Friday, August 5, 2016



Complete DHS Report for August 5, 2016

Daily Report                                            

Top Stories

• A former teller at a TD Bank branch in Washington Township, New Jersey, pleaded guilty to Federal charges August 2 after she embezzled $608,000 from 8 bank customers between 2014 and 2015. – Cherry Hill Courier-Post See item 3 below in the Financial Services Sector

• Maryland officials announced August 3 that a broken sewer line in Ellicott City is dumping nearly 5 million gallons of sewage per day into a Patapsco River tributary following flash floods that hit the city July 30. – WUSA 9 Washington, D.C.

16. August 3, WUSA 9 Washington, D.C. – (Maryland) Nearly 5 million gallons of sewage spilling into Patapsco River each day. The Maryland Department of the Environment announced August 3 that a broken sewer line in Ellicott City is dumping nearly 5 million gallons of sewage per day into a portion of the Sucker Branch tributary of the Patapsco River following flash floods that hit the city July 30. Source: http://www.wusa9.com/news/local/maryland/nearly-5-million-gallons-of-sewage-spilling-into-patapsco-river-each-day/286792677

• Duke Energy officials reported August 3 that up to 50,000 gallons of storm water runoff spilled from their coal-fired power plant in Rutherford County, North Carolina, into the Broad River. – Associated Press

17. August 3, Associated Press – (North Carolina) Duke Energy says stormwater spilled from coal power plant. Duke Energy officials reported August 3 that up to 50,000 gallons of storm water runoff spilled from their coal-fired power plant in Rutherford County, North Carolina, into the Broad River. Officials stated that while the water came into contact with unburned coal stored at the Rogers Energy Complex, it did not come into contact with any ash or harm the Broad River. Source: http://www.wwaytv3.com/2016/08/03/duke-energy-says-stormwater-spilled-from-coal-power-plant/

• Banner Health notified approximately 3.7 million patients, health plan members, physicians, and health care providers August 3 of a potential data breach after hackers may have gained unauthorized access to patient, physician, and beneficiary data in its computer systems between June 23 and July 7. – Reuters

18. August 3, Reuters – (National) Banner Health says hackers may have gained access to patient data. Banner Health notified approximately 3.7 million patients, health plan members, physicians, and health care providers August 3 of a potential data breach after hackers may have gained unauthorized access to patient, physician, and beneficiary data in computer systems that process card data at food and beverage outlets at Banner Health locations in 7 States between June 23 and July 7.

Financial Services Sector

2. August 3, Softpedia – (International) Venmo fixes hole that allowed attackers to steal $2,999.99 per week using Siri. Venmo patched an attack vector in its digital wallet service after a security researcher discovered attackers could exploit design flaws in Venmo and Apple’s iPhone operating system (iOS) to approve roughly $3,000 a week in money requests if a malicious actor had physical access to a victim’s iPhone by instructing Siri to send a message to a Venmo five-digit phone number on an iOS device that would handle the payment request instead of showing app notifications to the user. Venmo removed the Short Message Service (SMS) “reply-to-pay” functionality, as well as other smaller patches that made the service vulnerable to similar attacks. Source: http://news.softpedia.com/news/venmo-fixes-hole-that-allowed-attackers-to-steal-2-999-99-per-week-using-siri-506912.shtml

3. August 2, Cherry Hill Courier-Post – (New Jersey) Washington Twp. TD Bank teller admits to $600K scam. A former teller at a TD Bank branch in Washington Township, New Jersey, pleaded guilty to Federal charges August 2 after she embezzled $608,000 from 8 bank customers between 2014 and 2015 by transferring money from dormant checking accounts into personal bank accounts or by obtaining cashier’s checks issued in her name. Officials stated the former teller used the stolen funds for personal use. Source: http://www.courierpostonline.com/story/news/2016/08/02/washington-twp-td-bank-teller-admits-600k-scam/87972636/

Information Technology Sector

23. August 4, SecurityWeek – (International) Critical flaws found in Cisco small business routers. Cisco released patches for its small business RV series routers after researchers discovered a critical flaw affecting the Web interface that allows remote, unauthenticated attackers to execute arbitrary code with root privileges, a high severity flaw that can be exploited remotely to perform a directory traversal and access arbitrary files on the system, and a medium severity command shell injection flaw that could allow a local attacker to inject arbitrary shell commands that are then executed by the device, among other vulnerabilities. Source: http://www.securityweek.com/critical-flaws-found-cisco-small-business-routers

24. August 4, SecurityWeek – (International) Google patches 10 vulnerabilities in Chrome 52. Google released an update for Chrome 52 resolving 10 security vulnerabilities after third-party developers discovered 4 high risk flaws affecting the Web browser including an address bar spoofing flaw, a use-after-free bug in Blink, and heap overflow bugs in pdfium, as well as 3 medium risk bugs including a same origin bypass for imagines in Blink, and parameter sanitization failure bugs in DevTools. Source: http://www.securityweek.com/google-patches-10-vulnerabilities-chrome-52

25. August 3, Help Net Security – (International) Four high-profile vulnerabilities in HTTP/2 revealed. Imperva released a report at the Black Hat USA 2016 conference documenting four high-profile vulnerabilities in Hypertext Transfer Protocol (HTTP)/2 after researchers from the Imperva Defense Center found a HPACK Bomb attack resembling a zip bomb, a dependency cycle attack that takes advantage of HTTP/2’s flow control mechanisms for network optimization, stream multiplexing abuse that results in denial-of-service to legitimate users, and Slow Read attacks in server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2. The vendors of the HTTP/2 protocol mechanisms released patches for the issues.

For another story, see item 2 above in the Financial Services Sector

Communications Sector

Nothing to report