Complete DHS Report for January 8, 2016

Daily Report

Top Stories

• Federal authorities released nutritional recommendations January 7 which include limiting daily added sugar intake and saturated fats to no more than 10 percent daily and limiting sodium intake to less than 2,300 mg a day. – Los Angeles Times

9. January 7, Los Angeles Times – (National) Eggs and coffee get the all-clear in new dietary guidelines just issued by the U.S. The U.S. Department of Agriculture and U.S. Department of Health and Human Services released their nutritional recommendations January 7, dubbed the 2015 – 2020 Dietary Guidelines, which include limiting daily added sugar intake and saturated fats to no more than 10 percent of daily consumed calories and limiting sodium intake to less than 2,300 mg a day, among other recommendations. Source: http://www.latimes.com/science/sciencenow/la-sci-sn-dietary-guidelines-eggs-coffee-20160107-story.html

• A suspect was taken into custody following a standoff with police that prompted the 10-hour evacuation of the Tucson, Arizona police substation and crime lab January 6. – Arizona Daily Star

17. January 6, Arizona Daily Star – (Arizona) Standoff at Tucson police substation ends. The Tucson police substation and crime lab, along with a trailer park and surrounding businesses, were evacuated for approximately 10 hours January 6 after a man parked outside the substation made threats to 9-1-1 dispatchers and threatened to set off propane tanks during a standoff with police. The man was taken into custody without incident. Source: http://tucson.com/news/blogs/police-beat/standoff-at-tucson-police-substation-ends/article_45cd9798-b48f-11e5-9328-7b5562a3a5cb.html

• IOActive reported several vulnerabilities in Drupal’s content management system (CMS) including unauthenticated updates that are downloaded unencrypted and a cross-site request forgery (CSRF) vulnerability. – SecurityWeek. See item 18 below in the Information Technology Sector.

• Time Warner Cable reported January 6 that approximately 320,000 of its customers may have had their email passwords stolen through phishing attacks or through data breaches of other companies that stored customer information. – WGRZ 2 Buffalo. See item 26 below in the Communications Sector.


Financial Services Sector

See item 23 below in the Information Technology Sector

Information Technology Sector

18. January 7, SecurityWeek – (International) Unpatched Drupal flaws expose sites to attacks. A researcher from IOActive reported that there were several vulnerabilities in the update process for the Drupal content management system (CMS) versions 6 and 7 series including a cross-site request forgery (CSRF) vulnerability that can be exploited to force Web site administrators to check for updates, which can enable hackers to deliver server-side request forgery (SSRF) attacks against drupal.org. Additional issues included an authentication vulnerability that allows hackers to launch Man-in-the-Middle (MitM) attacks due to Drupal’s lack of authentication checks, allowing hackers to deliver backdoored versions of Drupal modules to compromise a Web site, among other vulnerabilities. Source: http://www.securityweek.com/unpatched-drupal-flaws-expose-sites-attacks

19. January 7, SecurityWeek – (International) WordPress 4.4.1 patches XSS vulnerability. WordPress released security and maintenance updates within version 4.4.1 for its content management system (CMS) that resolved 1 vulnerability and 52 non-security issues, including a cross-site scripting (XSS) vulnerability that allowed hackers to compromise affected Web sites. Source: http://www.securityweek.com/wordpress-441-patches-xss-vulnerability

20. January 7, Help Net Security – (International) HTTPS Bicycle attack reveals password length, allows easier brute-forcing. A security researcher released a report detailing how a new attack, named the HTTPS Bicycle attack, can enable hackers to discover the length of a user’s password to web applications and potentially make a Web site or browser more susceptible to brute-force attacks by analyzing a packet capture of the user’s Hypertext Transfer Protocol Secure (HTTPS) traffic and the plaintext HTTP headers included in each and every request. The researcher offered preventative measures such as hashing or padding passwords to disguise their length. Source: http://www.net-security.org/secworld.php?id=19295

21. January 7, The Register – (International) Mozilla warns Firefox fans its SHA-1 ban could bork their security. Mozilla advised its users to update the Firefox web browser to the latest iteration, as users may not have access to Web sites with Secure Hash Algorithm 1 (SHA-1)-signed Secure Sockets Layer (SSL) certificates due to the company’s rejection of SHA-1-signed certificates, which could allow attackers to spy on users’ activities without the users’ consent. The company reported that Web sites with SHA-1-signed certificates were blocked and could not be accessed. Source: http://www.theregister.co.uk/2016/01/07/mozilla_warns_firefox_users_that_sha1_ban_could_bork_their_security/

22. January 6, SecurityWeek – (International) Backdoors not patched in many Juniper firewalls. A security researcher reported that Juniper Networks NetScreen devices were still vulnerable to firewall backdoors after an Internet-wide scan revealed that a total of 1,595 devices had potentially unpatched firewalls. The backdoors can be accessed with any username and the “<<<%s(un='%s') = %u” password. Source: http://www.securityweek.com/backdoors-not-patched-many-juniper-firewalls

23. January 6, Softpedia – (International) Facebook disabled page scam wants your credit card data, Facebook and PayPal credentials. Researchers from RNLI and Malwarebytes reported that a new scam has been tricking Facebook Pages users into disclosing their Facebook login credentials, their PayPal credentials, and credit card details. The scam spreads via comments left on Facebook pages that demand that owners access a link or have their pages disabled. Source: http://news.softpedia.com/news/facebook-disabled-page-scam-wants-your-credit-card-data-facebook-and-paypal-credentials-498557.shtml

24. January 6, Softpedia – (International) Windows and Linux malware linked to Chinese DDoS tool. Researchers from Malware Must Die! reported that the malware, dubbed Linux/DDOSTF, primarily targets Linux systems running Elasticsearch servers, with some attacks against Microsoft Windows systems, via a PHP-MySQL webshell that exploits the Windows Management Instrumentation (WMI) infrastructure, enabling attackers to infiltrate the system, upload and execute malicious exploits, and gain system privileges over the infected machine. The malware is distributed as a malicious Executable and Linkable Format (ELF) file and shares similarities with an older malware named JrLinux. Source: http://news.softpedia.com/news/windows-and-linux-malware-linked-to-chinese-ddos-tool-498554.shtml

For additional stories, see item 4 below from the Transportation Systems Sector and 26 below in the Communications Sector

Communications Sector

25. January 6, KERO 23 Bakersfield – (California) AT&T customers experiencing phone outage in Kern Valley. AT&T reported that cellular phone service, including 9-1-1 calls, was down in the Kern Valley area January 6. Service was expected to be restored by January 7. Source: http://www.turnto23.com/news/local-news/att-customers-experiencing-phone-outages-in-ridgecrest

26. January 6, WGRZ 2 Buffalo – (National) Email and password breach at Time Warner. Time Warner Cable reported January 6 that approximately 320,000 of its customers may have had their email passwords stolen after login credentials were reportedly gathered through malware via phishing attacks or through data breaches of other companies that stored customer information. Source: http://www.wgrz.com/story/news/2016/01/06/email-and-password-breach-time-warner/78395074/