Friday, October 30, 2015



Complete DHS Report for October 30, 2015

Daily Report

Top Stories

 • The Santa Clara County Public Health Department reported October 28 that the number of cases in a Shigella outbreak rose to 190, with the cases linked to food from the Mariscos San Juan restaurant. – San Jose Mercury News

12. October 29, San Jose Mercury News – (California) Shigella outbreak reaches 190 reported cases. The Santa Clara County Public Health Department reported October 28 that the number of cases in a Shigella outbreak rose to 190. The cause of the outbreak remains under investigation but officials believe that nearly all cases stem from food served at the Mariscos San Juan restaurant between October 16 and October 17.

 • Sanofi issued a recall October 28 for approximately 490,000 packs of Auvi-Q epinephrine injectors used to treat severe allergic reactions following 26 reports of malfunctions with the injectors. – Associated Press

20. October 28, Associated Press – (International) Sanofi recalls all injectors used for allergic reactions. Sanofi issued a recall October 28 for approximately 490,000 packs of Auvi-Q epinephrine injectors used to treat severe allergic reactions following 26 reports of malfunctions with the injectors that may not deliver the correct amount of the drug. Source: http://abcnews.go.com/Business/wireStory/sanofi-recalls-pen-injectors-allergic-reactions-34805509

 • A security expert reported October 28 that 13 million personal user records from the free web hosting service 000webhost.com were compromised after its main server was exploited via a flaw in its old version of PHP. – Securityweek. See item 24 below in the Information Technology Sector.

 • Mapunapuna officials reported October 28 that a building supply company housing 17 businesses sustained extensive damage October 27 after a 3-alarm fire caused approximately $5.5 million in damages. – Honolulu Star-Advertiser

30. October 28, Honolulu Star-Advertiser – (Hawaii) Fire causes $5.5 million damage to Mapunapuna businesses. Mapunapuna officials reported October 28 that a building supply company housing 17 businesses sustained extensive damage October 27 after a 3-alarm fire caused approximately $5.5 million in damages. Fire crews remained on site for nearly 21 hours extinguishing the blaze and the cause of the incident is under investigation. Source: http://www.staradvertiser.com/news/breaking/20151027_Firefighters_respond_to_threealarm_fire_in_Mapunapuna.html?id=337815871

Financial Services Sector

6. October 28, Buffalo News – (New York) Falls businessman who shot brother-in-law pleads guilty to bank fraud. A suspect serving a prior prison sentence for attempted murder pleaded guilty October 28 in a Buffalo district court to defrauding M&T Bank of $177,500 by cashing 42 checks from an overdrawn company account from the now-defunct Electro-Dyne Choke Corp., between November 2012 and March 2013. The suspect had the company’s payroll firm issue payroll checks to himself and another individual from bank accounts that did contain enough money.

7. October 28, Bloomberg News – (New York) Goldman agrees to pay $50 million to settle N.Y. Fed leak case. Goldman Sachs Group Inc. reached a $50 million settlement and accepted a 3-year suspension on some advisory capacities within New York October 28 following allegations of unauthorized access to classified documents from the Federal Reserve Bank of New York. The case involves a Federal Reserve employee who provided a client’s confidential information to a Goldman Sachs employee, who then circulated the information to senior personnel. Source: http://www.bloomberg.com/news/articles/2015-10-28/goldman-agrees-to-pay-50-million-to-settle-n-y-fed-leak-case

8. October 28, Chicago Tribune – (Illinois) Politician goes from speaker to felon, but his dark past still a mystery. A U.S. politician pleaded guilty October 28 in a Federal courtroom in Chicago to charges related to allegations of illegally structuring more than $3.5 million in bank account withdrawals to avoid financial reporting requirements as part of a payout to cover up alleged wrongdoing. Source: http://www.chicagotribune.com/news/local/breaking/ct-dennis-hastert-guilty-plea-hearing-met-20151027-story.html

Information Technology Sector

24. October 29, Securityweek – (International) 13 million passwords leaked from free hosting service. A security expert reported October 28 that 13 million personal user records, including names, emails, and plaintext passwords, from the free web hosting service 000webhost.com were compromised after its main server was exploited via a flaw in its old version of PHP. To mitigate future breaches, 000webhost updated its systems, increased its encryption, and changed all passwords. Source: http://www.securityweek.com/13-million-passwords-leaked-free-hosting-service

25. October 29, Securityweek – (International) Several flaws patched in Xen Hypervisor. Researchers from Xen Project released a total of nine advisories addressing recently patched Xen hypervisor vulnerabilities, including hypercall issues that can be leveraged to cause a denial-of-service (DoS) condition via repeated logging to the hypervisor console, a privilege escalation vulnerability, and a multicall issue that a malicious guest can exploit to crash a host, among other patched security holes. The advisories followed the discovery of each vulnerability by experts from Citrix, Alibaba, and SUSE. Source: http://www.securityweek.com/several-flaws-patched-xen-hypervisor?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityweek+%28SecurityWeek+RSS+Feed%29

26. October 28, Securityweek – (International) “Chikdos” Malware abuses MySQL Servers for DDoS attacks. Researchers from Symantec reported that the Chikdos trojan malware, designed to hijack both Linux and Windows, recently targeted MySQL servers via a malicious user-defined function (UDF) working as a downloader trojan (Downloader.Chikdos) that allows actors to conduct distributed denial-of-service (DDoS) attacks via SQL injection attacks. Symantec data confirms the most infected MySQL servers were located in India, China, Brazil, Holland, and the U.S. Source: http://www.securityweek.com/chikdos-malware-abuses-mysql-servers-ddos-attacks

27. October 28, Securityweek – (International) Infinite Automation patches flaws in SCADA/HMI product. Infinite Automation Systems released an updated version of its Mango Automation product patching a series of vulnerabilities after researchers from ICS-CERT discovered unrestricted file upload, information exposure, SQL injection, and cross-site scripting vulnerabilities. The version fixed all the flaws except an OS command injection and a cross-site request forgery (CSRF) flaw.

Communications Sector

Nothing to report

Thursday, October 29, 2015



Complete DHS Report for October 29, 2015

Daily Report

Top Stories

 • BMW announced a recall October 28 for 86,000 model year 2002 – 2005 Mini Cooper and Cooper S vehicles due to a power steering failure issue following 339 consumer complaints. – Associated Press

2. October 28, Associated Press – (National) Mini recalls 86,000 cars to fix power steering problems. BMW announced a recall October 28 for 86,000 model year 2002 – 2005 Mini Cooper and Cooper S vehicles due to a power steering failure issue following a Federal investigation into 339 consumer complaints including 5 crashes and 3 fires as a result of the failure. Source: http://www.detroitnews.com/story/business/autos/foreign/2015/10/28/mini-recall/74730982/

 • New York officials reported October 27 that 4 suspects pleaded guilty and 11 others were charged for participating in a $31 million fraudulent debt collection scheme which misled victims into paying debt amounts greater than they owed. – Buffalo News. See item 6 below in the Financial Services Sector.

 • The owner of 2 medical clinics in New York pleaded guilty October 26 to her role in a money laundering scheme that defrauded Medicaid and Medicare programs out of $55 million. – U.S. Department of Justice

16. October 26, U.S. Department of Justice – (New York) Owner of two New York medical clinics pleads guilty to role in $55 million health care fraud scheme. The U.S. Department of Justice announced October 26 that the owner of 2 medical clinics in New York pleaded guilty to her role in a money laundering scheme that defrauded Medicaid and Medicare programs of $55 million by offering patients kickbacks to allow medically unnecessary therapy, testing, and office visits that were never performed by licensed professionals. The suspect admitted to diverting funds deposited into the clinics’ bank accounts by the Federal programs to herself, co-conspirators, and patients instead. Source: http://www.justice.gov/opa/pr/owner-two-new-york-medical-clinics-pleads-guilty-role-55-million-health-care-fraud-scheme

 • One person was killed and 20 students were transported to area hospitals following an October 27 accident where a school bus collided with another vehicle on U.S. Route 22 in Lehigh County, Pennsylvania. – Fox News; Allentown Morning Call

18. October 27, Fox News; Allentown Morning Call – (Pennsylvania) One person killed in Pennsylvania crash involving Lehigh University bus. One person was killed and 20 students were transported to area hospitals with minor injuries following an October 27 accident where a school bus transporting Lehigh University students collided with another vehicle on U.S. Route 22 in Lehigh County before flipping onto its roof. Source: http://www.foxnews.com/us/2015/10/27/13-reportedly-injured-in-pennsylvania-crash-involving-lehigh-university-bus/

Financial Services Sector

5. October 27, KSHB 41 Kansas City – (International) Johnson County man sentenced in credit card ID fraud case. A suspect in Johnson County was convicted by the Kansas Department of Corrections October 27 in connection to stealing over 500 credit card account numbers from Canadian citizens through skimming devices. The suspect re-coded the numbers on bank cards in the U.S. Source: http://www.kshb.com/news/crime/johnson-county-man-sentenced-in-credit-card-id-fraud-case

6. October 27, Buffalo News – (National) Guilty pleas by 4, charges against 11 announced in federal fraud prosecution of Buffalo debt collectors. The U.S. attorney’s office in Manhattan reported October 27 that 4 suspects pleaded guilty and 11 others were charged for participating in a $31 million fraudulent debt collection scheme in which victims were misled and served threats including felony charges and driver’s license suspensions unless they paid debts in amounts greater than they owed. Source: http://www.buffalonews.com/city-region/guilty-pleas-by-4-charges-against-11-announced-in-federal-fraud-prosecution-of-buffalo-debt-collectors-20151027

For another story, see item 23 below in the Information Technology Sector

Information Technology Sector

22. October 28, Softpedia – (International) Adobe patches critical vulnerability in Shockwave Player. Adobe released a patch resolving a memory corruption vulnerability in its Shockwave Player 12.2.0.162 for Windows and Mac users after researchers from Fortinet’s Fortiguard Labs discovered that the vulnerability allowed attackers to compromise remote computers and execute remote code, allowing full control of the operating system without the victim being aware. Source: http://www.securityweek.com/adobe-patches-critical-vulnerability-shockwave-player

23. October 28, Softpedia – (International) Oracle EBS fixed against XSS, XXE, and SQL injection vulnerabilities. Oracle released patches with 154 fixes addressing vulnerabilities in several of its products, including six found by ERPScan researchers in the Oracle E-Business Suite (Oracle EBS): 3 XXE (XML External Entity) injection vulnerabilities, a user enumeration flaw, a cross-site scripting (XSS) problem, and a Structured Query Language (SQL) flaw that could potentially give attackers administrative rights over the Oracle EBS and its subsequent applications to access sensitive company data including financial, human resources, supply chain, and customer support departments. Source: http://news.softpedia.com/news/oracle-ebs-fixed-against-xss-xxe-and-sql-injection-vulnerabilities-495419.shtml

24. October 28, Securityweek – (International) Flaws in Rockwell PLCs expose operational networks. Rockwell Automation released firmware updates and mitigations addressing several vulnerabilities in its 1400 programmable logic controllers (PLCs) and its MicroLogix 1100 products, including a buffer overflow bug that can be used to remotely crash affected devices or execute arbitrary code, a denial-of-service (DoS) bug dubbed “FrostyURL” that can be exploited to crash MicroLogix PLCs via a specially crafted uniform resource locator (URL) sent to victims through email, and a cross-site scripting (XSS) vulnerability that can be exploited to inject malicious JavaScript code in a device’s Web server, among others. Source: http://www.securityweek.com/flaws-rockwell-plcs-expose-operational-networks

Communications Sector

Nothing to report