Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, December 1, 2009


Top Stories

 The Associated Press reports that Somali pirates seized a tanker carrying crude oil from Saudi Arabia to the United States in the increasingly dangerous waters off East Africa, an official said on November 30, an attack that could pose a huge environmental or security threat to the region. (See item 1)

1. November 30, Associated Press – (International) Pirates hijack oil super tanker headed for U.S. Somali pirates seized a tanker carrying crude oil from Saudi Arabia to the United States in the increasingly dangerous waters off East Africa, an official said on November 30, an attack that could pose a huge environmental or security threat to the region. The Greece-flagged Maran Centaurus was hijacked on November 29 about 800 miles off the coast of Somalia, said a spokesman for the EU Naval Force. He said it originated from Jeddah, Saudi Arabia and was destined for the United States. The ship has 28 crew members on board, he said. The shipping intelligence company Lloyd’s List said the Maran Centaurus is a “very large crude carrier, with a capacity of over 300,000 tons.” Officials could not immediately say how many barrels of oil were on board, but its value would be in the millions of dollars. The hijacking of a tanker increases worries that the vessel could crash, be run aground or be involved in a firefight, said a piracy expert at London-based think tank Chatham House. Pirates typically use guns and rocket-propelled grenades in their attacks, and some vessels now carry private security guards, but the expert said oil tankers do not. Somali pirates are a separate group of criminals from the al-Qaida-affiliated Islamic militants who control large areas of southern Somalia, but anytime pirates hold such valuable and explosive cargo it raises international concerns. Source:,2933,577785,00.html

 According to the Associated Press, the Pierce County, Washington sheriff’s spokesman said warrants for first-degree murder have been issued against a man in the killings of four police officers who were gunned down in a coffee shop in suburban Parkland on Sunday morning at the start of their shifts. It was the second deadly ambush of police in the Seattle area in recent weeks, but the two cases are not related. (See item 38)

38. November 30, Associated Press – (Washington) Suspect in officer killings eludes law in Seattle. A heavily armed SWAT team stormed a Seattle home Monday where they thought they had cornered the suspect in the slaying of four police officers at a coffee shop, only to find out that he was not in the house and still on the loose. The discovery added new urgency to the manhunt as police canvassed the neighborhood with search dogs and hundreds of officers were deployed around Seattle for any sign of the suspect. Authorities put up a $125,000 reward for information leading to his arrest. The Pierce County sheriff’s spokesman said warrants for first-degree murder have been issued against the man in the killings of the officers from the Tacoma suburb of Lakewood who were gunned down in a coffee shop on Sunday morning at the start of their shifts. Authorities allege he killed four officers as they worked on their laptop computers at the beginning of their shifts. Investigators say they know of no reason for gunning down the officers, but court documents indicate the man is delusional and mentally unstable. The sheriff’s spokesman sketched out a scene of controlled and deliberate carnage that spared the employees and other customers at the coffee shop in suburban Parkland, about 35 miles south of Seattle. It was the second deadly ambush of police in the Seattle area in recent weeks, but the two cases are not related. Authorities say a man killed a Seattle police officer on Halloween night and also firebombed four police vehicles in October as part of a “one-man war” against law enforcement. A 41-year-old man was arrested after being wounded in a firefight with police days after the Seattle shooting. The officers killed Sunday had received no threats, the sheriff’s spokesman said. “We won’t know if it’s a copycat effect or what it was until we get the case solved,” he said. Source:


Banking and Finance Sector

16. November 30, Akron Beacon Journal – (Indiana; Ohio) Akron offices of Fair Finance remain closed as customers visit. The Akron headquarters of Fair Finance Co. remained closed and empty Monday morning as a steady stream of worried customers drove in to try to check on their investments. The FBI last week raided the headquarters in Akron and a related business in Indianapolis. Investigators have been checking whether Fair Finance is able to pay its customers. The company’s investments are not federally insured. Some gathered at the headquarters’ front entrance, where a sign posted in the glass door said the offices were closed due to “unforeseen circumstances.” Fair Finance, which also does business as Fair Financial Services, was sold by the Fair family in 2002 to a company run by an Indiana businessman. The Ohio Division of Securities last week said it put on hold a Fair Finance request filed in late October that the company be allowed to sell up to $250 million in new securities in Ohio. The state says Fair Finance executives needed to answer more questions about its application. Some of the customers at the Akron offices said they had driven to other Fair Finance offices earlier in the morning only to find those closed as well. Source:

17. November 30, Associated Press – (International) EU agrees to supply bank data to U.S. in terror probes. European Union nations have agreed a controversial deal to allow the United States access to European banking data in antiterror probes. Monday’s decision by the EU’s 27 interior ministers comes a day before a new EU treaty comes into force that would have given more rights to lawmakers to question the deal. The Swedish justice minister said the temporary transfer agreement would only last nine months and will not allow the United States to hand over European banking data to other countries. The EU Justice and Home Affairs commissioner said the EU would in February seek a longer-term deal with Washington. Source:

18. November 29, Radio Business Report – (Minnesota) “Follow the Money” host sued by SEC over alleged Ponzi scheme. The host of syndicated “Follow the Money” and his partner have been sued by the SEC, which claims they stole $43 million of the $190 million they raised in a foreign currency Ponzi scam, the SEC said on November 24. In its complaint in Minneapolis Federal Court, Courthouse News says the SEC specifically filed that the two men misappropriated $42.8 million from more than 1,000 victims, including $18 million to buy “ownership interests in two trading firms,” $12.8 million they sent to Panama “to purportedly finance the construction of a casino,” $2.8 million one man used to buy a mansion in Minneapolis, and $4.8 million that the other man lost through gambling. They paid out another $51 million in Ponzi payments, the SEC said. They sold unregistered investments through their shell companies, promising to keep each investor’s account separate, and promising 10 percent to 12 percent annual returns. The SEC also sued the men’s unregistered companies, including UBS Diversified Growth LLC, Universal Brokerage FX Management LLC, Oxford Global Advisors LLC, Oxford Global Partners LLC, and others. Source:

19. November 28, Reuters – (International) Anti-WTO protesters in Geneva smash windows. Anti-capitalism demonstrators smashed windows of banks and watchmakers in central Geneva on Saturday during a protest against the World Trade Organization. Several people dressed in black used mallets to break windows at Credit Suisse and other institutions during the demonstration by at least 1,000 mostly peaceful people. They also smashed windows at a Starbucks cafe. A Reuters reporter at the scene said some demonstrators seemed to be smashing windows at every building they passed. Protesters also set off fireworks in the Swiss city’s main shopping street, which was lined with police in riot gear. The demonstration was called to protest against the WTO’s three-day ministerial conference that started on Monday. Source:

20. November 27, Cincinnati Enquirer – (Ohio) Man uses fake bomb to rob credit union. Cincinnati police are looking for a man who said he had a bomb and demanded money from the tellers at the Cincinnati Central Credit Union on Western Avenue shortly before 11 a.m. Friday. The man, described as wearing a surgical mask and carrying a black bag, ran out of the credit union after getting money from the teller, police said. They would not say how much. He ran northeast from the bank toward Winchell Avenue. A police K-9 unit was called in to help track the man but could not get a scent. A bomb detection unit also was sent to the scene. Police said the man set a box, about 8 inches by 12 inches, on the counter and demanded money. “There is a bomb in the box,” he told the teller. The credit union was evacuated. Police interviewed employees. Officers opened the box and it contained two books. Source:

For another story, see item 44 in the Information Technology Sector below.

Information Technology

42. November 30, IDG News Service – (International) Latest Microsoft patches cause black screen of death. Microsoft’s latest round of security patches appears to be causing some PCs to seize up and display a black screen, rendering the computer useless. The problem affects Microsoft products including Windows 7, Vista, and XP operating systems, said the CEO and CTO for the U.K. security company Prevx. Prevx was alerted to the problem by users of its security software last week, the CEO said. Microsoft apparently made changes to the Access Control List (ACL), a list of permissions for a logged-on user. The ACL interacts with registry keys, creating visible desktop features such as a sidebar. However, the latest patches appear to make some changes to those registry keys. The effect is that some installed applications are not aware of the changes and do not run properly, causing a black screen. Security applications seem to be particularly affected. The CEO said users of other security products have also complained about the issue, even going so far as trying to reinstall the operating system to fix it. Prevx has released software that fixes the registry to match the ACL settings, which should resolve the problem, the CEO said. Users could do this on their own by modifying their registry settings, but making alterations to those settings is risky since it can severely affect how the operating system runs. The CEO said Microsoft was likely just trying to fortify the security of the operating systems when it inadvertently made the error in its patches. Source:

43. November 29, WBRC 6 Birmingham – (National) UAB computer forensics finds virus disguised as Social Security download. Experts at the University of Alabama at Birmingham (UAB) say they have discovered a new spam campaign that is made to look like messages from the Social Security Administration. This new campaign was discovered by the team at the UAB Spam Data Mine. An expert on the team says the messages tell users that there are errors with their Social Security statement and links them to false pages that appear to be the Social Security Administration Web site. The fake Web site prompts users to enter their Social Security number before downloading a fake statement. The expert says the download is actually a virus that steals personal information. After falling prey to the scam, victims will have given up not only their Social Security number, but also their account numbers and bank passwords. The expert reminds readers that savvy computer users should never trust an email to update an account. Source:

44. November 27, Atlanta Journal-Constitution – (Georgia; Louisiana) Radiant Systems sued over hacked accounts. A group of Louisiana restaurant owners may proceed as a group in a lawsuit against the Georgia-based maker of a credit card payments system they say allowed hackers to steal customer account numbers. The seven restaurateurs, who filed suit in a Louisiana state court in March, are suing Radiant Systems of Alpharetta and Computer World, a Louisiana retailer that sold Radiant’s payment processing program called “Aloha.” The suit alleges the Aloha program illegally stored all the magnetic stripe information after the card was swiped. Storage of card information violates the security standards with Visa, MasterCard, American Express, and Discover. The Louisiana breaches were discovered after restaurant customers began reporting unauthorized charges. Radiant, facing a second suit in Louisiana with similar claims, says the charges are baseless, and such breaches are not uncommon in the restaurant industry. Computer World is named in the suit because its technicians installed a remote-access program on the Aloha system that allowed them to access the hardware and software off-site and fix any technical problems. That remote-access program was vulnerable to attack because the technicians used the same passwords and log-ins for all the restaurants. Source:

45. November 27, IDG News Service – (International) China warns about return of destructive Panda virus. A computer worm that China warned Internet users against is an updated version of the Panda Burning Incense virus, which infected millions of PCs in the country three years ago, according to McAfee. The original Panda worm, also known as Fujacks, caused widespread damage at a time when public knowledge about online security was low, and led to the country’s first arrests for virus-writing in 2007. The new worm variant, one of many that have appeared since late 2006, adds a malicious component meant to make infection harder to detect, said a McAfee Labs researcher. “It has gotten more complex with the addition of a rootkit,” the researcher said. The first Panda worm infected millions of PCs, according to Chinese state media. China’s national virus response center warned about the updated worm the week of November 23, but it dubbed the virus Worm_Piloyd.B and did not link it to Panda. The center said it had found a worm spreading online that infected executables and html files. The worm blocked a victim’s PC from restoring infected files, turned off active antivirus software, and directed the machine to Web sites to download Trojan horses and other malware, the center said. The new worm is unlikely to hit as many PCs as the first one. Chinese companies and Internet users are much more aware of malware than they were a few years ago, the researcher said. Source:

46. November 27, PC Advisor – (International) New malware scam targets Twilight fans. PC Tools’ Malware Research Center is warning Web users of another online scam that hopes to piggyback on hype surrounding the new Twilight New Moon film. The security software developer says the latest trick tempts movie fans by promising them they can watch the film for free, before installing malware on their computer. PC Tools said fans are baited with text on Web sites, chat rooms, and blogs that reads: “Watch New Moon Full Movie.” Meanwhile, comment posts are filled with related keywords to attract search engines. Then, when fans search for the film, they find links to stolen images from the movie itself, convincing the fan the movie is only one click away. However, after clicking on the “movie player,” users are told to run a “streamviewer” that installs malware on their computers. This is the second malware scam targeting Twilight New Moon in a week. The week of November 16, PC Tools warned that malicious Web sites that claim to feature interviews with the author of the books were ranking high in a number of search engines. Instead of providing a video clip of the author, those visiting the site were directed to a window informing them they were infected with malware and then encouraged to download an antivirus solution to clean their PC. Source:

Communications Sector

47. November 30, – (International) UK webhost suffers defacement. An attack on U.K. web host Daily Internet Services left customers’ sites inaccessible late last week, replacing index pages with a cartoon featuring Tux the Penguin - the Linux mascot. As reported over on Softpedia, the attack - believed to have been carried out on Thursday by Heart_Hunter of the TH3_H4TTAB cracker group - saw all pages named ‘index’ replaced with a page containing the pro-Linux cartoon. As many sites rely on an index page to point browsers in the right direction, affected customers found their entire sites inaccessible. Daily Internet Services spotted the defacement attack at 09:52 Thursday morning, and by 21:00 that evening had successfully replaced affected pages with backup copies. What is slightly more concerning is the news that the company is still investigating the root cause of the attack: while an outdated version of PHP (Hypertext Preprocessor) is thought to have been at fault - which has since been rectified - the company is still unsure as to the exact mechanism used to gain unauthorized access to customer sites. Despite this, Daily Internet Services claims that it is “confident there will be no repeat events as all servers are locked down.” Source:

48. November 27, The Register – (International) Generators and UPS fail in London datacenter outage. Tata’s datacenter in the east end of London went down for two hours on Thursday evening, following a power cut. Backup power systems also failed, downing servers belonging to hosting providers throughout three floors of the Stratford facility at about 5:20 p.m. Firms including C4L, ServerCity, and Coreix were hit by the outage. C4L’s report to its customers said: “We found it very difficult to get a hold of our supplier as it appears they base their entire operations out of this data centre, phones were down and emails simply bounced back.” An engineer who visited the datacenter found that the batteries in its uninterruptible power supply were flat, and three generators had failed to start. Grid power was eventually restored and servers came back online at about 7:30 p.m. A spokeswoman said Tata was still looking into what caused the outage and the subsequent failure of backup power. Stratford is the site of the massive Olympics development, so it is possible the power cut was caused by errant builders. Source: