Thursday, April 26, 2012

Complete DHS Daily Report for April 26, 2012

Apologies to all for the delay in this report! I normally obtain the full report directly from DHS at 5AM EDST. Today, as of 10:30AM it still is not available there so I obtained the full report from the InfraGard site!

Daily Report

Top Stories

• Four associates of a New York businessman convicted in a $400 million Ponzi scheme were arrested on charges they pocketed nearly $38 million in commissions for their role in the fraud. – Associated Press See item 17 in the Banking and Finance Sector

• A cruise industry group announced new safety policies in response to the January 13 wreck of the Costa Concordia that killed 32 people. – Miami Herald

24. April 25, Miami Herald – (International) Cruise industry responds to fatal Costa Concordia wreck with new safety rules. In response to the January 13 wreck of the Costa Concordia cruise liner that killed 32 people, the organization that represents the cruise industry announced new safety policies. The rules were issued April 24 by the Cruise Lines International Association and European Cruise Council. They include: having more lifejackets aboard ships than required by law; limiting access to a ship’s bridge at potentially dangerous times; and requiring cruise ship routes to be planned in advance and shared with all members of the bridge team. All policies were put into effect immediately. Two rules were directly related to errors believed to have led to the Concordia grounding and capsizing. The ship’s captain is accused of taking the ship on an unauthorized path too close to the Italian island of Giglio while he was reportedly distracted by guests on the bridge. The captain is under house arrest and faces charges that include manslaughter and causing a shipwreck.

• At least one major South Korean retailer suspended the sale of U.S. beef after authorities confirmed a case of mad cow disease in a dairy cow in California. – CNN

28. April 25, CNN – (National; International) S. Korea curbs U.S. beef sales after confirmation of mad cow disease. At least one major South Korean retailer suspended the sale of U.S. beef after authorities confirmed a case of bovine spongiform encephalopathy (BSE), sometimes called “mad cow disease,” in a dairy cow in central California, CNN reported April 25. Public health officials in the United States said the risk to the public was extremely low, and residents do not need to take any specific precautions. However, in South Korea, one of the largest importers of U.S. beef, the discovery was enough to prompt retailer LotteMart to remove American beef from store shelves. The South Korean government said it will step up checks on U.S. beef imports — but not halt them for now. In 2010, South Korea imported 125,000 tons of U.S. beef, a 97 percent increase from the year before, the U.S. Department of Agriculture said. The carcass was at a Baker Commodities Inc. rendering facility in Hanford, California, said the company’s executive vice president. The company renders animal byproducts and had randomly selected the animal for testing April 18, he said. The sample was sent to the University of California, Davis for initial testing, which came back inconclusive. It was then sent to the U.S. Department of Agriculture’s laboratory in Ames, Iowa, where it tested positive, the agency said. The carcass was in quarantine April 24. BSE is usually transmitted between cows through the practice of recycling bovine carcasses for meat and bone meal protein, which is fed to other cattle. In this case, the USDA reports it was a rare form of BSE not likely carried by contaminated feed. The Centers for Disease Control and Prevention reported the odds of a person contracting mad cow disease, even after consuming contaminated products, are less than 1 in 10 billion. Source:

• A group called the Threateners, which claimed responsibility for more than 100 bomb threats that caused dozens of evacuations at the University of Pittsburgh over several weeks, announced its campaign has ended. – New York Times

40. April 24, New York Times – (Pennsylvania) Group says it has ceased bomb threats on campus. As students headed to final exams at the University of Pittsburgh in Pittsburgh the week of April 23, they were hoping there would be no further evacuations now that a group that claimed responsibility for more than 100 bomb threats has announced its bomb threat campaign is over, the New York Times reported April 24. Calling itself the Threateners, the group claimed responsibility for dozens of bomb threats delivered by e-mail to Pittsburgh-area news outlets since March 30. The weekend of April 21, in an open letter to the university’s chancellor, the group said it would stop if the university withdrew its $50,000 reward for information leading to the arrest of the people behind the threats. In early April, on the advice of law enforcement officials, the university refused to negotiate with what appears to be the same anonymous group, university officials said. However, April 21, the offer of a reward vanished from the university’s Web site. Officials said no threats have been received since April 21. Bomb-sniffing dogs had been on the scene since February 13, when the first threat was found scribbled on a wall in a women’s restroom in a chemistry building. The Threateners, in an e-mail sent to the campus newspaper, the Pitt News, and addressed to the chancellor, claimed responsibility only for e-mail threats since March 30. While the bomb threats prompted some students to abandon dorms and classrooms and head home early this semester, university officials vowed to keep the campus open and operating, turning to Twitter and other social media tools to inform students of threats and when buildings were clear for them to return. Professors abandoned attendance policies and gave lectures online. Facebook pages and Google spreadsheets offered off-campus accommodations for students weary of being evacuated. 
The university announced security measures would be put in place for graduation April 29.

• Symantec discovered new forms of Java malware that infect Mac and Windows computers. Both forms can launch a trojan that can trigger a backdoor on the computer, allowing unauthenticated access. – Threatpost See item 55 below in the Information Technology Sector

Banking and Finance Sector

14. April 25, U.S. Securities and Exchange Commission – (New York; National) Attorney, Wall Street trader, and middleman settle SEC charges in $32 million insider trading case. The U.S. Securities and Exchange Commission (SEC) April 25 announced a settlement in a $32 million insider trading case filed by the agency in 2011 against a corporate attorney and a Wall Street trader. The SEC alleged the insider trading occurred in advance of at least 11 merger and acquisition announcements involving clients of the law firm where the attorney worked. He and the trader were linked through a mutual friend, who acted as a middleman to facilitate the illegal tips and trades. The lawyer and trader used public telephones and prepaid disposable mobile phones to communicate with the accomplice in an effort to avoid detection. Source:

15. April 25, Financial Industry Regulatory Authority – (Texas; National) FINRA hearing officer expels Pinnacle Partners Financial Corp. and bars president for fraud. A Financial Industry Regulatory Authority (FINRA) hearing officer expelled Pinnacle Partners Financial, Corp., a broker-dealer based in San Antonio and barred its president for fraudulent sales of oil and gas private placements and unregistered securities, according to an April 25 press release. In addition, the president was found to have used customer funds for personal and business expenses. The hearing officer found that from August 2008 to March 2011, Pinnacle and its president operated a boiler room in which about 10 brokers placed thousands of cold calls on a weekly basis to solicit investments in oil and gas drilling joint ventures the president owned or controlled. They raised more than $10 million from more than 100 investors, diverting some customer funds for unrelated business and personal expenses. The hearing officer also found Pinnacle and its president included many misrepresentations and omissions in investment summaries for 11 private placement offerings, including grossly inflated natural gas prices, projected natural gas reserves, estimated gross returns, and estimated monthly cash flows.

16. April 25, Krebs on Security – (California) Skimtacular: All-in-one ATM skimmer. A security researcher recently received information from a law enforcement source in the California area about a recent ATM skimmer attack that showcased a well-designed and stealthy all-in-one skimmer, Krebs on Security reported April 25. The skimmer was recovered by a customer at a bank in the San Fernando Valley, who called the cops upon her discovery. Police in the region still have no leads on who might have placed the device. The numeral “5” engraved in the upper right portion of the skimmer suggests it was one in a series of fraud devices produced by the skimmer maker. The skimmer appears to be powered by a phone battery that connects to the card reader device and to the circuit board for a video camera. Flip the device around, and there is a tiny pinhole where the attached camera peers through the skimmer front to capture time stamped footage of victims entering their PINs. Source:

17. April 25, Associated Press – (New York; Florida) NY, Fla. associates of Ponzi schemer arrested. Four associates of a New York businessman convicted in a $400 million Ponzi scheme were arrested April 25 on charges they pocketed nearly $38 million in commissions for their efforts in advancing the fraud, federal prosecutors said. Three of the suspects were arrested without incident in New York and a fourth was taken into custody in Florida, an FBI spokesman said. The four were account representatives of Hauppauge, New York-based Agape World Inc. and Agape Merchant Advance (AMA), according to a criminal complaint. The two investment companies were run by a man who pleaded guilty to mail and wire fraud charges in a scheme that bilked more than 4,000 investors in a $400 million Ponzi scheme. The scheme targeted mainly blue-collar workers. The complaint unsealed April 25 alleges the four pocketed huge commissions for assisting the man and Agape in running the scheme. Agape promised huge returns on investments, which were to be used only to fund specific, short-term secured bridge loans to commercial borrowers or to make short-term loans to small businesses, prosecutors said. They said the defendants knew Agape and AMA did not produce or earn rates of return that could support the exorbitant returns promised to investors, but continued to solicit money from investors. Prosecutors said that the defendants learned in November 2008 that all of Agape’s 2007 bridge loans were in default or on extension, but failed to disclose that information to existing or new investors. Source:

18. April 24, Reuters – (Connecticut; International) Fugitive Swiss bank Wegelin forfeits $16 mln. Wegelin & Co, the oldest Swiss private bank, has forfeited more than $16 million held in a UBS AG account, after becoming the first overseas bank indicted in the United States for allegedly helping U.S. taxpayers evade taxes. In an order made public April 24, a U.S. district judge in New York entered the forfeiture order, covering money seized from a U.S. correspondent account held at UBS in Stamford, Connecticut. U.S. prosecutors accused Wegelin February 2 of helping clients hide more than $1.2 billion in offshore bank accounts. They said the tax fraud conspiracy ran from 2002 and 2011, and involved more than 100 U.S. taxpayers. A U.S. attorney in New York said the forfeited funds will be deposited with the U.S. Treasury. A U.S. district judge declared Wegelin a fugitive February 10 after it failed to answer the criminal charge. Wegelin has no branches outside Switzerland, and had followed the common industry practice of using correspondent banking services to handle money for U.S. clients. Source:

19. April 24, U.S. Securities and Exchange Commission – (National) H&R Block subsidiary agrees to pay $28.2 million to settle SEC charges related to subprime mortgage investments. The U.S. Securities and Exchange Commission (SEC) April 24 charged H&R Block subsidiary Option One Mortgage Corporation with misleading investors in offerings of subprime residential mortgage-backed securities (RMBS) by failing to disclose its financial condition was significantly deteriorating. Option One, which is now known as Sand Canyon Corporation, agreed to pay $28.2 million to settle the SEC’s charges. The SEC alleges Option One promised investors in more than $4 billion worth of RMBS offerings that it sponsored in early 2007 that it would repurchase or replace mortgages that breached representations and warranties. However, Option One did not tell investors about its deteriorating financial condition and that it could not meet its repurchase obligations on its own. According to the SEC’s complaint filed in California, Option One was one of the nation’s largest subprime mortgage lenders with originations of $40 billion in its 2006 fiscal year. When the subprime mortgage market started to decline in the summer of 2006, Option One experienced a decline in revenues and significant losses, and faced hundreds of millions of dollars in margin calls from creditors. At the time, Option One needed H&R Block, through a subsidiary, to provide it with financing under a line of credit to meet its margin calls and repurchase obligations. However, Block was under no obligation to provide that funding. Option One did not disclose this information to investors. The SEC further alleges Block never guaranteed Option One’s loan repurchase obligations, and that Option One’s mounting losses threatened Block’s credit rating at a time when Block was negotiating a sale of Option One. Source:

20. April 24, Federal Bureau of Investigation – (Oregon) Willamette Development Services executive’s wife indicted for investment fraud scheme. The spouse of the former chief executive officer (CEO) of Willamette Development Services LLC (WDS), was arraigned in federal court April 23. She was added as a defendant to an indictment charging her husband, the former investment relations manager for WDS, and the WDS Corporation with securities fraud, mail and wire fraud, and money laundering. The 22-count superseding indictment alleges she committed these offenses as an executive with Witham Investments LLC. The indictment also alleges the WDS CEO committed bank fraud and bankruptcy fraud. The indictment alleges that from April 2006 through January 2008, through misrepresentations by the CEO and investment relations manager, WDS obtained $5,285,300 from investors for the purpose of developing at least 10 real estate projects. The indictment also alleges WDS incurred $10,795,200 of additional indebtedness from lenders. By January of 2008, none of the projects were completed and WDS was insolvent. The investors lost their entire investment. Secured lenders recovered portions of their loans through foreclosures. The indictment alleges that the CEO lied about his background and prior experience. He and the investment relations manager are also alleged to have told investors that their money would be placed in a holding account until certain financial goals were reached. Investors were also told their money would be used for specific projects, but in fact the funds were allegedly diverted to non-project purposes without investor consent. The indictment also alleges the CEO’s wife laundered money through Witham Investments. Source:

21. April 24, KCBS 2 Los Angeles; KCAL 9 Los Angeles – (California) Investigators link ‘Snowboarder Bandit’ to another bank heist in Palm Springs. Authorities linked a man known as the “Snowboarder Bandit” to a bank heist in Palm Springs, California, KCBS 2 Los Angeles and KCAL 9 Los Angeles reported April 24. The bandit, who is on the FBI’s most wanted list of bank robbers, is now connected to 11 bank holdups in southern California. He is suspected of holding up a BBVA Compass branch April 20, an Orange County Sheriff’s Department spokesman said. After reviewing surveillance footage, investigators April 24 determined it was the Snowboarder Bandit, an FBI special agent said. Authorities believe it was the first time since he first began targeting banks in December 2011 that the suspect has ventured out of Orange County to commit a heist. A composite sketch of the suspect was released April 23. Authorities said that before the Palm Springs robbery, it had been just over a month since the Snowboarder Bandit had hit. The FBI said that someone inside of a Wells Fargo branch in Irvine recognized the snowboarder bandit April 19. He got just inside, inquired about a safe deposit box, and then quickly left. Source:

Information Technology

46. April 25, H Security – (International) Firefox 3.6.x reaches end of life. The 3.6.x branch of Mozilla’s Firefox Web browser reached its end of life April 24 — no further updates, including security updates and critical fixes, will be made available for the series. According to recent Platform Meeting Notes, users running Firefox 3.6.13 to 3.6.28 should have already started receiving “Major Update” prompts asking them to upgrade to the latest stable release of the browser. All of these users are advised to upgrade as soon as possible. A number of users and organizations previously stayed on the legacy branch of Firefox due to worries over Mozilla’s new Rapid Release process, which sees a new update to the browser arrive every 6 weeks. For enterprises, this meant they would not have sufficient time to test and certify any given version before the next one was released. To address these concerns, Mozilla created an Extended Support Release (ESR) of Firefox aimed at enterprises and other large organizations. Alongside the release of Firefox 12 April 24, Mozilla also updated Firefox ESR, which is currently based on Firefox 10, to version 10.0.4. The update is the first ESR release to complete the qualification phase of the ESR life cycle that is designed to ensure the quality of the release. The new ESR release fixes various bugs and closes a total of 11 security holes, including 6 critical vulnerabilities for problems related to WebGL, OpenType Sanitizer, font-rendering with Cairo, gfxImageSurface, IDBKeyRange, FreeType, and miscellaneous memory safety hazards. Source:

47. April 25, Wired – (International) Anti-viral: Facebook partners with security vendors to stop malware. Facebook is partnering with the Internet’s top security software vendors in an attempt to crack down on users sharing URLs that lead to phishing and virus-laden Web sites, the company announced April 25. Users can also get a free 6-month trial of the companies’ antivirus software to install on their computers. In the deal, Microsoft, McAfee, TrendMicro, Sophos, and Symantec will share with Facebook their databases of malicious URLs, adding to Facebook’s own system for preventing users from sharing known links to sites that could install malware. Source:

48. April 25, Help Net Security – (International) VMware confirms server hypervisor source code leak. VMware confirmed a file from the VMware ESX server hypervisor source code was leaked by a hacker that goes by the handle “Hardcore Charlie.” The posted code and associated commentary dates to the 2003 to 2004 timeframe, said the director of VMware’s Security Response Center. He added there is a possibility more files may be posted in the future, as the hacker claimed to have in his possession around 300 MB of VMware source code. He said the fact the source code may have been publicly shared does not necessarily mean there is any increased risk to VMware customers. The leaked file was part of a batch of documents released by the hacker. The provenance of the leaked code has not been confirmed, but it appears to originate from the servers of the China Electronics Import & Export Corporation, which recently suffered a breach, allegedly at the hands of Hardcore Charlie. According to Threatpost, the hacker boasted of breaching many big firms in the Asia-Pacific region, and said he possesses more than a terabyte of data stolen from their servers. He also claims he and his associates still have access to the networks of some of these firms. Some documents were already leaked online, and among them are shipping documents of U.S. military transports in Afghanistan.

49. April 25, H Security – (International) Online forums hacked and misused on a large scale. Online forums have, for some time, been the target of hackers who inject additional code looking for money. They steal Google traffic from the forums and exploit this traffic via ads. Their main targets appear to be forums based on the vBulletin software. These attackers have discreet working methods. They hide their code deep in a system and ensure redirections do not attract attention. Only users who visit forum pages for the first time via a search engine are redirected to a URL. The site first displays a strange blocking alert (“Access denied”) followed by arbitrary text and then loads a full-page ad by InfinityAds. The ads are probably a direct source of income for intruders even though each ad is only worth a few pennies. However, as some forum operators noted, their traffic has dropped by more than 70 percent, and the phenomenon seems widespread, so the overall yield could be considerable. Forum owners and regular forum users who access pages directly never encounter the redirection. Neither will those who try to reproduce the issue by repeatedly clicking through to the forum via Google be redirected, because a cookie already exists for the page. One way of reliably reproducing the redirection is to carry out a search with a browser in private or anonymous mode. Source:
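A forum operator can test for the conditional redirection described above the same way the article suggests reproducing it: request the page once as a direct visitor and once as a first-time visitor arriving from a search engine, with no cookies, and compare. The script below is an added example, not code from the article or from vBulletin; the referer string, user agent, the `http_fetch`/`probe_cloaking` names and the simulated fetcher are all constructed for this demonstration.

```python
import urllib.request
from urllib.error import HTTPError

# Constructed values for this example; any search-engine referer will do,
# the point is that the first visit appears to arrive from a search result.
SEARCH_REFERER = "https://www.google.com/search?q=example+forum"
USER_AGENT = "cloaking-probe/1.0 (site-owner check)"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand 3xx responses back to the caller instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, headers):
    """Fetch `url` once with the given headers and return
    (status, Location header or None). No cookie jar is attached, so every
    request looks like a first visit, like the private-mode reproduction the
    article describes."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as err:  # 3xx ends up here because we refuse to follow it
        return err.code, err.headers.get("Location")


def probe_cloaking(url, fetch=http_fetch):
    """Request the same page as a direct visitor and as a fresh visitor coming
    from a search engine. A redirect that appears only in the second case is
    the pattern the article describes (regular users never see it)."""
    direct = fetch(url, {"User-Agent": USER_AGENT})
    via_search = fetch(url, {"User-Agent": USER_AGENT, "Referer": SEARCH_REFERER})
    direct_redirects = 300 <= direct[0] < 400
    search_redirects = 300 <= via_search[0] < 400
    return {
        "direct": direct,
        "via_search": via_search,
        "cloaked": search_redirects and not direct_redirects,
        "redirect_target": via_search[1] if search_redirects else None,
    }


def _simulated_fetch(url, headers):
    """Offline stand-in for http_fetch that reproduces the behaviour described
    in the article: first-time search visitors (Referer set, no Cookie) are
    bounced, everyone else gets the forum page. Constructed for the demo."""
    if "Referer" in headers and "Cookie" not in headers:
        return 302, "http://redirect.example/denied"
    return 200, None


if __name__ == "__main__":
    result = probe_cloaking("http://forum.example/index.php", _simulated_fetch)
    print("cloaked:", result["cloaked"], "->", result["redirect_target"])
    # Live check against your own site: probe_cloaking("https://forum.example/")
```

The probe only sees HTTP-level redirects; a redirect performed by injected JavaScript would require inspecting the response body as well.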

50. April 25, H Security – (International) Thunderbird and SeaMonkey updates arrive, close security holes. Mozilla recently published updates to Thunderbird and SeaMonkey. The updates remedy 13 vulnerabilities in each application. Six of these are considered to be critical and originate in problems related to WebGL, OpenType Sanitizer, font-rendering with Cairo, gfxImageSurface, IDBKeyRange and miscellaneous memory-safety hazards. Four of the remaining issues are rated as “High” risk, while the three remaining bugs are “Moderate.” In the release announcement for Thunderbird, the developers also remind users the legacy 3.1.x branch of the application reached its end of life and no further updates, including security updates and critical fixes, will be made available for the series. Source:

51. April 24, Computerworld – (International) Mozilla delivers silent updating with Firefox 12 release. April 24, Mozilla released Firefox 12, patching 14 security bugs in the browser and moving it one step closer to silent updating. The latest in the line of updates that rolled off the Mozilla development line every 6 weeks since mid-2011, Firefox 12 fixed seven vulnerabilities labeled “critical,” the highest threat ranking in Mozilla’s four-step scoring, four bugs tagged “high,” and three pegged “moderate.” Mozilla also patched 19 other bugs, all critical, in the mobile edition of Firefox, which runs on the Android platform. Among the 14 desktop vulnerabilities, Mozilla patched 3 that could be used by hackers in cross-site scripting (XSS) attacks, one that applied only to Windows Vista and Windows 7 PCs with hardware acceleration disabled, and another in image rendering done by the WebGL 3D standard. Source:

52. April 24, U.S. Consumer Product Safety Commission – (National) Lenovo expands recall of ThinkCentre desktop computers due to fire hazard. The U.S. Consumer Product Safety Commission, in cooperation with Lenovo, announced a voluntary recall of about 13,000 Lenovo ThinkCentre M70z and M90z computers April 24 (50,500 were previously recalled in March). The manufacturer/importer of the product was Lenovo, of Morrisville, North Carolina. A defect in an internal component in the power supply can overheat and pose a fire hazard. Lenovo received reports of one fire incident and one smoke incident. The computers were sold online at Lenovo’s Web sites, by telephone, and direct sales through Lenovo authorized distributors nationwide from May 2010 through March 2012. Source:

53. April 24, Government Computer News – (International) FBI, working group reinforce effort to rid computers of DNSChanger. The FBI and a working group of security experts relaunched their campaign to rid computers of the DNSChanger malware that still threatens to cut hundreds of thousands of users off from the Internet in July. The ad hoc DNSChanger Working Group has a new Web site that links to instructions on how users and organizations can find and remove DNSChanger from their machines, along with updates on the effort. The FBI also has a Web page devoted to fixing the problem. DNSChanger infected as many as 4 million computers around the world as part of an Estonia-based clickjacking scheme the FBI busted in November 2011. The malware redirected infected computers to the ring’s servers, which then sent them to bogus sites, while also disabling antivirus software. After the FBI broke up the ring and arrested six of its principals, it received a court order to allow the Internet Systems Consortium to run temporary replacement DNS servers in place of the ring’s servers. Otherwise, infected computers would have had their DNS requests sent to servers that were taken offline, effectively cutting them off from the Internet. The original court order was to expire in March, but the FBI obtained an extension until July 9 to allow more time to clean infected machines. Much progress has been made in ridding machines of the malware, and federal agencies have largely been cleaned of infections, but an estimated 350,000 could still be at risk. The new campaign is designed to raise awareness about the threat, so users and organizations check for the malware and remediate the problem if it is on their machines. Source:

54. April 24, Threatpost – (International) OpenSSL releases new fix for CVE-2012-2110 ASN1 bug. The OpenSSL developers had to re-release the fix for a serious vulnerability in the software’s ASN.1 implementation that could allow an attacker to cause a denial-of-service or potentially run arbitrary code on a remote machine. The updated fix only applies to version 0.9.8v; all of the other previously affected versions are already protected with the existing patch. OpenSSL released the original advisory and fix for the CVE-2012-2110 vulnerability the week of April 16, fixing the bug in versions 0.9.8, 1.0.1a, and 1.0.0i. However, after releasing the fixes, Red Hat discovered the fix for version 0.9.8 did not completely address the vulnerability, hence the new patch. “The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key,” according to the description of the bug in the National Vulnerability Database. Source:
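Because the 0.9.8 fix had to be re-issued, a host that already took the first patch can still be exposed; the version check below turns the fixed versions quoted from the advisory (0.9.8v, 1.0.0i, 1.0.1a) into a verdict on `openssl version` output. This is an added example, not OpenSSL or Red Hat code; the function names are this example's own, and treating branches newer than 1.0.1 as unaffected is an assumption made here.

```python
import re

# First fixed release per branch, from the NVD description quoted above:
# "before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a".
FIXED_FOR_CVE_2012_2110 = {
    (0, 9, 8): "v",
    (1, 0, 0): "i",
    (1, 0, 1): "a",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Extract (major, minor, patch, letter) from a string such as
    'OpenSSL 0.9.8u ...' (the output of `openssl version`). OpenSSL letter
    suffixes sort alphabetically and an absent suffix sorts before 'a'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def is_vulnerable_to_cve_2012_2110(version_text):
    """True if this OpenSSL build still carries the asn1_d2i_read_bio bug.

    A branch in FIXED_FOR_CVE_2012_2110 is vulnerable below its fixed letter,
    so 0.9.8u (the first, incomplete fix) still counts as vulnerable.
    Branches older than 0.9.8 are vulnerable ("before 0.9.8v"). Branches newer
    than 1.0.1 are assumed unaffected; that is this example's assumption, not
    a statement from the report."""
    major, minor, patch, letter = parse_openssl_version(version_text)
    branch = (major, minor, patch)
    if branch in FIXED_FOR_CVE_2012_2110:
        return letter < FIXED_FOR_CVE_2012_2110[branch]
    return branch < (0, 9, 8)


def audit(version_lines):
    """Map each `openssl version` line to True (vulnerable) or False."""
    return {line: is_vulnerable_to_cve_2012_2110(line) for line in version_lines}


if __name__ == "__main__":
    SAMPLE = [  # constructed sample lines, not output from any real host
        "OpenSSL 0.9.8u",
        "OpenSSL 0.9.8v",
        "OpenSSL 1.0.0h",
        "OpenSSL 1.0.0i",
        "OpenSSL 1.0.1",
        "OpenSSL 1.0.1a",
    ]
    for line, vuln in audit(SAMPLE).items():
        print("%-16s %s" % (line, "VULNERABLE (update)" if vuln else "patched"))
```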

55. April 24, Threatpost – (International) New Java malware exploits both Windows and Mac users. Symantec discovered a new form of Java malware that infects Apple and Windows machines. The company’s research describes a strain of Java Applet malware that drops either Python-based malware on Mac operating systems or an executable form of malware on Windows computers. If opened, both forms could launch a Trojan that could trigger a backdoor on the computer, regardless of the platform. The malware exploits the Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507) to download the malware. The post said the Mac trojan can currently only control polling times, or “how many times it gets commands from the server at certain time intervals.” If enabled, however, the trojan can also download files, list files and folders, open a remote shell, sleep, or upload files. The trojan for Windows can send information about the infected computer and disk, its memory usage, OS version and user name, in addition to downloading and executing files and opening shells to receive commands. The news of this malware comes after the discovery of Flashback and SabPub, two forms of malware that targeted Mac users throughout the first quarter of 2012 via another vulnerability in Java. The vulnerability CVE-2012-0507 — an older Java flaw recently blocked by Mozilla’s Firefox — was used by some Flashback variants earlier in April, before being patched by Apple. Source:

Communications Sector

56. April 25, Brattleboro Reformer – (Vermont) Thieves steal live telephone lines. Police said someone cut down several telephone lines in Dover, Vermont, to steal the copper. According to the Dover police chief, at about 3 a.m. April 20 about 800 feet of cable was cut from the utility poles along North Street in the East Dover section of town. Police were first alerted to the theft after FairPoint Communications said they had received a report of an outage and discovered the missing telephone lines at the scene. The chief said he is looking into the possibility of bringing in the FBI to assist with the case. Source:

For more stories, see items 47, 49, and 51 above in the Information Technology Sector