Complete DHS Report for January 12, 2016
Daily Report
Top Stories
• The National Highway Traffic Safety Administration announced January 9 that only Fiat Chrysler radios possess a security flaw that could allow attackers to take control of a vehicle’s speed through the Uconnect infotainment system. – Associated Press
3. January 11, Associated Press – (National) Feds: Non-Jeep car radios aren’t vulnerable to hacking. The National Highway Traffic Safety Administration announced January 9 that it ended its investigation into the vulnerabilities of automotive radios and determined that only Fiat Chrysler radios possess a security flaw that could allow attackers to take control of a vehicle’s speed and manipulate the brakes, radio, windshield wipers, and transmission through the Uconnect infotainment system. The administration determined that a 2015 recall of 1.4 million Fiat Chrysler vehicles addressed the flaw and that the fear of widespread vulnerability to hackers appears to be unfounded. Source: http://www.mercurynews.com/business/ci_29365971/feds-non-jeep-car-radios-arent-vulnerable-hacking
• The chief financial officer at Clarkston Brandon Community Credit Union in Detroit was charged with embezzlement January 8 after stealing $20 million from the credit union over the course of 12 years. – Associated Press See item 4 below in the Financial Services Sector
• The U.S. Department of Justice and DHS formed a new unit called the Countering Violent Extremism Task Force to coordinate U.S. efforts to fight extremist groups such as the Islamic State (IS) domestically and to support international partners of the U.S. in their programs against extremist activities. – SecurityWeek See item 22 below in the Information Technology Sector
• Approximately 150 employees and customers were evacuated from the Heritage Plaza in Auburn, Massachusetts January 9 after a heating system in a business leaked high levels of carbon monoxide. – Associated Press
28. January 9, Associated Press – (Massachusetts) High levels of carbon monoxide lead to strip mall evacuation. Approximately 150 employees and customers were evacuated from the Heritage Plaza in Auburn, Massachusetts January 9 after a heating system in the office of Great Expressions Dental Centers malfunctioned and leaked high levels of carbon monoxide. No injuries were reported and the heating system was shut down. Source: http://www.bostonherald.com/news/local_coverage/2016/01/high_levels_of_carbon_monoxide_lead_to_strip_mall_evacuation
Financial Services Sector
4. January 8, Associated Press – (Michigan) Cops: Man admits to stealing $20M from suburban credit union. The chief financial officer at Clarkston Brandon Community Credit Union in Detroit was charged with embezzlement January 8 after confessing January 6 to stealing $20 million from the credit union over the course of 12 years. Source: http://gazette.com/cops-man-admits-to-stealing-20m-from-suburban-credit-union/article/feed/305895
Information Technology Sector
19. January 11, Softpedia – (International) CSRF bug in Verizon’s API left My FiOS accounts open to attacks. Verizon patched a cross-site request forgery (CSRF) flaw in its My FiOS application programming interface (API) after an independent security researcher demonstrated with a proof-of-concept (PoC) that attackers could act on users’ accounts via malicious Web pages distributed through email campaigns. Once a logged-in user opens such a page, it can silently trigger a password reset request against the user’s account, since the API accepted the request on the strength of the browser’s session cookie alone. Source: http://news.softpedia.com/news/csrf-bug-in-verizon-s-api-left-my-fios-accounts-open-to-attacks-498723.shtml
20. January 11, SecurityWeek – (International) Drupal starts patching update process flaws. Drupal reported that its developers are working to patch a cross-site request forgery (CSRF) vulnerability and an update status vulnerability in the update process of its Content Management System (CMS) after an IOActive researcher discovered that the flaws affect Drupal versions 7 and 8. Source: http://www.securityweek.com/drupal-starts-patching-update-process-flaws
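Both items 19 and 20 turn on the same defect: a state-changing request (a password reset, an update action) that the server accepts because the browser attached the victim’s session cookie, which it does for any page that submits a form to the site. The following added example, which is not Verizon’s, Drupal’s or the researchers’ code, models such an endpoint as plain functions so it runs without a web framework, and shows the cross-site request succeeding against the unprotected handler and failing against one that checks the request’s origin and a per-session token. The site origin, session store and user store are constructed assumptions.

```python
"""Added example: a password-reset endpoint without and with CSRF defences.

Constructed for illustration; not Verizon's or Drupal's code. The site
origin, session store and user store are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

TRUSTED_ORIGIN = "https://myfios.example"  # hypothetical origin of the site


@dataclass
class Request:
    """The parts of an HTTP request the handler cares about."""
    method: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


@dataclass
class Site:
    """In-memory user and session store (constructed test data)."""
    users: dict = field(default_factory=lambda: {"alice": "old-password"})
    sessions: dict = field(default_factory=lambda: {
        "sess-alice": {"user": "alice", "csrf_secret": secrets.token_hex(16)}
    })

    def csrf_token(self, session_id: str) -> str:
        # Derived from a per-session secret and bound to this action, so only
        # a page the site itself served to this session can carry it.
        secret = self.sessions[session_id]["csrf_secret"].encode()
        return hmac.new(secret, b"password-reset", hashlib.sha256).hexdigest()

    def _session(self, req: Request):
        return self.sessions.get(req.cookies.get("session"))

    def vulnerable_reset(self, req: Request) -> int:
        """Trusts the session cookie alone: a cross-site POST looks identical
        to one the user meant to send."""
        sess = self._session(req)
        if req.method != "POST" or sess is None:
            return 401
        self.users[sess["user"]] = req.form["new_password"]
        return 200

    def hardened_reset(self, req: Request) -> int:
        """Same action, but requires a trusted Origin/Referer and a valid token."""
        sess = self._session(req)
        if req.method != "POST" or sess is None:
            return 401
        origin = req.headers.get("Origin")
        referer = req.headers.get("Referer", "")
        if origin is not None:
            origin_ok = origin == TRUSTED_ORIGIN
        else:
            # No Origin header: fall back to Referer, and fail closed if absent.
            origin_ok = referer.startswith(TRUSTED_ORIGIN + "/")
        if not origin_ok:
            return 403
        expected = self.csrf_token(req.cookies["session"])
        if not hmac.compare_digest(req.form.get("csrf_token", ""), expected):
            return 403
        self.users[sess["user"]] = req.form["new_password"]
        return 200


def cross_site_request() -> Request:
    """What the victim's browser sends after loading an attacker page with an
    auto-submitting form: the session cookie is attached, the token is not."""
    return Request("POST", cookies={"session": "sess-alice"},
                   form={"new_password": "attacker-chosen"},
                   headers={"Origin": "https://attacker.example"})


def same_site_request(site: Site) -> Request:
    """A reset the user actually initiated from the site's own page."""
    return Request("POST", cookies={"session": "sess-alice"},
                   form={"new_password": "alice-chosen",
                         "csrf_token": site.csrf_token("sess-alice")},
                   headers={"Origin": TRUSTED_ORIGIN})


if __name__ == "__main__":
    site = Site()
    print("vulnerable, cross-site:", site.vulnerable_reset(cross_site_request()), site.users)
    site = Site()
    print("hardened, cross-site:", site.hardened_reset(cross_site_request()), site.users)
    print("hardened, same-site:", site.hardened_reset(same_site_request(site)), site.users)
```

The origin check and the token are independent defences: the token alone fails if the site ever leaks it through an injection bug, and the origin check alone fails on clients that strip both headers, which is why the fallback rejects rather than accepts a request carrying neither. Marking the session cookie SameSite is a third layer the handler cannot see but that stops the browser attaching the cookie in the first place.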
21. January 11, SecurityWeek – (International) Juniper to enhance RNG in ScreenOS. Juniper Networks reported January 8 that it will replace the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) technology used in its ScreenOS products with the same random number generation (RNG) technology used in its Junos OS products. Juniper stated that its investigation found the Junos OS RNG subsystem to be more robust and the Junos OS code base harder for anyone to plant unauthorized code in. Source: http://www.securityweek.com/juniper-enhance-rng-screenos
22. January 9, SecurityWeek – (International) US ramps up war on IS propaganda, recruitment. White House officials reported January 8 that the U.S. Department of Justice and DHS formed a new unit called the Countering Violent Extremism Task Force to coordinate U.S. efforts to fight extremist groups such as the Islamic State (IS) domestically, and to support international partners of the U.S. in their programs to neutralize potential extremist activities by preventing radical groups from using the Internet to recruit supporters and from using encrypted technologies to hide their activities. Source: http://www.securityweek.com/us-ramps-war-propaganda-recruitment
For another story, see item 27 below from the Commercial Facilities Sector
27. January 9, Softpedia – (National) Star Wars BB-8 toy vulnerable to hacking, nobody cares, the toy is still awesome. Researchers from Pen Test Partners discovered that Sphero’s Internet of Things (IoT) product, the Star Wars BB-8 toy used with its Android and Apple iOS apps, was vulnerable to firmware update attacks that allow attackers to change the toy’s sound files and control the product, because the app fetches firmware updates over unencrypted Hypertext Transfer Protocol (HTTP) with no verification of what it receives. The researchers also flagged privacy-intrusive sensor and data collection features that likewise send data over HTTP. Sphero confirmed its developers were working to patch the flaw. Source: http://news.softpedia.com/news/star-wars-bb-8-toy-vulnerable-to-hacking-nobody-cares-the-toy-is-still-awesome-498673.shtml
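The update-attack path in item 27 exists because an image fetched over plain HTTP is accepted as-is, so anyone on the network path can substitute their own. The added example below, which is not Sphero’s or Pen Test Partners’ code, contrasts a device that applies whatever arrives with one that authenticates a signed manifest, refuses downgrades, and checks the image digest before applying it. The manifest format and the vendor key are assumptions, and an HMAC stands in for the vendor’s signature so the example needs only the standard library; a real device would hold only a public key and verify an asymmetric signature, and the transport would be TLS as well.

```python
"""Added example: verifying a firmware image before applying it.

Constructed for illustration; not Sphero's or Pen Test Partners' code. The
manifest format and both keys are assumptions. An HMAC stands in for the
vendor's signature so the example needs only the standard library; a real
device would hold only a public key and verify an asymmetric signature.
"""
import hashlib
import hmac
import json

VENDOR_KEY = b"constructed-vendor-key"      # hypothetical
ATTACKER_KEY = b"constructed-attacker-key"  # hypothetical

GENUINE_IMAGE = b"genuine firmware v2 with original sound files"   # constructed
TAMPERED_IMAGE = b"firmware v2 with attacker-replaced sound files"  # constructed


def sign_manifest(image: bytes, version: int, key: bytes = VENDOR_KEY) -> bytes:
    """Vendor side: bind version and image digest, then authenticate the manifest."""
    body = json.dumps({"version": version,
                       "sha256": hashlib.sha256(image).hexdigest()}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode()


def unverified_update(current_version: int, manifest: bytes, image: bytes):
    """A device that applies whatever arrives over plain HTTP."""
    body = json.loads(json.loads(manifest)["body"])
    return body["version"], image


def verified_update(current_version: int, manifest: bytes, image: bytes,
                    key: bytes = VENDOR_KEY):
    """Device side: authenticate the manifest, refuse rollback, then check the image."""
    outer = json.loads(manifest)
    body_text = outer["body"]
    expected_tag = hmac.new(key, body_text.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(outer.get("tag", ""), expected_tag):
        raise ValueError("manifest not authenticated by vendor key")
    body = json.loads(body_text)
    if body["version"] <= current_version:
        raise ValueError("rollback or replay of an old manifest")
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), body["sha256"]):
        raise ValueError("image digest does not match manifest")
    return body["version"], image


def outcome(fn, *args) -> str:
    """Summarise an update attempt as applied/rejected for comparison."""
    try:
        return "applied v%d" % fn(*args)[0]
    except ValueError as exc:
        return "rejected: %s" % exc


def mitm_scenarios(current_version: int = 1) -> dict:
    """What each update path does when an on-path attacker interferes."""
    manifest = sign_manifest(GENUINE_IMAGE, 2)
    results = {}
    # 1. Image swapped in transit, vendor manifest left alone.
    results["unverified_swap"] = unverified_update(current_version, manifest, TAMPERED_IMAGE)[1]
    results["verified_swap"] = outcome(verified_update, current_version, manifest, TAMPERED_IMAGE)
    # 2. Attacker forges a matching manifest with their own key.
    forged = sign_manifest(TAMPERED_IMAGE, 2, ATTACKER_KEY)
    results["verified_forged"] = outcome(verified_update, current_version, forged, TAMPERED_IMAGE)
    # 3. Attacker replays a genuinely signed but older manifest to downgrade a v2 device.
    old = sign_manifest(b"genuine firmware v1", 1)
    results["verified_rollback"] = outcome(verified_update, 2, old, b"genuine firmware v1")
    # 4. The real update goes through.
    results["verified_genuine"] = outcome(verified_update, current_version, manifest, GENUINE_IMAGE)
    return results


if __name__ == "__main__":
    for name, result in mitm_scenarios().items():
        print(name, "->", result)
```

The digest check alone would not help if the attacker can also rewrite the manifest, which is why the manifest must be authenticated with a key the attacker does not hold; the version check closes the remaining gap, replaying a genuinely signed but older (and perhaps vulnerable) image.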
Communications Sector
Nothing to report