Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, September 23, 2009

Complete DHS Daily Report for September 23, 2009

Daily Report

Top Stories

According to the Washington Post, DHS and FBI officials sent a bulletin to transit agencies on September 18 repeating past warnings to be on guard for attacks on mass transit systems, and identifying hydrogen peroxide-based explosives as a specific risk. The advisory was issued in connection with the FBI investigation into a possible U.S. terrorism cell centering on a 24-year-old Afghan man who was ordered held without bond in Colorado on Monday. (See item 14)

14. September 22, Washington Post – (National) Terror probe puts U.S. mass transit systems on alert. A 24-year-old Afghan man at the center of an unfolding FBI investigation into a possible U.S. terrorism cell was ordered held without bond in Colorado Monday as authorities raced to learn more about an alleged plot using hydrogen peroxide explosives and who else might have been helping to carry it out. Meanwhile, authorities in Washington and elsewhere were stepping up safety patrols on mass transit systems in response to an advisory issued in connection with the probe. Officials with the Department of Homeland Security and the FBI sent a bulletin to transit agencies Friday repeating past warnings to be on guard for attacks on mass transit systems, and identifying hydrogen peroxide-based explosives as a specific risk. Federal officials called the notice “precautionary”, and said it included possible countermeasures such as random checks of stations, trains, and buses. Local officials in Washington said the bulletin specifically mentioned Grand Central Station in New York City, but said they have nevertheless increased the number of random patrols. Because there was no specific threat for this region, a Metro spokeswoman said police have not implemented random bag searches. In Denver, a federal judge followed the recommendation of Justice Department prosecutors Monday and refused to release the accused, a permanent U.S. resident, who allegedly told federal agents that he had received weapons and explosives training in a conflict-laden region of Pakistan with ties to al-Qaeda. Law enforcement officials described the investigation as fluid, with critical questions unanswered. Among them: Who else may have known about the alleged plot, the identities of others who may have been involved, and if there was a plot, how close the man and his alleged confederates had come to carrying out an attack. Source:

The Associated Press reports that about 1,500 people have been evacuated from Trion, Georgia as the surging Chattooga River breached a levee. Atlanta water officials said Tuesday that flooding caused by the unprecedented rainfall event in Georgia severely damaged the RM Clayton Water Reclamation Center, with damage estimated in the tens of millions of dollars, according to WAGA 5 Atlanta. The Times-Georgian also reports that 45 to 50 roads in Douglas County are damaged or washed out. (See items 17, 21, and 36)

17. September 21, Times-Georgian – (Georgia) Floods ravage county; dozens of roads washed out. With approximately 45 to 50 roads damaged or under water, the Douglas County (Georgia) Department of Transportation director advised everyone to stay home Monday. He said the unprecedented rainfall event completely overwhelmed the county’s roads. Arterial roads, residential and collector streets were all affected, he said, with some closed because of damage. Post Road, Liberty Road and Dorsett Shoals Road experienced damage as a result of the heavy rains. There were so many problem spots that crews were all over the county Monday, putting up barricades. He said they have run out of the familiar orange barrels and are having to get them from other jurisdictions. The transportation department was putting together a spreadsheet to document where all the trouble areas were. Bridges and culverts were also washed out. Also, the vice president of corporate and external affairs for GreyStone Power said that about 5,800 residents and businesses were without power. Source:

36. September 21, Associated Press – (Georgia) Surging river breaches levee at Ga. town. About 1,500 have been evacuated from the northwest Georgia town of Trion as the surging Chattooga River breached a levee. The Trion mayor says Monday the town has not faced a flood of this magnitude since 1990. Crews of prison inmates worked furiously to shore up the levee with sandbags. Red Cross officials set up an emergency shelter for as many as 300 people at a nearby church. Volunteers say they have already helped about 40 victims. The county sits in northwest Georgia, near the border with Tennessee and Alabama. It is about 90 miles northwest of Atlanta. Source:


Banking and Finance Sector

12. September 21, Norwich Bulletin – (Connecticut) Bomb threat at Montville bank closes Route 32. Route 32 was closed and a bomb squad called in Monday after police said a woman robbed the Citizens Bank in Montville, Connecticut. The woman passed a note to the teller, told her a bomb was in the bag and demanded money, said a Montville police spokesman. The woman made off with an undisclosed amount of cash. The bank was evacuated while state and local police closed Route 32 for safety reasons in the event the bag did contain a bomb, the spokesman said. Traffic was rerouted to side roads. Bank employees huddled together in a parking lot across the street from the bank but declined to comment under direction from police. A state police bomb squad technician, dressed in a protective suit and helmet, entered the bank shortly before 2 p.m. and emerged several moments later to give the all clear, indicating the bomb threat was a hoax. Source:

Information Technology

29. September 22, Network World – (International) Scammers auto-generate Twitter accounts to spread scareware. Scammers are increasingly using machine-generated Twitter accounts to post messages about trendy topics, and tempt users into clicking on a link that leads to servers hosting fake Windows antivirus software, security researchers said Monday. The latest Twitter attacks originated with malicious accounts cranked out by software, said experts at both F-Secure and Sophos. The accounts, which use variable account and user names, supposedly represent U.S. Twitter users. In some cases, the background wallpaper is customized for each account, yet another tactic to make the unwary think that a real person is responsible for the content. Tweets from those accounts are also automatically generated, said a security advisor with the North American labs of Helsinki-based F-Secure. Some of the tweets exploit Twitter’s current “Trending Topics,” the constantly-changing top 10 list of popular tweet keywords that the micro-blogging service posts on its home page. Others are repeats of real tweets. All the tweets include links to sites that try to dupe users into downloading and installing bogus security software, often called “scareware” because they fool users with sham infection warnings, then provide endless pop-ups until people pay $40 to $50 to buy the useless program. Source:

30. September 22, The Register – (International) Chinese hackers target media in anniversary run-up. Chinese workers in foreign media outlets within China are in the firing line of a new wave of malware-laden emails. The timing of the emails, in the run-up to the 60th anniversary of the Communist Party’s rise to power in mainland China on 1 October, has sparked dark accusations (supported by circumstantial evidence) that the Chinese government might be behind the attacks. Human rights groups are also getting targeted in the latest wave of cyber-attacks, which are far from unprecedented. “There is definitely a pattern of virus attacks in the run-up to important dates on the Chinese political calendar,” a Human Rights Watch representative in Hong Kong told Reuters. The latest wave of attacks involves the forwarding of kosher emails from activist organizations together with a fake malware-ridden attachment. The tactic gets around earlier tell-tale signs of malicious emails, such as poor spelling. In addition, email addresses are spoofed to disguise their true origin. Source:

31. September 21, The Register – (California) Hardware biz issued trojan-laced drivers, says researcher. A maker of hardware for computer gamers has taken its support site offline following a report that it was surreptitiously distributing malware on its downloads section. Carlsbad, California-based Razer took the precautionary move after a senior security adviser in Europe with anti-virus firm Trend Micro warned that users could be at risk. “A large amount of the device drivers offered for download at the Razer support site were infected with a Trojan,” he wrote Monday. “It is unclear how long the problem has been ongoing, so in the meantime, if you downloaded anything from Razer recently, head over to HouseCall and run a full system scan and clean up if necessary.” A Razer spokesman said company officials were not immediately able to confirm the report, but decided to temporarily close the support site out of an abundance of caution. Source:

For another story, see item 33 below

Communications Sector

32. September 22, – (International) Pipe’s Guam cable carries first packets. Pipe Network’s PPC-1 fibre optic cable, set to be launched on 8 October, has sent its first packets to the United States, according to a statement by Pipe Networks and internet service provider, Internode. “PPC-1 has successfully demonstrated its performance by allowing Internode to send internet protocol (IP) packets end-to-end between Australia and the USA via Guam,” the Internode managing director said in a statement. Under the tests, the packets would have done a round trip from Sydney to the western Pacific island of Guam and on to San Jose before returning to Sydney via the same path. The PPC-1 cable itself runs for 6900 kilometres along the seabed between Sydney and Guam. The new cable travels a slightly further distance to the United States than the currently used Southern Cross Cable, which runs to the U.S. west coast via Hawaii, while Internode’s other cable, the Australia Japan Cable (AJC), also runs to a hub in Guam. While the PPC-1 cable suffers slightly higher latency levels — the lag time as data travels between two points — Internode’s managing director has positioned its value as a redundant path should either Southern Cross or AJC fail. Source:

33. September 21, Connecticut Post – (Connecticut) Hackers break into Bridgeport website. The Bridgeport mayor’s photo at the center of the city’s official Web site was sandwiched between the phrase, “Hacked by KiAnPhP from Iran.” The cyber graffiti was posted Monday morning by Internet hackers who breached the security of the server maintained by SWB Consulting, the company that hosts the municipal site. Posted above the large type were the words, “In the name of Cyrus the Great,” which linked to the Wikipedia entry about Cyrus the Great, the Persian king. “The company has a server where they house our Web site and that is what was infiltrated,” said the mayor’s spokeswoman. As of 5 p.m., the large messages had been removed, but smaller postings of “Hacked by KiAnPhP” remained in the news update scroller on the right-hand side of the home page and in the options lists on either side. The spokeswoman said the hackers did not have access to any data stored on the site. The hackers even posted the motives for their handiwork, leaving behind messages like, “Be careful you are not secure” and “I’m sorry for you, your security is low.” The spokeswoman noted that the city soon plans to launch a redesigned Web site. Employee training for the new software will begin shortly, she said. Source: