Thursday, May 17, 2012

Complete DHS Daily Report for May 17, 2012

Daily Report

Top Stories

• Lightning strikes ignited fires in two 250,000-pound storage tanks containing flammable chemicals at a Dow chemical plant in Bristol Township, Pennsylvania. The fumes from the fire forced several schools to close down and caused breathing problems for people dozens of miles away. –

3. May 16, – (Pennsylvania; New Jersey) County, DEP: Air quality tests show chemical vapors at a ‘minimum’. Lightning strikes early May 16 ignited fires in two 250,000-pound storage tanks containing flammable chemicals at Dow Chemical’s Rohm & Haas plant in Bristol Township, Pennsylvania. The fires were extinguished after about 4 hours, but they put many chemicals in the air and the resultant fumes caused Bristol Township to close schools for the day, while an elementary school in Tullytown was dismissed early. The chemicals have a low-odor threshold, which means a small amount can be smelled at great distances. In this case, residents as far away as Lawrenceville, New Jersey, were reporting breathing problems from the vapors. When the tanks were breached, ethyl acrylate and butyl acrylate, both used in making acrylic paints, were released. The Bucks County emergency management and health departments issued a press release saying the chemicals can cause minor throat or eye irritation, headaches and nausea. The county initially advised area residents to stay indoors with windows closed. But air quality tests conducted by the county hazardous material team and state environmental officials about 8 to 9 hours after the fire showed remaining vapors were at a minimum. Dow workers removed the materials from the protective dike around the storage tanks that contained the spilled chemicals, a Dow spokeswoman said. Three emergency responders suffered minor injuries while fighting the fire and went to area hospitals. Source:

• After an explosion damaged four acid plants at the site, LSB Industries Inc said it would close its biggest chemical manufacturing facility in El Dorado, Arkansas, for an indefinite period. – Reuters

4. May 16, Reuters – (Arkansas) LSB Industries shuts Arkansas plant after explosion. LSB Industries Inc said it would shut its biggest chemical manufacturing facility for an indefinite period after an explosion caused significant damage. LSB said the direct strong nitric acid plant, which represents about 20 percent of its El Dorado, Arkansas facility’s total capacity, was damaged when a reactor exploded May 15. The explosion also caused minor damage to the three other acid plants at the facility, LSB’s CEO said. LSB, which makes heating, ventilation, and air conditioning and nitrogen-based chemical products, said it cannot estimate the extent of the damages. The CEO said it remains unknown how long the El Dorado facility will be out of production as the control room was also damaged. The El Dorado plant produces and sells about 470,000 tons of nitrogen-based products per year, according to the company’s annual report filed February 28. Source:

• U.S. nuclear power regulators overhauled community emergency planning for the first time in more than 3 decades, requiring fewer exercises for major accidents and recommending that fewer people be evacuated immediately. – Associated Press

7. May 16, Associated Press – (National) Evacs and drills pared near nuke plants. The nation’s nuclear power regulators have overhauled community emergency planning for the first time in more than three decades, requiring fewer exercises for major accidents and recommending that fewer people be evacuated right away, the Associated Press reported May 16. The revamp, the first since the program began after the Three Mile Island partial nuclear meltdown at a plant in Dauphin County, Pennsylvania in 1979, also eliminates a requirement that local responders always practice for a release of radiation. Under the new rules, the Nuclear Regulatory Commission and the Federal Emergency Management Agency, which run the program together, have added one new exercise: State and community police will now take part in exercises that prepare for a possible assault on their local plant. The change went into effect in December 2011. Source:

• Police in an Atlanta suburb were escorting school buses for six schools and guarding students at bus stops after a man aimed a rifle at a bus with children on board and dropped a notebook that listed bus numbers. – Associated Press

14. May 16, Associated Press – (Georgia) Police near Atlanta escort school buses, guard students after man seen aiming rifle at bus. After a man aimed a rifle at a school bus and dropped a notebook that listed bus numbers, police in an Atlanta suburb are escorting school buses and guarding students at bus stops. The man fled when witnesses confronted him May 14, but police recovered the rifle and notebook he dropped at the scene, just south of Atlanta. A Clayton County police officer said a witness saw the man pointing the rifle at a passing school bus. County school officials said another witness chased the man but stopped when the suspect fired a second gun at him. A schools spokesman said police are shadowing buses from six schools. Source:


Banking and Finance Sector

9. May 16, Jersey City Jersey Journal – (New Jersey) Man pleads guilty in scheme to steal credit card numbers from Jersey City diners. A man arrested at a New York airport after being deported from Mexico in February pleaded guilty to his role in a credit card fraud ring that stole credit card information from diners at two restaurants in Jersey City and Newark, New Jersey, officials said. He pleaded guilty to one count of identity theft May 14, a Hudson County prosecutor said. He was one of four people charged in August 2009 with possession of a forgery device, identity theft, and conspiracy to commit identity theft. All have now pleaded guilty to various charges. The ring involved a waiter who used an electronic skimmer to steal credit card information. Tens of thousands of dollars were then stolen from at least 100 patrons of the restaurants where he worked, officials said. The stolen credit card information was forwarded to a Belleville location, where another device was used to load the information onto other cards, which were then used to make purchases, officials said. Investigators executing a search warrant in 2009 found scores of credit cards encoded with stolen account information and numerous retail gift cards. Source:

10. May 15, Governor of New York State’s Press Office – (New York) Governor announces recovery of more than $50 million in fraudulent unemployment insurance payments. The governor of New York State May 15 announced $51.2 million in fraudulently-collected unemployment insurance benefits were returned to New York State’s Unemployment Insurance Trust Fund. The funds were recovered through the Treasury Offset Program (TOP), a State-federal partnership in which federal tax refunds are intercepted to cover delinquent debts. The program recovered the largest amount in the nation from more than 50,000 individuals. New York led the nation in recovery amounts by developing a low cost software tool that allows the state and federal collection systems to work together. This model has been shared with other States looking to participate in the TOP. The commissioner of Treasury’s Financial Management Service, which operates the program, said the program has “collected $174.9 million for the 14 participating states, including the District of Columbia.” The $51.2 million recovered was returned to the Unemployment Insurance Trust Fund to pay benefits to unemployed New Yorkers. Source:

11. May 15, Tampa Tribune – (Virginia; Florida) Businessmen accused of laundering money from fraudulent refunds. Two Florida businessmen were named in a federal indictment unsealed May 15 accusing them of conspiring to profit from fraudulent tax refund checks. In connection with the indictment, federal prosecutors are seeking the forfeiture of more than $26 million obtained from or linked to the offenses. The defendants and a brother of one of the men are accused of involvement in a fraud using stolen personal information to file tax returns with bogus financial data used to get tax refunds. Two of the men own convenience stores in Tampa, Florida, and Virginia. The third defendant was arrested May 15 as federal agents searched his home and his Tampa car businesses. According to the indictment, the three men used their businesses to launder the proceeds of tax fraud. Authorities said they purchased fraudulent income tax return checks and checks issued for refund anticipation loans and then presented them for payment at financial institutions in Virginia, Florida, and elsewhere. In total, the three are accused of fraudulently depositing more than $17.5 million. One of the defendants was recorded buying bogus U.S. Treasury checks from undercover detectives. In addition, agents analyzed 399 of the checks worth almost $1.7 million deposited into the Virginia man’s accounts, and found a majority of them were payable to out-of-State residents, primarily people in Tampa. Source:

12. May 15, Jacksonville Times-Union – (Florida) Bank robber sought by FBI after robberies in Duval, St. Johns, Volusia. The FBI asked for the public’s help in identifying a man believed responsible for at least three armed bank robberies in Florida’s Duval, St. Johns, and Volusia counties in the past 2 weeks, the Jacksonville Times-Union reported May 15. He walked up to the tellers, gave them a note demanding money, and said he had a gun, according to the FBI. The robberies were May 1 at a Bank of America in Jacksonville and a Wells Fargo in St. Augustine, and May 3 at a Wells Fargo in Edgewater. The FBI said he may be involved in other robberies. Source:

For another story, see item 37 below in the Communications Sector

Information Technology

29. May 16, H Security – (International) Avira update fixes Service Pack bug. Avira said it resolved the problems caused by a Service Pack released for its Windows products earlier the week of May 14. Users are advised to trigger a manual update to download the fix. Once installed, the update should prevent the program from blocking legitimate Windows applications on systems running Avira. May 14, Avira released “Service Pack 0” for all of its Windows products. Once the update was installed, the “ProActiv” behavioral monitoring component in Avira Antivirus Premium 2012 and Avira Internet Security 2012 blocked the execution of essential programs and trusted system processes. Those affected by the problem need to update Avira manually; once the update is installed, the ProActiv module can be reactivated. Source:

30. May 16, Computerworld – (International) Google releases Chrome 19, adds tab sync and patches 20 bugs. May 15, Google released Chrome 19, patching 20 vulnerabilities in the browser. Eight vulnerabilities were ranked “high,” seven were marked “medium,” and five were labeled “low.” Seven of the vulnerabilities were described in Google’s brief advisory as “out-of-bounds” read or write flaws, a category of memory bugs where a function does not check that input does not exceed allocated buffers. Google paid bounties to six researchers for reporting nine vulnerabilities, including two not strictly within Chrome. The 11 remaining bugs were uncovered by Google’s own security team or were credited to Microsoft, or were not significant enough to rate a bounty. Source:

31. May 16, H Security – (International) QuickTime for Windows update plugs security holes. Version 7.7.2 of QuickTime for Windows was released to address 17 security vulnerabilities in the media player. According to Apple, these include integer, stack, and buffer overflows, as well as memory corruption issues, all of which could be exploited by an attacker to crash the application or execute arbitrary code on a victim’s system. For an attack to be successful, a user must first open a malicious Web site or a specially crafted file. The company notes that, on Mac OS X, many of the holes were already fixed in Mac OS X 10.7.3 and 10.7.4 Lion, and Security Updates 2012-001 and 2012-002 for Mac OS X 10.6.8 Snow Leopard systems. A majority of these vulnerabilities were discovered by members of TippingPoint’s Zero Day Initiative. Source:

32. May 16, Softpedia – (International) High-ranked sites blacklisted by Google after being hijacked. Zscaler experts scanned the first 1 million Web sites found in Alexa’s top listings and found 621 of them are blacklisted by Google, even though some of them are legitimate Web sites visited by numerous users every day. How can a legitimate Web site get on the Google Safe Browsing list? For instance, subtitleseeker(dot)com, a Web site that offers subtitles for movies and TV shows, is ranked 6,239. The site is not malicious in any way, though Google still cataloged it as such once it detected abnormal activity on it. According to Zscaler, Subtitle Seeker was compromised and altered to host a malicious JavaScript. Other examples include sites that promote “work from home” scams, adult content, and fake antivirus software, but the majority of them were altered to push malicious PDF files, adware, and other types of malware. Some sites were blacklisted because they were found to contain iframes and JavaScripts with malicious intent. Source:

33. May 15, The Register – (International) Scammers exploit wannabe demon-slayers hyped by Diablo III. Cybercriminals targeted the release of Diablo III, May 14, with scams themed around the widely anticipated video game. Blizzard’s games systems collapsed due to the higher than expected demand for the game, the London Guardian reported. The software company is attempting to stop pirates from stealing the new role-playing game by forcing users to log into its servers before they can start playing it. This created a bottleneck centered around log-in systems at Blizzard, which struggled to service demand. Technical glitches were an unexpected bonus for scammers, who launched scams featuring the promotion of bogus crack and key-gen sites. These fake sites might potentially be more attractive than they normally would be as gamers struggle to acquire legitimate content through regular channels. Some of the scam sites GFI Software identified included supposed online key purchasing sites that actually install malicious software. Other spam Diablo III-themed links collated by the security firm lead to unrelated flash games, spam linkdumps, and a “donation experiment” where installs of the software offered enter targets into a supposed prize draw giveaway. These various scams are being promoted through the Web at large and social media Web sites, including Facebook and Pinterest. Source:

34. May 15, Help Net Security – (International) Pinterest scam toolkits widen the pool of potential scammers. Pinterest scam toolkits are available for sale to inexperienced scammers, according to McAfee. Usually sold on underground forums, these toolkits contain many tools. All actions needed to scam users are included and automated: creating Pinterest invites and mass comments on posts, mass creation of links, and scraping Amazon for products based on given keywords and then submitting them to Pinterest. Pinterest scams usually work by luring people in with offers of free gift cards, and the offered links land them either on sites hosting survey scams, on Amazon or other sites (which results in the scammers earning money by referral), or lead them to premium rate trojans (if the Pinterest visitor uses a mobile device to visit the site). Source:

35. May 15, IDG News Service – (International) Wikipedia warns users about malware injecting ads into its pages. Visitors to Wikipedia who see advertisements on the site have most likely fallen victim to a browser-based malware infection, Wikimedia Foundation, the organization operating the Web site, said May 14. “We never run ads on Wikipedia,” said the director of community advocacy for the Wikimedia Foundation. “If you’re seeing advertisements for a for-profit industry ... or anything but our fundraiser, then your Web browser has likely been infected with malware.” One example of such malware is a rogue Google Chrome extension called “I want this,” the director said. However, similar malicious add-ons might also exist for Mozilla Firefox, Internet Explorer, and other browsers, he said. This type of malicious software is known as click fraud malware and can target multiple Web sites at once. Source:

36. May 15, Threatpost – (International) Stolen certificates found in malware possibly targeting Tibetan groups. The recent trend of attackers using stolen digital certificates to make their malicious executables look legitimate is continuing unabated, with researchers now having come across a series of variants of the Etchfro trojan that are using certificates taken from several companies and issued by VeriSign, Thawte, and other certificate authorities. After looking at recent examples of malware signed with stolen certificates, researchers at Norman ASA, a security firm in Norway, noticed there was an aberrant string in one specific optional field included in the stolen certificates. It is unclear what, if any, purpose the string serves, but Norman researchers started searching the company’s malware database, looking for other samples with the same string. The search yielded more than 20 samples with the same atypical string, and each of them included a stolen digital certificate. All of the malware samples except one were some version of the Etchfro trojan. The other one is a version of the Gh0st RAT tool. Source:

For another story, see item 37 below in the Communications Sector

Communications Sector

37. May 16, LaSalle News Tribune – (Illinois) Severed fiber optic line cuts off communication in, out of Mendota. A severed fiber-optic line a few miles west of Mendota, Illinois, at a bridge construction site cut off phone line and Internet communication into and out of the city for at least 6 hours May 15, Mendota police said. The city’s mayor said Mendota businesses had difficulties with computers, e-mail, and other things that rely on phone lines. During the outage, Mendota Community Hospital had difficulty calling the downtown fire and police stations, so the Mendota Fire Department brought two portable radios for use by emergency room staff. Mendota police’s land line was largely unavailable for out-of-town callers for about 6 hours. A Frontier Communications customer care advocate confirmed a fiber optic line outside of Mendota was cut. Utility-company service relocation work has been going on in recent days to make way for the bridge project, an Illinois Department of Transportation district engineer said. Source:

38. May 15, Lincoln Journal Star – (Nebraska) Time Warner outage affects parts of Lincoln. A private contractor accidentally cut an underground fiber bundle in downtown Lincoln, Nebraska, May 15, leading to outages for some Time Warner Cable customers. A Time Warner Cable spokesman said the outage affected about 10 percent of the company’s customers. He said the company was working to remedy the problem and hoped to have cable service restored May 15. He said it affected parts of downtown. Source: