Monday, December 01, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of December 1, 2014




Cyber Crime – Sony Attack

Several Sony Films Leak Online After Hack Attack: Screener copies of at least five new Sony Pictures movies are being traded online after the studio’s computers were hacked. ‘Fury’ and ‘Annie’ are among the pirated titles surging in online downloads. Hollywood Reporter, November 29, 2014
Sony Pictures’ computers are still locked as hackers demand equality (updated): Sony Pictures’ employees around the globe are still locked out of their company computers after they were hacked on the 24th by a group calling itself the “Guardians of Peace.” Now, new details have emerged that shed some light on what they want and how they did it. Someone who claims to be part of the group and identifies himself as “Lena” told Salted Hash and The Verge that it’s not money they’re after: “We Want equality. Sony doesn’t. It’s an upward battle.” Further, he hints that the whole deal was an inside job and that they have physical access to the company’s offices: “Sony left their doors unlocked, and it bit them,” Lena wrote. “They don’t do physical security anymore. Sony doesn’t lock their doors, physically, so we worked with other staff with similar interests to get in.” engadget, November 26, 2014
Sony Pictures hackers say they want ‘equality,’ worked with staff to break in: The hackers who took down Sony Pictures’ computer systems yesterday say that they are working for “equality” and suggest that their attack was assisted or carried out by Sony employees. In an email responding to inquiries from The Verge, a person identifying as one of the hackers writes, “We Want equality. Sony doesn’t. It’s an upward battle.” The hackers’ goals remain unclear, but they used the attack yesterday to specifically call out Sony Entertainment CEO Michael Lynton, referring to him as a “criminal” in a tweet. The Verge, November 25, 2014
Sony Pictures Targeted by Apparent Hack Attack to Corporate Systems: Sony Pictures Entertainment has told employees companywide to not connect to corporate networks or access email, after the studio was hit Monday by what appeared to be a malicious hacker attack threatening to disclose “secrets,” Variety has confirmed. Variety, November 24, 2014

Cyber Crime

Syrian Hackers Infiltrate Business Site, Affecting Other Websites: LOS ANGELES — Gigya, an American company that helps connect more than 700 businesses with customers through social media, says a Syrian group hacked its web address to upload a message to other sites. The New York Times, November 27, 2014
Home Depot Spends $28 Million on Breach Expenses in Q3: Home Depot $HD reported on its Q3 fiscal earnings, and revealed “pretax net expenses of $28 million” related to its massive data breach. The CEO said on an earnings call that it’s “very difficult” to evaluate if there was any impact. Net earnings for the third quarter were $1.5 billion, and the company confirmed that it expects fiscal 2014 sales growth of approximately 4.8 percent. HackSurfer, November 20, 2014

Cyber Attack

among websites attacked by Syrian hacker group: and several other news and retail websites could not be accessed for a time Thursday after a third-party service provider used by the sites was hacked. The Boston Globe, November 28, 2014
Anonymous Crashes Cleveland City Website in Retaliation for Police Killing of 12-Year-Old: The hacker collective Anonymous claimed responsibility for shutting down the Cleveland city website early on Monday in retaliation for the police killing of a 12-year-old boy carrying a toy air gun. Vice News, November 24, 2014

Financial Cyber Security

Skimmer Innovation: ‘Wiretapping’ ATMs: Banks in Europe are warning about the emergence of a rare, virtually invisible form of ATM skimmer involving a so-called “wiretapping” device that is inserted through a tiny hole cut in the cash machine’s front. The hole is covered up by a fake decal, and the thieves then use custom-made equipment to attach the device to the ATM’s internal card reader. KrebsOnSecurity, November 26, 2014

Identity Theft

Convicted ID Thief, Tax Fraudster Now Fugitive: In April 2014, this blog featured a story about Lance Ealy, an Ohio man arrested last year for buying Social Security numbers and banking information from an underground identity theft service that relied in part on data obtained through a company owned by big-three credit bureau Experian. Earlier this week, Ealy was convicted of using the data to fraudulently claim tax refunds with the IRS in the names of more than 175 U.S. citizens, but not before he snipped his monitoring anklet and skipped town. KrebsOnSecurity, November 21, 2014
Security breach reveals personal data on Prince George’s school employees: The Prince George’s County Public School System notified employees on Friday evening of a possible security breach involving employees’ personal data. The Washington Post, November 21, 2014

Cyber Warning

Malware Targets Password Managers: The Citadel crimeware toolkit, originally designed to steal sensitive information from infected Windows PCs, has been upgraded to grab the master passwords used to unlock password management applications, according to IBM’s Trusteer security division. That creates the risk that usernames and passwords stored in otherwise secure password managers might get stolen by attackers. To date, however, there’s been no evidence of related attacks, or successful exploits. BankInfoSecurity, November 24, 2014
‘Regin’ malware described as ‘groundbreaking and almost peerless’: Experts don’t know where it came from, and aren’t quite sure what it does. But they do know this: a newly-uncovered cybersecurity threat wasn’t your typical credit-card stealing operation. It appears to be a government spying tool, and is “groundbreaking and almost peerless.” CNN, November 23, 2014
‘Naked Woman Eaten by Shark’ Video Scam on Facebook Installs Malware on PC: You can call them hackers or cybercriminals, but fact is that they are genius in an evil way. In a new attempt to earn some bucks and to play with people’s feelings, a new video scam has gone viral on Facebook claiming to show a naked woman being attacked and eaten by a giant shark. HackRead, November 20, 2014

Cyber Security Management

The Case for a Global Cybersecurity Strategy: The World Economic Forum looks to raise awareness and improve cybersecurity, one organization at a time. BizTech, November 28, 2014

Cyber Security Management – Cyber Defense

Custom Malware Sneaks Past Advanced Threat Detection Appliances In Lab Experiment: An independent test of advanced threat detection products demonstrates how they could be bypassed by attackers. DarkReading, November 28, 2014
Here are five areas where merchants need to pay attention: With the holiday shopping season coming up, and crooks lining up to take advantage of the stress and confusion, this is a good time for merchants to review their payment security procedures. CSO, November 24, 2014

Cyber Misc

What Cloud Computing Means to Your Job: Technology has been accused of making many a job disappear, like the production line or the accounting office. And it is not done yet. The New York Times, November 23, 2014
The Secret Life of Passwords: We despise them – yet we imbue them with our hopes and dreams, our dearest memories, our deepest meanings. They unlock much more than our accounts. The New York Times, November 19, 2014

Weekend Vulnerability and Patch Report, November 30, 2014

Important Security Updates

Adobe Flash Player: Adobe has released version to fix an extremely critical vulnerability reported in previous versions. Updates are available from Adobe’s website.
Dropbox: Dropbox has released version 2.10.52 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]
Google Chrome: Google has released Google Chrome version 39.0.2171.71 to fix a highly critical vulnerability. Updates are available from within the browser or from Google Chrome’s website.
Microsoft Windows: Microsoft has released an update to several versions of Windows, including Windows 8, 8.1 and Server 2012, to fix a highly critical vulnerability caused by the bundling of Adobe Flash Player within Internet Explorer. Updates are available through Windows Updates in the Control Panel.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.09
Dropbox 2.10.52 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 33.1.1
Google Chrome 39.0.2171.71
Internet Explorer 11.0.9600.17420
Java SE 8 Update 25 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.6
Safari 5.1.7 
Safari 7.1 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports Cisco has released updates for Adaptive Security Appliance (ASA), IOS XR, and others. Apply patches.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.