Tuesday, December 6, 2016



Complete DHS Report for December 6, 2016

Daily Report                                            

Top Stories

• Ford Motor Company issued a recall December 5 for 602,739 of its model years 2013 –2017 Ford Fusion vehicles and 2013 –2015 Lincoln MKZ vehicles sold in the U.S. – TheCarConnection.com

6. December 5, TheCarConnection.com – (International) Ford recalls 2013-17 Ford Fusion, 2013-15 Lincoln MKZ for seatbelt, seat back problems. Ford Motor Company issued a recall December 5 for 602,739 of its model years 2013 –2017 Ford Fusion vehicles and model years 2013 –2015 Lincoln MKZ vehicles sold in the U.S. due to an issue with the seatbelt anchor pretensioners where heat generated during deployment can cause the pretensioner cables to separate, thereby causing the seatbelt to improperly restrain the occupant and increasing the risk of injury. The recall also affects 35,614 vehicles in Canada, 8,665 in Mexico, and 653 elsewhere. Source: http://www.thecarconnection.com/news/1107607_ford-recalls-2013-17-ford-fusion-2013-15-lincoln-mkz-for-seatbelt-seat-back-problems

• A Germantown, Maryland resident pleaded guilty December 1 to embezzling at least $1.02 million from her employer, a Chevy Chase-based financial institution, between December 2007 and June 2014. – Bethesda Magazine See item 7 below in the Financial Services Sector

• A Houston couple pleaded guilty December 2 to stealing the identities of 50,000 victims and using the identities to apply for and obtain 230 debit cards and earn $250,000 in fraudulent Federal tax returns. – Houston Chronicle See item 8 below in the Financial Services Sector

• The founder and chief executive officer of Virginia-based VitalSpring Technologies, Inc. pleaded guilty December 2 to a $30 million investment fraud scheme affecting 160 VitalSpring shareholders. – U.S. Department of Justice 

24. December 2, U.S. Department of Justice – (Delaware; Virginia) CEO of Virginia health care technology company pleads guilty to $30 million shareholder fraud and $7.5 million employment tax fraud. The founder and chief executive officer of Virginia-based VitalSpring Technologies, Inc. pleaded guilty December 2 to a $30 million investment fraud scheme where the former executive provided materially fraudulent and misleading information to 160 VitalSpring shareholders to induce investments in the company. The founder concealed that VitalSpring failed to account for and pay over $7.5 million in employment taxes to the U.S. Internal Revenue Service, and falsely claimed that the sale of the company was imminent, which would have resulted in substantial profits for the shareholders, among other misrepresentations. Source: https://www.justice.gov/opa/pr/ceo-virginia-health-care-technology-company-pleads-guilty-30-million-shareholder-fraud-and-75

Financial Services Sector

7. December 2, Bethesda Magazine – (Maryland) Woman pleads guilty to defrauding Chevy Chase financial company of more than $1 million. A Germantown, Maryland resident pleaded guilty December 1 to embezzling at least $1.02 million from her employer, a Chevy Chase-based financial institution, between December 2007 and June 2014. The charges allege that the defendant sent banks fictitious invoices where she forged the signature of another employee of her financial firm, and deposited over 60 checks issued by various banks including U.S. Bank, Bank of America, and JPMorgan Chase & Co. into her personal financial accounts. Source: http://www.bethesdamagazine.com/Bethesda-Beat/Web-2016/Woman-Pleads-Guilty-To-Defrauding-Chevy-Chase-Financial-Company-of-More-than-1-Million/

8. December 2, Houston Chronicle – (International) Couple pleads guilty to stealing 50K identities in tax fraud scam. A Houston couple pleaded guilty December 2 to stealing the identities of 50,000 victims and using the identities to apply for and obtain 230 debit cards from January 2014 – May 2015. The duo used the stolen identities to earn $250,000 in fraudulent Federal tax returns, while attempting to obtain a total of $1.9 million in tax refunds. Source: http://www.chron.com/news/houston-texas/article/Houston-couple-pleads-guilty-10688348.php

Information Technology Sector

31. December 2, SecurityWeek – (International) Eight vulnerabilities found in Moxa NPort devices. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported that Moxa’s NPort serial device servers are plagued by eight vulnerabilities after security researchers discovered three critical flaws that can be exploited to retrieve an administrator password without authentication, update the device’s firmware without authentication, and use brute force to bypass authentication, as well as high security flaws that can be exploited to cause a denial-of-service (DoS) condition and remotely execute arbitrary code, among other flaws. Moxa released firmware updates for most of the affected servers and advised its customers to install the updates.
Source: http://www.securityweek.com/eight-vulnerabilities-found-moxa-nport-devices

For another story, see item 23 below from the Healthcare and Public Health Sector

23. December 5, Softpedia – (International) Hackers can compromise smart defibrillators and kill the host, researchers warn. A team of security researchers discovered that a malicious actor can compromise and intercept the wireless communication system between Implantable Medical Devices (IMDs) and their monitors to launch reverse engineering and distributed denial-of-service (DDoS) attacks to compromise the devices’ security systems and take control of the devices’ functions. Researchers stated that a standby mode after the communication between the monitors and implanted devices ends is the most effective way to avoid the hack.
Source: http://news.softpedia.com/news/hackers-can-compromise-smart-defibrillators-and-kill-the-host-researchers-warn-510732.shtml

Communications Sector

Nothing to report

Monday, December 5, 2016



Complete DHS Report for December 5, 2016

Daily Report                                            

Top Stories

• Five co-conspirators were charged December 1 for their roles in a $33 million mortgage fraud conspiracy after their company, Terra Foundation filed nearly 60 fraudulent mortgage discharges in New York and Connecticut. – Lower Hudson Valley Journal News See item 6 below in the Financial Services Sector

• Officials announced December 1 that American Civil Contractors agreed to pay a $207,000 settlement after a March 2016 chemical spill that killed over 5,600 fish in northern Colorado’s Big Thompson River. – Associated Press

13. December 2, Associated Press – (Colorado) Company to pay $207,000 after spill killed thousands of fish in Big Thompson River. Colorado Parks and Wildlife officials announced December 1 that American Civil Contractors agreed to pay a $207,000 settlement after a March 2016 chemical spill that killed over 5,600 rainbow trout, brown trout, suckers, and dace fish in northern Colorado’s Big Thompson River during reconstruction of U.S. Route 34 in the Big Thompson Canyon near Loveland. Source: http://www.denverpost.com/2016/12/01/company-pay-spill-killed-big-thompson-fish/

• Researchers reported that tens of millions of users of Android’s AirDroid are vulnerable to man-in-the-middle (MitM) attacks that could compromise their devices through fraudulent updates and result in data theft. – Help Net Security See item 26 below in the Information Technology Sector

• Authorities in New York City raided 2 Brooklyn warehouses December 1 and seized more than $7 million worth of counterfeit Apple and Samsung products, $71,000 in cash, and arrested 3 suspects. – WNBC 4 New York

28. December 2, WNBC 4 New York – (New York) NYPD raids Brooklyn warehouses, seize more than $7 million in bogus Apple, Samsung smartphones. Authorities in New York City raided 2 Brooklyn warehouses December 1 and seized more than $7 million worth of counterfeit Apple and Samsung products, $71,000 in cash, and arrested 3 suspects who allegedly sold counterfeit phones to unsuspecting customers through business locations across the city. The months-long investigation began when suspicious packages began coming through John F. Kennedy International Airport around May 2016. Source: http://www.nbcnewyork.com/news/local/NYPD-Raids-Brooklyn-Warehouses-Seize-10-Million-Apple-Samsung-Products-404162246.html

Financial Services Sector

6. December 1, Lower Hudson Valley Journal News – (New York; Connecticut) 5 facing federal charge for $33M mortgage fraud. Five co-conspirators were charged December 1 for their roles in a $33 million mortgage fraud conspiracy after their company, Terra Foundation filed nearly 60 fraudulent mortgage discharges in Westchester and Putnam counties in New York and in Connecticut that made it appear as though Terra’s clients’ mortgages were paid off. In order to make a profit, Terra charged monthly fees for services including audits that were never performed, and convinced clients to take out a second or reverse mortgage and retained large portions of the proceeds.

Information Technology Sector

26. December 2, Help Net Security – (International) AirDroid app opens millions of Android users to device compromise. Zimperium security researchers reported that tens of millions of users of Android’s remote management tool, AirDroid are vulnerable to man-in-the-middle (MitM) attacks that could compromise their devices through fraudulent updates and result in data theft. If a user is on the same unsecured network as a malicious actor, the attacker could perform a MitM network attack to access the device authentication information, decrypt any Hypertext Transfer Protocol (HTTP) request the application performs, and redirect and modify the HTTP traffic sent and received by the device when it checks for updates, and then plant a malicious update for the app to use.

27. December 1, SecurityWeek – (International) Bug allows activation lock bypass on iPhone, iPad. Security researchers discovered two variations of a flaw that can be exploited to bypass Apple’s Activation Lock feature and access the homescreen of locked iPhones and iPads running Apple’s mobile operating system (iOS) 10.1 and iOS 10.1.1. Once a locked device is started, users are required to connect to a WiFi network and attackers can enter long strings into the username and password fields to trigger a crash that display’s the device’s homescreen. Source: http://www.securityweek.com/bug-allows-activation-lock-bypass-iphone-ipad

Communications Sector

Nothing to report