Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, February 16, 2010

Complete DHS Daily Report for February 16, 2010

Daily Report

Top Stories

Reuters reports that two Houston refineries said their operations were unaffected on the morning of February 11 by the closure of a portion of the upper Houston Ship Channel due to a sunken tugboat and the search for a missing crewman. The tugboat is owned by a subsidiary of Kinder Morgan Energy Partners. (See item 7)

7. February 11, Reuters – (Texas) Refineries unaffected by Houston channel closure. Two Houston refineries said their operations were unaffected on the morning of February 11 by the closure of a portion of the upper Houston Ship Channel due to a sunken tugboat and the search for a missing crewman. Lyondell Basell’s 270,600 barrel-per-day Houston refinery is near where the tug sank in the Houston Ship Channel during the evening of February 10. Valero Energy Corp’s 145,000-bpd Houston refinery is west of the Lyondell plant. The shutdown could extend into February 12 while the search for the missing crewman is conducted and the tugboat is removed, said a Coast Guard captain, who is the deputy commander of Sector Houston-Galveston. “The tugboat is partially blocking the channel,” he said at a news conference. Two ships were prevented from coming into the upper channel and one ship was unable to exit on February 11. No ships were moving along a 4-mile stretch at the beginning of the 53-mile waterway between the Gulf of Mexico and the busiest U.S. petrochemical port, according to the Coast Guard. Dock employees from the Lyondell refinery rescued four crew members from the tugboat J.R. Nichols when it sank at about 10:30 p.m. on February 10. The tugboat is one of nine owned by a subsidiary of Kinder Morgan Energy Partners. The search must be completed before the tug can be taken from the channel. The shutdown of a section of the channel was also intended to prevent the spread of fuel leaking from the tug along the waterway, the Coast Guard said. Source:

According to USA Today, about 10,000 airport security workers will get access to secret intelligence that could help stop terrorist attacks on planes. So far, 750 people have been cleared to get classified information, said a TSA spokeswoman, adding that it will take two more years to get all 10,000 workers cleared. (See item 16)

16. February 12, USA Today – (National) 10,000 TSA staff to get secret intel. About 10,000 airport security workers will get access to secret intelligence that could help stop terrorist attacks on planes. The Transportation Security Administration plan aims to help its officers spot terrorists by giving them more detailed information about tactics and threats, TSA officials and security experts said. The 10,000 people in line to get classified information are managers, supervisors, and “behavior detection officers” who roam airports looking for suspicious people. They represent about 20 percent of the TSA’s airport workforce and exclude screeners who scan passengers and bags. The information will give workers details about terrorist “tactics, planning, operations and threats,” a TSA spokeswoman said. Those details “give context to things they see every day which may otherwise not appear unusual” and let workers “exercise discretion” in dealing with travelers, she added. So far, 750 people have been cleared to get classified information, she said, adding that it will take two more years to get all 10,000 workers cleared. TSA workers are getting “Secret” clearance. “This is a brilliant idea,” said the director of the Institute for Homeland Security and a former National War College professor. “It shows the TSA is focusing more on where it should be focused — on the people getting on airplanes.” Others fear a greater risk that intelligence will be leaked. “When you open security secrets to that large a group, it could lead to somebody who’s dangerous finding out information that enables a terrorist attack itself,” said the head of the University of Maryland Center for Health and Homeland Security. Source:
Banking and Finance Sector

15. February 11, – (Michigan; Texas) Customer sues bank after phishing attack: MI-based business lost $550,000 in breach. A Michigan-based metal supply company is suing Comerica Bank, claiming that the bank exposed its customers to phishing attacks. A lawsuit filed by Experi-Metal Inc. (EMI) in Sterling Heights, Michigan alleges that Dallas-based Comerica opened its customers to phishing attacks by sending emails asking customers to click on a link to update the bank’s security software. EMI says that even though the bank had two-factor authentication using digital certificates for its online banking portal, the phishing scam was able to circumvent these measures. EMI contends that Comerica’s actions opened its online bank account to a successful phishing attack in which more than $550,000 was stolen from the company’s bank accounts and sent overseas. News of this suit comes days after news of another Dallas-based bank, PlainsCapital Bank, suing one of its customers in a dispute over a similar hack. EMI is but one of many companies across the U.S. being targeted by hackers in this fashion. The crimes have become so numerous that the federal banking regulator, the FDIC, issued a warning about this form of fraud. Source:

Information Technology

37. February 12, ZDNet Asia – (International) Microchip hack ‘absolutely’ a worry. A security researcher who highlighted at the Black Hat DC Conference 2010 last week that he had cracked an Infineon microchip is warning customers that they should be “absolutely” worried. The principal engineer and owner of Flylogic Engineering told ZDNet Asia that the chip is “one of the most popular” and is used in a myriad of devices, including the latest e-passports. Citing InformationWeek, he added that the U.K. government also certified Infineon’s chips for use in classified devices. In his presentation at the annual hacker event, he detailed his exploit of the Infineon SLE 66 CL PE, a chip widely used in computers, gaming systems, identity cards and other electronics, according to a report in Dark Reading. The researcher said he was able to bypass the security defenses of the chip and gain access to data such as encryption keys and unique manufacturing information. With that data, counterfeit systems are possible, he pointed out. Source:,39044215,62061150,00.htm

38. February 12, Secure Computing – (International) Cisco warns of new security flaws. Cisco has released an update which addresses a trio of vulnerabilities in its IronPort line of products. The company said that the flaws affect versions 6.2 and 6.5 of the IronPort Encryption appliance as well as IronPort PostX MAP. The company said that the IronPort C, M and S appliances were not believed to be vulnerable. Cisco reported that two of the flaws, if exploited, could allow an attacker to view sensitive system administration information, while the third could allow an attacker to remotely execute code. The first of the information disclosure flaws was found in the appliance’s administration interface component, while the second was found in the WebSafe Servlet component. The remote code execution vulnerability was found within the HTTPS server component. That vulnerability can be mitigated by restricting access to trusted IP addresses, the company said. Administrators looking to obtain and install the fixes are advised to contact Cisco’s IronPort technical support team. Source:,cisco-warns-of-new-security-flaws.aspx

39. February 12, Computerworld – (International) Microsoft stops serving Windows patch blamed for blue screens. Microsoft said late Thursday that it had halted distribution of a security update linked to crippled Windows XP PCs that display the notorious Blue Screen of Death. According to users who posted complaints to Microsoft’s support forum, after installing the update, one of 13 released Tuesday, their machines refuse to start up. Instead, their systems shudder to a stop at the blue screen, which in Windows indicates a serious software error and crash. “We stopped offering this update through Windows Update as soon as we discovered the restart issues,” said a senior manager with the Microsoft Security Response Center (MSRC). He also said that Microsoft was digging into the problem. “Our initial analysis suggests that the issue occurs after installing MS10-015 (KB977165),” he said. “However, we have not confirmed that the issue is specific to MS10-015 or if it is an interoperability problem with another component or third-party software.” He also downplayed the extent of the blue screening, saying that only a “limited number” of users were affected. Source:

40. February 11, SC Magazine – (International) Mozilla recants assertion that Firefox add-on has Trojan. Mozilla has done an about-face after disclosing that two “experimental” add-ons for its Firefox browser contained malware targeting Windows users. The company admitted late February 9 that one of the plug-ins originally believed to contain a trojan, version 4.0 of the Sothink Web Video Downloader, is free of any malicious code. The extension allows Firefox users to easily download videos from the web. As it turned out, a software protection system that uses encryption to protect the add-on from pirates and malware was actually to blame. Shortly after Mozilla initially revealed that it believed the add-on was malicious, Sothink Media, which makes the video downloader, objected, saying the plug-in had been validated by a third party as free of malware. It also included a link to a VirusTotal report, which turned up zero infections when the add-on was tested against 40 commonly used anti-virus products. The next day, in another blog post, Sothink Media explained why the add-on was marked as malicious: “In the version 4.0, the encryption program for Web Video Downloader used to be Armadillo. The false virus report was caused because of Armadillo’s own disadvantage. Armadillo isn’t a trojan in and of itself. It’s a compression utility that is often used to compress/hide malicious code in .exe’s. That’s the reason why the scans are hitting on the file as suspicious. So there isn’t any virus in Web Video Downloader or in Armadillo actually.” Mozilla’s investigation did, however, confirm that the other add-on it identified as containing a trojan, Master Filer, actually did. But the company lowered its estimate of infected installations of that plug-in, which has since been removed from Mozilla’s archive of add-ons, from 6,000 to fewer than 700. Source:

41. February 11, SC Magazine – (National) Critical infrastructure encounters the most web malware, report. Critical infrastructure organizations, such as those in the energy, oil, pharmaceutical and chemical sectors, encountered at least twice as much web malware as other organizations during 2009, according to web security firm ScanSafe. More than any other verticals, the energy and oil sectors were pummeled with the greatest amount of data-theft trojans last year, according to ScanSafe’s “Annual Global Threat Report 2009,” released Thursday. Energy and oil companies experienced a 356 percent higher rate of direct encounters with data-theft trojans compared to other verticals, the report said. Also, those in the pharmaceutical and chemical sectors encountered 322 percent more information-stealing malware than other verticals. The data came from more than one trillion web requests processed last year by ScanSafe’s Threat Center. Source:

Communications Sector

42. February 12, – (Oregon) Portland still trying to remove MetroFi antennas. MetroFi was at the center of the push for free, citywide Wi-Fi, which failed once the company found the business model unsustainable. In Portland, Oregon, efforts to sell MetroFi’s network failed, and the 600 or so antennas in the city remain. As the city feared, as reported in 2008, MetroFi never got around to removing the antennas, which the city then estimated would cost around $90,000 to remove. According to Oregon Live, the city is still trying to get the antennas removed, and has put out a bid notice for the job that now estimates the cost at $200,000. The higher estimate is because some of the antennas are sitting in the middle of intersections and will require flaggers and work crews to remove. Source: