Department of Homeland Security Daily Open Source Infrastructure Report

Monday, April 13, 2009

Complete DHS Daily Report for April 13, 2009

Daily Report

Top Stories

 Platts reports that BP found on April 6 a potential problem with a natural gas pipeline that feeds part of its Alaska North Slope Prudhoe Bay oil field operations and will keep the line shut for further inspection. (See item 2)

2. April 9, Platts – (Alaska) BP says Prudhoe gas line may be at ‘risk’; idling some oil wells. BP has found a potential problem with a natural gas pipeline that feeds part of its Alaska North Slope Prudhoe Bay oil field operations and will keep the line shut for further inspection, a spokesman said on April 8. A company spokesman declined to estimate how much oil production may be curtailed or how many days it would take to resolve the issue with the gas pipeline. Gas from the line is used to boost liquids flow from oil wells. The spokesman, who is based in Alaska, but speaking from Houston, said he did not know how many wells were served by the gas line. “Our plan is to take pressure down on this line,” he said. “That will affect production at Prudhoe for a period of time.” A source at the field had characterized the cutback as “major,” adding it was initiated during the evening of April 8. On April 6, in the course of regular inspections, BP discovered “a potential external corrosion risk on one of our gas lines,” he said. “This is a potential problem spot. We need to take a closer look.” The area of line in question runs underground in a wildlife area, according to the spokesman. Source:

 According to the Associated Press, cell phone, Internet, and landline service is back in Silicon Valley, California after one or more vandals apparently severed eight fiber-optic cables on Thursday. (See item 36)

See Communications Sector below.


Banking and Finance Sector

10. April 10, San Diego Union-Tribune – (California) Bank warns customers after theft. The theft of seven laptop computers from an auditing firm has led the Borrego Springs Bank to send warning letters to all of its customers saying their personal financial information may be in the hands of criminals. The thefts occurred March 5, but the firm did not report them to the bank until March 18, the bank’s executive vice president and chief administrative officer wrote in the letter that most of the bank’s customers received Tuesday. “The service provider did not know if the data on the computers had been accessed or misused,” she said. She said the thefts were reported to the Orange County Sheriff’s Department’s Santa Ana office. She would not comment on the name of the accounting firm that was auditing the records or how or where the thefts occurred. The letter also says the computers contained information from the bank’s accounts “as well as information from a number of other financial institutions.” Source:

11. April 10, Philadelphia Business Journal – (National) Bank of America refinances mortgages under Fed plan. Bank of America Corp. has begun processing its first wave of mortgage-refinance applications under the U.S. Treasury Department’s “Making Home Affordable” program. The initiative provides refinance opportunities to homeowners who previously did not qualify. The plan allows homeowners with loans owned by Fannie Mae or Freddie Mac and who are current with their mortgage payments and whose home value is not more than 105 percent of the current mortgage balance to refinance their loans. Bank of America services one out of five mortgages in the United States. Charlotte-based Bank of America has extended its moratorium on the foreclosure of loans that may be eligible for the program until April 30. Source:

12. April 9, KSL 5 Salt Lake City – (Utah) Computer consultant accused of taking $1 million from credit union. A computer consultant is accused of bank fraud for allegedly programming himself $1 million in extra deposits from Family First Credit Union in Orem. According to the Daily Herald, a federal grand jury indicted the man on one count of bank fraud, and he was arrested on Wednesday. The FBI says he was hired to help the credit union with computer upgrades from June 13, 2008 through mid-January. Instead, they claim he used the passwords to create accounts and transfer money to himself. He now is in the Utah County jail. He could face a potential maximum sentence of 30 years in prison and a $1 million fine. The Herald says the man is co-owner of Lee & Morris Enterprises LLC. He was investigated after a business partner saw something suspicious and reported it. Source:

13. April 9, Kansas CW – (Kansas) Attorney General: Beware of Visa e-mail. The Kansas Attorney General is warning about a new e-mail scam that looks like it is from credit-card company VISA. The e-mails claim to be from VISA and highlight the “verified by VISA” fraud-protection program. The e-mail says all VISA customers will be required to enroll in the program or they will not be allowed to make on-line purchases. A form is attached asking for the customer’s credit card information. The e-mail is a scam. The Attorney General says, while the “verified by VISA” program is legitimate, it is not a requirement for VISA card holders. He also says that VISA will not contact customers by e-mail, or ask for any personal information by e-mail or phone. Source:

Information Technology

33. April 10, PC Magazine Security Watch – (International) Microsoft Conficker awakens, mutates, hustles. Reports are all over that a new and interesting version of the Conficker worm is around, and that it is pushing rogue anti-malware to its users. Thus a purpose to the whole endeavor begins to emerge: Money. But the vendor analyses of this new variant are not yet in synch; they disagree on some points and are confused on others. ESET calls this new variant Win32/Conficker.AQ; the names are really beginning to diverge among the vendors. The new variant is split into client and server components. The server, a Windows device driver, attempts to perform the infections of other systems through the MS08-067 vulnerability in Windows that made Conficker famous, but which had actually been removed from the previous variant. It also sets up an HTTP server on a random TCP port. Curiously, after May 3 the server part of the program will remove itself from the system as of the next reboot. The client program is a newly-obfuscated version of the old, familiar Conficker program. ESET says the new version dumps the domain name distribution scheme; this seemed clever, but was too susceptible to organized resistance by the industry and authorities. The new version attempts only to communicate through the already established peer network. They also suspect that the Autoun propagation system has been removed from it too, but have not completed analysis on that point. ESET has a removal tool for this variant. Symantec is reporting that the driver patches tcpip.sys in order to increase the number of concurrent connections on the system. They call this variant W32.Downadup.E. Symantec describes the DLL portion as the C variant and that the purpose of the infection is to install that C variant. This is not exactly what ESET says. Symantec also does not say that the Autorun propagation has been removed and they still recommend in their technical description disabling Autorun, but the description of E variant does not mention Autorun anymore. Source:

34. April 10, Softpedia – (International) Microsoft to patch 2 critical vulnerabilities in Vista SP1 and XP SP3. Microsoft is gearing up to patch a couple of Critical security vulnerabilities affecting Windows Vista Service Pack 1 and Windows XP SP3. Come April 14, the Redmond Company will release no less than eight bundles of patches aimed at a wide range of products. In addition to Vista and XP, Microsoft also plans to plug security holes in Windows Server, Internet Explorer, the Office System, Forefront, and ISA Server. The software giant did not indicate in any manner whether Windows 7, the next iteration of the Windows client, or Windows Server 2008 R2 were impacted by the vulnerabilities that put users of previous releases of the operating systems at risk. “As part of this month’s security bulletin release process, we will issue eight security bulletins — five rated ‘Critical,’ two rated ‘Important,’ and one rated ‘Moderate.’ These bulletins address vulnerabilities in Microsoft Windows, Microsoft Excel, Internet Explorer, and Microsoft ISA Server. Depending on the bulletin, a restart may be required. The updates will be detectable using the Microsoft Baseline Security Analyzer,” revealed the Microsoft Security Response center communications manager. “As we do each month, the Microsoft Windows Malicious Software Removal Tool will be updated.” Source:

35. April 8, InformationWeek – (International) Scareware surging, Microsoft report finds. In its sixth Security Intelligence Report, released April 8 and covering the second half of 2008, Microsoft says scareware is on the rise. Scareware purports to be security software but is not. It is sold to technically naive users to address supposed computer security threats. But it generally offers little or no protection, and may act maliciously, by stealing information, for example. “The prevalence of rogue security software has increased significantly over the past [year and a half],” the report says. “Rogue security software uses fear and annoyance tactics to convince victims to pay for ‘full versions’ of the software in order to remove and protect themselves from malware, to stop the continual alerts and warnings, or both.” Microsoft’s report says that two rogue software families, Win32/FakeXPA and Win32/FakeSecSen, were detected on more than 1.5 million computers, putting them among the top threats for the second half of 2008. Illegal hacking nonetheless remains a problem, one that is increasingly focused on the application layer rather than the operating system. Almost 90 percent of vulnerabilities disclosed in the second half of 2008 affected applications, the report says. Source:

Communications Sector

36. April 10, Associated Press – (California) Phone, Internet service restored in Silicon Valley. Cell phone, Internet, and landline service is back in Silicon Valley after one or more vandals apparently severed eight fiber-optic cables. San Jose police said there was evidence that someone removed a manhole cover and cut four cables early April 9. The incident wiped out phone and Internet service for thousands in the area. Hours later, authorities in San Carlos reported that four cables there had also been cut. AT&T Inc., which owns some of the lines, is offering a $100,000 reward for information leading to an arrest. Late April 9, it said service had returned to most of the area. Source: See also:

37. April 10, Oregonian – (Oregon) Digging cuts 9-1-1 center’s phones. A construction mishap left many Washington County residents without access to a 911 call center earlier the week of April 6. On the morning of April 7, digging machinery doing street repair and maintenance in Hillsboro damaged fiber optic cables connected to a Verizon central office, said a spokeswoman for the Washington County Consolidated Communications Agency. Central offices serve as switching centers to route phone calls to their correct recipients, a Verizon spokesman said. Four fiber optic cables were damaged by the construction. The spokeswoman said 911 phone service was patchy throughout the county until the problem was fixed around 6 p.m. She estimates that 27,000 people were affected. The damage to the fiber optic cables, which carry phone calls between different areas, meant residents could not call outside of their immediate area. So North Plains residents could call each other, but they could not put a call through to Beaverton, where the 911 dispatch center is located. The spokeswoman said the call center has no way to determine whether phone lines are operating properly on a daily basis. On April 7, there was little indication anything was wrong. The damaged lines also affected non-emergency phone calls, as many people had intermittent phone service throughout the day. A widespread outage of 911 phone service is rare, she said. Source: