Monday, June 27, 2016



Complete DHS Report for June 27, 2016

Daily Report                                            

Top Stories

• Officials announced June 23 that approximately 29,400 gallons of unrefined crude was released from a Crimson Pipeline LLC-owned 10-inch underground pipeline in Ventura, California. – Los Angeles Times

2. June 23, Los Angeles Times – (California) Ventura oil spill misses the ocean, but damage on land is unclear. Officials announced June 23 that approximately 29,400 gallons of unrefined crude was released from a Crimson Pipeline LLC-owned 10-inch underground pipeline in Ventura which pooled in a storm water basin, allowing officials to block the crude from continuing to flow. Crimson Pipeline is responsible for cleanup efforts and authorities are investigating the incident.

• Fiat Chrysler Automobiles NV’s Maserati unit issued a recall June 23 for 13,092 of its model year 2014 Quattroporte and Ghibli vehicles sold in the U.S. due to a confusing gear shift selector. – Reuters

3. June 23, Reuters – (National) Fiat Chrysler recalls 13,000 Maserati cars for rollaway issue. Fiat Chrysler Automobiles NV’s Maserati unit issued a recall June 23 for 13,092 of its model year 2014 Quattroporte and Ghibli vehicles sold in the U.S. due to a confusing gear shift selector that may cause drivers to falsely believe they have engaged the vehicles in “park” mode, thereby increasing the risk of the vehicle rolling away and injuring people or damaging nearby property. Fiat Chrysler announced June 22 it is speeding up a software fix for 1.1 million of its Dodge, Chrysler, and Jeep vehicles recalled in April due to the same issue after receiving reports of 212 accidents, 41 injuries, and one death that was potentially linked to the faulty gear selectors.

• The U.S. Securities and Exchange Commission announced June 23 that Merrill Lynch Wealth Management agreed to pay $415 million and admit wrongdoing to settle charges that it misused customer cash and failed to protect customer securities from the claims of its creditors. – U.S. Securities and Exchange Commission See item 4 below in the Financial Services Sector

• Crews worked June 24 to contain the 8,000-acre Erskine Fire burning in Kern County, California, which has destroyed nearly 100 structures and threatens an additional 1,000. – KTLA 5 Los Angeles

16. June 24, KTLA 5 Los Angeles – (California) Erskine Fire in Kern County grows to 8,000 acres, about 100 structures burned. Crews worked June 24 to contain the 8,000-acre Erskine Fire burning in the Lake Isabella area of Kern County which has destroyed nearly 100 structures and threatens an additional 1,000. Evacuations were ordered for surrounding areas and three firefighters suffered smoke inhalation injuries. Source: http://ktla.com/2016/06/24/erskine-fire-in-kern-county-grows-to-8000-acres-about-100-structures-burned/

Financial Services Sector

4. June 23, U.S. Securities and Exchange Commission – (National) Merrill Lynch to pay $415 million for misusing customer cash and putting customer securities at risk. The U.S. Securities and Exchange Commission (SEC) announced June 23 that Merrill Lynch Wealth Management agreed to pay $415 million and admit wrongdoing to settle charges that it violated the SEC’s Customer Protection Rule after the firm misused customer cash by engaging in complex options trades that artificially reduced the required deposit of customer cash in a reserve account in order to free up billions of dollars per week from 2009 – 2012, which the firm used for its own trading activities. The charges also allege that the firm failed to protect customer securities from the claims of its creditors by holding up to $58 billion per day of customer securities in a clearing account subject to liens from 2009 – 2015. Source: https://www.sec.gov/news/pressrelease/2016-128.html

5. June 23, U.S. Securities and Exchange Commission – (National) Merrill Lynch paying $10 million penalty for misleading investors in structured notes. The U.S. Securities and Exchange Commission announced June 23 that Merrill Lynch Wealth Management agreed to pay a $10 million penalty to settle charges that the firm made misleading statements to retail investors in offering materials for structured notes issued by its parent company, Bank of America Corporation, which were linked to a proprietary volatility index. The charges also allege that the firm failed to implement effective policies or procedures to ensure its personnel drafted and approved disclosures that adequately stated all of the costs included in the volatility index.

Information Technology Sector

21. June 24, SecurityWeek – (International) Malware can steal data from air-gapped devices via fans. Security researchers from Ben-Gurion University of the Negev discovered a new acoustic data exfiltration method dubbed Fansmitter was leveraging the noise emitted by a computer’s fans to transmit data without relying on speakers by sending bits of data to a nearby mobile phone or a computer equipped with a microphone. Attackers can control the fan to rotate at a specific speed to transmit a “0” bit and a different speed to transmit a “1” bit as the frequency and the strength of the acoustic noise depends on the revolutions per minute (RPM).

22. June 24, Help Net Security – (International) Crypto-ransomware attacks hit over 700,000 users in one year. Security researchers from Kaspersky Lab reported that there was a 17.7 percent increase in encryption ransomware attacks between April 2015 and March 2016 after discovering 718,536 users were infected with crypto-ransomware. Researchers advised customers to use a reliable security solution, back-up all files, and keep all software up-to-date to avoid infection, among other recommendations.

23. June 23, Softpedia – (International) Six malicious Android apps removed from the Google Play store. Google reported that it removed six Android applications that were reported to have malicious actions after a security researcher from Dr. Web discovered the apps infected more than 55,000 users with the Android.Valeriy malware via the Google Play store. Once the malware is installed, it connects to a command-and-control (C&C) server from which it receives a list of Uniform Resource Locators (URLs) and opens the links in the WebView browser component. Source: http://news.softpedia.com/news/six-malicious-android-apps-removed-from-the-google-play-store-505604.shtml

24. June 23, SecurityWeek – (International) Advantech patches flaws in WebAccess SCADA software. Advantech released updates for its WebAccess product after a security researcher from Acorn Network Security discovered the product was susceptible to two medium severity vulnerabilities including a flaw in the ActiveX Control that can be exploited by a local attacker to execute unauthorized code or commands, and a buffer overflow flaw that can be triggered by using a specially crafted Dynamic Link Libraries (DLL) file which can lead to crashes or arbitrary code execution. Source: http://www.securityweek.com/advantech-patches-flaws-webaccess-scada-software

Communications Sector

Nothing to report