Monday, December 15, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of December 15, 2014

Cyber Crime

Online Ad Fraud Exposed: Advertisers Losing $6.3 Billion To $10 Billion Per Year: A new study conducted by the Association of National Advertisers (ANA) and the security firm White Ops tracked online ad traffic patterns for 36 major companies and discovered epic levels of abuse. DarkReading, December 9, 2014
Unencrypted Data Lets Thieves ‘Charge Anywhere’: Charge Anywhere LLC, a mobile payments provider, today disclosed that malicious software planted on its networks may have jeopardized credit card data from transactions the company handled between November 2009 and September 2014. KrebsOnSecurity, December 9, 2014
Sony Under Siege: Cyber Crisis Leaves Hollywood Reeling: Hollywood is reeling from the entertainment industry equivalent of WikiLeaks — leaving the entire town on high alert. Variety, December 9, 2014
Donors’ Data Breached But On Smaller Scales: The first thing that might come to mind when you hear the words data breach is the recent hacks of large corporations such as Home Depot, Chase and Target that possibly exposed millions of usernames, passwords and other records. Hacking a nonprofit isn’t likely to breach 76 million records as is estimated with Chase or yield a bounty of credit card information, but who knows the motivation of some people? TheNonProfitTimes, December 9, 2014
Hackers tell Sony to halt the release of The Interview: A new message has been posted on GitHub, purporting to be from the Sony hackers and offering a fresh batch of sensitive corporate data. The message threatens further consequences if the studio continues with its release of “the movie of terrorism,” believed to refer to The Interview, an upcoming comedy starring Seth Rogen and James Franco, which depicts the assassination of North Korean leader Kim Jong-un. It’s the most explicit reference to the film that the attackers have made so far, although many had previously linked the attacks to North Korean retaliation for the film’s release. TheVerge, December 8, 2014
Sony’s Breach Stretched From Thai Hotel to Hollywood: The computer hackers drilled into the network at the elegant St. Regis Bangkok that night and, with a keystroke, laid bare the secrets of Sony Pictures Entertainment. Bloomberg, December 7, 2014

Cyber Privacy

Sony Hackers Flash Disturbing New Warning on Staffers’ Computers (Exclusive): A group claiming to be the #GOP displayed the scary image on Thursday, an insider tells TheWrap. The Wrap, December 11, 2014
As More Documents Appear, Sony Seeks to Calm Nervous Employees: LOS ANGELES – As hackers made public more Sony Pictures Entertainment documents on Monday, Sony sought to calm its jittery employees, announcing in an internal memo that the F.B.I. would visit its Culver City, Calif., lot on Wednesday for security briefings. The New York Times, December 8, 2014
FBI confirms Sony Pictures employees threatened by hackers: Hackers threaten Sony Pictures employees and their families via email while attack is linked to a hotel in Bangkok, Thailand. The Guardian, December 8, 2014

Financial Cyber Security

‘Poodle’ Bug Returns, Bites Big Bank Sites: Many of the nation’s top banks, investment firms and credit providers are vulnerable to a newly-discovered twist on a known security flaw that exposes Web site traffic to eavesdropping. The discovery has prompted renewed warnings from the U.S. Department of Homeland Security advising vulnerable Web site owners to address the flaw as quickly as possible. KrebsOnSecurity, December 11, 2014
Senate to Hold Hearing on Cyberattacks Against Finance: The Senate Banking Committee plans to hold a hearing next week on ways to “protect the financial sector” from cyberattacks, but for now there are no plans to have anyone from the financial services industry testify. The New York Times, December 5, 2014

Identity Theft

Toward a Breach Canary for Data Brokers: When a retailer’s credit card systems get breached by hackers, banks usually can tell which merchant got hacked soon after those card accounts become available for purchase at underground cybercrime shops. But when companies that collect and sell sensitive consumer data get hacked or are tricked into giving that information to identity thieves, there is no easy way to tell who leaked the data when it ends up for sale in the black market. In this post, we’ll examine one idea to hold consumer data brokers more accountable. KrebsOnSecurity, December 8, 2014

Cyber Warning

Android Malware Installs Pirated Assassin’s Creed App: A pirated version of the Assassin’s Creed application for Android is bundled with malware according to the security-as-a-service firm Zscaler. ThreatPost, December 12, 2014
Turla Trojan Unearthed on Linux: Turla, a hard-to-spot Trojan that has for years bedeviled Windows systems, has been discovered to have at least two Linux variants. Linux Turla maintains stealth without requiring elevated privileges while running arbitrary remote commands. The malware cannot be discovered using netstat, a command-line administrative tool, Kaspersky Lab said, and it uses techniques that don’t require root access. LinuxInsider, December 12, 2014
Two stealthy Linux malware samples uncovered, following in Windows variants’ tracks: Security researchers have uncovered two Linux variants of a complex piece of Windows malware, which is known to have previously targeted embassies, the military, and pharmaceutical companies. ZDNet, December 9, 2014

Cyber Security Management – Cyber Defense

The human factor a key challenge to information security, say experts: The lack of awareness and understanding of risks is one of the biggest challenges to information security, according to a panel of experts. ComputerWeekly, December 12, 2014
Sony Is Launching A Counterattack Against Its Hackers: Sony has launched a counterattack against people trying to download leaked files stolen from its servers after a massive hack. Business Insider, December 11, 2014
The Four Horsemen of Cyber Security in 2014: What too many of the year’s high-profile data breaches had in common. DarkReading, December 8, 2014

Cyber Security Management – Cyber Update

Microsoft, Adobe Push Critical Security Fixes: If you use Microsoft or Adobe software products, chances are that software is now dangerously out of date. Microsoft today released seven update bundles to fix two dozen security vulnerabilities in Windows and supported software. Adobe pushed patches to correct critical flaws in Acrobat, Reader and Flash Player, including a bug in Flash that already is being exploited. KrebsOnSecurity, December 9, 2014

Cyber Underworld

Here Are The FBI’s Most Wanted Cyber Criminals: As cybercrime becomes increasingly damaging, the FBI has kept a list of “Cyber’s Most Wanted.” Business Insider, December 8, 2014

Cyber Espionage

Digital Spies Target Diplomats’ iPhones, Androids And PCs With ‘Inception’ Malware: A range of politicians and diplomats have been targeted by stealthy hackers, who have been trying to thrust malware onto dignitaries’ iPhone and Android devices as well as PCs with varying degrees of success since this summer, according to security researchers. Forbes, December 10, 2014

National Cyber Security

Steptoe Cyberlaw Podcast, Episode #46: An Interview with Shane Harris: Our interview focuses on Shane Harris and his new book, @War: The Rise of the Military-Internet Complex. It’s a good read and a good book, marred by the occasional deployment of easy lefty tropes – government contractors are mercenaries, the military sees war as an opportunity to expand turf, cybersecurity is a threat to privacy, anonymity is all about rights, etc. But Harris is first and foremost a storyteller, and his zeal for the story is far more important to him than ideology. When he tells the story of the guys who used cybertactics to break al Qaeda in Iraq during the surge, or of the banks’ cyberbattle with Iran, he lets the reader decide who to root for. Lawfare, December 10, 2014

Critical Infrastructure

Exclusive: Iran hackers may target US energy, defense firms, FBI warns: (Reuters) – The Federal Bureau of Investigation has warned U.S. businesses to be on the alert for a sophisticated Iranian hacking operation whose targets include defense contractors, energy firms and educational institutions, according to a confidential agency document. AOL, December 12, 2014

Cyber Law

Rockefeller, Thune Statement on Passage of Commerce Cybersecurity Bill: WASHINGTON, D.C. – Senate Commerce, Science, and Transportation Committee Chairman John D. (Jay) Rockefeller IV (D-WV) and Ranking Member John Thune (R-SD) today applauded the passage of their bipartisan cyber legislation that will help strengthen and protect the nation’s economic and national security. The passage of the Rockefeller-Thune bill last night follows years of work to reach a bipartisan consensus on cybersecurity legislation. National Journal, December 12, 2014

Cyber Insurance

Cyber Security Practices Insurance Underwriters Demand: Insurance underwriters aren’t looking for companies impervious to risk. They want clients that understand the threat landscape and have demonstrated abilities to mitigate attacks. DarkReading, December 11, 2014

Cyber Misc

‘Security by Antiquity’ Bricks Payment Terminals: Last week, several thousand credit card payment terminals at various retailers across the country suddenly stopped working, their LCD displays showing blank screens instead of numbers and letters. Puzzled merchants began to worry that this was perhaps part of some sophisticated hacker attack on their cash registers. It turns out that the incident was indeed security-related, but for once it had nothing to do with cyber thieves. KrebsOnSecurity, December 12, 2014
Pirate Bay Has Been Raided and Taken Down: Here’s What We Know: The popular file-sharing service Pirate Bay was taken down today following a raid in Sweden by police who seized servers and computers. Wired, December 9, 2014

Weekend Vulnerability and Patch Report, December 15, 2014

Important Security Updates

Adobe Flash Player: Adobe has released version to fix at least 6 extremely critical unpatched vulnerabilities reported in previous versions. Updates are available from Adobe’s website. Updates are also available for Acrobat.
Adobe Reader: Adobe has released version 11.0.10 to fix at least 8 highly critical vulnerabilities reported in previous versions. Updates are available through the program’s Help menu/Check for Updates or from Adobe’s website. Updates are also available for Adobe Acrobat.
Adobe Shockwave Player: Adobe has released version of Shockwave Player running on Windows and Macintosh. Updates are available through the program or from Adobe’s Shockwave Web Site.
Dropbox: Dropbox has released version 3.0.3 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]
Google Chrome: Google has released Google Chrome version 39.0.2171.95. Updates are available from within the browser or from Google Chrome’s website.
Microsoft Internet Explorer: Microsoft has released updates for all versions of Internet Explorer to fix at least 14 highly critical vulnerabilities. Updates are available through the program or from Microsoft’s website.
Microsoft Office Excel: Microsoft has released updates for Excel to fix at least 2 highly critical vulnerabilities in most versions of Office Excel. Updates are available through the program or from Microsoft’s website.
Microsoft Patch Tuesday: Microsoft’s Patch Tuesday released 7 updates to address at least 24 vulnerabilities, some of which are highly critical, within Windows, Internet Explorer, Office, Word, .NET, Windows Flash Player, and other Microsoft products.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.10
Dropbox 3.0.3 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 34.0
Google Chrome 39.0.2171.95
Internet Explorer 11.0.9600.17501
Java SE 8 Update 25 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.76
Safari 5.1.7
Safari 7.1.1 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Microsoft Exchange Server: Secunia reports Microsoft has released a partial fix for Exchange Server 2007, 2010, 2013. Apply update.
VMware vCloud: US-CERT reports VMware has released updates to fix a critical vulnerability in its vCloud Automation Center (vCAC). Apply updates.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.