Friday, September 9, 2016



Complete DHS Report for September 9, 2016

Daily Report                                            

Top Stories

• Mazda Motor Corporation issued a recall September 8 for more than 759,000 of its model years 2010 – 2016 vehicles in select makes due to a problem affecting the vehicles’ rear hatches where the hatch lift supports can corrode and break, thereby increasing the risk of injury. – TheCarConnection.com

2. September 8, TheCarConnection.com – (International) Mazda recalls 2010-2013 Mazda3, 2012-2015 Mazda5, 2013-2016 CX-5, 2016 CX-3: 2.2 million affected. Mazda Motor Corporation issued a recall September 8 for more than 759,000 of its model years 2010 – 2016 vehicles in select makes sold in the U.S. and Canada due to a problem affecting the vehicles’ rear hatches where the protective coating applied to the hatch lift supports does not protect the supports from water intrusion, which can lead to corrosion and cause the supports to break, thereby increasing the risk of injury. Source:

• Four people were arrested in Brooklyn, New York, September 7 after authorities discovered 2,433 blank credit cards and other illicit materials while executing a search warrant at the group’s apartment. – WNBC 4 New York See item 3 below in the Financial Services Sector

• Missouri officials lifted a precautionary boil water advisory for approximately 85,000 customers in St. Louis County September 7 that was issued after the company’s water treatment plant temporarily lost power. – St. Louis Post-Dispatch

12. September 7, St. Louis Post-Dispatch – (Missouri) Boil advisory reportedly triggered by car accident. Missouri American Water officials lifted a precautionary boil water advisory for approximately 85,000 customers in St. Louis County September 7 that was issued September 6 after the company’s water treatment plant on Hog Hollow Road temporarily lost power when a vehicle reportedly hit an electric pole at Pritchard Farm and Creve Coeur Mill Roads. Officials stated water quality tests confirmed the water is safe to consume. Source: http://www.stltoday.com/news/local/metro/boil-advisory-reportedly-triggered-by-car-accident/article_cea97122-a9c8-5391-bf0d-f80ada404094.html

• Florida officials announced September 6 that the Albert Whitted plant in St. Petersburg released nearly 20 million gallons of partially treated sewage September 5 due to heavy rains from Hurricane Hermine. – WTSP 10 St. Petersburg

13. September 6, WTSP 10 St. Petersburg – (Florida) Hermine overwhelmed sewer facilities around Bay area. The Florida Department of Environmental Protection announced September 6 that the Albert Whitted plant in St.Petersburg released nearly 20 million gallons of partially treated sewage September 5 and 2,000 gallon of raw sewage August 31 due to heavy rains from Hurricane Hermine. Officials also announced that millions of gallons of sewage mixed with storm water spilled near the Marshall Street wastewater treatment plant in Clearwater, Florida, August 31 after the plant received more than 20 million gallons of wastewater per day during the storm. Source: http://www.wtsp.com/news/hermine-overwhelmed-sewer-facilities-around-bay-area/314610723

Financial Services Sector

3. September 8, WNBC 4 New York – (New York) 4 arrested, guns and thousands of blank credit cards seized in Brooklyn: NYPD. Four people were arrested in Bedford-Stuyvesant in Brooklyn, New York, September 7 after authorities discovered 2,433 blank credit cards, 2 credit card embossing machines, and 3 credit card skimmers, among other illicit materials, while executing a search warrant at the group’s apartment. Source: http://www.nbcnewyork.com/news/local/NYC-4-Arrested-Guns-Thousands-Fake-Credit-Cards-Seized-Forgery-392697211.html

4. September 7, SecurityWeek – (International) Gugi banking trojan can bypass Android 6 protection. Kaspersky security researchers discovered a variant of the Gugi mobile banking trojan can bypass two security features in Google’s Android 6.0, including the permission-based app overlays and the dynamic permission requirement for dangerous in-app activities like calls or short message service (SMS) in order to overlay applications and steal mobile banking credentials from its victims, and found the trojan is being distributed via SMS spam that tricks victims into accessing phishing Websites, which downloads the malware onto the device. Researchers advised users to reboot the infected device in safe mood and attempt to uninstall the trojan. Source: http://www.securityweek.com/gugi-banking-trojan-can-bypass-android-6-protection

Information Technology Sector

22. September 8, Softpedia – (International) WordPress 4.6.1 security update is out, time to update peeps. WordPress released version 4.6.1 of its WordPress Content Management System (CMS) resolving a path traversal vulnerability and a cross-site scripting (XSS) flaw affecting the admin panel that can be exploited via image metadata and allow a malicious actor to take over the affected Website. The update also patches 15 other bugs related to the underlying CMS codebase.

23. September 8, Help Net Security – (International) Flaws in Network Management Systems open enterprise networks to attacks. Rapid7 researchers and an independent researcher discovered over 12 vulnerabilities plaguing 9 different Network Management Systems (NMSs) products that could be exploited via cross-site scripting (XSS) attacks over Simple Network Management Protocol (SNMP) agent-provided data, which could allow a local attacker to add a malicious device to the network, XSS attacks over SNMP trap alert messages, and format string processing on the NMS Web management console that can be carried out via specially crafted trap alert messages. Researchers reported that all the flaws have received patches. Source: https://www.helpnetsecurity.com/2016/09/08/flaws-network-management-systems/

24. September 7, SecurityWeek – (International) Google patches QuadRooter, other critical Android vulnerabilities. Google released its September 2016 Android Security Bulletin resolving 55 vulnerabilities, including 2 critical remote code execution (RCE) flaws in LibUtils and Mediaserver, a high risk RCE in MediaMuxer, and 2 issues in QuadRooter that impacted over 900 million Android devices using Qualcomm chipsets, among other vulnerabilities. Source: http://www.securityweek.com/google-patches-quadrooter-other-critical-android-vulnerabilities

25. September 7, SecurityWeek – (International) Siemens fixes several flaws in SIPROTEC products. Siemens released firmware updates addressing vulnerabilities in its SIPROTEC 4 and SIPROTEC Compact devices after Kaspersky Lab researchers found the devices were plagued with a flaw that an attacker with network access could exploit to bypass authentication mechanisms and carry out administrative operations, and a flaw that could allow an attacker with network access to perform those actions while a legitimate user is logged in to the Web interface. Siemens advised customers to use network segmentation, virtual private networks (VPNs), and firewalls to protect their systems against attacks. Source: http://www.securityweek.com/siemens-fixes-several-flaws-siprotec-products

For another story, see item 4 above in the Financial Services Sector

Communications Sector

See item 4 above in the Financial Services Sector and item 24 above in the Information Technology Sector