Monthly Archives: January 2017

“Thank you” is not enough

A few weeks ago I made a very personal, and very public, announcement: that I had lost my wife to cancer a few days before Christmas. I debated how to share the news, especially since we had largely kept it quiet; she was as private a person as I am public. I decided to share the news on Twitter and Facebook, and the response was overwhelming. Literally overwhelming. The outpouring of love and support I received was humbling and deeply moving. It made me want to be a better person (although a dear friend cautioned me against making any rash decisions).
The words “thank you” are not enough, especially tossed out here on my neglected blog, but it is a start. Thank you to friends old and new, acquaintances, and complete strangers. I am truly humbled by your support.
For those who had not heard the news or our story, my wife and I met when she was 14 and I was 15; we started dating a few months later and never stopped. Below is a photo of us from 1976 (and yes, it is one of the last known photos of me without a beard).



2016 was a rough year for many of us and 2017 is presenting us with new challenges, but (forgive my optimism) together we can make things suck less, personally and professionally.
For me 2017 is about friends old, new, and as yet unmet. I still love technology, I love abusing technology and solving problems with technology, but this year is about people. I’ll be at most of the usual events, and a lot of smaller ones, all around the world. If our paths cross please find me, say hello, maybe share coffee or a cocktail and conversation.
I was recently at Shmoocon; it is an event I have always enjoyed, and this year it was especially good to reconnect with the Shmoocon crowd as I started my return to being active and engaged on the road. I’ll be at BSides San Francisco and RSA in a couple of weeks; after that I’m regrouping before hitting the road again, but more on that later.

Thank you
Jack

Times are a changin’

At the start of a new year we look ahead to identify broad technological advancements with disruptive potential – and examine likely security implications. I believe there are two trends which will shape IT security in a profound way. Many future scenarios are forecast – and indeed likely: major cyber attacks are expected to have …

DHS Daily Open Source Infrastructure Report 2017-01-21 08:58:00




I know that this is unusual, but I feel it necessary: the DHS has found it necessary to abandon security duties to the private and business sectors due to its obligations to the new president. I find this unacceptable. You likely assume that I follow other lists in performing my duties to my clients, and that is correct. However, for more than six years I have not challenged the DHS report, which I will do in the future.

I trust that you will not be concerned by my additional reports which will be clearly labeled.

Regards,

Bob Johnston, CISSP

P.S. If you wish to write to me on this matter, please reply to rjohnstn@cox.net

Wednesday, January 18, 2017



Complete DHS Report for January 18, 2017

Daily Report

Top Stories

Enbridge Energy, Inc. officials reported January 14 that 15,330 gallons of crude oil leaked from a 22-inch pipeline near Everton, Missouri. – KYTV 3 Springfield

1. January 16, KYTV 3 Springfield – (Missouri) Oil spill worse than initially thought. Enbridge Energy, Inc. officials reported January 14 that 15,330 gallons of crude oil leaked from a 22-inch pipeline near Everton, Missouri, forcing officials to shut down Highway M in Lawrence County while crews from Enbridge and the State Department of Natural Resources worked to clean up the spill. Source: http://www.ky3.com/content/news/UPDATE--Oil-spill-worse-than-initially-thought-410874425.html 

Toyota Motor Corporation issued a recall January 13 for 543,000 of its model years 2006 – 2012 vehicles in select makes sold in the U.S. due to faulty Takata Corporation front passenger-side airbag inflators. – TheCarConnection.com

4. January 13, TheCarConnection.com – (International) Toyota adds 543,000 Lexus, Scion, Toyota vehicles to Takata recall roster. Toyota Motor Corporation issued a recall January 13 for 543,000 of its model years 2006 – 2012 Lexus, Scion, and Toyota vehicles in select makes sold in the U.S. to replace faulty Takata Corporation front passenger-side airbag inflators equipped with ammonium nitrate, which can become destabilized when exposed to moisture and high temperatures, causing the airbags to deploy with too much force. The faulty inflators have been linked to 16 deaths and more than 100 injuries worldwide. Source: http://www.thecarconnection.com/news/1108340_toyota-adds-543000-lexus-scion-toyota-vehicles-to-takata-recall-roster

Moody’s Investors Service Inc., Moody’s Analytics Inc., and their parent, Moody’s Corporation agreed January 13 to pay nearly $864 million after the firm allegedly deviated from its credit rating standards for Residential Mortgage-Backed Securities (RMBS) and Collateralized Debt Obligations (CDO). – U.S. Department of Justice See item 5 below in the Financial Services Sector

About 300,000 Midco customers in South Dakota, North Dakota, and Minnesota were without Internet service for more than 8 hours January 13. – Forum of Fargo-Moorhead See item 23 below in the Communications Sector

Financial Services Sector

5. January 13, U.S. Department of Justice – (National) Justice Department and State partners secure nearly $864 million settlement with Moody’s arising from conduct in the lead up to the financial crisis. The U.S. Department of Justice, 21 States, and the District of Columbia reached a nearly $864 million settlement with Moody’s Investors Service Inc., Moody’s Analytics Inc., and their parent, Moody’s Corporation January 13 to resolve allegations that the firm deviated from its credit rating standards and methodologies for Residential Mortgage-Backed Securities (RMBS) and Collateralized Debt Obligations (CDO) and failed to disclose those changes to the public, causing people to make poor investment decisions. The Statement of Facts included in the settlement acknowledges that beginning in 2001, Moody’s RMBS group used an internal RMBS rating tool that did not calculate the loss given default or expected loss for RMBS below AAA and failed to integrate Moody’s own rating standards, among other violations. Source: https://www.justice.gov/opa/pr/justice-department-and-state-partners-secure-nearly-864-million-settlement-moody-s-arising 

Information Technology Sector

19. January 16, SecurityWeek – (International) Flaws found in Carlo Gavazzi energy monitoring products. Carlo Gavazzi released firmware updates after a security researcher found that the company’s VMU-C product was plagued with a flaw that grants a malicious actor access to most of the application’s functions without authentication, as well as a cross-site request forgery (CSRF) issue that can be exploited to change configuration parameters. The researcher also found the product stores some sensitive information in clear text, and warned that the flaws can be remotely exploited if the device’s administrator interface is accessible from the Internet or local network.
Source: http://www.securityweek.com/flaws-found-carlo-gavazzi-energy-monitoring-products

20. January 15, SecurityWeek – (International) New RIG campaign distributes Cerber ransomware. Researchers from Heimdal Security found that a recently spotted campaign is leveraging the Empire Pack version of the RIG exploit kit (EK) to exploit one of eight vulnerabilities plaguing outdated versions of Adobe Flash Player, Microsoft Internet Explorer, Microsoft Edge, and Microsoft Silverlight in order to compromise a victim’s device and download and install the Cerber ransomware. The researchers reported that users must keep their software updated at all times to ensure protection against such attacks. Source: http://www.securityweek.com/new-rig-campaign-distributes-cerber-ransomware

21. January 13, Washington Post – (International) Virginia college student pleads guilty to federal computer malware charges. A student at James Madison University in Virginia pleaded guilty January 13 to Federal charges after he developed malicious keylogger software and sold the malware to more than 3,000 users, who subsequently used the software to infect more than 16,000 computers. Source: https://www.washingtonpost.com/local/education/virginia-college-student-pleads-guilty-to-federal-computer-malware-charges/2017/01/13/993fb4d2-d9c4-11e6-9f9f-5cdb4b7f8dd7_story.html?utm_term=.279d0dae49a1

22. January 13, SecurityWeek – (International) Advantech WebAccess flaws allow access to sensitive data. Advantech released patches addressing several serious vulnerabilities in version 8.1 of its WebAccess software package after researchers from Tenable Network Security discovered that the product was impacted by a critical Structured Query Language (SQL) injection flaw and a critical authentication bypass issue, which could enable a remote attacker to access potentially sensitive information. Source: http://www.securityweek.com/advantech-webaccess-flaws-allow-access-sensitive-data

Communications Sector

23. January 16, Forum of Fargo-Moorhead – (South Dakota; North Dakota; Minnesota) Midco not sure of root cause of Internet outage Friday. Midco officials are investigating the root cause of an Internet and email service outage January 13 that left about 300,000 Midco customers in South Dakota, North Dakota, and Minnesota without service for more than 8 hours. Source: http://www.inforum.com/news/4199843-midco-not-sure-root-cause-internet-outage-friday

Tuesday, January 17, 2017



Complete DHS Report for January 17, 2017

Daily Report

Top Stories

Investment Technology Group, Inc. (ITG) agreed January 12 to pay over $24.4 million to settle charges that it violated Federal securities laws from 2011 – 2014. – U.S. Securities and Exchange Commission See item 2 below in the Financial Services Sector

The Siskiyou County Community Development Department in California was notified January 11 that an estimated 1.3 million gallons of untreated sewage escaped into Cold Creek due to a break in a main sewer line. – KRCR 7 Redding/Chico

11. January 12, KRCR 7 Redding/Chico – (California) Cold Creek sewage spill update. The Siskiyou County Community Development Department in California was notified January 11 that an estimated 1.3 million gallons of untreated sewage escaped into Cold Creek due to a break in a main sewer line. Work crews are installing a bypass pump system to prevent any subsequent wastewater loss and expect the repair to take up to 2 weeks. Source: http://www.krcrtv.com/news/local/siskiyou/cole-creek-sewage-spill-update/265681638 

Zimmer Biomet agreed January 12 to pay more than $30 million to resolve Federal investigations into the company’s alleged Foreign Corrupt Practices Act (FCPA) violations. – U.S. Securities and Exchange Commission

15. January 12, U.S. Securities and Exchange Commission – (International) Biomet charged with repeating FCPA violations. The U.S. Securities and Exchange Commission (SEC) announced January 12 that Warsaw, Indiana-based Zimmer Biomet agreed to pay more than $30 million to resolve parallel SEC and U.S. Department of Justice investigations into the company’s alleged Foreign Corrupt Practices Act (FCPA) violations after Biomet continued to interact and improperly record transactions with a prohibited distributor in Brazil, and used a third-party customs broker to pay bribes to Mexican customs officials to enable the smuggling of unregistered dental products. Source: https://www.sec.gov/news/pressrelease/2017-8.html

The U.S. Government agreed January 12 to provide $2.2 billion in disability benefits to as many as 900,000 U.S. Marine Corps service members who were potentially exposed to contaminated drinking water between August 1953 and December 1987. – Associated Press 

22. January 12, Associated Press – (National) US agrees to pay billions to Marines affected by toxic water. The U.S. Government agreed January 12 to provide $2.2 billion in disability benefits to as many as 900,000 U.S. Marine Corps service members who were potentially exposed to contaminated drinking water while stationed at Camp Lejeune in North Carolina for at least 30 cumulative days between August 1953 and December 1987. The payouts are scheduled to begin in March 2017 and veterans are required to submit evidence of their diagnoses and service information in order to receive the benefits. Source: http://abcnews.go.com/Politics/wireStory/us-agrees-pay-billions-marines-affected-toxic-water-44743897
  
Financial Services Sector

2. January 12, U.S. Securities and Exchange Commission – (National) ITG paying $24 million for improper handling of ADRs. The U.S. Securities and Exchange Commission announced January 12 that Investment Technology Group, Inc. (ITG) agreed to pay over $24.4 million to settle charges that it violated Federal securities laws from 2011 – 2014 by facilitating pre-releases of American Depository Receipts (ADRs) to its counterparties without owning the foreign shares or taking the necessary steps to ensure they were protected by the counterparty on whose behalf they were being acquired. Many of the ADRs obtained by ITG through pre-releases were ultimately used to engage in short selling and dividend arbitrage although they may not have been backed by foreign shares, leaving them exposed to market abuse. Source: https://www.sec.gov/news/pressrelease/2017-6.html

3. January 12, SecurityWeek – (International) New Ploutus ATM malware variant at large. Security researchers from FireEye reported that a new variant of the Ploutus ATM malware targeting machines from Diebold, dubbed Ploutus-D, is capable of significantly expanding its list of targets with minor code changes, as it is capable of interacting with KAL’s Kalignite multivendor ATM platform, which runs on 40 different ATM vendors in 80 countries. The new variant requires an attacker or money mule to open the top portion of the ATM, connect a keyboard to the machine, and use an activation code that is provided by the actor in charge of the operation in order to dispense the money from the machine. Source: http://www.securityweek.com/new-ploutus-atm-malware-variant-large

Information Technology Sector

26. January 12, SecurityWeek – (International) GoDaddy revokes nearly 9,000 SSL certificates. GoDaddy revoked nearly 9,000 Secure Sockets Layer (SSL) certificates after discovering that a software bug, which was introduced in July 2016 as part of a routine code change intended to improve the certificate issuance process, can cause the domain validation process to be unreliable. GoDaddy provides the customer a random code and directs the customer to place it in a specific location on their Website in order to validate the domain name for a certificate; however, the systems were observed validating domains even if the code was not found. Source: http://www.securityweek.com/godaddy-revokes-nearly-9000-ssl-certificates
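The validation flow in item 26 (hand the applicant a random code, have them publish it at a known location, then fetch it) as an added Python example; this is not GoDaddy's code and does not claim to reproduce their actual bug. It puts a constructed fail-open check beside a fail-closed one; the challenge path, the sample token and the canned HTTP responses are all assumptions.

```python
"""Fail-open versus fail-closed domain-control validation.

Constructed illustration: a CA hands the applicant a random token, asks
them to publish it at a known URL on the domain, then fetches that URL.
The weak validator treats anything other than a clean token mismatch as
success, so an unreachable host or an error page "validates" the domain.
The corrected validator succeeds only on an exact match from a 200 OK.
"""
import secrets
from typing import Callable, Optional, Tuple

# (HTTP status, response body); None models a DNS or connection failure.
FetchResult = Optional[Tuple[int, str]]
Fetcher = Callable[[str], FetchResult]

# Assumed challenge location; the real path used by any CA is not on the page.
CHALLENGE_PATH = "/.well-known/pki-validation/challenge.txt"


def issue_token() -> str:
    """Random, unguessable token (128 bits) the applicant must publish."""
    return secrets.token_hex(16)


def challenge_url(domain: str) -> str:
    return f"http://{domain}{CHALLENGE_PATH}"


def validate_fail_open(domain: str, token: str, fetch: Fetcher) -> bool:
    """Weak check (constructed): only an explicit token mismatch fails.

    A network error or a non-200 page never reaches the comparison, so
    control of the domain is never demonstrated in those cases.
    """
    result = fetch(challenge_url(domain))
    if result is None:
        return True            # BUG: unreachable host treated as validated
    status, body = result
    if status != 200:
        return True            # BUG: error page treated as validated
    return token in body       # substring match is looser than needed


def validate_fail_closed(domain: str, token: str, fetch: Fetcher) -> bool:
    """Corrected check: every path other than an exact 200 OK match fails."""
    result = fetch(challenge_url(domain))
    if result is None:
        return False           # cannot reach the host: no proof of control
    status, body = result
    if status != 200:
        return False           # error page: no proof of control
    # Constant-time compare of the whole body, so stray page content or an
    # error page that merely echoes the request cannot pass.
    return secrets.compare_digest(body.strip().encode(), token.encode())


# --- constructed responses standing in for real HTTP fetches ---------------
TOKEN = "3b7f1c9e2a4d6f8091b2c3d4e5f60718"   # constructed sample token


def fetch_published(url: str) -> FetchResult:
    """Applicant published the token correctly."""
    return (200, TOKEN + "\n")


def fetch_not_found(url: str) -> FetchResult:
    """Nothing published; the server answers with an error page."""
    return (404, "<html><body>Not Found</body></html>")


def fetch_unreachable(url: str) -> FetchResult:
    """Host does not answer at all."""
    return None


def fetch_wrong_token(url: str) -> FetchResult:
    """Some other token (e.g. another applicant's) is published."""
    return (200, "deadbeef" * 4 + "\n")


if __name__ == "__main__":
    cases = {
        "published": fetch_published,
        "not found": fetch_not_found,
        "unreachable": fetch_unreachable,
        "wrong token": fetch_wrong_token,
    }
    for name, fetcher in cases.items():
        weak = validate_fail_open("example.com", TOKEN, fetcher)
        fixed = validate_fail_closed("example.com", TOKEN, fetcher)
        print(f"{name:12s} fail-open={weak!s:5s} fail-closed={fixed}")
```

Only the "published" case should validate; the fail-open version also accepts the unreachable host and the 404 page, which is the class of defect the revocation in item 26 was cleaning up after.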

Communications Sector

Nothing to report

Friday, January 13, 2017



Complete DHS Report for January 13, 2017

Daily Report

Top Stories

• Ford Motor Company issued a recall January 12 for 654,695 of its model years 2005 – 2009 vehicles sold in select makes to replace fatally flawed Takata Corporation passenger-side airbags. – TheCarConnection.com

4. January 12, TheCarConnection.com – (International) Takata airbag recall list balloons again: 816,000 Ford, Lincoln, Mercury vehicles added. Ford Motor Company issued a recall January 12 for 654,695 of its model years 2005 – 2009 vehicles sold in select makes in the U.S. to replace fatally flawed Takata Corporation passenger-side airbags. The recall also includes 161,174 vehicles registered in Canada. Source: http://www.thecarconnection.com/news/1108318_takata-airbag-recall-list-balloons-again-816000-ford-lincoln-mercury-vehicles-added

• The Volkswagen Group agreed to pay $4.3 billion in criminal fines and civil penalties and pleaded guilty January 11 after the company rigged more than 500,000 vehicles with software to cheat pollution laws and lied to U.S. investigators about the nature of the conspiracy. – USA Today

6. January 11, USA Today – (International) VW pleads guilty to conspiracy, obstruction of justice; 6 execs charged. The Volkswagen Group agreed to pay $4.3 billion in criminal fines and civil penalties and pleaded guilty January 11 after the company rigged more than 500,000 vehicles with software to cheat pollution laws and lied to U.S. investigators about the nature of the conspiracy. Six German Volkswagen executives were also charged January 11 for their alleged roles in the scheme. Source: http://www.usatoday.com/story/money/cars/2017/01/11/volkswagen-epa-doj-department-of-justice-settlement/96439678/

• Straight Path Communications, Inc. agreed to pay $15 million January 12 to resolve an investigation into its former parent company IDT Corp. and its spectrum licenses following claims of fraud made against the company by an anonymous short seller. – Reuters See item 21 below in the Communications Sector

• Ameren Missouri announced January 10 that the Lake of the Ozarks’ Bagnell Dam will receive $52 million worth of structural upgrades. – St. Louis Post-Dispatch

25. January 10, St. Louis Post-Dispatch – (Missouri) Dam at Lake of the Ozarks to receive $52-million structural upgrades. Ameren Missouri announced January 10 that the Lake of the Ozarks’ Bagnell Dam will receive $52 million worth of structural upgrades, including outfitting the dam with 68 new anchors to hold it into the bedrock, and adding over 66 million pounds of new concrete to better secure the dam, among other improvements. The project will begin in March 2017 and is expected to take 18 months to complete. Source: http://www.stltoday.com/business/local/dam-at-lake-of-the-ozarks-to-receive-- million/article_bb767264-a7d1-5ae7-b0dc-6c7a0dc4b241.html

Financial Services Sector

Nothing to report

Information Technology Sector

16. January 12, SecurityWeek – (International) Eight vulnerabilities patched in WordPress. WordPress version 4.7.1 was released, resolving a total of 8 security flaws and 62 bugs including 2 cross-site request forgery (CSRF) flaws, several cross-site scripting (XSS) vulnerabilities, and a weak crypto issue related to multisite activation keys.

17. January 12, SecurityWeek – (International) Four high severity DoS flaws patched in BIND. The Internet Systems Consortium (ISC) released BIND versions 9.9.9-P5, 9.10.4-P5, 9.11.0-P2, and 9.9.9-S7 addressing four high severity denial-of-service (DoS) flaws that can be remotely exploited to cause the BIND name server process to encounter an assertion failure and stop executing. ISC stated it was not aware of the vulnerabilities being actively exploited.

18. January 11, SecurityWeek – (International) Command execution vulnerability patched in Ansible. Red Hat released updates for the Ansible IT automation platform addressing a security bypass vulnerability after security researchers from Computest found that a flaw in the controller, the central node in an Ansible installation, could be leveraged by an attacker to bypass filters and gain control of certain facts to execute arbitrary code on the controller, and subsequently move to the other hosts. Source: http://www.securityweek.com/command-execution-vulnerability-patched-ansible

19. January 11, SecurityWeek – (International) Powerful “Spora” ransomware lets victims pay for immunity. Security researchers from Emsisoft warned that a newly observed ransomware, dubbed Spora, is distributed via spam emails masked as invoices and leverages Windows CryptoAPI for encryption, using a mix of RSA and Advanced Encryption Standard (AES) that allows the ransomware to encrypt files without a command and control (C&C) server connection, as well as ensuring that a decryption tool developed for one victim will not work for another victim. The researchers also found that Spora is able to determine how much ransom a victim should pay by creating statistics of the targets to encrypt and saving them to a .KEY file as a set of six numbers. Source: http://www.securityweek.com/powerful-spora-ransomware-lets-victims-pay-immunity

20. January 11, SecurityWeek – (International) RIG grabs 35% of exploit kit market in December. Symantec researchers reported that the RIG exploit kit (EK) was responsible for nearly 35 percent of the total EK activity during December 2016, with Fiesta at roughly 4 percent, and the Magnitude EK at about 3 percent. The number of Web attacks blocked by Symantec increased by about 33 percent in December 2016 after the company blocked 388,000 attacks per day in comparison to the 291,000 attacks blocked per day in November 2016. Source: http://www.securityweek.com/rig-grabs-35-exploit-kit-market-december

Communications Sector

Nothing to report

Thursday, January 12, 2017


Complete DHS Report for January 12, 2017

Daily Report

Top Stories

• Honda Motor Co. Ltd. issued a recall January 11 for 1.29 million of its model years 2005 – 2012 Acura and Honda vehicles in select makes to replace faulty Takata Corporation passenger-side airbags. – TheCarConnection.com

4. January 11, TheCarConnection.com – (National) Honda adds 772,000 Accord, Civic, CR-V, and other models to Takata airbag recall. Honda Motor Co. Ltd. issued a recall January 11 for 1.29 million of its model years 2005 – 2012 Acura and Honda vehicles sold in select makes in the U.S. to replace faulty Takata Corporation passenger-side airbags. The recall includes 518,000 vehicles that were previously involved in recalls for driver-side Takata Corporation airbags.

• The U.S. Federal Deposit Insurance Corporation (FDIC) filed a $542 million lawsuit against Bank of America Corp. January 9 for reportedly failing to pay the FDIC for deposit insurance protection. – Bloomberg News See item 6 below in the Financial Services Sector

• The former operator of Coin.mx pleaded guilty January 9 to violating Federal anti-money laundering laws and regulations by processing over $10 million in illegal Bitcoin transactions. – U.S. Attorney’s Office, Southern District of New York See item 7 below in the Financial Services Sector

• The Port Authority of New York and New Jersey agreed January 10 to pay a $400,000 penalty after it offered and sold $2.3 billion worth of bonds to roadway project investors without informing them of risks associated with certain projects. – U.S. Securities and Exchange Commission

11. January 10, U.S. Securities and Exchange Commission – (New York; New Jersey) SEC: Port Authority omitted risks to investors in roadway projects. The U.S. Securities and Exchange Commission announced January 10 that the Port Authority of New York and New Jersey agreed to pay a $400,000 penalty and admit wrongdoing after it offered and sold $2.3 billion worth of bonds to roadway project investors without informing the investors that certain projects listed in the offering documents were outside its mandate and potentially illegal to pursue.
Source: https://www.sec.gov/news/pressrelease/2017-4.html

Financial Services Sector

6. January 9, Bloomberg News – (National) Bank of America sued for $542 million over FDIC risk rule. The U.S. Federal Deposit Insurance Corporation (FDIC) filed a $542 million lawsuit against Bank of America Corp. January 9 for reportedly failing to pay the FDIC for deposit insurance protection from 2013 – 2014 after the bank ignored FDIC instructions and improperly calculated exposure faced by its parent-level firms, thereby causing the bank to understate how much it owed in insurance protection for its 20 largest counterparties. The FDIC claims the bank owes a total of more than $1 billion in underpayments made since 2011. Source: https://www.bloomberg.com/news/articles/2017-01-09/bank-of-america-sued-by-fdic-over-542-million-of-insurance

7. January 9, U.S. Attorney’s Office, Southern District of New York – (International) Operator of unlawful Bitcoin exchange pleads guilty in multimillion-dollar money laundering and fraud scheme. The former operator of Coin.mx, an Internet-based Bitcoin exchange, pleaded guilty January 9 to violating Federal anti-money laundering laws and regulations by processing over $10 million in illegal Bitcoin transactions from 2013 – July 2015 via a sham front company, Collectables Club, that the operator and co-conspirators created in order to avoid detection. To further avoid scrutiny from financial institutions about the nature of Coin.mx’s business, the group gained control of New Jersey-based Helping Other People Excel Federal Credit Union in 2014 after making more than $150,000 in illegal bribes. Source: https://www.justice.gov/usao-sdny/pr/operator-unlawful-bitcoin-exchange-pleads-guilty-multimillion-dollar-money-laundering

Information Technology Sector

24. January 10, SecurityWeek – (International) Microsoft patches flaws in Windows, Office, Edge. Microsoft released a total of four security bulletins, including a critical bulletin that resolves a memory corruption flaw in Office that can be exploited by convincing a targeted user to open a maliciously crafted file or to visit a Website hosting a malicious file due to the way the software handles objects in memory. Microsoft also released bulletins patching a privilege escalation flaw in Edge, a denial-of-service (DoS) flaw, as well as vulnerabilities in Adobe Flash Player used in several versions of Windows.

25. January 10, SecurityWeek – (International) SAP patches multiple XSS and missing authorization vulnerabilities. SAP released its January 2017 security patches resolving a total of 23 flaws across its products, including a severe buffer overflow bug that an attacker could leverage to inject malicious code into memory and cause a compromised application to execute it, enabling the attacker to take complete control of an application, cause a denial-of-service (DoS) condition, or execute arbitrary commands, among other malicious actions. The patches also addressed a critical Structured Query Language (SQL) injection flaw in SAP Business Intelligence Platform that could allow a malicious actor using specially crafted SQL queries to access and modify sensitive information from a database, remove the data, and execute administration operations, among other addressed flaws. Source: http://www.securityweek.com/sap-patches-multiple-xss-and-missing-authorization-vulnerabilities

26. January 10, SecurityWeek – (International) Adobe patches 42 flaws in Reader, Acrobat, Flash. Adobe released security updates addressing a total of 42 vulnerabilities in its products, including 29 issues affecting Acrobat and Reader versions 11 and 15 that could allow a malicious actor to take control of an impacted system. The updates also resolve 13 critical security flaws in Flash Player, which can lead to arbitrary code execution or information disclosure.
Source: http://www.securityweek.com/adobe-patches-42-flaws-reader-acrobat-flash

27. January 10, SecurityWeek – (International) New Terror exploit kit emerges. Security researchers from Trustwave reported cybercriminals started leveraging a new exploit kit (EK), dubbed Terror, which packs at least eight different operational exploits for Microsoft Internet Explorer, Adobe Flash Player, and Mozilla Firefox that are a combination of Metasploit exploits and ones borrowed from the Hunter or Sundown EKs. The developer of Terror was observed leveraging the EK to deliver a cryptocurrency miner to the compromised device.

Communications Sector

Nothing to report

Wednesday, January 11, 2017



Complete DHS Report for January 11, 2017

Daily Report

Top Stories

• Fiat Chrysler Automobiles issued a recall January 9 for 86,403 of its model years 2005 – 2010 vehicles in select makes to replace Takata airbag inflators. – TheCarConnection.com

2. January 9, TheCarConnection.com – (International) Chrysler Aspen, Dodge Durango, Ram 2500 and 3500 recalled to fix Takata airbags. Fiat Chrysler Automobiles issued a recall January 9 for 86,403 of its model years 2005 – 2010 vehicles in select makes sold in the U.S. to replace Takata airbag inflators on the driver’s or passenger’s side of the vehicles. The recall also includes roughly 14,000 vehicles sold in Canada, Mexico, and outside of North America. Source: http://www.thecarconnection.com/news/1108255_chrysler-aspen-dodge-durango-ram-2500-3500-recalled-to-fix-takata-airbags

• The former top emissions compliance manager for Volkswagen in the U.S. was charged January 7 in Florida for allegedly conspiring to defraud the U.S. after playing a central role in the carmaker’s efforts to conceal its emissions cheating from U.S. regulators with a so-called defeat device. – New York Times

3. January 9, New York Times – (National) F.B.I. arrests Volkswagen executive on conspiracy charge in emissions scandal. The former top emissions compliance manager for Volkswagen in the U.S. was charged January 7 in Florida for allegedly conspiring to defraud the U.S. after playing a central role in the carmaker’s efforts to conceal its emissions cheating from U.S. regulators with a so-called defeat device. The arrest came as Volkswagen and the U.S. Department of Justice neared a deal to pay over $2 billion to settle the criminal investigation into the emissions cheating.

• Officials in Santa Cruz, California, declared an emergency water shortage January 9 and asked residents to limit their water use by 30 percent until January 16. – KGO 7 San Francisco

11. January 10, KGO 7 San Francisco – (California) Drinking water emergency declared in Santa Cruz. Officials in Santa Cruz, California, declared an emergency water shortage January 9 and asked residents to limit their water use by 30 percent until January 16 after a storm the weekend of January 7 caused a critical water pipeline to leak 1,500 gallons per minute for several hours. City officials have no estimate of how long it will take to repair the leak. Source: http://abc7news.com/weather/drinking-water-emergency-declared-in-santa-cruz/1694992/

• The former president of United Auto Workers Local 2326 and an insurance broker were charged January 9 for allegedly defrauding Horizon Blue Cross Blue Shield of New Jersey out of roughly $6.6 million. – Associated Press

12. January 10, Associated Press – (National) Former union official, broker charged in $6.6 million fraud. The former president of United Auto Workers Local 2326 and an insurance broker were charged January 9 for allegedly defrauding Horizon Blue Cross Blue Shield of New Jersey out of roughly $6.6 million after the broker created two shell companies to market insurance to hundreds of people across the country not employed by them, and allowed some of those people to stay on the union’s plan even after the health care program discovered they did not meet eligibility requirements.

Financial Services Sector

4. January 9, McLean Patch – (Virginia) Police seize 87 fraudulent credit cards from suspects Sunday at Tysons shopping center. Authorities in Fairfax County, Virginia, arrested and charged 3 suspects after they seized 87 fraudulent credit cards in the suspects’ possession at Tysons Corner Center January 8. Further investigation revealed the suspects also possessed several items used to manufacture fake credit cards and identification cards. Source: http://patch.com/virginia/mclean/police-seize-87-fraudulent-credit-cards-suspects-sunday-tysons-shopping-center

Information Technology Sector

21. January 9, SecurityWeek – (International) Rockwell Automation addresses flaws in programmable controllers. Rockwell Automation released firmware updates for its Allen-Bradley programmable automation controllers, programmable logic controllers, and safety programmable controllers after the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported that versions 16 – 21 of the devices were plagued with a critical stack-based buffer overflow flaw that could be remotely exploited to execute arbitrary code on a controller or cause the device to enter a denial-of-service (DoS) condition by sending maliciously crafted Common Industrial Protocol (CIP) packets to the targeted device. Source: http://www.securityweek.com/rockwell-automation-addresses-flaws-programmable-controllers

22. January 9, SecurityWeek – (International) Edge exploits added to Sundown EK. A security researcher discovered that the operators of the Sundown exploit kit (EK) started leveraging two memory corruption flaws in Microsoft Edge that can be remotely exploited to execute arbitrary code in the context of the user by tricking a victim into accessing a maliciously crafted Website.

23. January 9, SecurityWeek – (International) Mac crashing attack method used in tech support scam. Malwarebytes Labs security researchers discovered that attackers are leveraging drive-by downloads to deliver malicious code targeting Apple’s Safari browser on Macs via a newly registered scam Website that pushes two different types of denial-of-service malware as part of a campaign to trick victims into calling a fake tech support service. The researchers stated that the attack does not work against machines running Mac’s operating system Sierra 10.12.2 or above.

For additional stories, see item 13 below from the Healthcare and Public Health Sector and item 19 below from the Government Facilities Sector


13. January 9, Threatpost – (National) St. Jude Medical patches vulnerable cardiac devices. St. Jude Medical, Inc. and the U.S. Food and Drug Administration announced January 9 the release of a software update for St. Jude’s Merlin at home Transmitter medical device after MedSec Holdings and Muddy Waters discovered in 2016 that the remote transmitting devices used to communicate with St. Jude’s implantable cardiac devices were plagued with vulnerabilities that exposed pacemakers and defibrillators to attacks, putting patients’ physical safety at risk.


19. January 9, SecurityWeek – (International) Man pleads guilty to hacking accounts of U.S. officials. A North Carolina resident pleaded guilty the week of January 2 for his role in the “Crackas With Attitude” hacking group’s conspiracy to gain access to the online accounts of Federal Government officials and their families, as well as government computer systems, between October 2015 and February 2016. The group published the officials’ personal details on the Internet and harassed them over the phone.
Source: http://www.securityweek.com/man-pleads-guilty-hacking-accounts-us-officials

Communications Sector

Nothing to report

MS17-002 – Important: Security Update for Microsoft Office (3214291) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (January 10, 2017): Bulletin published
Summary: This security update resolves a vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS17-004 – Important: Security Update for Local Security Authority Subsystem Service (3216771) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (January 10, 2017): Bulletin Published
Summary: A denial of service vulnerability exists in the way the Local Security Authority Subsystem Service (LSASS) handles authentication requests. An attacker who successfully exploited the vulnerability could cause a denial of service on the target system's LSASS service, which triggers an automatic reboot of the system.

MS17-001 – Important: Security Update for Microsoft Edge (3214288) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (January 10, 2017): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Edge. This vulnerability could allow elevation of privilege if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerability could elevate privileges in affected versions of Microsoft Edge.

Tuesday, January 10, 2017

Complete DHS Report for January 10, 2017

Daily Report

Top Stories

• Over 91,000 Pacific Gas and Electric Company customers across northern California were without power January 8 after severe weather caused flooding and downed power lines January 7. – Los Angeles Times

2. January 8, Los Angeles Times – (California) More than 90,000 Californians without power. Over 91,000 Pacific Gas and Electric Company customers across northern California were without power January 8 after severe weather caused flooding and downed power lines January 7. Company officials expect to restore power to most of the impacted customers January 9.

• Roughly 3,500 gallons of gasoline were spilled into a small creek that leads to a tributary of Beaver Run Reservoir January 8 after a tanker truck overturned in Salem Township, Pennsylvania. – KDKA 2 Pittsburgh

3. January 8, KDKA 2 Pittsburgh – (Pennsylvania) Gasoline gushes from ruptured tanker truck in Salem Twp. Roughly 3,500 gallons of gasoline were spilled January 8 after a tanker truck overturned while exiting the Sunoco Logistics Partners LP fuel terminal in Salem Township, Pennsylvania. The gasoline spilled into a small creek that leads to a tributary of Beaver Run Reservoir and the Pennsylvania Department of Environmental Protection is monitoring the water quality in the creek. Source: http://pittsburgh.cbslocal.com/2017/01/08/report-gasoline-gushes-from-ruptured-tanker-truck-in-salem-twp/

• A former vice president of U.S. operations at Poseidon Concepts Corporation in Calgary, Canada, was charged January 5 for his role in a securities fraud scheme where he allegedly caused the company to fictitiously report roughly $100 million in revenue from purported contracts with oil and natural gas companies. – U.S. Department of Justice See item 6 below in the Financial Services Sector

• Five people were killed and six others were injured after a man opened fire at the baggage claim in Terminal 2 of the Fort Lauderdale – Hollywood International Airport in Florida January 6. – Associated Press; WTVJ 6 Miami (See item 7)

7. January 9, Associated Press; WTVJ 6 Miami – (Florida) 5 dead, 6 wounded in shooting at Fort Lauderdale-Hollywood International Airport. Five people were killed and six others were injured after a man opened fire at the baggage claim in Terminal 2 of the Fort Lauderdale – Hollywood International Airport in Florida January 6. The suspect surrendered to authorities and was indicted on Federal charges. Source: http://www.nbcmiami.com/news/local/Shooting-Reported-Inside-Fort-Lauderdale--Hollywood-International-Airport-409905825.html

Financial Services Sector

6. January 6, U.S. Department of Justice – (International) Former vice president of publicly traded company charged with orchestrating $100 million securities fraud scheme. A former vice president of U.S. operations at now-bankrupt Poseidon Concepts Corporation in Calgary, Canada, was charged January 5 for his role in a securities fraud scheme where from November 2011 to December 2012, he allegedly caused the company to fictitiously report roughly $100 million in revenue from purported contracts with oil and natural gas companies. The charges allege that the defendant executed the scheme to enrich himself through the continued receipt of funds and stock appreciation, while causing the firm’s shares to lose nearly $1 billion in value.

Information Technology Sector

19. January 6, SecurityWeek – (International) New “Ghost Host” technique boosts botnet resiliency. Cyren security researchers reported that malware developers have started leveraging a new technique, dubbed ghost host, which fools Web security and Uniform Resource Locator (URL) filtering systems by inserting non-malicious host names that are both registered and unregistered into the Hypertext Transfer Protocol (HTTP) host fields of a botnet’s communications, in order to guarantee communication with the command and control (C&C) server is not blocked by security systems. The botnet operator can also manipulate the server to respond differently when messages using different ghost host names are received, including commanding the botnet to download a specific type of malware onto a device.
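The Cyren report above describes the trick but not how a defender would spot it. The following Python is an added illustration (not Cyren's code or any product's logic) of the obvious counter-check: compare each request's Host header against what the name actually resolves to, and cluster mismatches per client/destination pair, since a single endpoint cycling through many unrelated host names to one IP is the ghost-host pattern. The log lines, the passive-DNS table and the threshold are constructed for this example.

```python
"""Flag HTTP requests whose Host header is inconsistent with the destination IP.

Constructed example: log format, resolver table and thresholds are assumptions,
not taken from the Cyren report. Real deployments would feed proxy logs and a
passive-DNS/resolver source instead of the inline tables below.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed proxy-style records: client_ip dst_ip host_header uri
SAMPLE_LOG = """\
10.0.0.5 198.51.100.20 cdn.example-media.test /v2/ping
10.0.0.5 198.51.100.20 mail.example-corp.test /v2/ping
10.0.0.5 198.51.100.20 not-registered-anywhere.test /v2/ping
10.0.0.5 198.51.100.20 tracker.example-ads.test /v2/ping
10.0.0.7 203.0.113.8 www.example-shop.test /index.html
"""

# Constructed stand-in for resolver / passive-DNS answers. None = unregistered.
PDNS = {
    "cdn.example-media.test": {"192.0.2.10", "192.0.2.11"},
    "mail.example-corp.test": {"192.0.2.25"},
    "not-registered-anywhere.test": None,
    "tracker.example-ads.test": {"192.0.2.40"},
    "www.example-shop.test": {"203.0.113.8"},
}


@dataclass(frozen=True)
class Finding:
    client: str
    dst_ip: str
    host: str
    reason: str


def parse_log(text):
    """Split whitespace-separated records into (client, dst_ip, host, uri)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, dst_ip, host, uri = line.split(maxsplit=3)
        records.append((client, dst_ip, host.lower(), uri))
    return records


def classify(dst_ip, host, pdns):
    """Return None if the Host header fits dst_ip, otherwise a short reason."""
    answers = pdns.get(host)
    if answers is None:
        return "unregistered host name"
    if dst_ip not in answers:
        return "host name does not resolve to destination IP"
    return None


def find_ghost_hosts(records, pdns, min_distinct_hosts=3):
    """Per-request findings plus (client, dst_ip) pairs that look like beacons.

    A lone mismatch is weak evidence (CDNs and virtual hosting cause them), so
    the cluster view only reports pairs that used several unrelated names.
    """
    findings = []
    names_per_pair = defaultdict(set)
    for client, dst_ip, host, _uri in records:
        reason = classify(dst_ip, host, pdns)
        if reason is None:
            continue
        findings.append(Finding(client, dst_ip, host, reason))
        names_per_pair[(client, dst_ip)].add(host)
    clusters = {pair: sorted(hosts) for pair, hosts in names_per_pair.items()
                if len(hosts) >= min_distinct_hosts}
    return findings, clusters


def analyze(text=SAMPLE_LOG, pdns=PDNS):
    """Convenience entry point over the constructed sample data."""
    return find_ghost_hosts(parse_log(text), pdns)


if __name__ == "__main__":
    found, suspicious = analyze()
    for f in found:
        print(f"{f.client} -> {f.dst_ip} Host={f.host}: {f.reason}")
    for (client, dst_ip), hosts in suspicious.items():
        print(f"possible ghost-host beacon {client} -> {dst_ip}: {hosts}")
```

The mismatch check alone is noisy; the per-destination clustering is what separates a misconfigured CDN from one client rotating unrelated names toward a single command-and-control address.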

Communications Sector

20. January 8, WKBN 27 Youngstown – (Ohio) AT&T service outages restored across northeast Ohio. AT&T Inc. technicians restored U-verse and Internet service to thousands of customers in the Youngstown area of Ohio January 8 after a fiber cut caused an outage January 6. Source: http://wkbn.com/2017/01/08/att-power-outages-being-reported-across-northeast-ohio/

Monday, January 9, 2017

Complete DHS Report for January 9, 2017

Daily Report

Top Stories

• A Mission, Texas-based businessman pleaded guilty January 3 to using the U.S. banking system to help three former governors from Mexico launder tens of millions of dollars. – San Antonio Express-News See item 3 below in the Financial Services Sector

• TransUnion, Equifax, Inc., and their subsidiaries were ordered January 3 to pay more than $17.6 million in restitution to consumers and $5.5 million in fines for misleading consumers about the usefulness and actual cost of credit scores the companies sold. – U.S. Consumer Financial Protection Bureau See item 5 below in the Financial Services Sector

• An electrical malfunction at the Blucher Poole Wastewater Treatment Plant in Bloomington, Indiana, caused 104,500 gallons of untreated wastewater to be released into Bean Blossom Creek January 5. – WBIW 1340 AM Bedford

14. January 5, WBIW 1340 AM Bedford – (Indiana) CBU officials respond to wastewater release at Blucher Poole Wastewater Treatment Plant. An electrical malfunction related to the pumping system at the Blucher Poole Wastewater Treatment Plant in Bloomington, Indiana, caused 104,500 gallons of untreated wastewater to be released into Bean Blossom Creek January 5. The cause of the electrical failure remains under investigation. Source: http://www.wbiw.com/local/archive/2017/01/cbu-officials-respond-to-wastewater-release-at-blucher-poole-wastewater-treatment-plant.php

• The State of Michigan removed the director of the Unemployment Insurance Agency January 5 after a review uncovered that 93% of fraud allegations against over 22,000 unemployment insurance applicants were false. – Detroit Free Press

17. January 5, Detroit Free Press – (Michigan) Chief of Mich. unemployment agency out amid false fraud allegations. The State of Michigan removed the director of the Unemployment Insurance Agency January 5 after a review performed partly at the request of the Federal Government uncovered that 93% of fraud allegations the agency made against over 22,000 unemployment insurance applicants from October 2013 – October 2015 were false, resulting in more than $15 million being unlawfully taken from claimants through wage garnishees, seizures of income tax returns, and other methods in 2015 alone. Michigan officials report that around $5.4 million has been refunded to 2,571 claimants wrongly accused of fraud.

Financial Services Sector

3. January 5, San Antonio Express-News – (International) Valley businessman pleads guilty in Mexico corruption probe. A Mission, Texas-based businessman pleaded guilty January 3 to using the U.S. banking system to help former governors from Coahuila, Aguascalientes, and Tamaulipas, Mexico, launder tens of millions of dollars by compelling the officials to direct inflated payments for road work to the defendant’s Mexican asphalt company, which the defendant subsequently moved to his account for his U.S. firm, Rodmax Inc. The defendant had the exclusive rights to sell a certain kind of paving machine and paid bribes to the Mexican government representatives in exchange for contracts to perform the road work. Source: http://www.expressnews.com/news/local/article/Valley-businessman-pleads-guilty-as-part-of-10834876.php

4. January 4, WABC 7 New York – (New Jersey) Police investigating ATM skimming incidents at banks in New Jersey. New Jersey authorities are investigating after recent ATM skimming incidents at banks across the State, including the Lakeland Bank branch in Oak Ridge from December 2016 – January 2017, as well as at banks in Bloomingdale and Lincoln Park. More than 100 potential victims of these ATM skimming incidents have been identified to date. Source: http://abc7ny.com/news/thieves-using-skimmers-to-steal-customers-account-info-at-nj-banks/1686118/

5. January 3, U.S. Consumer Financial Protection Bureau – (National) CFPB orders TransUnion and Equifax to pay for deceiving consumers in marketing credit scores and credit products. The U.S. Consumer Financial Protection Bureau (CFPB) January 3 ordered TransUnion, Equifax, Inc., and their subsidiaries to pay more than $17.6 million in restitution to consumers and fines worth $5.5 million to the CFPB for misleading consumers about the usefulness and actual cost of credit scores the companies sold by leading consumers to think they were the same credit scores lenders commonly used to make credit decisions, and for persuading consumers to pay expensive recurring fees for credit scores and credit-related products that the firms falsely claimed were free or low-cost, from at least July 2011 – March 2014. As part of the settlement, TransUnion and Equifax must clearly notify consumers about the nature of credit scores they are selling, must obtain the consumer’s consent prior to enrolling them in any credit-related product with a negative option feature, and must offer consumers a simple way to cancel the purchase of any credit-related product. Source: http://www.consumerfinance.gov/about-us/newsroom/cfpb-orders-transunion-and-equifax-pay-deceiving-consumers-marketing-credit-scores-and-credit-products/

Information Technology Sector

19. January 5, SecurityWeek – (International) KillDisk malware targets Linux machines. ESET security researchers reported that the KillDisk malware, recently observed adding encryption capabilities and behaving like ransomware, is now targeting Linux systems, including workstations and servers. The Linux variant of the malware overwrites the bootloader entries and displays the ransom text within the GRUB bootloader.

20. January 5, SecurityWeek – (International) “MM Core” APT malware now targets United States. Forcepoint security researchers reported that two new versions of the malware “MM Core,” dubbed BigBoss and SillyGoose, have been used to target the news and media, government (defense), oil and gas, and telecommunications industries in Africa and the U.S. The trojan was designed to collect information on the infected computer and set up a backdoor for remote access.

Communications Sector

See item 20 above in the Information Technology Sector

Friday, January 6, 2017

Complete DHS Report for January 6, 2017

Daily Report

Top Stories

• Deutsche Bank AG agreed January 4 to pay $95 million to settle a tax fraud lawsuit after the bank allegedly used shell companies to avoid paying tens of millions of dollars in Federal taxes in 2000. – MarketWatch See item 3 below in the Financial Services Sector

• About 104 people were injured after a Long Island Rail Road train arriving from Far Rockaway derailed at the Atlantic Terminal in Brooklyn, New York, January 4. – Reuters

5. January 5, Reuters – (New York) New York train crash injures more than 100 commuters. About 104 people were injured after a Long Island Rail Road train arriving from Far Rockaway derailed at the Atlantic Terminal in Brooklyn, New York, January 4 after striking a bumping block when the train failed to stop on time. The incident remains under investigation.

• Baltimore County public works officials reported that around 57,000 gallons of sewage spilled in Reisterstown, Maryland, January 4 after a 10-inch sewer line broke. – Baltimore Sun

12. January 4, Baltimore Sun – (Maryland) 57,000 gallons of sewage spills in Reisterstown. Baltimore County public works officials reported that around 57,000 gallons of sewage spilled in Reisterstown, Maryland, January 4 after a 10-inch sewer line broke due to its proximity to an eroding stream bed. Health officials will monitor bacteria levels in the water for possible contamination. Source: http://www.baltimoresun.com/news/maryland/baltimore-county/bs-md-co-sewage-spill-reisterstown-20170104-story.html

• The Northside Independent School District in San Antonio notified January 4 approximately 23,000 former and current students and employees that their personal information may have been compromised after hackers accessed the email accounts of some employees. – KSAT 12 San Antonio

16. January 4, KSAT 12 San Antonio – (Texas) Letter notifies NISD employees, students of email breach. The Northside Independent School District in San Antonio notified January 4 approximately 23,000 former and current students and employees that their personal information may have been compromised after it was discovered in August 2016 that hackers accessed some employees’ email accounts. Officials stated there is no evidence that any of the information has been abused.
Source: http://www.ksat.com/education/letter-sent-notifying-nisd-employees-students-of-email-breach

Financial Services Sector

3. January 5, MarketWatch – (International) Deutsche Bank settles tax fraud suit for $95 million. Deutsche Bank AG agreed January 4 to pay the U.S. Government $95 million to settle a tax fraud lawsuit filed in 2014 after the bank allegedly used shell companies to avoid paying tens of millions of dollars in Federal taxes in 2000, including as much as $190 million in taxes, penalties, and interest.

4. January 4, Lafayette Journal & Courier – (Indiana; Illinois) Ex-fast food employee admits to card skimming. A West Lafayette, Indiana woman pleaded guilty January 4 to skimming 100 customer credit cards through the cash register and another handheld device while employed at a West Lafayette McDonald’s restaurant in December 2015. The woman and two co-conspirators reportedly used the stolen card information to create counterfeit credit cards and make fraudulent purchases at stores in Lafayette and Chicago. Source: http://www.jconline.com/story/news/crime/2017/01/04/mcdonalds-employee-pleads-credit-card-skimming/96159498/

Information Technology Sector

24. January 5, SecurityWeek – (International) FireCrypt ransomware packs DDoS code. The MalwareHunterTeam discovered that the FireCrypt ransomware is able to encrypt victims’ files, as well as launch a distributed denial-of-service (DDoS) attack against a Uniform Resource Locator (URL) hardcoded in the source code. The researchers found the URL FireCrypt targets cannot be modified using the ransomware’s builder, and reported that in order for the malware’s DDoS attack to cause significant damage, FireCrypt would have to infect thousands of devices simultaneously.

25. January 4, SecurityWeek – (International) Google patches 22 critical Android vulnerabilities. Google released its January 2017 Android Security Bulletin addressing a total of 95 vulnerabilities, including 23 flaws that impact various Android components and 72 bugs that affect drivers and other original design manufacturer (ODM) software, as well as Nexus and Pixel devices. The patches resolve a total of 22 critical vulnerabilities, including 21 elevation of privilege flaws in the Qualcomm bootloader, kernel file system, and Qualcomm video driver, among other components.

26. January 4, SecurityWeek – (International) MongoDB databases actively hijacked for extortion. A security researcher and co-founder of GDI Foundation found that a hacker, known as Harak1r1, is searching for vulnerable MongoDB databases exposed to the Internet and subsequently hijacks them to steal and replace the databases’ content with one called “Warning” before demanding a ransom in exchange for the data. The researcher reported that the malicious actor targets only those databases that contain important data, as companies are more likely to pay a high ransom to regain access to the content. Source: http://www.securityweek.com/mongodb-databases-actively-hijacked-extortion

Communications Sector

Nothing to report

CVE-2016-7200 & CVE-2016-7201 (Edge) and Exploit Kits

CVE-2016-7200 & CVE-2016-7201 are vulnerabilities in the Chakra JavaScript scripting engine in Microsoft Edge. Reported by Natalie Silvanovich of Google Project Zero, they were fixed by Microsoft in November 2016 (MS16-129).

Note: no successful exploitation seen despite integration attempts.

On 2017-01-04 @theori_io released a PoC, once again (cf. CVE-2016-0189) providing ready-to-use code to exploit kit maintainers.

After close to 6 months without a new exploit being integrated, in an EK ecosystem that has lost its innovation locomotive (Angler), the drive-by landscape is struggling to stay in shape. A low infection rate makes it harder to properly convert bought traffic.

The exploits were spotted first in Sundown, but integration into RIG/Empire/Neutrino/Magnitude/Kaixin should be a matter of hours or days.

[edit: 2017-01-10]
I have been told that with Win10 1607, Microsoft Edge has some quite strong mitigations: no WinExec, no CreateProcess, no ShellExecute, meaning every child process creation is blocked. The PoC might need a little more "magic powder" to work there.
[/edit]

Sundown:
2017-01-06

Sundown EK firing CVE-2016-7200/7201 to Edge 2017-01-06
No exploitation here though
Fiddler: Sundown_Edge__CVE-2016-7201_170106.zip (password is malware)

Out of topic: the expected payload in that infection chain was zloader. (Other payloads seen in past weeks dropped via Sundown: Zeus Panda, Neutrino Bot, Dreambot, Chthonic, Andromeda, Smokebot, Betabot, Remcos, IAP, RTM, Kronos, Bitcoin Miner.)

Neutrino:
2017-01-14
--
Thanks to Trendmicro for the multiple inputs that allowed me to stay plugged into this infection chain.
--
So as explained previously, Neutrino is now in full private mode and fueled via malvertising bought from several ad agencies (e.g. ZeroPark, ClickAdu, PropellerAds, HillTopAds) by a traffer actor which I tag as NeutrAds. Their infection chain is now accepting/redirecting the Microsoft Edge browser as well.
Without big surprise a new exploit is included in the Flash bundle: nw27 > CVE-2016-7200/7201.

NeutrAds redirect is now  accepting Edge traffic - 2017-01-14

Neutrino Embedding CVE-2016-7200/7201 - 2017-01-14
(Neutrino-v Flash run through Maciej’s Neutrino decoder)


Extracted CVE-2016-7200/7201  elements - 2017-01-14


Note: I did not get an infection with
- Edge 25.10586.0.0 / EdgeHTML 13.10586
- Edge 20.10240.16384.0

Fiddler & Pcap: Neutrino-v_CVE-2016-72007201_170114.zip (Password is malware)
Extracted exploits: Neutrino_2017-01-14.zip (Password is malware)

reveiled[.space|45.32.113.97 - NeutrAds Filtering Redirector
vfwdgpx.amentionq[.win|149.56.115.166 - Neutrino

Payload in that pass : Gootkit - b5567655caabb75af68f6ea33c7a22dbc1a6006ca427da6be0066c093f592610
Associated C2 :
buyyou[.org | 204.44.118.228
felixesedit[.com
fastfuriedts[.org
monobrosexeld[.org


So these days, in Asia you'll most probably get Cerber and in EU/NA you'll most probably get Gootkit.
MISP: taxonomy illustrating some NeutrAds into Neutrino-v recorded activity (and post infection)
Kaixin:
2017-01-15 Finding by Simon Choi


CVE-2016-7200/7201 code fired by Kaixin - 2017-01-16
Fiddler: Kaixin_2017-01-16.zip (Password is malware)

Out of topic: payload in another pass (not fired by this exploit) was Blackmoon/Banbra 6c919213b5318cdb60d67a4b4ace709dfb7e544982c0e101c8526eff067c8332
Callback:
http://r.pengyou[.com/fcg-bin/cgi_get_portrait.fcg?uins=1145265195

http://67.198.186[.254/ca.php?m=525441744D5441744D6A63744E3055744D554D745130493D&h=437

Edits:
2016-11-10 - Adding information about mitigation on Edge
2016-11-14 - Adding Neutrino
2016-11-16 - Fixed the screenshot for Neutrino. Was stating CVE-2016-4117 was there. It's not
2016-11-16 - Adding Kaixin

Read More:
Three roads lead to Rome - Qihoo360 - 2016-11-29
Proof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201) - Theori-io - 2017-01-04

Thursday, January 5, 2017

Complete DHS Report for January 5, 2017

Daily Report

Top Stories

• A Bellevue, Washington-based developer was charged January 3 for allegedly orchestrating a scheme that defrauded hundreds of Asian investors who hoped to receive green cards through the Federal Government’s EB-5 program out of about $150 million. – Seattle Times See item 3 below in the Financial Services Sector

• New York officials reported that an equipment failure at the wastewater treatment plant in Amsterdam caused over 30,000 gallons of raw sewage to spill into the Mohawk River January 3. – WNYT 13 Albany

10. January 3, WNYT 13 Albany – (New York) 30,000 gallons of raw sewage spill into Mohawk River in Amsterdam. The New York State Department of Environmental Conservation reported that an equipment failure at the wastewater treatment plant in Amsterdam, New York, caused over 30,000 gallons of raw sewage to spill into the Mohawk River January 3.

• A Tennessee woman pleaded guilty January 3 after she stole more than $1.5 million from the U.S. Department of Agriculture’s Child and Adult Care Food Program. – Nashville Tennessean

16. January 3, Nashville Tennessean – (Tennessee) Tennessee woman pleads guilty to child food program fraud. A Tennessee woman pleaded guilty January 3 after she stole more than $1.5 million from the U.S. Department of Agriculture’s Child and Adult Care Food Program after she used her sponsor agency, All About Giving, Inc., to make monthly reimbursement requests to the Federal program that overstated the number of child care providers and meals served between March 2015 and July 2016 in order to obtain more funds. In order to conceal the scheme, the woman and co-conspirators created fake names and addresses of child care providers that did not exist, and wrote checks to providers who returned a portion to her in cash, among other fraudulent actions.

• A fire at JR’s Repair and Import Sales in Billings, Montana, caused an estimated $750,000 in damages January 3. – Billings Gazette

23. January 3, Billings Gazette – (Montana) Repair shop destroyed by fire, damage estimated at $750,000. A fire at JR’s Repair and Import Sales in Billings, Montana, caused an estimated $750,000 in damages January 3. No injuries were reported and the cause of the fire remains under investigation. Source: http://billingsgazette.com/news/local/repair-shop-destroyed-by-fire-damage-estimated-at/article_4a776546-1768-5818-9080-5dd4224ca7bb.html

Financial Services Sector

3. January 4, Seattle Times – (International) Seattle-area developer charged with fraud after collecting $150M from Asian investors. A Bellevue, Washington-based commercial developer was charged January 3 for allegedly orchestrating a scheme that defrauded hundreds of Asian investors who hoped to receive green cards through the Federal Government’s EB-5 program out of about $150 million, the Federal agency that approved the conditional green cards based on the developer’s false assurances, as well as American and Chinese companies that raised tens of millions of dollars for the job creation projects. The charges allege that the scheme threatened the permanent green card status of more than 200 foreign investors, as well as the financial institutions that approved the defendant for $85 million in loans. Source: http://www.seattletimes.com/business/real-estate/seattle-developer-charged-with-fraud-after-collecting-150m-from-asian-investors/

Information Technology Sector

18. January 4, SecurityWeek – (International) Pseudo-Darkleech remains prominent distributor of ransomware. Palo Alto Networks security researchers reported that the pseudo-Darkleech campaign is expected to remain a prominent ransomware distributor in 2017 after finding the campaign’s operators were able to quickly adapt to major exploit kit (EK) and ransomware landscape changes during 2016 to maintain the high level of attacks and to ensure the campaign remained relevant. The researchers found, however, that the pseudo-Darkleech campaign’s infection method remains the same, in that it directs a victim who visits a compromised Website with malicious script to an EK landing page designed to fingerprint the device to find vulnerable applications and exploit them.

19. January 4, SecurityWeek – (International) Google researcher finds certificate flaws in Kaspersky products. Kaspersky Lab resolved two flaws in its anti-malware products after a Google Project Zero security researcher found the products were plagued with a critical flaw related to how Kaspersky Antivirus inspects Secure Sockets Layer (SSL)/Transport Layer Security (TLS) connections that could allow an attacker to intercept all traffic to a certain domain by sending the targeted Kaspersky Antivirus user two certificates with the same key. The researcher also found a high severity flaw involving improper protection of the private key for the local certificate authority (CA) root which could allow any unprivileged user to become a CA. Source: http://www.securityweek.com/google-researcher-finds-certificate-flaws-kaspersky-products

20. January 4, SecurityWeek – (International) XSS flaws decline, DoS becomes more common: Imperva. Imperva analyzed Web application vulnerability trends in 2016, and found that the total number of vulnerabilities discovered since 2015 has increased, while the number of issues impacting Web applications has declined potentially due to a shift in research focus, and not due to Web applications being more secure than before. Imperva found that more than 25 percent of flaws observed were classified as high priority, and that the number of denial-of-service (DoS) bugs has significantly increased, but the amount of cross-site scripting (XSS) flaws has declined, among other findings. Source: http://www.securityweek.com/xss-flaws-decline-dos-becomes-more-common-imperva

Communications Sector

Nothing to report

Wednesday, January 4, 2017

Complete DHS Report for January 4, 2017

Daily Report

Top Stories

• More than 80,000 people in Louisiana and Mississippi lost power January 2 after severe storms moved across the southeastern U.S. – Associated Press

1. January 2, Associated Press – (National) Officials: Storms kill 4 in southern Alabama. More than 80,000 people in Louisiana and Mississippi lost power January 2 after severe storms moved across the southeastern U.S. The storms killed four people in Alabama and damaged structures in several States. Source: http://abcnews.go.com/US/wireStory/latest-storm-system-damages-wal-mart-louisiana-44517089

• The former senior vice president of a Maryland-based bank was indicted December 31 after she allegedly embezzled more than $1.8 million from 6 customers’ bank accounts from April 2010 – July 2016. – Perry Hall Patch See item 2 below in the Financial Services Sector

• The owner and operator of El Cajon, California-based Cunningham’s Tax Service pleaded guilty December 30 to preparing false individual income tax returns for her clients, causing the U.S. Internal Revenue Service more than $1.2 million in losses. – U.S. Department of Justice See item 3 below in the Financial Services Sector

• More than 450,000 gallons of sewer water spilled into waterways throughout Mobile County, Alabama, January 1 due to heavy rains. – WKRG 5 Mobile

11. January 2, WKRG 5 Mobile – (Alabama) Roughly half million gallons of sewage spills into Mobile waterways; more expected. More than 450,000 gallons of sewer water spilled into waterways throughout Mobile County, Alabama, January 1 due to heavy rains.

Financial Services Sector

2. December 31, Perry Hall Patch – (Maryland) Nottingham woman indicted on embezzlement, fraud charges. The former senior vice president of a Maryland-based bank was indicted December 31 after she allegedly embezzled more than $1.8 million from 6 customers’ bank accounts from April 2010 – July 2016 by making unauthorized transfers and withdrawals from the accounts in order to pay for personal expenses. The charges allege that the executive abused her position at the bank to override notifications of the suspicious transactions. Source: http://patch.com/maryland/perryhall/nottingham-woman-indicted-embezzlement-fraud-charges

3. December 30, U.S. Department of Justice – (California) California tax return preparer pleads guilty to preparing false tax returns. The owner and operator of El Cajon, California-based Cunningham’s Tax Service pleaded guilty December 30 to preparing false individual income tax returns for her clients for tax years 2008 – 2010 which included fraudulent medical and dental expenses, education credits, and false charitable deductions, causing the U.S. Internal Revenue Service more than $1.2 million in losses. Source: https://www.justice.gov/opa/pr/california-tax-return-preparer-pleads-guilty-preparing-false-tax-returns

Information Technology Sector

17. January 3, SecurityWeek – (International) Libpng patches flaw introduced in 1995. The developers of the Slackware Linux distribution released updates for the libpng official Portable Network Graphics (PNG) reference library resolving a null pointer dereference vulnerability impacting PNG image editors that could be exploited to cause a denial-of-service (DoS) condition.

Communications Sector

Nothing to report

Tuesday, January 3, 2017

Complete DHS Report for January 3, 2017

Daily Report

Top Stories

• A powerful snowstorm caused nearly 100,000 people across Maine to lose power December 30. – Portland Press Herald

1. December 30, Portland Press Herald – (Maine) Nearly 100,000 Mainers still without power after snowstorm dumps up to 27 inches in state. A powerful snowstorm caused nearly 100,000 people across Maine to lose power December 30. Central Maine Power Company officials reported it may take several days to restore power in some areas due to widespread damage and difficult travel conditions. Source: http://www.pressherald.com/2016/12/30/storm-dumps-nearly-2-feet-in-parts-of-maine-causes-widespread-power-outages/

• Honda Motor Co. issued a recall December 29 for 633,753 of its model years 2011 – 2016 Honda Odyssey vehicles sold in the U.S. due to faulty release levers on the second-row outboard seats that can stay unlocked. – TheCarConnection.com

3. December 29, TheCarConnection.com – (National) 2011-2016 Honda Odyssey minivans recalled: 641,000 vehicles affected. Honda Motor Co. issued a recall December 29 for 633,753 of its model years 2011 – 2016 Honda Odyssey vehicles sold in the U.S. due to faulty release levers on the second-row outboard seats that can stay in the unlocked position even after the seats are returned to the proper position, which can increase the risk of injury in the event of a collision or sudden stop. Honda Motor Co. also issued a recall December 29 for 7,549 of its 2016 Honda Odyssey vehicles sold in the U.S. because of an issue with the horizontal adjuster bar in the second-row center seat that may also remain in the unlocked position. Source: http://www.thecarconnection.com/news/1108052_2011-2016-honda-odyssey-minivans-recalled-641000-vehicles-affected

• General Cable Corporation agreed December 29 to pay $20 million to resolve Foreign Corrupt Practices Act violations after the company made improper payments to government officials in China, Angola, Indonesia, and other countries to illicitly win business worth more than $50 million in profits. – U.S. Department of Justice

4. December 29, U.S. Department of Justice – (International) General Cable Corporation agrees to pay $20 million penalty for foreign bribery schemes in Asia and Africa. General Cable Corporation agreed December 29 to pay $20 million to resolve Foreign Corrupt Practices Act violations after the company made improper payments to government officials in China, Angola, and Indonesia, among other countries in order to illicitly win business, which resulted in more than $50 million in profits. In a related settlement, the U.S. Securities and Exchange Commission (SEC) filed a cease and desist order against the company, and General Cable agreed to pay the SEC about $55 million.

• The U.S. Department of Homeland Security and FBI published a Joint Analysis Report (JAR) December 29 detailing the tools Russian hackers used to attack the U.S. presidential election after two actors, Advanced Persistent Threat (APT) 29 and APT 28, participated in cyberattacks against a U.S. political party in 2015 and 2016. – SecurityWeek

15. December 30, SecurityWeek – (International) U.S. attributes election hacks to Russian threat groups. The U.S. Department of Homeland Security and FBI published a Joint Analysis Report (JAR) December 29 detailing the tools that Russian hackers used in attacks against the U.S. presidential election after two different actors, Advanced Persistent Threat (APT) 29 and APT 28, participated in cyberattacks against a U.S. political party in 2015 and 2016. The U.S. President announced several retaliatory actions against Russia in response to the election hacks, which include denying access to two Russian compounds inside the U.S., expelling 35 diplomats, and implementing sanctions on two intelligence agencies.

Financial Services Sector

6. December 29, WSOC 9 Charlotte – (North Carolina) Feds arrest two in complex Charlotte credit-card fraud scheme. Two individuals were charged the week of December 19 for allegedly using their accounts at a Rock Hill, North Carolina-based business known as P.A. to obtain the Social Security numbers and other personal information of Charlotte area residents by using skiptracing services provided by another company, TransUnion Risk and Alternative Data Solutions, Inc., to run queries on 10,000 victims and acquire at least 80 fraudulent credit cards in their names. The charges allege that one of the suspects stole the credit cards that they fraudulently applied for out of residents’ mailboxes. Source: http://www.wsoctv.com/news/local/feds-arrest-two-in-complex-charlotte-credit-card-fraud-scheme/479451022

Information Technology Sector

18. December 30, SecurityWeek – (International) Sundown exploit kit starts using steganography. Trend Micro security researchers reported that a new version of the Sundown exploit kit (EK) leverages steganography to hide its malicious traffic in legitimate-seeming Portable Network Graphics (PNG) image files to disguise various exploits, including those targeting Microsoft’s Internet Explorer and Adobe’s Flash Player.

For another story, see item 20 below from the Commercial Facilities Sector

20. December 29, SecurityWeek – (International) Topps customer data exposed after Website hack. The Topps Company, Inc. notified its customers the week of December 26 that one or more attackers hacked its Website and accessed sensitive information including names, addresses, payment card data, and phone numbers of those customers who placed an order via the company’s Website between July and October 2016.

Communications Sector

See item 4 above in Top Stories