Monday, April 16, 2012

Complete DHS Daily Report for April 16, 2012

Daily Report

Top Stories

• Nearly 61 percent of 48 states are in abnormally dry or drought conditions, according to the U.S. Drought Monitor. These conditions have led to numerous wildfires and put many agricultural crops at risk. – USA Today

15. April 13, USA Today – (National) Drought expands throughout USA. The United States has not been as dry as it is now in almost 5 years, USA Today reported April 12. Still reeling from devastating drought in 2011 that led to at least $10 billion in agricultural losses across Texas and the South, the nation is enduring another unusually parched year. A mostly dry, mild winter put nearly 61 percent of the lower 48 states in “abnormally dry” or drought conditions, according to the U.S. Drought Monitor, a weekly federal tracking of drought. That is the highest percentage of dry or drought conditions since September 2007. Only two states — Ohio and Alaska — are entirely free of abnormally dry or drought conditions. The drought is expanding into some areas where dryness is rare. According to the U.S. Geological Survey, stream levels are at near-record or record lows in much of New England. The Drought Monitor lists all of Vermont as “abnormally dry,” just 6 months after the state’s wettest August on record that stemmed mainly from disastrous flooding by the remnants of Hurricane Irene. The rest of the East is also very dry. More than 63 percent of Georgia is in the worst two levels of drought, the highest percentage of any state. Wildfires and brush fires have been common along the East Coast from New England to Florida in recent weeks. Trouble also looms for water-dependent California. The state department of water resources announced the week of April 2 that water content in California’s mountain snowpack is 45 percent below normal. Source:

• Two U.S. Coast Guard members were found shot to death while at work in Kodiak Island, Alaska, in what officials said appeared to be a double homicide. – Associated Press (See item 29)

29. April 13, Associated Press – (Alaska) 2 dead in shooting at Alaska station; FBI on scene. Two U.S. Coast Guard members were found shot to death at work in Kodiak Island, Alaska, in what officials said appeared to be a double homicide. Another Coast Guard member found the victims April 12 at their work areas inside the communications station, a spokeswoman said. She said officials believed a third person was involved, but no suspect was in custody or identified as of April 12. A captain said he was not aware of any threats or anything else that might have indicated problems at the station. After the shooting, security was increased at the base, about 8 miles from the island’s largest city of Kodiak. Added security also was put in place at an adjacent school. A petty officer said the station has “secure front doors,” and requires staff and visitors to show identification. The spokeswoman said visitors and those not actually working at the station are usually provided escorts. Source:

• Oracle plans to release 88 patches April 17, including many that fix vulnerabilities that allow remote access to the Oracle database without a username and password. – IDG News Service See item 38 below in the Information Technology Sector

• Two reports found that scaffolding that collapsed and killed seven people during the Indiana State Fair in 2011 was subpar. The reports also indicate the fair’s commission did not have adequate emergency planning in place. – CNN

45. April 13, CNN – (Indiana) Reports: Indiana State Fair stage where seven died was inadequate. Scaffolding that collapsed during a storm and killed seven people during the Indiana State Fair in 2011 was not up to standard, and the fair’s commission did not have adequate emergency planning in place, according to two investigative reports presented April 12. “Calculations and in-situ physical testing determined the Jersey barrier ballast (support) system had grossly inadequate capacity to resist both the minimum code-specified wind speed (68 miles per hour) and the actual wind speed that was present at the time of the failure (approximately 59 miles per hour),” according to a report by Thornton Tomasetti Inc., an engineering firm. The National Weather Service had estimated winds of 60 to 70 mph were raking the area when the incident occurred in August 2011. A massive gust of wind brought down the stage, killing five people and injuring dozens. Two others later died as a result of the collapse. Source:


Banking and Finance Sector

7. April 13, Salt Lake Tribune – (Utah) Utah couple charged with interfering with IRS. A Taylorsville, Utah couple who have not filed tax returns since the 1990s has been indicted on charges that include an allegation they placed false liens against top tax officials, trying to collect nearly $2 million, the Salt Lake Tribune reported April 13. The couple is facing five counts of impeding the Internal Revenue Service (IRS) and filing false liens or encumbrances against government officials. The indictment alleges that starting in December 2010, the couple started filing documents with county clerks directed at high-ranking officials within the U.S. Department of the Treasury and mailing demands for money to the private residence of a Treasury official. The woman filed a false lien against an IRS commissioner and the comptroller of the currency for $949,471 at the Salt Lake County Recorder’s Office, the indictment alleges. The couple also mailed multiple “Demand for Payment” documents to the residence of the IRS commissioner in 2011 demanding payments of $949,471 and $984,661, court documents say. The couple was arrested April 10 and pleaded not guilty in federal court April 11. Source:

8. April 12, WPVI 6 Philadelphia – (Pennsylvania; Delaware) Police: Woman bank bandit, accomplice arrested in Delaware. Delaware State Police arrested a woman they say robbed four Wilmington, Delaware-area banks over the last 3 weeks. The woman and an accomplice were arrested April 11 and charged with robbery, conspiracy, and related offenses in connection with four holdups. Police say the latest robbery occurred April 11 at about 11:52 a.m. as a female suspect entered a PNC Bank located inside a Super G Food Market in Wilmington. She approached the teller and presented a demand note for money, implying she had a gun. The teller complied and the suspect fled the bank on foot with an undisclosed amount of cash. A short time later, a Delaware State trooper spotted a car matching the description of a suspect vehicle observed leaving the area of the robbery. Troopers conducted a vehicle stop. The occupants of the vehicle were identified as the suspects. Both were arrested. The woman was linked to three other holdups and charged. The accomplice was charged with the April 11 holdup. Source:

9. April 12, Federal Bureau of Investigation – (California) Former chief financial officer of Irvine technology firm indicted in embezzlement scheme and returned to California today. A federal grand jury returned an indictment April 11 that charges the former chief financial officer of an Irvine, California-based technology company with a fraud scheme to embezzle about $16 million from his employer, a U.S. attorney and the FBI announced. The defendant has remained in federal custody since he was arrested in March upon entering the United States through New York’s John F. Kennedy International Airport. According to a criminal complaint filed March 30, representatives for an Irvine-based company, Trustin Technology, contacted law enforcement with suspicions the man had embezzled funds prior to resigning from the company in February 2012. The complaint alleged company executives had approached him with growing concerns about the firm’s finances earlier in 2012 but were advised by the man that delinquent customer payments had caused a cash flow shortage. When he resigned, an analysis of Trustin’s accounting records revealed he had been diverting the company’s money to his personal bank accounts, the complaint said. According to the indictment, he had been misappropriating Trustin customer payments since at least 2009. He manipulated balance sheets to make it appear customer payments were directed to the company’s accounts, when they were actually controlled by the defendant. The indictment alleges he caused losses to Trustin Inc. in excess of $16 million. Source:

10. April 12, U.S. Commodity Futures Trading Commission – (Illinois; National) CFTC orders Rosenthal Collins Group, LLC, a registered futures commission merchant, to pay more than $2.5 million for supervision and record-production violations. The U.S. Commodity Futures Trading Commission (CFTC) announced April 12 the filing and simultaneous settlement of charges against Rosenthal Collins Group, LLC (RCG), a Chicago-based registered futures commission merchant, for failing to diligently supervise the handling by its officers, employees, and agents of an account held at RCG in the name of Money Market Alternative, LP (MMA). An employee used the MMA account in a multi-million dollar Ponzi scheme. According to the CFTC’s order, from April 1, 2006 until April 29, 2009, RCG failed to diligently supervise the handling of the MMA account. Specifically, the order finds RCG failed to follow its own compliance procedures that impose continuing duties to “know” its customers and detect and report “any suspicious money transfers, non-economic transactions, and other activity outside of the ordinary course of business.” For example, MMA stated in its account opening documents that it had a net worth of $300,000 and an annual income of $45,000, but deposits in the MMA account at RCG exceeded $2 million in 2006, $3 million in 2007, and $14 million in 2008. The MMA account also experienced losses of more than $17 million and generated $921,260.90 to RCG in gross commissions and fees. The order further finds RCG failed to investigate and report years of excessive wire activity relating to the MMA account. The order requires RCG to pay a $1.6 million civil monetary penalty, and to disgorge $921,260.90 to the scheme’s victims. Source:

Information Technology

34. April 13, Computerworld – (International) Apple delivers Flashback malware hunter-killer. Two days after Apple promised to decontaminate Macs infested with the Flashback malware, the company delivered. The newest Mac OS X Java update issued April 12 includes a tool that will “remove the most common variants of the Flashback malware,” Apple’s advisory read. April 10, Apple for the first time acknowledged the Flashback malware campaign that exploited a Java vulnerability to infect hundreds of thousands of Macs. At the same time, Apple pledged to craft a detect-and-delete tool that would scrub compromised machines of the attack code. The April 12 update also disables automatic execution of Java applets in the Java browser plug-in; the exploit used by Flashback to infect Macs was hidden inside a malicious Java applet hosted on compromised Web sites. One of the reasons Flashback was able to infect so many Macs was because the Java plug-in automatically ran the offered applet. Apple’s move is a step toward disabling Java, the advice most security experts suggest to users. Source:

35. April 13, The H – (International) Firefox gets click-to-play option for plugins. A software engineer at Mozilla created an implementation of “click-to-play plugins” for Firefox. With this enabled, the browser will require that content from plugins like Flash and Java be clicked before the plugin loads and runs. The feature, which Mozilla also calls “opt-in activation for plugins” is already accessible in nightly builds of Firefox and the engineer is working on giving the browser the ability to remember click-to-play settings on a site-by-site basis. A security benefit of the click-to-play approach is that plugins only get loaded when the user actually clicks on the content in question. This limits the opportunities for “drive-by” malware attacks by malicious content that targets plug-in vulnerabilities in Flash and Java. The feature could help prevent the spread of malware such as the Flashback trojan, as Java would only be loaded if the user expects legitimate Java content on the page in question and clicks on it. However, malware creators can still use social engineering to encourage users to click anyway. Source:

36. April 13, The Register – (International) New fake anti-virus shakes down frightened file-sharers. Security researchers discovered a strain of fake anti-virus software that tries to intimidate supposed file-sharers into paying for worthless software. SFX Fake AV, first detected by antivirus scanner firm Malwarebytes, blends the features of scareware with those more associated with ransomware trojans. The malware stops any legitimate antivirus package from running on compromised PCs. This particular strain of malware also stops Process Explorer and prevents browsers from loading — tactics designed to force users to complete the “input credit card details” screen and pay money for the scamware. The app also falsely tells victims they are going to be sued for breaching anti-piracy legislation, claiming it detected torrent links on PCs. It offers to get around this problem by activating an “anonymous data transfer protocol” for torrent links, another inducement aimed at persuading users into paying for the worthless security app. This latter feature differentiates the malware from strains of scareware seen in the past, which demand money after supposedly detecting “offensive materials” on PCs. The malware also performs a fake scan that classifies Windows Registry Editor as a pornography tool. The vice president of research at Malwarebytes said: “SFX Fake AV is morphing at a relatively fast rate, so it is something that signature-based vendors will have to watch out for as there will be an increasing number of variants in the wild. Also, the use of Dropbox as a delivery mechanism is something that the industry is going to have to take into account and protect against, as it is an emerging trend.” Source:

37. April 12, The H – (International) Facebook SDK hole leaves accounts vulnerable. A developer discovered a vulnerability in the Facebook software development kit (SDK) for Android that grants specially crafted Android applications unauthorized access to the smartphone owner’s Facebook account. Apps such as Foursquare use the SDK as a way to read users’ Facebook profiles or post photos to their walls; usually, this requires additional permissions to be requested from the user. Once those permissions are granted, the app receives an access token from the Facebook server that, until revoked, enables it to perform the requested actions. The developer found that, with the required permissions in place, the Facebook SDK writes a URL that contains the token to a log file on the smartphone — and this log file is accessible by any app given permission to “Read Sensitive Log Data” during installation. As many Android users automatically confirm permission requests when installing apps, it should not be difficult for attackers to obtain the required access. Using the stolen access token, a specially crafted app could then obtain any permissions granted to the token’s legitimate app. Source:

38. April 12, IDG News Service – (International) Oracle to issue 88 security patches on Tuesday. Oracle plans to release 88 patches April 17, covering vulnerabilities affecting a wide array of products, according to a pre-release announcement posted to its Web site April 12. The upcoming patch batch includes six fixes for Oracle’s database, three of which can be exploited remotely without a username and password. The highest Common Vulnerability Scoring System (CVSS) base score for the database bugs is 9 on the system’s 10-point scale. Another 11 patches cover Oracle Fusion Middleware, with 9 being remotely exploitable without authentication. Within this group, the highest CVSS base score is 10 for Oracle JRockit. Other affected products include BI Publisher and JDeveloper. The patch release also includes 6 bug-fixes for Oracle Enterprise Manager Grid Control; 4 for the E-Business Suite enterprise resource planning application; 5 for Oracle’s Supply Chain Suite; 15 for various PeopleSoft Enterprise applications; 17 for Oracle Financial Services software; 2 for Oracle Industry Applications; and 1 for Oracle Primavera. Another 15 cover Oracle Sun products, including the GlassFish application server and the Solaris OS. Oracle is also set to ship six patches for the MySQL database. Source:

39. April 12, Threatpost – (International) Tough love triumphs: SCADA vendor Koyo fixes Basecamp bugs. Industrial control system vendor Koyo moved to fix vulnerabilities in its ECOM brand programmable logic controllers (PLCs) after researchers, in January, revealed the devices were vulnerable to brute force password guessing attacks. The U.S. Industrial Control Systems Cyber Emergency Response Team issued an advisory April 11 that said the company issued a patch for affected ECOM modules that disables a vulnerable Web server and adds a “timeout” feature to prevent brute force attacks on the device password. Koyo was one of a number of supervisory control and data acquisition and industrial control systems (ICS) vendors whose products were targeted by researchers as part of Project Basecamp, a volunteer effort to expose rampant product insecurity in the ICS sector. Source:

For another story, see item 40 below in the Communications Sector

Communications Sector

40. April 13, IDG News Service – (International) ICANN postpones cutoff date for new gTLD applications after glitch. The Internet Corporation for Assigned Names and Numbers (ICANN) has postponed the last date for applications for new generic top-level domains (gTLDs) on its application system to April 20, after it detected a technical issue with the software. The organization said in a statement that it had to take the TLD application system (TAS) offline temporarily after it learned of a possible glitch in the software that has allowed “a limited number of users to view some other users’ file names and user names in certain scenarios. Out of an abundance of caution, we took the system offline to protect applicant data. We are examining how this issue occurred and considering appropriate steps forward,” ICANN’s chief operating officer said in a statement April 12. TAS will be shut down until April 17, unless otherwise notified before that time, the ICANN said. Source: