Monday, December 10, 2012

Daily Report

Top Stories

 • Researchers December 6 unleashed proof-of-concept code that would allow an attacker to effectively write himself a check from the victim organization’s accounting software. They said the same types of attacks could also be aimed against a variety of accounting packages. – Dark Reading See item 3 below in the Banking and Finance Sector

 • Grease and rags from a residential neighborhood clogged a 15-inch plastic sewer line in San Antonio December 4, causing 63,000 gallons of sewage to overflow. – San Antonio Express-News

7. December 7, Associated Press – (New York) Bus driver not guilty of manslaughter in NY crash. A casino bus driver at the helm of a New York crash that killed 15 people in 2011 was found not guilty of manslaughter and criminally negligent homicide December 7. He was found guilty on one count of aggravated unlicensed operation of a motor vehicle. The defense attorney said he was well-rested and the crash was the result of a tractor-trailer that swiped the bus and drove off, causing the bus driver to lose control. The bus was driving from a Connecticut casino to New York’s Chinatown when it crashed March 12, 2011. Authorities said the speeding bus ran off the highway, hit a guardrail, and then toppled. Source:

 • Two separate reports released December 6 showed that 94 percent of U.S. healthcare organizations have been hit by at least 1 data breach, and close to half suffered more than 5 breaches in the past 2 years. – Dark Reading

16. December 6, Dark Reading – (National) Most healthcare organizations suffered data breaches. Two separate reports released December 6 showed that 94 percent of U.S. healthcare organizations have been hit by at least 1 data breach and close to half suffered more than 5 breaches in the past 2 years. The estimated cost to the healthcare industry of these breaches is now at an average of $7 billion per year, a 15 percent increase over the past three years, according to the Third Annual Benchmark Study on Patient Privacy & Data Security by The Ponemon Institute, which was commissioned by ID Experts. According to a second, unrelated report from The Health Information Trust Alliance (HITRUST), there were some 500 data breaches at U.S. healthcare organizations from 2009 to the present, with 21 million personal records exposed — an estimated cost of $4 billion in damages. HITRUST included only breaches affecting 500 or more individuals, and says the numbers, which come from U.S. Department of Health and Human Services (HHS) data, signal little improvement in preventing breaches. More than 60 percent of those breaches came at smaller-sized physician practices of 1 to 100 employees. The data shows it takes a healthcare organization an average of 84 days to identify a breach, and 68 days to issue a notification of it. About half of the respondents in the Ponemon survey said their data breaches led to actual medical identity theft among their patients. Source:

 • According to Microsoft’s Malware Protection Center, the Necurs malware has been spotted on 83,427 unique computers in November alone. Experts revealed that the malware might even be capable of disabling Microsoft Security Essentials’ real time protection. – Softpedia See item 24 below in the Information Technology Sector


Banking and Finance Sector

3. December 6, Dark Reading – (International) ‘Project Mayhem’ hacks accounting software. Researchers December 6 unleashed proof-of-concept code that would allow an attacker to basically write himself a check from the victim organization’s account. The Python-based tool is just one example of the type of advanced financial fraud that could be perpetrated against accounting applications and databases, according to SecureState researchers, who at Black Hat Abu Dhabi demonstrated their tool and findings on threats to accounting software. They focused their efforts on Microsoft’s Dynamics Great Plains application, but they said the same types of attacks could also be aimed at other accounting packages. No vulnerabilities were discovered or exploited in the Microsoft product. The Mayhem script detects that the Microsoft software is running, and creates a backdoor for the attacker to remotely make SQL queries and commit all types of financial fraud. “It doesn’t even need to install a traditional piece of [trojan] backdoor malware like” most financial fraud malware does today, said the manager of SecureState’s penetration testing team. “We compare it with a banking trojan that hijacks [automated clearing house] ACH and wire transfers without the user’s knowledge, but this time we’re looking at the accounting system instead of the online banking session,” he said. Microsoft’s accounting program is not the only potential victim. The manager said the same concept could be applied to MAS 90, Peachtree, Oracle, and SAP. Source:

4. December 6, Associated Press – (Colorado) Federal fraud charges in Colorado bank failure. A former New Frontier Bank loan officer is facing federal fraud charges involving millions of dollars in the 4 years prior to the Greeley, Colorado bank’s shutdown by State regulators in 2009. The man appeared in U.S. District Court December 5. He was the chief loan officer at New Frontier, which had $2 billion in assets before lending practices turned it into one of the country’s most expensive bank failures in 2009, costing the Federal Deposit Insurance Corp. $670 million. The man was responsible for making more than $20 million in loans to borrowers in return for $4.3 million used to purchase New Frontier Bankcorp stock. He is also accused of trying to pocket $160,000 in illegally obtained money. Source:

5. December 6, IDG News Service – (International) Former Anonymous member convicted in attacks against PayPal, MasterCard, Visa. A U.K. man was convicted for his involvement in a series of distributed denial-of-service (DDoS) attacks launched by the hacktivist group Anonymous against PayPal, MasterCard, Visa, and other companies in 2010. The man was convicted December 6 in a London court on one count of conspiracy to impair the operation of computers, the U.K.’s Crown Prosecution Service said in a blog post. The man, who used the online handle “Nerdo,” was arrested in January 2011 and was charged in September 2011 with computer-related offenses in relation to Anonymous’ “Operation Payback” attack campaign. DDoS attacks launched as part of “Operation Payback” originally targeted companies and organizations from the music industry. However, the campaign later switched its focus toward PayPal, MasterCard, Visa, and other financial companies. Three other men arrested in the U.K. in connection with the same attacks pleaded guilty earlier in 2012 to one count each of conspiracy to impair the operation of computers. According to the Crown Prosecution Service, the DDoS attacks cost PayPal, MasterCard, Visa, the British Recorded Music Industry, Ministry of Sound, and the International Federation of the Phonographic Industry $5.6 million in additional staffing, software, and loss of sales. Source:

Information Technology Sector

22. December 7, IDG News Service – (International) Tor network used to command Skynet botnet. Security researchers have identified a botnet controlled by its creators over the Tor anonymity network. It is likely that other botnet operators will adopt this approach, according to the team from vulnerability assessment and penetration testing firm Rapid7. The botnet is called Skynet and can be used to launch distributed denial-of-service (DDoS) attacks, generate Bitcoins — a type of virtual currency — using the processing power of graphics cards installed in infected computers, download and execute arbitrary files, or steal login credentials for Web sites, including online banking ones. However, what really makes this botnet stand out is that its command and control (C&C) servers are only accessible from within the Tor anonymity network using the Tor Hidden Service protocol. Tor Hidden Services are perfect for a botnet operation, said a security researcher at Rapid7 in an email December 7. “As far as I understand, there is no technical way neither to trace and definitely neither to take down the Hidden Services used for C&C.” The researcher published a blog post about the Skynet botnet December 6. He believes that the botnet is the same one described by a self-confessed botnet operator in an “IAmA” (I am a) thread on Reddit seven months ago. Despite the wealth of information about the botnet offered by its creator on Reddit seven months ago, the botnet is still alive and strong. In fact, Rapid7 researchers estimate that the botnet’s current size is 12,000 to 15,000 compromised computers, up to 50 percent more than what its operator estimated 7 months ago. Source:

23. December 7, Softpedia – (International) BlackHole exploit kit has difficulties in infecting Chrome users, experts say. The notorious Blackhole exploit kit has difficulties when its victims utilize Google’s Chrome Web browser. According to experts from Blue Coat, when potential victims are tricked into clicking on links that point to Blackhole-infested Web sites, they are presented with a “loading” or a “please wait” message, while in the background they are redirected to the exploit pages that infect their computers with a piece of malware. However, this only happens if the victim uses browsers such as Internet Explorer or Firefox. During the attack, when users are redirected to the exploit pages, a script checks the user agent to identify which browser is utilized. If Chrome is detected, the victims are not redirected to the Blackhole page. Instead, they are taken to another malicious page where they are urged to install a rogue Chrome update. This happens because Blackhole uses vulnerabilities in popular applications – such as Adobe Reader, Java, and the browser itself – to push malware onto the victim’s device. However, since Chrome renders PDF files by using its built-in reader, and it asks users for permission before running a Java applet, Blackhole cannot succeed in its malicious task. Source:

24. December 7, Softpedia – (International) Necurs malware infects over 83,000 machines in November 2012, Microsoft says. According to experts from Microsoft’s Malware Protection Center, the Necurs malware has been spotted on 83,427 unique computers in November alone. Researchers reveal the fact that Necurs is usually distributed via Web sites that host the BlackHole exploit kit. Once the threat finds itself on a computer, it downloads additional malicious elements, disables security applications, and hides its components. Furthermore, the malware also allows its controllers to gain complete control over the infected device through its backdoor functionality. It can also send spam and install pieces of scareware. Experts reveal that the malware might even be capable of disabling Microsoft Security Essentials’ real time protection. Microsoft researchers have published a technical analysis of how Necurs manages to accomplish all these tasks. Source:

25. December 7, The Register – (International) Rare critical Word vuln is the star of December Patch Tuesday. Microsoft is planning to release seven bulletins December 11, five of which tackle critical vulnerabilities, as part of its final Patch Tuesday update of 2012. All currently supported operating systems (including Windows 8 and Windows RT) will need patching. The updates feature critical updates for Internet Explorer (IE) 9 and IE 10 browser software, a critical update for Microsoft Word, and critical updates for some of Microsoft’s server products (Exchange and Sharepoint). Qualys’s chief technology officer singled out the Word update for particular attention. “Bulletin 3 is special, as it affects Microsoft Word and is rated critical, which happens very rarely,” he said. Source:

26. December 7, Associated Press – (International) Hackers said to hit UN telecoms talks in Dubai. Organizers of a U.N. conference on global telecommunications said December 6 that hackers apparently blocked their Web site and disrupted the talks. The U.N.’s International Telecommunications Union said the Web site was hit December 5, blocking access to its main page and interfering with a closed-door working group. It says it is still investigating but initial signs pointed to hackers. The statement says Internet traffic was diverted to a backup Web site for 2 hours before normal operations resumed. Source:

For more stories, see items 3 and 5 above in the Banking and Finance Sector

Communications Sector

27. December 7, Lihue Garden Island – (Hawaii) Storm knocks KUAI 720AM off the air. A Kaua’i, Hawaii country radio station was knocked off the air in a December 4 electrical storm. KUAI 720 AM Eleele has been off the air since December 4 when both the power and telephone communication systems were impacted by the storm, the chief engineer and operation manager for the KQNG radio group said. The Kaua’i Island Utilities Cooperative was able to restore power to the antenna and transmission tower. The chief engineer and operation manager said Hawaiian Telcom was hoping to reach the tower December 7, but their crews were experiencing a heavier repair load than usual from the storm on the west side of the island. Both the power and telephone systems need to be operational before he can assess if there was any damage to the equipment at the studio. There was no estimated time as to how long it will be before the station is back on the air. Source:

28. December 7, New York Post – (New York) Mayor wants to have telecommunications services restored to Lower Manhattan by end of year. Speaking December 7 at a forum on New York City’s future after Hurricane Sandy, the city’s mayor disclosed that he had a “long conversation” December 6 with the Verizon CEO and together they developed a plan to provide temporary telecommunications services to downtown buildings by the end of 2012. Verizon lost 95 percent of its copper wiring to the salt waters that enveloped its downtown system during the storm. The deputy mayor said Verizon has undertaken a monumental recovery effort and is replacing its unusable copper wires with advanced fiber optics. He said the company, with the city’s help, will also work to provide interim service to the affected buildings. Source:

29. December 6, CNET – (National) FCC fast tracks text-to-911 service. The Federal Communications Commission (FCC) chairman announced December 6 that the four largest wireless carriers in the U.S. have agreed to fast track a service that will let people text the emergency 9-1-1 line. AT&T, Verizon Wireless, Sprint, and T-Mobile have all signed on and major deployments are planned to roll out in 2013. The service should be fully available nationwide by May 15, 2014. Dubbed “Next Generation 9-1-1,” the project has been under development at the FCC for the last two years. The goal of the service is to offer people more ways to contact emergency officials, as well as to improve the network to ensure it holds up for new communication technologies. According to the FCC chairman, a key component of Next Generation 9-1-1 is the rapid deployment of text messaging, photo, and video support. While the service is being phased in, the mobile carriers will send an automatic “bounce back” text message when any attempt to reach 9-1-1 via text message fails. This bounce back message would come before the text-to-9-1-1 service is available in a certain area. Source:

30. December 6, Visalia Times-Delta – (California) Visalia classic rock station knocked off air. KIOO 99.7 FM Porterville was knocked off the air when a delivery truck hit and destroyed its broadcast tower on Lewis Hill in California, Visalia Times-Delta reported December 6. There were no injuries as a result of the accident but the antenna was so badly damaged it had to be removed. Momentum Broadcasting, the Visalia-based owners of the station, were trying to get a limited signal going, but a new tower will have to be erected, which may take up to two days, station management said. Source:

For another story, see item 26 above in the Information Technology Sector

Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site:

Contact Information

Content and Suggestions: Send mail to or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List: Send mail to

Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure Coordinating Center at or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at or visit their Web page at v.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.