Thursday, December 24, 2015



Complete DHS Report for December 24, 2015

Daily Report                                            

Top Stories

• Boeing Company agreed to pay $12 million December 22 to resolve several violations, including the company’s failure in meeting a deadline for the submission of airplane service instructions. – Associated Press

7. December 22, Associated Press – (International) Boeing fined $12M for failing to quickly address fuel tank blast risk. Boeing Company agreed to pay $12 million in a settlement reached December 22 with the Federal Aviation Administration resolving several violations including the company’s failure in meeting a deadline for the submission of service instructions that would enable airlines to reduce the risk of fuel tank explosion on hundreds of plans. The settlement also resolves production quality control problems and failures to implement corrective actions, among other issues.

• Federal authorities issued an alert December 22 to drug compounders claiming that drug shipments from China may be contaminated following two explosions at a Tianjin chemical warehouse in August. – U.S. Food and Drug Administration

12. December 22, U.S. Food and Drug Administration – (International) CDER alert: FDA warns of potential contamination of drug shipments from explosions in Tianjin City. The U.S. Food and Drug Administration issued an alert December 22 to drug compounders and manufacturers claiming that drug shipments from Tianjin, China, may be contaminated with chemicals following two large explosions at Tianjin Dongjiang Port Ruihai International Logistics Co., chemical warehouse in August. The alert was issued after regulators detected hydrogen cyanide in two shipments of drugs from Tianjin Tianyao Pharmaceuticals Co., Ltd. which is located 18 miles from the explosion site.

• Sanrio Co., Ltd reported December 22 that it fixed a security vulnerability on an online fan Web site after the personal information of 3.3 million users were compromised. – Associated Press

17. December 23, Associated Press – (International) Hello Kitty owner Sanrio says fansite security leak fixed. Sanrio Co., Ltd reported December 22 that it fixed a security vulnerability on an online fan Web site, SanrioTown.com after the personal information of 3.3 million users were compromised following a security researcher’s discovery December 19 that names, birthdays, and encrypted passwords can be extracted by using multiple Internet Protocol (IP) addresses.

• Police in Oregon are investigating December 22 after 2 men were found in possession of 470 Apple iPhones products worth $292,000, as well as hundreds of fraudulent gift cards and receipts. – Portland Oregonian

18. December 22, Portland Oregonian – (Oregon) Tigard police seize 470 iPhones related to gift card fraud. Tigard police are investigating December 22 an organized retail theft scheme that occurred at the Washington Square Mall and Bridgeport Village after police stopped 2 men and found 470 Apple iPhones products worth $292,000, as well as hundreds of fraudulent gift cards and receipts totaling $585,000. Police confiscated the stolen items and believe that the counterfeit credit cards may have originated from southern California. Source: http://www.oregonlive.com/tigard/index.ssf/2015/12/tigard_police_seize_470_iphone.html

Financial Services Sector

1   1.  December 23, Waco Tribune-Herald – (Texas) Skimmers hit Extraco Banks credit, debit cards. Texas-based Extraco Banks announced December 22 that at least 265 customers had their bank-issued credit and debit cards illegally accessed through skimming devices placed on ATM machines and/or merchant terminals. An investigation is ongoing and the bank has taken additional security steps, including lowering daily withdrawal and purchase amounts, as well as limiting the amount of fraud that could occur if a card is compromised. Source: http://www.wacotrib.com/news/business/skimmers-hit-extraco-credit-debit-cards/article_515689d1-4a06-576d-a484-998c23724280.html

2   2. December 23, Associated Press – (Maryland; West Virginia) Developer pleads guilty in $5.7 million bank fraud scheme. A developer pleaded guilty December 22 to charges connected to a scheme that fraudulently obtained $5.7 million in real estate loans for properties in Maryland’s Deep Creek Lake and West Virginia’s Cheat Lake. Two other co-conspirators were previously convicted for their roles in the scheme. Source: https://www.washingtonpost.com/local/developer-pleads-guilty-in-57-million-bank-fraud-scheme/2015/12/23/02bc562c-a979-11e5-b596-113f59ee069a_story.html

3   3.  December 23, CNBC – (National) Federal Reserve vulnerable to hackers: Inspector general. A report released December 23 by the inspector general for the U.S. Federal Reserve System warned that there are several cybersecurity deficiencies in the Federal Reserve Board’s Statistics and Reserves (STAR) system. The report included six recommendations for improvements to the system’s security controls in areas including planning, security assessment and authorization, contingency planning, auditing, and information integrity, among other areas. Source: http://www.cnbc.com/2015/12/23/federal-reserve-vulnerable-to-hackers-inspector-general.html

4   4.  December 23, WHAS 11 Louisville – (Kentucky) 3 arrested in credit card ‘skimming’ operation. Police arrested three individuals following the discovery of 86 prepaid debit cards that were re-coded with stolen credit card numbers in their vehicle during a traffic stop on Preston Highway in Louisville December 21. Source: http://www.whas11.com/story/news/crime/2015/12/22/3-arrested-credit-card-skimming-operation/77772768/

5. December 22, Reuters – (National) Morgan Stanley to pay U.S. SEC $8.8 million in ‘parking’ scheme case. The U.S. Securities and Exchange Commission announced December 22 that Morgan Stanley Investment Management Inc., will pay $8.8 million to settle charges that one of its portfolio managers took part in pre-arranged trading or “parking” which included arranging sales of mortgage-backed securities at predetermined prices to a trader at the Societe Generale brokerage unit, SG Americas. The sales allowed the portfolio manager to buy back the positions at a small markup into other accounts that Morgan Stanley advised. Source: http://www.reuters.com/article/us-morganstanley-fine-idUSKBN0U520N20151222

For another story, see item 18 above in Top Stories

Information Technology Sector

14. December 23, SecurityWeek – (International) Recently patched NTP flaws affect Siemens RUGGEDCOM devices. Siemens released an advisory stating that its industrial communications devices, running all versions ROX I and certain versions of ROX II operating systems (OS) had several previously patched network time protocol (NTP) vulnerabilities including an improper input validation issue, an authentication bypass issue, and a configured time server issue, among other flaws, that if exploited, can be reconfigured to use the NTP daemon from ntp.org for time synchronization in electric utility substations and traffic control cabinets. Siemens released firmware updates to address the flaws on ROX II devices and advised customers to use firewalls to block NTP packets from unknown sources, as well as use NTP time synchronization in trusted networks.

15. December 22, SecurityWeek – (International) RCE, SQLi flaws found in popular web apps. Researchers from High-Tech Bridge discovered several vulnerabilities in popular web applications including various versions of osCmax application and osCommerce’s Online Merchant store solution, Roundcube, Osclass, and SocialEngine that are susceptible to remote code execution (RCE), cross-site request forgery (CSRF) attacks, Structured Query Language (SQL) injection vulnerabilities, and path traversal vulnerabilities. Roundcube and Osclass developers are reportedly working to patch the vulnerabilities. Source: http://www.securityweek.com/rce-sqli-flaws-found-popular-web-apps

For additional stories, see item 16 below in the Communications Sector and item 17 below from the Commercial Facilities Sector

17. December 23, Associated Press – (International) Hello Kitty owner Sanrio says fansite security leak fixed. Sanrio Co., Ltd reported December 22 that it fixed a security vulnerability on an online fan Web site, SanrioTown.com after the personal information of 3.3 million users were compromised following a security researcher’s discovery December 19 that names, birthdays, and encrypted passwords can be extracted by using multiple Internet Protocol (IP) addresses.

Communications Sector
 
16. December 23, Softpedia – (International) Botnet of Aethra Routers used for Brute-Force WordPress Sites. Security researchers from VoidSec discovered a botnet that used vulnerable Aethra Internet routers and modems to perform various reflected cross-site scripting (XSS) attacks, cross-site request forgery (CSRF) attacks, and brute-force attacks through six Internet Service Providers (ISP) including Fastweb, Albacom (BT-Italia), Clouditalia, Qcom, WIND, and BSI Assurance UK to compromise WordPressWeb sites. The botnet easily accessed approximately 12,000 Aethra routers worldwide as the routers were still using their default login credentials.

For another story, see item 14 above in the Information Technology Sector