Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, April 7, 2009

Complete DHS Daily Report for April 7, 2009


Top Stories

• Bloomberg reports that Alaska’s Cook Inlet Pipeline Co. will suspend operations after Mount Redoubt erupted in the state on Saturday. A vice president with Cook Inlet Pipeline said it will not accept oil for storage or transport until activity at the volcano ceases. (See item 3)

3. April 5, Bloomberg – (Alaska) Alaska Cook Inlet pipeline to suspend operations after eruption. Alaska’s Cook Inlet Pipeline Co., jointly owned by Chevron Corp. and Pacific Energy Resources, will suspend operations after a volcano erupted in the state on April 4, according to a statement posted on the U.S. Coast Guard Web Site. Mount Redoubt had “a major eruption” and is experiencing “continued unrest,” according to the statement from the Unified Command, which includes Cook Inlet Pipeline, the Coast Guard, and the Alaska Department of Environmental Conservation. Cook Inlet Pipeline will not accept oil for storage or transport until activity at the volcano ceases, a vice president with Cook Inlet Pipeline said in the statement. A tanker ship is tentatively scheduled to arrive on April 5 at the Christy Lee platform to draw oil from the Drift River Terminal, with the goal of reducing stocks of the fuel by 60 percent, according to the statement. About 148,000 barrels of oil are at the terminal, according to the state. No spills had been reported as of April 4, according to a state report. The terminal and related pipeline were closed March 23 following an earlier eruption of Mount Redoubt. Source:

• According to Reuters, police were investigating a suspicious package containing white powder found Friday at a Citibank branch office in New York’s financial district. The building was evacuated, and the investigation was ongoing. (See item 14)

See Banking and Finance Sector


Banking and Finance Sector

14. April 3, Reuters – (New York) Suspicious package found at NY bank. Police were investigating a suspicious package containing white powder found on April 3 at a Citibank branch office in New York’s financial district, authorities said. The package was discovered shortly after 9 a.m. at the building at 100 William Street in downtown Manhattan, a spokesman for the New York Police Department said. The building was evacuated and the investigation was ongoing, the spokesman said. Citibank issued a statement saying: “We alerted authorities after discovering an envelope with an unknown substance at a Citibank branch on William Street. We have taken appropriate actions to ensure the safety of our employees, customers and our facilities. The branch is currently closed pending a police investigation.” Source:

15. April 3, Bloomberg – (Arizona) SEC sues Arizona accountant over $67 million fraud. U.S. regulators sued an Arizona accountant, claiming he ran a $67 million Ponzi scheme tied to real-estate investments. A certified public accountant from Scottsdale cheated about 125 people out of investments they made with four companies he had operated since 2001, the U.S. Securities and Exchange Commission said in a complaint filed on April 2 in federal court in Phoenix. Investors forced the accountant into bankruptcy in November 2008. The accountant misrepresented that investor funds would be invested in loans secured by real estate and promised returns ranging from 12 percent to 22 percent, according to the complaint. He also assured investors they could seek repayment within 48 hours. Investors were encouraged to borrow money from home equity loans and retirement funds to invest with the accountant, the complaint said. In exchange for investments, the accountant and his companies issued unsecured demand promissory notes stating returns of 3 percent to 20 percent a year. Source:

Information Technology

38. April 5, Computerworld – (International) Conficker copycat prowls for victims, says Microsoft. An old, but little-known worm has copied some of the infection strategies of Conficker, the worm that raised a ruckus recently, Microsoft Corp. security researchers said on April 3. Neeris, which harks back to May 2005, is now exploiting the same Windows bug that Conficker put to good use, and it is spreading through flash drives, another Conficker characteristic, said researchers at the Microsoft Malware Protection Center. According to the researchers, Neeris’ makers recently added an exploit for the MS08-067 vulnerability that Microsoft patched last October. The emergency update, one of the rare times Microsoft has issued a patch outside its usual monthly schedule, fixed a flaw in the Windows Server service, which is used for file- and print-sharing by Windows PCs. Conficker, the worm that began using a new communications scheme to receive commands from its hacker controllers on April 1, exploited the same MS08-067 vulnerability to devastating effect in late 2008 and early 2009. In January, for instance, Conficker infected millions of machines, many of them by exploiting MS08-067. “Neeris [also] spreads via Autorun,” the researchers said in an entry to the malware center’s blog. “The new Neeris variant even adds the same ‘Open folder to view files’ AutoPlay option that Conficker does.” Source:

39. April 3, SoftPedia – (International) Trend Micro rushes to patch 0-day vulnerability. The development department at anti-virus vendor Trend Micro has recently been hard at work to plug a hole in the Internet Security 2008 and 2009 products after someone posted a PoC exploit for it. Trend Micro is one of the largest providers of anti-virus and security solutions in the world. Its flagship product is PC-cillin Internet Security, currently known as Trend Micro Internet Security (TIS). The company also develops HouseCall, one of the first free online anti-virus scanners. On 30 March 2009, someone going by the handle of “b1@ckeYe” posted proof-of-concept exploit code for a privilege escalation vulnerability, affecting TIS 2008 and 2009, both standard and professional editions, on the exploit-tracking Web site milw0rm. The flaw is located in the version of the tmactmon.sys (TrendMicro Activity Monitor Module) component and is classified by SecurityFocus as a boundary-condition error. The PoC creator credits research on driver flaws exploitation. Source:

Communications Sector

40. April 4, CNET News – (National) Comcast e-mail access suffers outage. Comcast e-mail servers experienced an outage, according to the company’s Twitter feed and a message on A fix arrived hours after expected. Users of the company’s e-mail service have been out of luck accessing the service since “at least” 6 a.m., according to an e-mail tip received by CNET News on April 4. Although Comcast did not immediately respond to a request for comment on the matter, its Comcastcares Twitter feed, as well as its service hub, did confirm the outage. It has been communicating with the “server company” — the maker of the server — to help resolve the problem. While a fix was previously expected at 11 a.m., according to the Twitter feed, e-mail is still down. “I do apologize,” tweeted the director of digital care for Comcast. “I am waiting for an update on the new errors.” No outgoing or incoming e-mail has been lost by users of its residential e-mail system, SmartZone. Those accounts come free with Comcast’s high-speed Internet service, to which he said 14.7 million people subscribe. “There’s quite a backlog” of messages in the server queue, the director said, that are expected to fully clear out in the next few hours, depending on the volume. A Comcast spokesman did not have a figure for how many subscribers actively use the free residential e-mail accounts, but he did clarify that Comcast’s paid business-class e-mail accounts, which rely on Microsoft Communication Services, were not affected by the outage. The spokesman said the company has not sent out an e-mail to subscribers regarding the outage. Source: