Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, March 18, 2009


Daily Report


• The Associated Press reports that a section of Colorado 139 in Grand Junction has reopened after a semitrailer hauling coal collided with a pickup carrying hydrochloric acid on Monday. Hazardous materials teams contained up to 600 gallons of hydrochloric acid. (See item 4)

4. March 17, Associated Press – (Colorado) Highway reopens after coal truck hits pickup. A section of Colorado 139 has reopened on the Western Slope after a two-vehicle accident that left one person dead. A Grand Junction Fire Department spokesman says the highway reopened at Douglas Pass at about 11:30 p.m. Monday after being closed for some 15 hours. The closure came after a semitrailer hauling coal collided with a pickup carrying hydrochloric acid at 8:45 a.m. Monday, about 18 miles north of Loma. Family members say the man who was driving the coal truck died in the crash. Hazardous materials teams from the Grand Junction and Lower Valley Fire Department worked with the Colorado Department of Transportation to contain up to 600 gallons of hydrochloric acid. The cause of the crash is under investigation. Source:

• According to the Gary Post-Tribune, a levee along the Yellow River in Starke County, Indiana burst over the weekend, flooding nearly 9,000 acres of farm fields. (See item 39)

39. March 17, Gary Post-Tribune – (Indiana) Levee bursts sending river across counties. A levee along the Yellow River in Starke County burst over the weekend of March 14 and 15, flooding nearly 9,000 acres of farm fields. Rushing waters overtopped a bridge south of the intersection of Indiana 8 and Indiana 39 and washed out part of the road, according to the Indiana Department of Transportation (INDOT). The water is already receding, but a North Judson farmer who is helping plug the levee said it could be three to four days before that job is complete. Officials are not certain when the levee broke, but farmland — mostly south of Indiana 8 and west of Indiana 39 — began filling with water early Sunday. Local police agencies began closing roads in the area. Monday morning, moving water washed out dirt under the pavement on Indiana 39. “It caved in,” said an Indiana state trooper, who was turning around travelers south of the collapsed road. He pointed to a portion of the blacktop at the County Road 50N and Indiana 39 intersection. As a result, the highway is closed south of Indiana 8. An INDOT spokesperson said sand and large rocks will be brought in to shore up the road, but they will not know the full extent of the damage until the waters recede. It will be tested before it is reopened to drivers. The Department of Natural Resources and INDOT have been jointly working to repair the levee. Source:,flood.article


Banking and Finance Sector

10. March 17, Bloomberg – (National) AIG may have to reveal more pay data, faces subpoena. American International Group Inc., the U.S. insurer that has been bailed out four times by taxpayers, may have to reveal more details of $165 million in bonus payouts after criticism by the U.S. President and the New York Attorney General. The U.S. President on March 16 called the bonus payments an “outrage” and demanded AIG rescind or repay them. The New York Attorney General said he would subpoena the insurer that got a $173 billion taxpayer bailout. AIG has faced pressure to disclose more about its operations since the United States took a stake of almost 80 percent last year. AIG has named at least 20 banks that received money to avoid losses after buying credit-default swaps from the insurer. The derivatives almost bankrupted AIG, and the bonuses the U.S. President cited went to employees who created or sold them, transactions that helped trigger the global credit crisis. Source:

March 17, Barre Times-Argus – (Vermont) State police warn of potential phone scam. Vermont State Police in Middlesex received multiple reports from Washington and Orange County residents on March 14 that they had received calls in reference to fraudulent use of their credit cards. Residents reported receiving calls from an automated messaging system claiming someone had gained access to credit card account information. In order to cancel the account, the caller asked the residents to provide credit account information. Residents reported receiving calls in reference to accounts with various financial institutions and credit accounts with Central Vermont Hospital Credit Union. Police said they spoke with Central Vermont Hospital personnel, who reported receiving multiple calls about the apparent scam but said to their knowledge no one from the business office was making the calls. Vermont State Police are reminding residents to never provide personal information over the phone or online without first confirming the source. Legitimate financial/business institutions will never claim fraudulent charges on an account and then ask you to verify the same account information that they are calling on and for Personal Identification Numbers. Source:

11. March 16, WAVE 3 Louisville – (Indiana) Phishing scam targets Southern Indiana bank. First Harrison Bank is one of the latest targets in a telephone phishing scam. Since March 14, concerned customers and non-customers alike have flooded the lines after getting a strange call about their bank card. “Today we probably had 500 phone calls in the first two hours,” said the First Harrison Bank chief executive. “A lot of non-customers have been calling our bank saying, ‘I do not even bank with you, why would I get this phone call?’” The chief executive said bank officials are not sure how scammers accessed the phone numbers, but they are “confident that they did not get into our systems to access numbers.” That is because most inquiries are coming from people who are not even customers with First Harrison Bank at all. Some callers reported speaking to a person over the phone, while others heard a voice recording. The message said, “We are representing First Harrison Bank and your card has been canceled. To reactivate we will need the card number, pin number and the expiration date” to reset. The chief executive said the criminals mask their numbers, so when customers call back they get an unrelated business, not the bank. First Harrison has traced the calls to Spain and stopped all transactions there along with Italy and three other countries. They have taken additional steps to keep criminals from cashing in. Source:

Information Technology

32. March 17, USA Today – (International) Website-infecting SQL injection attacks hit 450,000 a day. Cybercriminals are spreading invisible infections far and wide across the Internet by hammering hundreds of thousands of Web sites each day with so-called SQL injection attacks. The trend started last summer and has continued to accelerate. IBM Internet Security Systems says it identified 50 percent more infected Web pages in the last three months of 2008 than it did in all of 2007. Click on one and an individual would not notice anything. But the PC gets turned into an obedient “bot,” short for robot, deployed to attack other computers. All sensitive data get stolen. SQL attacks take aim at the database layer of Web sites. They typically were manual attacks designed to pilfer customer data from merchant Web sites. But in June 2008, someone figured out how to automate the attacks and use them to plant infections. “It was a brilliant tactical move. You sit back and wait for someone to visit the site, and soon you infect thousands of PCs,” said Breach Security’s director of research. An infected PC thereafter gets put to work delivering spam and spreading more infections. And any sensitive data, such as log-ons and account numbers, get stolen. Source:

33. March 17, IDG News Service – (International) Browser add-on locks out targeted advertising. A Harvard University fellow has developed a browser extension that stops advertising networks from tracking a person’s surfing habits, such as search queries and content they view on the Web. The extension, called Targeted Advertising Cookie Opt-Out (TACO), enables its users to opt out of 27 advertising networks that are employing behavioral advertising systems, wrote the individual who developed it, on his Web site. The individual, a fellow at the Berkman Center for Internet and Society at Harvard and a doctoral candidate at Indiana University, modified a browser extension Google released under an Apache 2 open-source license. Google’s opt-out plugin for Internet Explorer and Firefox blocks cookies delivered by its Doubleclick advertising network. A cookie is a small data file stored in a browser that can track a variety of information, such as Web sites visited and search queries, and transmit that information back to the entity that placed the cookie in the browser. Google’s opt-out plugin comes as the company announced plans last week to target advertisements based on the sites people visit. Targeted advertising is seen as a way for advertisers to more precisely find potential customers as well as for Web site publishers to charge higher advertising rates. Source:

34. March 16, Computerworld – (International) Microsoft patch leaves users vulnerable, says nCircle researcher. One of the patches Microsoft Corp. issued last week is nothing of the sort, according to a researcher who, on March 16, accused Microsoft of making functionality a higher priority than security. According to a senior security engineer at nCircle Network Security Inc., the MS09-008 update, which was released on March 10, does not fix the problem for all users, many of whom may not realize that they are still vulnerable to attack. “When you get a patch from a vendor, you expect it to provide some level of security,” said the engineer. “But MS09-008 only mitigates the problem, it does not patch it.” MS09-008, one of three security updates released March 10, addressed four separate flaws in Windows’ DNS and WINS servers, and required that network administrators patch all currently supported server editions of Windows, including Windows 2000 Server, Server 2003 and Server 2008. The engineer has taken exception to the part of the update that addresses a vulnerability in the WPAD (Web Proxy Auto-Discovery) functionality of Windows DNS Server. “WPAD is a way to automatically configure proxy servers on machines,” he explained. “When the browser, like Internet Explorer, is configured to ‘Automatically Detect Settings,’ it will look for and attempt to resolve and pull down a configuration file. But if an attacker can manipulate the WPAD entry, all the traffic from those machines will go through his server. That would let him run ‘man-in-the-middle’ attacks to steal passwords or any other information.” Source:

35. March 16, CNET News – (International) Scammers customize news to deliver you malware. Security experts warned on March 16 of a new insidious e-mail scam that features false information about a bomb explosion in the recipient’s hometown and leads to a malicious Web site. The subject lines include “Take Care!” and “Are you and your friends in good health?” The e-mail includes a link to what looks like a news article on a Reuters page about the bombing. But the Web page and the news are fake, according to e-mail security provider Marshal and antivirus firm Sophos. The scammers are using IP address geolocation techniques to figure out what city the recipient lives in and are localizing the fake bomb news to that location. Meanwhile, clicking on the fake Reuters video page leads to malicious Waledac code being downloaded on the computer, the security firms said. Source:

Communications Sector

36. March 16, CNET News – (National) Comcast passwords leaked onto the Web. A list of thousands of user names and passwords for Comcast customers was removed from document sharing Web site Scribd on March 16, two months after it was posted there. Scribd removed the list of more than 8,000 passwords and user names after being contacted by a journalist at the New York Times. The journalist wrote that he was contacted by a Comcast customer who happened across the list after doing a search on his own e-mail address on search engine Pipl. A Comcast spokeswoman told the New York Times that the list was probably compiled from phishing or some other related type of attack and not from inside Comcast. Comcast is freezing the e-mail accounts of customers whose data was exposed and is contacting them, she said. Half of the items are duplicates, so only about 4,000 customers had information exposed, according to Comcast. Source:
