Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, July 16, 2009

Complete DHS Daily Report for July 16, 2009

Daily Report

Top Stories

 The Barstow Desert Dispatch reports that the Burlington Northern Santa Fe Railway yard in Barstow, California was evacuated for more than four hours after a bomb threat was found at the yard the night of July 12, but no bombs were found in the area. (See item 20)

20. July 13, Barstow Desert Dispatch – (California) Bomb threat temporarily closes BNSF yard. The Burlington Northern Santa Fe Railway (BNSF) yard in Barstow was evacuated for more than four hours after a bomb threat was found at the yard the night of July 12, but no bombs were found in the area. A city spokesman said BNSF employees reported a bomb threat to the Barstow Police Department after two written threats were found in employee bathroom stalls at 11:50 p.m. July 12. The threat said bombs were strategically placed in two BNSF buildings to “kill them all” according to the spokesman. The spokesman said the buildings were evacuated and a 300-yard perimeter was set up around the buildings. Bomb dogs from the Marine Corps Logistic Base were called in by the police and were unable to locate any explosive devices. The yard was reopened at 4:21 a.m. according to the spokesman. A BNSF spokeswoman said around 90 BNSF employees were evacuated and the yard was shut down after the bomb threat. The main rail line through Barstow was also closed for an hour, she said. Source:

 According to the Associated Press, security was upgraded in Yemen’s capital this week after intelligence reports warned of attacks planned against the U.S. embassies in Algeria and Yemen, a senior security official said Tuesday. (See item 30)

30. July 14, Associated Press – (International) Yemeni official: Intelligence warn of attacks. Security was upgraded in Yemen’s capital this week after intelligence reports warned of attacks planned against the U.S. embassies in Algeria and Yemen, a senior security official said Tuesday. The official, who spoke on condition of anonymity because he was not authorized to speak to the media, did not reveal the origin of the intelligence. In the wake of the report, the chief of the intelligence issued directives Monday to increase security around diplomatic missions in the capital and elsewhere in the country. A copy of the directive was shown to the Associated Press. Yemen’s Interior Ministry also issued a statement Monday in which it said it was increasing security around foreign diplomatic missions and commercial interests as a “preventive measure” against potential “terrorist attacks.” The move came as a Yemeni court sentenced six al-Qaida militants to death after convicting them of a string of attacks a year earlier, including a deadly assault on the U.S. embassy in September which left 19 people dead. Source:


Banking and Finance Sector

13. July 15, Bloomberg – (International) HSBC, Herald sued over $578 million ‘fake’ profit from Madoff. HSBC Holdings Plc and a Cayman Islands-based hedge fund were sued by the trustee liquidating the business of the mastermind behind the largest ponzi scheme in history over claims they withdrew $578 million in “fake” profit from the con man’s firm before it collapsed. The lawsuit, filed on July 14 by the trustee in U.S. Bankruptcy Court in Manhattan, claims London-based HSBC withdrew most of the money on behalf of its client, Herald Fund Spc, less than 90 days before the ponzi artist’s firm began liquidating. The trustee says such transfers are recoverable under U.S. bankruptcy law. The so-called clawback lawsuit against HSBC and Herald is one of at least eight filed against the biggest investors in York-based Bernard L. Madoff Investment Securities LLC. The earlier complaints seek a total of $13.7 billion in damages to be used to repay victims of the ponzi artist’s fraud. The lawsuit names Herald Fund’s beneficiary bank, London- based HSBC Bank Plc, and its asset custodian, HSBC Securities Services (Luxembourg) SA. In April, Herald Fund filed a lawsuit in a Luxembourg court against the same HSBC unit, seeking 1.6 billion euros ($2.15 billion) in assets the bank allegedly reported in its last value calculation. Source:

14. July 15, Bloomberg – (National) Bair, Bernanke want tougher curbs on biggest banks. The Federal Deposit Insurance Corp. chairman, with support from Federal Reserve officials, is pushing for tougher measures to curb the size and risk-taking of the nation’s largest financial firms. The FDIC will propose slapping fees on the biggest bank holding companies to the extent that they carry on activities, such as proprietary trading, outside of traditional lending. The idea goes beyond the U.S. Presidential Administration’s regulation-overhaul plan, which would have the Fed adjust capital and liquidity standards for the biggest firms, without any pre-set fees. “What we have suggested is financial disincentives for size and complexity,” the chairman said in a July 9 interview. The Federal Chairman told lawmakers last month that restricting size is a “legitimate” option. Size limits would overturn decades of regulatory tradition that promoted the view that large, diversified institutions were more immune to risks when specific industries or regions slumped. Source:

15. July 14, Associated Press – (Nebraska) Nebraska officials warn of another lending scam. Nebraska officials are warning of another scam targeting people trying to borrow money. The department says it has gotten complaints about the company. And the department says it also got a warning from a licensed mortgage company from Phoenix called Hamilton Lending, which has a branch in Lincoln. The department says most of the scammers ask for fees upfront, then do not provide the loan money. In June, the department warned consumers about a company calling itself Hillsboro Financial Group that listed a false Omaha address. Source:

Information Technology

36. July 15, Reuters – (International) French workers threaten to blow up Nortel factory. Workers at the French arm of telecommunications manufacturer Nortel have threatened to blow up their factory unless they secure decent layoff terms, but gas cylinders placed around the plant were empty, a newspaper said. French daily Le Parisien said on July 15 the workers had placed gas cylinders in front of the plant in the Yvelines area near Paris, where 480 jobs are set to be axed following bankruptcy proceedings. In the second threat by French workers to blow up a factory in a week, the paper said the workers had threatened to stage an explosion as early as July 15 if their demands were not met, but said the gas cylinders were empty. No immediate comment was available from Toronto-based Nortel, once the largest North American telecommunications equipment manufacturer but which filed for bankruptcy protection in Canada and the United States in January. The workers were also bitter about the way the authorities handling the case in France were proceeding, the paper said. Source:

37. July 14, IDG News Service – (International) Probe into cyberattacks stretches around the globe. British authorities have launched an investigation into the recent cyberattacks that crippled Web sites in the U.S. and South Korea, as the trail to find the perpetrators stretches around the world. On July 13, the Vietnamese security vendor Bach Khoa Internetwork Security (Bkis) said it had identified a master command-and-control server used to coordinate the denial-of-service (DDoS) attacks, which took down major U.S. and South Korean government Web sites. A command-and-control server is used to distribute instructions to zombie PCs, which form a botnet that can be used to bombard Web sites with traffic, rendering the sites useless. The server was on an IP (Internet Protocol) address used by Global Digital Broadcast, an IP TV technology company based in Brighton, England, according to Bkis. That master server distributed instructions to eight other command-and-control servers used in the attacks. Bkis, which managed to gain control of two of the eight servers, said that 166,908 hacked computers in 74 countries were used in the attacks and were programmed to get new instructions every three minutes. But the master server is not in the U.K.; it is in Miami, according to one of the owners of Digital Global Broadcast, who spoke to IDG News Service on July 13. The server belongs to Digital Latin America (DLA), which is one of Digital Global Broadcast’s partners. Digital Global Broadcast was notified of a problem by its hosting provider, C4L, the owner said. His company has also been contacted by the U.K.’s Serious Organized Crime Agency (SOCA). A SOCA official said she could not confirm or deny an investigation. Source:

38. July 14, The Register – (International) BlackBerry update bursting with spyware. An update pushed out to BlackBerry users on the Etisalat network in the United Arab Emirates appears to contain remotely-triggered spyware that allows the interception of messages and emails, as well as crippling battery life. Sent out as a WAP Push message, the update installs a Java file that one curious customer decided to take a closer look at, only to discover an application intended to intercept both email and text messages, sending a copy to an Etisalat server without the user being aware of anything beyond a slightly excessive battery drain. It was, it seems, the battery issue that alerted users to something being wrong. Closer examination seems to indicate that all instances of the application were expected to register with a central server, which could not cope with the traffic — thus forcing all the instances to repeatedly attempt to connect while draining the battery. A more phased reporting system might have escaped detection completely. The update is labelled: “Etisalat network upgrade for BlackBerry service. Please download to ensure continuous service quality.” The signed JAR file, when opened, reveals an application housed in a directory named “/com/ss8/interceptor/app”, which conforms to the Java standard for application trees to be named the reverse of the author’s URL. No one from Etisalat, RIM, or SS8 is saying anything about the issue, despite the fact that the application appears remarkably difficult to remove. Source:

39. July 13, BBC News – (International) Snooping through the power socket. Security researchers found that poor shielding on some keyboard cables means useful data can be leaked about each character typed. By analyzing the information leaking onto power circuits, the researchers could see what a target was typing. The attack has been demonstrated to work at a distance of up to 15m, but refinement may mean it could work over much longer distances. “Our goal is to show that information leaks in the most unexpected ways and can be retrieved,” wrote two individuals of security firm Inverse Path, in a paper describing their work. The research focused on the cables used to connect PS/2 keyboards to desktop PCs. Usefully, said the pair, the six wires inside a PS/2 cable are typically “close to each other and poorly shielded.” This means that information travelling along the data wire, when a key is pressed, leaks onto the earth (ground in the U.S.) wire in the same cable. The earth wire, via the PC’s power unit, ultimately connects to the plug in the power socket, and from there information leaks out onto the circuit supplying electricity to a room. Even better, said the researchers, data travels along PS/2 cables one bit at a time and uses a clock speed far lower than any other PC component. Both these qualities make it easy to pick out voltage changes caused by key presses. A digital oscilloscope was used to gather data about voltage changes on a power line and filters were used to remove those caused by anything other than the keyboard. Source:

Communications Sector

40. July 15, Gainesville Sun – (Florida) Fraud investigation leads FBI to raid cable provider. A small Dixie County coastal community was the site of an FBI raid on July 13 in which a couple apparently is suspected of satellite TV piracy. Residents reported seeing several agents and a large enclosed trailer on the property known as Griner’s Island on July 13. County records show that the approximately 10-acre property is owned by two individuals who operate American Cable TV Inc., which is the cable television provider for the unincorporated community of Suwannee. A source close to the investigation told The Sun that the search warrant focuses on allegations of satellite piracy, specifically that the couple may have intercepted satellite transmissions and rebroadcast them over their cable system. The system was off the air on July 13, according to several customers who had been receiving the cable service. Source:

41. July 15, Eagle-Tribune – (Michigan) Hydrogen sulfide leak forces evacuation of Andover office building. An industrial-size battery used to power the backup electrical system at an Andover, Michigan office building overheated around 1 p.m. causing a potentially harmful amount of hydrogen sulfide to leak into a first-floor utility room the afternoon of July 14. The Andover fire deputy chief said it was an “extremely high concentration” of the gas, but that only one person complained of shortness of breath. He said that person chose not to be transported by medical personnel. The leak forced hundreds of Verizon employees to wait for hours in the parking lots surrounding the building as firefighters worked to clear the gas from inside. The deputy chief said about 400 Verizon employees work in the building. Just a few breaths of air containing high levels of hydrogen sulfide can be lethal, according to the Web site of the U.S. Department of Health and Human Services. The employees were allowed to re-enter the building about 4 p.m., the deputy chief added. Source: