Monday, August 17, 2009

Complete DHS Daily Report for August 17, 2009

Daily Report

Top Stories

According to the Associated Press, six people were sent to the hospital suffering from cuts, burns, and smoke inhalation after a lithium battery exploded at Electrochem Solutions Inc. in Raynham, Massachusetts on August 13. About 130 employees were evacuated from the building. (See item 11)

11. August 14, Associated Press – (Massachusetts) 6 hurt in Mass. when battery explodes. Six people were sent to the hospital suffering from cuts, burns and smoke inhalation after a lithium battery exploded at a Raynham, Massachusetts factory. The fire chief says the explosion at Electrochem Solutions Inc. at about 7:30 p.m. on August 13 occurred as two men were assembling the roughly four-inch-long battery inside a glass enclosure. The men suffered serious lacerations and facial burns, but their injuries are not considered life-threatening. Four other employees suffered minor injuries. About 130 employees were evacuated from the building. The cause of the explosion remains under investigation, but the fire chief thinks it may have been caused by moisture. There was no threat to the surrounding area. Source:

The Associated Press reports that a man suspected of making threats against the White House was pulled from his car August 13 after an hours-long standoff in the parking lot of the Federal Building in West Los Angeles. The Federal Building was locked down. (See item 34)

34. August 14, Associated Press – (California) Police standoff ends at LA federal building. A man suspected of making threats against the White House was pulled from his car August 13 after an hours-long standoff in the parking lot of the Federal Building in West Los Angeles. The man had refused to leave his car and withstood four rounds of chemical agents tossed inside the car after police broke a rear window. About an hour later, officers shot out the driver's window with a bean bag gun, used a Taser on the man and pulled him out. A Secret Service spokesman identified the suspect as a 56-year-old from Los Angeles. The suspect is suspected of calling a police dispatch number Wednesday and making threatening statements about the White House. The Federal Building was locked down and employees were told to stay inside, an FBI spokeswoman said. Source:


Banking and Finance Sector

14. August 14, CNN – (National) Another setback for troubled Colonial Bank. Southern regional bank Colonial Bank is on the verge of failure, a federal judge said in granting a request made by Bank of America to freeze Colonial’s assets. A U.S. district judge ruled on August 13 in favor of Bank of America, which had requested a temporary restraining order to keep Colonial from liquidating or transferring assets worth $1 billion. Individual depositors are protected through the Federal Deposit Insurance Corp. A spokesman said the FDIC has no comment on the ruling at this time. “Viewing Colonial’s contractual breach in conjunction with the fact that Colonial is on the brink of collapse and is suspected of criminal accounting irregularities, the potential for immediate substantial injury to Bank of America is clear,” the judge said in his order. The lawsuit filed by Bank of America involved more than 6,000 mortgages issued by its subsidiary and held in trust by Colonial. According to the motion, Bank of America is owed more than $1 billion in assets but Colonial has failed to pay the amount owed. As of the end of June, Colonial had assets of $25.5 billion and liabilities of at least $24.2 billion, which includes deposits of $20 billion. Colonial BancGroup says it has 355 branches in five states: Alabama, Florida, Georgia, Nevada and Texas. Source:

Information Technology

47. August 14, IDG News Service – (International) Twitter used to manage botnet, says security expert. A security researcher has found that hackers are using Twitter to distribute instructions to a network of compromised computers, known as a botnet. The traditional way of managing botnets is to use IRC, but botnet owners are continuously looking for new ways to keep their networks up and running, and Twitter seems to be the latest trick. A now-suspended Twitter account was being used to post tweets that had links to new commands or executables to download and run, which would then be used by the botnet code on infected machines, wrote a manager of security research at Chelmsford, Massachusetts-based Arbor Networks Inc., in a blog post on August 13. “I spotted it because a bot uses the RSS feed to get the status updates,” the manager wrote. The account, called “Upd4t3”, is under investigation by Twitter’s security team, according to the manager. But the account is just one of what appear to be a handful of Twitter command and control accounts, he wrote. The botnet the manager found is “an infostealer operation,” a type that can be used to steal sensitive information such as log-in credentials from infected computers. Source:
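The item above describes bots polling a public status feed over RSS to pick up new commands. From a defender's side, that behaviour leaves a distinctive footprint in web proxy logs: the same client fetching the same feed URL at a near-constant interval, usually with no browser user agent. The script below is an added illustration written for this page; it is not code from the report or from Arbor Networks. The proxy log lines are constructed, the log field layout (timestamp, client, method, URL, quoted user agent) is an assumption, and the feed hostname is a placeholder under the reserved .invalid domain.

```python
"""Flag clients that poll a status feed with machine-like regularity.

Added example for the DHS daily report item on Twitter-based botnet C2; not
code from the report or Arbor Networks. Log lines and field layout are
constructed for this illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log format: "<ISO time> <client> <method> <url> "<user agent>""
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Placeholder feed URL (hypothetical host, reserved .invalid TLD).
FEED = "http://example-microblog.invalid/statuses/user_timeline/upd4t3.rss"

# Constructed sample: 10.0.0.5 polls the feed about once a minute with no
# user agent; 10.0.0.7 is a person reading the same feed in a browser at
# irregular times; 10.0.0.9 touched the feed only twice.
SAMPLE_LOG = f"""\
2009-08-13T09:00:00 10.0.0.5 GET {FEED} "-"
2009-08-13T09:00:00 10.0.0.7 GET {FEED} "Mozilla/5.0 (Macintosh)"
2009-08-13T09:00:30 10.0.0.7 GET {FEED} "Mozilla/5.0 (Macintosh)"
2009-08-13T09:01:02 10.0.0.5 GET {FEED} "-"
2009-08-13T09:02:00 10.0.0.5 GET {FEED} "-"
2009-08-13T09:03:01 10.0.0.5 GET {FEED} "-"
2009-08-13T09:03:59 10.0.0.5 GET {FEED} "-"
2009-08-13T09:05:00 10.0.0.5 GET {FEED} "-"
2009-08-13T09:05:00 10.0.0.7 GET {FEED} "Mozilla/5.0 (Macintosh)"
2009-08-13T09:05:10 10.0.0.7 GET {FEED} "Mozilla/5.0 (Macintosh)"
2009-08-13T09:10:00 10.0.0.9 GET {FEED} "-"
2009-08-13T09:11:00 10.0.0.9 GET {FEED} "-"
2009-08-13T09:20:00 10.0.0.7 GET {FEED} "Mozilla/5.0 (Macintosh)"
2009-08-13T09:21:00 10.0.0.7 GET {FEED} "Mozilla/5.0 (Macintosh)"
"""

# User-agent prefixes treated as "a human browser"; everything else is
# considered a non-browser client for scoring purposes.
BROWSER_MARKERS = ("Mozilla/", "Opera/")


def parse_log(text):
    """Return (timestamp, client, method, url, user_agent) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = LOG_RE.match(line) if line else None
        if not m:
            continue  # skip blank or malformed lines instead of failing
        ts, client, method, url, ua = m.groups()
        events.append((datetime.fromisoformat(ts), client, method, url, ua))
    return events


def find_beacons(events, min_fetches=5, max_cv=0.15):
    """Return (client, url) pairs fetched at a near-constant interval.

    A series is flagged when it has at least `min_fetches` requests, the
    coefficient of variation of the gaps between requests is at most
    `max_cv`, and the user agent does not look like a browser.
    """
    by_key = defaultdict(list)
    for ts, client, _method, url, ua in events:
        by_key[(client, url, ua)].append(ts)

    findings = []
    for (client, url, ua), times in by_key.items():
        if len(times) < min_fetches:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv and not ua.startswith(BROWSER_MARKERS):
            findings.append({
                "client": client,
                "url": url,
                "user_agent": ua,
                "fetches": len(times),
                "mean_interval_s": round(avg, 1),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} polls {f['url']} every ~{f['mean_interval_s']}s "
              f"({f['fetches']} fetches, UA {f['user_agent']!r})")
```

The thresholds are deliberately loose; real feed readers and update checkers also poll on timers, so in practice this is a triage signal to combine with the feed's content or reputation rather than a standalone verdict.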

48. August 14, The Register – (International) MS Zero-day security bug was two years in the making. A flaw in Office Web Components which Microsoft fixed on August 11 was first reported to the software giant over two years ago, it has emerged. The time taken to release a patch has security vendors speculating that Microsoft only got around to fixing the software flaw at all because hackers have begun exploiting it over recent weeks. The arrival of the MS09-043 patch addressed a zero-day flaw that had become the fodder of drive-by download attacks from malicious web pages. The patch addressed four vulnerabilities in the Office ActiveX control in total, including the zero-day flaw. Users previously had to rely on workarounds published by Microsoft in a July advisory. The zero-day security bug was discovered by a researcher and first reported to Microsoft in March 2007 via the TippingPoint Zero Day Initiative scheme, which pays researchers for security exploits. TippingPoint uses this information to add signature detection against exploits based on the bug to its intrusion protection products. It also passes along the information to the relevant software developers, in this case Microsoft. Responding to questions on the long delay, a ZDI manager told heise Security, “they [Microsoft] kept finding the need for more time to ensure the issue was completely addressed.” Source:

49. August 13, – (International) Craigslist, AutoCAD threats show virus variety. Malware authors continue showing their creativity, with new viruses making the rounds by targeting Craigslist fans and AutoCAD users. One of the new attacks is being spread by malicious links in spam purporting to be a message from Craigslist about a car sale, the product marketing manager at antivirus firm Red Condor said. The virus also escaped detection by a number of AV outfits, she added. “When we detected it, only 13 of 41 antivirus companies had detected it as a virus,” she said. “It takes companies a while to update their patterns. We’re more able to quickly update patterns.” Other viruses are attacking AutoCAD, raising eyebrows simply because there are so few viruses written for the software. One such virus surfaced last month, followed by a second last week. That could spell trouble, considering that AutoCAD security is not always in the headlines. “The last time Sophos wrote about AutoCAD malware was over two years ago,” a Sophos security expert wrote in his blog. “The typical AutoCAD user doesn’t place much importance in considering the security implications of what they’re doing and the script they’re running — which could lead to an unfortunate infection if you were unlucky enough to be in the firing line.” Source:

50. August 12, SCMagazine – (International) DNS changing Trojan hits Apple Macs when disguised as a MacCinema installer. A domain name system changing Trojan that targets Apple Macs is spreading disguised as a MacCinema installer. A technical communications spokesperson at Trend Micro claimed that this is the latest variant of OSX_JAHLAV.C, which was identified in June. It is supposedly a QuickTime Player update with the file name QuickTimeUpdate.dmg, and as with earlier variants, users are prompted to download the malware when trying to view certain online videos from .com domains with the IP address. Once infected, a victim’s web traffic can then be diverted to the website of the attacker’s choosing. The spokesman said: “The Trojan contains component files detected as UNIX_JAHLAV.D and obfuscated scripts detected as PERL_JAHLAV.F. The Perl script then downloads a file from a malicious site and stores it as /tmp/{random 3 numbers}, detected as UNIX_DNSCHAN.AA, which allows a malicious user to monitor the affected user’s activities. This may also cause the user to be redirected to phishing sites or sites where other malware may be downloaded from.” A Trend Micro advanced threats researcher claimed that the domain names have been set up such that when the main IP goes down or is taken down, cybercriminals can easily move the backend to another IP address without the need to change code or scripts. The company warned Mac users to be wary of prompts to download software updates that do not come from Apple’s legitimate website. Source:
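The item above gives two host-level indicators a defender can check for: a resolver configuration that no longer points at the organisation's own DNS servers, and a dropped payload stored under /tmp with a three-digit name. The script below is an added example written for this page, not code from the report or from Trend Micro. It parses a resolv.conf-style file and compares the nameservers against an allowlist, then flags /tmp entries matching the naming pattern quoted in the report. The resolver file contents, the allowlist and the /tmp listing are all constructed; on a real Mac of that era the effective resolvers are managed by the system configuration daemon, so treating /etc/resolv.conf as authoritative is an assumption and the function also accepts text obtained some other way.

```python
"""Check resolver settings and /tmp for the indicators quoted in the report.

Added example for the DHS daily report item on the OSX_JAHLAV DNS changer;
not Trend Micro's code. All sample inputs below are constructed.
"""
import ipaddress
import os
import re

# Constructed resolver file: 10.0.0.1 is the site's own server, 192.0.2.53
# (documentation range) stands in for an attacker-controlled resolver.
SAMPLE_RESOLV_CONF = """\
# generated by the system (constructed sample)
domain corp.example
nameserver 192.0.2.53
nameserver 10.0.0.1
nameserver not-an-address
"""

# Constructed: resolvers the organisation actually operates.
ALLOWED_RESOLVERS = {"10.0.0.1", "10.0.0.2"}

# Constructed /tmp listing; "473" matches the /tmp/{random 3 numbers} pattern.
SAMPLE_TMP_NAMES = ["com.apple.launchd.Abc123", "473", "12", "9999", "mysock", "0x1"]

THREE_DIGITS = re.compile(r"^\d{3}$")


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text.

    Comments are stripped and entries that are not valid IP literals are
    ignored rather than raising, so a hand-edited file cannot break the check.
    """
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue
    return servers


def unexpected_nameservers(servers, allowlist):
    """Return configured resolvers that are not on the allowlist."""
    allowed = {str(ipaddress.ip_address(a)) for a in allowlist}
    return [s for s in servers if s not in allowed]


def suspicious_tmp_names(names):
    """Return /tmp entry names that are exactly three digits, sorted."""
    return sorted(n for n in names if THREE_DIGITS.match(n))


def assess(resolv_text, allowlist, tmp_names):
    """Combine both checks into one report dictionary."""
    servers = parse_resolv_conf(resolv_text)
    return {
        "nameservers": servers,
        "unexpected_nameservers": unexpected_nameservers(servers, allowlist),
        "suspicious_tmp": suspicious_tmp_names(tmp_names),
    }


def assess_live_host(allowlist, resolv_path="/etc/resolv.conf", tmp_dir="/tmp"):
    """Run the same checks against the current machine (assumes a Unix layout)."""
    try:
        with open(resolv_path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = ""  # no resolver file readable; report will show no nameservers
    try:
        names = os.listdir(tmp_dir)
    except OSError:
        names = []
    return assess(text, allowlist, names)


if __name__ == "__main__":
    report = assess(SAMPLE_RESOLV_CONF, ALLOWED_RESOLVERS, SAMPLE_TMP_NAMES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A three-digit filename on its own is weak evidence, since the report gives no other naming detail; the point of combining it with the resolver check is that the two indicators together describe the infection the report quotes, whereas either alone is easily a false positive.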

Communications Sector

51. August 14, Billings Gazette – (National) Bresnan working to fix Internet, phone outage. Bresnan engineers have been working through the night to fix a problem that disrupted Internet and telephone service in Montana, Wyoming, Colorado and Utah. The regional vice president of Bresnan Communications in Billings said on August 14 there is no firm time on when full service will be restored but that many of the company’s markets are back up. “We’ve got every engineer we have working on it,” he said. The outage began at 7:10 p.m. on August 13, and it affected many of Bresnan’s markets in the four states, he said. The Billings area was one of the hardest hit. The vice president said he did not yet know what caused the outage. Source:

52. August 13, Washington Post – (Virginia) Damaged cable disrupts Pr. William 911 center. A damaged phone cable line is creating problems at Prince William County’s 911 center, with dispatchers reporting a number of dropped emergency calls. Since about 10:15 a.m. on August 13, emergency and non-emergency calls to the county’s Public Safety Communications Office in Woodbridge have been cut off and the county’s phone system has made “phantom calls” to randomly generated numbers, said a Prince William County spokeswoman. “People are calling in but for some people, once they are on the call they are getting cut off,” she said. Dispatchers also reported receiving phone calls from confused residents who saw on their caller ID that they had received a “phantom,” or automatically dialed, phone call from 911. The disruption is affecting both landline and cell phones, the spokeswoman said. It was unclear how many residents had been affected. The outages started at about 10 a.m. on August 13, when a Verizon contractor accidentally cut a fiber-optic cable near the intersection of Prince William Parkway and Telegraph Road, said a company spokesman. Source: