Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, January 7, 2010

Complete DHS Daily Report for January 7, 2010

Daily Report

Top Stories

• The Jackson Clarion-Ledger reports that Gulf South Pipeline is investigating a pipeline explosion in Flowood, Mississippi on Tuesday that sent debris hurling hundreds of feet and sprouted a flame two- to three-stories tall. (See item 1)

1. January 6, Jackson Clarion-Ledger – (Mississippi) Pipeline blast, fire extinguished quickly. A pipeline explosion on January 5 that sent debris hurling hundreds of feet and sprouted a flame two- to three-stories tall is being probed by Gulf South Pipeline, the line’s owner, fire officials said. No one was injured and no buildings damaged in the late morning blaze that took about 10 minutes to extinguish, a Flowood, Mississippi Fire Department lieutenant said. The explosion occurred at Gulf South’s facility located just west of Jackson-Evers International Airport. A salt bath heater failed and caused an ignition of natural gas at the company’s Jackson Dehydration Unit, a Gulf South spokeswoman said. She said the facility is fully operational. The fire department lieutenant said even though it was just burned grass, it was a massive fire. Gulf South is based in Houston and owns a pipeline system that stretches from Texas to Florida. It has offices in the five states along the Gulf of Mexico. Source:

• According to IDG News Service, the Duanesburg Central School District in New York has reverted to using paper checks after cybercriminals tried to steal about $3.8 million from its online accounts just before Christmas, prompting an FBI investigation. The school’s bank, NBT Bank, blocked the transaction and notified district officials. (See item 11 below in the Banking and Finance Sector)


Banking and Finance Sector

10. January 6, Chattanooga Times Free Press – (Tennessee) Rhea County: 2 nabbed in bank bomb threat. Officers arrested two people in connection with a bomb threat on January 5 that led authorities to evacuate and close some schools in Tennessee. Dayton Police officers along with the Rhea County Sheriff’s Office and the FBI arrested the two suspects around 10 p.m. on January 5, said the sheriff’s office special projects coordinator. Both men are charged with attempted bank robbery and several more charges are still pending, the coordinator said. Authorities evacuated three schools and dismissed classes at all city and county schools on January 5 after Dayton police read a typed note that had been posted on the First Bank of Tennessee front door. The note stated that six bombs, including some in schools, would blow up if “a large sum of money” was not placed outside the bank. No explosives were found and no money was turned over, authorities said. Source:

11. January 6, IDG News Service – (New York) FBI investigating online school district theft. A New York school district has reverted to using paper checks after cybercriminals tried to steal about $3.8 million from its online accounts just before Christmas, prompting an FBI investigation. For three days starting December 18, cybercriminals started transferring money overseas from the accounts of the Duanesburg Central School District, which has two schools with about 950 students about 20 miles west of Albany, New York. Hackers sent $1.8 million to an overseas bank on December 18, then sent several transfers totaling around $1.2 million on December 21, according to the district, which provided information on the theft on its Web site. The next day, hackers tried to send around $759,000 to multiple overseas accounts, but the school’s bank, NBT Bank, blocked the transaction and notified district officials. “At this time, the two previous transactions were also discovered,” the district wrote. “The FBI was contacted and launched a criminal investigation.” Since then, about $2.5 million of the $3 million has been recovered by NBT Bank. The district said it is “committed to doing everything in its power” to recover the remaining $497,200. The school district’s plight, reported on a security analyst’s Web site, is part of a rising trend of cybercrime aimed at government and business bank accounts, which have proved to be lucrative sources compared to consumer accounts. The organizations often use the ACH (Automated Clearing House) system for money transfers. In the written statements on its Web site, the school district did not indicate that the fraud is related to ACH. Source:

12. January 5, Agence France-Presse – (International) Some 30 million German bank cards hit by 2010 bug: banks. Around 30 million high-tech German bank cards could leave owners high and dry, bank associations warned on January 5 as the feared Y2K computer bug cropped up 10 years later than expected. The problem that hit cardholders trying to use cash machines or make payments throughout Germany and abroad stems from computer chips unable to recognise the year 2010, and could take up to a week to resolve, the DSGV savings and regional banking association said in a statement. A global alert had gone out 10 years ago amid widespread fears of a similar problem, dubbed Y2K for the year 2000. More recent cards that contain a computer chip designed to provide extra security have been affected while older ones with just a magnetic strip on the back appear to work normally. DSGV said around 20 million “electronic cash” (EC) cards, also known as “girocards,” and 3.5 million classic credit cards issued by its members had been affected. EC cards are direct debit instruments which do not allow owners to buy on credit. Source:

13. January 5, KCRG 9 Cedar Rapids – (Iowa) Collins Community Credit Union card holders targeted in phishing scam. Police are urging Collins Community Credit Union card holders to ignore any automated phone calls telling them their cards have been deactivated. Confused customers started calling Collins Community Credit Union administrators last night saying that they had received a robo-call telling them that their debit and credit cards were no longer valid and that they would have to call a 1-800 number to reactivate their accounts. A Cedar Rapids police sergeant says it’s a textbook “phishing” scam where some party, usually from out of state or even out of the country, targets a bank or credit union and uses robo-calls to get the personal account information of trusting account holders. The sergeant said that the credit union has had more than 20 calls from clients who called the 1-800 number and released their information. Source:

14. January 5, Naples Daily News – (Florida) Man accused of using skimming device on North Naples bank ATM. Collier County, Florida, deputies believe the same man, who was suspected of placing a skimming device on an ATM at a North Naples bank, has struck again. This time a skimmer was placed at the SunTrust Bank located on Laurel Oak Drive, North Naples, on November 27 and again on December 12. In the first incident, deputies say a skimmer was placed on an ATM at the SunTrust Bank, on Vanderbilt Beach Road, on November 14. Several customers subsequently reported the fraudulent use of their debit card numbers on the east coast of Florida. The Collier County Sheriff’s Office is asking the public for help in identifying the man and has released additional images of the suspect. Source:

Information Technology

39. January 6, – (International) US software firm sues China over Green Dam. U.S. internet filtering software firm Solid Oak Software is suing China’s government, along with the software developers employed by the country to censor the internet, for the theft of code. The California-based company alleges in a District Court filing that 3,000 lines of code from its flagship Cybersitter product were copied and used in China’s Green Dam software. Solid Oak Software has also accused the world’s largest computer manufacturers of knowingly shipping PCs with the code in order to benefit financially from the sales. Those accused include Sony, Toshiba, Lenovo, and Acer. A Lenovo spokesman said: “It is not our policy to comment on litigation. However, Lenovo no longer ships a Green Dam CD with every PC it sells in China, and has not done so for several months.” The other computer manufacturers did not respond to requests for comment. Source:

40. January 5, DarkReading – (International) New PDF exploit may be first of many in the New Year, experts say. A sophisticated, two-phase attack that hides in PDF documents could be the first in a long line of exploits that target vulnerabilities in Adobe applications, researchers said recently. In a blog an Internet Storm Center researcher describes a new JavaScript exploit that hides in PDF files and exploits a known vulnerability. The shellcode used for the exploit is remarkable in its small footprint and sophistication, the researcher reports. Just 38 bytes long, it works in two stages: The first stage seeks out targets and obfuscates the attack, then passes the baton to a second-stage shellcode that is capable of executing code on a victim’s machine. The exploit’s construction makes it not only difficult for traditional antivirus tools to detect, but also masks the execution of the code so that the end user might not even know anything has happened, he says. The new exploit feeds the fire of predictions that Adobe, not Microsoft, will be attackers’ chief target in the new year. In its new threat predictions report, security firm McAfee projects there will be more attacks on Adobe in 2010 than on Windows. Source:

41. January 5, The Register – (International) Hacker pilfers browser GPS location via router attack. Anyone surfing the web from a wireless router supplied by some of the biggest device makers could have their geographic location identified by the author of the Samy worm. That is because WiFi access points made by Westell and others are vulnerable to XSS, or cross-site scripting, attacks that can siphon a device’s media access control address with one wayward click of the mouse. Once in possession of the unique identifier, the author can plug it into Google Location Services and determine where the user is. “It’s actually scary how accurate it is,” said the author of the worm, a self-replicating XSS exploit that in 2005 added more than 1 million friends to his MySpace account and in the process knocked the site out of commission. “I’ve found that with a single MAC address, I’ve always been spot on with the tests I’ve done.” The author, who tweeted about the vulnerability on January 5, has posted a proof-of-concept attack. For now, it works only on FiOS routers supplied by Verizon, and then only when users are logged in to the device’s administrative panel. With a little more work, he said he can make it exploit similar XSS holes in routers made by other manufacturers. With one very important difference, the author’s proof-of-concept is similar to a Firefox feature that allows users to get customized content by automatically sharing their location with websites they are visiting. Source:

42. January 5, DarkReading – (International) Researchers infiltrate Storm botnet successor. In an undercover mission to learn more about the size and scope of the son of the infamous Storm botnet, Waledac, German researchers have discovered the spamming botnet is much bigger and more efficient than previously thought. The University of Mannheim and University of Vienna team boldly infiltrated the Waledac botnet from August 6 through September 1 of 2009 using a cloned Waledac bot they built and code-named “Walowdac.” The phony bot injected the IP addresses of the researchers’ analysis systems into the botnet, and the researchers were able to collect detailed data on the botnet and its inner workings. They found Waledac runs a minimum of 55,000 bots a day, with a total of 390,000 bots — much larger than previous estimates of 20,000 or so bots. The researchers also were able to measure success rates of various spam campaigns launched by Waledac, and were able to observe up close Waledac’s newer features, such as the ability to steal credentials from bot-infected machines. Waledac changes up its malware variants about every two weeks, the researchers observed, and the U.S. is home to the majority of the bots and repeaters, with 17.34 percent of the spamming bots and 19.5 percent of the repeaters. And around 90 percent of the Waledac bots were 32-bit XP machines. The researchers were also able to get counts of information-stealing activity by Waledac. In addition, a researcher says Waledac steals SMTP server credentials, so it can spam using those servers, and also FTP user credentials, so it can log into FTP servers. “They are also stealing these FTP credentials to log into FTP servers and search for HTML pages to inject iFrames [into],” he says. “This is part of the propagation mechanism of Waledac.” Source:

Communications Sector

Nothing to report