Complete DHS Report for January 8, 2016
Daily Report
Top Stories
• Federal authorities released nutritional recommendations January 7 which include limiting daily added sugar intake and saturated fats to no more than 10 percent of daily consumed calories and limiting sodium intake to less than 2,300 mg a day. – Los Angeles Times
9. January 7, Los Angeles Times – (National) Eggs and coffee get the all-clear in new dietary guidelines just issued by the U.S. The U.S. Department of Agriculture and U.S. Department of Health and Human Services released their nutritional recommendations January 7, dubbed the 2015 – 2020 Dietary Guidelines, which include limiting daily added sugar intake and saturated fats to no more than 10 percent of daily consumed calories and limiting sodium intake to less than 2,300 mg a day, among other recommendations. Source: http://www.latimes.com/science/sciencenow/la-sci-sn-dietary-guidelines-eggs-coffee-20160107-story.html
• A suspect was taken into custody following a standoff with police that prompted the 10-hour evacuation of the Tucson, Arizona police substation and crime lab January 6. – Arizona Daily Star
17. January 6, Arizona Daily Star – (Arizona) Standoff at Tucson police substation ends. The Tucson police substation and crime lab, along with a trailer park and surrounding businesses, were evacuated for approximately 10 hours January 6 after a man parked outside the substation made threats to 9-1-1 dispatchers and threatened to set off propane tanks during a standoff with police. The man was taken into custody without incident. Source: http://tucson.com/news/blogs/police-beat/standoff-at-tucson-police-substation-ends/article_45cd9798-b48f-11e5-9328-7b5562a3a5cb.html
• IOActive reported several vulnerabilities in Drupal’s content management system (CMS) including unauthenticated updates that are downloaded unencrypted and a cross-site request forgery (CSRF) vulnerability. – SecurityWeek See item 18 below in the Information Technology Sector
• Time Warner Cable reported January 6 that approximately 320,000 of its customers may have had their email passwords stolen through phishing attacks or through data breaches of other companies that stored customer information. – WGRZ 2 Buffalo See item 26 below in the Communications Sector
Financial Services Sector
See item 23 below in the Information Technology Sector
Information Technology Sector
18. January 7, SecurityWeek – (International) Unpatched Drupal flaws expose sites to attacks. A researcher from IOActive reported several vulnerabilities in the update process for the 6 and 7 series of the Drupal content management system (CMS), including a cross-site request forgery (CSRF) vulnerability that can be exploited to force Web site administrators to check for updates, which can enable hackers to deliver server-side request forgery (SSRF) attacks against drupal.org. Additional issues included an authentication vulnerability, due to Drupal’s lack of authentication checks, that allows hackers to launch Man-in-the-Middle (MitM) attacks and deliver backdoored versions of Drupal modules to compromise a Web site, among other vulnerabilities. Source: http://www.securityweek.com/unpatched-drupal-flaws-expose-sites-attacks
19. January 7, SecurityWeek – (International) WordPress 4.4.1 patches XSS vulnerability. WordPress released security and maintenance updates in version 4.4.1 of its content management system (CMS) that resolved 52 non-security issues and 1 vulnerability, a cross-site scripting (XSS) vulnerability that allowed hackers to compromise infected Web sites. Source: http://www.securityweek.com/wordpress-441-patches-xss-vulnerability
20. January 7, Help Net Security – (International) HTTPS Bicycle attack reveals password length, allows easier brute-forcing. A security researcher released a report detailing how a new attack, named the HTTPS Bicycle attack, can enable hackers to discover the length of a user’s password to web applications and potentially make a Web site or browser more susceptible to brute-force attacks by analyzing a packet capture of the user’s Hypertext Transfer Protocol Secure (HTTPS) traffic and using the plaintext HTTP headers included in each and every request. The researcher offered preventative measures such as hashing or padding passwords to disguise their length. Source: http://www.net-security.org/secworld.php?id=19295
21. January 7, The Register – (International) Mozilla warns Firefox fans its SHA-1 ban could bork their security. Mozilla advised its users to update its Firefox web browser to the latest iteration as users may not have access to Web sites with Secure Hash Algorithm 1 (SHA-1) signed Secure Sockets Layer (SSL) certificates due to the company’s rejection of SHA-1-signed certificates, which could allow attackers to spy on users’ activities without the users’ consent. The company reported that Web sites with SHA-1-signed certificates were blocked and could not be accessed. Source: http://www.theregister.co.uk/2016/01/07/mozilla_warns_firefox_users_that_sha1_ban_could_bork_their_security/
22. January 6, SecurityWeek – (International) Backdoors not patched in many Juniper firewalls. A security researcher reported that Juniper Networks NetScreen devices were still vulnerable to firewall backdoors after an Internet-wide scan revealed that a total of 1,595 devices had potentially unpatched firewalls. The backdoors can be accessed with any username and the “<<<%s(un='%s') = %u” password. Source: http://www.securityweek.com/backdoors-not-patched-many-juniper-firewalls
23. January 6, Softpedia – (International) Facebook disabled page scam wants your credit card data, Facebook and PayPal credentials. Researchers from RNLI and Malwarebytes reported that a new scam has been targeting Facebook Pages users to trick them into disclosing their Facebook login credentials, their PayPal credentials, and credit card details. The scam spreads via comments left on Facebook pages that demand that owners access a link or have their pages disabled. Source: http://news.softpedia.com/news/facebook-disabled-page-scam-wants-your-credit-card-data-facebook-and-paypal-credentials-498557.shtml
24. January 6, Softpedia – (International) Windows and Linux malware linked to Chinese DDoS tool. Researchers from Malware Must Die! reported that the malware, dubbed Linux/DDOSTF, primarily targets Linux systems running Elasticsearch servers, with some attacks against Microsoft Windows systems, via a PHP-MySQL webshell that exploits the Windows Management Instrumentation (WMI) infrastructure, enabling attackers to infiltrate the system, upload and execute malicious exploits, and gain system privileges over the infected machine. The malware is distributed as a malicious Executable and Linkable Format (ELF) file and shares similarities with an older malware named JrLinux. Source: http://news.softpedia.com/news/windows-and-linux-malware-linked-to-chinese-ddos-tool-498554.shtml
For additional stories, see item 4 below from the Transportation Systems Sector and 26 below in the Communications Sector
Communications Sector
25. January 6, KERO 23 Bakersfield – (California) AT&T customers experiencing phone outage in Kern Valley. AT&T reported that cellular phone service, including 9-1-1 calls, was down in the Kern Valley area January 6. Service was expected to be restored by January 7. Source: http://www.turnto23.com/news/local-news/att-customers-experiencing-phone-outages-in-ridgecrest
26. January 6, WGRZ 2 Buffalo – (National) Email and password breach at Time Warner. Time Warner Cable reported January 6 that approximately 320,000 of its customers may have had their email passwords stolen after login credentials were reportedly gathered through malware via phishing attacks or through data breaches of other companies that stored customer information. Source: http://www.wgrz.com/story/news/2016/01/06/email-and-password-breach-time-warner/78395074/