Department of Homeland Security Daily Open Source Infrastructure Report

Friday, February 12, 2010

Complete DHS Daily Report for February 12, 2010

Daily Report

Top Stories

 The Chicago Sun-Times reports that a 12-hour standoff at an oil recycling plant in the Chicago suburb of McCook ended Thursday morning with no injuries after the owner had barricaded himself inside the business following his attempted arrest by federal agents from Missouri for a weapons violation. More than 100 police officers and emergency personnel were on the scene during the incident. (See item 1)

1. February 11, Chicago Sun-Times – (Illinois) Barricade situation in McCook refinery over. A 12-hour standoff at an oil recycling plant in the Chicago suburb of McCook is over with no injuries after the owner had barricaded himself inside the business following his attempted arrest by federal agents from Missouri for a weapons violation. The man was taken into custody without resistance at 5:20 a.m. Thursday after SWAT officers forced their way in and stormed the building he was inside at Ortek, Inc., 7601 W. 47th St., according to the McCook Police chief. The man was not injured or armed. As of 6:45 a.m., agents were still searching the building. The fire chief said he probably will not face any charges filed by McCook police because he made no threats to anyone. The Illinois Environmental Protection Agency lists the man as the owner and operator for Ortek, Inc. Federal agents from Missouri were initially sent to the plant in McCook to arrest a man wanted on a federal warrant for a firearms violation, said a spokesman for the U.S. Bureau of Alcohol, Tobacco, Firearms and Explosives. “We’re using extreme caution because this man has a military background and has had a history of making anti-government remarks,” the Bureau spokesman said. “We don’t know for sure if he has any weapons with him, but he may be able to manufacture some weapons on the premises.” During the work week, the man lives in the garage — which is nowhere near the process area where oil is processed, the police chief said. A hazardous materials alarm that was initially called because of the nature of the materials inside was canceled at 8:30 p.m. Wednesday. The fire chief said the possibility was “very slim” for any type of explosion to occur. The company is an oil refinery plant that processes used oil and is open 24-hours. There were three employees who remained working inside the facility. More than 100 police officers and emergency personnel were on the scene during the incident. 
Source:,mccook-barricade-021010.article

 According to the Associated Press, an explosion in a transformer underneath a Manhattan sidewalk sent flames up the front of a landmark building Thursday, forcing the evacuation of 50 to 100 people. Businesses in the building include Radio Shack, Bally’s Total Fitness, and Papyrus. Firefighters had been out all night to deal with manhole fires because of runoff from snow and salt coming into contact with electrical grids below ground. (See item 50)

50. February 11, Associated Press – (New York) Transformer explosion shatters NY building windows. An explosion in a transformer underneath a Manhattan sidewalk sent flames up the front of a landmark building Thursday, shattering windows and blackening the front of several stories. No injuries were reported. A Consolidated Edison spokesman said the transformer was in a vault below the front of the seven-story building. An investigation was under way into the cause. The deputy fire chief said firefighters were initially called out for a report of smoke coming out of a manhole. He said firefighters had been out all night to deal with manhole fires because of runoff from snow and salt coming into contact with electrical grids below ground. An employee at an office furniture dealership on the sixth floor of the building on Sixth Avenue in the Chelsea district said she detected a sulfur odor as she approached the building at 10:30 a.m., but as she got to the entrance the smell faded and she went inside. Firefighters arrived at 10:44 a.m. to respond to the report of smoke and evacuated a Radio Shack store. Building workers were told via the public address system that there was a fire on the sidewalk but not to be alarmed. About 11:20, the explosion happened, with the fireball reaching three stories high. Another announcement instructed those in the building to evacuate using a back staircase. About 50 to 100 people were evacuated from the commercial building. It took firefighters an hour and 45 minutes to bring the blaze under control, but there was minimal damage to the building because it is fireproof. The front door of the Radio Shack store was blown out by the force of the explosion. Other businesses in the building include a Bally’s Total Fitness gym and a Papyrus stationery store. The building also houses the Apex Technical School on the opposite end from where the damage occurred. The building is part of the Ladies’ Mile Historic District. Source:


Banking and Finance Sector

11. February 11, SC Magazine – (International) PCI DSS regulations should not be written off as being unsuitable, as an understanding of the terms and options is often ignored. Credit card companies should be encouraged to work with smaller vendors when it comes to compliance, but it is too soon to write off PCI regulations. Following claims made on February 10 that the Payment Card Industry Data Security Standard (PCI DSS) is not suitable for small businesses, and that enforcement could cause a business to go under, the head of PCI at ProCheckUp Labs agreed with the principle that PCI DSS is by no means a ‘one-size fits all’ standard, but complaining about it will not get companies anywhere. Commenting on the claims that PCI could ‘cripple an organization’, the head of PCI at ProCheckUp Labs said that by simply getting away from the flashy devices that claim to solve ‘all your PCI DSS headaches in one box’, companies will find cost-effective solutions to meet the intent of the requirements. Source:

12. February 10, SC Magazine – (National) ID theft still on the rise, but victims respond faster. Incidents of identity fraud and the total cost of fraud once again climbed last year, but consumers are becoming better equipped to respond to the occurrences of theft, according to a report released on January 10 by Javelin Strategy & Research. The seventh annual “2010 Identity Fraud Survey Report,” which polled more than 5,000 U.S. consumers, concluded that the number of victims rose to 11.1 million adults in 2009, an increase of 12 percent. Meanwhile, the total annual fraud amount experienced by these victims jumped 12.5 percent to $54 billion. This is the second straight year that both of those statistics have risen. But there were some silver linings to be found. The study showed that the average fraud resolution time fell 30 percent to 21 hours, thanks to increased consumer awareness, as well as banks helping victims better respond to incidents through fraud detection and real-time alerts. And victims are more commonly filing police reports, which allowed the number of arrests and convictions of the culprits to double. Source:

Information Technology

40. February 11, The Register – (International) Aussie anti-censor attacks strafe gov websites. The Anonymous denial of service campaign against Australian government websites on February 10, in protest against mandatory net filtering plans, was a relatively modest affair, but still managed to disrupt access to the targeted websites. Arbor Networks, which markets security technology that helps service providers to mitigate DDoS attacks, reports that the peak size of the attack against Australian government websites was a relatively low 16.84 Mbps. By comparison, one in five service providers reported botnet-fueled attacks in the 1-4 Gbps range last year, with the worst attack hitting 49 Gbps, according to an annual review by Arbor. Operation Titstorm, launched on February 10, also involves a campaign of spam emails, junk faxes and prank phone calls along the lines of earlier attacks against the Church of Scientology, also spearheaded by the loose-knit Anonymous collective. The DDoS attacks on the Australian sites appear to be hand-cranked rather than launched through zombie networks of compromised machines. Even so, the ongoing attacks reportedly blocked access to the Australian government website,, and, the Australian parliament’s homepage, overnight as part of a protest against controversial plans to filter the Internet and block access to sites featuring extreme sexual content. Source:

41. February 11, Computerworld – (International) Windows patch cripples XP with blue screen, users claim. The February 9 security updates from Microsoft have crippled Windows XP PCs with the notorious Blue Screen of Death (BSOD), users have reported on the company’s support forum. Complaints began early on February 10, and gained momentum throughout the day. To regain control of their PCs, users were told to boot from their Windows XP installation disc, launch the Recovery Console and enter a series of commands. Unfortunately, that left netbook users out of luck, since most of the lightweight, inexpensive laptops lack an optical drive, and so cannot boot from an XP installation disc. Several users tentatively identified the MS10-015 update as the one which triggered the BSOD, and claimed that uninstalling that security fix — which was labeled as KB977165 — returned their PC to working condition. Source:

42. February 10, DarkReading – (International) ‘Aurora’ attacks still under way, investigators closing in on malware creators. The targeted attacks that hit Google, Adobe, and other U.S. organizations are still ongoing and have affected many more companies than the original 20 to 30 or so reported by Google and others. Security experts who have worked on forensics investigations and cleanup of the victim organizations from the attacks that originated out of China say they are also getting closer to identifying the author or authors of the malware used to breach Google and others. “The attack called Operation Aurora is larger than just [the attacks acknowledged at the] 30 companies. That attack is still in operation and is much larger,” says the founder and CEO of HBGary, which on February 10 published a report on Operation Aurora that recaps where things stand with the investigation. He and other forensics firms say they have no direct evidence implicating the Chinese government in the Aurora attacks, but that does not mean other investigators or officials have it and just are not sharing it publicly, he says. HBGary has found trails left behind in the Aurora code by its creators that are “very specific to the developer who compiled the malware,” he says, and it has Chinese language ties. HBGary has identified registry keys, IP addresses, suspicious runtime behavior, and other data about the Aurora malware and its origins using the firm’s latest analysis tool, the CEO says. Source:

43. February 10, Computerworld – (International) Simulated cyber-attack to test government response. Security industry analysts and lawmakers will get an unprecedented chance next week to evaluate how the government might respond to a cyber-attack on critical infrastructure targets. The Bipartisan Policy Center (BPC), a Washington-based non-profit established in 2007 by several lawmakers, will host a simulated nation-wide cyber-attack on February 16 for a group of former administration and national security officials, who will be playing the roles of Cabinet members. The goal of the simulation, called Cyber ShockWave, is to see how officials in key government positions would react to a real-time cyber-attack, and to evaluate the split-second decisions they may be required to take to deal with it, a BPC alert noted. Those playing the roles of various cabinet members include a former Department of Homeland Security secretary, the former Director of National Intelligence, the former White House Homeland Security advisor and the former White House press secretary. The participants, none of whom will have any advance information on the simulated attacks, will be expected to advise the President on the unfolding attacks and craft a response to them. Source:

44. February 9, ZDNet – (International) Reports: SQL injection attacks and malware led to most data breaches. With millions of personal records and payment card details stolen on a regular basis, several recently released reports independently confirm some of the main sources of breaches. Not surprisingly, those are not zero-day flaws, nor even insiders, but good old-fashioned SQL injection alongside malware infections. With companies investing more resources into ensuring their networks and employees are protected against the very latest threats, some are clearly overlooking the most basic threats, which usually require only simple or average attack sophistication on the part of the cybercriminal. Source:

Communications Sector

45. February 11, SC Magazine – (International) Attacks on phone calls step up as users assume voice calls to be the most secure vehicle for confidential information. Cyber criminals are now targeting confidential information that is being transmitted by voice calls. GSMK CryptoPhone warned that unencrypted voice calls and texts are under attack and called on network security providers to do more in the fight against malicious phone fraudsters by ensuring end-to-end security measures for clients. The CEO of GSMK CryptoPhone claimed that standard security measures cannot give customers the 360-degree protection they need, particularly when travelling abroad. This follows a recent discovery of a basic vulnerability that was found in 12 out of 15 voice encryption products. Using a readily available wiretapping utility and a homemade Trojan, a blogger, known as Notrax, was able to bypass encryption and eavesdrop by capturing conversations from the microphone and speaker in real-time. By suppressing any rings, notifications or call logs, these attacks go completely undetected, and while Trojans can be installed manually by someone with access to the phone, they could equally be delivered via email, SMS or a mobile application. Source:

46. February 11, WTOV 9 Wheeling – (West Virginia) Phone service knocked out in parts of Marshall, Wetzel counties. Phone service was out Wednesday in Marshall County and parts of Wetzel County, leaving residents unable to call 911. The problem as of noon was with the 686 exchange. People could call within the 686 exchange to another 686 number, but they could not call out of the exchange or call 911. Phone service was restored in Cameron as of 9:30 a.m. Thursday, officials said. Frontier crews were trying to fix the problem and officials in Marshall County were putting extra measures in place to keep people safe. Residents said they felt like they were trapped on an island and, with cable and power still out in some areas, they said it could not have come at a worse time. The Marshall County Emergency Management Agency director said he is not sure if the phone outage is a result of the power outage or if something may have cut a phone line. The National Guard is on its way in to help in the Hundred area of Wetzel County, where the problem may lie. Police are increasing patrols and encourage anyone who needs emergency help to try to flag them down. In the meantime, residents are urged to call Cameron police directly at 304-686-2213 instead of calling 911. “We still do have communication. It’s just going to be a little bit cumbersome,” said the Cameron Police chief. Officials said they were not sure when phone service would be restored. The emergency management director said people need to drive anywhere from five to 10 minutes to get in the cell phone service range. Source:

47. February 10, The Register – (New York) Webhost in five day server FAIL. New York-based webhost HostV — a division of Cirtex — is five days into a server node outage that has left customer websites completely inaccessible. A London-based Register reader said the outage has brought down 10 of his sites, and many others are complaining of downed sites in the HostV forums. The CEO of Cirtex told The Register that the outage has affected thirty to forty customers. Cirtex’s HostV division offers virtual private server (VPS) as well as dedicated server hosting. On February 2, with a Twitter post to a feed that provides server status updates, the company indicated that its VPS infrastructure was under attack. “We are experiencing some serious issues,” the post read. “It seems like some kind of attack on our servers. Several nodes are down at the moment.” Over the next 21 hours, regular Tweets alerted customers to failures and repairs of various server nodes. Then, at midday on February 4, the feed went silent. According to the last three Tweets, one server node was still down, and it seems the failure was related to RAID problems rather than some sort of server attack. The company’s last public post came on February 8. “As for an ETA on the restore, we don’t have one,” a company representative said. “However, it does look like it’s going to take a fair amount of time. More than 24 hours. Possibly more than 48 hours.” Source:

48. February 10, Roanoke Times – (Virginia) Outages hit Verizon Wireless customers. Some Verizon Wireless customers in the Roanoke and New River valleys experienced intermittent outages in cellphone service for several hours Tuesday morning. The outage was caused by a component that needed to be adjusted in the switch, which is the computer that routes signals and completes calls in a specific region, said Verizon representatives. The problem was resolved in the late morning. A representative did not know how many customers were affected by the outage. Source:

49. February 10, IDG News Service – (National) Google to build ultra high-speed networks in the U.S. In its continuing quest to speed up the Internet, Google has decided to build what it calls “ultra high-speed” broadband networks in some parts of the U.S., the company announced Wednesday. The fiber networks will deliver 1Gbps connections to homes at prices that will be “competitive,” the company said. The services would cover between 50,000 and 500,000 people. “Our goal is to experiment with new ways to help make Internet access better and faster for everyone,” wrote two Google product managers in a blog post. Google wants to help promote the creation of ultra high-speed networks because they are necessary for next-generation Internet services and applications that are bandwidth intensive in areas like education, health and entertainment. Google will offer its networks through what it calls an “open access” model, so that customers have access to multiple service providers. Source: