Department of Homeland Security Daily Open Source Infrastructure Report

Friday, March 12, 2010

Top Stories

 According to the Associated Press, Connecticut authorities say a freight train carrying liquid ethanol derailed Thursday morning in Windham, but none of the four tankers that came off the tracks is leaking. Local officials say they were not notified until about 7:30 a.m., more than three hours after the derailment. (See item 2)

2. March 11, Associated Press – (Connecticut) Train carrying ethanol derails in eastern Conn. Connecticut authorities say a freight train carrying liquid ethanol derailed in Windham, but none of the four tankers that came off the tracks is leaking and there is no public safety threat. A Providence & Worcester Railroad spokeswoman said no injuries were reported after the four rear cars of the 80-car train derailed early Thursday morning. The cause is not clear. Local officials say they were not notified until about 7:30 a.m., more than three hours after the derailment. Equipment is being brought in to put the cars back on the tracks or haul them away. The train was headed to Providence, Rhode Island from North Dakota. Seventy-one cars continued on to Providence. The rail line serves only freight so no passenger trains are affected. Source:,0,5949319.story

 The Associated Press reports that the U.S. Army Corps of Engineers suspended repair work Wednesday on an area of Wolf Creek Dam at Lake Cumberland in southern Kentucky after sensors picked up movement near the dam’s foundation. (See item 62)

62. March 11, Associated Press – (Kentucky) Repair work suspended on area of Wolf Creek Dam. The U.S. Army Corps of Engineers has suspended repair work on an area of Wolf Creek Dam at Lake Cumberland in southern Kentucky. Work was suspended Wednesday after sensors picked up movement near the dam’s foundation. The project manager says the movement is near where grout was being injected underwater. He says analysis of instruments, drilling and grouting data and the dam’s stability could take four to six weeks, and after that, the Corps will decide how and when to continue repair work. Officials say work was halted on a 600-foot “critical area 1” where the earthen embankment meets the concrete dam, but work on non-critical areas will continue. The dam is 4,400 feet long and the rehabilitation project is expected to cost $584 million. Source:


Banking and Finance Sector

15. March 11, IDG News Service – (International) HSBC: Data theft incident broader than first thought. HSBC said on March 11 about 15,000 accounts of its Swiss private banking unit were compromised after an employee allegedly stole data, some of which ended up in the hands of French tax authorities. The latest figure is sharply higher than the one the bank gave in December, when HSBC said the number of account records taken was less than 10. HSBC said it does not think the records could be used to access an account. The data was allegedly stolen by a former IT employee about three years ago, HSBC said. The employee left Switzerland, and French authorities ended up with the files, which were then passed to the Swiss Federal Prosecutor. French authorities had been investigating up to 3,000 people thought to be avoiding taxes. Source:

16. March 11, Associated Press – (International) Greece hit by strikes, riots over austerity plan. Serious street clashes erupted between rioting youths and police in central Athens on March 11 as some 30,000 people demonstrated during a nationwide strike against the cash-strapped government’s austerity measures. Hundreds of masked and hooded youths punched and kicked motorcycle police, knocking several off their bikes, as riot police responded with volleys of tear gas and stun grenades. The violence spread after the end of the march to a nearby square, where police faced off with stone-throwing anarchists and suffocating clouds of tear gas sent patrons scurrying from open-air cafes. Rioters used sledge hammers to smash the glass fronts of more than a dozen shops, banks, jewelers and a cinema. Youths also set fire to rubbish bins and a car, smashed bus stops, and chopped blocks off marble balustrades and building facades to use as projectiles. Some private bank branches were open despite calls from the bank employees’ union to participate in the strike. Source:

17. March 10, Bloomberg – (National) Turkish bond scam funded cryogenics, porn, SEC says. Executives at an Illinois estate-planning firm raised more than $20 million for Turkish Eurobond investments, while diverting clients’ money for a stamp collection, Internet pornography and cryogenically frozen umbilical cords, U.S. regulators said. USA Retirement Management Services, which also has offices in California, and the managing partners were sued by the Securities and Exchange Commission today for operating a Ponzi scheme since 2005. A federal judge in Los Angeles froze their assets, the SEC said. At least 120 investors agreed to buy promissory notes guaranteed to generate 8 percent to 11 percent annual returns from investments in Turkish bonds, the SEC said. The managing partners also raised at least $14 million through a variety of channels since 2006, the agency said. They allegedly sent some funds to bank accounts in Turkey and spent money on luxury cars, housing and vacations. Source:

18. March 10, Consumer Affairs – (Mississippi) Scam targets Mississippi credit union members. A phishing scam targeting members of credit unions has emerged in Mississippi, and perhaps in other states. The Mississippi attorney general says his office has received a number of calls from potential and actual victims. The phishing attack targets mostly cell phones, with both calls and text messages. The messages warn victims that their credit union account has been frozen and instruct the victim to call a number to provide account information. If victims comply, the scammer steals their information. Several credit unions operating within the state have been targeted. “If you receive such a text, do not call that number,” Statewide Credit Union warns in a message on its Web site. “This is a “phishing” attempt to steal your member information and to try to steal funds from your account. We will not attempt to contact you through text messaging, or ask for your member information over the phone, since we already have it.” Source:

19. March 10, Miami Examiner – (Florida) Suspect threatens blowing up Miami bank. Police are searching for a suspect who walked into the Miami Dade Bank of America located in the 200 block of SW 127 on Thursday afternoon and threatened to detonate an explosive device if not given cash. Police are still searching for the suspect. Two tellers at the bank were confronted by the suspect wearing a dark blue cap and sunglasses. He told one of the tellers in Spanish, “Give me the money or I’ll blow up the bomb.” According to Miami Dade Police, the other teller who was nearby hearing the suspect’s demands attempted to walk away and get help. The suspect noticed and ordered her to return. He repeated his demands and pulled out what appeared to be a detonating device and dynamite sticks. After seeing this, the first teller complied, placing money in a plastic bag and handing it over. He was last seen fleeing on foot east on Quail Roost Drive. Source:

20. March 10, The Register – (International) UK plastic fraud losses fall for first time in 3 years. A rise in online banking fraud losses took some of the shine off the overall fall in debit and credit fraud in the UK last year. Official figures from the UK Cards Association, which represents UK credit and debit card providers, published on Wednesday show that fraud on debit and credit cards fell by 28 percent in 2009 to £440.3m in total, compared to £610m in 2008. The decrease in overall card fraud - the first since 2006 - is credited to the effects of Chip and PIN on retail fraud, improved fraud detection tools and law enforcement efforts. While other forms of fraud dropped, online banking losses increased to £59.7m in 2009, an increase of 14 percent on losses of £52.5m during 2008. Increasingly sophisticated malware attacks targeting bank customers and a 19 percent increase in phishing attacks in 2009 were blamed for the rise. Source:

Information Technology

46. March 11, – (International) ISP takedown hamstrings Zeus malware. Security firms chalked up a victory on March 10 with the takedown of dozens of malware botnets. Kazakhstan-based service provider Troyak was shut down on March 9, crippling six smaller ISPs which were helping to run botnets based on the Zeus malware infection. A coalition of six anonymous security firms convinced host companies of Troyak to shut down the firm’s systems, an act which took down the command and control servers for 68 of the 249 known Zeus botnets, including the network used to steal $415,000 (£277,000) from Bullitt County, Kentucky. The takedown could deal a significant blow to the criminals running Zeus. The malware has become notorious among security firms owing to its ease of use and ability to inject code directly into otherwise legitimate files. Two Cisco ScanSafe security researchers said that while the takedown may not by itself have a long-term impact on numbers, the tactic of pressuring legitimate host companies to cut ties with shady service providers and botnet operators could pay big dividends in the fight against cyber crime. Source:

47. March 11, The Register – (International) Bogus Playstation emulators pack Trojan payload. Retro gaming fans are being targeted in a new con designed to infect computers with a Trojan linked to scareware scams. Downloads posing as Playstation 2 emulators that allow games designed for Sony’s console to be played on PCs instead deliver only a Trojan. Emulators offered via Appzkeygen(dot)com, for example, come packing the CodecPack-2GCash-Gen Trojan, a researcher at Sunbelt Software warns. So, apart from the dubious legality of emulators, gamers who search for the software packages risk being exposed to all manner of unpleasant scams. “In some cases, people have reported this particular attack resulting in rogue antivirus appearing on the compromised system – however, during testing nothing was downloaded onto the PC,” the researcher explains. “This doesn’t mean it won’t happen, of course – and you’ll still have the downloader onboard.” Source:

48. March 11, Help Net Security – (International) File sharing networks open door to identity theft. According to the Washington Post, in any given second, nearly 22 million people around the globe are on peer-to-peer file-sharing networks downloading and swapping movies, software and documents over the Internet. Unfortunately, these same networks also provide identity thieves an open door to consumers’ personal information. LifeLock wants to warn consumers about one of the latest identity threats facing consumers today. Cyber thieves are targeting their newest identity victims through the use of file-sharing networks. Consumers and their family members need to be wary about with whom they share music, photos or documents online because criminals could be downloading the information stored on personal computers, including Social Security numbers, home addresses and even health information. Users of file-sharing networks can inadvertently expose the contents of entire hard drives containing personal information to others on the network. By simply searching for specific keywords, identity thieves are able to access and download personal information of thousands upon thousands of individuals. Source:

49. March 11, The Register – (International) Password reset questions dead easy to guess. Guessing the answer to common password reset questions is far easier than previously thought, according to a new study by computer science researchers. In the paper “What’s in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions,” a researcher of the University of Cambridge and two colleagues from the University of Edinburgh show how hackers stand a one in 80 chance of guessing common security questions such as someone’s mother’s maiden name or their first school within three attempts. The academics reached their conclusion after analysing 270 million first and last name pairs extracted from Facebook. Online research about a subject or a pre-existing relationship makes the chances of figuring out the answer to password reset questions still easier. Source:

50. March 11, Help Net Security – (International) Employees continue to put data at risk. According to a Ponemon Institute study, business managers continue to pose the greatest threat to sensitive company information such as customer records, health information and other private data. Despite the best efforts of IT departments, business managers continue to disengage, or turn off, their laptops’ encryption solution - exposing company information to thieves should the computer go missing. The annual “Human Factor in Laptop Encryption” study tracks the perception of the effectiveness of encryption solutions and actions taken by IT and business managers to secure their laptops. This year’s expanded study was conducted in the United Kingdom, Canada, France, Germany and Sweden, in addition to the United States. The study found that 15 percent of German and 13 percent of Swedish business managers have disengaged their encryption solution. In contrast, 52 percent of Canadian, 53 percent of British, and 50 percent of French business managers have disengaged their encryption, while U.S. business managers are the most likely to circumvent company data security policy - topping the survey at 60 percent. Source:

51. March 10, SCMagazine – (International) India, Mexico, Brazil have most Mariposa bots. An analysis of the dismantled Mariposa botnet has revealed that it consisted of 13 million infected PCs spanning 190 countries and 31,901 cities worldwide, according to anti-virus vendor Panda Security. The botnet, which took its name from the Spanish word for butterfly, infected PCs from almost every country around the world, stealing account information for social media sites, online email services, usernames and passwords, banking credentials, and credit card data, according to Panda. Compromised IP addresses included personal, corporate, government and university computers. The top five countries, by number of Mariposa-infected computers, were India, Mexico, Brazil, Korea and Colombia, according to Panda. The investigation into the botnet is still ongoing, but preliminary calculations of the losses through fraud, financial theft, data loss and cleanup costs are already estimated to be in the millions of dollars, a threat researcher at Panda told on March 10 in an email. Source:

52. March 10, DarkReading – (International) Top Google search items under siege. Search engine optimization (SEO) poisoning continues to be alive and well, with an unusually large wave of these attacks spotted during the past seven days targeting 284 of the top Google search terms. SonicWALL found 6,600 malicious URLs attacking the top search terms, including “what time do the oscars start 2010” and “disney princess half marathon.” As many as nine of these terms are under attack at any one time. More than 60 malicious URLs for the princess query appeared on Google’s top 30 search results between March 7 and 8, and 34 malicious URLs for the Oscars query. Why the spike in malicious URLs? “Based on the search terms that we observed, this jump can be correlated with huge public interest in finding out news related to Oscar awards,” says the lead malware researcher for SonicWALL. “A major spike was observed during the weekend of March 6 to 7, 2010. At one point, there were 1,200 malicious URLs appearing in the first 30 search results for the top Google search terms — and close to 50 percent of those were related to Oscars-related search terms.” Source:

53. March 10, DarkReading – (International) Security pros say apps are vulnerable — and constantly attacked. If an organization worries that its applications are vulnerable to attack, then it is not alone, according to study results released on March 9. In a survey at the RSA Conference 2010 in San Francisco recently, researchers from security vendor Fortify found that most security pros are stressed about potential attacks on their apps. In fact, 73 percent of respondents thought the applications in their companies had vulnerabilities that hackers could exploit. Most agreed it would be “ignorant” to say they didn’t. Twenty-six percent said they either did not know the answer or did not want to disclose the information. And hackers are seeking to exploit those vulnerabilities, attendees said. Forty-seven percent of respondents said their companies are targeted or attacked more than once a day; many said their organizations are attacked “hundreds of times a day” or “every moment.” Source:

Communications Sector

54. March 11, St. Joseph’s News Press – (Missouri) Lightning knocks out broadcast. FOX Channel 4 in Kansas City was knocked off the air for a period of time on March 10 when lightning struck the WDAF FOX 4 tower. The incident occurred roughly at 8:30 pm. The station came back on the air a little while later, with a local news broadcast. Source:

55. March 11, Rochester Democrat & Chronicle – (New York) Time Warner service restored to Rochester-area customers. Several thousand people in the Rochester region Thursday morning experienced problems with Time Warner Cable’s Internet and digital phone service. A company spokeswoman said Time Warner Cable started experiencing “intermittent outages” just before 7 a.m. Thursday. Service was restored by 9:45 a.m. She said a faulty router temporarily affected Time Warner Cable’s Road Runner Internet cable and digital phone services. Some customers experienced outages, others had extremely slow Internet access, and some experienced audio problems with digital phone service, she said. Several thousand customers scattered through Monroe County were affected by the problem. Source:

56. March 10, ComputerWorld – (International) T-Mobile explains BlackBerry outage, says it’s fixed. T-Mobile USA issued an explanation for the BlackBerry data outage affecting some nationwide users on March 8 and 9, saying it related only to Wi-Fi and not T-Mobile’s network, directly contradicting what some users reported. A company spokeswoman said via an e-mail late on March 10 that the outage impacted some customers across all North America carriers, not just T-Mobile, and that RIM technical support teams had resolved the matter. “This particular issue occurred only when customers attempted to send/receive data, browse the Web or send PIN-to-PIN (Personal Identification Number) messages via Wi-Fi,” she said. “Services over T-Mobile’s network were operational throughout this time. T-Mobile instructed customers to turn off Wi-Fi and connect via our network.” However, the moderator for heard from several BlackBerry users affected by the outage, and told Computerworld that T-Mobile’s explanation of the problem was “almost opposite” of what happened. The moderator said that Wi-Fi-enabled BlackBerry devices, including his BlackBerry Storm, didn’t work for data transmissions on various carriers’ networks for some users for up to 24 hours on March 8 and 9 but did mostly work on Wi-Fi. Source:

For more stories, see items 46 and 52 above in the Information Technology Sector