Wednesday, February 11, 2015



Complete DHS Report for  February 11, 2015

Daily Report

Top Stories

 · More than 1,800 flights within, into, or out of the United States were cancelled February 9 due to a massive snow storm that swept across the Northeast region of the country. – USA Today

10. February 9, USA Today – (National) Airlines cancel flights as another snowstorm hits northeast. More than 1,800 flights within, into, or out of the United States were canceled February 9 due to a massive snow storm that swept across the Northeast region of the country. Airports in the New York City area reported significant delays for inbound flights, including average delays of almost 7 hours for flights headed to LaGuardia Airport. Source: http://www.usatoday.com/story/todayinthesky/2015/02/09/northeast-snow-flight-cancellations/23111291/

 · A semi-truck that overturned on U.S. 40 in Daniels Canyon in Utah February 6 spilled 12,000 gallons of crude oil and ignited a large blaze that prompted the closure of the highway in both directions for nearly 12 hours. – KSL 5 Salt Lake City

11. February 7, KSL 5 Salt Lake City – (Utah) Daniels Canyon opens after oil tanker crash, fire. A semi-truck that overturned on U.S. 40 in Daniels Canyon February 6 spilled 12,000 gallons of crude oil and ignited a large blaze that prompted the closure of the highway in both directions for nearly 12 hours. One lane of the highway was scheduled to remain open February 7-8 while crews responded to road damage and environmental cleanup, and a second lane in the opposite direction reopened ahead of schedule February 7. Source: http://www.ksl.com/?nid=148&sid=33385876

 · California health officials reported that 107 cases of measles were confirmed in the State February 9, with 39 cases linked to a December 2014 outbreak that began in Disneyland. –Reuters

21. February 9, Reuters – (International) California confirms 107 cases of measles, 39 from Disneyland outbreak. California health officials reported that 107 cases of measles were confirmed in the State February 9 and 39 of them linked to a December 2014 outbreak that began in Disneyland. More than 3 dozen additional cases of the disease have been reported in 19 other States and in Mexico. Source: http://www.msn.com/en-us/news/us/california-confirms-107-cases-of-measles-39-from-disneyland-outbreak/ar-AA9bOHN

 · A researcher released 10 million username/password combinations that he collected over the years on the Web in an effort to advance research and make authentication more secure. – Securityweek

29. February 10, Securityweek – (International) Researcher publishes 10 million usernames and passwords. A researcher released 10 million username/password combinations that he collected over the years in an attempt to advance research and make authentication more secure. The researcher asserted that most combinations were dated and had been scrubbed of all identifying and compromising information. Source: http://www.securityweek.com/researcher-publishes-10-million-usernames-and-passwords

Financial Services Sector

4. February 9, Bergen County Record – (National) Waldwick police seize 125 credit cards from Walgreens customers. Three individuals were arrested by police at a Waldwick Walgreens February 7 when they were caught with more than 125 stolen credit cards allegedly taken from all over the U.S. The suspects were caught while they were purchasing a gift card and police found additional gift cards on them while they were arrested. Source: http://www.northjersey.com/news/waldwick-police-seize-125-credit-cards-from-walgreens-customers-1.1267484

5. February 9, Reuters – (New York) New York plans cybersecurity reviews of insurers after breach. New York’s Financial Services Department announced plans February 9 to increase State insurers preparedness through regular cyber-security reviews and enhanced regulations in the wake of February’s Anthem Inc., breach that affected up to 80 million customers. Source: http://www.reuters.com/article/2015/02/09/us-anthem-cybersecurity-new-york-idUSKBN0LD1R620150209

Information Technology Sector

28. February 10, Softpedia – (International) About 40,000 MongoDB databases found open online. Three Saarland University cyber-security students reported security vulnerabilities in MongoDB’s database configuration, including servers with no access control mechanisms that could potentially allow access outside the backend and expose the information of millions of customer to unauthorized parties. An initial scan found nearly 40,000 databases that were open, prompting the researchers to submit their findings to MongoDB maintainers for integration into revised security instructions for users. Source: http://news.softpedia.com/news/About-40-000-MongoDB-Databases-Found-Open-Online-472747.shtml

29. February 10, Securityweek – (International) Researcher publishes 10 million usernames and passwords. A researcher released 10 million username/password combinations that he collected over the years in an attempt to advance research and make authentication more secure. The researcher asserted that most combinations were dated and had been scrubbed of all identifying and compromising information. Source: http://www.securityweek.com/researcher-publishes-10-million-usernames-and-passwords

30. February 9, Securityweek – (International) Box Sync for Mac exposed sensitive information: Researcher. Box Sync for Mac released version 4.0.6035 to fix a security issue discovered in January that exposed Python files containing sensitive data such as application program interface (API) keys, internal user IDs, passwords, and URLs. Box Sync representatives asserted that customer data was never at risk. Source: http://www.securityweek.com/box-sync-mac-exposed-sensitive-information-researcher

31. February 9, Securityweek – (International) LG fixes authentication bypass vulnerability in on-screen phone app. LG released On-Screen Phone application update 4.3.010 to fix a vulnerability discovered by Search-Lab researchers in September 2014 that allowed attackers to possibly bypass authentication and take control of users’ smartphones without their knowledge through a connection between the mobile device and the computer conducted via USB cable, Wi-Fi, or Bluetooth. Source: http://www.securityweek.com/lg-fixes-authentication-bypass-vulnerability-screen-phone-app

For another story, see item 1 below from the Energy Sector
 
1. February 9, Securityweek – (National) API vulnerability exposed accounts of Delmarva Power customers. Delmarva Power, a subsidiary of Pepco Holdings, issued a patch in January addressing a vulnerability in its Android app after a researcher discovered the application programming interface (API) is plagued by Insecure Direct Object Reference (IDOR), which could have allowed an attacker to hijack customer’s online accounts by resetting user’s passwords and gaining control over their accounts. Source: http://www.securityweek.com/api-vulnerability-exposed-accounts-delmarva-power-customers

Communications Sector

Nothing to report