Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, September 2, 2009

Complete DHS Daily Report for September 2, 2009

Daily Report

Top Stories

 According to the New York Daily News, a pair of security guards who were supposed to keep watch on the highly trafficked George Washington Bridge spanning the Hudson River were fired Monday after pictures of them repeatedly snoozing on the job were published on a Web site. The bridge is considered by law enforcement to be a key terror target. (See item 16)

16. September 1, New York Daily News – (New York) George Washington Bridge security guards fired after being photographed sleeping on the job. A pair of security guards who were supposed to keep watch on the highly trafficked George Washington Bridge were fired Monday after pictures of them repeatedly snoozing on the job were published on a Web site. The slumbering guards worked for FJC Security Services. The Manhattan-based company is contracted by the Port Authority of New York and New Jersey, which controls the bridge — considered by law enforcement to be a key terror target. “The two guards have been fired by the security contractor,” the Port Authority said in a statement Monday. A commuter caught one of the guards catnapping inside a security booth twice Monday morning. The commuter told Cliffviewpilot he was fed up because he had spotted a different guard sleeping on August 5 and that it was the third time he had seen a guard napping. The guards, whose names were not released, were part of what one Port Authority official called “a comprehensive and overlapping” strategy to secure the famous Hudson River crossing. Source:

 KMBC 9 Kansas City reports that state authorities have issued an emergency license suspension to Mi Ranchito restaurant in Lenexa, Kansas after nearly two dozen people became ill Sunday night while eating there. (See item 23)

23. August 31, KMBC 9 Kansas City – (Kansas) Soda machine blamed in illness at restaurant. A Lenexa restaurant has been slapped with an emergency license suspension by state authorities. Nearly two dozen people became ill Sunday night while eating at the Mi Ranchito at Interstate 35 and 95th Street in Lenexa. It was not the first time diners at this restaurant had gotten sick, officials said. About half of those who fell ill went to area hospitals as a precaution, but no one was admitted. Managers of the restaurant told KMBC that carbonated drinks were the cause of the most recent illness. They blame the soda machine, which they said had backflow problems. That means carbonated water was coming into contact with copper lines, poisoning customers with copper. One problem with that theory is that not everyone who got sick drank sodas. Inspectors are also sampling chips and salsa. The inspectors do say that people with food poisoning do not fall ill as quickly as happened in this case. Health inspectors have not completed their investigation and the restaurant is currently closed. Source:


Banking and Finance Sector

12. September 1, Tempo Interactive – (International) Bank Rakyat Indonesia receives bomb threat. A branch office of Bank Rakyat Indonesia in Bengkulu province, Sumatra, received a bomb threat on September 1, the second threat made in less than six months and after the Jakarta Hotel bombings. A staff member with the bank received the threat at 7:55 a.m. through a phone call, stating a bomb would explode at 10 a.m., a spokesman for the bank’s office said. He said customers were not immediately evacuated to prevent panic. Bengkulu Resort Police were sent to search the bank and found no suspicious objects at the end of the search at 9:30 a.m. The seat of Bengkulu province had previously received a bomb threat on July 26 after the twin suicide bombings at JW Marriott and the Ritz Carlton which killed nine people. A string of threats preceded and followed the twin suicide bombings. Source:,20090901-195585,uk.html

13. August 27, Brattleboro Reformer – (Vermont) Bank evacuated during fire. About 150 people were evacuated from the Chittenden Bank Operation Center on Putney Road in Brattleboro on August 27, after a smoky fire set off alarms in the building. A rack of backup batteries overheated and melted, filling the steel maintenance room behind the offices with smoke, the Brattleboro fire chief said at the scene. The chief said the fire was relatively easy to contain, but cutting off power to the building was challenging because of the large amount of machinery and technology in the building. He also said the backup generators had to be disconnected to make sure they did not kick in when the power was cut. The Putney Road office processes data from Chittenden Banks throughout New England, and the chief said his firefighters were working closely with bank officials throughout the afternoon. A spokeswoman for People’s United Bank, which owns Chittenden Bank, said the company was able to maintain business through the afternoon. The Putney Road security manager said the batteries that burned were fairly new and had been updated within the past 10 years and inspected. He did not know why the fire started. Source:

Information Technology

39. September 1, eWeek – (International) PowerPoint: New PowerPoint attacks hit old flaw. Researchers are tracking the emergence of a new set of malware attacks loaded into Microsoft PowerPoint documents that take aim at a long-patched vulnerability in the application. Highlighting the success that many attackers still have in launching threats that prey on vulnerabilities that should have been fixed long ago, the new PowerPoint attacks seek to exploit the issue identified by Microsoft as MS06-028, first patched in June 2006. Even those who remain unpatched could avoid the attack by avoiding unsolicited .PPT attachments, so clearly the threat is aimed at less savvy individuals, or those living in countries such as China where the popularity of pirated Microsoft software allows for old flaws to remain available targets. Among the researchers logging new waves of the .PPT campaigns was Sophos, which said it has seen a sharp increase in the attacks over the last several business days. For those who should be patched, the usability of the attacks shows how even a recent spate of .PPT-related zero day threats sometimes fails to motivate people to ensure their computers are completely up to date, experts with the company noted in a blog post. The attacks drop a Trojan, identified by the researchers as Troj/Protux-Gen, onto affected machines. A screen flicker is triggered by the involved shellcode, which also downloads and runs another executable, Troj/ReopnPPT-A, that shuts down any open PowerPoint processes, removes the shellcode from the malicious .PPT and re-opens PowerPoint with the newly disinfected presentation, Sophos reported. Source:

40. August 31, PC World – (International) Unpatched flaw could take down Microsoft’s IIS server. A hacker has posted code that could be used to take over a system running Microsoft IIS (Internet Information Services) server. The software, which was posted to the Milw0rm web site on August 31, could be a big problem for some webmasters; however, the attack appears to work only on older versions of Microsoft’s products. It was not immediately clear how many versions of Microsoft’s products are vulnerable to the attack, and Microsoft did not immediately respond to requests for more information on the issue. The flaw lies in the File Transfer Protocol (FTP) software used by IIS to move large files around the Internet, so the victim would have to have FTP enabled in order to be vulnerable to the attack. According to the Milw0rm post, an attacker could use this code to install unauthorized software on the server. According to the Milw0rm poster, the code works on Microsoft’s decade-old Windows 2000 operating system, while running the older IIS 5.0 server. For the attack to work, the hacker would also need to be able to create a directory on the server, security experts say. Other versions of IIS are also at risk, according to an independent researcher who has studied the issue. However, newer versions of Microsoft’s operating systems have features that make it less serious, he added via instant message. Source:

41. August 31, The Register – (International) Microsoft says U.S. is top malware target. Windows users based in the United States are the most likely to benefit from Microsoft’s malicious software removal tool, which has removed malware from nearly 2.2 million U.S. machines, more than the other nine top countries combined. Over the same period, the MSRT has disinfected 383,378 machines in China, 282,152 in Brazil, 278,207 in the U.K., and 262,539 in Korea, according to statistics Microsoft published. In all, 2.18 million U.S.-based machines were cleaned, compared with 1.87 million machines based in the other countries contained on the top-10 list. “The US is at the top of this list as it is by default the top target for most of the malicious code out there,” two members of the Microsoft Malware Protection Center wrote. “China and Brazil are actually a totally different story. While China is a top target for online games password stealers and the black market associated with it, Brazil is a prime goal for another breed of password stealers: those targeting bank accounts. Given these locations, it should come as no surprise that the top prevalent threats are what they are.” In August, Microsoft added a new trojan called Win32/FakeRean to its malware hit list. In the first two weeks the rogue anti-virus program was targeted, it was removed from 162,328 machines. A family of worms known as Win32/Taterf ranked No. 1, with 463,000 PCs cleaned. The worms spread over mapped drives in order to steal login and account details for popular online games. Win32/Renos, another rogue anti-virus program, and a data-stealing trojan known as Win32/Alureon, ranked third and fourth, with 228,973 and 211,441 machines purged respectively. Source:

Communications Sector

42. August 31, Web Host Industry Review – (Virginia) ServerBeach goes offline after outage. Many customers of ServerBeach, a dedicated hosting subsidiary of PEER 1, experienced downtime on August 28 after the company’s Herndon, Virginia data center suffered a power outage, according to a report by Data Center Knowledge. Despite ServerBeach restoring the building’s power within an hour of the outage at 5:30 p.m. EST, some customers said that they were still experiencing issues well into August 29. ServerBeach posted a report on its customer forum addressing the incident on Saturday: “On August 28th, at approximately 17:39 PDT there was a power failure in our Virginia data center. Local staff confirmed with the building engineers that all of the Liebert UPS modules were offline. The building’s electrical service company MC Dean was on site doing a non-intrusive infrared scan of all of the critical electrical equipment during a scheduled maintenance tonight. They reached a point in the maintenance that required the system to be put into maintenance bypass. When they transferred to bypass one of the feeders behind a static transfer switch shorted to ground causing the UPS system to go offline. After identifying the problem the cable was repaired and the system was re-energized at 18:28PM PST.” Some customers contacted the web host to say their servers would not restart properly, and ServerBeach continued to work on customer support requests on August 29. Source: