Thursday, December 23, 2010

Complete DHS Daily Report for December 23, 2010

Daily Report

Top Stories

• All lanes of I-70 in Summit County, Colorado, were closed for several hours December 21 after a truck leaked 50 gallons of explosive gel, KUSA 9 Denver reported. (See item 5)

5. December 22, KUSA 9 Denver – (Colorado) I-70 back open after day-long Hazmat spill. Westbound and eastbound lanes of I-70 on the west side of the Eisenhower Tunnel in Summit County, Colorado, have reopened after 50 gallons of a material used to make explosives spilled on the highway December 21. A spokesman with the Colorado Department of Transportation (CDOT) said a larger tow truck ran into the back of a truck carrying about 40,000 pounds of the explosive gel. Lake Dillon Fire-Rescue said an estimated 50 gallons of a liquid blasting agent spilled. The crash happened around 2:35 p.m. The Colorado State Patrol’s hazmat team helped the Summit County hazmat team plug the leak. Eastbound I-70 reopened around 7 p.m. and westbound I-70 opened again before midnight. The tow truck driver was injured and taken to Summit Medical Center in Frisco. Both directions of I-70 were initially closed from Silverthorne to the Eisenhower Tunnel, including the tunnel itself. A CDOT spokeswoman said 4 hours was the minimum the closure would last because the company that owns the blasting gel was sending another truck to the scene to offload it. Hundreds, if not thousands, of travelers were affected. Lake Dillon Fire-Rescue said a tanker that carries such a hazardous substance would normally have been routed over Loveland Pass, but it was closed at the time due to the heavy snow. Lake Dillon Fire-Rescue also said the explosive gel is considered stable inside the container, but there were concerns static electricity could cause an explosion. As a result, crews were staying a third of a mile away from the spill site. Source:

• A blaze at an abandoned building in Chicago, Illinois, killed 2 firefighters and injured 17, December 22, according to the Associated Press. (See item 42)

42. December 22, Associated Press – (Illinois) 2 firefighters dead, 17 injured in Chicago blaze. A blaze at an abandoned building on the South Side of Chicago, Illinois left two firefighters dead and 17 injured December 22, the 100th anniversary of a grim milestone in U.S. firefighting history. The men who died were among four firefighters buried in debris when the South Side building’s roof and one wall collapsed. The injured included firefighters who rushed in to rescue trapped colleagues, a fire department spokesman said. Four of those hurt suffered critical injuries but all 17 are expected to survive. December 22 was the 100th anniversary of the Union Stock Yards fire, which killed 21 Chicago firefighters. That tragedy stood as the nation’s worst for firefighter deaths until the September 11 terrorist attacks. The 1-story brick commercial building had been abandoned for several years and utilities had long been cut off. The spokesman said the fire’s cause was uncertain, but that it was possible that squatters had been living in the building and burning debris inside to keep warm. “The fire had no other way of starting,” he said. Source:


Banking and Finance Sector

14. December 22, Atlanta Journal-Constitution – (Georgia) Dunwoody police hunt serial bank robber. The man who held up Best Bank in Dunwoody, Georgia, December 21 might be responsible for three other bank robberies in metro Atlanta, police said December 22. The December 21 robbery occurred at 10:45 a.m., when the suspect approached the counter, showed a semi-automatic handgun and demanded cash. He left the bank at 4498 Chamblee Dunwoody Road with an undisclosed amount of money, and ran toward Cotillion Drive. Dunwoody police are working with the FBI on the case. The suspect is a 6-foot 2-inch to 6-foot 4-inch black man, weighing 220 to 250 pounds. He was dressed in all-black clothing. Police released bank surveillance images of the suspect. Source:

15. December 22, Malden Patch – (Massachusetts) FBI offers reward in Citizens Bank robbery case. The FBI is offering a $10,000 reward for information leading to the arrest of a man suspected of robbing the 876 Main Street Citizens Bank near the Melrose line in Massachusetts December 16. The man is a suspect in two other robberies, in Lynnfield and Reading. The Massachusetts Bankers Association is offering an additional $2,000 reward, making the total amount available $12,000 for information that directly leads to an arrest. A press release issued by the FBI and circulated by Malden Police show two new surveillance photos, offering different views of the man exiting the bank December 17. Police said after the photos were taken, and the man realized he was trapped in the bank, he stood back and fired five rounds into the door. Source:

16. December 21, Torrance Daily Breeze – (California) Man believed to be the ‘Scanner Bandit’ robs Torrance bank. A man believed to be the so-called “Scanner Bandit” robbed a Bank of America branch December 21 in Torrance, California, the FBI said. The man walked up to a teller, claimed to have a bomb, and demanded money during the 3:35 p.m. crime at 1255 Sartori Ave., police said. The man, who fled the bank with an undisclosed amount of cash, carried what appeared to be a police scanner, the FBI said. He has been linked to December bank robberies in Whittier and Norwalk. The crimes were similar. “He threatens to have an explosive device, which he partially conceals inside a black folder,” an FBI spokeswoman said. “In addition, he carries a device which has been described as a police scanner.” The man was described as white, 40 to 50 years old, about 170 pounds, 5 feet 5 inches to 5 feet 7 inches tall. He wore a raincoat and a dark beanie. Source:

17. December 21, Ventura County Star – (California) 2 men sought in separate bank robberies. The FBI and Ventura and Santa Barbara police departments in California are trying to identify a man believed to be responsible for three recent bank robberies. The robberies occurred November 15 at a Chase Bank in Ventura, December 4 at a Bank of America in Ventura, and December 10 at a Rabobank in Santa Barbara. Called the “Groomed Beard Bandit” based on descriptions of his facial hair, the man is described as 38 to 40 years old, about 5 feet 9 inches and 160 to 170 pounds, authorities said. He has dark hair and light eyes and demands cash when he approaches the teller, according to reports. In the most recent robbery, authorities said he showed a black handgun tucked into his waistband and was seen leaving the bank in an older-model gold or brown automobile. Source:

Information Technology

45. December 22, Computerworld – (International) Researchers reveal attack code for new IE zero-day. Security researchers have released attack code that exploits an unpatched bug in Microsoft’s Internet Explorer (IE) and sidesteps defenses baked into Windows 7. “Microsoft is investigating new public claims of a possible vulnerability in Internet Explorer,” the director of Microsoft’s Trustworthy Computing group said in a statement. “We’re currently unaware of any attacks trying to use the claimed vulnerability or of customer impact.” The bug first surfaced earlier this month when French security firm Vupen announced it had uncovered a flaw in IE’s HTML engine that could be exploited when the browser processed a CSS (Cascading Style Sheets) file that included “@import” rules. Unlike other recent IE bugs, this one can be exploited on the newest browser, IE8, running on Microsoft’s newest OS, Windows 7, by defeating the latter’s DEP (data execution prevention) and ASLR (address space layout randomization) anti-exploit defenses. It is possible the vulnerability will not be addressed until February. Source:

46. December 22, – (International) Microsoft BPOS cloud service hit with data breach. Company data belonging to customers of Microsoft’s hosted business suite BPOS has been accessed and downloaded by other users of the software. The issue affected the Offline Address Book of customers of the Business Productivity Online Suite (BPOS) Standard suite. Microsoft confirmed the data breach recently to Webwereld, a Dutch IDG publication. “We recently became aware that, due to a configuration issue, Offline Address Book information for Business Productivity Online Suite (BPOS) — Standard customers could be inadvertently downloaded by other customers of the service, in a very specific circumstance,” said the director of BPOS Communications at Microsoft. The data breach occurred in Microsoft data centers in North America, Europe, and Asia. The issue was resolved within 2 hours of being discovered, Microsoft said in a statement. However, during this time “a very small number” of illegitimate downloads actually occurred. “We are working with those few customers to remove the files,” the director said. Source:

47. December 22, Softpedia – (International) Facebook scams start attracting international audiences. Security researchers who analyzed recent Facebook survey scams said international users are clicking on spammed links in larger numbers than before. There are myriad scams running every day on Facebook, and many promise access to intriguing videos. The spam messages they generate usually start with “OMG” in order to make them more appealing to users. Researchers from Finnish security vendor F-Secure recently set out to investigate some of them and used Facebook’s search feature to locate posts that contained OMG and links. When they realized many scams were abusing the URL shortening service, which happens to provide statistics for the links it generates, they decided to check how successful they really are. One scam’s links registered a number of 50,377 clicks: 18,735 from the United States, 15,825 from Sweden, and 3,481 from Belgium. Another scam registered a number of 27,400 total clicks, which had a distribution of 12,445 clicks in the United States, 8,137 in Malaysia, and 2,373 in Singapore. “This is the first time that we’ve noticed people from such countries clicking on Facebook spam in such numbers. Typically we’ve seen such tabloid style spam pulling in folks from the USA/UK, or vice versa,” the F-Secure researchers noted. Source:

48. December 21, Softpedia – (International) Fake iTunes email alerts lead users to drive-by download. A wave of fake iTunes e-mails falsely alerting recipients about their accounts facing suspension directs them to a Web page that tries to install malware on their computers. The rogue e-mails are crafted to appear as if they originate from a contact@itunes(dot)com address and bear a subject of “iTunes account may be suspended.” This sounds like a phishing scam, but the general manager of the security software division at GFI said the intention of the attackers is to silently infect users. The cyber criminals behind the e-mails even try to earn people’s trust noting in the e-mail that “iTunes will never ask you for your password or any confidential information.” Satisfied this is probably not a phishing attack, users might click on the link to see additional information. If they do, they are taken to a page mimicking an Apple support article entitled “How to report an issue with Your iTunes Store purchase.” The site might look benign, but in the background it loads scripts that try to exploit vulnerabilities in outdated versions of Flash Player, Java, and even unpatched Windows installations, to download and install malware. Source:

49. December 21, Softpedia – (International) Hotmail phishers impersonate Microsoft employees. Security researchers from ESET warn of a phishing campaign targeting Hotmail users, which produces e-mails signed in the name of a Microsoft program manager. The rogue e-mails bear a subject of “Alert - Reset your Windows Live password” and appear to be sent to a members-services43@live(dot)com address. The message is poorly formulated and does not direct users to an external phishing Web site, like most attacks of this type do. Instead it asks recipients to fill in their username, password, date of birth, and country in a static form and send it back. The e-mails have a very professional feel to them because they were created based on an official communication from Microsoft. Source:

50. December 20, Softpedia – (International) Spamhaus attacked after putting spotlight on blackhat hosting provider. The Spamhaus Project, one of the world’s leading anti-spam outfits, was the target of a distributed denial of service (DDoS) attack recently after it publicly outed a Russian hosting provider harboring cybercriminal operations. On December 14, the organization issued a warning about a WikiLeaks mirror Web site which was hosted inside the IP space of Webalta (Wahome), a well known “bulletproof” hosting company used by Russian cybercriminals. On December 18, the www.spamhaus(dot)org Web site was hit by a moderate 2.1 Gbps DDoS attack and at first, it was assumed Anonymous, whose IRC server is also hosted at Webalta, was responsible. However, a more detailed analysis of the rogue traffic revealed it did not match the type of requests sent by the Low Orbit Ion Canon (LOIC) DDoS tool normally used by the hacktivist group. Source:

Communications Sector

51. December 22, Softpedia – (Minnesota) Minnesota man admits he hacked neighbor’s WiFi to impersonate him. A 45-year-old man from Blaine, Minnesota pleaded guilty to various offenses stemming from hacking into his neighbor’s wireless network and sending death threats to the U.S. Vice President. According to the Minnesota United States Attorney’s Office, 2 days into his trial, the suspect pleaded guilty to two counts of aggravated identity theft, one count of distribution of child pornography, one count of possession of child pornography, one count of unauthorized access to a protected computer, and one count of making threats to the President and successors to the presidency. The suspect was indicted June 23, 2010, after an investigation conducted by the Minnesota Cyber Crimes Task Force, which sees the participation of the FBI, U.S. Secret Service, the Blaine Police Department, and the Anoka County Sheriff’s Office. The suspect admitted that in February 2009, he hacked into the wireless network of his neighbor and created Yahoo! e-mail accounts using his name. He then used the rogue Internet connection and one of the fake mailboxes to send death threats to the Vice President, a Minnesota U.S. Senator, and the state’s governor. Source:

52. December 22, Watertown Daily Times – (New York) Some phone services still out. Some phones in Jefferson, Lewis, and St. Lawrence counties, New York have been out of service since December 20 because of a fiber-optic transmission outage caused by winter weather. The line is owned by National Grid. A spokesman said there is ice and snow damage to a line that runs from Pulaski north to Watertown. Paetec Communications, a national communications company based in Rochester, leases some of the fibers on that line. A spokesman said while National Grid works to repair the cut, Paetec is working on finding an alternative carrier. Since December 20, a number of local businesses and offices had to rely on e-mail and cell service for communication. The Dulles State Office Building, 317 Washington St., was unable to receive incoming calls, and all Lewis County government phones were not working December 21, although 911 was not affected. St. Lawrence County government also was experiencing outages December 21, though 911 service was working. Television station WWTI was unable to broadcast. A representative of WSYR, WWTI’s parent company, said engineers at the Watertown location are working on the problem. Westelcom has rerouted its long-distance service to enable customers to make local and long-distance calls. Source:

53. December 22, United Press International – (North Carolina) Armed standoff forces TV news off air. A TV newscast in Charlotte, North Carolina was knocked off the air December 21 when a woman entered the studio and put a gun to her own head, police said. WSOC-TV’s 5 p.m. news report had just begun December 21 when the producer suddenly directed the anchor to get off the air, the Charlotte Observer reported. The station went dark for nearly an hour. Police said the intruder’s gun was not loaded. The building was evacuated, but the intruder took no hostages, and no shots were fired. Officers persuaded the intruder to surrender and removed her on a stretcher just before 6 p.m. Police said she would be evaluated at a hospital, then booked into jail. Source:

54. December 20, CNET News – (International) Google DNS slowing down iTunes and Apple TV. AppleInsider reported December 22 on a potential cause for slow Apple TV and iTunes download speeds: the use of Google’s DNS servers. Last year Google started a public DNS service, promising faster speeds and security, but AppleInsider mentions that because some download services use the DNS server to locate the nearest download server, using Google’s DNS servers (which are at one location) will route everyone to the download server closest to them and bog it down. Source:

For another story, see item 50 above in the Information Technology Sector