Tuesday, September 18, 2012 

Daily Report

Top Stories

  Hundreds of residents in Mishawaka, Indiana, returned home September 15 after a chemical fire at a vacant plant in the midst of a federal cleanup forced them, and many area businesses to evacuate. – Associated Press

5. September 17, Associated Press – (Indiana) Evacuation order lifted after Indiana chemical fire. Hundreds of residents in Mishawaka, Indiana, returned home early September 15 after a chemical fire at a vacant plant in the midst of a federally supervised cleanup ousted them from their homes. The all-clear was given after air monitoring showed it was safe for residents to return home within a 1-mile radius of the old Baycote factory. The Mishawaka battalion chief said the September 14 fire released a chemical vapor cloud of unknown substances, noting that about 200 people live or work at businesses in the evacuation zone. The Baycote complex was once an electroplating and metal-finishing business, but it has been vacant since 2008. The U.S. Environmental Protection Agency (EPA) began cleaning up the site in the spring of 2012. The EPA on-scene coordinator said more than 50,000 gallons of liquid and solid chemicals were stored there when the cleanup started, but most of the material was already removed. He said chemicals that a crew put into a plastic-lined cardboard box self-combusted and caught fire early the evening of September 14 — hours after the workers left the building. He said the white cloud the fire made may have contained hydrogen cyanide, hydrogen sulfide, and sulfur dioxide. The fire was confined to the storage container. The EPA plans to analyze what caused the fire and reassess its approach to removing the remaining chemicals from the site, the on-site coordinator said. Source: http://www.manufacturing.net/news/2012/09/evacuation-order-lifted-after-indiana-chemical-fire

  A deadly, drug-resistant superbug outbreak that began during the 2011 summer at the National Institutes of Health Clinical Center claimed its seventh victim September 7. – Washington Post

21. September 14, Washington Post – (Maryland) NIH superbug claims 7th victim. A deadly, drug-resistant superbug outbreak that began during the 2011 summer at the National Institutes of Health Clinical Center claimed its seventh victim September 7, when a seriously ill boy from Minnesota succumbed to a bloodstream infection, officials said September 14. The boy was the 19th patient at the research hospital to contract an antibiotic-resistant strain of the bacterium Klebsiella pneumoniae that arrived in August 2011 with a New York woman who needed a lung transplant. But his case marked the first new infection of this superbug at NIH since January — a worrisome signal that the bug persists inside the huge brick-and-glass federal facility in Bethesda, Maryland. Source: http://www.washingtonpost.com/national/health-science/nih-superbug-claims-7th-victim/2012/09/14/09b3742e-fe9b-11e1-b153-218509a954e1_story.html

  Government safety regulators are investigating nearly 200,000 Ford Crown Victoria police cars due to complaints about defective steering columns. – Associated Press

27. September 15, Associated Press – (National) Safety regulators looking at Ford police cars. Government safety regulators are investigating Ford‘s Crown Victoria police cars due to complaints about defective steering columns, the Associated Press reported September 15. The probe affects about 195,000 cars from the 2005 through 2008 model years. The government has received three complaints that part of the steering column can separate and cause loss of steering control. No crashes or injuries were reported, the National Highway Traffic Safety Administration said in documents posted September 15 on its Web site. Investigators will determine if the cars have a safety defect and whether a recall is needed. So far the vehicles have not been recalled. A Ford spokeswoman said that the company is aware of the investigation and is cooperating. The investigation only affects police versions of the Crown Victoria, she said. The Montgomery County, Maryland, Police Department said earlier the week of September 10 it was inspecting its 324 Crown Victorias because of a steering problem with its cruisers. Police in Tucson, Arizona also recently began inspecting its fleet of Crown Victorias. The police officer union says that at least six vehicles were found to be deficient and in need of repair. Source: http://www.dailyherald.com/article/20120915/business/709159881/

  Microsoft researchers investigating counterfeit software in China found that new systems being booted for the first time were already compromised with botnet malware. – PCWorld See item 35 below in the Information Technology Sector

  A man accused of trying to detonate a car bomb outside a bar in Chicago was scheduled to appear in federal court September 17. – Associated Press; WMAQ 5 Chicago

42. September 17, Associated Press; WMAQ 5 Chicago – (Illinois) Teen charged with Chicago bomb plot due in court. A man accused of trying to detonate a car bomb outside a bar in downtown Chicago was scheduled to appear in federal court September 17. Prosecutors said an undercover agent gave the man a phony car bomb and watched him press the trigger. He was charged with attempting to use a weapon of mass destruction and attempting to damage and destroy a building with an explosive. Federal prosecutors said the device was harmless and the public was never at risk. An affidavit said the man was active in jihadist Internet forums. The FBI said he searched online for information about making bombs and he was offered several chances to walk away from the plot. He was arrested September 14. Source: http://www.nbcchicago.com/news/local/Teen-Charged-With-Chicago-Bomb-Plot-Due-in-Court-170010526.html#ixzz26kAmIgLL


Banking and Finance Sector

10. September 14, WAPT 16 Jackson – (Mississippi) Woman says men strapped bomb to her, told her to rob bank. A woman told police that she was forced to strap on a backpack she thought contained explosives and was told to rob a Canton, Mississippi bank, the Associated Press reported September 14. The woman walked into a Trustmark bank and told employees she had a bomb and they should call police, the Canton police chief said. She told police that two men attacked and kidnapped her near a gas station in Canton. The men threatened to kill the woman and hurt her child if she did not rob the bank, the police chief said. She told police the men told her to keep the bank doors open so they could watch her during the robbery. Police closed down some of the streets in the area for several hours and told residents they were to stay inside with their doors locked. FBI officials said it had not been determined if the device was an actual bomb. The backpack was safely detonated by bomb squad members. Source: http://www.wapt.com/news/central-mississippi/Police-Men-strapped-bomb-to-woman-told-her-to-rob-bank/-/9156946/16604466/-/r8nyof/-/index.html

11. September 14, KCBS 2 Los Angeles – (California) ‘Desperate Bandit’ strikes again in Tustin, Chino. Officials said the ―Desperate Bandit‖ hit a Tustin, California bank September 14, and also robbed a bank in Chino later that day. In the first robbery, the FBI said the man walked into a Bank of the West branch, passed a note to a teller, and left with about $240. The bandit is also believed to have previously robbed US Bank branches in Chino and Anaheim. In each of the reported robberies, the suspect has handed over typed notes and describes his financial situation as ―desperate,‖ hence the nickname. Source: http://losangeles.cbslocal.com/2012/09/14/desperate-bandit-strikes-again-in-tustin-chino/

12. September 14, Associated Press – (National) 7 charged in $17M multistate fraud schemes. A federal indictment unsealed September 14 charged seven people with running a multistate Ponzi scheme and related mortgage fraud scams that prosecutors said cost investors and lenders a combined $17 million. The years-long investigation resulted in the arrest of a man and his father-in-law, who were charged with operating Loomis Wealth Solutions, a fraudulent California-based investment fund that cost more than 100 investors more than $7 million. They and five other defendants are also charged in a 50-count indictment with costing lenders $10 million in losses through two mortgage fraud schemes involving about 200 properties in Arizona, California, Florida, and elsewhere. Source: http://www.mercurynews.com/breaking-news/ci_21548696/7-charged-17m-multistate-fraud-schemes

13. September 13, Bloomberg News – (National) Canadian man pleads guilty in $130 million Ponzi scheme. A Canadian man pleaded guilty to charges he ran a $130 million Ponzi scheme selling fraudulent certificates of deposit to 1,200 people through banking entities he controlled, U.S. prosecutors said. The man admitted that from January 2004 to March 2009 he and others sold more than $129.5 million of bogus CDs to investors, causing losses of more than $75 million. He pleaded guilty to 18 counts of conspiracy, mail and wire fraud, and tax evasion, prosecutors said. The man surrendered voluntarily, has been in custody since April, and is cooperating with the government to recover funds, his lawyer said. He faces as long as 20 years in prison and a fine of twice the loss for the most serious charges. Source: http://www.bloomberg.com/news/2012-09-14/canadian-man-pleads-guilty-in-130-million-ponzi-scheme.html

Information Technology Sector

31. September 17, The H – (International) Attackers exploit unpatched Internet Explorer vulnerability. According to a security specialist, a security hole in Microsoft‘s Internet Explorer (IE) Web browser is being used by cyber criminals to infect computers with malware. The vulnerability, which was apparently unknown and unpatched until now, appears to hinge on how IE handles arrays in HTML files. So far, the attackers only targeted versions 7 and 8 of IE on fully patched Windows XP SP3 systems; it is not yet certain whether the exploit can be used with other software combinations. The specialist discovered the code on a server apparently being used for targeted attacks by the Chinese hacker group known as the Nitro gang. The first exploit for the critical Java vulnerability Oracle fixed with an emergency patch in August was also found on a server that appears to be linked to the Nitro gang. In the current attack, a specially prepared Web page executes a Flash applet that uses heap spraying to distribute shellcode in the system memory. It then reloads an iframe that uses the IE vulnerability to run the shellcode. An analysis from security firm Alien Vault found the remote administration tool Poison Ivy is currently being distributed in this way to give the attackers complete access to the infected system. Source: http://www.h-online.com/security/news/item/Attackers-exploit-unpatched-Internet-Explorer-vulnerability-1709592.html

32. September 17, Help Net Security – (International) LinkedIn-themed spam using data stolen in June breach? Spoofed LinkedIn emails notifying recipients of messages requiring their attention are not new, but ones being distributed recently appear to be more targeted than usual. The emails supposedly come from LinkedIn Reminders and usually contain ―There are a total of messages awaiting your response‖ in the subject line. What makes this spam run different is that most of them landed in real accounts instead of spam traps, making Avira‘s researchers suspect the spammers have access to information stolen from the professional social network during the June breach. If that is true, the scammers are probably having more success than usual in trying to get users to follow the offered link. While the link‘s destination is an online pharmacy presenting no immediate danger to users, the destination can be changed at any time, and lead them to Web sites serving malware. Source: http://www.net-security.org/secworld.php?id=13607

33. September 15, V3.co.uk – (International) Stolen iOS data used as malware lure. The recent high-profile breach of Apple iOS device data has become the latest lure for malware writers looking to infect users. Researchers with McAfee discovered a series of files being advertised on download services as an archive of the data stolen by hackers affiliated with the Anonymous AntiSec campaign. Though the hackers claimed the data was lifted from the personal laptop of an FBI agent, the bureau denied the claim and a U.S. publisher later took the blame for the breach. According to a McAfee senior threat researcher, the attackers hid a trojan as a file made to look as if it contained the hacked data. ―As you might have guessed, this file is not the real list but an ‗exe‘ file and, of course, a malware,‖ he said. ―[W]e recommend you take care before downloading an alleged sensational file.‖ Source: http://www.v3.co.uk/v3-uk/news/2205805/stolen-ios-data-used-as-malware-lure

34. September 14, Threatpost – (International) Tool scans for RTF files spreading malware in targeted attacks. Exploits embedded inside Microsoft Office documents such as Word, PDFs, and Excel spreadsheets have been at the core of many targeted attacks during the past 2 years. Detection of these attack methods is improving and hackers are recognizing the need for new avenues into enterprise networks. Some have been finding success using rich text format (RTF) files to spread malware that exploits Office vulnerabilities. In June, a researcher reported she collected 90 RTF files over the course of 3 months, many with China-related file names and many targeting specific industries. All of them were exploiting CVE-2012-0158, a vulnerability in Active X controls within MSCOMCTL.OCX—OLE files developed by Microsoft to allow object linking and embedding to documents and other files. Source: http://threatpost.com/en_us/blogs/tool-scans-rtf-files-spreading-malware-targeted-attacks-091412

35. September 14, PCWorld – (International) Your PC may come with malware pre-installed. Microsoft researchers investigating counterfeit software in China found that new systems being booted for the first time were already compromised with botnet malware right out of the box. Microsoft filed a computer fraud suit against a Web domain registered to a Chinese businessman. The suit alleges the Nitol malware on the new PCs points the compromised systems to 3322.org. Microsoft believes the site is a major hub of malware and malicious online activity. Microsoft claimed that the site in question hosts Nitol, as well as 500 other types of malware. A Washington Post report stated it is the largest single repository of malicious software ever encountered by Microsoft. Source: http://www.pcworld.com/article/262325/your_pc_may_come_with_malware_pre_installed.html

36. September 14, Threatpost – (International) Fake ADP and FDIC notifications leading users to Blackhole Exploit Kit. The latest iteration of the Blackhole Exploit Kit hit the Web the week of September 10 and attackers spread links to get unsuspecting victims to click through to the first version of the kit. Email notifications claiming to come from Microsoft Exchange, ADP, the Federal Deposit Insurance Corporation (FDIC), and other purported ―trusted sources‖ were spotted leading Web users to pages hosting the original exploit kit. A notification claiming to come from payroll services company ADP tries to trick employees into clicking through to what appears to be their Online Invoice Management account to ―protect the security of [their] data.‖ An email disguised as a voicemail notification from Microsoft Exchange Server tries to get users to click a link to listen to a voicemail. An email that appears to be from the FDIC tries to get users to click to download ―a new security version.‖ Source: http://threatpost.com/en_us/blogs/fake-adp-and-fdic-notifications-leading-users-blackhole-exploit-kit-091412

Communications Sector

37. September 15, Greenville News – (South Carolina) Damage costly as highwire copper thieves disrupt cable service. Authorities in South Carolina are looking for the copper thief or thieves who ―somehow reached the cable/phone lines measuring from one telephone pole to another (which is approximately 400 feet and approximately 35 feet from ground), cutting them, stealing the copper wiring, fibrotic cables and metal conduit lines,‖ according to a Spartanburg County sheriff‘s report. Neighbors reported loss of service beginning September 14. The theft in Chesnee involved equipment belonging to Chesnee Communications and Charter Communications, and will result in roughly $10,000 in repairs for each company, a sheriff‘s deputy said. Source: http://www.greenvilleonline.com/article/20120915/NEWS/309150111/Damage-costly-highwire-copper-thieves-disrupt-cable-service?odyssey=tab|topnews|text|FRONTPAGE&gcheck=1&nclick_check=1

For another story, see item 33

Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport

Contact Information

Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List:     Send mail to support@govdelivery.com.

Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure
Coordinating Center at  nicc@dhs.gov or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at  soc@us-cert.gov or visit their Web page at  www.us-cert.go v.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.