Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, May 12, 2010

Complete DHS Daily Report for May 12, 2010

Daily Report

Top Stories

 According to CNN, more than 65,000 homes and businesses were without power throughout Oklahoma after a storm system spawned multiple tornadoes on Monday. The Oklahoman reports that a tornado knocked out primary and backup power to the Lake Draper Water Treatment Plant, which supplies half of Oklahoma City’s water. (See items 4 and 31)

4. May 11, CNN – (Oklahoma) Tornado-ravaged Oklahoma may face more storms. Forecasters warned that another round of severe weather may hit Oklahoma Tuesday, May 11, less than 24 hours after a storm system spawned multiple tornadoes and left five people dead. Officials said they planned to release more detailed damage estimates Tuesday — and decide how to manage clean-up efforts in areas where tornadoes left behind snapped utility poles, downed trees, and severely damaged homes. Rescuers were searching a 30-square-mile area Monday night to look for victims and clear away downed power lines and other hazards, the Oklahoma City fire chief said. More than 65,000 homes and businesses were without power throughout the state, emergency management officials said. Nearly 15,000 homes were without power in Norman alone, according to Oklahoma Gas & Electric. “It’s unknown when that power will be restored,” the Oklahoma City manager said. “Major transmission lines in the area have been damaged.” Source:

31. May 11, Oklahoman – (Oklahoma) Emergency crews start second search; water conservation urged. Emergency crews are doing a second search of a 49-square-mile area hard hit by tornadoes May 10. City officials say about 50 homes were destroyed and another 30 to 40 damaged, and about a half-dozen businesses were ruined Monday night when tornadoes raked the city. Oklahoma City’s main water treatment plant remains without power, causing widespread water outages and low pressure across the southern metro area. The tornado that hit the Choctaw Road area May 10 knocked out primary and backup power to the Lake Draper Water Treatment Plant, which supplies half the city’s water, a city utilities spokeswoman said. Oklahoma Gas and Electric Co. hopes to restore power to the plant by the end of the day. Crews are working to repair substantial damage to a major power source near the plant. The power outage halted a complex, time-consuming water-filtering process that makes water safe to drink. A spokesman said it is unclear how long it will take to restart that process once the plant’s power is restored. Because it is unclear how long water shortages could last, the city on Monday enacted a 48-hour mandatory outdoor-watering ban. Other neighboring communities that receive water from the plant have enacted similar water use restrictions. Oklahoma City water utility crews worked throughout the night to re-route water from the city’s Lake Hefner and Lake Overholser plants to customers across the southern metro area, but many are still without water, the spokesman said. Residents of Norman, Midwest City and Del City are being asked to conserve water as power is out to the Central Oklahoma Master Conservancy District, which controls the water supply from Lake Thunderbird that serves the three cities. Source:

 The Associated Press reports that authorities are investigating an explosion and fire at an Islamic center in Jacksonville, Florida to determine if it was a hate crime. Witnesses said they heard a loud noise on Monday as preparations were being made for the evening prayer. (See item 54)

55. May 10, The Birmingham News – (Alabama) Possible meth lab discovered in bathtub of motel in downtown Birmingham. Authorities found what appears to be a methamphetamine lab at a downtown motel May 10, after a caller reported “something cooking in the bathtub.” Birmingham Fire and Rescue officials shut down about a block radius around the Knights Inn at 1313 Third Ave. North. At least part of the motel was evacuated. Authorities were called to the motel about 1 p.m. by management. The owner was cleaning when he said he smelled a strange odor coming from the room, he told fire officials. He opened the door but the odor was so strong, it turned him back. The occupant of the room had checked out earlier May 10. Hazardous-materials crews and Drug Enforcement Administration agents also responded to the scene. Monitors taken into the motel room showed there was hazardous material inside. Source:


Banking and Finance Sector

14. May 11, Valley News Dispatch – (Pennsylvania) Oakmont bank gets bomb threat; police have suspect. Police said they have a female suspect in a case where a bomb threat was phoned in concerning the PNC Bank branch along Allegheny Avenue in Oakmont, Pennsylvania. The bank was evacuated May 10 after an Allegheny County 911 dispatcher fielded a bomb threat directed toward the bank. The call came in about 11:40 a.m. when the caller stated “the building was going to blow up.” The bank evacuated because a suspect, a woman, was known to bank personnel and “there was some bad history between them.” No arrest had been made as of last night. Source:

15. May 10, The H Security – (International) Police apprehend Romanian phishing gang. Romanian police investigators have exposed a gang of criminals who fraudulently gained online access to bank accounts and for months, continued to draw money from these accounts. The Romanian Directorate for Investigating Organised Crime and Terrorism (DIICOT) in Bucharest said that after conducting nationwide searches May 9, Romanian police questioned 28 suspects. Since October 2009, the gang is said to have obtained sensitive data, such as online banking and credit card user names and passwords, particularly of Bank of America customers, via phishing attacks. The criminals then transferred money from these accounts via the Western Union financial service and withdrew the money in Vienna, Munich, Prague and Romania. According to the DIICOT, the damages incurred amount to approximately $1 million (£665,000). Most of the suspects come from the Romanian city of Constanta on the Black Sea coast. The gang is said to have had 70 members in total. Romanian authorities collaborated with U.S. agencies in investigating the case. Source:

16. May 10, Savannah Morning News – (Georgia) Mysterious substance found at Ogeechee Road bank. Authorities have shut down a Wachovia bank branch in the 5700 block of Ogeechee Road in Savannah, Georgia after an unidentified substance was discovered on cash a customer deposited the afternoon of May 10. Fire crews from Savannah and Southside departments were at the scene, which Savannah-Chatham police have cordoned off. Hazardous-materials technicians, wearing protective bodysuits, entered the bank, near the Kroger grocery store at Berwick Boulevard. A female customer pulled into the drive-through about 2:45 p.m. and gave $1,400 in cash to a teller, who then stuffed cash into a money counter. A powdery substance plumed from the bills, causing irritation to at least one employee’s skin. At least eight people were exposed to the substance. Four were taken to Memorial University Medical Center as a precaution. Four others were treated at the scene. Crews were working to decontaminate the bank’s interior, contain the material, and identify the substance. Source:

17. May 10, U.S. Department of Justice – (International) Former ABN Amro Bank N.V. agrees to forfeit $500 million in connection with conspiracy to defraud. The former ABN AMRO Bank N.V., now named the Royal Bank of Scotland N.V., has agreed to forfeit $500 million to the United States in connection with a conspiracy to defraud the United States, to violate the International Emergency Economic Powers Act (IEEPA) and to violate the Trading with the Enemy Act (TWEA), as well as a violation of the Bank Secrecy Act (BSA). A criminal information was filed May 10 in U.S. District Court for the District of Columbia charging the former ABN AMRO, a Dutch corporation that was headquartered in Amsterdam, with one count of violating the BSA and one count of conspiracy to defraud the United States and violate the IEEPA and TWEA. The bank waived indictment, agreed to the filing of the information, and has accepted and acknowledged responsibility for its conduct. ABN AMRO agreed to forfeit $500 million as part of a deferred-prosecution agreement, also filed today in the District of Columbia. A U.S. district court judge May 10 accepted the agreement. Under the BSA, it is a crime to willfully fail to establish an adequate anti-money laundering program. The IEEPA and TWEA violations related to ABN AMRO conspiring to facilitate illegal U.S. dollar transactions on behalf of financial institutions and customers from Iran, Libya, the Sudan, Cuba, and other countries sanctioned in programs administered by the Department of the Treasury’s Office of Foreign Affairs Control. Source:

Information Technology

46. May 11, Computerworld – (International) New attack tactic sidesteps Windows security software. A just-published attack tactic that bypasses the security protections of most current anti-virus software is a “very serious” problem, an executive at one unaffected company said May 11. On May 5, researchers at outlined how attackers could exploit the kernel driver hooks that most security software uses to reroute Windows system calls through their software to check for potential malicious code before it is able to execute. Calling the technique an “argument-switch attack,” a Matousec-written paper spelled out in relatively specific terms how an attacker could swap out benign code for malicious code between the moments when the security software issues a green light and the code actually executes. “This is definitely very serious,” said vice president of engineering at Immunet, a Palo Alto, Calif.-based anti-virus company. “Probably any security product running on Windows XP can be exploited this way.” According to Matousec, nearly three-dozen Windows desktop security titles, including ones from Symantec, McAfee, Trend Micro, BitDefender, Sophos, and others, can be exploited using the argument-switch tactic. Source:

47. May 10, IDG News Service – (International) Windows 7 ‘compatibility checker’ is a Trojan. Scammers are infecting computers with a Trojan horse program disguised as software that determines whether PCs are compatible with Windows 7. The attack was first spotted by BitDefender May 9 and is not yet widespread; the antivirus vendor is receiving reports of about three installs per hour from its users in the U.S. But because the scam is novel, it could end up infecting a lot of people due to the interest in Windows 7. The scammers steal marketing text directly from Microsoft, which offers a legitimate Windows 7 Upgrade Advisor on its Web site. “Find out if your PC can run Windows 7,” the e-mails read, echoing Microsoft’s Web page. Users who try to install the attached, zipped file end up with a back-door Trojan horse program on their computer. BitDefender identifies the program as Trojan.Generic.3783603, the same one that is being used in a fake Facebook password reset campaign. Once a victim has installed the software, criminals can pretty much do whatever they want on the PC. Source:

48. May 10, TechWorld – (International) Gumblar Trojan vanishes suddenly yet again. A prolific variant of the Gumblar Trojan has performed another vanishing act, disappearing suddenly from malware figures gathered by Kaspersky Lab. The company’s statistics for April show that the Gumblar.x downloader was nowhere to be seen after being the most recorded piece of malware for February and March. After appearing in March 2009, Gumblar and subsequent variants went to the top of various company’s malware league tables by October, at which point it started to die out. By January 2010 it had disappeared altogether before surging once again, seemingly from nowhere. Gumblar and its variants are effective and versatile pieces of malware, recording 453,000 infections detected by Kaspersky during February alone. Its main means of spread is to use compromised Web sites to serve malicious browser scripts, which redirect the PCs of infected users. It can also be used to steal FTP and other log-ins for Web sites. It is unusual for malware other than Internet worms to surge and recede in this fashion, but it is likely to be a technique to keep some of the compromised Web sites beyond the range of easy detection. Source:

49. May 10, – (International) Phishing scheme targets Apple gift cards. Hackers have constructed a bogus Web site designed to steal the account numbers and PINs of gift card holders. This latest consumer phishing scam uses a typosquatted Web site disguised as an official Apple site to trick users into entering their card numbers and PINs in order check the available balance on gift cards for Apple products. The scam is just the latest in a line of sophisticate phishing attacks that has security software companies and law-enforcement agencies urging consumers to take their time and pay close attention to where they are actually conducting transactions to avoid being ripped off. Source:

Communications Sector

50. May 11, Federal News Radio – (National) FCC to establish cyber certification program. The Federal Communications Commission (FCC) wants to establish a cybersecurity certification program for private sector telecommunications networks. In a Federal Register notice released May 11, the agency says the undertaking would be voluntary for broadband and other communication service providers. “The Commission’s goals in this proceeding are to increase the security of the nation’s broadband infrastructure, promote a culture of more vigilant cyber security among participants in the market for communications services, and offer end users more complete information about their communication service providers’ cyber security practices,” the FCC writes in the notice. The commission wants vendors to answers numerous questions about how such a program would work, what security criteria should be included, whether they have at the legal authority to even create such a certification program and more. “The security of the core communications infrastructure - the plumbing of cyberspace - is believed to be robust,” the FCC states. “Yet recent trends suggest that the networks and the platforms on which Internet users rely are becoming increasingly susceptible to operator error and malicious cyber attack.” PandaLabs reports that in 2009 it detected more new malware than in any of the previous 20 years. It also reports that in 2009, the total number of individual malware samples in its database reached 40 million, and that it received 55,000 daily samples in its laboratory, and this figure has been rising in recent months. The criteria for the voluntary program would address four areas: secure equipment management, updating software, intrusion prevention and detection and intrusion analysis and response. The FCC wants to make the private sector responsible for developing and maintaining the security criteria, accrediting auditors to conduct assessments and maintain a database of service providers who meet the standards. Source:

51. May 10, Associated Press – (West Virginia) W.Va. orders Verizon to establish escrow account. The West Virginia Public Service Commission (PSC) is ordering Verizon-West Virginia to deposit $72.4 million into an escrow account dedicated to improving service in the state. The May 10 order was a follow up to one issued in 2008 that directed Verizon-West Virginia to take actions to improve its services. Commissioners said the escrow account was ordered because the company’s efforts since 2008 were neither sufficient nor consistent. A PSC spokeswoman said Verizon has until May 14 to say how it will deposit the money. The money is to be used over the next several years to finance improvements ranging from restoring copper lines to conducting maintenance and hiring additional employees. A Verizon spokesman said the company is reviewing the commission’s order. Source: