Monday, April 9, 2012

Complete DHS Daily Report for April 9, 2012

Daily Report

Top Stories

• The Federal Aviation Administration is investigating an air traffic controller accused of ignoring a request for an emergency landing in Denver. The pilot reported smoke in the cabin of a United Express plane April 3. – Associated Press

18. April 6, Associated Press – (Colorado; Illinois) FAA investigating after plane emergency ignored. The Federal Aviation Administration (FAA) is investigating after an air traffic controller was accused of ignoring a request for an emergency landing in Denver after a commercial airline pilot reported smoke in the cabin, the Associated Press reported April 6. The controller thought the call was a prank and dismissed the emergency call minutes later, according to recordings obtained by KUSA 9 Denver. The United Express plane from Peoria, Illinois, was evacuated April 3 after the plane landed at Denver International Airport. An FAA report said firefighters extinguished a fire in the instrument panel. Airline analysts say fake calls are a problem that can originate from anyone near the airport with a radio. Controllers apparently realized the mistake when the pilot made another emergency call saying the plane had already landed and was evacuating on the runway. It was only then that fire trucks responded. One of the 21 passengers was taken to the hospital. The National Transportation Safety Board said the investigation has been turned over to the FAA. Source:

• The University of Pittsburgh evacuated four buildings April 5 after receiving a bomb threat. Over the last 3 weeks there have been 23 threats to university buildings, but no explosives have been found. – WESA 90.5 FM Pittsburgh

32. April 5, WESA 90.5 FM Pittsburgh – (Pennsylvania) More bomb threats at the University of Pittsburgh. The University of Pittsburgh evacuated four buildings April 5 after receiving a bomb threat aimed at the Cathedral of Learning, the Chevron Science Building, Frick Fine Arts Building, and Posvar Hall. Over the last 3 weeks there have been 23 threats, but no explosives have been found. The university’s vice chancellor for public affairs said the investigation continues into these threats, and a $50,000 reward is now being offered for information. The bomb threats have been made against several buildings on campus, and the university is very concerned about the psychological effect of these threats. He added that even though the threats so far have turned out to be hoaxes, they must be taken very seriously. Pittsburgh police have enlisted the help of the FBI and handwriting experts while trying to solve the case. They have said that they intend to prosecute anyone connected to the threats to the “fullest extent possible” under federal and state laws. Source:

• U.S. water and energy utilities face constant cyber-espionage and denial-of-service attacks, according to a DHS cyber response team, which took 17 fly-away trips in 2011 to assist utilities in network and forensics analysis. – Network World See item 39 below in the Information Technology Sector

• A Navy fighter jet crashed into an apartment complex near Virginia Beach, Virgina, April 6. Both crew members and five civilians were taken to local hospitals. At least five buildings were heavily damaged. – Raycom News Network

47. April 6, Raycom News Network – (Virginia) Pilots delayed jet crash to avoid school. An F/A-18D Hornet Navy fighter jet crashed into an apartment complex near Virginia Beach, Virgina, sending fuel and debris flying and erupting into flames April 6. Both crew members — who ejected at the very last moment to avoid a nearby school — and five civilians on the ground were treated at local hospitals. An eyewitness to the plane crash said that within 200 or 300 yards of where the plane crashed, the aircraft emptied its jet fuel, with its nose up, and crashed into a building at the Mayfair Mews Apartments. At least five buildings were heavily damaged. The Associated Press reported the fire was out, and crews were going through the buildings to check for anyone who may have been injured. One of the pilots was found on the ground, still strapped to his seat, in shock, according to a witness. The crash site is just north of Oceana Naval Air Station in Virginia, where the crew is based. Source:

• New documents released the week of April 2 show that a cascade of missteps combined with weather conditions to produce the 6-square-mile fire that killed 3 people and destroyed dozens of homes near Denver. – Associated Press

51. April 5, Associated Press – (Colorado) Report: Colo. wildfire a deadly cascade of missteps. New documents released the week of April 2 show that a deadly cascade of missteps combined with the vagaries of wind and fire to produce another tragedy in the Rocky Mountains, according to an April 5 report from the Associated Press. The Colorado State Forest Service conducted a 50-acre prescribed burn on March 22, part of a normal plan to consume fuel in the foothills southwest of Denver. Once the fire was out, crews patrolled the perimeter daily. March 26, they spotted an ember blown across the perimeter and lighting grass. In all their methodical planning, they had not asked for real-time weather forecasts that would have predicted vicious, swirling winds. The 6-square-mile blaze killed three people, destroyed dozens of homes near Conifer, and raised questions about what could have been done to contain the human and material losses. Volunteer firemen responding to the first reports of smoke could not talk to the state crew because it used a different radio frequency. Dispatchers, too, were in the dark, reassuring some frightened residents as the smoke and winds gathered that events were under control. When authorities realized more than 3 hours later that, in fact, nothing was under control, they sent out waves of emergency evacuation telephone calls — some of which reached no one, while others went to out-of-state numbers. Some early callers died in the inferno. Harried dispatchers hung up on other callers, too overwhelmed to respond. The first evacuation orders did not go out until at least 3 hours after the embers ignited. The family of a deceased victim said the victim did not receive an evacuation call because her property was listed at the wrong address. Some residents said they never knew about the controlled burn, despite policies mandating the public be informed well in advance. Ultimately, residents of some 900 homes were evacuated amid rapidly changing weather conditions typical of Colorado’s foothills and mountains. Source:


Banking and Finance Sector

8. April 6, U.S. Securities and Exchange Commission – (Florida) SEC charges south Florida man in investment fraud scheme. The U.S. Securities and Exchange Commission (SEC) charged April 6 that a south Florida investment manager defrauded investors by making false claims about his investment track record and providing bogus account statements that reflected fictitious profits. In the complaint, the SEC alleges that since 2005, the manager and International Consultants & Investment Group Ltd. Corp. pulled in at least $11 million from investors by falsely claiming annual returns as high as 26 percent, and that he transferred more than $2.5 million of investor funds to two entities he controlled, Elia Realty, Inc., and 212 Entertainment Club, Inc. He told investors that he had extensive experience in day trading stocks and exchange-traded funds, but his trading resulted in losses or only marginal gains, and the quarterly account statements he sent to clients overstated their returns, the SEC alleged. In a parallel criminal case, a U.S. attorney announced the manager was also indicted on one count of wire fraud. Source:

9. April 6, U.S. Securities and Exchange Commission – (National; International) SEC freezes accounts of six Chinese citizens and one offshore entity charged with insider trading. The U.S. Securities and Exchange Commission (SEC) announced April 6 it has obtained a court-ordered freeze of the assets of six Chinese citizens and one British Virgin Islands entity charged with insider trading in Zhongpin Inc., a China-based pork processor whose shares trade in the U.S. The SEC’s complaint, filed April 4 in a U.S. district court in Chicago, alleges the defendants reaped more than $9 million by trading in Zhongpin ahead of a March 27 announcement of a proposal to take the company private. The complaint names as defendants one entity, Prestige Trade Investments Ltd., and six individuals. The SEC alleged that one of the individuals formed Prestige in January and funded its U.S. brokerage account in March with $29 million transferred from a Hong Kong bank. According to the complaint, the seven defendants bought substantial quantities of common stock and call options in Zhongpin between March 14 and March 26. Zhongpin’s stock price jumped 21.8 percent March 27 when the company publicly announced that its chairman and chief executive officer had made a non-binding offer to acquire all of Zhongpin’s outstanding stock at $13.50 a share, a 46 percent premium over the previous day’s closing price. “The defendants in this action – all with seemingly limited resources - suddenly and inexplicably purchased more than $20 million in Zhongpin securities just before an important public announcement,” the director of the SEC’s Chicago Regional Office said. The SEC alleges that the purchases of Zhongpin stock and options were inconsistent with the defendants’ financial situations and prior investment behavior. Source:

10. April 6, Newark Patch – (New Jersey; Georgia; South Carolina) Man pleads guilty in mortgage fraud. A man admitted April 5 in a Camden, New Jersey federal court to taking part in a $40.8 million mortgage fraud scheme in which he helped find phony buyers for vacation properties in New Jersey and two other states. He pleaded guilty to conspiracy to commit wire fraud and conspiracy to commit money laundering. Authorities said the defendant recruited “straw buyers” for his co-conspirators to purchase oceanfront condominiums overbuilt by financially distressed developers in Wildwood Crest, as well as in vacation destinations in Georgia and South Carolina and properties in New Jersey owned by financially distressed homeowners facing foreclosure. His co-conspirators caused fraudulent mortgage loan applications and supporting documents to be submitted to mortgage lenders in the straw buyers’ names, attributing inflated income and assets to the buyers in order to induce the lenders to approve the loans. Once the loans were approved and the mortgage lenders sent the loan proceeds in connection with the real estate closings on the properties, the man and his co-conspirators took a portion of the proceeds from the fraudulent mortgage loans. Source:

11. April 6, Associated Press – (North Carolina) FDIC sues failed Cape Fear Bank for $11 million. Federal regulators sued several former directors and officers of North Carolina’s failed Cape Fear Bank to recover more than $11 million in losses the bank suffered on 23 commercial loans. The Star-News of Wilmington reported that the suit filed April 4 by the Federal Deposit Insurance Corp. (FDIC) said the risky acquisition, development, and construction loans were approved between 2006 and 2009. The Wilmington-based bank failed in April 2009 and was taken over by First Federal of Charleston. The suit said the loans and other negligence caused the bank’s losses. The FDIC wants to recover about $11.2 million plus interest and costs from the bank’s former officers. Source:

12. April 6, U.S. Securities and Exchange Commission – (Texas) SEC charges Texas bank holding company’s CEO and CFO with misleading investors about loan quality and financial health during the financial crisis. The U.S. Securities and Exchange Commission (SEC) announced April 6 it charged Texas-based Franklin Bank Corp.’s former chief executives for their involvement in a fraudulent scheme designed to conceal the deterioration of the bank’s loan portfolio and inflate its reported earnings during the financial crisis. The SEC alleges that Franklin’s former chief executive officer (CEO) and chief financial officer (CFO) used aggressive loan modification programs during the third and fourth quarters of 2007 to hide the true amount of Franklin’s non-performing loans and artificially boost its net income and earnings. The Houston-based bank holding company declared bankruptcy in 2008. According to the complaint filed in a Texas district court April 5, as Franklin’s holdings of delinquent and non-performing loans rose significantly in the summer of 2007, the CEO and CFO instituted three loan modification schemes that caused Franklin to classify those loans as performing. By the end of September 2007, they had used the loan modification programs to conceal more than $11 million in non-performing single family residential loans and $13.5 million in non-performing residential construction loans. As a result of the loan modifications, Franklin overstated its third-quarter 2007 net income and earnings by 317 percent, and 77 percent, respectively. Source:

13. April 5, Kansas City Star – (Kansas; Missouri; National) Raymore man admits to Petro America securities fraud, pleads guilty. A man pleaded guilty April 5 in a U.S. district court in Kansas City, Kansas to participating in a $7.2 million securities fraud involving thousands of investors around the country who bought shares in Petro America Corp. He is the fourth defendant to plead guilty in the government’s case against Petro, which claimed to have assets in oil and 30 to 40 gold mines. According to a statement from the U.S. attorney’s office, the man admitted he participated in a conspiracy to commit securities and wire fraud beginning in September 2008. He promoted Petro America and sold shares to investors, despite cease-and-desist orders from state securities regulators in Kansas and Missouri. He also was not licensed to sell securities. He made at least $172,774 from the sale of Petro stock to about 57 investors, in addition to $13,300 that he received from Petro for consulting fees and other payments, federal prosecutors said. After state regulators barred the sale of unregistered Petro stock, he and others “devised a plan to obtain money by gifting shares” to other investors, federal investigators said. When he sold the stock, investigators said he never mentioned that he was not licensed to sell securities, nor did he disclose the state regulatory actions or that Petro shares were unregistered. Source:

14. April 5, Federal Bureau of Investigation – (New York; International) Importers charged with securities fraud. Three principals of a company that imported paving stones from Australia were charged with conspiracy, securities fraud, and money laundering in an indictment unsealed April 5 in federal court in Central Islip, New York. The charges against the men arose from their solicitation of investor money for, and their operation of, Permapave Industries and Permapave USA. Permapave marketed porous paving stones in the United States that were manufactured in Australia. According to the indictment, the defendants issued promissory notes to investors and promised to use the proceeds to finance shipments of Permapave paving stones from Australia. The indictment and court filings charge that from 2006 to 2010, the defendants operated Permapave as a Ponzi scheme, raising approximately $26 million through false representations and paying back some investors from the investments of other investors because of the minimal revenues Permapave generated. The government’s pleadings also allege that the defendants converted more than $3 million of investor funds for their personal use. Source:

15. April 5, Dark Reading – (International) Phishers use web analytics to gauge success. In yet another indication of cybercriminals operating more like a business, researchers have discovered a major phishing campaign that relied on Web analytics to hone its attack against a bank, Dark Reading reported April 5. Researchers at security firm RSA say a phisher targeting a specific bank in South America used a free Web analytics tool to gather statistics on how his attacks performed and details about his victims’ systems. He configured it like any other Web analytics service, using embedded JavaScript code on his Web page visited by victims who fell for the phishing attack. The code records data such as the number of “hits” on the page, as well as specifics like the user’s operating system and browser type. A communications specialist for RSA’s FraudAction Knowledge Delivery said the attacker can glean plenty of valuable information from Web analytics: traffic trends and intelligence on the best time to send out its spam phishing run. “Using Web analytics stats, they can get quite a bit of information: number of hits — how credible was the spam e-mail?; best time for blasting out their campaigns — night/weekends?; pages viewed per visitor — did the consumer go through the whole phishing kit?; success of a particular spam e-mailing list they’ve purchased; or the success of an underground spamming service they’ve paid for,” she said. Source:

Information Technology

36. April 6, H Security – (International) Google Chrome fixes seven high-risk vulnerabilities. Google has announced updates to the Stable and Beta channels of their Chrome browser, fixing several bugs and 12 security vulnerabilities. Seven of the 12 security fixes were classed as high-risk problems and Google paid a total of $6,000 to the researchers who discovered the bugs. The seven high risk vulnerabilities are bugs that left several Chrome components open to being exploited by using memory after it had been freed. The Chrome developers have also fixed several cross-origin problems and two issues where the browser could be exploited to read from memory where it should not. Source:

37. April 6, IDG News Service – (International) Sophos takes down partner portal after signs of hacking. Security firm Sophos has taken its partner portal offline and will reset every user’s password after it found signs of a potential security breach on the server hosting it during a routine security check April 3. “Two unauthorized programs were found on the server, and our preliminary investigations indicate that these were designed to allow unauthorized remote access to information,” Sophos said in a security alert posted on its Web site. Sophos could not establish if the data stored in the Web site’s database — which includes partners’ names and business addresses, e-mail addresses, contact details, and hashed passwords — had been stolen. However, it decided to proceed under the assumption that it had. The Web site will be restored after the security audit is completed and the problem is remediated. The company advised its partners to also change their passwords on other Web sites where they might have used them, and to be on alert for potential phishing e-mails that claim to originate from Sophos. Source:

38. April 5, Microsoft Certified Professional Magazine – (International) Six bulletin items announced ahead of April’s Microsoft security update. Microsoft will release six bulletin items in its April security update, according to the Microsoft Security Bulletin Advance Notification. The monthly patch will feature four “critical” items and two “important” bulletins. All four of the critical bulletins will address remote code execution vulnerabilities in Windows, Internet Explorer, Microsoft .NET Framework, Microsoft Office, Microsoft SQL Server, Microsoft Server Software, and Microsoft Developer Tools. As for the two important bulletin items, the first addresses an information disclosure flaw in Microsoft Forefront United Access Gateway, and the second targets an additional remote code execution hole in Microsoft Office. After March’s alleged leak of RCP code, a security researcher at Rapid7 discussed the possible tightening of security procedures when it comes to releasing security information to Microsoft partners. Source:

39. April 4, Network World – (National) DHS: America’s water and power utilities under daily cyber-attack. America’s water and energy utilities face constant cyber-espionage and denial-of-service attacks against industrial-control systems, according to the team of specialists from the U.S. Department of Homeland Security (DHS) who are called to investigate the worst cyber-related incidents at these utilities, Network World reported April 4. Out of the 17 fly-away trips taken in 2011 by DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to assist utilities in network and forensics analysis, 7 of the security incidents originated as spear-phishing attacks via e-mail against utility personnel. An ICS-CERT leader said 11 of the 17 incidents were very “sophisticated,” signaling a well-organized “threat actor.” She said DHS believes that in 12 of the 17 cases, if only the compromised utility had been able to practice the most basic type of network security for corporate and industrial control systems, they would likely have detected or fended off the attack. One of the basic problems observed at utilities is that “a lot of folks are using older systems previously not connected to the Internet,” she said. Another ICS-CERT leader said the count of “incident tickets” related to reported incidents at water and power-generating utilities is going up. While only 9 incidents were reported in 2009, in 2011 this grew to 198 incident tickets. Just over 40 percent came from water-sector utilities, with the rest from various energy, nuclear energy, and chemical providers. He said in many cases the attacks do not seem to be coming directly through the Internet via Internet Service Providers, for example, but are often traced to outside companies that provide services to the attacked utilities, raising the question of compromises there. Source:

For more stories, see items 15 above in the Banking and Finance Sector and 44 below in the Communications Sector

Communications Sector

40. April 6, WYMT 12 Hazard – (Kentucky) Phone service knocked out again in Letcher Co. Copper thieves struck again in Letcher County, Kentucky, WYMT 12 Hazard reported April 6. The thieves took 200 feet of copper wiring, leaving many homes and businesses around the Isom area without phone service for most of the day April 5. Kentucky State Police confirmed that this outage was the result of copper thieves. Source:

41. April 5, – (Alabama) Central Alabama weather radio outage fixed. As severe thunderstorms threatened the state, forecasters from the National Weather Service (NWS) office in Birmingham, Alabama, warned residents April 5 their weather alert radios might not receive alerts, but the NWS reported the problem has been identified and resolved. The outages — reported in Montgomery and Anniston but possibly occurring elsewhere — meant some weather radios did not sound when a watch or warning was issued. Weather service technicians worked to identify and correct the problem, according to the NWS. The outage was reportedly caused by a hardware failure. Source:

42. April 5, Vancouver Columbian – (Washington) Software glitch knocks out Internet in east county. A rare software-related problem triggered an outage of Internet access to some 1,800 Frontier Communications customers in Camas and Washougal, Washington, that began the evening of April 4 and extended into mid-day April 5, according to the utility’s general manager. Internet service has been restored to all Frontier customers, he said. The outage affected about half of the utility’s Washougal and Camas customers with Internet services, primarily residences and small businesses. The problem emerged in software used in some of Frontier’s newest switches and routers, the manager said. Source:

43. April 5, Wausau Daily Herald – (Wisconsin) Charter Internet service out for some Wausau-area customers. Some Wausau, Wisconsin-area residents were experiencing an Internet outage April 5 that was expected to last for several hours. A company supervisor said at 9:15 p.m. that a “fluctuating signal” was to blame for the outage in the Wausau area and other parts of the state, according to a company supervisor at Charter Communications. A total of 1,200 customers across the state were affected, the supervisor said. The estimated time for repairs was 3 to 4 hours, according to the supervisor. Source:|newswell|text|FRONTPAGE|s

44. April 5, Help Net Security – (National; International) Fake AT&T wireless bill links to malware. Large outbreaks of phony AT&T wireless e-mails were distributed in the last 2 days, Commtouch said April 5. The e-mails describe very large balances ($943), that are sure to get aggravated customers clicking on the included links. Every link in the e-mail leads to a different compromised site with malware hidden inside. The pattern is: legitimate domain / recurring set of random letters / index.html. The index.html file tries to exploit at least the following known vulnerabilities: Libtiff integer overflow in Adobe Reader and Acrobat — CVE-2010-0188; and Help Center URL Validation Vulnerability — CVE-2010-1885. Source: