Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, April 1, 2010

Complete DHS Daily Report for April 1, 2010

Daily Report

Top Stories


 The Providence Journal reports that electric utility National Grid pleaded with customers in Rhode Island to conserve energy after seven of its substations around the state shut down due to unprecedented flooding. National Grid cautioned customers on Tuesday that 20 additional substations were in danger. (See item 1)

1. March 31, Providence Journal – (Rhode Island) Rhode Island swamped in floods “unprecedented” in state’s history. Electric utility National Grid pleaded with customers to conserve energy after seven of its substations around the state shut down. CVS pharmacy, headquartered in Woonsocket, announced that flooding had knocked out power to a national computer system affecting prescription services in all 7,000 of its drugstores. The biggest problem in Woonsocket, the mayor said, was a power failure on Main Street that knocked out City Hall phones for a time and put traffic lights out of service. The police were putting up temporary stop signs to control traffic. During an evening news conference, National Grid cautioned customers that 20 additional substations were in danger. If customers do not conserve energy, the company said, it would impose rolling blackouts. Source:

 According to the Associated Press, a huge fire broke out at the Coco Resources chemical warehouse in Denham Springs, Louisiana on Tuesday, rocketing 55-gallon drums into the sky, forcing the evacuation of about 200 people within a half-mile radius of the site, and pulling in about 100 firefighters. (See item 2)

2. March 31, Associated Press – (Louisiana) Fire at La. chemical warehouse forces evacuations. A huge fire broke out at a chemical warehouse in Denham Springs in southeastern Louisiana on March 30, rocketing 55-gallon drums into the sky, forcing the evacuation of about 200 people and pulling in about 100 firefighters, authorities said. An explosion inside the Coco Resources warehouse triggered the fire about 2 p.m., and two or three other buildings nearby in the industrial section also caught fire, a State Fire Marshal said. Over the next two hours, other barrels of chemicals exploded and smoke could be seen as far away as Baton Rouge, about 20 miles away. “They began to rupture and were throwing large debris like shrapnel,” said the director of Livingston Parish’s Office of Emergency Preparedness. “These 55-gallon drums were exploding and were flying through the air and landing in other places and starting fires there,” said a state police spokesman. Firefighters managed to contain the flames. The cause of the fire will not be determined until the fire is extinguished. The police spokesman said troopers who examined a list of materials kept at the warehouse found them to be a variety of chemicals, mostly in 55-gallon drums stacked on pallets. Authorities evacuated people within a half-mile radius around the site of the fire, according to a state police sergeant. Source:

Banking and Finance Sector

13. March 31, Van Wert Times Bulletin – (Ohio) Area telephone credit card scam reports increase. The latest credit card scam has affected many Van Wert, Ohio, residents in the past few days. Reports of telephone calls about a frozen bank account or debit card from an automated source have flooded area financial institutions. “The primary institution that is getting hit is us,” stated the branch sales manager of the Van Wert branch of Three Rivers Federal Credit Union. “I would say that two-thirds of all the calls we’ve been getting have been people letting us know that those calls are going out.” Hundreds of local residents have informed banks and credit unions about the calls. Some have reported other financial institutions named by the automated voice, sometimes even institutions where the person does not have an account. Other banks in the area have reported customers receiving the same calls. Often the person could not remember what financial institution was named by the voice. Source:

14. March 31, Associated Press – (Minnesota) MN money manager charged in $190M Ponzi scheme. An Apple Valley money manager is charged with orchestrating a Ponzi scheme that allegedly defrauded at least 1,000 victims out of $190 million. The 37-year-old suspect was charged on March 30 in federal court in Minneapolis with mail fraud and tax evasion. The charges say that from July 2007 to July 2009, the suspect told clients he had invested their money in a foreign currency trading program with annual returns of 10 to 12 percent. Instead, officials say, he used the money for personal expenses and to keep the scheme going. The suspect’s attorney told The Associated Press Wednesday that a plea agreement has been reached with prosecutors. Source:

15. March 30, Wilson County News – (Texas) Warning of fraudulent attempts to help secure SBA loans. The U.S. Small Business Administration (SBA) is warning small businesses to use caution if they are contacted by firms offering to help them apply for funds available through SBA programs. SBA and SBA’s Office of the Inspector General (SBA OIG) have received several complaints from small businesses about abusive marketing practices, scams, and exorbitant fees charged by firms offering to help them obtain a loan, grant, or other federal funds from SBA. One example is firms charging small businesses high fees to provide assistance applying to SBA funding programs. Some firms allegedly guaranteed that the small business would obtain SBA funding if it paid the fee; SBA does not endorse or give preference to specific private companies or their clients. Another is firms charging small businesses for services never requested after the small business gave bank account and routing information to a caller claiming to be a firm offering assistance. SBA recommends that small businesses never provide Social Security numbers, bank account information, or credit card numbers to such callers, and never to anyone over the telephone. Source:

16. March 30, KMSP 9 Twin Cities – (Minnesota) Credit card skimmer used at US Bank ATM in Eden Prairie. Police in Eden Prairie, Minnesota, are warning of credit card skimmers on ATMs after a card reader fell off a machine earlier this month. According to Eden Prairie police, a consumer was using an ATM at the US Bank at 300 Prairie Center Drive on March 19 when the reader fell off. Police said the reader was actually a skimming device attached by someone attempting to steal card information. Customers using the ATM would not notice a difference, because the card simply passes through the skimmer and then enters the ATM’s real card reader. Victims still receive their money, with no sign that their financial information has been compromised. Police say credit card skimmers are also in play through criminal groups getting servers hired at local restaurants to steal card information. Two similar cases have popped up in the Twin Cities metro this year, one involving a St. Louis Park Olive Garden server and the other involving a Coon Rapids TGI Friday’s server. The suspects in those cases stole thousands of dollars from unsuspecting victims using skimmers. Source:

17. March 30, Lakeland Ledger – (Florida) Security breach pushes MidFlorida Credit Union to issue new debit cards. Some MidFlorida Credit Union members are getting new debit cards because of a fraud risk. The chief operations officer for Lakeland-based MidFlorida said the firm is issuing 12,000 new debit cards after recent fraud attempts stemming from a previous data breach at Heartland Payment Systems. Heartland, a major New Jersey-based payment processing company, announced a security breach in January 2009 that exposed information from 100 million credit and debit card transactions. MidFlorida issued new cards to about 5,000 of its members last year and is now sending out 12,000 new cards following recent fraud attempts on cards involved in the Heartland breach, the chief operations officer said. The credit union has about 80,000 debit card holders. Source:

Information Technology

44. March 31, The Register – (International) Security researchers scrutinize search engine poisonings. The techniques used by scammers who automate search engine manipulation attacks themed around breaking news to sling scareware have been unpicked by new research from Sophos. A research paper published on March 31 by Sophos researchers lifts the lid on the search engine optimization techniques used by hackers to hook surfers into their scams. Attackers use automated kits to apply blackhat SEO methods – cynically exploiting tragic or salacious breaking news stories – to subvert searches in order to point surfers towards scareware download portals or other scams. The deaths of celebrities, the release of Google Wave, and the marital strife of a popular celebrity are among the topics which have been used as themes for these attacks in the past. Just about any high-profile breaking news story is fodder for the crooks, so it came as little surprise that the deaths of 39 people in the Moscow metro suicide bombings on March 29 have also become themes for the latest run of black-hat SEO techniques. Cybercrooks behind the scams do not simply sit watching Google Trends or trending topics on Twitter, however. The process is increasingly becoming automated. Source:

45. March 31, IDG News Service – (International) McAfee: ‘Amateur’ malware not used in Google attacks. A misstep by McAfee security researchers apparently helped confuse the security research community about the hackers who targeted Google and many other major corporations in cyber attacks last year. On March 30, McAfee disclosed that its initial report on the attacks, which it branded Operation Aurora, had mistakenly linked several files to the attacks that had nothing to do with Aurora after all. Aurora is a sophisticated spying operation, set up to siphon intellectual property out of major corporations. It has been linked to attacks on Google, Intel, Symantec, Adobe, and other companies. Google took the attacks seriously. The files mistakenly linked to Aurora in McAfee’s initial research are actually connected to a still-active botnet of hacked computers that was created to shut down Vietnamese activists. McAfee investigated more than a dozen companies that had been hit by Aurora and found the Vietnamese botnet on four of these networks, said McAfee’s vice president of threat research. At first, McAfee thought they were part of the Aurora attack. McAfee has now “come to believe that this malware is unrelated to Aurora and uses a different set of command and control servers,” McAfee’s Chief Technology Officer said in a March 30 blog posting. Source:

46. March 31, – (International) Blue Coat stresses need to combat social engineering attacks. Administrators and security vendors must step up efforts to prevent social engineering attacks in the enterprise, according to security vendor Blue Coat Systems. The company said in its annual security report that, in addition to swifter analysis and protection, end users need to be aware of the practices commonly used to trick them into installing malware and releasing sensitive data. Blue Coat cited increasingly popular trends such as search engine optimisation and more sophisticated and targeted attacks, and said that companies need to make employees more aware rather than depend on new security tools and appliances. “The increasing use of link farms to manipulate search engine results and prey on the trust users have in their internet experience drove many of the malware exploits we saw in 2009 and are continuing to see in 2010,” said a Blue Coat senior malware researcher. The warning comes as people increasingly rely on the social networking platforms that are fertile ground for attacks. Source:

47. March 30, IDG News Service – (International) E-mail accounts of foreign journalists in China hacked. The e-mail accounts of eight foreign journalists working in China and Taiwan were hacked recently, leading Yahoo to suspend several of the accounts last week, the Foreign Correspondents’ Club of China (FCCC) said on March 24. Among the hacked e-mail accounts, the settings of one account were also modified to forward all e-mails to another e-mail address, it said. “Yahoo has not answered the FCCC’s questions about the attacks, nor has it told individual mail users how the accounts were accessed. Password security and malware are ongoing concerns, but it’s unclear whether they are related to this case,” the group said. The FCCC warned members to change their e-mail passwords and advised them to use other means of communication for arranging interviews or other “sensitive business.” Source:

48. March 30, ZDNet – (International) Hacker finds a way to exploit PDF files, without a vulnerability. A security researcher has managed to create a proof-of-concept PDF file that executes an embedded executable without exploiting any security vulnerability. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution if a user simply opens a rigged PDF file. The researcher who found the issue explained: “I use a launch action triggered by the opening of my PoC PDF. With Adobe Reader, the user gets a warning asking for approval to launch the action, but I can (partially) control the message displayed by the dialog. Foxit Reader displays no warning at all, the action gets executed without user interaction.” Although PDF viewers like Adobe Reader and Foxit Reader do not allow embedded executables (such as binaries and scripts) to be extracted and executed, the researcher found another way to launch a command, the PDF /Launch action, and ultimately ran an executable he had embedded using a special technique. The researcher said Adobe Reader will block the launch action from running automatically, but he warned that an attacker could use social engineering tricks to get users to approve it. Source:
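As an added example (not the researcher’s proof of concept and not part of the original report), the following Python triage script shows what the structure described above looks like on disk and how to flag it. It walks a PDF’s objects, decodes #xx name escapes so that an obfuscated /L#61unch still reads as /Launch, collects every action dictionary whose /S is /Launch, and checks whether the catalog’s /OpenAction points at one of them, i.e. whether the launch would fire on open rather than on a click. Both sample PDFs are constructed inline for the demonstration; the launched program name notepad.exe is a placeholder, and the script does not inflate compressed object streams (/ObjStm), which a production scanner would also have to do.

```python
"""Triage scanner for PDF /Launch actions (added example; not the researcher's PoC).

Approach: split the file into "N G obj ... endobj" objects, decode #xx escapes in
names (PDF allows /L#61unch for /Launch), find action dictionaries with /S /Launch,
and resolve the catalog's /OpenAction to see whether it targets one of them.
Limitation: objects packed inside compressed object streams are not inflated here.
"""
import re

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
LAUNCH_RE = re.compile(rb"/S\s*/Launch(?![A-Za-z])")
FILE_RE = re.compile(rb"/F\s*\(((?:\\.|[^\\)])*)\)")          # literal-string /F (target)
OPENACTION_REF_RE = re.compile(rb"/OpenAction\s+(\d+)\s+\d+\s+R")  # indirect reference
OPENACTION_INLINE_RE = re.compile(rb"/OpenAction\s*<<")        # inline dictionary
AA_RE = re.compile(rb"/AA(?![A-Za-z])")                        # additional-actions trigger


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so obfuscated names such as /L#61unch read as /Launch.
    Applied to the whole file for triage; over-approximates inside strings/streams."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Return a verdict plus the object numbers and /F targets of any /Launch actions."""
    text = normalize_names(data)
    launch_objs, targets, open_refs, has_aa = set(), [], set(), False
    for num, _gen, body in OBJ_RE.findall(text):
        num = int(num)
        if LAUNCH_RE.search(body):
            launch_objs.add(num)
            targets += [t.decode("latin-1") for t in FILE_RE.findall(body)]
        open_refs.update(int(r) for r in OPENACTION_REF_RE.findall(body))
        if OPENACTION_INLINE_RE.search(body):
            open_refs.add(num)  # an inline /OpenAction dict lives in this same object
        has_aa = has_aa or bool(AA_RE.search(body))
    if not launch_objs:
        verdict = "clean"
    elif open_refs & launch_objs:
        verdict = "launch-on-open"          # fires as soon as the document is opened
    elif has_aa:
        verdict = "launch-possible-trigger"  # /AA present; not resolved by this script
    else:
        verdict = "launch-needs-click"       # e.g. attached to a link annotation
    return {"verdict": verdict, "launch_objects": sorted(launch_objs),
            "targets": targets, "open_action_refs": sorted(open_refs)}


# Constructed sample: catalog /OpenAction -> obfuscated /Launch action. The target
# program is a harmless placeholder; this is not the researcher's file.
LAUNCH_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /Type /Action /S /L#61unch /Win << /F (notepad.exe) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same skeleton with no action dictionaries at all.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, pdf in (("launch sample", LAUNCH_PDF), ("clean sample", CLEAN_PDF)):
        print(label, scan_pdf(pdf))
```

The verdict string is deliberately coarse: for mail-gateway or endpoint triage, any /Launch action is worth quarantining, and “launch-on-open” is the case the item describes, where the only barrier left is the reader’s warning dialog (or, in Foxit Reader at the time, nothing at all).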

49. March 30, Network World – (International) MIT research project keeps apps running, even under attack. Researchers led by the Massachusetts Institute of Technology and funded by the Defense Advanced Research Projects Agency have developed software that keeps applications running during attacks, then finds and installs permanent patches to protect them. The ClearView system detects attacks by noting when applications perform outside their normal range of behavior, indicating an attack of some sort. To fend off attacks, it tries out a variety of patches on the fly, choosing the one that best returns the application to normal. The researchers are running a feasibility study to determine whether to develop the system into a commercial product, said the lead researcher on the project. Source:

50. March 30, IDG News Service – (International) Google: Malware targets Vietnamese activists. Google says that politically motivated malware has been used to spy on Vietnamese computer users and attack activist blogs over the past several months. “In January, we discussed a set of highly sophisticated cyber attacks that originated in China and targeted many corporations around the world,” wrote a Google engineer in a company blog on March 30. “We have gathered information about a separate cyber threat that was less sophisticated but that nonetheless was employed against another community.” The Vietnamese malware apparently began spreading in late 2009, when someone hacked into the Web site run by the Vietnamese Professionals Society and replaced a keyboard driver that’s offered for download on the site with a malicious Trojan horse program. The DDoS attacks linked to the Vietnamese botnet “tried to squelch opposition to bauxite mining efforts in Vietnam, an important and emotionally charged issue in the country,” the engineer wrote. Source:

51. March 30, Help Net Security – (International) Microsoft releases out-of-cycle IE security patch. Microsoft released a cumulative security update (bulletin MS10-018) which resolves nine privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This security update is rated Critical for the following supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6 SP1, Internet Explorer 6 on Windows clients, Internet Explorer 7, and Internet Explorer 8 on Windows clients. For Internet Explorer 6 on Windows servers, this update is rated Important, and for Internet Explorer 8 on Windows servers it is rated Moderate. The security update addresses these vulnerabilities by modifying the way that Internet Explorer verifies the origin of scripts and handles objects in memory, content using encoding strings, and long URLs. Source:

52. March 30, The Register – (International) Weak passwords stored in browsers make hackers happy. Nearly a quarter of people (23 percent) polled in a survey by Symantec use their browser to keep tabs on their passwords. A survey of 400 surfers by Symantec also found that 60 percent fail to change their passwords regularly. Further violating the ‘passwords should be treated like toothbrushes’ maxim (changed frequently and not shared), the pollsters also found that a quarter of people have given their passwords to their spouse, while one in 10 people have given their password to a ‘friend’. Password choices were also lamentably bad. Twelve of the respondents admitted they used the phrase ‘password’ as their password while one in ten used a pet’s name. The name of a pet might easily be obtained by browsing on an intended target’s social networking profile. Eight percent of the 400 respondents said they used the same password on all their online sites, a shortcoming that means a compromise of one low-sensitivity account hands over access to a victim’s more sensitive webmail and online banking accounts. Source:

Communications Sector

53. March 29, Gannett Tennessee – (Georgia; Tennessee) Twitter reveals Comcast problems in Nashville. The social media site Twitter was besieged by angry Comcast customers Monday morning in Nashville and Atlanta who could not check their email, do work online, and felt otherwise stranded and frustrated when their Internet service went down. A Comcast spokeswoman said the problem was fixed “in a matter of hours” and was caused by network maintenance issues. A Comcast executive in charge of online social media first confirmed on Twitter an outage in Nashville at 9:20 a.m. As of 10:48 a.m., he said there were some improvements. One person identifying himself as a Comcast employee on Twitter said there were “huge issues” in Nashville and Atlanta. Source:

For another story, see item 44 above in Information Technology