Complete DHS Report for October 21, 2016
Daily Report
Top Stories
• Two individuals were arrested October 18 in Rayville, Louisiana,
after authorities discovered roughly 120 fraudulent credit and bank cards in
the duo’s vehicle. – Richland Beacon-News. See item 4
below in the Financial Services Sector.
• Three Team Work Ready executives were convicted October 18 for
submitting $9.6 million in false claims under a Federal health care benefit
program for medical services that were not provided. – U.S. Attorney’s
Office, Southern District of Texas
9. October 18, U.S.
Attorney’s Office, Southern District of Texas – (National) CEO, CFO, and
VP convicted in nationwide worker’s compensation fraud scheme. Three
executives with Team Work Ready (TWR) were convicted October 18 after TWR
submitted approximately $9.6 million in fraudulent claims under the Federal
Employees Compensation Act (FECA) health care benefit program for one-on-one
physical therapy services that patients never received and that were medically
unnecessary, in order to earn a profit. The charges also state that the executives
laundered about $700,000 from TWR’s bank accounts through a transportation
company’s account owned by 2 of the co-conspirators in order to conceal the
fraudulent earnings from authorities. Source: https://www.justice.gov/usao-sdtx/pr/ceo-cfo-and-vp-convicted-nationwide-workers-compensation-fraud-scheme
• St. Joseph Health agreed October 18 to pay $2.14 million to
settle alleged violations of the Health Insurance Portability and
Accountability Act after the electronic protected health information of 31,800
individuals was made publicly available on Internet search engines from 2011 –
2012. – U.S. Department of Health and Human Services
10. October 18, U.S.
Department of Health and Human Services – (California; New Mexico; Texas) $2.14
million HIPAA settlement underscores importance of managing security risk. St.
Joseph Health (SJH) agreed October 18 to pay $2.14 million to settle alleged
violations of the Health Insurance Portability and Accountability Act (HIPAA)
Privacy and Security Rules after its files containing electronic protected
health information (ePHI) of 31,800 individuals were made publicly available on
Google and other Internet search engines from February 2011 – February 2012. As
part of the settlement, SJH agreed to a corrective action plan that requires
the firm to develop and implement a risk management plan, update its procedures
and policies, and adequately train its employees on these policies, among other
requirements. Source: http://www.hhs.gov/about/news/2016/10/18/214-million-hipaa-settlement-underscores-importance-managing-security-risk.html
• T-Mobile US, Inc. agreed October 19 to pay $48 million to
resolve allegations that the carrier failed to adequately inform customers of
wireless data restrictions on its unlimited plans. – Wall Street Journal. See item 17
below in the Communications Sector.
Financial Services Sector
4. October 19, Richland
Beacon-News – (Arkansas; Louisiana) Rayville PD takes down fake credit
card ring. Two Little Rock, Arkansas residents were arrested in Rayville,
Louisiana, October 18 after authorities discovered roughly 120 credit and bank
cards made out in the suspects’ names, a credit card machine for activating the
cards, and blank money orders worth $500, among other illicit items in the
suspects’ vehicle. The suspects allegedly made fraudulent credit card
transactions in Jackson, Louisiana, and Little Rock, Arkansas. Source: http://www.richlandtoday.com/news/rayville-pd-takes-down-fake-credit-card-ring
For another story, see item 9 above in Top Stories.
Information Technology Sector
15. October 20,
SecurityWeek – (International) Lexmark patches critical flaw in printer
management tool. Lexmark International, Inc. released an update for its
Markvision Enterprise printer management software after security researchers
from Digital Defense Inc. (DDI) found the software was affected by a
vulnerability in Apache Flex BlazeDS that can be exploited to read
arbitrary files via specially crafted Action Message Format (AMF) messages and
retrieve the file storing the admin credentials, as well as an issue that
allows attackers to upload arbitrary files and execute code with elevated
privileges, among other vulnerabilities. Users are advised to change the admin
password after installation, as the encrypted password stored in the text file
is not updated after installation.
16. October 20,
SecurityWeek – (International) Windows zero-day exploited by
“FruityArmor” APT group. Security researchers from Kaspersky Lab discovered
that a zero-day remote code execution vulnerability patched by Microsoft in its
October 2016 security bulletin was being leveraged in attacks carried out by an
advanced persistent threat (APT) group dubbed “FruityArmor” for privilege escalation
on an affected system. Researchers found that the FruityArmor APT’s attack
platform is built around Microsoft PowerShell and abuses Windows Management
Instrumentation (WMI) for persistence in order to make it difficult to detect
on a system. Source: http://www.securityweek.com/windows-zero-day-used-fruityarmor-apt-privilege-escalation
For another story, see item 18 below in the Communications Sector.
Communications Sector
17. October 19, Wall
Street Journal – (National) FCC reaches $48 million settlement with
T-Mobile over unlimited plans. The Federal Communications Commission
announced October 19 that it reached a $48 million settlement with T-Mobile US,
Inc. to resolve allegations that the carrier applied slower data speeds once a
certain usage threshold was met without adequately informing customers of these
wireless data restrictions on its unlimited plans. As part of the settlement,
T-Mobile will pay $35.5 million in consumer benefits in the form of discounts
and additional data to unlimited customers of T-Mobile and MetroPCS, its
prepaid brand, and provide at least $5 million in services and equipment to
schools. Source: http://www.wsj.com/articles/fcc-reaches-48-million-settlement-with-t-mobile-over-unlimited-plans-1476891100
18. October 19,
SecurityWeek – (International) Skype calls expose user keystrokes:
Researchers. Researchers from the University of California Irvine (UCI) and
two Italian universities found that Microsoft Skype users typing on their
laptop or desktop during a Skype call are vulnerable to a keyboard acoustic
eavesdropping attack, as the Voice-over-IP (VoIP) software receives acoustic
emanations of keystrokes during a Skype conversation and sends them to other
users participating in the VoIP call, thereby allowing an attacker to
reconstruct the user’s input, including potentially confidential information
such as passwords. Source: http://www.securityweek.com/skype-calls-expose-user-keystrokes-researchers