Department of Homeland Security Daily Open Source Infrastructure Report

Monday, January 25, 2010

Top Stories

 According to the Associated Press, a man with a handgun fired several shots January 21 on the Texas Capitol’s south steps in Austin, but state troopers quickly tackled him and there were no reports of injuries. (See item 33)

33. January 21, Associated Press – (Texas) Police: Man arrested after firing shots on Texas capitol’s steps. A man with a handgun fired several shots Thursday on the Texas Capitol’s south steps in Austin, but state troopers quickly tackled him and there were no reports of injuries, the Texas Department of Public Safety said. The Capitol was on lockdown as officials searched as a precaution. The south steps were secured by yellow police tape. The shots rang out just after noon, and officers with rifles quickly swarmed the scene. More than a half dozen Department of Public Safety cars quickly appeared, and troopers quickly surrounded the building. “We’re not aware of any injuries,” a department spokesman said. An artist from New York City said she was just inside the front doors of the Capitol when the shots were fired. She ran out the doors in time to see troopers holding a man down on the ground. “They were all over him,” the witness said. “I could hear him saying ‘my hands are up.’” The Texas governor was not in the building at the time, his office said, and many lawmakers were away from Austin on Thursday because the legislature was not in session. Source:,2933,583564,00.html?test=latestnews

 WFTV 9 Orlando reports that Osceola County, Florida, deputies spent hours late January 21 and early January 22 dismantling a meth lab that exploded inside the Carefree Inn and Suites hotel in Kissimmee. More than one hundred hotel guests were evacuated. (See item 53)

53. January 22, WFTV 9 Orlando – (Florida) Meth lab explosion rocks Kissimmee hotel. Osceola County, Florida, deputies spent hours late Thursday night and early Friday morning dismantling a meth lab that exploded inside a Kissimmee, Florida, hotel. Everyone staying at the Carefree Inn and Suites on Highway 192 had to be evacuated for hours Thursday night after the explosion caused a fire in the room on the third floor. Osceola County Sheriff’s deputies said two guests at the Carefree Inn and Suites were cooking methamphetamine in a third-floor room when the chemicals exploded. “The ground shook and then everybody said there was a bomb and that we need to evacuate,” said a hotel guest. The blast happened just before 7:00pm Thursday night and more than one hundred hotel guests were evacuated. Deputies say the two people staying in the room were cooking meth when the chemicals exploded, blowing the door off its hinges and shattering windows. Eyewitnesses said they saw two people running from the hotel after the explosion, but the two people, who were injured, were soon caught by law enforcement officials. “One has minor injuries to his legs and one was taken to Osceola Regional Medical Center,” said a spokesperson with the Osceola County Sheriff’s Office. The sheriff’s office says it is not uncommon to find meth labs inside hotel rooms, and it is a worst case scenario when an explosion happens because of the proximity of other residents. Both people will face felony charges, deputies said. Source:


Banking and Finance Sector

12. January 22, Bloomberg – (National) Obama calls for limiting size, risk-taking of financial firms. The U.S. President, tapping into voter anger over bank bailouts, called for limits on the size and trading activities of financial institutions in order to reduce risk-taking and prevent another financial crisis. The proposals, to be added to an overhaul of regulations being considered by Congress, would prohibit banks from running proprietary trading operations solely for their own profit and sponsoring hedge funds and private equity funds. He also proposes expanding a 10 percent market-share cap on deposits to include other liabilities such as non-deposit funding to restrict growth and consolidation. “While the financial system is far stronger today than it was one year ago, it’s still operating under the same rules that led to its near collapse,” the U.S. President said on January 21 at the White House after meeting with a former Federal Reserve Chairman who has been an advocate of taking such steps. “Never again will the American taxpayer be held hostage by a bank that is too big to fail.” The proposals could affect trading at some of the nation’s largest banks, including New York-based Goldman Sachs Group Inc., Morgan Stanley and JPMorgan Chase & Co., according to the chief market strategist at D.A. Davidson & Co. in Lake Oswego, Oregon. Source:

13. January 22, Dallas Morning News – (Texas) SEC sues Plano firm’s owner, alleging stock ‘pump and dump’. The Securities and Exchange Commission sued a Plano man and his firm on January 21, accusing them of helping stock promoters “pump and dump” shares of small companies for profit. The suit claims that the suspect of Plano and his Dallas-based company, Summit Advisory Group, helped three stock promoters advertise false information about three small companies so that investors would buy the shares and raise their stock prices. After the prices rose, the stock promoters sold their interests in the companies – My Vintage Baby, Alchemy and Beverage Concepts Inc. – and made at least $20 million, the suit said. The suit claims the suspect helped stock promoters – all named in separate SEC suits filed in recent years – to mislead investors about the health of the companies. Source:

14. January 21, Web CPA – (National) Auditors get more involved in credit card security. Internal auditors will soon be playing a larger role in ensuring the security of credit card information. In December, in response to an inquiry from the Institute of Internal Auditors, MasterCard Worldwide decided that beginning June 30, 2011, merchants that process more than 6 million credit card transactions annually can use internal auditors to conduct annual on-site assessments of their compliance with the industry’s data security standards. Auditors need to have obtained training and certification in the Payment Card Industry Security Standards Council’s Data Security Standards in order to qualify. The council intends to offer the training and accreditation to internal auditors this year and will share additional information as the program develops. Source:

15. January 20, Reuters – (International) Saudi Kingdom Tower evacuated after bomb hoax. Saudi authorities ordered the evacuation of Kingdom Tower, a landmark in the capital Riyadh, as a precaution on January 20 after a bomb threat which turned out to be a hoax, an Interior Ministry spokesman said. “We confirm that this was a hoax ... The building and sites immediately close to it are being evacuated as a precautionary measure,” the Interior Ministry spokesman for security affairs told Reuters. “An unknown person called an employee at Samba (Financial Group) bank’s offices in the tower to say a bomb was placed in his car,” he added. Bomb threats are rare in Saudi Arabia. The spokesman said earlier the anonymous caller told a Samba employee that the bomb was placed in a car in the parking lot of the bank’s main headquarters in Riyadh. Source:

16. January 20, WESH 2 Orlando – (Florida) Suspicious package prompts bank evacuation. A bank in Altamonte Springs is surrounded on January 20 after a suspicious package was reported. Altamonte police said someone left a suspicious-looking object on the sidewalk near the front door of the Wachovia bank located at 351 North State Road 434. Customers and employees in the bank have been evacuated. Hazmat and bomb squad crews are examining the object. Source:

Information Technology

44. January 22, Computerworld – (International) IE attacks pose small threat to U.S., big risk to China. Chinese computer users are five times more likely than U.S. users to be targeted by hackers exploiting the just-patched bug in Microsoft’s Internet Explorer, a Web metrics company said on January 22. The attacks, which Symantec researchers say are coming from hundreds of sites, are only able to compromise computers running Internet Explorer 6 (IE6), the nearly nine-year-old browser bundled with Windows XP. While less than 10 percent of U.S. computer users run the ancient IE6, 50 percent of the PCs in China use that browser to access the Internet, according to the most recent data from Worldwide, IE6 accounted for 21 percent of all browsers used last month to surf the 40,000 Web sites that monitors for its clients. Other sources say that China’s computer users are even more vulnerable to the growing attacks. StatCounter, an Irish metrics vendor, pegged IE6’s share of the China market last month at 62 percent, nearly 10 times greater than the 6.4 percent share the old browser enjoyed in the U.S. It’s ironic that Chinese users are more likely to fall victim to the attacks, since by most accounts the original exploit was created in China by Chinese hackers. Source:

45. January 21, The Register – (International) RockYou hack reveals easy-to-crack passwords. Analysis of the 32 million passwords recently exposed in the breach of social media application developer RockYou last month provides further proof that consumers routinely use easy-to-guess login credentials. Sensitive login credentials - stored in plain text - were left exposed because of a SQL injection bug in RockYou’s website. RockYou admitted the breach, which applied to user passwords and email addresses for widgets it developed, and pledged to improve security in order to safeguard against future problems. Database security firm Imperva analysed the frequency of passwords disclosed by the breach, prior to publishing a report on Thursday on Consumer Password Worst Practices, a problem illustrated by the top ten passwords thrown up by the RockYou security snafu. The five most common passwords used were 123456, 12345, 123456789, Password, and iloveyou. The trivial nature of the top ten RockYou passwords is bad enough, but worse is that nearly 50 per cent of password records exposed by the RockYou breach used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys), Imperva discovered. Password database breaches have happened before, of course, but the size of the RockYou breach allowed for the most in-depth analysis of real-world passwords to date. These days the average surfer maintains scores of login credentials for social networking and e-commerce sites. Source:

46. January 21, IDG News Services – (International) Widespread attacks exploit newly patched IE bug. The first widespread attack to leverage a recently patched flaw in Microsoft’s Internet Explorer browser has surfaced. Starting late on January 20, researchers at antivirus vendor Symantec’s Security Response group began spotting dozens of Web sites that contain the Internet Explorer attack, which works reliably on the IE 6 browser, running on Windows XP. The attack installs a Trojan horse program that is able to bypass some security products and then give hackers access to the system, said a security intelligence manager with Symantec. Once it has infected a PC, the Trojan sends a notification e-mail to the attackers, using a U.S.-based, free e-mail service that Symantec declined to name. As of midday January 21, Symantec had spotted hundreds of Web sites that hosted the attack code, typically on free Web-hosting services or domains that the attackers had registered themselves. The IE flaw being leveraged in these attacks was also used to hack into Google’s corporate network last December. It has been linked to similar incidents at 33 other companies, including Adobe Systems. Microsoft patched the vulnerability in an emergency security update in the morning of January 21. Source:

47. January 21, DarkReading – (National) New details on targeted attacks on Google, others, trickle out. New details about the targeted attacks against Google and other U.S. companies that resulted in the theft of source code and other intellectual property emerged Thursday, while Microsoft released an emergency patch for a flaw in Internet Explorer that was exploited in those attacks. The principal analyst for security and risk management at Forrester Research says Google the week of January 11 instituted an emergency update to its corporate VPN, raising questions about whether the network was in some way compromised in the attacks. But, she says, Google disputed her initial analysis that the attackers gained access to Google’s server via its corporate VPN. “This is the first we’ve heard about the VPN involvement at Google. I’m not sure this definitely qualifies as a VPN breach because we don’t know what the attacker did to the VPN system — it’s possible that the attacker used the user credentials to log in through the VPN without doing anything illegal to the VPN. Or it is possible that the attacker did attack the VPN system. But Google won’t say one way or another,” she says. A Google spokesperson declined to comment on her findings. Source:

48. January 18, AppleInsider – (International) Apple’s iPhone touchscreen supplier faces violent employee strike. More than 2,000 workers at a Wintek Corp. factory in Suzhou, China have gone on strike and destroyed equipment at their factory, potentially straining the supply of parts for Apple’s iPhone. According to China Daily, factory workers the week of January 11 damaged equipment and vehicles in response to a number of alleged deaths from overexposure to toxic chemicals. Employees said they did not accept the local government’s investigation into the matter. Bloomberg reported that the factory is a component supplier for the iPhone. On January 15, workers gathered in the morning and caused damage at the Suzhou Industrial Park. They also blocked off a road and threw rocks at police, though no casualties were reported. Various reports said that the workers were reacting to rumors of a canceled 2009 bonus, but one worker told China Daily the matter was not solely about money. Employees said there was a strong smell at the factory that they believe caused the deaths of four workers. The employees believe the deaths are attributed to an overexposure to hexane, a toxic chemical used to clean touchscreen panels at the factory. Source:

For another story, see item 52 below in the Communications Sector

Communications Sector

49. January 22, Computerworld – (Oregon) Prineville, Ore., pop. 10,000, is Facebook’s new friend. Facebook Inc. has selected Prineville, Oregon, as the home for its new data center. Among its attractions are good places for fishing and camping, as well as dry, cool air that’s conducive to running large data center operations. The rural community, with a population of about 10,000 located in the center of the state, depends largely on the production of forest-based products. Prineville was hit hard by the recession, as its unemployment rate hit 20 percent last year, said Prineville’s city manager. Facebook said it will hire 35 full-time employees to work at the 147,000-square-foot facility, which was announced on January 21. It will also create some 200 construction jobs, and ongoing jobs for contractors hired to maintain the facility. Facebook had been leasing data center space on the East and West coasts. The Prineville facility will be its first custom-built data center. Facebook is not saying how many servers it will install there, but it’s a safe bet that the fast-growing Palo Alto, California-based company will need an enormous IT operation that incorporates energy-saving approaches. Source:

50. January 22, Columbia Missourian – (Iowa; National) Mediacom Internet outage affects 22 states. An Internet outage affected Mediacom customers the night of January 20 and morning of January 21 in 22 states. The outage, which began in some areas the night of January 19, stemmed from a problem at Mediacom’s Internet Network Operation Center in Iowa. A processing issue routed Internet network traffic incorrectly, a Mediacom spokeswoman said. It was not due to an equipment failure; traffic coding got changed within the system. This created problems with how the system responded and, in turn, caused customers to lose their Internet connections. Because the Internet and television signals are wired through different fibers, she said, the problem affected only Internet connections. Mediacom worked January 19 with its equipment vendors to identify the problem. Early January 21, Mediacom added additional monitoring technology to help address the issue. All customers in the 22 states affected should have Internet service now, and those customers still experiencing problems can try restarting their computers and rebooting modems or routers, she said. She said the company should be able to immediately address this issue should it arise again. Source:

51. January 22, Associated Press – (California) Computers down at all 168 California DMV offices. A systemwide computer failure at the California Department of Motor Vehicles caused several hours of delays at all 168 offices Thursday. The offices remained open, but with computers unable to connect to the state’s network, DMV workers were forced to do everything by hand, such as processing driver’s licenses and registrations, a DMV spokeswoman said. DMV offices began experiencing problems connecting to the state’s network around 11 a.m. Offices started to connect back around 2 p.m. The office of the state Chief Information Officer, which is in charge of state information technology, blamed the outage on equipment failure at the state’s data center in Sacramento. “It was a router switch that malfunctioned,” said a spokesman. “Network traffic was rerouted and the system is back up and running.” It was not clear how long customers were being delayed because of the failure. He said no other state agencies were impacted, contrary to initial reports that other offices were affected by the outage. Source:

52. January 21, The Register – (International) Targeted attacks replace botnet floods in telco nightmares. Targeted attacks against backend systems have replaced botnet-powered traffic floods as the main concerns for security staff at telcos and large ISPs. Only one in five of the 132 senior telco security experts quizzed by DDoS security and network management specialists Arbor Networks reported the largest attacks they observed as lying within the one-to-four Gbps range last year, compared to 30 percent in 2008. The most potent DDoS attacks recorded in 2009 hit 49Gbps, a relatively modest 22 percent rise from the 40Gbps peak reached in 2008. Although botnet-enabled DDoS attacks are the top operational threats faced by the network operators surveyed by Arbor, this may change in future. One in three (35 percent) of security managers at ISPs and telcos across the world quizzed by Arbor reckoned more sophisticated service and application-layer attacks are the biggest threat they face over the coming year. By comparison, 21 percent thought large-scale botnet attacks would be their single biggest problem during 2010. Service level attacks, while also driven from compromised networks of zombie PCs, are designed to exploit service weaknesses, like back-end database flaws, rather than simply flooding a site with more traffic than it can handle. Several of the senior techies quizzed by Arbor reported prolonged (multi-hour) outages of prominent internet services last year as a result of application-level attacks. Systems targeted included distributed domain name system (DNS) rigs, load balancers and SQL server back-end infrastructures. Source: