Thursday, October 22, 2015



Complete DHS Report for October 22, 2015

Daily Report                                            

Top Stories

 • Crews plugged an Oasis Petroleum North America LLC-owned well in North Dakota October 20 and recovered about 483,000 gallons of spilled crude oil and saltwater from the well site. – Associated Press  

1. October 21, Associated Press – (North Dakota) Workers cap out-of-control North Dakota oil well. Crews plugged an Oasis Petroleum North America LLC-owned well near White Earth in North Dakota October 20 and recovered about 483,000 gallons of crude oil and saltwater from the well site that began leaking the weekend of October 17. The cause of the spill is under investigation but regulators believe that the breach may have been caused by hydraulic fracturing operations at a nearby well that was being drilled. Source: http://www.wahpetondailynews.com/workers-cap-out-of-control-north-dakota-oil-well/article_88ab25f2-7769-11e5-856e-cfe75a28bc44.html

 • Five former employees were charged in Tennessee October 20 for their alleged involvement in a scheme that defrauded FedEx of more than $1.7 million. – U.S. Attorney’s Office, Western District of Tennessee

7. October 20, U.S. Attorney’s Office, Western District of Tennessee – (National) Former FedEx hub employees indicted in million-dollar shipping theft scheme. Five former FedEx employees were charged in Memphis October 20 for their alleged involvement in a scheme that defrauded FedEx of more than $1.7 million from 2013 – 2014 through interstate shipping of stolen wireless mobile devices from Verizon and AT&T. Source: https://www.fbi.gov/memphis/press-releases/2015/former-fedex-hub-employees-indicted-in-million-dollar-shipping-theft-scheme

 • Fire officials reported October 18 that the Sun-Re Cheese Co. in Pennsylvania halted production indefinitely after an accidental fire caused at least $3 million in damages. – Sunbury Daily Times

12. October 20, Sunbury Daily Item – (Pennsylvania) Factory fire damage estimated at $3 million. Fire officials reported October 18 that the Sun-Re Cheese Co. halted production indefinitely at its Sunbury facility after a 36-inch exhaust fan prompted an accidental fire, causing at least $3 million in damages. No injuries were reported. Source: http://www.dailyitem.com/news/factory-fire-damage-estimated-at-million/article_ddaeb2a0-7762-11e5-829e-d308e129bb06.html

 • An October 20 liquid bleach spill at a YMCA in Santee, California, caused 81 students and adults to be transported to area hospitals for treatment following complaints of a chemical smell and burning sensation in their eyes. – San Diego Union-Tribune

18. October 20, San Diego Union-Tribune – (California) Liquid bleach spill near Santee school. An October 20 liquid bleach spill at the Cameron Family YMCA in Santee, California, caused 81 students and adults to be transported to area hospitals for treatment following complaints of a chemical smell and burning sensation in their eyes. A HAZMAT crew investigated and cleared the scene once they determined that there was no public health risk. Source: http://www.sandiegouniontribune.com/news/2015/oct/20/possible-chemical-spill-at-santee-school/

Financial Services Sector

Nothing to report

Information Technology Sector

21. October 21, Securityweek – (International) Flaws in Apple productivity apps expose users to attacks. Apple recently released updates addressing input validation vulnerabilities related to how malicious documents are parsed in Keynote, Pages, Numbers, and iWork for iOS 2.6, which could have allowed an Extensible Markup Language (XML) External Entity (XXE) attack potentially leading to disclosure of data, denial-of-service (DoS), or other impacts, as well as memory corruption issues that could lead to unexpected termination of applications or arbitrary code execution. Source: http://www.securityweek.com/flaws-apple-productivity-apps-expose-users-attacks

22. October 21, Threatpost – (International) Oracle quarterly security update patches 154 vulnerabilities. Oracle released a quarterly patch addressing 154 security issues in 54 products, including 24 vulnerabilities in Java SE, 16 remotely exploitable bugs in Fusion Middleware, and 7 in Oracle Database, among others. Eighty-four of the patches address vulnerabilities that may be remotely exploitable without authentication. Source: https://threatpost.com/oracle-quarterly-security-update-patches-154-vulnerabilities/115120/

23. October 21, The Register – (International) ‘10-second’ hack jogs Fitbits into malware-spreading mode. Security researchers from Fortinet discovered a vulnerability in Fitbit devices in which attackers within close proximity could use Bluetooth to deliver fully persistent malware within 10 seconds, which could then infect a computer once the device is synchronized. Source: http://www.theregister.co.uk/2015/10/21/fitbit_hack/

24. October 21, Softpedia – (International) Western Digital My Passport hard drives come with a slew of security holes. Security researchers published findings on the International Association for Cryptologic Research Web site revealing that attackers could use brute force attacks to bypass built-in encryption and password-based authentication in Western Digital My Passport hard drives, and that attackers could use all Western Digital devices’ firmware update mechanisms to install malicious code via “evil maid” and “badUSB” attacks. Source: http://news.softpedia.com/news/western-digital-my-passport-hard-drives-come-with-a-slew-of-security-holes-494990.shtml

25. October 21, Softpedia – (International) Firefox FindMyDevice service lets hackers wipe or lock phones, change PINs. Researchers discovered a flaw in Mozilla’s “Find My Device” service for devices running the Firefox operating system (OS) in which a hacker could remotely lock device screens, make devices ring, and wipe all device data via clickjacking-enabled cross-site request forgery (CSRF) attacks. The attack requires the user to be logged in to the service with their Firefox account. Source: http://news.softpedia.com/news/firefox-findmydevice-service-lets-hackers-wipe-or-lock-phones-change-pins-495003.shtml

Communications Sector

26. October 20, U.S. Federal Communications Commission – (Alaska) FCC fines Alaskan company over $600,000 for cell tower. General Communications Inc., the parent company of The Alaska Wireless Network, agreed to pay $620,500 in a settlement reached with the U.S. Federal Communications Commission (FCC) October 20 resolving allegations that the company failed to register 118 cellular communication facilities through the FCC’s Antenna Structure Registration system and failed to properly light 3 facilities to comply with flight safety rules. Source: https://www.fcc.gov/document/fcc-fines-gci-over-600000-cell-tower-violations-0?contrast

For additional stories, see items 21 and 25 above in the Information Technology Sector