Department of Homeland Security Daily Open Source Infrastructure Report

Monday, August 3, 2009

Complete DHS Daily Report for August 3, 2009

Daily Report

Top Stories

 The Associated Press reports that officials believe a welding job likely sparked a fire on July 30 at the El Dorado Chemical Co. plant in Bryan, Texas that forced thousands of people from their homes and closed Texas A&M University’s main campus. The fire threatened to ignite explosive ammonium nitrate. (See item 5)

5. July 31, Associated Press – (Texas) Welding believed to have sparked fire at TX chemical plant that forced thousands to flee homes. Officials believe a welding job likely sparked a fire at a central Texas chemical plant that forced thousands of people from their homes and closed Texas A&M University’s main campus. The fire threatened to ignite explosive ammonium nitrate used as a fertilizer ingredient. A worker with Brazos County emergency management said on July 31 the investigation is continuing but “the best information we have” indicates the blaze started during a welding job. He says fewer than 1,000 people were out of their homes as the El Dorado Chemical Co. plant continued smoldering. He says authorities hope to get the remaining residents home soon. According to Texas A&M’s Web site, the campus would reopen on July 31. The fire began midday July 30 at the plant in Bryan, about 100 miles north of Houston. At least 34 people were treated for injuries. Source:,1,3386464.story

 According to USA Today, cybersecurity experts are racing to tame a fast-spreading computer virus, called Clampi, that takes aim at financial accounts that are universally used by businesses. At least 500,000 computers have been infected by Clampi since March, a researcher said recently at the Black Hat security conference in Las Vegas. (See item 13)

See Banking and Finance sector, below, for Item 13.


Banking and Finance Sector

13. July 31, USA Today – (National) Clampi virus targets companies’ financial accounts. Cybersecurity experts are racing to tame a fast-spreading computer virus that takes deadly aim at financial accounts that are universally used by businesses. The virus, called Clampi, “is pretty scary,” says the editor of DarkReading, a technology security news site. “It’s worth worrying about.” At least 500,000 computers have been infected by Clampi since March, and it is spreading “by leaps and bounds,” a researcher told cybercrime experts meeting recently at the Black Hat security conference in Las Vegas. Anti-virus programs can detect and block Clampi, but the attackers are adept at tweaking it so it gets through, the researcher says. Clampi is one of a few dozen “banking Trojans” that target online financial transactions. But unlike some that prey on consumers’ online banking accounts, the criminals behind Clampi “are going after bigger fish,” primarily companies, says a senior analyst at anti-virus firm F-Secure. Windows PCs can pick up the Clampi infection when a user clicks on a tainted Web page, including ones on innocuous-looking legitimate sites that have been hacked. An infected PC then waits to see if the user logs into personal accounts at any of 4,600 Web pages for a wide array of businesses and government agencies, and their banks. It then sets a trap to obtain the user name and password of network administrators who have clearance to access all of an organization’s Windows PCs. It logs on as the administrator, then spreads companywide. Attackers are then able to wire cash transfers to “mule” accounts they control using banks’ automated clearinghouse (ACH) systems. Because Clampi and other banking Trojans are so ubiquitous, businesses should make online financial transactions only on PCs dedicated to those tasks, and that are not used for e-mail, accessing social networks or browsing the Internet, the researcher says. Source:

14. July 30, Associated Press – (Texas) 34 taken to hospitals after woman sprays perfume in Texas call center. At first, fire officials suspected that carbon monoxide or some other toxic fumes had sickened almost 150 people at a Texas bank call center. It turned out that perfume was to blame. A MedStar ambulance spokeswoman says 34 people were taken to hospitals, 12 by ambulance, after reporting dizziness and shortness of breath on July 29 at a Bank of America call center in Fort Worth. An additional 110 were treated at the scene. The Fort Worth fire lieutenant says the incident started with two people complaining about dizziness after a co-worker sprayed perfume. Others reported being sick when an announcement was made that anyone with similar symptoms should exit the building. Investigators do not know what type of perfume was sprayed. Source:,2933,535501,00.html?test=latestnews

15. July 30, Associated Press – (New Jersey) NJ woman admits to $15M investment scam. The former operator of a Clifton-based real estate investment program has admitted that she fraudulently raised more than $15 million from hundreds of investors. The operator pleaded guilty on July 30 in federal court to a one-count information charging her with mail fraud. Under federal sentencing guidelines, she faces up to 78 months in prison when she is sentenced November 24. Prosecutors say the 51-year-old operated a Ponzi scheme from 2004 through December 2007, using money from later investors to pay earlier ones. Other funds raised were used to pay her mortgage and other personal expenses. She told investors their money would be invested in real estate in the U.S. and overseas and promised a 100 percent return within one year. Source:

Information Technology

38. July 31, – (International) Apple computers vulnerable to new cyber attacks, expert warns. Apple Mac computers are not foolproof and can be manipulated by hackers despite their virus-free reputation, a security expert has warned at a conference in Las Vegas. A Mac researcher said at the Black Hat security conference, which is one of the top conferences in the industry, that while Mac viruses remain rare they will become more popular as Apple gains market share. The researcher demonstrated a type of software that is designed to run on certain systems to steal information or control a computer. The “Machiavelli” technique effectively took advantage of vulnerabilities in Apple’s software that many users ignore, as the Mac computer is often marketed by Apple as hardware that does not attract viruses. “There is no magic fairy dust protecting Macs,” he told The Age. The researcher, who co-wrote “The Mac Hacker’s Handbook” with another computer researcher, pointed to research that shows Apple held 9 percent of the computer market in the second quarter of the year. The two also said that because the Mac software holds more code than Microsoft’s Windows operating system, there are more opportunities for hackers to take advantage of the software. Source:

39. July 31, Computerworld – (International) Adobe patches 12 Flash bugs, 3 caused by Microsoft. Adobe on July 30 patched 12 vulnerabilities in Flash Player, including three it inherited from faulty Microsoft development code and one that hackers have been exploiting for at least a week. In a security advisory published on July 30, Adobe briefly spelled out the dozen vulnerabilities, 10 that were pegged as potentially leading to hijacked systems or with hackers executing their own malware on a machine. The vulnerabilities affect the Windows, Mac, and Linux versions of Flash Player. Still to patch: the Solaris edition. Last week, Adobe had promised that it would patch Flash on July 30 after reports surfaced of attacks against both Flash and Adobe Reader, a popular PDF viewer. Hackers have been attacking users running Flash through drive-bys hosted on compromised Web sites, and targeting people running Reader via a bug in the Flash interpreter baked into that program. Reader and Adobe Acrobat are slated for an update on July 31. Adobe also took care of three vulnerabilities within Flash that were the result of the company’s developers using a buggy Microsoft code “library” when they built the program. On July 29, Adobe confirmed that it had used Microsoft’s flawed development code, specifically the Active Template Library (ATL), a code library included with Visual Studio, to create both Flash Player and Shockwave Player. The latter was patched that same day. Source:

40. July 30, Associated Press – (International) Anti-theft software could create security hole. A piece of anti-theft software built into many laptops at the factory opens a serious security hole, according to research presented on July 30. The “Computrace” software, made by Vancouver-based Absolute Software Corp., is part of a subscription service that is used to find lost or stolen computers. Many people do not know it is on their machines, but it is included in computers from the biggest PC makers. The software is built into computers at the factory because that embeds it so deeply that even the extreme act of uninstalling the operating software will not delete it. The software is included in a part of the computer known as the BIOS, which refers to programs used to boot the computer. The service Absolute sells can be valuable because sensitive data can be purged remotely from a stolen machine. The computer is still able to reach out to a specially designated Web site for instructions even if a criminal is tampering with the machine. But research by two individuals with Boston-based Core Security Technologies, and presented on July 30 at the Black Hat security conference in Las Vegas, shows it can cut two ways. If a criminal has infected a computer that has the Computrace technology, he can take deep control of a machine. That is because he is able to modify the computer’s settings to maintain a connection with that machine even if the operating software is uninstalled then reinstalled, an extreme way, but sometimes the only way, to make sure a computer is cleaned of viruses. Source:

41. July 29, CNET News – (International) Single misplaced ‘&’ caused latest IE exploit. A security hole in Internet Explorer that opened the browser to hackers since early July was caused by a single typo in Microsoft’s code. An errant ampersand (“&”) took the blame for the exploit, admitted Microsoft in a blog published on July 28 at its Security Development Lifecycle (SDL) Web site. A security program manager at Microsoft explained in his blog that the typo corrupted the code of an ActiveX control used by the browser. The control was created by Microsoft using an older library of code, which Howard admitted has flaws. Because of those flaws, the typo caused the code to write untrusted data, exposing the browser to the bad guys. Outside of its regular Patch Tuesday routine, Microsoft issued an emergency fix for IE, which it said would block attempts to exploit the flaw in ActiveX controls. Development tools like Microsoft’s own Visual Studio use the same library of code, known as Active Template Library (ATL). On the same day it released the emergency patch for IE, the company also released a Visual Studio fix. The manager said the typo would have been difficult to spot in a review of the code, and that none of Microsoft’s code analysis methods would have uncovered it either. Source:

Communications Sector

42. July 29, – (International) Apple claims jailbroken iPhones could harm cell towers. Furthering their long-standing opposition to people ‘jailbreaking’ the iPhone, Apple asserts that the practice could lead to massive denial of service attacks on cell towers. Apple’s claim is that people tinkering with the iPhone’s software innards could execute commands that would crash cell tower software, resulting in people being unable to make phone calls or otherwise causing havoc on local cell networks. They draw a comparison between people jailbreaking the iPhone to someone breaking into a corporate network and damaging computers. Source:

43. July 29, Quad-City Times – (Iowa) Internet provider suddenly goes offline. Clinton County administrative offices are among hundreds of businesses and homes who were left without online access, Web sites and e-mail after an area Internet provider shut down recently without notice. Since July 27, customers of CIS Internet Services flooded the Clinton Area Chamber of Commerce office with calls, trying to get information about why they have no Internet service, the chamber president said on July 29. All complaints are being referred to the Iowa Attorney General’s Office and Better Business Bureau. The company provides Internet service to the Clinton area, including Camanche, Low Moor, DeWitt, Bellevue, Maquoketa and Fort Madison in Iowa and Fulton and Morrison, Illinois. The Web site also was not functional on July 29. The Clinton County Board of Supervisors met in an emergency session on July 29 and decided to declare the county’s contract with CIS Internet Services void and move immediately to find a new provider, the County attorney said. The county’s Web site has been down since early in the week, and employees at the Clinton County Administration Building have been unable to receive e-mails, said an administrative assistant for the board. She said county officials were unable to reach anyone from the company to find out what was wrong. The assistant said the county has received good service from CIS in the past, but that Internet service and e-mail access are “essential for the function of government now.” Source: