Wednesday, April 19, 2012

Complete DHS Daily Report for April 19, 2012

Daily Report

Top Stories

Two years of testing found a critical defect in a certain model of emergency air packs used in U.S. coal mines. However, federal regulators have no immediate plans to remove the more than 70,000 air packs that could remain in use. – Associated Press

3. April 18, Associated Press – (National) NIOSH, MSHA discussing what to do with 70,000 potentially defective air packs in US coal mines. Two years of testing found a critical defect in a certain model of emergency breathing devices used in U.S. coal mines, but federal regulators have no immediate plans to remove the more than 70,000 air packs that could remain in use, the Associated Press reported April 18. The SR-100 self-contained self-rescuers are belt-worn air packs about the size of three cake-mix boxes. They hold chemicals that help recycle exhaled breath, giving miners about an hour of oxygen and, ideally, time to seek refuge or escape from a fire or explosion. The Charleston Gazette said the National Institute for Occupational Safety and Health (NIOSH) issued a report the week of April 16 concluding the model manufactured by CSE Corp. of Monroeville, Pennsylvania, failed too many tests and therefore has a critical flaw. The NIOSH says 5 out of 500 randomly sampled SR-100 units had oxygen starters that failed. Under federal rules, no more than 3 in 500 can fail for the NIOSH to remain confident. The failure rate, the report said, means the units “no longer conform to the minimum requirements for the certification.” CSE’s president said the firm voluntarily stopped production of the SR-100 when internal quality-control teams identified problems. It has since redesigned the starter system and replaced the device with the SRLD model. Source:

After 3 years on the run, a former banker surrendered. He is accused of running a Ponzi scheme that stole more than $75 million from investors. – WRAL 5 Raleigh (See item 14 below in the Banking and Finance Sector)

An outbreak of Salmonella Bareilly infection has now sickened at least 141 people in 20 states and Washington, D.C. It has also led to the recall of all frozen, raw yellowfin tuna product distributed by a California company. – Food Safety News

21. April 18, Food Safety News – (National; International) Sushi-linked Salmonella outbreak reaches 141 cases. A multi-state outbreak of Salmonella Bareilly infection has sickened at least 141 people, up from the 116 confirmed cases reported the week of April 9, while the related recall has expanded to include all frozen raw yellowfin tuna product — called Nakaochi Scrape — distributed by Moon Marine USA Corp, Food Safety News reported April 18. Nakaochi Scrape is the backmeat of tuna that, when scraped off the bones, looks like ground tuna, and is used to make sushi and similar dishes. The Centers for Disease Control and Prevention (CDC) said Moon Marine’s frozen raw Nakaochi Scrape tuna, imported from a single processing plant in India, is the likely cause of the outbreak. In an update April 17, the CDC said the illnesses extend across 20 States and the District of Columbia. New York has reported 28 cases; Maryland and Wisconsin 14; Illinois 13; Massachusetts 9; New Jersey and Virginia 8; Connecticut, Georgia, and Pennsylvania 6; Rhode Island 5; Missouri and Texas 4; Louisiana and South Carolina 3; Alabama, District of Columbia, Mississippi, and North Carolina 2; and Arkansas and Florida 1. April 13, the Cupertino, California-based Moon Marine agreed to recall 58,828 pounds of its frozen raw yellowfin tuna product, according to the Food and Drug Administration (FDA). In an update April 17, the FDA said Moon Marine is voluntarily recalling all frozen raw yellowfin tuna product from India, labeled as Nakaochi Scrape AA or AAA. The product is not offered for sale to individual consumers but went to outlets that used the tuna to make sushi and other dishes to be sold in restaurants and grocery stores. Source:

A power failure April 15 in Northbrook, Illinois, interrupted water service, caused 10 water mains to burst, and buckled streets throughout the town. – Northbrook Star

31. April 17, Northbrook Star – (Illinois) Ten Northbrook water main breaks in 12-hour period. A power failure April 15 in Northbrook, Illinois, caused an interruption in the main pump at the town’s water plant. Power was quickly restored, but the outage caused the transmission of water to spike and 10 water mains throughout Northbrook’s water system burst. Water was reportedly gushing through buckled pavement in several locations, closing roads around the town. The violent storm, not the power company, was the trigger, the Northbrook village communications manager said. The village has seen more main breaks than ever since the new, bigger water tower went online in 2011. Those breaks have been mostly blamed on variations of pressure driven by the size of the tank. Conversely, several Northbrook public works experts suspect the answer to the latest incidents lies in the water plant, with backup pumps or backup power generation, or both. Water service interruption April 16 was limited to the vicinity of the breaks, officials said. Source:

The Virginia Department of Forestry said they suspect a 4,000-acre wildfire in Page County, Virginia, was started by an arsonist or arsonists who may have set 20 other fires in 1 day. – WTVR 6 Richmond (See item 51)

51. April 17, WTVR 6 Richmond – (Virginia) Arson suspected in Page County wildfire. The Virginia Department of Forestry said they suspect the 4,000-acre Shipwreck fire ignited in Page County the week of April 9 was started by one, or possibly more, arsonists. The announcement was made on their Web site April 16. They believe the same culprits may have been involved in lighting at least 20 other fires April 8 on First Mountain. “The lives and property of more than 250 residents and firefighters were directly threatened by these suspicious fires,” said the director of resource protection for the Virginia Department of Forestry. Wildfire arson is a felony in Virginia, punishable with up to 5 years in prison and a fine of up to $2,500. Source:


Banking and Finance Sector

9. April 18, Bangor Daily News – (Maine; Massachusetts; Rhode Island) Federal prosecutor seeks $153,000 cash seized from Chinese buffets in Maine. Federal prosecutors asked a judge to order the owners of 11 Chinese restaurants in 3 New England states to forfeit more than $153,000 seized from bank accounts in Maine. A complaint filed April 16 alleged a family organization skimmed nearly $2.9 million in cash transactions from the businesses in Maine, Massachusetts, and Rhode Island over a 10-month period. The family also hired and housed undocumented workers whom they paid in cash without withholding taxes, according to the complaint. The family owns Twin Super Buffet in Brewer, the New China Super Buffet in Lewiston, the Super China Buffet in Waterville, and the Kon Asian Bistro in Portland, Maine. It also owns five restaurants in Massachusetts, and two in Rhode Island. Eight family members were named in the complaint. In November 2011, the U.S. attorney’s office claimed the $153,000 seized in 2011 from seven bank accounts in Maine was earned illegally in violation of the following laws: transportation of illegal aliens; harboring of illegal aliens; conspiracy to violate the immigration laws; hiring at least 10 undocumented aliens during one 12-month period; conspiracy to defraud the United States and to violate its laws; money laundering and conspiracy to commit money laundering; and engaging in monetary transactions in criminally derived property in amounts greater than $10,000. Source:

10. April 18, Help Net Security – (National) New York top city for online fraud activity. New York is the nation’s epicenter for online fraudsters, followed by Atlanta, Chicago, Los Angeles, and Omaha, Nebraska, respectively, Help Net Security reported April 18. Leveraging a sample of nearly 1 billion transactions performed by select U.S.-based e-commerce merchants, ThreatMetrix reviewed the online activity for the first quarter of 2012, scoring each transaction with a fraud risk of low, medium, or high. High-risk transactions are typically rejected automatically by merchants while medium-risk ones tend to result in manual review. The top 150 U.S. cities were then ranked based on their percent of high- and medium-risk transactions. “New York was ranked No. 1 in e-commerce fraud risk with transactions 1.5 times as likely to be at risk in comparison to second-ranked Atlanta, and twice as likely in comparison to No. 3 Chicago,” the chief products officer with ThreatMetrix said. Source:

11. April 18, Allentown Morning Call – (Pennsylvania; New Jersey) FBI: ‘Silent bandit’ wanted for five area bank robberies. A man labeled by the FBI as the “silent bandit” is wanted for robbing 5 Allentown, Pennsylvania-area banks in the past 2 weeks, authorities said. The most recent robbery happened April 17 at a QNB Bank inside a Giant Food Market store in Richland Township, said an FBI news release. In that robbery, police said the man passed a “threatening note” to the teller. After receiving an undisclosed amount of cash, he fled. In each of the robberies, police said the suspect passed a threatening note to tellers at banks located inside grocery stores. The spree appears to have begun April 3 at the KNBT Bank in a Giant Food Market in Bethlehem. In that case, police scanner reports said the man passed a note to the teller demanding cash and said two other people in the store were armed. He did not show a weapon. Other hold-ups connected to the suspect include April 4 at the PNC Bank inside a Shop Rite Grocery in Marlton, New Jersey; April 11 at the PNC Bank inside a Shop Rite Grocery in Warminster, Pennsylvania; and April 14 at a PNC Bank inside a Shop Rite Grocery in Hopewell, New Jersey. Source:,0,6745606.story

12. April 17, New York 1 – (New York) ‘White Glove Bandit’ said to have robbed fourth Manhattan bank. The so-called “white glove bandit” struck again, allegedly robbing his fourth bank in the New York City borough of Manhattan since January. Police said the man seen in the surveillance video robbed an HSBC Bank branch April 17. Investigators said he showed a gun to the teller and demanded cash. They also believe he robbed the same branch January 26 and also hit a Citibank branch twice. He wears white latex gloves during the robberies. He carries a black revolver and is usually seen with a backpack and all black clothing. Source:

13. April 17, New York Times – (National) Web site stole job seekers’ data in tax-fraud scheme. A Web site that promised to connect people with much-needed jobs during the recession was actually a means to steal applicants’ personal information in a scheme to file fraudulent tax returns, prosecutors said April 17. The site, called jobcentral2, listed nonexistent jobs and used applicants’ identities to file the bogus federal tax returns and collect tax refunds, the district attorney (DA) for the Manhattan borough of New York City said. A Russian citizen living in Brooklyn preyed upon unemployed people because they were unlikely to have income and unlikely to file a tax return, reducing the chances the fake returns would draw attention, the DA said. The man’s site claimed its job placement services were “sponsored by the government and intended for people with low income,” prosecutors said. He sent e-mails with links to his fake site through legitimate job search forums and college electronic mailing lists. He collected refunds in the names of 108 job seekers, an indictment said. The amount collected on each was about $3,500 to $6,500, which totaled more than $450,000. The man recruited 11 students from Kazakhstan, who let him use their bank accounts to cash the tax refunds, court documents said. He was charged with money laundering, identity theft, and other charges. Federal prosecutors in New Jersey, meanwhile, charged the same man April 17 with working with a ring that stole $1 million by hacking into retail brokerage accounts at Scottrade, E*Trade, Fidelity, Schwab, and other firms and executing sham trades. He was charged with conspiracy to commit wire fraud, unauthorized access to computers, and securities fraud. Source:

14. April 17, WRAL 5 Raleigh – (North Carolina; California) Fugitive Raleigh banker surrenders in alleged Ponzi scheme. After 3 years on the run, a former Raleigh, North Carolina banker surrendered April 16 to federal authorities in San Francisco on charges he ran a Ponzi scheme that bilked investors out of more than $75 million. He was indicted in March on 12 counts of mail fraud, 3 counts of wire fraud, and 1 count each of money laundering and conspiracy to commit fraud. The banker operated Millennium Bank from a west Raleigh office. He billed it as a unit of a Swiss bank based on the Caribbean island of St. Vincent, but federal authorities allege it was a front for a Ponzi scheme. The indictment said Millennium promised investors a 16 percent return on certificates of deposit (CDs), but the banker and a California woman used their money to repay earlier investors and fund lavish lifestyles. The indictment alleges Millennium sold close to $130 million in fake CDs between January 2004 and March 2009. The banker was ordered to pay more than $75 million to investors after failing to respond to a civil suit over the alleged scheme. His assets were seized and auctioned off to help repay investors. Source:

15. April 17, U.S. Department of Justice – (Florida) Loan officer pleads guilty for role in mortgage fraud scheme that resulted in more than $6.5 million in losses. A loan officer for a Florida mortgage company pleaded guilty April 16 in Florida to one count of conspiracy to commit wire fraud for his role in a mortgage fraud scheme. According to court documents, from about February 2006 through July 2008, the man was employed as a loan officer for Great Country Mortgage Bankers. In this role, he helped in the sales and financing of condominium units at two complexes in Florida — Dadeland Place and Pelican Cove on the Bay. The borrowers he assisted were unqualified to obtain mortgage loans due to insufficient income, high levels of debts, and outstanding collections. He admitted he conspired with others to create and submit false and fraudulent Federal Housing Administration mortgage loan applications and accompanying documents to a lender for the unqualified borrowers. He and others offered borrowers cash back after closing as an incentive for them to purchase the units. These payments were not disclosed properly during the loan application process. Court documents said the closing costs were paid on behalf of the borrowers by interstate wire. After the loans closed, the unqualified borrowers failed to meet their monthly mortgage obligations and defaulted on their loans. According to court documents, when the loans went into foreclosure, the Department of Housing and Urban Development (HUD), which insured the loans, was required to take title to the units and pay the outstanding loan balances to the lenders. As of the date of the plea agreement, the actual loss related to the man’s conduct that was paid by HUD was more than $6.5 million. Source:

16. April 17, Courthouse News Service – (National; International) Hedge funds get a new shot at securities claims. An appellate court ruled Cayman Island hedge funds can amend claims that U.S. investors defrauded them of $195 million in a classic “pump and dump” scheme, Courthouse News Service reported April 17. The Absolute Activist Value Master Fund and eight other hedge funds filed suit in 2009 over their dealings with Hunter World Markets on behalf of hundreds of investors worldwide and in the United States. The complaint alleges the defendants induced the hedge funds to buy U.S. penny stocks, and the defendants then artificially inflated the stock prices by repeatedly trading the stocks, often between the Cayman Island funds, generating substantial commissions for themselves and unlocking more stocks. Once they “had manipulated the prices of the U.S. penny stocks to the desired levels,” they dumped “the shares they had obtained fraudulently to the funds at inflated prices,” causing a $195.9 million loss to the funds, according to the court’s summary of the complaint. Source:

Information Technology

39. April 18, Help Net Security – (International) Malware disguised as new Instagram Android app. Instagram, the popular free photo sharing application for iOS devices, is now available for download for Android users on Google Play and Instagram’s Web site. However, a rogue malicious version of the app is also being pushed to Russian Android users, offered from a Web page that mimics the legitimate one. Once the app is downloaded and run, it prompts users to send an SMS message to a premium rate number to “activate” the app, and then connects to specific sites, likely set to download other malware onto the users’ device. Source:

40. April 18, H Security – (International) Oracle patch day addresses 88 vulnerabilities. Oracle released 88 security patches as part of its scheduled April Critical Patch Update. One of the patches affects a series of vulnerabilities in the Java JRockit VM with a Common Vulnerability Scoring System (CVSS) Base Score of 10.0, the highest possible score in that system. Oracle also closed holes with a CVSS score of 9.0 in Grid Engine and the Windows version of the database component Spatial (in non-Windows versions the vulnerability score of this flaw is 6.5). All other vulnerabilities have scores of 7.5 or lower. Of the 88 released updates, 6 patch holes directly in Oracle’s Database Server and 6 others might affect it indirectly via Enterprise Manager Grid Control. Of the Grid Control vulnerabilities, four can be exploited remotely without authentication. The Oracle Fusion middleware software received 11 advisories, some of which affect Java and therefore also JRockit. Additionally, 17 patches were released for Oracle FLEXCUBE, 11 affect PeopleSoft Enterprise, and 6 relate to MySQL. Oracle released several patches for Solaris as well. Source:

41. April 18, H Security – (International) Google warns the operators of thousands of hacked web sites. The head of Google’s Webspam team announced that Google sent out a message to the webmasters of 20,000 sites informing them their sites may have been hacked. In the e-mail message, the firm warned operators that the affected sites appear to be used to redirect visitors to a malicious site. Google asked the site administrators to check the files in their Web space for an eval(function(p,a,c,k,e,r) JavaScript code segment. The eval() function can be used to execute JavaScript character strings that may have previously been decoded by an unpacking routine. Google also warned of specially crafted .htaccess files. These may cause a request to be redirected only in certain circumstances, for example, when a visitor accesses the page via Google. Consequently, regular visitors to a site, such as the webmaster, will be unaware of the infection. The e-mail contains a link to Google’s Webmaster Tools support page with instructions designed to help webmasters clean up their sites. Administrators were also asked to close the security hole that was exploited to infect the site. Source:
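
The check described in item 41, as an added example (not code from Google, H Security, or this report): a Python scan of a web root for the packer signature and for .htaccess redirects that fire only for certain referers or user agents. The regular expressions, function names, and sample files are assumptions constructed for illustration, and the signature match is widened beyond the report to the p,a,c,k,e,d spelling of the same packer.

```python
import os
import re
import tempfile

# Signature named in Google's notice; [dr] also covers the p,a,c,k,e,d variant.
# Packers are also used legitimately, so a hit is a lead for review, not proof.
PACKER_RE = re.compile(
    r"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*[dr]\s*\)")
# mod_rewrite conditions keyed on the visitor's referer or client.
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}\s+(\S+)", re.I)
# A rule whose substitution is an absolute URL, i.e. an external redirect.
RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://\S+)", re.I)
SCRIPT_EXT = (".js", ".htm", ".html", ".php")

def scan_script(text):
    """Return 1-based line numbers that contain the packer signature."""
    return [n for n, line in enumerate(text.splitlines(), 1) if PACKER_RE.search(line)]

def scan_htaccess(text):
    """Return external redirects that fire only for certain referers or clients."""
    findings, pending = [], []
    for n, line in enumerate(text.splitlines(), 1):
        cond = COND_RE.match(line)
        if cond:
            pending.append((cond.group(1).upper(), cond.group(2)))
        elif line.strip().lower().startswith("rewriterule"):
            rule = RULE_RE.match(line)
            if rule and pending:
                findings.append({"line": n, "target": rule.group(1), "when": pending})
            pending = []  # conditions apply only to the next RewriteRule
    return findings

def scan_tree(root):
    """Walk a web root; return sorted (relative path, kind, detail) tuples."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name == ".htaccess":
                hits += [(rel, "conditional-redirect", f) for f in scan_htaccess(text)]
            elif name.lower().endswith(SCRIPT_EXT):
                hits += [(rel, "packed-js", n) for n in scan_script(text)]
    return sorted(hits, key=lambda h: h[:2])

# Constructed sample files: harmless stand-ins, not taken from any real site.
SAMPLE = {
    "index.html": "<html>\n<script>eval(function(p,a,c,k,e,r){return p}"
                  "('0',1,1,[],0,{}))</script>\n</html>\n",
    "app.js": "function add(a, b) { return a + b; }\n",
    ".htaccess": "RewriteEngine On\n"
                 "RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]\n"
                 "RewriteRule ^(.*)$ http://redirect.example.invalid/ [R=302,L]\n",
    # Ordinary HTTPS upgrade: an external redirect, but not keyed on the visitor.
    "blog/.htaccess": "RewriteEngine On\n"
                      "RewriteCond %{HTTPS} off\n"
                      "RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]\n",
}

def demo():
    """Write the constructed sample into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Point `scan_tree()` at a copy of the web root and compare each hit against a known-good deployment or version control before removing anything.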

42. April 18, ZDNet – (International) Gmail hit by massive outage: Up to 35 million affected. Google suffered a serious outage to its Gmail Web e-mail service April 17, which could have left up to 35 million users without access to their messages. The outage, which lasted for more than an hour, affected up to 10 percent of its global users, leaving them unable to access their personal e-mail accounts — and in some cases, their work e-mail. While many Gmail and Google Apps users in the United States were left without access, it appeared the United Kingdom, Europe, and Asia remained mostly unscathed. Google initially said the outage affected less than 2 percent of the Gmail user base, with the estimated 5.3 million affected users “unable to access Google Mail.” Later, however, Google hiked the figure and said “less than 10 percent” of its user base was left without e-mail. Reports suggest that only the Web interface was affected by the outage, while those using IMAP/POP connections in a third-party desktop client, or mobile users, could still access their accounts and e-mail. Source:

43. April 17, Help Net Security – (International) Active fake AV spam campaigns hit Twitter. Two distinct malicious spam campaigns are currently targeting Twitter users and taking them to compromised sites serving rogue antivirus (AV) and scareware software, GFI warned. The messages are short and are disseminated from bot and compromised accounts. Both contain links to a .tk domain. Following the link in the first message lands victims on a page (detectoptimizersupervision(dot)info) serving the bogus Windows Antivirus 2012, which is currently detected by only 3 of the 42 AV solutions used by VirusTotal. The offered variant is changed every 3 to 6 hours. The second link redirects users to a Web site where the Blackhole exploit kit drops a first rogue AV then redirects to another page offering another AV named Windows Antivirus Patch. Twitter was notified of the campaigns. Source:

44. April 17, – (International) TapLogger Android Trojan cracks touchscreen passwords using handset movements. A team of security researchers developed an Android-based trojan capable of discerning a user’s screen lock code using the on-board accelerometers to detect small shifts that result from pressing the touchscreen. The trojan, nicknamed TapLogger, was shown to be able to crack passwords of four, six, and eight digits, comprising the numbers between zero and nine. TapLogger was developed as a proof-of-concept and, according to the researchers, to highlight the need for smartphones to require security permissions before apps are able to access on-board sensor data, such as accelerometers. Source:

45. April 17, Infosecurity – (International) McAfee sheds light on the Darkmegi kernel rootkit. Darkmegi, malware that uses a kernel rootkit component to infect computers, has begun exploiting a flaw in Java to conduct drive-by attacks, according to McAfee Labs. Darkmegi was discovered several months ago when it exploited a musical instrument digital interface remote code execution vulnerability in Windows Media Player. The new drive-by attacks exploiting a Java runtime remote code execution flaw use the Gong Da Pack exploit kit, a McAfee researcher explained. Source:

46. April 17, CNET News – (International) Symantec: Flashback malware now down to 140K machines. The number of machines estimated to be infected by the Flashback malware has dropped, but that number did not go down as fast as experts expected, according to an April 17 report by Symantec. The security firm lowered its estimate of machines that still have the malware to 140,000, which is down considerably from estimates of more than 600,000 less than 2 weeks ago. Even so, the firm said it was expecting a lower tally. The lowered expectations were due in part to Apple releasing two separate software tools to users the week of April 9 that detect and remove the malware. Additionally, ahead of those official tools, Symantec, and security firms F-Secure and Kaspersky released their own detection and removal software. Flashback is a form of malware designed to steal passwords and other information from users through their Web browser and other applications. Source:

For more stories, see items 10 and 13 above in the Banking and Finance Sector

Communications Sector

See items 39, 42, and 44 above in the Information Technology Sector