Monday, November 10, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of November 10, 2014




Cyber Crime

Home Depot hackers used vendor log-on to steal data, e-mails: Hackers used a vendor’s stolen log-on credentials to penetrate Home Depot’s computer network and install custom-built malware that stole customer payment-card data and e-mail addresses, the retailer announced Thursday. USA Today, November 7, 2014
Home Depot hackers exposed 53 million email addresses: The Home Depot hack was even worse than authorities originally thought, according to a new report. Along with compromising 56 million credit card accounts, the hackers also exposed 53 million customer email addresses. Fortune, November 6, 2014
Thieves Cash Out Rewards, Points Accounts: A number of readers have complained recently about having their Hilton Honors loyalty accounts emptied by cybercrooks. This type of fraud often catches consumers off-guard, but the truth is that the recent spike in fraud against Hilton Honors members is part of a larger trend that’s been worsening for years as more companies offer rewards programs. KrebsOnSecurity, November 3, 2014
New Ponemon report shows cybercrime is on the rise: The Ponemon Institute completed their annual look at how well companies are coping with cyber attacks. Cybercrime is up 10.4% over the previous year. Tech Republic, November 3, 2014
Luck Played Role in Discovery of Data Breach at JPMorgan Affecting Millions: When it comes to defending a large company against an online attack, sometimes luck and timing can mean as much as spending hundreds of millions of dollars a year on computer security. The New York Times, October 31, 2014

Financial Cyber Security

Australia, UK and US Are Most Affected by Dridex Banking Trojan: Threat actors behind the malicious email campaigns delivering the Dridex banking Trojan seem to be focused on residents in Australia, the United Kingdom and the United States, in this particular order. Softpedia, November 6, 2014
Flaw in New ‘Secure’ Credit Cards Would Let Hackers Steal $1M Per Card: As U.S. banks and retailers are barreling toward a 2015 deadline to replace magnetic-stripe credit and debit cards with more secure cards that come embedded with a microchip, researchers have announced a critical flaw in the card system. Wired, November 3, 2014
Chip & PIN vs. Chip & Signature: The Obama administration recently issued an executive order requiring that federal agencies migrate to more secure chip-and-PIN based credit cards for all federal employees that are issued payment cards. The move marks a departure from the far more prevalent “chip-and-signature” standard, an approach that has been overwhelmingly adopted by a majority of U.S. banks that are currently issuing chip-based cards. This post seeks to explore some of the possible reasons for the disparity. KrebsOnSecurity, October 30, 2014

Cyber Warning

How to protect your iPhone from Wirelurker, the first iOS malware (+video): A new report from Palo Alto Networks says that new malware, called Wirelurker, is able to infiltrate iOS devices. Though Wirelurker shows possible vulnerabilities in the iPhone, the malware is confined to China and to users who download unapproved applications. Christian Science Monitor, November 6, 2014
Mac Security Flaw ‘Rootpipe’ Puts Business Data at Risk: All Mac business users, listen up. Details of a vulnerability in Macs have just been released, and you won’t like the risks it poses for your company. BusinessNewsDaily, November 6, 2014
Ransomware Getting Easier For Both Bad Guys & Victims: Ransomware operators can make a tidy living without much technical expertise or legwork. DarkReading, November 4, 2014
BlackEnergy Malware Plug-Ins Leave Trail of Destruction: BlackEnergy, a converted crimeware tool, operates behind a laundry list of plug-ins for Linux and Windows systems that allows it to be used to attack Cisco networking devices, steal digital certificates, brick systems it infects, and skillfully hide from security analysts. ThreatPost, November 3, 2014
‘Number spoofing’ scam can make you think your bank is calling: Criminals are using a new scam to make people believe they are speaking to someone from their bank by fooling their phone handset into displaying the bank’s correct contact number. The Guardian, October 29, 2014

Cyber Security Management

How to take a forward-looking approach to cybersecurity: Although many companies are seeing cybersecurity threats rise, many lack the resources to handle these risks, a new global survey shows. Journal of Accountancy, November 5, 2014
Workplace Privacy: Big Brother Is Watching: Companies may have the right to monitor employees who are checking their bank balances or shopping online on corporate networks. The real question is, should they? DarkReading, November 4, 2014

Cyber Security Management – Cyber Defense

From Malware To Breach: New report maps attack behavior after the initial exploit gets dropped on a machine in a victim organization. Dark Reading, November 7, 2014
iOS 8 Vs. Android: How Secure Is Your Data?: With iOS 8, the lines between iOS and Android are blurring. No longer is iOS the heavily fortified environment and Android the wide-open one. DarkReading, November 5, 2014

HIPAA gets cybersecurity upgrades: WASHINGTON • Officials say has gotten cybersecurity upgrades ahead of a Nov. 15 start for the second open enrollment season under President Barack Obama’s health care law. St Louis Post, November 6, 2014

Cyber Underworld

Still Spamming After All These Years: A long trail of spam, dodgy domains and hijacked Internet addresses leads back to a 37-year-old junk email purveyor in San Diego who was the first alleged spammer to have been criminally prosecuted 13 years ago for blasting unsolicited commercial email. KrebsOnSecurity, November 5, 2014

National Cyber Security

NSA DIRECTOR SAYS AGENCY SHARES VAST MAJORITY OF BUGS IT FINDS: When the National Security Agency discovers a new vulnerability that looks like it might be of use in penetrating target networks, the agency considers a number of factors, including how popular the affected software is and where it’s typically deployed, before deciding whether to share the new bug. The agency shares most of the bugs it finds, NSA Director Mike Rogers said, but not all of them. ThreatPost, November 7, 2014

Cyber Misc

Texan charged in first bitcoin securities fraud Ponzi case: (Reuters) – A Texas man who operated Bitcoin Savings and Trust was charged on Thursday with bilking his investors, in what prosecutors called the first federal criminal securities fraud case arising from a bitcoin-related Ponzi scheme. Reuters, November 6, 2014
Former NSA’s chief lawyer: BlackBerry’s encryption efforts led to its demise: BlackBerry’s core feature, encrypted email and messaging, was its downfall, according to former National Security Agency general counsel Stewart Baker. ZDNet, November 5, 2014

Cyber Sunshine

Feds Arrest Alleged ‘Silk Road 2’ Admin, Seize Servers: Federal prosecutors in New York today announced the arrest and charging of a San Francisco man they say ran the online drug bazaar and black market known as Silk Road 2.0. In conjunction with the arrest, U.S. and European authorities have jointly seized control over the servers that hosted Silk Road 2.0 marketplace. KrebsOnSecurity, November 6, 2014

Important Security Updates

Apple iCloud: Apple has released an update for iCloud for Windows. Updates are available from Apple’s website.
Avira Free Antivirus: Avira has released version of its free Antivirus. Updates are available from Avira’s website.
Mozilla Firefox: Mozilla has released version 33.0.3 for Firefox. Updates are available within the browser or from Mozilla’s website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.09
Dropbox 2.10.44 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 33.0.3
Google Chrome 38.0.2125.111
Internet Explorer 11.0.9600.17280
Java SE 8 Update 25 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.6
Safari 5.1.7 
Safari 7.1 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports an unpatched vulnerability in Cisco’s Unified Communications Manager in versions 8.6(2), 8.6(2.23900.10), and 9.1(2). No official solution is available.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.