Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, December 15, 2009

Complete DHS Daily Report for December 15, 2009

Daily Report

Top Stories

 According to the Associated Press, a gas leak at Heartland Petroleum in Columbus, Ohio led to the evacuation of 1,000 to 2,000 people in the industrial area on Monday. (See item 1)

1. December 14, Associated Press – (Ohio) Fire crews evacuate hundreds in industrial area after gas leak at Ohio refinery. Officials say a gas leak led to the evacuation of several hundred people in an industrial area near the Columbus airport. A Columbus fire battalion chief estimates 1,000 to 2,000 people have been asked to leave due to high hydrogen sulfide levels on the morning of December 14, with transit buses assisting. He says emergency crews are evaluating about a dozen people who complained of breathing difficulties. The chief says a tank at Heartland Petroleum ruptured and crews are working to shut down the leak. He says the Environmental Protection Agency has been called to assist. Among the businesses evacuated was the corporate headquarters of footwear retailer DSW Inc. Media reports indicate Port Columbus International Airport is not affected. Source:,0,7618417.story

 The Associated Press reports that eight people were under arrest Saturday after protesters broke windows, lights, and planters outside the home of the chancellor of the University of California, Berkeley. Police also arrested 66 protesters demonstrating against state funding cuts at a campus classroom building that was partially taken over for four days. (See item 32)

32. December 12, Associated Press – (California) Eight arrested, incendiary devices thrown at police cars. Eight people were under arrest Saturday after protesters broke windows, lights and planters outside the home of the chancellor of the University of California, Berkeley. A University spokesman said 40 to 70 protesters also threw incendiary devices at police cars and the home of the University Chancellor about 11 p.m. Friday. There were no fires or injuries. The protest at the chancellor’s home came late the same day that police arrested 66 protesters at a campus classroom building that was partially taken over for four days. The protesters are demonstrating against state funding cuts that have led to course cutbacks, faculty furloughs and sharp fee increases. “The attack at our home was extraordinarily frightening and violent. My wife and I genuinely feared for our lives,” the Chancellor said in a statement issued through the university. The eight were arrested on suspicion of rioting, threatening an education official, attempted burglary, attempted arson of an occupied building, felony vandalism, and assault with a deadly weapon on a police officer. Source:


Banking and Finance Sector

16. December 14, Central Florida News 13 – (Florida) Three in custody in bomb hoax investigation. The investigation continues into an apparent robbery attempt at an Amscot Money Super store in Orlando. Police said a man walked into the store on December 13 with a suspicious device around his neck. That man is now behind bars at the Orange County jail. Two others are also in custody. Police are releasing no details about charges or names of the suspects. Investigators now believe he did not work alone and more arrests could be on the way. At first it looked like a bomb threat, but as investigators looked closer they discovered what may have been an elaborate robbery plot. Investigators are trying to determine how many suspects were involved in carrying out the crime and have detained several people. At 10:30 a.m. on December 13, deputies responded to the Amscot near the corner of Goldenrod and Lake Underhill. A man inside had what appeared to be an explosive device strapped to his neck. After about four hours, deputies determined that the device was safe. The man with the device was fine. Authorities were not sure if he was a victim or suspect. Deputies eventually arrested the man. He was first described as an innocent customer. They determined he put the device around his neck to rob the place. Source:

17. December 12, Wall Street Journal – (National) FDIC seizes three banks. State and federal banking regulators seized three small lenders on December 11, lifting the total number of bank failures this year to 133. The Federal Deposit Insurance Corp. estimated that the three failures—in Florida, Arizona and Kansas—would cost the agency’s cash-strapped deposit-insurance fund a total of about $252 million. The FDIC sold Miami-based Republic Federal Bank NA’s branches, deposits and most of its assets on December 11 to 1st United Bank of Boca Raton, Florida The failure, the 13th this year in Florida, is expected to cost the FDIC’s insurance fund $122.6 million. Later, federal regulators seized Valley Capital Bank NA of Mesa, Arizona, and sold the one-branch bank’s deposits and assets to Enterprise Bank & Trust of Clayton, Missouri. The FDIC estimated the failure, the fourth in Arizona this year, will cost its insurance fund $7.4 million. Finally, Kansas regulators shuttered SolutionsBank of Overland Park, marking the third bank to fail in Kansas this year. The FDIC sold the bank’s deposits, branches and assets to Arvest Bank of Fayetteville, Arkansas. The FDIC said the failure will cost its insurance fund about $122.1 million. In all three failures, the FDIC agreed to shield the acquiring banks from most losses on the failed banks’ assets. Source:

18. December 10, Washington Post – (National) Paper-based data breaches on the rise. More than one quarter of data breaches so far this year involved consumer records that were jeopardized when organizations lost control over sensitive paper documents. Experts say those incidents came to light in large part due to a proliferation of state data breach notification laws, yet current federal proposals to preempt those state measures would allow paper-based breaches to go unreported. According to the Identity Theft Resource Center, a San Diego based nonprofit, at least 27 percent of the data breaches disclosed publicly in 2009 stemmed from collections of sensitive consumer information printed on paper that were lost, stolen, inadvertently distributed or improperly disposed of. Some 45 states and the District of Columbia have enacted laws requiring companies that lose control over sensitive consumer data such as Social Security or bank account numbers to alert affected consumers, and in some cases state authorities. Concerned about the mounting costs of complying with so many different state breach regulations, businesses often find it easier and cheaper to adhere to the strictest state laws. The ITRC has chronicled 125 paper breaches so far this year, out of a total of 463. Businesses were responsible for 44 or 9.5 percent of the breaches; government agencies and the military caused 27 breaches, or 5.8 percent; lost, stolen or improperly disposed of medical records accounted for 5 percent; financial institutions caused 17 breaches, or 3.7 percent; and educational institutions were responsible for 14 paper breaches, or 3 percent of this year’s total. Source:

For another story, see item 39 below in the Information Technology Sector

Information Technology

39. December 14, – (International) Gartner in two-factor authentication warning. Organizations must employ a multi-layered approach to fraud prevention if they are to thwart increasingly persistent hacking attacks that can now circumvent two-factor authentication devices, according to analyst firm Gartner. In a new report released Monday, Where Strong Authentication Fails, Gartner recommends that organizations firstly monitor user access behavior, by analyzing all of a user’s web traffic and spotting any automated programs. Firms also need to keep an eye out for suspect transaction values, by looking at a particular transaction and comparing it to a profile of what constitutes “normal” behavior. Out-of-band transaction verification can be used to further secure a transaction, by enabling the user to verify via a phone call. The vice president of Gartner warned that while such attacks have thus far been targeted at financial institutions and their users’ accounts, they are likely to “migrate to other sectors and applications” that contain sensitive data in the future. Source:

40. December 14, Infosecurity – (International) SQL injection attacks hit 1.5m websites. Another 1.5 million websites associated with the newest series of SQL injection attacks have been found by network security specialist eSoft. The websites compromised by the SQL injection attacks, infect users with the trojan Trojan.Buzus, which runs silently in the background. The trojan steals passwords, financial data, and other sensitive information, the eSoft Threat Prevention Team said in a blog post. The same script is injected several times in and around the title and meta tags, and in other locations. The sites compromised by the SQL injection attacks share the common characteristics of “script src=http” and a varying script source, eSoft said.The domains host the same javascript using small or hidden iframes to redirect users to other malicious websites where the final payload is delivered. According to eSoft, the SQL injection attack uses the same technique described by Scansafe last week in the 318x injection where around 300 000 websites were compromised. eSoft said it is adding detection for the SQL injection attacks and flagging any compromised websites. Source:

41. December 11, DarkReading – (International) Old-school botnet still thriving. Some old botnets never die: An old-school botnet is alive and well and now silently propagating pay-per-install scams, according to a new research paper released today. SDBOT, an IRC-based botnet that has been around for more than five years, is a low-profile botnet whose infections often go unnoticed. Internet Relay Chat (IRC) botnets have slowly been fading in favor of more robust and stealthy types of botnets that use HTTP or peer-to-peer communications to control their infected bot machines. But according to Trend Micro, SDBOT and other botnets that use IRC operate almost silently. “These bot malware are neither heavy email spammers nor resource hogs. They hardly ever disrupt normal computer activities — say, Internet browsing — so their victims never notice that their computers have been infected,” Trend Micro researchers blogged today. SDBOT mainly attempts to download other malware files, including fake AV, Cutwail bot software, the Koobface worm, the Autorun worm, and other malware — most likely for money from other cybercriminals in a pay-per-install arrangement. “It appears that this botnet too is in the business of renting out its reach and download capability to cybercriminals,” Trend Micro blogged. “The use of the pay-per-install business model is also increasing as the model is easy to use.” Source:

42. December 11, IDG News Services – (International) FBI: Rogue antivirus scammers have made $150M. They are the scourge of the Internet right now and the U.S. Federal Bureau of Investigation says they have also raked in more than $150 million for scammers. Security experts call them rogue antivirus programs. The FBI’s Internet Crime Complaint Center issued a warning over this fake antivirus software on December 11, saying that Web surfers should be wary of sudden pop-up windows that report security problems on their computers. This software can appear almost anywhere on the Web. Typically, the scam starts with an aggressive pop-up advertisement that looks like some sort of virus scan. Often it’s nearly impossible to get rid of the pop-up windows. Of course, the scan turns up problems, and the pop-up windows say the only way to get rid of them is to pull out a credit card and pay. This is always a bad idea. At best, the software is subpar. At worst, it “could result in viruses, Trojans and/or keyloggers being installed on the user’s computer,” the IC3 said in its warning. The IC3 is run in partnership with the National White Collar Crime Center. “The assertive tactics of the scareware [have] caused significant losses to users,” the IC3 said. “The FBI is aware of an estimated loss to victims in excess of $150 million.” Source:

43. December 11, CNET News – (International) Bug keeps some Office users from their files. Some users of an older version of Microsoft Office may find that their protected documents are now not only protected, but completely inaccessible. Microsoft warned on December 11 that a glitch is causing users of Office 2003 to be unable to access files protected using Microsoft’s Rights Management Service. The software maker acknowledged the bug on its Office Sustained Engineering blog and said it is working to fix the issue. Starting on December 11, 2009, customers using Office 2003 will not be able to open Office 2003 documents protected with the Rights Management Service (RMS) or save Office 2003 documents protected with RMS. The following error message may be displayed when attempting to Open RMS Documents using Office 2003: “Unexpected error occurred. Please try again later or contact your system administrator” This symptom affects Office 2003 products used in conjunction with RMS, including Word 2003, Excel 2003, PowerPoint 2003, and Outlook 2003. It does not affect Office 2007. Source:

44. December 10, Forbes – (International) The year’s most-hacked software. At the beginning of this decade, Microsoft represented a cybercriminal’s dream target: universally-used software, brimming with bugs ready to be exploited to hijack users’ PCs. But as the software giant has slowly cleaned up its security flaws, hackers are looking toward another vendor whose products are nearly as ubiquitous and whose bounty of vulnerabilities are just being discovered: Adobe. According to Verisign’s bug tracking division iDefense, 45 bugs in Adobe’s Reader software were found by either cybersecurity researchers or malicious hackers this year and patched. In 2008, iDefense found 14 Reader bugs, double the number in 2007. Meanwhile, the number of bugs found in commonly-used Microsoft programs like Internet Explorer, Windows Media Player and Microsoft Office remained flat or dropped. Just 30 bugs were exposed in Internet Explorer compared with the same number last year, and 41 bugs were found in all of Microsoft’s Office programs like PowerPoint, Word and Excel, down from 44 in 2008. When Forbes asked a group of cybersecurity researchers from security firms TippingPoint, iDefense and Qualys to name software programs with vulnerabilities most often used by hackers to victimize users’ PCs this year, every one included Adobe Reader on their list. Source:

For another story, see item 36 below

36. December 14, The Register – (International) Hackers declare war on international forensics tool. Hackers have released software they say sabotages a suite of forensics utilities Microsoft provides for free to hundreds of law enforcement agencies across the globe. Decaf is a light-weight application that monitors Windows systems for the presence of COFEE, a bundle of some 150 point-and-click tools used by police to collect digital evidence at crime scenes. When a USB stick containing the Microsoft software is attached to a protected PC, Decaf automatically executes a variety of countermeasures. “We want to promote a healthy unrestricted free flow of internet traffic and show why law enforcement should not solely rely on Microsoft to automate their intelligent evidence finding,” one of the two hackers behind Decaf told The Register in explaining the objective of the project. Microsoft has been providing COFEE to law enforcement officers since at least mid 2007. Short for Computer Online Forensic Evidence Extractor, it packages forensics tools onto an easy-to-use USB stick that allows investigators to collect browsing history, temporary files and other sensitive data from most Windows-based machines. COFEE is distributed through Interpol. Source:

Communications Sector

45. December 13, WQOW 18 Eau Claire – (Wisconsin ) Verizon Wireless service restored. Verizon Wireless customers should have clear service Monday morning after a temporary disruption over the weekend night. The company says it suffered an outage due to a call routing issue. Customers were unable to call from their phones starting at about 8 p.m. Sunday night. Verizon says service was completely restored just before 1 a.m. Monday morning. Source:

46. December 12, Jackson Weather Examiner – (West Virginia) NOAA picks West Virginia as emergency backup site. The National Oceanic and Atmospheric Administration (NOAA) , which provides data critical for weather and climate prediction have decided to build a backup emergency site for its environmental satellite network in Fairmont, West Virginia. NOAA says operations for its Geostationary Operational Environmental Satellite Series R system will transfer to Fairmont if facilities in Maryland and Virginia become inoperable. Fairmont met the agency’s requirement for antenna having a line-of-sight view of satellites orbiting more than 22,000 miles above the earth. The agency plans to build three antennas at the site, which will be located in Fairmont’s Technology Park. Construction is expected to begin by the end of next year. Source:

47. December 11, IDG News Service – (California) AT&T San Francisco outage caused by hardware problem. A hardware problem in downtown San Francisco caused an outage on AT&T’s 3G voice and data network Friday evening, but the carrier expected the problem to be fixed by about 6:15 p.m. Pacific time, an AT&T spokesman said. The problem was widely reported by AT&T customers in the area on Twitter, some of whom said they had not had voice, data or SMS (Short Message Service) capability for several hours. An AT&T spokesman said he did not have information about the length or geographic scope of the problem. The failure did not affect the carrier’s older, slower GSM (Global System for Mobile Communications) or EDGE (Enhanced Data Rates for GSM Evolution networks, according to the spokesman. Source: