Thursday, May 14, 2015




Complete DHS Report for May 14, 2015

Daily Report

Top Stories

 · The Michigan Department of Environmental Quality announced May 13 that Enbridge Energy will pay $75 million in penalties, and for the cleanup and restoration of areas affected by an 800,000 gallon oil spill in Talmadge Creek and the Kalamazoo River in 2010. – Reuters

1. May 13, Reuters – (Michigan) Enbridge to pay $75mln to settle 2010 oil spill-Michigan officials. The Michigan Department of Environmental Quality announced May 13 that Enbridge Energy will pay $75 million in a settlement that includes the cleanup and restoration of areas affected by a 2010 pipeline spill that dumped 800,000 gallons of oil into Talmadge Creek and the Kalamazoo River. Source: http://www.reuters.com/article/2015/05/13/enbridge-inc-michigan-oilspill-idUSL1N0Y40O820150513

 · The cybersecurity services and training provider root9B discovered that the cyberespionage group APT28 has planned attacks on financial institutions in the U.S. and worldwide. – Securityweek See item 4 below in the Financial Services Sector

 · At least 7 people were killed and over 200 others were injured when an Amtrak Northeast Regional train headed to New York from Washington, D.C., derailed and rolled onto its side May 13. – WCAU 10 Philadelphia

6. May 13, WCAU 10 Philadelphia – (Pennsylvania) At least 7 dead, over 200 hurt after Amtrak train derails, rolls on side in Philadelphia. At least 7 people were killed and over 200 people were injured when 7 cars of an Amtrak Northeast Regional train headed to New York from Washington, D.C., derailed and rolled onto its side in the Port Richmond section of Philadelphia May 13. Service on Amtrak’s Northeast Corridor between New York and Philadelphia was suspended in addition to service on the Southeastern Pennsylvania Transportation Authority’s Trenton Regional Rail line until further notice while authorities investigate the accident. Source: http://www.nbcphiladelphia.com/news/local/Amtrak-Derailment-Philadelphia--303536331.html

 · The U.S. Federal Communications Commission and multiple State officials announced May 12 that Sprint and Verizon Wireless will pay $158 million in penalties and refunds to consumers nationwide in a mobile cramming settlement. – Baltimore Sun See item 21 below in the Communications Sector

Financial Services Sector

4. May 13, Securityweek – (International) Russian cyber espionage group planning to hit banks: Report. The cybersecurity services and training provider root9B discovered that the cyberespionage group APT28, also known as Pawn Storm, Sednit, Fancy Bear, Tsar Team, and Sofacy, has planned attacks on financial institutions worldwide including Bank of America, The United Nations Children’s Fund, and others. The group was previously linked to Russia by cybersecurity experts. Source: http://www.securityweek.com/russian-cyber-espionage-group-planning-hit-banks-report

5. May 12, Reuters – (International) Nomura, RBS face $805 million damages after U.S. ruling -lawyer. A U.S. District Judge ruled May 11 that Nomura Holdings Inc., and the Royal Bank of Scotland Group Plc., were liable for making false statements in the sale of mortgage-backed securities to Fannie Mae and Freddie Mac. Officials estimated that the damages owed to the Federal Housing Finance Agency could exceed $805 million, while the exact amount is yet to be determined. Source: http://www.reuters.com/article/2015/05/12/fhfa-nomura-hldgs-damages-idUSL1N0Y323420150512

Information Technology Sector

16. May 13, Softpedia – (International) Flash Player 17.0.0.188 addresses security holes. Adobe released updates for Flash Player that fixed 18 vulnerabilities, including 10 memory corruption, heap overflow, integer overflow, type confusion, and use-after-free bugs that could allow an attacker to run arbitrary code on an affected system. Source: http://news.softpedia.com/news/Flash-Player-17-0-0-188-Addresses-18-Security-Holes-481046.shtml

17. May 13, Softpedia – (International) Mozilla Firefox 38 fixes 13 vulnerabilities, 5 are critical. Mozilla released fixes for 13 vulnerabilities in Firefox version 38, including 5 critical flaws that could be leveraged to execute arbitrary code or read parts of the memory containing sensitive data. The update also added support for Digital Rights Management (DRM), among other improvements. Source: http://news.softpedia.com/news/Mozilla-Firefox-38-Fixes-13-Vulnerabilities-5-Are-Critical-481034.shtml

18. May 13, Softpedia – (International) Adobe rolls out critical update for Reader and Acrobat. Adobe released new versions for Acrobat and Reader PDF software patching 34 vulnerabilities, 17 of which include use-after-free, heap-based buffer overflow, and buffer overflow to memory corruption bugs that could have allowed an attacker to execute arbitrary code and take control of an affected system. Source: http://news.softpedia.com/news/Adobe-Rolls-Out-Critical-Update-for-Reader-and-Acrobat-481014.shtml

19. May 13, IDG News Service – (International) Microsoft fixes 46 flaws in Windows, IE, Office, other products. Microsoft released patches addressing 46 vulnerabilities across various products, including 3 critical security bulletins that covered remote code execution flaws in Windows, Internet Explorer, Office, Microsoft .NET Framework, Lync, and Silverlight. Source: http://www.networkworld.com/article/2922093/microsoft-fixes-46-flaws-in-windows-ie-office-other-products.html#tk.rss_all

20. May 13, Threatpost – (International) “VENOM” flaw in virtualization software could lead to VM escapes, data theft. Security researchers from CrowdStrike discovered a vulnerability in virtualization platforms in which an attacker could exploit a flaw in the virtual floppy disk controller component of the QEMU open-source visualization package to escape from a guest virtual machine (VM) to gain code execution on the host in addition to any other VMs running on the affected system. The bug has been dubbed VENOM and affects a variety of virtualization software running on all major operating systems (OS’). Source: https://threatpost.com/venom-flaw-in-virtualization-software-could-lead-to-vm-escapes-data-theft/112772

Communications Sector

21. May 12, Baltimore Sun – (National) Sprint and Verizon Wireless to pay $158 million in mobile ‘cramming’ settlement. The U.S. Federal Communications Commission along with officials in several States announced May 12 that Sprint and Verizon Wireless will pay $158 million in penalties and refunds to consumers nationwide under a settlement holding the 2 mobile carriers accountable of unauthorized charges for third-party services, also known as mobile cramming. Source: http://www.baltimoresun.com/business/consuming-interests-blog/bs-bz-sprint-verizon-cramming-settlement-20150512-story.html