Friday, June 1, 2012

Complete DHS Daily Report for June 1, 2012

Daily Report

Top Stories

• The U.S. Transportation Department shut down 26 bus companies as imminent safety hazards, closing dozens of routes out of New York City’s Chinatown area in the government’s largest safety sweep of the motor-coach industry. – Bloomberg

12. May 31, Bloomberg – (National) 26 Chinatown bus companies shut down by feds. The U.S. Transportation Department shut down 26 bus companies as imminent safety hazards, closing dozens of routes out of New York City’s Chinatown area in the government’s largest safety sweep of the motor-coach industry, Bloomberg reported May 31. The enforcement action primarily targeted three popular Chinatown operations in New York and Philadelphia: Apex Bus Inc., I-95 Coach Inc., and New Century Travel Inc. The government ordered 10 bus company owners, managers, and employees to cease all passenger transportation business, including selling tickets, said a Transportation Department statement. “The egregious acts of these carriers put the unsuspecting public at risk, and they must be removed from our highways immediately,” the Federal Motor Carrier Safety Administration chief said in the statement. “We are putting every unsafe bus and truck company on notice to follow the safety laws or be shut down.” The National Transportation Safety Board reported October 2011 that these curbside operators had a fatal crash rate seven times higher than terminal-based operations. In 2011, at least 28 people died in fatal crashes, including 3 in an 11-week period involving carriers operating out of, or carrying passengers between, Chinatown neighborhoods in East Coast cities. Source:

• The TSA was investigating how a man newly paroled from jail breached airport security and boarded a commuter flight at the San Diego International Airport before he was arrested. – Reuters

13. May 31, Reuters – (California) Parolee bypasses security at San Diego airport and boards plane. The U.S. Transportation Security Administration (TSA) was investigating how a man newly paroled from jail breached airport security and boarded a commuter flight at the San Diego International Airport in San Diego before he was arrested, authorities said May 30. The would-be stowaway was removed from a United Express plane at the gate just before it was scheduled to depart on a flight to Los Angeles May 29 and was taken into custody, police said. The man entered the commuter terminal at Lindbergh Field, walked through an unlocked emergency exit onto the tarmac, and onto the airplane with 27 passengers bound for Los Angeles, about 130 miles away. He was held on suspicion of violating his parole and two misdemeanor offenses for breaching security. He was arraigned May 31. Source:

• More than 1,500 gallons of chemicals sent toxic fumes into the air from the Darigold Milk Factory in Portland, Oregon, sending nearly a dozen people to the hospital. – KPTV 12 Portland

18. May 31, KPTV 12 Portland – (Oregon) Chemical mix-up causes toxic fumes at Darigold Milk Plant. More than 1,500 gallons of chemicals sent toxic fumes into the air from the Darigold Milk Factory in southeast Portland, Oregon, May 30, sending nearly a dozen people to the hospital. Portland firefighters said the incident happened after a big tanker truck came to unload cleaning acid. Somehow the acid went into a wrong holding tank that already had 1,100 gallons of caustic liquid inside. The truck ended up dumping an additional 450 gallons of acid into the tank. It caused a chemical reaction that created a dangerous chlorine gas that made 11 people sick. Victims reported having trouble breathing and were taken to different hospitals. So many people were affected that firefighters called it a “mass casualty hazmat incident.” Workers in the area were evacuated. HAZMAT crews noticed the temperature inside the tank was dangerously hot, threatening to melt the plastic holding tank and cause a spill, so they had to pump the chemical into a black holding tank and cool it down with a pool of water underneath before removing it. Fire officials said the Darigold plant was expected to reopen for business May 31. Source:

• A large water main broke beneath a busy, downtown intersection in Washington, D.C., closing many streets and forcing 10 buildings to lose water service. – DCist

25. May 31, DCist – (Washington, D.C.) Water main bursts near Dupont Circle, creating rush hour nightmare. A large water main beneath the intersection of Connecticut Avenue and N Street NW near Dupont Circle in Washington, D.C., broke during rush hour May 31. The burst opened a sinkhole in the intersection, causing street-level flooding. Initial reports cited the pipe that broke as a 12-inch main; however, a D.C. Water spokesman said the agency believes the trouble spot emanated from an 8-inch main beneath the sidewalk on Connecticut Avenue. Connecticut Avenue was closed between R and N streets NW and the Metro rerouted its 42, 43, N2, and N4 bus lines between 20th and 17th streets. Crews from D.C. Water, D.C. Fire and EMS, and other agencies responded. Ten buildings lost water service and some reported a loss of air conditioning. Many people reported they could not get to work. If the 8-inch pipe is the source, D.C. Water said restoring service will only require switching it off and restarting the 12-inch main. Source:

• A man in Seattle killed five people, including four at a cafe, in two shootings before using the gun to kill himself. – CNN

48. May 31, CNN – (Washington) Shootings stun Seattle residents; gunman, 5 victims dead. A man in Seattle killed five people in two shootings before turning the gun on himself, CNN reported May 31. The suspect died several hours after he shot himself in the head as a 5-hour police manhunt came to an end May 30. Detectives believed the man was behind both shootings. The first, at a coffeehouse in the city’s University District, left four people dead and one critically injured. The second occurred about 30 minutes later near downtown Seattle, when a woman was shot dead in what police described as a possible carjacking. Source:


Banking and Finance Sector

8. May 31, San Francisco Chronicle – (California) 3 accused in $21 million investment fraud scheme. Federal prosecutors in California accused three men May 30 of defrauding elderly clients out of $21 million with false statements that money from their retirement accounts would be invested in profitable, low-risk real estate projects by a Bay Area partnership. Most of the funds the company, S3 Partners, solicited between 2006 and 2009 were used by the three men for personal business ventures and other unapproved purposes, resulting in a near-total loss to investors, prosecutors said. A federal grand jury indictment unsealed May 30 charged the men with fraud and conspiracy. One of the men, who had control of the money, had his California real estate license suspended in 1978, the indictment said. Source:

9. May 31, Softpedia – (International) Researchers present Tinba, 20KB Trojan banker. CSIS Security Group discovered Tinba, what they believe to be “the world’s smallest [t]rojan-banker,” Softpedia reported May 31. The malicious element belongs to a new malware family and is designed to steal sensitive information by attaching itself to a Web browser and intercepting network traffic. Similar to other banking trojans, Tinba, also known as Zusy, utilizes webinjects and Man-in-the-Browser attacks in order to trick the potential victim into handing over transaction authentication numbers (TAN), two-factor authentication codes, and other valuable details. When executed, it uses an obfuscated injection routine that allows it to avoid being detected by security solutions. After that, it creates a new process called Version Reporter Applet (winvert.exe), which is located in the System folder. Tinba also injects itself into processes such as svchost and explorer. There are 4 hardcoded domains used by the malware for communicating with its command and control servers, allowing it to continue operating even if one of the domains fails to respond. In order to compromise the web browsers, the trojan injects itself into processes like firefox.exe and iexplore.exe, allowing it to manipulate network traffic through the web browser’s APIs. “Tinba, like its equals, targets financial websites, but only a very small list of specific URLs,” a partner and security specialist at CSIS explained. Source:

10. May 30, KAMR 4 Amarillo; KCIT 14 Amarillo – (Texas) Borger Police investigate fraudulent money orders in the mail. Police in Borger, Texas, received a tip May 25 about numerous fraudulent U.S. Postal Service money orders. The Borger Police Department’s Criminal Investigations Division was already conducting an investigation into the suspected money orders because several already were passed at a local Federal Credit Union. Upon further investigation, the Borger Police Department was given consent to search a moving truck. They found a bank bag containing 600 fraudulent money orders. Each one had already been pre-printed with an amount. If each money order had been cashed or deposited, the total amount would have been a little more than $600,000. A suspect was questioned regarding this incident and was cooperating with Borger police. The suspect was incarcerated on unrelated charges. Source:

For more stories, see item 33 below in the Government Facilities Sector and item 41 in the Information Technology Sector

Government Facilities Sector

33. May 31, Omaha World-Herald – (Nebraska) UNL undergrad suspected in NU hacking. The University of Nebraska-Lincoln (UNL) police chief said a UNL undergraduate student was a suspect in the security breach of the Nebraska Student Information System database, which serves the University of Nebraska and the State colleges, the Omaha World-Herald reported May 31. The breach may have exposed the financial information and Social Security numbers of thousands of students, alumni, and employees. The student’s computer and related equipment were confiscated and are being analyzed by police and the FBI, officials said. The security breach was discovered May 23. The police chief said the student was identified by the university’s computing services personnel through Internet Protocol addresses used to access the system. Source:

Information Technology Sector

38. May 31, Softpedia – (International) Hackers breach, site taken offline. UGNazi hackers took credit for breaching, the Web site of the free, open source, bulletin board, Softpedia reported May 31. The site’s administrators confirmed the hack and immediately acted on taking down the Web site. “Last night our domain name and hosting accounts were compromised by hackers. Users of MyBB should not be concerned about their own installations. There is nothing to indicate the MyBB software itself contributed to the hacking in any way,” the Web site’s owners wrote. “We hope to restore access to all services in the next 12-24 hours. At this stage we don’t believe our database was compromised, however we recommend users stay vigilant to unauthorized access of their accounts.” The hacker known as Cosmo, who was allegedly taken into custody by authorities for his involvement in the WHMCS breach, posted a tweet claiming the UGNazi hackers still had “full access” to the Web site. Even though MyBB representatives stated the database was not compromised, the hacktivist wrote the group would make it public soon. Source:

39. May 31, IDG News Service – (International) GameReplays lets hackers probe site after data breach. The owner of invited ethical hackers to probe the Web site for vulnerabilities after a recent compromise that resulted in 10,000 member accounts being exposed. May 28, a hacker who claims to be affiliated with Anonymous and uses the Twitter handle EcecusHxc, published a list of 5,000 GameReplays accounts copied from the site’s database after exploiting a vulnerability. The leaked information included e-mail addresses and password hashes, as well as the corresponding salts — secondary keys used to encrypt password hashes so they cannot be cracked. May 29, the hacker published a list of an additional 5,000 GameReplays member e-mails and passwords, raising the total number of exposed accounts to 10,000. According to GameReplays’ co-owner and general manager, Ececus sent an e-mail to the Web site’s administrators May 27, claiming he found a vulnerability and was willing to share the technical details if he was given proper credit for the discovery. Source:

40. May 31, Wilmington Patch – (Massachusetts) Ozone leak sends six employees to hospital. Six Analog Devices employees were transported to hospitals in the Wilmington, Massachusetts-area following a chemical exposure that was controlled quickly due to the firm’s emergency management plan. Wilmington Fire Department’s deputy chief said crews received a call May 30 for an ozone leak at a processor inside the building. By the time crews responded, the building was evacuated and all chemical readings were at zero. The six employees in the area of the processor when the leak was reported were transported to the hospital, but it was strictly for precautionary reasons, the deputy chief said. He said the company shut down for the night after the incident and planned to reassess what may have gone wrong May 31. Source:

41. May 30, Threatpost – (International) FBI warns users of new ‘Reveton’ scareware scam. The FBI is warning consumers about a new scam using a piece of malware called Citadel to redirect users to a scam site that installs scareware on their machines and demands a $100 payment to unlock them. The twist in this scam is it uses the threat of prosecution by the Department of Justice as the prompt to get victims to pay. “In addition to the ransomware, the Citadel malware continues to operate on the compromised computer and can be used to commit online banking and credit card fraud,” the FBI warning says. Source:

For more stories, see item 33 above in the Government Facilities Sector and items 42, 44, and 45 in the Communications Sector

Communications Sector

42. May 31, Burlington Hawk Eye – (Iowa) Cable cut by storm; Mediacom service down after fire at system site. A storm system that passed through southeast Iowa May 31 knocked out Mediacom service to most of the area when the company’s equipment site was damaged by fire. A Mediacom spokeswoman said all Mediacom services to Burlington, West Burlington, Middletown, and Danville were knocked out, and high-speed Internet and phone services were knocked out in Lee, Henry, and Louisa counties. The spokeswoman called the cause of the outage “quite rare” and said fire officials on the scene had not yet determined the cause. She said no timeline had been set for re-establishing service, but equipment was on the way from other locations. Source:

43. May 30, Wheeling Intelligencer; Wheeling News-Register – (West Virginia) Phone service interrupted by cable break. Hundreds of Wellsburg, West Virginia area residents were without land line telephone service May 30 after a cable serving the area was struck by crews installing a utility pole. A spokesman for Frontier Communications said the crews, who were with another company, drilled through the cable, severely damaging it, but service was expected to be restored within 48 hours. The West Virginia Division of Highways had announced earlier that a section of W.Va. 27 would be closed while crews affiliated with Mon Power replaced a utility pole. The Brooke County sheriff said a temporary emergency 9-1-1 center was set up at the Franklin Fire Department because the county courthouse was without phone service. Calls made by dialing 9-1-1 were being received and forwarded by the Hancock County Emergency 9-1-1 Center, and those dialed to the sheriff’s department’s number were being routed through a cell phone, he said. Source:

44. May 30, New Jersey Herald – (New Jersey) Truck fire causes phone, Internet outages; Route 206 closure. Traffic on Route 206 was detoured in the area of Paterson Avenue in Newton, New Jersey, May 30 as crews worked to repair utility lines damaged by a pickup truck fire. The damage caused phone and Internet outages for Century Link customers, a company spokeswoman said. According to Newton police, the fire erupted when a gas tank became dismounted from a 2002 Ford F150 pickup, causing it to drag underneath the vehicle for a short distance. The driver realized there was a problem and pulled to the side of the road and exited the truck just as it caught fire and became engulfed, police said. The Newton police and fire departments were on scene quickly, but significant damage occurred to the utility lines, which will require extensive repair work. A media relations spokeswoman for Century Link said the fire destroyed fiber optic and copper wire lines, causing major interruptions in phone and Internet service. She said Century Link will reroute as much traffic as it can, but there will be an impact on some customers. Service Electric Cable Television also reported outages in the Newton area, but it could not be determined if the outage was related to the truck fire. Source:

45. May 30, Carlisle Sentinel – (Pennsylvania) Service disrupted for customers. A cut line caused a massive disruption to phone and Internet services from May 30. told customers a line was cut, causing the company’s Mechanicsburg, Pennsylvania facility to lose control over its services. Because of the cut line, there was no way for customers to get in contact with customer service at did not give an explanation as to why the line was cut, though there is construction in the area. Source: