Monday, April 30, 2012

Complete DHS Daily Report for April 30, 2012

Daily Report

Top Stories

• A court required a man and his companies to pay a $5 million penalty for running a foreign currency scam that cheated at least 500 investors out of $85 million. – U.S. Commodity Futures Trading Commission See item 10 below in the Banking and Finance Sector

• Forty more illnesses were added to the multi-state outbreak linked to Salmonella-contaminated sushi tuna, bringing the total cases to 200 in 26 states. – Food Safety News

18. April 27, Food Safety News – (National) Multistate outbreak linked to raw sushi grows to 200 cases. Forty more illnesses were added to the multi-state outbreak linked to Salmonella-contaminated sushi tuna, the Centers for Disease Control and Prevention (CDC) reported April 26. The CDC also announced that health officials grouped a second strain of Salmonella Nchanga into the outbreak investigation. As of late the week of April 23, the CDC said there were 160 confirmed cases of Salmonella Bareilly linked to the same outbreak. Now, it is reporting 190 illnesses in 21 states linked to Salmonella Bareilly, and 10 illnesses in 5 states linked to Salmonella Nchanga. The product implicated, known as “tuna scrape,” is raw yellowfin tuna that has been shaved and recovered from tuna bones, which is served raw in sushi products, particularly spicy tuna rolls. The Nacaochi Scrape fish product was imported from India and has been recalled by the California-based distributor, Moon Marine USA. At least two more people were hospitalized since the CDC’s last update, bringing the total to 28. New York reported the most cases, with 35 sickened. Massachusetts had 24 cases. Maryland had 20 cases, while New Jersey had 19. Wisconsin reported 16, Illinois 15, Georgia 11, and Virginia 10. Connecticut had eight cases, followed by Pennsylvania with seven, and Rhode Island with six. Texas and Missouri were reporting four cases. South Carolina, North Carolina, and Louisiana each reported three. Alabama, Mississippi, and Washington, D.C. each had two. Arkansas and Florida reported one case. Source:

• A hacker who released source code from hypervisor VMware, a platform that runs guest operating systems for many businesses and organizations, threatened to release more data May 5. The source code could allow malicious actors to take advantages of vulnerabilities in such systems. – InformationWeek See item 36 below in the Information Technology Sector

• A researcher said a remotely exploitable vulnerability exists in all current versions of the Oracle database server. It allows an attacker to intercept traffic and execute arbitrary commands on the server. – Threatpost See item 37 below in the Information Technology Sector


Banking and Finance Sector

7. April 27, Philadelphia Inquirer – (Pennsylvania; New Jersey) Glenside broker among six charged in loan-fraud case. Federal prosecutors in Philadelphia indicted a business-loan broker and his business partner April 26 on charges of fraud, conspiracy, and money-laundering, alleging the pair “defrauded more than 800 victims out of more than $10 million,” according to a statement from a U.S. attorney, FBI special agent-in-charge, and a U.S. Internal Revenue Service acting special agent-in-charge. The defendant is the founder and chairman of Philadelphia-based Remington Capital Group and related companies. Also charged with fraud were four brokers. According to the indictment, between 2005 and 2011 the two men and their brokers “fraudulently induced hundreds of people to pay Remington fees in excess of $10,000 apiece, based on false representations that Remington had lenders and/or investors ready to provide financing for the victims’ projects.” Victims included a New Jersey developer trying to raise $27.5 million for a Camden project and a Pennsylvania developer trying to raise $22 million for a solar electric farm, the indictment said. In many cases, according to the indictment, the suspect never had funding lined up but “fraudulently” took fees anyway. Source:

8. April 26, Minneapolis Star Tribune – (Minnesota) Ex-Centennial Mortgage executive pleads guilty to bank fraud. A former executive with Centennial Mortgage and Funding Inc. pleaded guilty April 26 in a Minneapolis federal court to defrauding various banks to cover the company’s losses and fund its operations. The executive was an accountant, senior vice president, and chief financial officer for the mortgage company in 2007 and 2008, when the alleged fraud took place. The government contended he was responsible for $8 million in losses. Centennial, a mortgage lender, had warehouse lines of credit with various banks, including American Bank. The executive admitted misleading lenders about the status of existing mortgage loans to get them to advance Centennial more money; helping conceal defaults on existing mortgage loans; hiding the fact that about 23 mortgage loans were double-funded; and kiting checks between Centennial’s various bank accounts. He used the money he obtained for payroll and other operating expenses, the government said. He said he did not do all those things personally, but he failed to inform the financial institutions about what he knew and aided others in the alleged fraud. Source:

9. April 26, Seattle Times – (Washington) Columbia City bank damaged by Molotov cocktail. A bank in the Columbia City section of Seattle was damaged overnight April 26 when someone threw a Molotov cocktail at the side of the building, according to Seattle police. When employees arrived April 26, they discovered a broken window and burn marks on the side of the building. A police account of the incident said it appeared the gasoline-filled bottle struck and scorched the side of the bank. It did not cause significant damage. Source:

10. April 26, U.S. Commodity Futures Trading Commission – (California; National) Federal court enters order settling CFTC $85 million forex fraud action against a California resident and his companies SNC Asset Management, Inc. and SNC Investments, Inc. The U.S. Commodity Futures Trading Commission (CFTC) obtained a federal court supplemental consent order requiring a defendant and his companies, SNC Asset Management, Inc., and SNC Investments, Inc., to pay a $5 million civil monetary penalty, the CFTC announced April 26. The court’s supplemental consent order, filed in California, resolves a CFTC complaint that charged the defendants with operating an $85 million fraudulent foreign currency (forex) scam. According to the consent order, the defendants fraudulently solicited at least $85 million from at least 500 customers to trade forex. The defendants in their solicitations falsely claimed to be operating successful forex trading firms and guaranteed monthly returns generated by their trading, the order finds. These representations, and subsequent fictitious account statements depicting profitable returns on individual accounts, created the false impression the defendants were trading forex profitably, the order finds. However, only a small percentage of the $85 million solicited was traded and the defendants’ limited trading resulted in losses, according to the order. Rather than trade on behalf of customers, the defendants misappropriated customer funds for personal use. In a related criminal action, the defendant pleaded guilty April 9, 2010 to conspiracy to commit wire fraud and conspiracy to commit money laundering. Source:

11. April 26, Fox Business Network – (New York; National) NYSE receives credible cyber threat against website. The New York Stock Exchange (NYSE) received a credible threat to disrupt its external Web site as part of an apparent cyber attack attempt against many U.S. exchanges, the Fox Business Network reported April 26. The threat, which is not tied to NYSE’s trading systems, prompted the Big Board to beef up security and monitoring for a potential cyber attack, sources familiar with the matter said. The April 26 threats centered around a potential denial-of-service attack strictly focused on the exchange’s external Web site, and having nothing to do with its trading systems, a source said. The cyber threat appears to be tied to an anti-capitalistic online posting by a cyber group called “L0NGwave99” that promised to hit stock exchanges with a denial of service attack April 26 in support of the “great and rooted 99% movement.” In addition to the NYSE, the group claimed it will put “into a profound sleep” the Web sites of the Nasdaq Stock Exchange, BATS, the Chicago Board of Options Exchange, and the Miami Stock Exchange. While the posting said it would start the operation at 9 a.m., none of those exchanges appeared to be suffering any Web site difficulties as of early the afternoon of April 26. Source:

Information Technology

33. April 27, Softpedia – (International) One vulnerable site can serve multiple cybercriminal groups, experts find. Security researchers found that a single vulnerable Web site may be used by a number of cybercriminal organizations, each one altering the site to serve its own purposes. In many cases, Web sites are compromised and altered to lead visitors to domains that push fake antivirus programs, which lately have become a lucrative way for cyber criminals to earn a profit. A Zscaler expert explained that once the criminals take over the site, they rely on blackhat SEO techniques to drive traffic toward their malicious pages. In order to do this, they set up two different pages on the compromised domain. First, they create a spam page that search engines, security scanners, and blacklisting mechanisms see as harmless. This page does not contain obfuscated code and performs the redirect via a PHP or .htaccess file. The second page contains the redirect to a site in charge of performing the attack on users. More recently, researchers identified many compromised Web sites designed to send users to fake antivirus that were also infected with a malicious piece of JavaScript, which held an IFRAME injection that pointed to several different locations. Source:

34. April 27, H Security – (International) PHP 5.4.1 and PHP 5.3.11 released. The PHP developers released the first update for PHP 5.4, the latest version of their popular scripting language, and an update to PHP 5.3, the older stable branch of the language. The developers said “All users of PHP are strongly encouraged to upgrade” to the new releases. PHP 5.4.1 has more than 20 bug fixes, including some related to security. One security bug concerned insufficient validation of the upload name, which led to corrupted $_FILES indices. Another notable change was open_basedir checks being added to readline_write_history and readline_read_history. The PHP 5.3.11 update fixes nearly 60 bugs, including correcting a regression in a previously applied security fix for the magic_quotes_gpc directive. A new debug info handler was also added to DOM objects, and the developers added support for version 2.4 of the Apache Web server. Source:

35. April 27, The Register – (International) Ghost of HTML5 future: Web browser botnets. During a presentation at the B-Sides Conference in London, England, April 25, a senior threat researcher at Trend Micro outlined how HTML5 could be used to launch browser-based botnets and other attacks. The new features in the revamped markup language — from WebSockets to cross-origin requests — could cause major issues for the information security arena and turn browsers such as Chrome and Firefox into complete cybercrime toolkits. Many attack scenarios involve using JavaScript to create memory-resident “botnets in a browser,” the researcher warned, which can send spam, launch denial-of-service attacks, or worse. Because an attack is browser-based, anything from a Mac OS X machine to an Android smartphone can run the platform-neutral code, simplifying the development of malware. Creating botnets by luring users into visiting a malicious Web page, as opposed to having them open a booby-trapped file that exploits a security flaw, offers many advantages to hackers. Malicious Web documents held in memory are difficult to detect with traditional file-scanning antivirus packages, which seek out bad content stored on disk. JavaScript code is also very easy to obfuscate, so network gateways that look for signatures of malware in packet traffic are easy to bypass — and HTTP-based attacks pass through most firewalls. Source:

36. April 26, InformationWeek – (International) VMware breached, more hypervisor source code to come. Hypervisors — such as VMware ESXi and Xen — provide the platform on which virtualized guest operating systems run, and are therefore a core component of any business’s virtual infrastructure. A 2010 study from IBM found that 35 percent of all vulnerabilities in a virtualized environment could be traced to the hypervisor. Those vulnerabilities are cause for concern in the wake of VMware’s April 23 confirmation that source code dating to 2003 and 2004 was publicly released by a hacker billing himself as Hardcore Charlie. Furthermore, he said the release was a “sneak peek” of the 300 MB of VMware source code he said is in his possession, which he said will be publicly released May 5. Charlie said he obtained the VMware kernel source code via March attacks against China Electronics Import & Export Corporation. Source:

37. April 26, Threatpost – (International) Critical bug reported in Oracle servers. There is a critical remotely exploitable vulnerability in all of the current versions of the Oracle database server that can enable an attacker to intercept traffic and execute arbitrary commands on the server. The bug, which Oracle reported as fixed in the most recent Critical Patch Update (CPU), is only fixed in upcoming versions of the database, not in currently shipping releases, and there is publicly available proof-of-concept exploit code circulating. The vulnerability lies in the TNS Listener service, which on Oracle databases functions as the service that routes connection requests from clients to the server itself. A researcher said he discovered the vulnerability several years ago and then sold the details of the bug to a third-party broker, who reported it to Oracle in 2008. Oracle credited the researcher for reporting the bug in its April CPU, but he said in a post on the Full Disclosure mailing list the week of April 23 that the flaw was not actually fixed in the current versions of the Oracle database server. Source:

For more stories, see items 11 above in the Banking and Financial Services Sector and 39 below in the Communications Sector

Communications Sector

38. April 27, WLUC 6 Marquette – (Michigan) Verizon Wireless service outages. Verizon Wireless was having outages in parts of the central and western Upper Peninsula of Michigan April 27, according to the Michigan State Police. Service started returning to areas around 10:30 a.m. Call service seemed to be impacted, but data and text were working during the outage. Source:\home\lists\search&id=747093#.T5rEDNkwJI4

39. April 26, IDG News Service – (International) Engineers look to fix Internet routing weakness. Information technology engineers are studying what may be an easier way to fix a long-existing weakness in the Internet’s routing system that has the potential to cause major service outages and allow hackers to spy on data, IDG News Service reported April 26. The problem involves the routers used by every organization and company that owns a block of Internet Protocol (IP) addresses. Those routers communicate constantly with other routers, updating internal information — often upwards of 400,000 entries — on the best way to reach other networks using a protocol called Border Gateway Protocol (BGP). Changes in that routing information are distributed quickly to routers around the world in as few as 5 minutes. But the routers do not verify the route “announcements,” as they are called, are correct. Mistakes in entering the information — or a malicious attack — can cause a network to become unavailable. It can also cause, for example, a firm’s Internet traffic to be circuitously routed through another network it does not need to go through, opening the possibility the traffic could be intercepted. The attack is known as “route hijacking,” and cannot be stopped by any security product. The solution is to have routers verify the IP address blocks announced by others’ routers actually belong to their networks. Source:
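Item 39 describes routers accepting route announcements without checking them and a fix of verifying that an announced address block really belongs to the network announcing it. The block below is an added example, not code from the article or any router vendor: a route-origin check in the style of RPKI Route Origin Authorizations, run over constructed announcements. The Authorization record, the AS numbers and the address blocks are all assumptions made up for the illustration.

```python
"""Route-origin validation over constructed BGP announcements (added example)."""
import ipaddress
from typing import List, NamedTuple, Tuple

class Authorization(NamedTuple):
    """Holder's statement of which AS may originate a block (a ROA-style record)."""
    prefix: str      # authorised block, e.g. "203.0.113.0/24"
    origin_as: int   # AS number allowed to announce it
    max_length: int  # most-specific prefix length the holder permits

def validate_announcement(prefix: str, origin_as: int,
                          roas: List[Authorization]) -> str:
    """Return 'valid', 'invalid' or 'unknown' for one announcement.

    'unknown': no authorization covers the prefix. 'invalid': the block is
    covered but this origin AS or prefix length is not permitted, which is
    what a hijack or an over-specific leak looks like.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        auth_net = ipaddress.ip_network(roa.prefix, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if auth_net.version == net.version and net.subnet_of(auth_net):
            covering.append(roa)
    if not covering:
        return "unknown"
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"

def check_update(announcements: List[Tuple[str, int]],
                 roas: List[Authorization]) -> List[Tuple[str, int, str]]:
    """Classify every (prefix, origin AS) pair; a router drops the 'invalid' ones."""
    return [(p, asn, validate_announcement(p, asn, roas)) for p, asn in announcements]

# Constructed sample data: documentation address ranges and private AS numbers.
SAMPLE_ROAS = [Authorization("203.0.113.0/24", 64500, 24),
               Authorization("2001:db8::/32", 64500, 48)]
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),   # the legitimate holder
    ("203.0.113.0/24", 64511),   # same block, different origin: a hijack
    ("203.0.113.0/25", 64500),   # right origin, more specific than permitted
    ("2001:db8:1::/48", 64500),  # inside the IPv6 block at an allowed length
    ("198.51.100.0/24", 64496),  # no authorization published for this block
]
```

Running check_update(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS) marks the second and third announcements invalid and the last one unknown; a router applying the check would drop the invalid ones and, by policy, either accept or deprioritise unknown ones.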

40. April 26, San Juan Journal – (Washington) Telephone and cellular phone service restored on Orcas. Telephone systems were back up and running on Orcas Island in Washington State April 26, according to the county Department of Emergency Management (DEM). Telephone connections, as well as cellular phone systems, went down early April 26 on Orcas. Century Link reportedly fixed failures in its systems by early the afternoon of April 26, the DEM said. While phone systems were inoperable, the Orcas Island Fire Department and local team of amateur radio operators handled 9-1-1 calls after the outage interrupted emergency calls on Orcas to the sheriff’s department headquarters in Friday Harbor. Source:

For another story, see item 35 above in the Information Technology Sector