Department of Homeland Security Daily Open Source Infrastructure Report

Monday, April 5, 2010

Complete DHS Daily Report for April 5, 2010

Daily Report

Top Stories

 The San Diego Union-Tribune reported that just past midnight on April 1, the state’s grid operators asked San Diego Gas & Electric to cut power to 250,000 homes and businesses rather than risk an uncontrolled blackout that could spread up the Pacific coast. The reason is not exactly clear, but in general terms it came down to the fact that power plants in the region were not making enough electricity, and managers did not want to rely too much on power coming in from elsewhere.

3. April 2, Casper Star-Tribune – (Wyoming) Power outage leads to toxic spill at Newcastle refinery. Newcastle residents witnessed dramatic flares March 30 at Wyoming Refining Co.’s oil refinery located on the northwest edge of town by the high school. On March 30, there were two separate power outages and two subsequent flaring events at the refinery, according to the Wyoming Department of Environmental Quality (DEQ). The first occurred from 1:30 to 3 p.m. and the second occurred from 7 to 11:45 p.m. “We’re used to flares because every time there’s a power outage there’s a flare. It’s not usually horrible,” a resident said. “This time, however, it was really dramatic. Bigger than most of us have seen before.” DEQ officials said the refinery reported no injuries related to the incidents, and there was no evacuation of the refinery. Some residents also reported a ground fire at the refinery on Tuesday. But DEQ officials said it was not yet clear whether there was a fire. Wyoming Refining Co. officials did not immediately return calls to the Star-Tribune on April 1. DEQ will perform its own follow-up investigation of the toxic releases at the Newcastle refinery this week. Source:

 WKYC 3 Cleveland reported that the FBI announced the arrest of eight men on April 2, charging them with using other people’s credit card information to buy as much as a million dollars in merchandise from Northeast Ohio stores. See item 16 below in the Banking and Finance Sector.


Banking and Finance Sector

14. April 2, WESH 2 Orlando – (Florida) Ocoee Publix employees find skimmer on ATM. Employees at one Orange County Publix said they found a skimming device on the store’s ATM. Police were called to the store on South Maguire Road in Ocoee April 1. The device steals data from users who put a card into the machine. Police said it’s not known how long the skimmer was there. Anyone who has used the machine is advised to call their bank. Source:

15. April 2, Associated Press – (Pennsylvania) Pa. investment manager charged in Ponzi scheme. A suburban Philadelphia financier is facing charges that he bilked investors out of millions of dollars in a Ponzi scheme. Federal prosecutors on April 1 charged a 38-year-old suspect with diverting $26 million for his personal use at the investment advisory business he ran in Kennett Square, about 30 miles west of Philadelphia. Investigators say the suspect used the money to finance a lavish lifestyle that included homes in Florida and Maine, a horse farm in Pennsylvania and a personal chef. Authorities say the suspect generated false financial statements for his clients and paid out bogus earnings using money coming in from new customers. Source:

16. April 2, WKYC 3 Cleveland – (Ohio) FBI: Million-dollar credit card fraud ring busted in Cleveland. The FBI announced the arrest of eight men, charged with using other people’s credit card information to buy as much as a million dollars in merchandise from Northeast Ohio stores. “These are stores that we all frequently visit with store credit cards that many of us carry in our wallets,” said the special agent in charge of the Cleveland division of the FBI. He named Lowe’s, Home Depot, Staples, Best Buy, hhgregg, Macy’s, Nordstrom, Saks Fifth Avenue, and Sears as among the local stores victimized. In the scheme, the FBI says an inmate at a federal prison in Fort Dix, New Jersey, used a cell phone to access and alter existing credit card accounts. They say he fraudulently added new users to other people’s accounts, and that the new users would make big-ticket purchases at Northeast Ohio stores. The FBI says the prisoner was persistent in calling customer service departments until he was successful in gaining access to someone else’s personal or business account. He would then modify the account and make one of the Cleveland men authorized users. At times he would use bits and pieces of public information, and use either guesswork or persistence, to finally gain access to the credit card accounts, according to the FBI. Source:

17. April 1, Associated Press – (South Dakota) Scam artists using census to try and get bank account, Social Security numbers. South Dakotans are being cautioned about a scam circulating under the guise of a 2010 census form. The state attorney general’s office says official-looking requests for financial information are not part of the census. Scam artists have sending letters and e-mails and even showing up at homes seeking Social Security numbers and information about bank accounts. The attorney general’s office says the census does not ask for that information, and residents should not give it out.


18. April 1, Sheboygan Press – (Wisconsin) National Exchange Bank in Elkhart Lake robbed; robber locked tellers in vault, made off with between $10,000 and $100,000. A gun-wielding bank robber made off with more than $10,000 on April 1 after locking the employees of a downtown bank in a vault, said the Elkhart Lake police chief. In a heist the FBI says is similar to a Cedarburg bank robbery in the summer 2009, the carefully disguised robber left behind a suspicious package with flashing lights that was eventually detonated inside the bank by the Milwaukee County Bomb Squad. The police chief said the man entered National Exchange Bank & Trust at 8:35 a.m. — five minutes after it opened — and displayed a gun to the three tellers inside. The suspect refused money that was offered from a teller station. “He eventually took the three tellers into the vault and got a large sum of money, locked them inside a gated portion of the vault,” the police chief said. The robber left a suspicious box near the vault and told tellers they would receive an electrical shock if they left before the box’s lights turned to a solid color, but the tellers quickly exited using a key one of them had. They walked out to find their manager had unknowingly arrived in the middle of the heist. Source:

19. April 1, WPTV 5 West Palm Beach – (Florida) 2nd suspicious package at bank. The Palm Beach County Sheriff’s Office returned to a Chase bank at 328 Northlake Boulevard after a second suspicious package was found in the afternoon of April 1. In the morning of April 1, the bank was evacuated as a precaution. The Palm Beach County Bomb Squad and fire rescue set up a staging area in a nearby Publix shopping center. The investigation started when a box with wires sticking out of it was found at the bank. The package was later destroyed and those evacuated were allowed to return. A second suspicious package turned up in the after afternoon around 4 p.m. West Palm Beach Police had received a bomb threat at a Chase bank on March 31 but no location was given. Source:

Information Technology

39. April 2, Help Net Security – (International) Botnets drive the rise of ransomware. Ransomware is the dominating threat with nine of the detections in the malware top ten list resulting in either scareware or ransomware infesting the victim’s PC. Fortinet observed the primary drivers behind these threats to be two of the most notorious botnet “loaders” - Bredolab and Pushdo. Another important finding is the aggressive entrance of a new zero-day threat in FortiGuard’s top ten attack list, MS.IE.Userdata.Behavior.Code.Execution, which accounted for 25 percent of the detected activity last month. Key threat activities for the month of March include: SMS-based ransomware high activity, botnets, and zero day attacks. A new ransomware threat, DigiPog, is an SMS blocker using Russian language, locking out a system and aggressively killing off popular applications like Internet Explorer and FireFox until an appropriate code is entered into a field provided to the user. Sasfis, another botnet loader, moved up eight positions in our Top 100 attack list from last month, landing just behind Gumblar and Conficker network activity in the fifth position. Sasfis is just the latest example of simplified botnets, which are used heavily for malicious business services (crime as a service). A new zero-day threat aggressively entered FortiGuard’s top ten attack list: MS.IE.Userdata.Behavior.Code.Execution - this exploit triggers a vulnerability in Internet Explorer, making remote code execution through a drive-by download (no user interaction required) possible. Source:

40. April 1, IDG News Service – (National) DHS studying global response to Conficker botnet. One year after the Conficker botnet was front-page news around the world, the U.S. Department of Homeland Security is preparing a report looking at the worldwide effort to keep it in check. The report, to be published within the month of April, shows how an ad hoc group of security researchers and Internet infrastructure providers banded together into an organization they called the Conficker Working Group. Its goal was to address what was at the time the world’s most serious cyberthreat. “We said, ‘This was a very good example of the private sector, globally, working together to try to solve a cybersecurity attack, so let’s fund the creation of a lessons-learned report to just document what worked, what didn’t work,’“ said a program manager with the Department of Homeland Security’s Science & Technology Directorate. The report could provide a template for future cyber-responses, security experts say. Source:

41. April 1, eWeek – (International) Adobe discusses PDF attack as Foxit adds warning. Foxit Software says it plans to add a warning to protect users from a new attack vector involving PDF files that can affect users without exploiting a software vulnerability. Adobe, which already has a warning built in, says the issue is being discussed. Foxit Software plans to follow Adobe Systems’ lead and add a dialog box giving users a heads-up about a new attack tactic involving malicious PDF files. The security issue was uncovered by an IT security consultant with Contraste Europe, who discovered a way to get PDF viewers such as Adobe Reader and Foxit Reader to execute embedded executables using a launch action triggered when the PDF file is opened. In Adobe Reader, the situation is mitigated by a warning that pops up and forces the user to click open before the executable is run. However, Foxit currently allows the embedded executable to run without either a warning or user interaction. Source:

42. April 1, Network World – (International) Protecting network endpoints is getting complicated. Users say protecting network endpoints is becoming more difficult as the type of endpoint devices — desktops, laptops, smartphones — grows, making security a complex moving target. The problem is compounded by the range of what groups within corporations do on these devices, which translates into different levels of protection for classes of users on myriad devices. Deciding the appropriate device defense becomes the No. 1 job of endpoint security specialists, says the CISO of Carolina Advanced Digital consultancy. Depending on the device and the user’s role, endpoints need to be locked down to a greater or lesser degree. Source:

43. April 1, Associated Press – (International) Google: Online attacks aimed at Vietnam’s critics. Google Inc. accused Vietnam on March 31 of stifling political dissent with cyberattacks, the latest complaint by the Internet giant against a communist regime following a public dispute with China over online censorship. Like China, Vietnam tightly controls the flow of information and has said it reserves the right to take “appropriate action” against Web sites it deems harmful to national security. The cyberattacks targeted “potentially tens of thousands,” a posting on Google’s online security blog said. It said it was drawing attention to the Vietnam attacks because they underscored the need for the international community “to take cybersecurity seriously to help keep free opinion flowing.” Google apparently stumbled onto a scheme targeting Vietnamese-speaking Internet users around the world while investigating the surveillance of e-mail accounts belonging to Chinese human rights activists, one analyst suggested. Source:

44. April 1, Infosecurity – (International) eBay comes under attack, says Red Condor. In an advisory published on April 1, Red Condor said that a phishing mail sent by scammers reporting an eBay security alert differs from conventional phishing emails. This one tells victims that they must download a Security Shield program, which is in fact a Trojan that harvests their passwords and presumably carries out other malicious activities on their machines. Traditionally, phishing email relies on victims entering information about their accounts on spoof websites designed to look like the targeted company’s genuine site. However, this mail directs victims to a web page containing a Download Now button to download software that directly compromises their machine. This constitutes a blended threat, according to Red Condor. It is similar in concept to a recent attack carried out on Facebook users, that asked them to download a piece of software that would help them to reset their password. However, this phishing attack differs in that it uses a compromised server within eBay’s domain to host the software download button, Red Condor said. Source:

45. March 30, Assocaited Press – (National) US govt effort against ID theft said to fall short. An internal review has found that the Justice Department has not done enough to fight identity theft, the fastest-growing crime in the country. The Justice Department inspector general says in a report that the department is falling short in efforts to combat identity theft, and that the issue has faded as a priority over the past two years. Federal authorities reported last year that identity theft affects an estimated 10 million Americans annually. A Justice Department spokeswoman says the agency agrees with the inspector general’s recommendations to improve coordination among law enforcement offices, and is implementing them. Source:

Communications Sector

Nothing to report.