Wednesday, December 2, 2015



Complete DHS Report for December 2, 2015

Daily Report

Top Stories

• The former New York State Assembly speaker was charged November 30 with 7 counts of honest services fraud, extortion, and money laundering after gaining $4 million in kickbacks. – New York Times. See item 9 below in the Financial Services Sector.

• Plano, Texas officials reported November 30 that heavy rainfall and overflows in aged pipes caused more than 300,000 gallons of water to leak from 8 sewage spills over the weekend of November 28. – Dallas Morning News

14. November 30, Dallas Morning News – (Texas) Several sewage spills over weekend did not harm Plano’s public water supply, city says. Plano officials reported November 30 that more than 300,000 gallons of water leaked from 8 sewage spills over the weekend of November 28, prompted by heavy rainfall and overflows in aged underground pipes. Authorities reported that the pipes would be repaired and that there was no threat to public drinking water. Source: http://planoblog.dallasnews.com/2015/11/several-sewage-spills-over-weekend-did-not-harm-planos-public-water-supply-city-says.html/

• An audit of the Louisiana State University (LSU) Health Care Services Division revealed November 30 that nearly $6 million in state-owned hospital equipment could not be located and over $15 million in equipment for the LSU Medical Center was not properly recorded. – Associated Press

16. November 30, Associated Press – (Louisiana) $6 million in equipment missing from state hospitals, audit says. An audit of the Louisiana State University (LSU) Health Care Services Division conducted by the State’s legislative auditor was released November 30 and found that nearly $6 million in state-owned hospital equipment could not be located and that over $15 million in equipment bought for the LSU Medical Center in New Orleans was not properly recorded and tagged before it was turned over to the hospital operator. LSU stated that it is working to locate and properly tag all medical equipment purchased.

• Schneider Electric released updates for its ProClima product addressing a remote code execution (RCE) flaw that can enable a remote attacker to execute unauthorized code via ActiveX controls connected to Internet Explorer. – Securityweek. See item 23 below in the Information Technology Sector.

Financial Services Sector

7. December 1, InsideNoVa.com – (Virginia) Fairfax police arrest 4 in credit-card scheme. Fairfax County Police arrested 2 men November 23 for allegedly buying 21 iPhone 6S Plus smartphones worth more than $19,000 with fraudulent credit cards at the Apple store in Tysons Corner Center shopping mall in Virginia. An investigation of the suspects’ vehicle led to the discovery of 241 fraudulent credit cards as well as the arrest of two more suspects involved in the scheme. Source: http://www.insidenova.com/news/crime_police/fairfax/fairfax-police-arrest-in-credit-card-scheme/article_07d5317e-9795-11e5-bc22-3b35b28f28ec.html

8. November 30, U.S. Securities and Exchange Commission – (International) Standard Bank to pay $4.2 million to settle SEC charges. Officials from the U.S. Securities and Exchange Commission (SEC) reported November 30 that London-based Standard Bank Plc was charged with violating the Foreign Corrupt Practices Act by failing to disclose a payment of $6 million made by the Bank affiliate to a firm with no substantial role in a $600 million debt transaction with the Government of Tanzania in 2013. The Bank agreed to pay the SEC $4.2 million in settlements and is also facing action on the part of the United Kingdom’s Serious Fraud Office. Source: http://www.sec.gov/news/pressrelease/2015-268.html

9. November 30, New York Times – (New York) Ex-New York Assembly speaker is found guilty on all counts. The former speaker of the New York State Assembly was found guilty in New York City November 30 on 7 counts of honest services fraud, extortion, and money laundering for his role in a scheme in which he gained $4 million in kickbacks from a cancer research center and 2 real estate firms that he subsequently hid in the Weitz & Luxenberg firm. Source: http://www.nytimes.com/2015/12/01/nyregion/sheldon-silver-guilty-corruption-trial.html

10. November 30, WWLP 22 Springfield – (Massachusetts) Florida man charged with wire fraud in western Mass. A Florida man was charged November 30 for his role in an investment scheme from 2008 to 2012 in which he falsely promised 23 investors inflated returns on $600,000 worth of investments, some of which he used for personal gain. The suspect also wrote 40 bad checks worth nearly $1.8 million when investors asked for their money back. Source: http://wwlp.com/2015/11/30/florida-man-charged-with-wire-fraud-in-western-mass/

Information Technology Sector

22. December 1, Securityweek – (International) Unpatched flaws allow hackers to compromise Belkin routers. A researcher discovered multiple vulnerabilities affecting Belkin’s N150 wireless home routers, including an HTML/script injection that affects the “language” parameter and causes the device’s web interface to become inoperable; a session hijacking vulnerability that allows an attacker to easily obtain data through a brute force attack due to the fixed state of the session ID as a hexadecimal string; and a remote control access flaw that allows an attacker to gain root privileges, among other vulnerabilities. Source: http://www.securityweek.com/unpatched-flaws-allow-hackers-compromise-belkin-routers

23. December 1, Securityweek – (International) Schneider patches RCE flaws in ProClima software. Schneider Electric released security updates for its ProClima product addressing a series of vulnerabilities, including a remote code execution (RCE) flaw that can enable a remote attacker to execute unauthorized code via ActiveX controls connected to the Internet Explorer web browser. The products were distributed to the U.S. and Europe and affect sectors such as energy, critical manufacturing, and commercial facilities. Source: http://www.securityweek.com/schneider-patches-rce-flaws-proclima-software

24. December 1, Securityweek – (International) Videofied Alarm System flaws allow hackers to intercept data. Researchers from U.K.-based Cybergibbons identified high severity vulnerabilities in RSI Video Technologies’ Videofied alarm systems, including the CVE-2015-8252 and CVE-2015-8253 flaws, which allow remote attackers to obtain the device’s authentication key from its serial number transmitted in plain text and enable hackers to spoof alarms and intercept data, including messages and videos in the form of plain text and MJPEG files. The vulnerabilities affect devices sold in over 70 countries. Source: http://www.securityweek.com/videofied-alarm-system-flaws-allow-hackers-intercept-data

25. November 30, Securityweek – (International) OpenSSL to patch several vulnerabilities. The OpenSSL Project announced November 30 that it will be releasing scheduled updates December 3 addressing several OpenSSL vulnerabilities ranging from low to high severity, including flaws that can be exploited remotely to compromise a server private key, vulnerabilities that disclose contents of server memory, and flaws where remote code execution is possible in common situations. Source: http://www.securityweek.com/openssl-patch-several-vulnerabilities

Communications Sector

26. December 1, WDTN 2 Dayton – (National) Time Warner Cable recovering from massive outage. Time Warner Cable worked to restore Internet and cable services December 1 following a reported outage that affected over 16,000 customers across several States November 30.