Complete DHS Report for August 5, 2016
Daily Report
Top Stories
• A former teller at a TD Bank branch in Washington Township, New
Jersey, pleaded guilty to Federal charges August 2 after she embezzled $608,000
from 8 bank customers between 2014 and 2015. – Cherry Hill Courier-Post. See item 3 below in
the Financial Services Sector
• Maryland officials announced August 3 that a broken sewer line
in Ellicott City is dumping nearly 5 million gallons of sewage per day into a
Patapsco River tributary following flash floods that hit the city July 30. – WUSA
9 Washington, D.C.
16. August 3,
WUSA 9 Washington, D.C. – (Maryland) Nearly 5 million gallons of
sewage spilling into Patapsco River each day. The Maryland Department of
the Environment announced August 3 that a broken sewer line in Ellicott City is
dumping nearly 5 million gallons of sewage per day into a portion of the Sucker
Branch tributary of the Patapsco River following flash floods that hit the city
July 30. Source: http://www.wusa9.com/news/local/maryland/nearly-5-million-gallons-of-sewage-spilling-into-patapsco-river-each-day/286792677
• Duke Energy officials reported August 3 that up to 50,000
gallons of storm water runoff spilled from their coal-fired power plant in
Rutherford County, North Carolina, into the Broad River. – Associated Press
17. August 3,
Associated Press – (North Carolina) Duke Energy says stormwater spilled from
coal power plant. Duke Energy officials reported August 3 that up to 50,000
gallons of storm water runoff spilled from their coal-fired power plant in
Rutherford County, North Carolina, into the Broad River. Officials stated that
while the water came into contact with unburned coal stored at the Rogers
Energy Complex, it did not come into contact with any ash or harm the Broad
River. Source: http://www.wwaytv3.com/2016/08/03/duke-energy-says-stormwater-spilled-from-coal-power-plant/
• Banner Health notified approximately 3.7 million patients,
health plan members, physicians, and health care providers August 3 of a
potential data breach after hackers may have gained unauthorized access to
patient, physician, and beneficiary data in its computer systems between June
23 and July 7. – Reuters
18. August 3,
Reuters – (National) Banner Health says hackers may have gained access
to patient data. Banner Health notified approximately 3.7 million patients,
health plan members, physicians, and health care providers August 3 of a
potential data breach after hackers may have gained unauthorized access to
patient, physician, and beneficiary data in computer systems that process card
data at food and beverage outlets at Banner Health locations in 7 States
between June 23 and July 7.
Financial Services Sector
2. August 3,
Softpedia – (International) Venmo fixes hole that allowed attackers to
steal $2,999.99 per week using Siri. Venmo patched an attack vector in its
digital wallet service after a security researcher discovered that a malicious
actor with physical access to a victim’s iPhone could exploit design flaws in
Venmo and Apple’s iPhone operating system (iOS) to approve roughly $3,000 a
week in money requests. The attacker would instruct Siri to send a message to a
Venmo five-digit phone number on an iOS device that would handle the payment
request instead of showing app notifications to the user. Venmo removed the
Short Message Service (SMS) “reply-to-pay” functionality and made other
smaller patches for issues that left the service vulnerable to similar attacks. Source: http://news.softpedia.com/news/venmo-fixes-hole-that-allowed-attackers-to-steal-2-999-99-per-week-using-siri-506912.shtml
3. August 2,
Cherry Hill Courier-Post – (New Jersey) Washington Twp. TD Bank
teller admits to $600K scam. A former teller at a TD Bank branch in
Washington Township, New Jersey, pleaded guilty to Federal charges August 2
after she embezzled $608,000 from 8 bank customers between 2014 and 2015 by
transferring money from dormant checking accounts into personal bank accounts
or by obtaining cashier’s checks issued in her name. Officials stated the
former teller used the stolen funds for personal use. Source: http://www.courierpostonline.com/story/news/2016/08/02/washington-twp-td-bank-teller-admits-600k-scam/87972636/
Information Technology Sector
23. August 4,
SecurityWeek – (International) Critical flaws found in Cisco small business
routers. Cisco released patches for its small business RV series routers
after researchers discovered a critical flaw affecting the Web interface that
allows remote, unauthenticated attackers to execute arbitrary code with root
privileges, a high severity flaw that can be exploited remotely to perform a
directory traversal and access arbitrary files on the system, and a medium
severity command shell injection flaw that could allow a local attacker to
inject arbitrary shell commands that are then executed by the device, among
other vulnerabilities. Source: http://www.securityweek.com/critical-flaws-found-cisco-small-business-routers
24. August 4,
SecurityWeek – (International) Google patches 10 vulnerabilities in Chrome
52. Google released an update for Chrome 52 resolving 10 security
vulnerabilities after third-party developers discovered 4 high risk flaws
affecting the Web browser including an address bar spoofing flaw, a
use-after-free bug in Blink, and heap overflow bugs in pdfium, as well as 3
medium risk bugs including a same origin bypass for images in Blink, and
parameter sanitization failure bugs in DevTools. Source: http://www.securityweek.com/google-patches-10-vulnerabilities-chrome-52
25. August 3,
Help Net Security – (International) Four high-profile vulnerabilities in HTTP/2
revealed. Imperva released a report at the Black Hat USA 2016 conference
documenting four high-profile vulnerabilities in Hypertext Transfer Protocol
(HTTP)/2 after researchers from the Imperva Defense Center found an HPACK Bomb
attack resembling a zip bomb, a dependency cycle attack that takes advantage of
HTTP/2’s flow control mechanisms for network optimization, stream multiplexing
abuse that results in denial-of-service to legitimate users, and Slow Read attacks
in server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2.
The vendors of the HTTP/2 protocol mechanisms released patches for the issues.
For another story, see item 2 above in the Financial Services Sector
Communications Sector
Nothing to report