Thursday, January 19, 2012

Complete DHS Daily Report for January 19, 2012

Daily Report

Top Stories

• A January 13 report from the Pentagon’s top tester said the U.S. Air Force grounded its F-22 Raptors in 2011 “due to suspected contamination problems” associated with the environmental control system and onboard oxygen generation system. – Defense News (See item 9)

9. January 13, Defense News – (National) DoD tester: Toxins suspected in 2011 Raptor grounding. A January 13 report from the Pentagon’s top tester said the U.S. Air Force grounded its F-22 Raptors in 2011 “due to suspected contamination problems associated with the aircraft environmental control system and associated onboard oxygen generation system form later April through late September 2011 (sic).” Compiled by the Pentagon’s chief operational tester, the review confirms Defense News’ July 25 report that toxins entering the cockpit of the Raptor caused more than a dozen incidents that resembled hypoxia. Since the grounding was lifted in September, the Raptor has flown more than 6,000 times. More incidents have occurred, despite Air Force precautions that include installing charcoal-based filters and having pilots wear pulse-oximeters to alert them of problems. A scientific advisory board quick-look study ordered in 2011 by the Air Force secretary should be finalizing its report either in late January or early February. Sources indicate the service investigators have not found any single explanation for the Raptor’s woes. The problem cannot be duplicated on the ground, nor do the hypoxia-like incidents occur at any consistent altitude or phase of flight — if in fact the cause happens in the air. Source:

• Symantec Corp said a 2006 breach led to the theft and January 2012 publication of the source code to its flagship Norton security software. The company reversed its previous position that it was not hacked. – Reuters. See item 47 below in the Information Technology Sector


Banking and Finance Sector

11. January 18, Associated Press – (New York) Bank of New York Mellon in partial settlement of fraud charges tied to currency trades. Bank of New York Mellon and the Justice Department (DOJ) have reached a partial settlement regarding charges the bank defrauded customers by offering them unfavorable rates on currency transactions. Under the settlement, announced January 17 by the top federal prosecutor in Manhattan, the bank must disclose how it comes up with currency exchange rates for customers who buy and sell foreign securities or receive foreign dividends. A federal lawsuit filed in October alleged the bank provided customers exchange rates at the outer margins of what banks offer to each other and made money on the difference. Bank of New York Mellon agreed to stop telling customers they were getting “best execution” prices. Federal prosecutors have sought hundreds of millions of dollars in civil penalties against the bank. The DOJ and the bank will continue contesting that part of the lawsuit. Source:

12. January 18, Associated Press – (New York; Massachusetts) 7 charged in $61M single-trade stock fraud case. A hedge fund co-founder, four financial analysts, and a Dell Inc. employee teamed up in a record-setting insider trading scheme that netted more than $61.8 million in illegal profits based on trades of a single stock from 2008 through 2009, authorities said January 18 as they described a network of friends in finance who made the most of their connections with corrupt employees of technology companies. The scheme was described in a criminal complaint in a U.S. district court that charged four of the men with conspiracy to commit securities fraud and securities fraud, among other charges. Three analysts have already pleaded guilty and are cooperating with the government, according to the court papers. The insider trading plot, as authorities described it, would be noteworthy for its size. A co-founder at former hedge fund group Level Global Investors LP was among three men arrested January 18. He surrendered to the FBI. An analyst at Sigma Capital Management, an affiliate of hedge fund SAC Capital Advisors in Manhattan, was arrested at his New York City home, while a hedge fund portfolio manager was arrested in Needham, Massachusetts. It was not immediately clear if the fourth man charged in the complaint was in custody. The illegal profits in the case were made after tips were shared among co-conspirators about upcoming earnings announcements regarding Dell and Nvidia Corp., according to court papers. Source:

13. January 18, The Register – (International) New stealthy botnet Trojan holds Facebook users hostage. A new strain of cybercrime trojan is targeting Facebook users by taking over their machines and shaking them down for cash, The Register reported January 18. Carberp, like its predecessors Zeus and SpyEye, infects machines by tricking users into opening PDFs and Excel documents loaded with malicious code, or attacks computers in drive-by downloads. The hidden malware is designed to steal account information and harvest credentials for e-mail and social-networking sites. A new configuration of the Carberp trojan targets Facebook users to ultimately steal e-cash vouchers. Previous malware attacks on Facebook have been designed purely to steal log-in info, so this latest trojan, spotted by security firm Trusteer, can be considered an escalation. The Carberp variant replaces any Facebook page the user navigates to with a fake page notifying the victim their Facebook account is temporarily locked. The page asks the mark for their first name, last name, e-mail, date of birth, password, and a Ukash 20 euro ($25) voucher number to verify their identity and unlock the account. The use of anti-debugging and rootkit techniques makes the Carberp trojan difficult to detect, warns security consultancy Context Information Security. Context said: “Carberp is also part of a botnet that can take full control over infected hosts, while its complicated infection mechanisms and extensive functionality make it a prime candidate for more targeted attacks.” Context adds Carberp, which creates a backdoor on infected machines, can be controlled from a central administrator control panel, allowing botnet herders to more easily mine stolen data. Trusteer said it has reported the attack to Facebook. Source:

14. January 17, WAPT 16 Jackson – (Mississippi) Bank evacuated after smoke fills building. The Trustmark Bank at Metrocenter Mall in Jackson, Mississippi, was evacuated January 17 after smoke filled the building. Firefighters had to tear the roof to get to the source of the smoke. Witnesses said the smoke started in the attic and then spread into the building, forcing everyone outside. The source appeared to be an electrical short, bank officials said. The bank is expected to remain closed until at least January 20. Source:

15. January 17, Bloomberg – (International) Russian father-son team accused of online fraud by U.S. A Russian father and son from Moscow have been charged by federal prosecutors in New York with taking part in a scheme to gain illegal computer access to U.S. bank accounts through bogus e-commerce Web sites. The pair was named in an indictment unsealed January 17 in federal court that alleges they and others controlled U.S.-registered companies and operated a business that bought and sold securities. The defendants took unauthorized charges on customers’ credit cards by buying the numbers illegally or by malware they surreptitiously installed on victims’ computers. The father, arrested last March, arrived in New York January 16 following his extradition by Swiss authorities, the Manhattan U.S. attorney’s office said. His son remains at large. The pair held out U.S.-registered firms Sofeco LLC, Pintado LLC, and Tallit LLC as legitimate Internet merchants with Web sites that appeared to offer goods and services. They also engaged in a scheme from June 2004 to February 2005 to gain access to accounts of U.S. victims, and attempted to transfer hundreds of thousands of dollars into bank accounts they controlled at JPMorgan Chase & Co. and a company identified as Asia Europe America’s Bank, prosecutors said. The defendants, through Rim Investment Management Ltd., maintained an account at Ameritrade Inc. and bought and sold securities in publicly traded companies. The two men are accused of committing securities fraud by buying and selling thousands of shares of companies by trading in the accounts of U.S. victims, prosecutors said. The indictment describes July 2004 meetings between the pair and unidentified others in Cyprus. Unnamed co-conspirators transferred almost $300,000 from the financial services account of a person in the U.S. to a bank account controlled by the pair. Source:

16. January 17, Arizona Republic – (National) Chandler man Edward Purvis admits huge Ponzi scam. For more than 6 years, a con man maintained his innocence in a fraud that bilked millions from churchgoers in Arizona and 12 other states. But January 17, the man pleaded guilty to orchestrating a Ponzi scheme that involved fake gold mines, phony businesses, and a bogus promise to fund Christian causes with investor money. The man, who has served more than 2 years in state prison for bribery and harassment, was on the verge of going to trial on fraud charges when he withdrew his not guilty plea. As part of a deal with state prosecutors, he admitted illegally controlling an enterprise and fraud, which carries a minimum prison term of 42 months. Authorities said hundreds of victims across the country were duped into giving money to a Christian non-profit owned by the defendant called Nakami Chi Group Ministries International. A partner in 2009 turned state’s evidence against the defendant and admitted Nakami was a fraud. The pair promised investors they would receive 24 percent annual returns, and that their money would be used to support Christian causes around the globe. Instead, the defendant used their money for personal investments and expenses. In 2008, the men and their wives were ordered by a civil-court judge to pay $11 million to investors. The chief investigator for the Arizona Corporation Commission testified in 2010 that the defendant and his wife were also tied to an international money-laundering operation involving Caribbean, Swiss, Chinese, and Australian corporations. He said the accounts of one company had been used to pay the wife $5,000 a month since it was opened in 2008. Money was also being sent to Vanuatu Project Limited and a company called California Ore Processing, both of which involve a purported gold mine in the South Pacific. One of Nakami’s key investment plans involved gold ore the defendant told investors was worth $120 billion, but in reality was worthless. Source:

17. January 17, WBOC 16 Salisbury – (Delaware; Pennsylvania) Police in Del. seeking fraud suspects. Delaware State Police (DSP) detectives are asking for the public’s help in identifying three suspects wanted in connection with a credit card fraud investigation involving more than 100 victims, WBOC 16 Salisbury reported January 17. The investigation began in April after a man contacted DSP Financial Crimes Unit detectives to report someone had made several unauthorized transactions in Philadelphia using his credit card number. Police said that since the initial report was taken, there have been more than 100 victims of the same type of fraud. Detectives have learned the suspects were able to obtain the victims’ credit card numbers and then produced new credit cards. The method the suspects used to obtain the stolen numbers is still under investigation, according to police. Source:

18. January 17, Newark Star-Ledger – (National) Newark-based Prudential reaches settlement over death benefits. Prudential Financial has agreed to improve its practices for identifying deceased life insurance policyholders and pay beneficiaries as part of a settlement reached January 13 with 20 state governments. The life insurer said in a Securities and Exchange Commission (SEC) filing January 13 that it increased its death benefit reserves by $139 million to make payments on potential claims. The settlement, announced by Massachusetts and California officials, was the result of a 2008 probe into 21 insurance companies’ compliance with state laws on unclaimed property. State governments were concerned insurance firms sometimes failed to pay death benefits in a timely manner, or failed to pay them at all, if beneficiaries were not aware of the policies’ existence. As part of the settlement, Prudential will review life insurance policies and contracts that were active between 1992 and 2010 using an expanded set of criteria for identifying deceased policyholders and finding their beneficiaries. The criteria include searching for beneficiaries whose identifying information may be incorrect or incomplete, such as transposed Social Security numbers or misspelled names, a Prudential spokesman said. The settlement could pay up to $20 million to the families of deceased California policyholders alone, the California controller said. So far more than 1,000 Prudential policies, with an average value of $2,000, have been found for individuals in California who have been dead for more than 15 years, he said. Source:

19. January 17, Reuters – (National) UBS unit pays $300,000 to settle SEC charges. An investment advisory arm of Swiss bank UBS will pay $300,000 to settle charges it misled investors by incorrectly pricing certain securities in three of its mutual funds, the Securities and Exchange Commission (SEC) said January 17. The SEC’s administrative action against UBS Global Asset Management came on the heels of a referral from SEC examiners who were conducting a routine inspection of the firm. The SEC alleged UBS’s failure to properly price securities resulted in a misstatement to investors of the net asset values of those funds. The SEC also claimed UBS did not follow the mutual funds’ fair valuation procedures in pricing certain fixed-income securities. In 2008, the UBS unit purchased around $22 million worth of fixed-income securities, most of which were risky mortgage-backed securities not guaranteed by Fannie Mae or Freddie Mac, according to the SEC’s order. UBS then valued most of the securities “substantially” higher than what it paid — 100 percent higher in some cases, the government said. The unit had relied on pricing data from third-parties rather than the purchase prices, a violation of the funds’ own valuation procedures, the SEC said. UBS did not correct the mistake until more than 2 weeks later, which led the funds’ values to be off during part of that time period between 1 cent and 10 cents per share, according to the government. Source:

20. January 16, WMAZ 13 Macon – (National) Man accused of over $1.5 million financial fraud in Baldwin jail. A man facing dozens of financial fraud charges in five states has been booked into the Baldwin County, Georgia jail, WMAZ 13 Macon reported January 16. A Baldwin County Sheriff’s Office captain said the man faces financial card transaction fraud and theft charges after the debit card information of a person living in Baldwin County was stolen and used in the Atlanta area. The captain said photos at the bank where the fraudulent transaction was made identified the suspect. He also faces 60 similar counts in Cobb County and 30 in Cherokee, the captain said. He said the suspect is also accused of about $1.5 million in credit card fraud in California. Source:

Information Technology

43. January 18, H Security – (International) Oracle updates close 78 holes. Oracle released 78 security patches in its January Critical Patch Update. The company said these patch day updates address vulnerabilities in “hundreds of Oracle products.” Sixteen of the vulnerabilities patched are remotely exploitable without authentication. Affected products include Oracle Database 10g and 11g, Fusion Middleware 11g, Application Server 10g, Outside In Technology, WebLogic Server, versions 11i and 12 of its E-Business Suite, Oracle Transportation Management, JD Edwards, Sun Ray, VM VirtualBox, Virtual Desktop Infrastructure, MySQL Server, and PeopleSoft Enterprise CRM, HCM, and PeopleTools. A vulnerability in the TCP/IP stack of Solaris 9, 10, and 11 Express is the highest rated of these, with a CVSS score of 7.8 out of 10.0. The company advises users to install the patches as soon as they become available, because of “the threat posed by a successful attack.” Executive summaries of the vulnerabilities can be found in the security advisory. Source:

44. January 18, IDG News Service – (International) Secunia sets six-month deadline for vulnerability disclosures. Vulnerability research firm Secunia announced, effective from the beginning of 2012, software vendors will have a 6-month deadline to fix vulnerabilities reported through its Vulnerability Coordination Reward Program. Secunia’s previous deadline established in 2003 was 1 year. The decision to reduce it came after studying the history of the company’s vulnerability coordination efforts. Source:

45. January 18, Help Net Security – (International) Facebook ‘free mobile recharge’ scam hijacks accounts. A phishing and survey scam rolled into one is currently targeting Facebook users, hijacking their accounts and making it difficult for users to get them back, warns a McAfee researcher. The victims are lured with messages seemingly posted by friends claiming they received a “100rs free recharge.” Following the offered link, users connect to a page asking them to enter Facebook log-in credentials to receive it. Once the account details are entered and the “Log In” button is pressed, the page redirects users to a page mimicking a Facebook one, which asks the user to complete a survey to unlock the recharge option. In the background, the page sends the recorded log-in credentials — in clear text via an HTTP POST request — to a remote server operated by the scammers. The scammers then use the credentials to access the victims’ Facebook accounts, change information contained in them (including the password and the e-mail address), and post the same message that lured in the victims in the first place. The affected users are unable to immediately do anything about it. “Even if the victims try to reset their passwords, they will never get the password reset email from Facebook,” said the researcher. Source:

46. January 17, CNET News – (International) McAfee software lets scammers hijack PCs to send spam. McAfee is looking into a problem with a service in its SaaS Endpoint Protection software that appears to be allowing computers to serve as open proxies for sending spam, the company told CNET January 17. “We are aware of the issue and have both threat analytics and development teams diligently analyzing the problem and possible solutions,” the company said in a statement. “We will have more information on the issue shortly.” The problem was reported by McAfee customers on the Web who complained their e-mails were being blocked by e-mail providers and their IP addresses were being blacklisted for sending spam. The problem appears to be in the RumorServer Service myAgtSvc.exe, McAfee Peer Distribution Service, which is part of McAfee SaaS Endpoint Protection Suite, previously known as Total Protection Service, according to the Kaamar Blog. The technology, used for delivering updates to computers without a direct Internet connection, serves as an open proxy on port 6515, which effectively opens the computer up to being used to send spam to other sites that looks like it is coming from that computer’s IP address, the blog post said. Source:

47. January 17, Reuters – (International) Symantec says hackers stole source code in 2006. Symantec Corp said a 2006 breach led to the theft of the source code to its flagship Norton security software, reversing its previous position that it had not been hacked. The world’s biggest maker of security software previously said hackers stole the code from a third party, but corrected that statement January 17 after an investigation found Symantec’s own networks were infiltrated. The unknown hackers obtained the source code to Norton Antivirus Corporate Edition, Norton Internet Security, Norton Utilities, Norton GoBack, and pcAnywhere, a Symantec spokesman said. The week of January 9, the hackers released the code to a 2006 version of Norton Utilities and said they planned to release code to its antivirus software January 17. It was unclear why the source code was being released 6 years after the theft. The spokesman said the 2006 attack presented no threat to customers using the most recent versions of Symantec’s software. Yet, an analyst with ITIC who helps companies evaluate security software, said Symantec’s customers should be concerned about the potential for hackers to use the stolen source code to figure out how to defeat some protections in Symantec’s software. Symantec said earlier in January its own network was not breached when the source code was taken. However, the spokesman said January 17 an investigation into the matter revealed the company’s networks were compromised. He also said customers of pcAnywhere, a program that facilitates remote access of PCs, may face “a slightly increased security risk” as a result of the exposure. Source:

48. January 11, Cisco – (International) Cisco security response: Wi-Fi protected setup PIN brute force vulnerability. On December 27, the U.S. Computer Emergency Readiness Team released Vulnerability Note #723755, describing a vulnerability that exists in the Wi-Fi Alliance Wi-Fi Protected Setup (WPS) protocol, also known as Wi-Fi Simple Config, when devices are operating in PIN External Registrar (PIN-ER) mode. Devices operating in PIN-ER mode allow a WPS-capable client to supply only the correct WPS PIN to configure their client on a properly secured network. A weakness in the protocol affects all devices that operate in PIN-ER mode, and may allow an unauthenticated, remote attacker to brute force the WPS configuration PIN in a short amount of time. Now, Cisco announced that exploit code and functional attack tools that exploit the weakness within the WPS protocol have been released. The vulnerability is due to a flaw that allows an attacker to determine when the first 4 digits of the 8-digit PIN are known. The eighth digit of the PIN is utilized as a checksum of the first 7 digits and does not contribute to the available PIN space. Because the PIN space has been significantly reduced, an attacker could brute force the WPS PIN in as little as a few hours. While the affected devices implement the WPS 1.0 standard, which requires that a 60-second lockout be implemented after three unsuccessful attempts to authenticate to the device, this does not substantially mitigate the issue, as it only increases the time to exploit the protocol weakness from a few hours to at most several days. It is Cisco’s recommendation to disable the WPS feature to prevent exploitation of this vulnerability. Source:

For more stories, see items 12, 13, and 15, above in the Banking and Finance Sector, and 51 below in the Communications Sector

Communications Sector

49. January 18, Green Bay Press-Gazette – (Wisconsin) WYDR The Drive back on the air after power failure. The frequency for radio station WYDR The Drive in Neenah, Wisconsin, went dead January 18 for several hours after a power failure at its transmitter site resulting from the cold weather. The classic rock station that broadcasts to the Fox Cities was silent at about 6:15 a.m. but was live again at around 11 a.m. Its sister stations in Green Bay, 99.7 and 101.9, and the online stream were unaffected. The power outage resulted from freezing temperatures in the transmitter building, according to the station. Source:

50. January 18, Raleigh News & Observer – (North Carolina) Time Warner Internet blackout not SOPA related. A major Internet outage kept Time Warner customers across North Carolina offline the morning of January 18. Internet services were restored, as of 9:09 a.m., a Time Warner spokesman said. “We did some maintenance overnight. An issue affected both Internet and TV services. The outage began around 6 a.m.,” the Time Warner spokesman said. Source:

51. January 18, Chillicothe Gazette – (Ohio) Weather, water disrupt TV, Internet services. Storms January 17 resulted in Horizon warning Ohio customers about service outages. A power outage in Columbus caused WCMH-TV (Channel 4, NBC) and WBNS-TV (Channel 10, CBS) to lose power at their transmission towers. Horizon customers January 17 lost those two channels until power could be restored at the tower location, which was expected to happen by the morning of January 18. The channel outages also impacted DirecTV subscribers. Internet service also could be affected because of a broken water line in a Columbus building that houses Internet connection equipment for several Internet service providers around Ohio. A Horizon spokesman said January 17 that power to that building had to be shut off until the water line could be fixed. Auxiliary power had to be used, but it had the potential to shut off and cause Internet service interruptions. Source:

52. January 17, Rochester Democrat and Chronicle – (New York) WXXI radio tower damaged. Repairs to the damaged WXXI radio tower in Rochester, New York, took the AM station off the air for several hours January 17. WRUR-FM (88.5) remained on the air while WXXI-AM (1370) was off, a spokeswoman for the public radio station said. She gave no specifics on the damage to the tower. A statement on the station’s Web site shortly before 1 p.m. said, “AM 1370 is now back on the air. We will continue broadcasting on FM 88.5 today, through the end of All Things Considered. At 6 p.m., WRUR will resume its regular programming.” Source:

53. January 17, WHNS 21 Greenville – (South Carolina) Weather radio transmitter broadcasting again. The weather radio transmitter in South Carolina that was damaged the week of January 9 was back on the air January 17, according to the National Weather Service (NWS). Officials said the transmitter on Paris Mountain in Greenville County, which broadcasts on a frequency of 162.55 megahertz, experienced a major hardware failure. On January 17, the NWS said a temporary antenna was brought in to provide service until the main antenna can be replaced. They said the temporary transmitter was broadcasting, but only at half the power. The NWS said the main antenna will be replaced sometime late this winter. Source:

For more stories, see item 13 above in the Banking and Finance Sector and 45 above in the Information Technology Sector