Friday, December 5, 2014



Complete DHS Report for December 5, 2014

Daily Report

Top Stories

 · Honda announced December 3 that it will expand its recall of vehicles equipped with airbags manufactured by Takata to include all 50 States due to the potential for the airbag inflators to shatter and send shrapnel into vehicles’ cabins. – Washington Post

4. December 3, Washington Post – (National) Honda expands Takata air bag recall to all 50 states. Honda announced December 3 that it will expand its recall of vehicles equipped with airbags manufactured by Takata to include all 50 States due to the potential for the airbag inflators to shatter and send shrapnel into vehicles’ cabins. The announcement could result in the recall of several million vehicles. Source: http://www.washingtonpost.com/local/trafficandcommuting/honda-expands-takata-air-bag-recall-to-all-50-states/2014/12/03/e2c9e3f4-7b14-11e4-b821-503cc7efed9e_story.html

 · A fire at the American Appliance Factory in Newport, Tennessee, December 3 caused around $1 million in damage and stopped work at the facility. – WVLT 8 Knoxville

5. December 3, WVLT 8 Knoxville – (Tennessee) Fire shuts down work at Newport factory. A fire at the American Appliance Factory in Newport, Tennessee, December 3 caused around $1 million in damage and stopped work at the facility. The fire was believed to have started in a paint room at the factory. Source: http://www.local8now.com/home/headlines/Fire-shuts-down-work-at-Newport-factory-284662001.html

 · A U.S. Department of Justice’s Office of the Inspector General report found that a former-operator of the FEBG Bond Fund operated the fund as a Ponzi scheme that defrauded around 130 individuals of over $30 million. –Tribune News Service See item 7 below in the Financial Services Sector

 · Eight workers at a U.S. Postal Service processing center in Bethpage, New York, were charged December 3 for allegedly stealing illegal shipments of marijuana and conspiring to deal the drugs which held an estimated street value of up to $930,000. – New York Daily News

12. December 3, New York Daily News – (New York) Postal workers on Long Island busted for stealing pot packages. Eight workers at a U.S. Postal Service processing center in Bethpage were charged December 3 on federal charges for allegedly stealing illegal shipments of marijuana and conspiring to deal the drugs. Federal agents seized 129 pounds of marijuana with an estimated street value of up to $930,000. Source: http://www.nydailynews.com/new-york/postal-workers-busted-stealing-pot-packages-article-1.2032179

Financial Services Sector

6. December 4, Softpedia – (International) Critical PayPal bug left all accounts vulnerable to hijacking. A security researcher identified and reported a cross-site request forgery (CSRF) vulnerability that could have been used with other flaws to allow an attacker to link their email address to a victim’s account by capturing a reusable authentication token that was valid for all PayPal accounts. The vulnerability was fixed by PayPal before the researcher publicly disclosed his findings, and the researcher was awarded $10,000 from PayPal’s Bug Bounty program. Source: http://news.softpedia.com/news/Critical-PayPal-Bug-Left-All-Accounts-Vulnerable-to-Hijacking-466500.shtml

7. December 3, Tribune News Service – (Florida) Investigation reveals how Florida man ripped off DEA. A report from the U.S. Department of Justice’s Office of the Inspector General found that a now-deceased Jacksonville man who ran the FEBG Bond Fund operated the fund as a Ponzi scheme that defrauded around 130 individuals of over $30 million, more than half of whom were current or former Drug Enforcement Agency (DEA) employees or connected to DEA employees. The report found that some DEA personnel exercised poor judgment in giving the man access to DEA personnel and facilities and receiving gifts from the man. Source: http://www.msn.com/en-us/news/other/investigation-reveals-how-florida-man-ripped-off-dea-agents/ar-BBgigCn

8. December 3, Charlotte Observer – (North Carolina; South Carolina) Charlotte man pleads guilty to role in Wax House scheme. A Charlotte, North Carolina man pleaded guilty December 3 for his role in the $75 million Operation Wax House mortgage and investment fraud scheme in North Carolina and South Carolina. The man was charged with laundering over $200,000 in loan proceeds through his Perry Masonry Construction company and for working as a promoter to recruit straw buyers. Source: http://www.charlotteobserver.com/2014/12/03/5359034/charlotte-man-pleads-guilty-to.html

Information Technology Sector

27. December 4, The Register – (International) Big Blue patches big blooper in Endpoint Manager for mobes. IBM released a patch for its Endpoint Manager for Mobile Devices product that allowed attackers to gain remote access and compromise mobile devices connected to the network. Source: http://www.theregister.co.uk/2014/12/04/ibm_endpoint_manager_patch/

28. December 3, Softpedia – (International) Asprox operators have started recruiting for a larger botnet. Researchers with Malcovery found that the operators of the Asprox botnet began a campaign using spam emails purporting to be order confirmation from major retailers such as HomeDepot, WalMart, CostCo, and Target in order to infect more users and expand the Asprox botnet. Source: http://news.softpedia.com/news/Asprox-Operators-Have-Started-Recruiting-For-a-Larger-Botnet-466482.shtml

29. December 3, Softpedia – (International) Vulnerability in WhatsApp leads to losing conversations. Two security researchers reported and released a proof-of-concept (PoC) for a flaw in WhatsApp where an attacker could send a 2KB text containing special characters that would cause the app to crash unless the conversation thread is deleted. The researchers stated that the app affects WhatsApp versions 2.11.431 and 2.11.432 on Android devices. Source: http://news.softpedia.com/news/Vulnerability-in-WhatsApp-Leads-to-Losing-Contacts-and-Conversations-466481.shtml

30. December 3, Securityweek – (International) DNSimple suffers downtime due to 25 Gbps DDoS attack. Florida-based DNS provider DNSimple reported that it experienced a distributed denial of service (DDoS) attack December 1 that peaked at 25 Gbps and lasted around 12 hours, causing outages for the company and its customers. The company stated that DNSimple was not targeted but was affected by the DDoS attack after domains already under attack were delegated to the company. Source: http://www.securityweek.com/dnsimple-suffers-downtime-due-25-gbps-ddos-attack

31. December 3, Softpedia – (International) LastPass master password can be decrypted. Researchers presenting at the DefCamp 2014 conference during the November 29-30 weekend demonstrated how an attacker could use a man-in-the-middle (MitM) attack to trick users into running a malicious payload that could expose LastPass password manager passwords under certain conditions. Source: http://news.softpedia.com/news/Saving-LastPass-Master-Password-Locally-Is-A-Bad-Idea-466472.shtml

Communications Sector

32. December 3, Charlottesville Daily Progress – (Virginia) Crash disrupts CenturyLink service along U.S. 29 in southern Albemarle. Cellphone and landline services for CenturyLink customers in southern Albemarle County were disrupted for around 8 hours December 3 when a vehicle crashed on U.S. Route 29 South and struck a box containing CenturyLink fiber optics. Source: http://www.dailyprogress.com/news/local/crash-disrupts-centurylink-service-along-u-s-in-southern-albemarle/article_92cf08ce-7b38-11e4-8b10-17928eaf2149.html

33. December 3, WSBT 22 South Bend – (Indiana) Over 18,000 Frontier customers reportedly lose phone service. Frontier Communications crews worked to restore phone service in the LaPorte, South Bend, and Valparaiso areas after equipment at their main office failed December 3 affecting over 18,000 customers. Source: http://www.wsbt.com/news/local/Over-18-000-Frontier-customers-reportedly-lose-phone-service/30034428