Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, April 21, 2009


Top Stories

 According to the Associated Press, more than 27,000 gallons of hydrochloric acid leaked from a storage tank into a retention basin at Dover Chemical Corporation in Dover, Ohio on Saturday, spawning a massive vapor cloud that took hours to dissipate. (See item 5)

5. April 18, Associated Press – (Ohio) Vapor cloud from Ohio chemical leak dissipating. A large chemical spill on April 18 at an east-central Ohio plant spawned a massive vapor cloud that took hours to dissipate, officials said. No injuries were reported. More than 27,000 gallons of hydrochloric acid leaked from a storage tank into a retention basin at Dover Chemical Corporation around 12:30 a.m., the Dover Fire chief said. The leak was contained onsite, but a vapor cloud developed and lingered for hours after the leak was discovered, he said. Firefighters reported that the cloud had dissipated by mid-morning and that a structural defect in the tank was believed to have caused the leak. There were no evacuations, and police said residents in the area received a reverse 911 call telling them to keep doors and windows closed. The company, which makes chemical additives, pumped the spilled hydrochloric acid into tankers and other tanks to limit vaporizing, the Dover Chemical vice president of operations said. Firefighters used a vapor suppressant foam to help trap vapors, the company said. Source:

 The Associated Press reports that authorities evacuated the town of St. Charles, Minnesota on Friday as a large fire at the North Star Foods plant threatened the anhydrous ammonia tanks inside. A city administrator said there were about 30,000 pounds of anhydrous ammonia in the five tanks. (See item 26)

26. April 18, Associated Press – (Minnesota) Plant fire forces evacuation of entire Minn. town. Authorities evacuated the southeastern Minnesota town of St. Charles, population about 3,600, on Friday as a large fire at a meat processing plant threatened the anhydrous ammonia tanks inside, but, despite a scare, firefighters were able to prevent the tanks from exploding. According to a spokeswoman for the emergency operations center for the incident, as crews were deliberately venting ammonia from the five tanks inside the plant, some ammonia in the pipes that run through the plant escaped, causing ammonia levels in the air to temporarily spike twice. She said the ammonia dissipated right away and posed no threat to emergency workers at the scene. A city administrator said there were about 30,000 pounds of anhydrous ammonia in the five tanks. The cause of the fire was not immediately known, he said. Civil defense sirens blared to warn residents to get out. Sheriff’s deputies began door-to-door evacuations of people and pets about 3:30 p.m., and evacuation centers were set up for displaced residents at a church and schools in nearby communities. Both major highways through town were closed. The only reported injuries were minor. Some 200 firefighters and emergency workers from several agencies responded to the fire, including a hazardous materials team from Rochester, and 70 firefighters were still on the scene late Friday to fight the blaze through the night. The North Star Foods plant manager said the fire started late Friday morning above one of the ovens where chickens are cooked. “Within two to three minutes, there was smoke coming out of the room pretty heavy,” the manager said. Source:


Banking and Finance Sector

14. April 20, Associated Press – (South Dakota) Sioux Falls phone scam targets ATM cards. The Sioux Falls Police Department is warning people about an automated telephone scam. The call from a recorded voice tells people their ATM card has been canceled and they need to push “1” to reinstate it. Police say doing that ends the call, but people should just hang up and not press the number or give out any personal information. Calls on April 19 were coming from a phone number in the 514 area code, which is in Canada. It is not clear what information, if any, is gained from the calls. Source:

15. April 18, Associated Press – (Indiana) State warns of new mortgage fraud scheme. Indiana’s Attorney General is warning about a mortgage fraud scheme in which criminals exploit a loophole in state law to transfer the ownership of properties. The Attorney General said the thieves are not interested in the property they steal, but in using their “ownership” of a property to obtain a fraudulent loan. Once they get the money, they disappear with it and leave the true property owner with the debt. “The actual homeowners, through no fault of their own, are at risk of losing their home to foreclosure,” the Attorney General said. “Correcting the problem and clearing the cloud off the title could cost the homeowners thousands of dollars.” The Attorney General joined the Indiana Recorders Association and the Association of Indiana Counties in Indianapolis on April 16 to publicize the scheme. He explained that Indiana law does not allow county recorders to demand proof of identification from customers who are recording deeds and other notarized documents. “Criminals are exploiting a loophole to fraudulently transfer ownership of properties in an effort to steal money from lenders,” the Attorney General said during the announcement. The Allen County Recorder said the state’s recorders are looking at legislation similar to a law in California that would require a thumbprint along with a notarized signature. A similar requirement takes effect in Illinois this summer.


16. April 17, Missoulian – (Montana) State alleges Ponzi scheme: 2 Polson men accused of $14 million fraud. There are at least 100 victims of the largest Ponzi scheme ever perpetrated in Montana. On April 16, the state auditor and commissioner of securities announced her office has filed legal action against two Polson residents and their companies, Cornerstone Financial Corp. and K&B Investments. The state alleges the two men committed securities fraud via a Ponzi scheme involving more than $14 million. According to the state auditor, the defendants allegedly offered high rates of return, typically 15 percent annually, and assured investors their money was safe because it was secured by real property with values equal to or higher than their investment. The two men also allegedly promised investors that more than $1.5 million of their funds had been reserved with an escrow service for disbursement back to the investors at a later date, but instead commingled that money with other Cornerstone operating funds. Additionally, the state’s complaint alleges that many of the notes were never secured by real property despite the promises, and for those that were, nearly all the properties securing the promissory notes are now in foreclosure. Source:

Information Technology

37. April 20, The Register – (International) Twitter riddled with worms and scams (again). Multiple new versions of the Mikeyy cross-site scripting worm spread across the Twitter micro-blogging network recently. The first in the latest batch of worms berated Twitter for poor security. The VXer who got a job in security days after creating the first Twitter XSS worm over the Easter holiday weekend has confessed to creating this worm too. A second worm, which began spreading on April 17, referenced Twitter users with a large number of followers (such as @oprah and @aplus) and came from compromised accounts that also referenced the increasingly annoying Mikeyy. On 18 April two more Mikeyy-type worms appeared, this time in the guise of Tweets from compromised accounts, featuring philosophical musings and the word “womp.” The second worm of the day built on infected profiles, changing the title of the profile to “Mikey and the Mysterious Treqz,” as explained in a blog posting by F-Secure. Twitter, not before time, suspended the VXer’s profile recently, and this might be the 17-year-old’s reaction, although this has not been confirmed. Security researchers, who criticize Twitter for its apparent inability to de-worm its site, advise users to turn off scripting, or use Firefox extension NoScript, when viewing users’ profiles in order to avoid getting caught out by the malware. “Once again, Twitter is left looking amateurish in its response as it clearly has not properly hardened its systems from these kind of cross-site scripting attacks,” writes a senior security consultant at anti-virus firm Sophos. April 20 brought yet more security problems for Twitter with the spread of messages promoting, a site linked to online scams. Twitter itself describes the issue as a “scam/phishing” problem unrelated to malware. It adds that the messages were sent via compromised accounts, which it is in the process of suspending. Source:

38. April 18, Computerworld – (International) Mac exploit enters system through VMware. A bug in VMware’s Fusion virtualization software could be used to run malicious code on a Mac by exploiting Windows in a virtual machine, a security researcher said recently. VMware has released Fusion 2.0.4 to plug the hole. According to an exploit researcher at Immunity Inc., a critical vulnerability in VMware’s virtual machine display function can be used to read and write memory on the “host” operating system, the OS running the physical hardware. The researcher crafted an exploit for Immunity’s customers (the Miami-based company is best known for its Canvas penetration testing tool) and posted a video clip that demonstrates an attack on a machine running Windows Vista Service Pack 1 (SP1) as the host operating system, and Windows XP as the “guest,” the OS running in a virtual machine. “This is indeed a guest-to-host exploit,” the researcher said in an e-mail on April 18. “It uses several vulnerabilities in the ‘Display functions’ (as VMware put it) that allow [someone] to read and write arbitrary memory in the host. Thus the guest can run some code on the host, effectively bypassing ASLR and DEP on Vista SP1.” The same tactics can be employed against a guest operating system, say Windows XP, running in Fusion on a Mac powered by Apple’s Mac OS X, the researcher confirmed. “The vulnerability is also present in VMware Fusion and as such would allow a guest (Windows or Linux) to run code on the Mac OS X host,” he said. “We did not implement this exploit though, but will probably in a near future.” Source:

Communications Sector

Nothing to report.