Monday, October 31, 2016 -- Halloween



Complete DHS Report for October 31, 2016

Daily Report

Top Stories

• Officials reached a $150,000 settlement October 27 with Specialty Materials Inc. after a July 2014 inspection found that the company failed to properly manage methylene chloride and other hazardous materials. – U.S. Environmental Protection Agency

1. October 27, U.S. Environmental Protection Agency – (Massachusetts) Lowell company settles with EPA for hazardous waste concerns. The U.S. Environmental Protection Agency (EPA) announced October 27 that it reached a $150,000 settlement with Lowell, Massachusetts-based Specialty Materials Inc. to resolve alleged violations of the Federal Resource Conservation and Recovery Act and Massachusetts hazardous waste management regulations after a July 2014 EPA inspection found that the company failed to properly store, handle, and manage methylene chloride, mercury-contaminated solids and wastewater, and other hazardous wastes; neglected to ensure safety and emergency preparedness procedures were followed; and failed to maintain appropriate records on the storage and handling of hazardous wastes, among other violations. Source: https://www.epa.gov/newsreleases/lowell-company-settles-epa-hazardous-waste-concerns

• BMW issued a recall October 28 for 136,188 of its model years 2007 – 2012 vehicles in select makes due to faulty wiring in the fuel pump that could result in a buildup of electrical resistance and cause the pump to overheat and melt. – TheCarConnection.com

2. October 28, TheCarConnection.com – (National) BMW recalls 136,000 vehicles in the U.S. to fix stalling & fuel leaks. BMW issued a recall October 28 for 136,188 of its model years 2007 – 2012 vehicles in select makes equipped with an in-tank fuel pump sold in the U.S. due to faulty wiring in the fuel pump that may have been improperly crimped, which could result in a buildup of electrical resistance and cause the pump to overheat and melt, thereby increasing the risk of stalling and fuel leaks. Source: http://www.thecarconnection.com/news/1106957_bmw-recalls-136000-vehicles-in-the-u-s-to-fix-stalling-fuel-leaks

• A total of 61 individuals and entities were charged in an indictment unsealed October 27 for their alleged roles in a call center scheme that defrauded at least 15,000 U.S. residents out of more than $250 million. – Washington Post. See item 4 below in the Financial Services Sector

• The U.S. Environmental Protection Agency announced October 27 that Bacon-Agostini Construction Co., Inc. and K.R. Rezendes, Inc. agreed to pay $49,500 to resolve alleged violations of the Clean Water Act. – U.S. Environmental Protection Agency

12. October 27, U.S. Environmental Protection Agency – (Massachusetts) Companies and EPA settle matter of stormwater discharges during construction of Somerset, Mass. school. The U.S. Environmental Protection Agency (EPA) announced October 27 that Bacon-Agostini Construction Co., Inc. and excavation company K.R. Rezendes, Inc. agreed to pay $49,500 to resolve alleged violations of the Clean Water Act after the companies discharged sediment-filled stormwater from the construction site of the new Somerset-Berkley Regional High School in Somerset, Massachusetts, into catch basins for the town’s municipal storm sewer system and the Taunton River in 2012. As part of the settlement, the companies must take necessary steps to protect the Taunton River and the local storm sewer system from contamination, and correct their violations of the EPA permit to discharge storm water. Source: https://www.epa.gov/newsreleases/companies-and-epa-settle-matter-stormwater-discharges-during-construction-somerset-mass

Financial Services Sector

4. October 27, Washington Post – (International) Justice Department charges dozens in massive Indian call center scheme. A total of 61 individuals and entities were charged in an indictment unsealed October 27 for their alleged roles in a call center scheme that defrauded at least 15,000 U.S. residents out of more than $250 million after call center operators in India impersonated U.S. Internal Revenue Service or U.S. Citizenship and Immigration Services officials and threatened potential victims with arrest, imprisonment, or deportation if they failed to pay taxes or debts to the government. The charges state that a network of U.S.-based co-conspirators liquidated and laundered the extorted funds through wire transfers or by purchasing prepaid debit cards that were registered with stolen information from the identity theft victims. Source: https://www.washingtonpost.com/world/national-security/justice-department-charges-dozens-in-massive-indian-call-center-scheme/2016/10/27/ae64a6b0-9c48-11e6-a0ed-ab0774c1eaa5_story.html

Information Technology Sector

17. October 28, SecurityWeek – (International) Apple patches flaws in Xcode, Windows software. Apple released version 8.1 of its Xcode integrated development environment (IDE) to address 10 vulnerabilities in Node.js and OpenSSL that an attacker could exploit for arbitrary code execution or to cause an application to crash. Apple also released iTunes version 12.5.2 and iCloud version 6.0.1 for Microsoft Windows due to flaws in the WebKit Web browser engine, which can be exploited through processing specially crafted Web content for arbitrary code execution and disclosure of user information. Source: http://www.securityweek.com/apple-patches-flaws-xcode-windows-software

18. October 28, Help Net Security – (International) New code injection attack works on all Windows versions. Security researchers from enSilo discovered a code injection method, dubbed AtomBombing, that can be leveraged against all Microsoft Windows versions without triggering security solutions. The researchers found attackers can write malicious code into the operating system’s atom table in order to force a legitimate program to retrieve the malicious code and manipulate the program to execute that code, thereby enabling attackers to take screenshots, access encrypted passwords, and perform Man in the Browser (MitB) attacks. Source: https://www.helpnetsecurity.com/2016/10/28/code-injection-windows-atombombing/

Communications Sector

19. October 27, Washington Post – (National) The FCC just passed sweeping new rules to protect your online privacy. The Federal Communications Commission approved new rules October 27 that require Internet service providers to receive explicit consent from their customers before using or sharing sensitive personal information, including app and browsing history and mobile location data, among other information generated while using the Internet. The ruling also requires service providers to inform customers about what data they collect and why, and notify customers of data breaches. Source: https://www.washingtonpost.com/news/the-switch/wp/2016/10/27/the-fcc-just-passed-sweeping-new-rules-to-protect-your-online-privacy/

Friday, October 28, 2016 – Author’s Birthday



Complete DHS Report for October 28, 2016

Daily Report

Top Stories

• Ford Motor Company issued a recall October 26 for 400,000 of its model years 2010 – 2012 vehicles in select makes due to a faulty fuel delivery module supply port that may crack over time and cause a fuel leak. – TheCarConnection.com

1. October 26, TheCarConnection.com – (National) Ford Escape, Mercury Mariner, Shelby GT350/R Mustang recalled for oil and fuel leaks. Ford Motor Company issued a recall October 26 for 400,000 of its model years 2010 – 2012 Ford Escape vehicles and its model years 2010 – 2011 Mercury Mariner vehicles equipped with 3.0-liter flex-fuel engines sold in the U.S. due to a faulty fuel delivery module supply port that may crack over time and cause a fuel leak, thereby increasing the risk of fire. Ford issued a second recall for 8,000 of its model years 2015 – 2017 Ford Shelby GT350/R Mustang vehicles sold in the U.S. due to a potential engine issue. Source: http://www.thecarconnection.com/news/1106906_ford-escape-mercury-mariner-shelby-gt350-r-mustang-recalled-for-oil-and-fuel-leaks

• The former chief executive officer of Axium International, Inc. was convicted October 25 after he and a co-conspirator diverted about $5.1 million from Axium between 2005 and 2007. – U.S. Attorney’s Office, Central District of California. See item 3 below in the Financial Services Sector

• A Manhattan tax attorney and a co-conspirator were charged October 26 for allegedly diverting more than $3 million in fee income from transactions the attorney performed from 2005 – 2011, and failing to report over $1.2 million in fee income to the U.S. Internal Revenue Service. – U.S. Attorney’s Office, Southern District of New York. See item 4 below in the Financial Services Sector

• A 6-alarm fire at an apartment building on the Upper East Side of New York City killed 1 person, injured 12 others, and displaced 18 families October 27. – WCBS 2 New York

17. October 27, WCBS 2 New York – (New York) Firefighter performs ‘heroic’ rope rescue in deadly Upper East Side fire. A 6-alarm fire at an apartment building on the Upper East Side of New York City killed 1 person, injured 12 others, and displaced 18 families October 27. Officials temporarily shut down surrounding roads and the cause of the fire remains under investigation.

Financial Services Sector

2. October 26, Associated Press – (Montana) Montana credit union tells customers about possible security breach. Rocky Mountain Credit Union in southwestern Montana notified 135 of its members October 26 that some of their personal information, including Social Security numbers, bank account numbers, and driver's license numbers, may have been publicly accessible via its Website from April 15 – June 30 after the credit union detected a security issue with the Website customers used to upload documents as part of their mortgage application. Officials did not believe the documents were accessed by an unauthorized individual and the credit union repaired the security flaw. Source: http://billingsgazette.com/news/state-and-regional/montana/montana-credit-union-tells-customers-about-possible-security-breach/article_39eea0fd-2a96-5380-b638-c78e2e3ca1cf.html

3. October 26, U.S. Attorney’s Office, Central District of California – (California) Former CEO of Hollywood payroll company convicted for tax fraud conspiracy. The former chief executive officer (CEO) of Axium International, Inc. was convicted October 25 after he and a co-conspirator diverted about $5.1 million from Axium between 2005 and 2007 through various schemes, including a scheme where the CEO diverted tax refund checks payable to Axium and its subsidiaries into shadow bank accounts he and his co-conspirator controlled. The charges state the duo diverted the funds after discovering the company’s Federal tax delinquencies exceeded $100 million and its lender foreclosed on its bank accounts. Source: https://www.justice.gov/usao-cdca/pr/former-ceo-hollywood-payroll-company-convicted-tax-fraud-conspiracy

4. October 26, U.S. Attorney’s Office, Southern District of New York – (New York) Tax attorney and CPA indicted for tax evasion and diversion of tax shelter fees from major Manhattan law firm. A Manhattan tax attorney and a Florida certified public accountant (CPA) were charged October 26 for allegedly diverting more than $3 million in fee income from tax shelter and related transactions the attorney performed while serving as a partner for the Manhattan law firm from 2005 – 2011, and failing to report over $1.2 million in fee income to the U.S. Internal Revenue Service. The charges allege that as part of the scheme, the tax attorney caused roughly $500,000 in tax shelter fees paid by a client to be routed to a partnership entity he and the CPA co-owned, and used those fees for personal expenses. Source: https://www.justice.gov/usao-sdny/pr/tax-attorney-and-cpa-indicted-tax-evasion-and-diversion-tax-shelter-fees-major

Information Technology Sector

14. October 27, SecurityWeek – (International) Cisco patches 9 flaws in Email Security Appliance. Cisco Systems, Inc. released software updates for its Email Security Appliances (ESA) to resolve a total of nine vulnerabilities, including three denial-of-service (DoS) flaws in the AsyncOS software for Cisco ESA which could allow an unauthenticated remote attacker to cause a DoS condition using maliciously crafted emails and attachments. Cisco also patched vulnerabilities that could allow unauthenticated attackers to remotely trick a user into clicking a malicious link, initiate a DoS condition, and bypass various filters, among other flaws.

15. October 26, SecurityWeek – (International) VMware flaws allow security bypass on Mac OS X. VMware released VMware Tools version 10.1.0 after security researchers from Tencent’s KeenLab discovered that VMware Tools version 9.x and 10.x are plagued with a flaw that could allow a local user to obtain information that can be leveraged to bypass a security mechanism. VMware also released version 8.5 of its VMware Fusion products to resolve a flaw that could allow a privileged local user on a system with System Integrity Protection (SIP) enabled to obtain kernel memory addresses to bypass the kASLR protection mechanism.

16. October 26, SecurityWeek – (International) Adobe patches Flash vulnerability used in targeted attacks. Adobe released a Flash Player update after researchers from Google’s Threat Analysis Group found a critical use-after-free vulnerability that has been exploited in the wild for arbitrary code execution and targeted attacks against users running Microsoft Windows 7, 8.1, and 10. Adobe stated the security flaw affects Flash Player 23.0.0.185 and earlier and Linux versions 11.2.202.637 and earlier. Source: http://www.securityweek.com/adobe-patches-flash-vulnerability-used-targeted-attacks

Communications Sector

Nothing to report