Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, March 12, 2009

Complete DHS Daily Report for March 12, 2009

Daily Report


 Reuters reports that Marathon Oil Corp. confirmed that a crude pipeline supplying its Garyville, Louisiana refinery had been shut following a blast on Tuesday that killed one worker and injured three others. (See item 1)

1. March 11, Reuters – (Louisiana) Marathon La. pipeline shut after deadly blast. Marathon Oil Corp. on March 11 confirmed that a crude pipeline supplying its Garyville, Louisiana refinery had been shut following a March 10 blast that killed one worker and injured three others. The company has enough crude oil in inventory to keep the 256,000 barrel per day (bpd) refinery running, a company spokeswoman told Reuters. “The St. James to Garyville pipeline is currently shut,” a Marathon spokeswoman said. “We’re working to get it restarted. Garyville has crude on hand and continues to operate.” Late on March 10, Louisiana State Police said the pipeline had been temporarily shut after the late-morning explosion. The four men were working as part of Marathon’s project to expand Garyville’s refining capacity by 180,000 bpd. State Police and St. James Parish representatives said the men were welding on a pipe connected to a sump tank when the blast rocked Marathon’s St. James pipeline facility located 56 miles west of New Orleans. Source:

 According to the Los Angeles Times, the FBI is investigating the Saturday firebombing of a vehicle owned by a UCLA neuroscientist who was targeted by an anti-animal research group for using primates in his study. (See item 26)

26. March 10, Los Angeles Times – (California) FBI investigates firebombing of UCLA researcher’s car. The FBI is looking into the firebombing of a vehicle owned by a UCLA neuroscientist who was targeted by an anti-animal research group for using primates in his study of psychiatric disorders. The March 7 incident involving a homemade incendiary device took place outside the faculty member’s home and caused no injuries, according to an FBI spokeswoman. The UCLA professor, who researches treatments for schizophrenia, drug addiction and other disorders, was not identified. The FBI spokeswoman said the investigation of the March 7 incident will be conducted by a Joint Terrorism Task Force that includes the FBI, the LAPD, the Los Angeles Fire Department, the UCLA Police Department and the Bureau of Alcohol, Tobacco, Firearms and Explosives. The Animal Liberation Front posted a message on its Web site on March 9 from a group that claimed responsibility for the firebombing. UCLA is offering a $25,000 reward for information leading to the arrest and conviction of anyone involved in the incident. Source:,0,6615727.story


Banking and Finance Sector

10. March 10, KBTX 3 Bryan/College Station – (Texas) Phishing scams flood the Brazos Valley. Phishing scams continue to plague the Brazos Valley with con artists hoping to reel in a big one. Phishing is the illegal attempt to defraud you out of your personal information. News 3 has received numerous emails and calls from viewers targeted by these frauds over the past few days. Many claim to represent Brazos Valley Schools Credit Union, but others say they are from credit cards or other financial institutions. The typical scenario starts with a phone call, often late at night, or an email or text message from someone claiming to represent a bank, credit union or credit card issuer. The message says there is a problem with your credit, debit or ATM card. Often they say someone is trying to illegally access it. The final step is to direct you to divulge credit card or bank account numbers so they can protect or reactivate your account. Source:

Information Technology

28. March 11, SmartHouse – (International) Beware of new Kido malware threat. Software security specialist Kaspersky Lab says it has detected a new modification of the Kido malware threat (Kido is Kaspersky’s name for the worm more widely tracked as Conficker). This latest variant differs from previous ones in that it extends the Trojan functionality used in earlier versions of the malicious program. Net-Worm.Win32.Kido.ip, and other variants are all representative of this latest modification of Kido, which is capable of preventing antivirus products from functioning effectively on infected machines. The new variant of the malicious program also generates a dramatically increased number of unique domain names which it can contact to download daily updates: 50,000 per day, in contrast to the 250 generated and contacted by previous versions. The practical effect is on the defenders: blocking or pre-registering 250 domains a day is feasible, while 50,000 a day is not. “So far, the new version of Kido is not posing an epidemic threat,” said a senior antivirus expert. “However, if existing versions of Kido are replaced by the latest variant, this could make life a lot more difficult for those trying to combat the authors of this malicious program.” The Kido worm has Trojan Downloader functionality, which means that it delivers other malicious programs to infected computers. The first Kido infections were detected in November 2008. A record for new Kido variants was added to Kaspersky Lab antivirus databases on March 7. Source:
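The item above describes the worm generating a date-dependent set of candidate update domains. The following is an added illustration written for this report, not Kaspersky’s analysis and not Kido’s real generator: the hashing scheme, the TLD pool, the log format and all domain names are assumptions constructed here. It shows why the jump from 250 to 50,000 domains per day matters to a defender who wants to pre-compute the day’s candidate set, sinkhole it, or flag DNS queries against it.

```python
"""Hypothetical date-seeded domain generation (DGA) and the defender-side
checks it forces. NOT the Kido/Conficker algorithm; an assumed stand-in."""
import datetime as dt
import hashlib

# Assumed TLD pool for the illustration; the real worm's list is not on the page.
TLDS = ("com", "net", "org", "info", "biz")


def daily_domains(day: dt.date, count: int) -> list:
    """Deterministically derive `count` domains from the calendar date.

    Anyone who knows the algorithm (the worm and the defender alike) can
    compute the same list in advance; that is what makes sinkholing possible
    and what makes 50,000/day so much costlier to block than 250/day.
    """
    seed = day.isoformat().encode()
    domains = []
    for i in range(count):
        raw = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        label_len = 8 + raw[0] % 5                      # 8..12 character labels
        label = "".join(chr(ord("a") + b % 26) for b in raw[1:1 + label_len])
        tld = TLDS[raw[31] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def is_candidate(domain: str, day: dt.date, count: int) -> bool:
    """Membership test for a single name against that day's set."""
    return domain.lower().rstrip(".") in set(daily_domains(day, count))


def sinkhole_plan(start: dt.date, days: int, count: int) -> set:
    """Names a defender would have to register or blocklist ahead of time.

    The size grows linearly in `count`, which is the whole point of the
    250 -> 50,000 change reported above.
    """
    plan = set()
    for offset in range(days):
        plan.update(daily_domains(start + dt.timedelta(days=offset), count))
    return plan


def flag_queries(log_lines, day: dt.date, count: int) -> list:
    """Return (host, domain) pairs whose queried name is in the day's set.

    Log format is constructed for this example: '<timestamp> <host> query <name>'.
    """
    candidates = set(daily_domains(day, count))
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query":
            continue  # malformed or unrelated line
        if parts[3].lower().rstrip(".") in candidates:
            hits.append((parts[1], parts[3]))
    return hits


SAMPLE_DAY = dt.date(2009, 3, 11)  # the report date; only used as a seed

if __name__ == "__main__":
    old = daily_domains(SAMPLE_DAY, 250)
    new = daily_domains(SAMPLE_DAY, 50000)
    print(f"old variant: {len(old)} names/day, new variant: {len(new)} names/day")
    print("one week of sinkholing, new variant:", len(sinkhole_plan(SAMPLE_DAY, 7, 50000)))
    # Constructed DNS log: one benign query and two that match the day's set.
    log = [
        f"2009-03-11T10:02:11 ws-17 query {old[3]}",
        "2009-03-11T10:02:12 ws-17 query example.com",
        f"2009-03-11T10:02:13 ws-42 query {old[9]}.",
    ]
    for host, name in flag_queries(log, SAMPLE_DAY, 250):
        print("possible Kido beacon:", host, name)
```

The membership check is cheap once the day’s set exists; the cost that scales is generating, registering, or distributing 50,000 names per day to every resolver and sinkhole operator, which is the operational problem the Kaspersky quote alludes to.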

29. March 11, Enterprise Security – (International) Critical kernel fix stars in Patch Tuesday updates. Microsoft released the promised three patches on March 10, including one critical, as part of its regular Patch Tuesday update cycle. The critical patch in the batch covers input validation vulnerabilities in the Windows kernel. The flaws create a possible mechanism for hackers to inject hostile code onto vulnerable systems, although there are no known exploits. The two other updates released on March 10, both rated as “important,” cover vulnerabilities in Microsoft’s implementation of Secure Channel and a DNS spoofing risk, respectively. Probably more important than any of the three updates is the absence of a fix for an unpatched Excel vulnerability, which has been the target of hacking attacks over recent weeks. Source:

30. March 10, IDG News Service – (International) Bad Symantec update leads to trouble. Symantec says a buggy diagnostic program spurred a rash of Norton antivirus user complaints on March 9 and 10. Problems started around 4:30 p.m. Pacific Time on March 9, when Norton Internet Security and Norton Antivirus 2006 and 2007 users started receiving error messages connected to a Symantec software update that tried to download a program called PIFTS.exe. “In a case of human error, the patch was released by Symantec ‘unsigned,’ which caused the firewall user prompt for this file to access the Internet,” wrote a Symantec spokesman in a forum post explaining the problem. Users reported that Norton’s own firewall software was popping up error messages asking them if they wanted to install the PIFTS.exe file. Norton’s firewall would have let it pass, had it been digitally signed. The update was available for about three hours and was pushed out to a small, “limited number” of Norton users, said a group product manager of consumer products with Symantec. PIFTS (Product Information Framework Troubleshooter) is a diagnostic program that Symantec periodically sends out to users to anonymously collect information such as the operating system and version number of the product being used in order to get a snapshot of its user base. The troublesome, unsigned PIFTS.exe file is no longer being distributed, but it never represented any kind of security threat, the group product manager said. “If a user would have accepted it they should have been fine, and if they declined it they should have been fine.” Source:

31. March 10, IDG News Service – (International) Gmail down; outage could last 36 hours for some. Google Inc.’s Gmail e-mail service is down for an undetermined number of users, and while the outage has been partially fixed, some people could be locked out of their accounts for many more hours. Google said that it could take between 24 and 36 hours to restore all affected accounts. A Google spokesman characterized the problem as “a minor issue” that struck at 5 a.m. Within 30 minutes, the service had been restored for “nearly all affected users,” he said via e-mail at 4:30 p.m. on March 10. “We are working to fix the issue for the few users still affected. We know how important e-mail is to our users, so we take issues like this very seriously and apologize for the inconvenience,” he said. The issue, which at its peak affected “a small subset of users,” prevents people from accessing their accounts. About two weeks ago, Gmail suffered a major outage that affected many users worldwide and lasted for two and a half hours. The outages affect all types of people, from casual users, who use Gmail for personal communications, to those who rely on it for their work e-mail as part of the Google Apps hosted collaboration and communication suite. That is because Google serves all of its Gmail users from the same data center infrastructure, including Apps Premier users, who pay for their service and are covered by a 99.9 percent uptime commitment. Source:

32. March 10, PCWorld – (International) Device fingerprinting aims to stop online fraud. Device ID, the practice of fingerprinting the means by which an account is accessed, is seen as a growth security industry in 2009. The market for Device ID is currently dominated by financial institutions aiming to curb ID fraud and credit card account theft, but the chief executive of Threatmetrix said he sees social networking as an emerging growth space as well. He also said there is a market for retail sites both in affiliate programs and in processing Card Not Present purchases online. Threatmetrix, which is sold as a SaaS solution, performs a deep inspection of the client’s TCP/IP traffic so that when someone logs into a bank online, over 150 parameters are inspected in real time. Among these are use of a proxy, connection from a known compromised PC, and having JavaScript or cookies turned off. Threatmetrix scores these and delivers that final score to the enterprise customer. New in this version are tools to determine whether a single computer is concurrently logging into several different account names, or one username is being logged in from multiple PCs, activity that can indicate a botnet. Additionally, the service looks at how fast a given account is accessed (humans can react only so fast). In most cases the abnormalities are fraud scenarios. Threatmetrix knows of about 200 million compromised machines worldwide, but the chief executive said his company only keeps an active database of about 12 million. Source:
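The item above lists the kinds of signals a device-ID service scores: proxy use, scripting or cookies disabled, one device touching many accounts, one account touched by many devices, and access faster than a human could manage. The following is an added, self-contained illustration of how such signals combine into a per-login risk score; it is not Threatmetrix’s product or algorithm, and the event format, rule weights, window and threshold are all assumptions chosen for the example. The login events are constructed.

```python
"""Toy login risk scorer over a stream of (constructed) authentication events.
Rule weights, window and threshold are ASSUMED; they are not any vendor's."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Login:
    ts: str        # ISO-8601 timestamp
    account: str   # username being logged into
    device: str    # device fingerprint (opaque id in this example)
    proxy: bool    # connection arrives through a known proxy
    js: bool       # client had JavaScript enabled

    @property
    def t(self) -> datetime:
        return datetime.fromisoformat(self.ts)


WINDOW = timedelta(minutes=10)      # lookback for velocity rules (assumed)
TOO_FAST = timedelta(seconds=5)     # faster than a human re-login (assumed)
THRESHOLD = 50                      # score at which a login is flagged (assumed)


def score_login(current: Login, history: list) -> tuple:
    """Score one login against the events that preceded it within WINDOW.

    Returns (score, reasons). Only prior events are consulted, so the function
    can run in streaming fashion as each login arrives.
    """
    recent = [h for h in history if timedelta(0) <= current.t - h.t <= WINDOW]
    score, reasons = 0, []

    if current.proxy:                       # static signal from the connection
        score += 20; reasons.append("proxy")
    if not current.js:                      # client disabled scripting
        score += 15; reasons.append("no-js")

    # One device fanning out across many accounts: credential-stuffing pattern.
    accounts_on_device = {h.account for h in recent if h.device == current.device}
    accounts_on_device.add(current.account)
    if len(accounts_on_device) >= 3:
        score += 40; reasons.append("device-many-accounts")

    # One account accessed from many devices: possibly a botnet replaying it.
    devices_for_account = {h.device for h in recent if h.account == current.account}
    devices_for_account.add(current.device)
    if len(devices_for_account) >= 3:
        score += 40; reasons.append("account-many-devices")

    # Re-login faster than a person could manage.
    prior = [h.t for h in recent if h.account == current.account]
    if prior and current.t - max(prior) < TOO_FAST:
        score += 25; reasons.append("too-fast")

    return score, reasons


def score_events(events: list, threshold: int = THRESHOLD) -> list:
    """Run the scorer over an ordered event list.

    Each result is (account, device, score, flagged, reasons)."""
    history, results = [], []
    for ev in events:
        s, why = score_login(ev, history)
        results.append((ev.account, ev.device, s, s >= threshold, why))
        history.append(ev)
    return results


def flagged_indices(events: list, threshold: int = THRESHOLD) -> list:
    return [i for i, r in enumerate(score_events(events, threshold)) if r[3]]


# Constructed sample: a normal pair of logins, one proxied device cycling
# through three accounts, and one account hit from three devices in a second.
SAMPLE_EVENTS = [
    Login("2009-03-10T09:00:00", "alice", "dev-A", proxy=False, js=True),
    Login("2009-03-10T09:00:30", "bob",   "dev-B", proxy=False, js=True),
    Login("2009-03-10T09:01:00", "carol", "dev-X", proxy=True,  js=False),
    Login("2009-03-10T09:01:01", "dave",  "dev-X", proxy=True,  js=False),
    Login("2009-03-10T09:01:02", "erin",  "dev-X", proxy=True,  js=False),
    Login("2009-03-10T09:05:00", "alice", "dev-C", proxy=False, js=True),
    Login("2009-03-10T09:05:01", "alice", "dev-D", proxy=False, js=True),
]

if __name__ == "__main__":
    for account, device, score, flagged, why in score_events(SAMPLE_EVENTS):
        mark = "FLAG" if flagged else "    "
        print(f"{mark} {account:6} {device:6} score={score:3} {','.join(why)}")
```

Note that the static signals alone (proxy, no JavaScript) score 35 here and stay under the threshold; it is the velocity rules, which need state across logins, that push the third dev-X login and the third alice login over it. That ordering dependence is why such scoring runs against a history window rather than on each request in isolation.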

33. March 9, CNET News – (International) Adobe issues fix for zero-day Reader vulnerability. Adobe Systems on March 10 issued a security update to fix a critical vulnerability in Adobe Reader 9 and Acrobat 9 that could allow an attacker to take complete control of a computer and for which exploits had reportedly been found in the wild for nearly two months. Adobe alerted users about the vulnerability recently and promised to have a security update for it by March 11. On unpatched systems, a crafted PDF triggers a buffer overflow that corrupts memory, letting the attacker run code and install a backdoor through which to control the system remotely. In its advisory, Adobe said it plans to provide security updates for Adobe Reader 7 and 8 and Acrobat 7 and 8 by March 18 and for Adobe Reader 9.1 for Unix by March 25. Meanwhile, US-CERT said on March 10 it is aware of public reports of two new attack vectors for the vulnerability involving the Windows Indexing Service that indexes PDF files and the Windows Explorer Shell Extension. The vulnerability can be exploited with little or no user interaction if the Windows Indexing Service processes a malicious PDF file stored on the system or Windows Explorer displays a folder containing a malicious PDF file, the CERT advisory said; in other words, merely having the file on disk, not opening it in Reader, can be enough. Source:

Communications Sector

34. March 10, Xchange – (National) AT&T to invest billions in wireless and fiber. Femtocells; Wi-Fi; HSPA+; an almost doubling of its U-Verse footprint: AT&T Inc. said on March 10 that it plans to invest $17 billion to $18 billion this year. The carrier says it is still seeing increased demand for mobility, broadband and video, and especially for mobility, with a veritable explosion in demand expected once the economy turns around. It is wireless that will claim most of the limelight in terms of AT&T’s initiatives this year, with nods to fixed-to-mobile substitution and the increasing thirst for mobile Internet services. Notably, AT&T will finally start to trial femtocells more widely with the goal of taking its 3G MicroCell service mainstream. These home base stations add carrier backhaul capacity by plugging into a broadband connection in the home to boost wireless signals to broadband levels for voice and data. Since the consumer is typically paying for the broadband in the first place, it is an attractive way for a carrier to offload traffic and cost from the macro wireless network while encouraging broadband uptake. Meanwhile, it also plans to double its 3G network capacity by adding 850 MHz spectrum to the mix, a frequency band that provides better in-building coverage than the current network. It will also add 2,100 new cell sites and 20 new markets this year. And, in addition to its previously announced trials of 7.2 Mbps HSPA+, it said it plans to evolve to support speeds as high as 20 Mbps. And along with all of this will be a continuing expansion of AT&T’s Wi-Fi footprint and infrastructure, building from the 20,000-hotspot footprint created in 2008 with the acquisition of Wayport. Source: