Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, March 10, 2010

Complete DHS Daily Report for March 10, 2010

Daily Report

Top Stories

The Associated Press reports that a rock slide punched gaping holes in a bridge and left huge boulders on Interstate 70, closing a 17-mile stretch in western Colorado and prompting the governor to declare a disaster emergency Monday. The slide struck around midnight Sunday near Hanging Lake Tunnel in Glenwood Canyon. (See item 25)

25. March 9, Associated Press – (Colorado) Colorado rock slide rains boulders on bridge, highway. A rock slide punched gaping holes in a bridge and left huge boulders on Interstate 70, closing a 17-mile stretch in western Colorado and prompting the governor to declare a disaster emergency Monday. The slide struck around midnight Sunday near Hanging Lake Tunnel in Glenwood Canyon, a deep, narrow chasm about 110 miles west of Denver, the Colorado Department of Transportation said. No injuries or damage to vehicles were reported. All lanes were closed from Glenwood Springs east to the town of Dotsero. Up to 25,000 vehicles a day travel that section of the major east-west artery, a department spokeswoman said. Because of the rugged terrain, the shortest detour adds about 200 miles around the mountainous Flat Tops Wilderness Area. Adding to the traffic mess, U.S. 50 was closed over Monarch Pass due to adverse conditions. The rock slide took out median barriers, steel guardrails and at least one light pole. The largest hole in the roadway was 10 by 20 feet in the westbound lane. About 20 boulders ranging from three to 10 feet long were scattered on the highway, with the largest weighing 66 tons, officials said. Crews were drilling holes in the large boulders to insert explosives and blast them into smaller pieces. The spokeswoman said that once the crew clears the debris, they will be able to find out which lanes can be reopened. Source:

According to the Associated Press, a 180,000 gallon tank that supplies water to roughly 600 residents of the Montana town of Belt is failing, and city leaders are scrambling for a fix. (See item 33)

33. March 9, Associated Press – (Montana) Montana town hurries to replace failing water tank. The tank that supplies water to the roughly 600 residents of the tiny Montana town of Belt is failing, and city leaders are scrambling for a fix. A Belt water and wastewater operator says the 180,000 gallon tank is leaking so badly that huge ice formations are visible on its outer walls, and steel reinforcement bars once inside the concrete are now exposed. An engineer with NCI Engineering of Great Falls says the tank is going to fail, perhaps catastrophically. He says a replacement could cost $1.2 million, but said the price may be trimmed to make it more affordable for residents. Belt missed out on $38 million in federal stimulus funding earmarked for water and sewer projects in Montana. Source:

Banking and Finance Sector

19. March 8, IDG News Service – (International) Thailand approves credit card hacker’s extradition to US. A Thai court has approved the extradition to the U.S. of a Malaysian man allegedly involved in hacking credit card information, causing massive losses for victims in the U.S. The suspect will first be held in Thailand for 30 days in case he decides to appeal the court ruling, an employee at Thailand’s Office of the Attorney General said by phone on March 8. The suspect, forty-four years old and also known by the alias Delpiero, is a suspected member of a crime ring that has caused more than 5 billion baht (US$150 million) in losses through hacking aimed at the U.S. and Southeast Asia, according to a report in the Bangkok Post. The man was arrested in Thailand after U.S. authorities filed a request with the Thai foreign ministry, the report said. He could be imprisoned for over a year if convicted, the paper said in another report. Source:

20. March 8, Associated Press – (Texas) Father, son shot by gunman in Dallas. A gunman apparently angry over business dealings wounded a father and son at their financial services company inside an office building Monday, then shot himself as police closed in, authorities said. The gunfire at about 10:30 a.m. created a frightening, grisly scene at the 15-story building, with one of the injured men making his way down an escalator with blood gushing from his neck and scared bank employees and customers locking themselves in vaults. After the two men were shot, the suspect apparently turned the gun on himself as three officers were coming down the hall toward the third-floor suite, said a Dallas police spokesman. The suspect was in critical condition on March 8. The gunman and the victims apparently had an ongoing dispute, the spokesman said. But it was not clear exactly why the suspect opened fire inside the offices of Smith Financial in northern Dallas. Source:

21. March 8, IDG News Service – (National) FDIC: Hackers took more than $120M in three months. Ongoing computer scams targeting small businesses cost U.S. companies $25 million in the third quarter of 2009, according to the U.S. Federal Deposit Insurance Corporation. Online banking fraud involving the electronic transfer of funds has been on the rise since 2007 and rose to over $120 million in the third quarter of 2009, according to estimates presented on March 5 at the RSA Conference in San Francisco, by an examination specialist with the FDIC. The FDIC receives a variety of confidential reports from financial institutions, which allow it to generate the estimates, the specialist said. Almost all of the incidents reported to the FDIC “related to malware on online banking customers’ PCs,” he said. Typically a victim is tricked into visiting a malicious Web site or downloading a Trojan horse program that gives hackers access to their banking passwords. Money is then transferred out of the account using the Automated Clearing House (ACH) system that banks use to process payments between institutions. Source:

22. March 8, Minneapolis Star Tribune – (Minnesota) Sophisticated Minnesota fraud ring has global tentacles. A joint state and federal task force has been quietly targeting what investigators say is a sophisticated organized crime ring in the Twin Cities with about 200 members who have allegedly stolen identities, taken over bank and credit card accounts, distributed counterfeit checks and currency and defrauded businesses and banks nationwide. The ring recruits members on social networking sites like Facebook, buys stolen information from employees of check-cashing services and Internet data brokers, and has even sent trusted ring members to college and business schools to qualify them for jobs in financial institutions or other targeted businesses, investigators say. Some members have been charged, but neither the commander of the Minnesota Financial Crimes Task Force nor the U.S. attorney’s office would comment on specific cases. The ring is rooted in West Africa and Eastern Europe, the commander said. Taking it down could disrupt 30 to 40 percent of the fraudulent check activity in the Twin Cities, he said. Source:

23. March 8, Oregonian – (Oregon) ‘Phishing scam’ targets Bank of Cascades clients. Scammers claiming to be from The Bank of the Cascades are trying to raid people’s bank accounts. They are calling individual consumers in Central Oregon and warning them their bank records have been compromised, according to the Oregon Justice Department. The department received more than 20 complaints on March 8 from people who say the caller asks them to verify their bank account numbers. At least one consumer was duped into giving up their account number. Within minutes, the victim told state officials, $515 had been emptied out of his account and wired to Guadalajara, Mexico. “This is a phishing scam,” the department warned. “Never provide your bank account number over the phone or by email. No legitimate financial institution will call you and ask you for your bank account number or other sensitive financial information.” Source:

Information Technology

48. March 9, The Register – (International) Vodafone ships Mariposa-infected HTC Magic. Vodafone has been blamed for shipping Mariposa botnet malware and other nasties on an HTC Magic Android smartphone it supplied. The mobile phone giant’s Spanish arm supplied an HTC Magic smartphone preloaded with malware that attempted to establish a backdoor for stealing information on connected PCs during the synchronisation process. Vodafone acknowledged the problem but said that the incident was an isolated and local problem, which came to light because the customer affected works for Spanish anti-virus firm Panda Security. The extra code was a strain of the Mariposa bot client that attempted to connect to systems not associated with the recent arrests of three suspected botmasters in Spain, according to an analysis of the attack by a Panda Security researcher. The same mobile phone was also infected by Conficker and Lineage password-stealing code, according to Panda. The incident came to light because the infected phone was sold to one of the researcher’s colleagues in Spain. Source:

49. March 9, – (International) Web malware scams go primetime. Interest in primetime TV shows has become a favourite lure for cyber criminals, according to security experts. The Academy Awards and upcoming premieres of new television shows are being targeted in search engine optimisation attacks. Security firm Sophos said that malware writers had loaded web pages with keywords relating to the Awards in order to achieve higher placement in search results. Users visiting what they believe to be news sites about the awards are then subjected to an anti-virus scam that attempts to trick them into purchasing fake security software. The targeting of current events and news items for malware infection has become a favourite technique for web-based malware attacks. Malware writers have long sought to lure victims by capitalising on interest in natural disasters, news events and cultural phenomena. Source:

50. March 9, – (International) Intel investigating fake processor shipments. Intel is investigating reports of counterfeit Core i7 processors being sold to businesses and consumers. The company is looking into claims that a shipment of 300 fake Core i7-920 processors had been sent to respected parts seller Newegg from a partner. “Newegg is currently conducting a thorough investigation surrounding recent shipments of questionable Intel Core i7-920 CPUs purchased from,” said the company in a statement. “Initial information we received from our supplier, IPEX, stated that they had mistakenly shipped us demo units. We have since come to discover that the CPUs were counterfeit, and are terminating our relationship with this supplier. “Contrary to any speculation, D&H Distributing is not the vendor that supplied us with the Intel Core i7-920 CPUs in question.” One buyer posted a video of his purchase on YouTube. The box looked realistic but contained a chip without mounting pins, a manual consisting of blank pages and a non-functional plastic model of a fan. Source:

51. March 8, Help Net Security – (International) Serious Apache vulnerability disclosed. A serious vulnerability in Apache’s HTTP web server that enables an attacker to gain remote access to the server and total control of a database has been discovered by a researcher and consultant with Sense of Security Labs. The bug is located in Apache’s core “mod_isapi” module and can be exploited to give the attacker access and system privileges, which means that data can be manipulated, deleted or stolen. ZDNet Australia reports that the solution to the problem is simple: the user just needs to upgrade to the latest version of the software (2.2.15). It is recommended that all users do so as soon as possible, since it is difficult to tell whether they have been targeted. The spokesman for Sense of Security says that for this bug to be exploited, the attacker must know how to write a “high level piece of code,” making it less likely — but not implausible — that such an attack has already been or will be used “in the wild.” Source:

52. March 8, The Register – (International) Ubisoft undone by anti-DRM DDoS storm. Ubisoft has confirmed its rights management servers were hit by a fierce DDoS attack over the weekend that left some customers unable to play its games for much of March 7. The attack is an apparent protest at controversial new DRM controls by the video game publisher, which mean customers have to be online in order to play its latest PC games such as Assassin’s Creed II and Silent Hunter 5. The introduction of the so-called Online Services Platform technology last month means it is impossible to play a game without an internet connection, or to save progress while playing a game if the internet connection is lost, as explained in an interview with Ubisoft by PC Gamer. The controls, designed to combat piracy, have sparked much negative comment in the gamer community and apparently inspired action by hacktivists over the weekend that curtailed gameplay for some. Source:

Communications Sector

53. March 9, – (International) Google explains Google Apps datacenter failure. All Google App Engine applications were “degraded” from 7:48am to 10:09am PST on 24 February after a power failure at the company’s main datacenter, the firm said. About 25 percent of the servers failed within five minutes owing to a delay in back-up power generation. Google’s message boards started showing questions from users almost immediately. “By this time, our primary on-call engineer had determined that App Engine is down,” the report said. “The on-call engineer, according to procedure, paged our product managers and engineering leads to handle communicating the outage to users.” There was confusion about the instructions for switching to a back-up datacenter and the decision-maker for the crossover could not be found. The team then received data suggesting that the datacenter was recovering and that a changeover was not necessary. However, the data turned out to be inaccurate and this extended the outage considerably. By the time the move to the backup servers had been made, Google Apps had been down for more than two hours. The report found that Google had not developed plans for a partial datacenter failure, nor for determining whether the datacenter was able to continue running on such a reduced server count. Source:

For another story, see item 52 above in the Information Technology Sector