Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, January 20, 2010

Complete DHS Daily Report for January 20, 2010

Daily Report

Top Stories

 According to the Associated Press, two rival groups of Somali pirates had a shootout Sunday just before a $5.5 million ransom was delivered to free a supertanker loaded with combustible crude oil and destined for the United States, prompting the pirates onboard to call the anti-piracy force for help. (See item 2)

2. January 19, Associated Press – (International) Rival Somali pirates exchange gunfire before oil tanker is released. Two rival groups of Somali pirates had a shootout just before a $5.5 million ransom was delivered to free a supertanker loaded with combustible crude oil, prompting the pirates onboard to call the anti-piracy force for help, a European Union naval spokesman said Monday. Helicopters dispatched from a warship ended the standoff that could have caused a catastrophic explosion aboard the Maran Centaurus, which is carrying about 2 million barrels of crude oil destined for the United States. The ship’s cargo is so flammable that smoking is forbidden on deck. The supertanker was seized about 800 miles off the Somali coast with a crew of 28. The crude oil onboard was estimated to be worth roughly $150 million at the time of the November 29 attack. The spokesman for the European Union Naval Force said a rival group of pirates had attacked the gunmen holding the Greek-flagged ship Sunday just before the ransom was to be delivered, prompting the pirates onboard the tanker to call for assistance from the anti-piracy force. A Somali middleman, who helped negotiate the ship’s release, said a nearby warship had dispatched two helicopters to hover over the attackers’ two skiffs, frightening them off. The pirates onboard the ship then collected $5.5 million, which was parachuted out the back of two planes, he said. The pirates left the ship Monday morning and the helicopter did not fire any shots, he said. In a prepared statement, the ship’s owner declined to give any details about how it negotiated the release of the Maran Centaurus. The Maran Tankers Management Inc. said the crew members are safe and well. Source:

 Multiple sources report the following due to heavy rains over the weekend in California: Power outages were affecting 96,000 customers in PG&E’s entire service area; the access road to the San Onofre Nuclear Generating Station’s emergency operations facility was inaccessible due to road flooding; 16 or more inches of rain is predicted in Mt. Wilson, where transmitter facilities are located for TV stations serving Los Angeles; and L.A. County Public Works crews have raised dams in some of the smaller debris basins, and used backhoes to dig out more capacity in others. (See items 1, 12, and 64 below and 59 in the Communications Sector)

1. January 19, KGO 810 San Francisco – (California) Storm leaves 56,000 without power. Stormy weather has left 56,000 PG&E customers in the Bay Area without power Tuesday morning, a utility spokeswoman said. Nearly half of those outages are on the Peninsula, where 25,000 customers are affected, a PG&E spokeswoman said. Another 15,000 outages are reported in the East Bay, 14,500 in the South Bay, 1,500 in the North Bay, and 150 in San Francisco, she said. PG&E expects storms to continue affecting service throughout the week, she said. “We have been preparing for this and we have all hands on deck.” The region’s coastal and wooded areas pose the biggest challenge for repair crews because of high winds and the concentration of trees, she said. She estimated that outages are affecting 96,000 customers in PG&E’s entire service area, which stretches from Eureka to Bakersfield. Source:

12. January 18, U.S. Nuclear Regulatory Commission – (California) Emergency operations facility inaccessible due to road flooding. The following event notification was issued by the NRC: “On January 18, 2010, at about 1950 PST, the access road to the SONGS MESA facilities became flooded after a day of rain. The San Onofre Emergency Operations Facility (EOF) is located at the MESA and because of the flooding, is inaccessible to passenger vehicles. While the EOF itself is operable, in the event of an emergency at San Onofre, SCE [Southern California Edison] would direct EOF emergency responders to the alternate EOF located in Irvine, California. SCE is reporting this occurrence to the NRC in accordance with 10CFR50.72(b)(3)(xiii). “At the time of this occurrence, Unit 2 was shutdown for a Steam Generator Replacement outage and Unit 3 was operating at about 100% power. SCE will notify the NRC Resident Inspectors about this occurrence and will provide them with a copy of this report.” Source:

64. January 18, KPCC 89.3 Pasadena – (California) Foothill communities get ready for mudflow threat. This week, Los Angeles County emergency teams are working to protect homes from heavy rains and mudslides in the foothill communities. An official with L.A. County Public Works says the big question this week will be how much mud will flow how fast. Officials expect the heaviest rain and mudflows Wednesday and Thursday. He says public works is keeping close tabs on the 28 debris basins in the burned areas — especially the smaller ones. “The fact is, though, we have a couple of our basins not designed for what we call our typical design event,” he says. “Those are the hotspots.” Public Works crews have raised dams in some of those smaller debris basins, and used backhoes to dig out more capacity in others. But it is not safe to empty them when it is raining. “When there’s a dry spell we can dewater the basin. We can try to get some of the material out. It all depends on the weather,” he says. “At some of the critical inlets, we have staff out there trying to ensure that they don’t plug with debris.” Public works officials say they have planned well enough to capture debris brought down by all the storms this week. Source:


Banking and Finance Sector

22. January 20, Credit Union Times – (National) Mobile phishing highlights need for greater security. At least nine credit unions were subject to a mobile phone phishing attack that sought to lure credit union members into giving up their financial information to fraudsters. The attack speaks both to the appeal of mobile banking and to the pressing need to keep developing its security. The thieves launched the attack using downloadable applications that they wrote themselves and branded with the logos of financial institutions, which included a number of banks as well as credit unions. They published the applications on Google’s Android platform, which Google uses as the operating system for its own phone and which a number of cellular carriers have offered on their handsets as well. The applications were all developed by a person or group calling itself “09Droid” and contained the phrase “happy banking” in the summary that each application uses to advertise itself to potential users. In the attack, a mobile phone user would have seen that the application was available on the Android Market and purchased it for about $1.50. The user then would likely have logged on to his or her account with the application, which would capture the password and other details and add them to the credit or debit card information the user had already provided when purchasing the application. Source:

23. January 18, Computerworld – (International) Hackers are defeating tough authentication, Gartner warns. Security measures such as the use of one-time passwords and phone-based user authentication — considered among the most robust forms of IT defenses — are no longer enough to protect online banking systems against fraud, a Gartner Inc. report warns. Cybercriminals are using increasingly sophisticated tactics to outmaneuver security systems so they can steal customers’ log-in credentials and pillage their bank accounts, according to a Gartner analyst who wrote the report. Trojan horse programs lurking inside a customer’s Web browser can steal one-time passwords and immediately transfer funds, or intercept a transaction between a bank and a customer and make changes unbeknownst to the user or the bank, the analyst said. In cases where a bank uses a phone-based, “out of band” authentication system, criminals use call forwarding so that the fraudster, not the legitimate customer, gets the call from the financial institution, the analyst said. Banks need to quickly implement additional layers of security, she advised. Source:
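The two failure modes the report describes, a browser trojan that steals a one-time password and alters the transaction in flight, come down to one property: a plain OTP is bound to a counter, not to what the customer approved. The following is an added illustration, not code from Gartner or from the report. A bank that checks only an RFC 4226 HOTP accepts a transfer the trojan has rewritten, while a code computed over the payee and amount the customer confirmed on a separate display rejects it. The shared secret, the transaction values and the mule account are constructed for the demo, and the transaction-binding scheme is a generic HMAC design assumed here, not a specific bank’s product.

```python
"""Why a bare one-time password does not stop a man-in-the-browser (MITB)
trojan, and how binding the code to the transaction details does.
Added illustration: HOTP follows RFC 4226; the transaction-bound code is a
generic HMAC construction assumed for this demo."""
import hashlib
import hmac
import struct

# Constructed shared secret for the demo (a real token is provisioned per user).
SECRET = b"demo-shared-secret-not-for-production"


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31-bit window chosen by the last nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def transaction_code(secret: bytes, counter: int, payee: str, amount: int,
                     digits: int = 8) -> str:
    """Code over the counter AND the payee/amount the user saw on a trusted display."""
    msg = struct.pack(">Q", counter) + f"{payee}|{amount}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac, digits)


def mitb_rewrite(tx: dict) -> dict:
    """What the trojan does: swap payee and amount after approval, keep the code."""
    return {**tx, "payee": "MULE-ACCOUNT-999", "amount": 5000}


def bank_verify_otp(tx: dict, counter: int) -> bool:
    """Bank that only checks the OTP: nothing links the code to the transaction body."""
    return hmac.compare_digest(tx["code"], hotp(SECRET, counter))


def bank_verify_bound(tx: dict, counter: int) -> bool:
    """Bank that recomputes the code over the details it actually received."""
    expected = transaction_code(SECRET, counter, tx["payee"], tx["amount"])
    return hmac.compare_digest(tx["code"], expected)


def demo(counter: int = 7) -> dict:
    """Run both schemes against a clean and a trojan-rewritten transfer."""
    intended = {"payee": "ACME-SUPPLIES-123", "amount": 100}  # constructed
    tx_otp = {**intended, "code": hotp(SECRET, counter)}
    tx_bound = {**intended, "code": transaction_code(
        SECRET, counter, intended["payee"], intended["amount"])}
    return {
        "otp_clean": bank_verify_otp(tx_otp, counter),
        "otp_tampered": bank_verify_otp(mitb_rewrite(tx_otp), counter),
        "bound_clean": bank_verify_bound(tx_bound, counter),
        "bound_tampered": bank_verify_bound(mitb_rewrite(tx_bound), counter),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:15s} accepted={accepted}")
```

Transaction binding does not by itself address the call-forwarding case the report also mentions, where the fraudster rather than the customer answers the out-of-band call; that needs the channel itself to be trustworthy, not just the code carried over it.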

24. January 18, Bellingham Herald – (Washington) Industrial Credit Union warns of text fraud. The Industrial Credit Union reports that some members have been getting fraudulent cell phone text messages. The messages claim that the member’s account has been suspended, and the trouble can be cleared up by calling a phone number provided to report personal credit card and account numbers. In a warning on its Web site, ICU says it is not sending out the text messages, and no other local credit union is doing so, either. The text messages appear to be part of the nonstop, worldwide blizzard of fraudulent e-mails, automated phone calls, and text messages that attempt to trick unwary people into disclosing sensitive financial information. Criminals can use the information to empty bank accounts or make phony credit and debit card charges. Source:

25. January 16, – (National) Smaller merchants may offer less credit card security. According to a recent survey, credit card security may not be as alive and well as most consumers assume. The study surveyed 560 U.S. and multinational organizations on the degree to which they complied with the Payment Card Industry’s Data Security Standard (PCI DSS). The survey was conducted by the Ponemon Institute, a company specializing in research into privacy and information security policy. The PCI DSS is an industry standard introduced in June 2005 by the major credit card companies. It outlines the essential security measures companies must take to guard the credit card information and other customer payment data they collect during credit card transactions. The survey found that many smaller merchants do not make the investment necessary to comply with PCI DSS. While almost three out of four large merchants with 75,000 or more employees complied with the standard (70 percent), only about one in four (28 percent) of smaller companies with 501 to 1,000 employees said they were compliant. Indeed, of the companies surveyed, 55 percent secured only credit card information and not the other personal data involved in identity theft, such as Social Security numbers, driver’s license numbers, or bank account details. At the same time, the need for greater protection of credit card information was underscored by one sobering fact: 79 percent of respondents said they had had at least one data breach involving loss or theft of credit card information. Source:

26. January 15, Dow Jones Newswires – (Illinois; Minnesota; Utah) Regulators close 3 banks in Minnesota, Illinois, Utah. Three U.S. banks were shuttered on January 15 by state regulators, bringing the total number of bank failures this year to four, the Federal Deposit Insurance Corporation said. In Illinois, state regulators shut down Town Community Bank and Trust in Antioch. Town Community Bank and Trust, which had only one branch, had approximately $69.6 million in assets and $67.4 million in total deposits as of September 30, 2009, according to the FDIC. Under the deal with First American Bank, which took over its deposits, the FDIC and First American Bank will share in losses on about $56.2 million of Town Community Bank and Trust’s assets. The FDIC estimated the failure will cost its deposit-insurance fund $17.8 million. State regulators in Minnesota, meanwhile, closed St. Stephen State Bank, which is based in St. Stephens. The First State Bank of St. Joseph agreed to assume the deposits of St. Stephen State Bank through a deal with the FDIC. St. Stephen State Bank had approximately $24.7 million in total assets and $23.4 million in total deposits as of September 30, 2009. The FDIC and First State Bank of St. Joseph will share in losses on about $20.4 million of St. Stephen State Bank’s assets. In Utah, state regulators closed the Kaysville-based Barnes Banking Company. Unable to secure a buyer, the FDIC said it has created a bridge bank called the Deposit Insurance National Bank of Kaysville, which will remain open until February 12, 2010, so customers can transfer their accounts to other banks. As of September 30, 2009, Barnes Banking Company had $827.8 million in total assets and $786.5 million in total deposits. The FDIC estimated the failure of Barnes Banking Company will cost its deposit-insurance fund $271.3 million. Source:

Information Technology

50. January 19, Computerworld – (International) Hackers wield newest IE exploit in drive-by attacks. Hackers are attacking consumers with an exploit of Internet Explorer (IE) that was allegedly used last month by the Chinese to break into Google’s corporate network, a security company said on January 18. That news came on the heels of warnings by the information security agencies of the French and German governments, which recommended that IE users switch to an alternate browser, such as Firefox, Chrome, Safari or Opera, until Microsoft fixes the flaw. In a January 18 alert, Websense said it identified “limited public use” of the unpatched IE vulnerability in drive-by attacks against users who strayed onto malicious Web sites. The site Websense cited in its warning has since been removed from its hosting server. According to Websense, the attack code it spotted is the same as the exploit that went public last week. That code was quickly turned into an exploit module for Metasploit, the open-source penetration testing framework, by HD Moore, the creator of Metasploit and chief security officer for security company Rapid7. Websense also said its researchers were working with Microsoft to identify sites serving up the exploit. Source:

51. January 19, IDG News Service – (International) China: We are biggest victim of cyberattacks. On January 19, China denied any role in alleged cyberattacks on Indian government offices, calling China itself the biggest victim of hackers. When asked about Google’s allegation that cyberattacks launched from China hit the U.S. search giant, a foreign ministry spokesman said Chinese companies were also often hit by cyberattacks. “China is the biggest victim of hacking attacks,” the spokesman said, citing the example of the top Chinese search engine being hacked recently. An Indian official has reportedly said local government offices, including that of India’s National Security Advisor, were also targeted last month by hackers believed to be from China. The spokesman said the allegation was baseless. Source:

52. January 19, The Register – (International) IE6 exposed as Google China malware unpicked. Fresh analysis has revealed the sophistication of the malware used in attacks against Google and other hi-tech firms originating from China last month. It is now known that the attack took advantage of a zero-day vulnerability in Internet Explorer, CVE-2010-0249, to drop malware onto compromised systems. After the backdoor components (malicious Windows library files) are loaded, the compromised systems attempt to contact command and control (C&C) servers. Security analysts at McAfee have discovered that this communication uses a custom encrypted protocol on port 443, the port normally used by HTTPS for SSL-protected web and ecommerce traffic. The assault used multiple malware components, with highly obfuscated code designed to confound security researchers. This marks it out as one of the most sophisticated hacking attacks to date, writes a McAfee researcher. “This attack involved very advanced methods, with several pieces of malware working in concert to give the attackers full control of the infected system, at the same time it attempts to disguise itself as a common connection to a secure website,” he explains. “This way, the attackers were able to covertly gather all the information they wanted without being discovered.” The attack, codenamed Operation Aurora, affected Google and at least 20 other firms, including Adobe, Juniper Networks, Rackspace, Yahoo! and Symantec. Source:
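One detection that follows directly from the McAfee finding above is to check whether a connection to tcp/443 actually starts like HTTPS. Every SSLv3/TLS session opens with a handshake record carrying a ClientHello, so a first client payload on 443 that lacks that framing is worth a look. The following is an added example, not McAfee’s code and not a sample of the Aurora protocol: a classifier run over constructed flows (a genuine ClientHello, an opaque custom blob, plaintext HTTP on 443, and ordinary port-80 traffic). It assumes SSLv3/TLS 1.x record framing, ignores SSLv2-style hellos, and will not flag malware that wraps its C&C inside real TLS, which the custom protocol described here did not.

```python
"""Flag tcp/443 flows whose first client bytes are not a TLS ClientHello.
Added example with constructed payloads; it covers only the case in the
article (a custom, non-TLS protocol on 443), not C&C tunnelled inside real TLS."""


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if payload starts with a TLS handshake record carrying a ClientHello.

    Record header:    type(1)=0x16, version(2)=0x03 0x00..0x03, length(2)
    Handshake header: type(1)=0x01 (ClientHello), length(3)
    SSLv2-compatible hellos are deliberately not recognised."""
    if len(payload) < 9:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    if content_type != 0x16 or major != 0x03 or minor > 0x03:
        return False
    record_len = int.from_bytes(payload[3:5], "big")
    handshake_type = payload[5]
    handshake_len = int.from_bytes(payload[6:9], "big")
    # The handshake message (4-byte header + body) must fit inside the record.
    return handshake_type == 0x01 and 4 + handshake_len <= record_len


def build_client_hello() -> bytes:
    """Minimal TLS 1.2 ClientHello (constructed: one cipher suite, no extensions)."""
    body = (b"\x03\x03"            # client_version
            + bytes(32)            # random (zeros for the demo)
            + b"\x00"              # session_id length
            + b"\x00\x02\x00\x2f"  # cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00")         # compression_methods: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def flag_suspicious_443(flows):
    """flows: iterable of (src, dst, dport, first_client_payload).
    Returns (src, dst) pairs on port 443 whose first bytes do not look like TLS."""
    return [(src, dst) for src, dst, dport, payload in flows
            if dport == 443 and not looks_like_tls_client_hello(payload)]


# Constructed sample flows; addresses and payloads are made up for the demo.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, build_client_hello()),          # real HTTPS
    ("10.0.0.7", "198.51.100.23", 443,
     bytes.fromhex("9c170ba2f4e85d3301aa7b6c0e5f2291d4")),            # opaque custom blob
    ("10.0.0.9", "192.0.2.44", 443,
     b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"),                 # plaintext on 443
    ("10.0.0.9", "192.0.2.44", 80, b"GET / HTTP/1.1\r\n\r\n"),        # not 443, ignored
]

if __name__ == "__main__":
    for src, dst in flag_suspicious_443(SAMPLE_FLOWS):
        print(f"non-TLS traffic on 443: {src} -> {dst}")
```

A heuristic this simple produces false positives on legitimate non-TLS services that happen to sit on 443 (some VPNs, for instance), so it belongs in a triage pipeline rather than a block rule; its value is that it catches exactly the “looks like HTTPS at the port level but is not” case the McAfee analysis describes.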

53. January 19, Techworld – (International) Internet heading for ‘perfect storm’. Attacks on the cloud could cause major global outages, and service providers are now quietly worried about the potential for chaos, a survey of the sector has found. According to Arbor Networks’ latest annual Infrastructure Security Report (Volume 5), a survey of 132 large IP operators from across the world, 35 percent of respondents put this at the top of their worry list for the next year, ahead even of the traditional anxiety over botnets and DDoS. Evidence of attacks on the nascent cloud industry is thin on the ground compared to other sectors, but it is easy to see where the anxiety comes from. In principle, a single vulnerability in any of the software layers on which a cloud provider bases its services could compromise not just a single application but the whole virtualized cloud service and all its customers. Botnets came second at 21 percent, marginally ahead of ID and credential theft at 20 percent, with DNS cache poisoning, BGP route hijacking, system compromise and Internet worms all under the 10 percent mark. Perhaps the biggest challenge revealed by the survey is simply the sheer number of challenges that have arrived at once, what Arbor describes as a ‘perfect storm’ of problems. Source:

54. January 18, IDG News Service – (International) Google cyberattack probe includes employees. Google’s investigation of a cyberattack that rocked the company’s infrastructure in mid-December includes a probe of its staff in China, a source familiar with the investigation said on January 18. However, Google does not consider the attack an inside job, as 20 other companies were affected by similar intrusions originating from China, the source said. Source:

55. January 18, IDG News Service – (International) Gmail of foreign journalists in China hijacked. The Gmail accounts of foreign reporters in at least two news bureaus in Beijing have been hijacked, a journalists’ group in China said on January 18. The hijacked Gmail accounts used by the journalists in Beijing had been set to forward all e-mails to a stranger’s address, the Foreign Correspondents’ Club of China said in an e-mail to members. The group did not name the news organizations hit by the attack or say when the hijacking occurred. “We remind all members that journalists in China have been particular targets of hacker attacks in the last 2 years,” the group’s e-mail said. Last year the group said it had received reports that the news assistants of foreign reporters in China were being targeted by e-mailed viruses. Source:

56. January 15, Computerworld – (International) U.S. to lodge formal protest with China over alleged cyberattacks. The U.S. will lodge a formal protest with China over the nation’s alleged involvement in cyberattacks against Google. The U.S. Department of State will shortly issue an official demarche in Beijing expressing U.S. concerns over the attacks and demanding an explanation, a State Department spokesman was quoted as saying in a Reuters report. Google recently said that it had been the target of cyberattacks by agents who appeared to be working at the behest of the Chinese government. More than 30 other companies also appear to have been targeted in the same attacks, prompting widespread concern over state-sponsored cyberattacks originating from China. Source:

Communications Sector

57. January 19, WSAZ 3 Huntington, Charleston – (West Virginia) Phone outage fixed in Mason County; service restored. Phones are again working in Mason County, West Virginia, following an outage on January 19. That outage also knocked out calls to Mason 911 in Point Pleasant. A Verizon spokesperson says a problem with power equipment in the Point Pleasant switching office caused the service interruption around 3:30 a.m. on January 19. The spokesperson says the initial outage affected about 4,000 lines, including some wireless lines. Service was restored to everyone by around 11 a.m. During the outage, 911 calls were redirected to Jackson County, West Virginia, and then relayed back to Mason County 911. Source:

58. January 19, Phone+ – (International) AT&T mends mobile Facebook glitch. AT&T Inc. wireless customers logging into Facebook should no longer land on someone else’s page. That was happening over the weekend in what AT&T termed “a limited number of instances”: a server software glitch put some AT&T customers using their mobile devices into the wrong Facebook accounts. AT&T says it installed new security measures and had Facebook disable the subscriber identification information that let people log in automatically. The problems added another layer of concern over Facebook and privacy, on the mobile Web in particular. Until this weekend, however, no one had reported being able to access someone else’s page and view, let alone change, their private data. If such issues continue, AT&T, other wireless carriers and mobile users will be open to all kinds of security nightmares, and the number of people using Facebook Mobile does not stand to decrease. Source:

59. January 18, Television Broadcast – (California) Storms threaten access to Mt. Wilson. The raging wildfires of fall 2009 continue to make life difficult for the TV transmitter engineers in Los Angeles. The terrain denuded of vegetation is now vulnerable to mudslides from the driving rains hitting the West Coast. One of the heaviest storm systems in years, an effect of El Nino, is expected to dump several inches of rain across Southern California throughout the week. Mt. Wilson, where the transmitter facilities are located for TV stations serving Los Angeles, is in an area where 16 or more inches of rain is predicted. The main road in, the Angeles Crest Highway, was closed between Mt. Wilson and Mt. Islip as of Sunday evening, the Los Angeles Times said. The heaviest rains on Mt. Wilson are expected on January 18. Fire officials in the affected area are preparing rescue teams for flooding emergencies. Source:

60. January 18, Associated Press – (Alaska) Two more arrested for theft of MTA copper wire. Palmer, Alaska, police say two more men have been arrested in the theft of copper wire from Matanuska Telephone Association. A detective sergeant said a 40-year-old and 48-year-old were taken into custody when they arrived by ferry in Juneau. Source: