Wednesday, December 5, 2012

Daily Report

Top Stories

• Separate accidents at two West Virginia coal operations November 30 left one worker dead, two others injured, and a fourth worker missing, company and State mine safety officials said. It was the sixth mining fatality in West Virginia this year. – Associated Press

2. December 3, Associated Press – (West Virginia) One dead, one missing in separate coal accidents. Separate accidents at two West Virginia coal operations November 30 left one worker dead, two others injured, and a fourth worker missing, company and State mine safety officials said. An electrician was killed when he became caught between a scoop and a continuous mining machine at the Pocahontas Mine A White Buck Portal near Rupert in Greenbrier County, West Virginia, said a representative of the State Office of Miners’ Health Safety and Training. The mine is owned by White Buck Coal Co., a subsidiary of Virginia-based Alpha Natural Resources. Alpha identified the victim as an employee of its Alex Energy subsidiary. It was the sixth mining fatality in West Virginia this year. In north-central West Virginia, emergency officials were draining a coal slurry pond to search for a bulldozer operator who was unaccounted for after an embankment collapsed, sending three into the water. A U.S. Mine Safety and Health Administration spokeswoman said a “massive failure” occurred November 30 at the Nolans Run impoundment of Pennsylvania-based Consol Energy’s Robinson Run mine in Harrison County. One dozer operator and two engineers were on the platform when it collapsed. Both engineers were rescued and were in non-critical condition. Source: Separate-Coal-Accidents/

• Customers of Bank of America, Citibank, and the former Washington Mutual Bank were taken for $8 million after their accounts were compromised as part of an intricate identity theft and bank fraud scheme that was run for nearly 6 years from the Avenal State Prison in California. – BankInfoSecurity  See item 8 below in the Banking and Finance Sector

• Systems that can track automotive traffic on roadways have flaws that could allow a skilled hacker to break in, according to an advisory by the U.S. Industrial Control System Computer Emergency Readiness Team, Government Security News reported December 3. – Government Security News

11. December 3, Government Security News – (National) Highway traffic monitoring system has exploitable electronic flaw, says CERT. Systems that can track automotive traffic on roadways, providing speed and highway traffic behavior patterns, have a flaw that could allow a skilled hacker to break in, according to the U.S. Industrial Control System Computer Emergency Readiness Team (ICS-CERT). A November 30 advisory issued by ICS-CERT said a specific system used by some municipal governments around the country has an authentication vulnerability that could allow unauthorized access. The advisory said Post Oak Bluetooth traffic systems that use Anonymous Wireless Address Matching (AWAM) were affected. AWAM systems detect vehicles that have Bluetooth-enabled networking devices aboard, including cellular phones, mobile GPS systems, telephone headsets, and in-vehicle navigation and hands-free systems. Each of those devices contains a unique electronic address that the AWAM system’s sensors can read as the device travels by on a roadway. According to the November 30 ICS-CERT advisory, an independent research group identified an insufficient entropy vulnerability in authentication key generation in Post Oak’s AWAM Bluetooth Reader Traffic System. By impersonating the device, an attacker could obtain the credentials of the system’s administrative users and potentially perform a Man-in-the-Middle (MitM) attack, intercepting communications within the organization. ICS-CERT said Post Oak has validated the vulnerability and produced an updated firmware version that mitigates the potential opening. ICS-CERT said Post Oak said its products are deployed in the transportation sector, mainly in the U.S. Source:

• The U.S. Office of Inspector General, which investigates health care fraud, expects to recover about $6.9 billion from audits and investigations this year. Targets of investigations include hospitals, nursing homes, and the pharmaceutical industry. – Cincinnati Business Courier

20. December 4, Cincinnati Business Courier – (National) Health care fraud investigations to net $6.9B. The U.S. Office of Inspector General (OIG), which investigates health care fraud, expects to recover about $6.9 billion from audits and investigations this year, the Cincinnati Business Courier reported December 4. Targets of investigations included hospitals, nursing homes, and the pharmaceutical industry. OIG reported 778 criminal actions against individuals or entities that engaged in crimes against Department of Health and Human Services programs, along with 367 civil actions. It also excluded 3,131 individuals and entities from participation in federal health care programs. Source:


Banking and Finance Sector

7. December 3, Marina del Rey Patch – (California) Marina del Rey man convicted of bank fraud. A federal judge November 30 convicted a Marina del Rey, California man of 18 felony counts of bank fraud, identity theft, and money laundering that totaled $600,000. The man and his brother were convicted of impersonating people to obtain credit card numbers under the victims’ names and applying online for fraudulent credit cards. The man’s brother pleaded guilty before the trial. The man also called several banks, including Chase and Bank of America, and used a person’s credit rating agency profile information to receive credit cards, which he and his brother then used to withdraw money from ATMs and purchase department store gift cards. Source:

8. December 3, BankInfoSecurity – (California) ID theft scam run from prison. Customers of Bank of America, Citibank, and the former Washington Mutual Bank were taken for $8 million after their accounts were compromised as part of an intricate identity theft and bank fraud scheme that was run for nearly six years from the Avenal State Prison in California, BankInfoSecurity reported December 3. Federal authorities said members of the Armenian Power gang worked from behind bars with street gangs and bribed bank employees to steal personally identifiable information - including signatures, telephone numbers, prior addresses, and property documents - about elderly accountholders to impersonate them and take over their accounts. Defendants used the stolen information to change accountholder phone numbers and addresses in an effort to conceal their crime. Those changes put control of accounts into the hands of criminals. The losses were suffered by the victims and the affected institutions, according to the FBI. Two ring leaders accused of organizing the scheme were sentenced to 25 years each in federal prison, even while already serving time for other crimes. The two leaders of the fraud managed to conceal their scheme by communicating in code with gang members on the outside through phone conversations. Source:

9. December 3, CNN Money – (International) SEC charges China affiliates of ‘Big 4’ accounting firms. The U.S. Securities and Exchange Commission (SEC) announced charges December 3 against the China affiliates of the “Big Four” U.S. accounting firms. The SEC accused PricewaterhouseCoopers Zhong Tian, KPMG Huazhen, Ernst & Young Hua Ming, and Deloitte Touche Tohmatsu of refusing to hand over auditing documents related to Chinese firms that trade on U.S. markets. China’s BDO China Dahua Co. Ltd. was also charged. Regulators said they have been trying for months to gain access to audit documents for nine China-based companies that they are investigating for potential wrongdoing. Deloitte, PricewaterhouseCoopers-China and Ernst & Young Hua Ming blame the dispute on conflicting rules in China and the United States. Under Chinese law, “accounting firms in China are not permitted to produce documents, including audit work papers, directly to any foreign regulator without Chinese government approval, so all firms in China have been unable to produce documents requested by the SEC,” a Deloitte spokeswoman said. Source:

Information Technology Sector

28. December 4, Softpedia – (International) Hackers can use Twitter SMS vulnerability to post on users’ behalf, expert finds. A security researcher identified a vulnerability which can be leveraged by cybercriminals in attacks against Twitter users. According to the expert, an attacker only needs to know the mobile phone number associated with the target’s Twitter account. Presuming that the victim has enabled the SMS service and that a PIN code is not set, the attacker can publish posts on the victim’s account by sending messages from a spoofed number. The researcher explains that many SMS gateways allow the sender’s address to be set to an arbitrary identifier. Similar to email messages, an attacker can spoof the number to make it look like it comes from a specific number. The researcher claims that Facebook and Venmo were also affected, but they addressed the bug after he had reported the flaw to their security teams. Twitter responded December 4 stating that they fixed the vulnerability. A Romanian researcher who specializes in mobile security reveals that these types of vulnerabilities do not affect just social media platforms, but other services as well. “The problem is not only with Twitter, but also with other services (even banks) that authenticate the user based only on the phone number. It’s like just knowing someone’s username, no password needed, while in this case it’s even easier as people do not consider their phone number as something private.” Source:

29. December 4, Help Net Security – (International) Tumblr worm proliferated due to XSS flaw. A December 3 worm rampage that left many a Tumblr site “defaced” with a message by Internet troll group GNAA was the result of improper input sanitization. “It appears that the worm took advantage of Tumblr’s reblogging feature, meaning that anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages,” explained a Sophos researcher. Those who were not logged in would be redirected to the standard login page. Once they logged in, the offending post would continue its activity and reblog itself on their Tumblr. “It shouldn’t have been possible for someone to post such malicious JavaScript into a Tumblr post - our assumption is that the attackers managed to skirt around Tumblr’s defences by disguising their code through Base 64 encoding and embedding it in a data URI,” concluded the researcher. Tumblr disabled posting for a couple of hours and proceeded to clear the affected accounts. According to a Twitter post by the company, the issue was resolved. Source:
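The evasion described in the Tumblr item, executable markup hidden as Base64 inside a data URI, is something a content filter can check for directly by decoding the URI before deciding whether the post is safe. The Python below is an added example, not code from Tumblr, Sophos or the original report; the regex, the marker list and the two sample posts are constructed for illustration, and a production sanitizer would walk a parsed DOM rather than regex-scan raw markup.

```python
import base64
import re
import urllib.parse

# Constructed for this example: match data: URIs in user-supplied markup and
# capture the media type, any parameters (such as ;base64) and the payload.
DATA_URI_RE = re.compile(
    r"data:(?P<mime>[\w/+.-]*)(?P<params>(?:;[\w=-]+)*),(?P<payload>[^\"'\s>]+)",
    re.IGNORECASE,
)

# Media types that a browser executes when the data URI is loaded as a document,
# and text markers that indicate script even under a harmless-looking type.
ACTIVE_MIME_TYPES = {"text/html", "text/javascript", "application/javascript",
                     "image/svg+xml"}
SCRIPT_MARKERS = re.compile(r"<script|javascript:|\bon\w+\s*=", re.IGNORECASE)


def decode_payload(params, payload):
    """Return the decoded text of a data URI payload (Base64 or percent-encoded)."""
    if "base64" in params.lower():
        try:
            padded = payload + "=" * (-len(payload) % 4)   # tolerate stripped padding
            return base64.b64decode(padded).decode("utf-8", "replace")
        except ValueError:
            return payload   # not valid Base64; inspect the raw text instead
    return urllib.parse.unquote(payload)


def find_active_data_uris(markup):
    """List (mime, decoded prefix) for every data URI that carries active content."""
    findings = []
    for m in DATA_URI_RE.finditer(markup):
        mime = m.group("mime").lower() or "text/plain"   # RFC 2397 default type
        decoded = decode_payload(m.group("params"), m.group("payload"))
        if mime in ACTIVE_MIME_TYPES or SCRIPT_MARKERS.search(decoded):
            findings.append((mime, decoded[:60]))
    return findings


def is_post_safe(markup):
    """True when the post embeds no data URI that decodes to executable content."""
    return not find_active_data_uris(markup)


# Constructed sample posts: an ordinary inline image, and a post that hides a
# script behind Base64 in a data URI, the evasion described in the report.
BENIGN_POST = '<p>hello</p><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUg==">'
HIDDEN_SCRIPT = base64.b64encode(b"<script>alert(1)</script>").decode("ascii")
WORM_POST = f'<p>cute</p><iframe src="data:text/html;base64,{HIDDEN_SCRIPT}"></iframe>'

if __name__ == "__main__":
    print("benign post safe:", is_post_safe(BENIGN_POST))
    print("worm post findings:", find_active_data_uris(WORM_POST))
```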

30. December 4, Softpedia – (International) RoTDL admits it was hacked, takes responsibility for Google Romania hijacking. The week of November 26, a number of high-profile Romanian Web sites – including and – redirected their visitors to a defacement page set up by an Algerian hacker. After initially concluding that this was a case of DNS poisoning, experts revealed that it was most likely the result of a breach that affected RoTDL. RoTDL, the handler of Romania’s top level domains, had been quiet about the incident until December 3, when it came forward with a statement. According to the company’s representatives, the attack against their .ro domain administration server took place on the night between November 27 and 28. They reveal that the attackers modified the name servers of several popular domains to redirect their visitors to an arbitrary Web page. Immediate measures have been taken to prevent future incidents. The security breach is currently being investigated, and the investigation’s results will be made public in the days ahead. RoTDL claims that its DNS servers have not been affected and that no financial information is stored on the affected machines. Source: Responsibility-for-Google-Romania-Defacement-311941.shtml

31. December 4, The H – (International) Fast cracking of MySQL passwords demonstrated. A hacker by the name of Kingcope has found another security problem with the popular MySQL database. Using an already well-known characteristic of the database’s user management, it is possible to significantly increase the speed of a brute force attack. The trick allowed him to test up to 5000 passwords per second over the network, provided he already had some access to the database. For this, the attacker requires an unprivileged account for the database. The script uses that account to log in and then uses the command ‘change_user’ to attempt to change the account during the MySQL session. Unlike presenting the password to the login process, this works with an already established network connection and very quickly rejects incorrect passwords. The hacker used the John the Ripper password cracker to create a password list and has documented the attack with a Perl script and a record of a command line session. To crack a four-character password with remote access to the MySQL database took just 20 seconds, with over 100,000 character combinations tested. Source:

32. December 3, Threatpost – (International) Bug hunter finds ‘blended threat’ targeting Yahoo Web site. A Romanian bug hunter has discovered a “blended threat” targeting Yahoo’s Developer Network Web site that allows unauthorized access to Yahoo users’ emails and private profile data. At a security conference December 2, the researcher demonstrated an abbreviated version of an attack using the YQL console on the site. Authenticated users also can access tables with their own Yahoo account data, such as emails and profile data, to mount queries. According to Computerworld, the researcher showed how an attacker could abuse a feature on the site by loading a specific URL inside an iframe that returned the visitor’s “crumb code” — a session- and user-specific authorization code generated when someone visits the YQL console page. To get around a security measure, the security researcher used a fake CAPTCHA test to generate a YQL query that could divulge the user’s Yahoo email account and private profile data. Another step is needed to actually read the emails — a step the researcher did not disclose to the conference audience. The researcher, who had yet to share his discovery with Yahoo, recommended the company mitigate the vulnerability by not permitting unauthorized third-party Web sites to load pages from the domain inside an iframe. Source:

33. December 2, IDG News Service – (International) Instagram vulnerability on iPhone allows for account takeover. A security researcher published November 30 another attack on Facebook’s Instagram photo-sharing service that could allow a hacker to seize control of a victim’s account. The attack was developed by the researcher around a vulnerability he found within Instagram in mid-November. The vulnerability is in version 3.1.2 of Instagram’s application for the iPhone. The researcher found that while some sensitive activities, such as logging in and editing profile data, are encrypted when sent to Instagram, other data was sent in plain text. He tested the two attacks on an iPhone 4 running iOS 6, where he first found the problem. The plain-text cookie can be intercepted using a man-in-the-middle attack as long as the hacker is on the same local area network (LAN) as the victim. Once the cookie is obtained, the hacker can delete or download photos or access the photos of another person who is friends with the victim. Security company Secunia verified the attack and issued an advisory. The researcher continued to study the potential of the vulnerability and found the cookie issue could also allow the hacker to take over the victim’s account using Address Resolution Protocol (ARP) spoofing. Source:

For another story, see item 11 above in Top Stories

Communications Sector

Nothing to report

Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site:

Contact Information

Content and Suggestions: Send mail to or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List: Send mail to

Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure Coordinating Center at or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at or visit their Web page.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.