 years each in federal prison, even while already serving time for other crimes. The two leaders of the fraud managed to conceal their scheme by communicating in code with gang members on the outside through phone conversations.
Source: http://www.bankinfosecurity.com/id-theft-scam-run-from-prison-a-5327
9. December 3, CNN Money – (International) SEC charges China affiliates of ‘Big 4’ accounting firms. The U.S. Securities and Exchange Commission (SEC) announced charges December 3 against the China affiliates of the “Big Four” U.S. accounting firms. The SEC accused PricewaterhouseCoopers Zhong Tian, KPMG Huazhen, Ernst & Young Hua Ming, and Deloitte Touche Tohmatsu of refusing to hand over auditing documents related to Chinese firms that trade on U.S. markets. China’s BDO China Dahua Co. Ltd. was also charged. Regulators said they have been trying for months to gain access to audit documents for nine China-based companies that they are investigating for potential wrongdoing. Deloitte, PricewaterhouseCoopers-China and Ernst & Young Hua Ming blame the dispute on conflicting rules in China and the United States. Under Chinese law, “accounting firms in China are not permitted to produce documents, including audit work papers, directly to any foreign regulator without Chinese government approval, so all firms in China have been unable to produce documents requested by the SEC,” a Deloitte spokeswoman said.
Source: http://money.cnn.com/2012/12/03/investing/sec-china-accounting/
Information Technology Sector
28. December 4, Softpedia – (International) Hackers can use Twitter SMS vulnerability to post on users’ behalves, expert finds. A security researcher identified a vulnerability which can be leveraged by cybercriminals in attacks against Twitter users. According to the expert, an attacker only needs to know the mobile phone number associated with the target’s Twitter account. Presuming that the victim has enabled the SMS service and that a PIN code is not set, the attacker can publish posts on the victim’s account by sending messages from a spoofed number. The researcher explains that many SMS gateways allow the sender’s address to be set to an arbitrary identifier; much as with email messages, an attacker can spoof the number to make a message look like it comes from a specific number. The researcher claims that Facebook and Venmo were also affected, but they addressed the bug after he had reported the flaw to their security teams. Twitter responded December 4 stating that they fixed the vulnerability. A Romanian researcher who specializes in mobile security reveals that these types of vulnerabilities do not affect just social media platforms, but other services as well. “The problem is not only with Twitter, but also with other services (even banks) that authenticate the user based only on the phone number. It’s like just knowing someone’s username, no password needed, while in this case it’s even easier as people do not consider their phone number as something private.”
Source: http://news.softpedia.com/news/Hackers-Can-Use-Twitter-SMS-Vulnerability-to-Post-on-Users-Behalves-Expert-Finds-311857.shtml
29. December 4, Help Net Security – (International) Tumblr worm proliferated due to XSS flaw. A December 3 worm rampage that left many a Tumblr site “defaced” with a message by Internet troll group GNAA was the result of improper input sanitization. “It appears that the worm took advantage of Tumblr’s reblogging feature, meaning that anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages,” explained a Sophos researcher. Those who were not logged in would be redirected to the standard login page. Once they logged in, the offending post would continue its activity and reblog itself on their Tumblr. “It shouldn’t have been possible for someone to post such malicious JavaScript into a Tumblr post - our assumption is that the attackers managed to skirt around Tumblr’s defences by disguising their code through Base 64 encoding and embedding it in a data URI,” concluded the researcher. Tumblr disabled posting for a couple of hours and proceeded to clear the affected accounts. According to a Twitter post by the company, the issue was resolved.
Source: http://www.net-security.org/secworld.php?id=14060&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+HelpNetSecurity+(Help+Net+Security)&utm_content=Google+Reader
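Why a text blocklist cannot see script that is Base64-encoded inside a data URI, and the scheme allowlist a sanitizer needs instead, as an added example that is not Tumblr's code or the Sophos researcher's; the filters, the markup and the sample posts are constructed.

```python
"""Added example, not Tumblr's code or the Sophos researcher's: a check that
shows why a substring blocklist cannot see script hidden in a base64 data: URI,
beside a scheme allowlist that rejects it. Markup, filters and sample posts
are constructed."""
import base64
import html
import re
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https", ""}  # "" covers relative URLs
ATTR_RE = re.compile(r'\b(href|src|data)\s*=\s*"([^"]*)"', re.I)


def blocklist_filter(markup: str) -> bool:
    """Naive check: the post passes unless a script tag appears literally."""
    return "<script" not in markup.lower()


def url_is_safe(value: str) -> bool:
    """Allowlist check on one attribute value. HTML entities are decoded and
    whitespace/control characters dropped before the scheme is read, so
    obfuscated spellings of a forbidden scheme are normalized first."""
    cleaned = "".join(
        ch for ch in html.unescape(value) if ch.isprintable() and not ch.isspace()
    )
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


def allowlist_filter(markup: str) -> bool:
    """The post passes only if every URL-bearing attribute uses an allowed scheme."""
    return all(url_is_safe(v) for _, v in ATTR_RE.findall(markup))


# Constructed posts. The script tag exists only inside the base64 payload, so a
# raw-text blocklist never sees it; the allowlist rejects the data: scheme itself.
INERT_SCRIPT = "<script>/* constructed placeholder, does nothing */</script>"
B64 = base64.b64encode(INERT_SCRIPT.encode()).decode()
SUSPECT_POST = f'<iframe src="data:text/html;base64,{B64}"></iframe>'
BENIGN_POST = '<a href="https://example.com/page">link</a> <img src="/img/a.png">'
```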
30. December 4, Softpedia – (International) RoTDL admits it was hacked, takes responsibility for Google Romania hijacking. The week of November 26, a number of high-profile Romanian Web sites – including Google.ro and Yahoo.ro – redirected their visitors to a defacement page set up by an Algerian hacker. After concluding that this was a case of DNS poisoning, experts revealed that this was most likely the result of a breach that affected RoTDL. RoTDL, the handler of Romania’s top level domains, had been quiet about the incident until December 3, when it came forward with a statement. According to the company’s representatives, the attack against their .ro domain administration server took place on the night between November 27 and 28. They reveal that the attackers modified the name servers of several popular domains to redirect their visitors to an arbitrary Web page. Immediate measures have been taken to prevent future incidents. The security breach is currently being investigated. The investigation’s results will be made public in the days ahead. RoTDL claims that DNS servers have not been affected and that no financial information is stored on the affected machines.
Source: http://news.softpedia.com/news/RoTDL-Admits-It-Was-Hacked-Takes-Responsibility-for-Google-Romania-Defacement-311941.shtml
31. December 4, The H – (International) Fast cracking of MySQL passwords demonstrated. A hacker by the name of Kingcope has found another security problem with the popular MySQL database. Using an already well-known characteristic of the database’s user management, it is possible to significantly increase the speed of a brute force attack. The trick allowed him to test up to 5000 passwords per second over the network, provided he has some access to the database. For this, the attacker requires an unprivileged account for the database. The script uses that account to log in and then uses the command ‘change_user’ to attempt to change the account during the MySQL session. Unlike presenting the password to the login process, this works over an already established network connection and very quickly rejects incorrect passwords. The hacker used the John The Ripper password cracker to create a password list and has documented the attack with a Perl script and a record of a command line session. To crack a four-character password with remote access to the MySQL database took just 20 seconds with over 100,000 character combinations tested.
Source: http://www.h-online.com/security/news/item/Fast-cracking-of-MySQL-passwords-demonstrated-1762031.html
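Detection logic for the pattern described above (one established connection issuing a burst of change_user commands), run over constructed MySQL general-log lines, as an added example that is not Kingcope's script or MySQL's code; the log layout follows the 5.x general log (Time, Id, Command, Argument), and the sample lines and thresholds are assumptions.

```python
"""Added example, not Kingcope's script or MySQL's code: detection logic for
the change_user brute-force pattern described above, run over constructed
MySQL general-log lines. The line layout follows the 5.x general log
(Time, Id, Command, Argument); the sample log and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{6} +\d{1,2}:\d{2}:\d{2})?\s+(?P<id>\d+)\s+"
    r"(?P<cmd>Change user|Connect|Query|Quit)\b\s*(?P<arg>.*)$"
)


def parse_general_log(lines):
    """Yield (timestamp, connection id, command, argument). The general log
    prints the time only when it changes, so the last one is carried forward."""
    last_ts = None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        if m.group("ts"):
            last_ts = datetime.strptime(" ".join(m.group("ts").split()), "%y%m%d %H:%M:%S")
        yield last_ts, int(m.group("id")), m.group("cmd"), m.group("arg").strip()


def find_change_user_bursts(lines, max_per_window=20, window_seconds=10):
    """Return {connection id: count} for connections issuing more than
    max_per_window Change user commands within any window_seconds span. A
    legitimate session switches users rarely; the attack above does it
    thousands of times per second on one established connection."""
    per_conn = defaultdict(list)
    for ts, cid, cmd, _ in parse_general_log(lines):
        if cmd == "Change user" and ts is not None:
            per_conn[cid].append(ts)
    flagged = {}
    for cid, stamps in per_conn.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward
            if end - start + 1 > max_per_window:
                flagged[cid] = end - start + 1
                break
    return flagged


# Constructed sample: connection 7 is normal; connection 12 logs in with a
# low-privilege account and then fires a burst of Change user commands.
SAMPLE_LOG = (
    ["121204 10:15:01\t    7 Connect\tapp@10.0.0.5 on shop",
     "\t\t    7 Query\tSELECT 1",
     "121204 10:15:02\t   12 Connect\tlowpriv@10.0.0.9 on"]
    + ["\t\t   12 Change user\tadmin@10.0.0.9 on"] * 25
    + ["121204 10:15:03\t   12 Quit\t", "\t\t    7 Quit\t"]
)
```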
32. December 3, Threatpost – (International) Bug hunter finds ‘blended threat’ targeting Yahoo Web site. A Romanian bug hunter has discovered a “blended threat” targeting Yahoo’s Developer Network Web site that allows unauthorized access to Yahoo users’ emails and private profile data. At a security conference December 2, the researcher demonstrated an abbreviated version of an attack using the YQL console on developer.yahoo.com. Authenticated users also can access tables with their own Yahoo account data, such as emails and profile data, to mount queries. According to Computerworld, the researcher showed how an attacker could abuse a feature on the site by loading a specific URL inside an iframe that returned the visitor’s “crumb code” — a session- and user-specific authorization code generated when someone visits the YQL console page. To get around a security measure, the security researcher used a fake CAPTCHA test to generate a YQL query that could divulge the user’s Yahoo email account and private profile data. Another step is needed to actually read the emails — a step the researcher did not disclose to the conference audience. The researcher, who had yet to share his discovery with Yahoo, recommended the company mitigate the vulnerability by not permitting unauthorized third-party Web sites to load pages from the developer.yahoo.com domain inside an iframe.
Source: http://threatpost.com/en_us/blogs/bug-hunter-finds-blended-threat-targeting-yahoo-web-site-120312
33. December 2, IDG News Service – (International) Instagram vulnerability on iPhone allows for account takeover. A security researcher published November 30 another attack on Facebook’s Instagram photo-sharing service that could allow a hacker to seize control of a victim’s account. The attack was developed by the researcher around a vulnerability he found within Instagram in mid-November. The vulnerability is in the 3.1.2 version of Instagram’s application for the iPhone. The researcher found that while some sensitive activities, such as logging in and editing profile data, are encrypted when sent to Instagram, other data was sent in plain-text. He tested the two attacks on an iPhone 4 running iOS 6, where he first found the problem. The plain-text cookie can be intercepted using a man-in-the-middle attack as long as the hacker is on the same local area network (LAN) as the victim. Once the cookie is obtained, the hacker can delete or download photos or access the photos of another person who is friends with the victim. Security company Secunia verified the attack and issued an advisory. The researcher continued to study the potential of the vulnerability and found the cookie issue could also allow the hacker to take over the victim’s account using Address Resolution Protocol (ARP) spoofing.
Source: http://www.computerworld.com/s/article/print/9234236/Instagram_vulnerability_on_iPhone_allows_for_account_takeover
For another story, see item 11 above in Top Stories
Communications Sector
Nothing to report
Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information
About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport
Contact Information
Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314
Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.
Contact DHS
To report physical infrastructure incidents or to request information, please contact the National Infrastructure
To report cyber infrastructure incidents or to request information, please contact US-CERT at soc@us-cert.gov or visit their Web page at www.us-cert.gov.
Department of Homeland Security Disclaimer
The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.