Complete DHS Report for
September 24, 2015
Daily Report
Top Stories
• Volkswagen
announced September 22 emissions discrepancies in 11 million vehicles
worldwide, and pledged $7.3 billion to cover recall and other costs. – CNN
6. September
22, CNN – (International) Volkswagen scandal widens. Volkswagen
announced September 22 that internal investigations revealed significant
discrepancies in 11 million vehicles worldwide, after U.S. regulators reported
that the company had installed software to engage emissions management on
diesel vehicles when being tested, only to run up to 40 times more emissions
when on the road. Volkswagen pledged $7.3 billion to cover the cost of affected
vehicle recalls and other mitigation efforts. Source: http://money.cnn.com/2015/09/22/news/vw-recall-diesel/
• Washington, D.C.
Metro service for the Green and Yellow lines between the U Street and Fort
Totten stations was restored September 22 after being suspended while
authorities evacuated 500-600 people from a Metro tunnel after a train lost
power. – WRC 4 Washington, D.C.
12. September
22, WRC 4 Washington, D.C. – (Washington, D.C.) Service restored after
hundreds of evacuated from stuck Metro train near Papal Mass site. Washington,
D.C. Metro service on the Green and Yellow lines between the U Street and Fort
Totten stations was fully restored September 22 after being suspended for hours
while firefighters helped escort 500-600 passengers out of a Metro tunnel between
th Columbia Heights and Georgia Ave-Petworth stations, after a northbound train
got stuck due to a power loss. No injuries were reported. Source: http://www.nbcwashington.com/news/local/Metro-Delays-Expected-on-Green-and-Yellow-Lines-328732351.html
• The U.S. Office of
Personnel Management confirmed September 23 that the number of current and
formal Federal employees impacted in a data breach was up to 5.6 million, up
from the 1.1 million reported in July. – NBC News
18. September
23, NBC News – (National) OPM hack: 5.6 million fingerprints (not 1.1
million) were stolen. The U.S. Office of Personnel Management confirmed
September 23 that the number of fingerprints of current and former Federal
employees impacted in a data breach reported June 4 were 5.6 million, up from
the 1.1 million originally reported in July. Source: http://www.nbcnews.com/tech/security/opm-5-6-million-fingerprints-not-1-1-million-were-n432281
• The U.S. President
declared a major disaster September 22 for the 76,067-acre Valley Fire in
California that was 75 percent contained, and crews continued to battle the
70,868 Butte fire, which was 80 percent contained. – Los Angeles Times
20. September
23, Los Angeles Times – (California) U.S. President declares major
disaster in deadly California wildfire. The U.S. President declared a major
disaster for the 76,067-acre Valley Fire burning in northern California that
destroyed an estimated 1,261 structures and was 75 percent contained by
September 22. Fire crews also continued to battle the 70,868-acre Butte Fire,
which destroyed over 545 structures and was 80 percent contained. Source: http://www.msn.com/en-us/news/us/obama-declares-major-disaster-in-deadly-california-wildfire/ar-AAeEDso
Financial Services Sector
7. September
22, U.S. Securities and Exchange Commission – (National) SEC charges
investment adviser with failing to adopt proper cybersecurity policies and
procedures prior to breach. St. Louis-based R.T. Jones Capital Equities
Management agreed September 22 to pay $75,000 to settle U.S. Securities and
Exchange Commission charges that the firm failed to establish required
cybersecurity policies and procedures in advance of a breach that compromised
information of about 100,000 individuals in July 2013. Source: http://www.sec.gov/news/pressrelease/2015-202.html
8. September
22, Office of the Attorney General, State of Louisiana –
(National) Attorney General announces arrest of Baton Rouge man for
orchestrating national financial fraud scheme. A Baton Rouge man was
arrested September 22 for allegedly running a major credit-repair fraud
involving at least 13 other suspects that resulted in over 300 stolen identities
and losses of more than $5 million by stealing the Social Security numbers of
children and selling them as Credit Profile Numbers to individuals who needed
lines of credit. Source: https://www.ag.state.la.us/Article.aspx?articleID=1106&catID=2
Information Technology Sector
25. September
23, Securityweek – (International) Firefox 41 patches critical vulnerabilities. Mozilla
released updates addressing 30 vulnerabilities in Firefox version 41, including
use-after-free bugs with IndexedDB and manipulation of HyperText Markup
Language (HTML) content that could lead to an exploitable crash, memory safety
bugs that can be exploited to execute arbitrary code, and two flaws involving
cross-origin resource sharing (CORS)“preflight” request handling, among others.
Source: http://www.securityweek.com/firefox-41-patches-critical-vulnerabilities
26. September
23, Softpedia – (International) Brute-forcing URL shorteners can expose
sensitive corporate information. Security researchers and social engineers
discovered that brute-force attacks could be used to uncover active short links
by services running Bit.ly Uniform Resource Locator (URL) shorteners,
potentially accessing sensitive or private documents passed through a company’s
shortener, and that attackers could bypass rate limits with the use of proxies.
Source: http://news.softpedia.com/news/brute-forcing-url-shorteners-can-expose-sensitive-corporate-information-492442.shtml
27. September
23, Help Net Security – (International) WD My Cloud NAS devices
can be hijacked by attackers. Security researchers from VerSprite
discovered vulnerabilities in Western Digital My Cloud network attached storage
(NAS) products’ RESTful Application Program Interface (API) in which any
authorized remote user can remotely execute commands and steal files belonging
to other users, as well as abuse root access to the NAS in a private internal
network. Researchers also discovered a separate flaw in the device’s web
application allowing for cross-site request forgery attacks. Source: http://www.net-security.org/secworld.php?id=18885
28. September
23, Securityweek – (International) Large number of iOS apps infected by
XcodeGhost. Security researchers from Pangu discovered that the number of
iOS applications affected by the XcodeGhost malware is over 3,400, and FireEye
reported the number on the App store could be over 4,000. The malware injects
malicious code into legitimate iOS and OS X applications using a modified
version of Apple’s Xcode development platform, and has been detected in apps
distributed worldwide. Source: http://www.securityweek.com/large-number-ios-apps-infected-xcodeghost
29. September
23, The Register – (International) Malvertisers
slam Forbes, Realtor with world’s worst exploit kits. Security researchers
from FireEye and Malwarebytes reported that multiple Forbes Web sites and
Realtor.com were hit with malvertising attacks that redirected users to sites
hosting the Neutrino and Angler exploit kits (EKs), which boast a 40 percent
exploit-rate for victims and leverage Adobe Flash, Java, Microsoft Silverlight,
and other browser vulnerabilities and quickly incorporate zero day flaws. Source:
http://www.theregister.co.uk/2015/09/23/malvertising_forbes/
30. September
23, Softpedia – (International) New adware facilitates the distribution of
trojans for Mac users. Security researchers from Dr. Web discovered a new
malware named “Adware.Mac.WeDownload.1” containing a modified version of Adobe
Flash Player that, once clicked, requests administrator privileges and contacts
a command-and-control (C&C) server to install additional malicious
applications. Source: http://news.softpedia.com/news/new-adware-facilitates-the-distribution-of-trojans-for-mac-users-492466.shtml
For another story, see item 7 above in the Financial Services Sector
Communications Sector
Nothing to report