Tuesday, December 23, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of December 22, 2014





Cyber Crime

Sony Hackers Snooped for Months, Then Planted 10-Minute Time Bomb: Hackers who broke into Sony Corp.’s Hollywood unit probably spent months collecting passwords and mapping the network before they committed a last act of vandalism, setting off a virus that wiped out data and crashed the system in 10 minutes. Bloomberg, December 19, 2014
Banks: Park-n-Fly Online Card Breach: Office supply chain Staples Inc. today finally acknowledged that a malware intrusion this year at some of its stores resulted in a credit card breach. The company now says some 119 stores were impacted between April and September 2014, and that as many as 1.16 million customer credit and debit cards may have been stolen as a result. KrebsOnSecurity, December 19, 2014
Sony Hackers Threaten to Release a Huge ‘Christmas Gift’ of Secrets: As leaks from the recent Sony hack continue to make headlines and company executives apologize for insensitive comments made in exposed emails, we still don’t know how the hack occurred or the exact nature of the demands made by the attackers. But we’ve learned a bit about Sony’s security practices. And we’ve learned that the attackers may have tried to extort Sony before releasing its secrets. We’ve also learned that attempts by Sony to rally public support from rival studios has failed. Wired, December 15, 2014

Financial Cyber Security

Crimeware-as-a-Service Threatens Banks: A new report from security firm Sophos raises alarms about the increasing sophistication of crimeware-as-a-service, an underground business model that pushes adaptable malware from a botnet, rather than simply infecting a single machine. BankInfoSecurity, December 18, 2014

Identity Theft

Sony Hackers Have Your Personal Information. What You Can Do: If your paycheck or your pension or your medical insurance has its origins at Sony, then you are at risk. Citadel Information Group, December 14, 2014

Cyber Privacy

Angelina Jolie Hires Cybersecurity for Her Kids: How to Keep Your Kids Safe, Too: Angelina Jolie and Brad Pitt have hired a cybersecurity team to monitor their children on social media. Citadel’s Kimberly Pease Interviewed, Good Morning America, ABC, December 18, 2014
Where Tech Giants Protect Privacy: LONDON — FROM their glass-fronted office parks and start-up lofts in Silicon Valley, American tech companies oversee ever-expanding global empires. The New York Times, December 13, 2014

Cyber Warning

EU banks counter rising cybercrime as traditional hold-ups decrease: The EU Banking Authority (EBA) today (19 December) issued new regulations to beef up security of internet payments across the bloc to counter cybercrime, which is on the rise. EurActiv, December 19, 2014
12 Million Home Routers Vulnerable to Takeover: More than 12 million devices running an embedded webserver called RomPager are vulnerable to a simple attack that could give a hacker man-in-the-middle position on traffic going to and from home routers from just about every leading manufacturer. ThreatPost, December 18, 2014
Bad Bots On The Rise: The number of bots roaming the Net dropped this year, but the population of malicious bots has grown. DarkReading, December 18, 2014
MISFORTUNE COOKIE –SUSPECTED VULNERABLE MODEL LIST: Misfortune Cookie is a critical vulnerability that allows an intruder to remotely take over a residential gateway device and use it to attack the devices connected to it. Check Point, December 17, 2014

Cyber Security Management

Sony Said to Learn Last Year About Large Network-Security Breach: Sony Corp. (6758) was warned about a year ago that hackers had infiltrated its network and were stealing gigabytes of data several times a week, underscoring a pattern of lapses predating a recent attack that has spilled Sony Pictures’ secrets onto the Internet. BusinessInsider, December 15, 2014

Cyber Security Management – Cyber Defense

Report: Mysterious Russian Malware Is Infecting 100,000+ WordPress Sites: A Russian malware called SoakSoak has infected over 100,000 WordPress sites since this Sunday, turning blogs into attack platforms. It’s a potential shitshow, and it could’ve been prevented earlier this fall. Gizmodo, December 15, 2014

National Cyber Security

Eyes turn to the next Congress as Sony hack exposes cybersecurity flaws: As the fallout from the cyberattack against Sony Pictures Entertainment grows amid reports that the hack may be linked to the North Korean government, lawmakers and the Obama administration are calling on Congress to focus heavily on cybersecurity legislation after the holiday recess. The Washington Post, December 18, 2014
Watch out world: North Korea deep into cyber warfare, defector says: Seoul, South Korea (CNN) — North Korea is one of the world’s poorest countries, seen as well behind most everyone when it comes to most technologies and much more. CNN, December 18, 2014
North Korean Role in Sony Hack Presents Quandary for U.S.: U.S. officials’ conclusion that Pyongyang was behind the hacking attack on Sony Pictures has raised the difficult question of how Washington should respond to an aggressive act by a foreign government. The Wall Street Journal, December 17, 2014
U.S. Said to Find North Korea Ordered Cyberattack on Sony: WASHINGTON — American officials have concluded that North Korea was “centrally involved” in the hacking of Sony Pictures computers, even as the studio canceled the release of a far-fetched comedy about the assassination of the North’s leader that is believed to have led to the cyberattack. The New York Times, December 17, 2014
FBI Beefs Up Amid Explosion of Cybercrime: Cybercrime is one of the priorities for the FBI, which has 13,260 special agents across the country, according to the agency. GovernmentTechnology, December 15, 2014

Cyber Law

Obama Signs 5 Cybersecurity Bills: Without ceremony, President Obama on Dec. 18 signed five cybersecurity-related bills, including legislation to update the Federal Information Security Management Act, the law that governs federal government IT security. GovInfoSecurity, December 18, 2014
Former Employees Are Suing Sony Over ‘Epic Nightmare’ Hack: Two former employees of Sony Pictures Entertainment filed a class-action lawsuit against the studio giant on Monday for failing to properly secure sensitive employee data. Wired, December 16, 2014

Cyber Sunshine

SpamHaus, CloudFlare Attacker Pleads Guilty: A 17-year-old male from London, England pleaded guilty this week to carrying out a massive denial-of-service attack last year against anti-spam outfit SpamHaus and content delivery network CloudFlare, KrebsOnSecurity has learned. KrebsOnSecurity, December 13, 2014

Weekend Vulnerability and Patch Report, December 22, 2014

Important Security Updates

Dropbox: Dropbox has released version 3.0.4 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]
Piriform CCleaner: Piriform has released version 5.01.5075 for CCleaner. Updates are available from Piriform’s website.
Opera: Opera has released version 26.0.1656.60 to fix multiple moderately critical unpatched vulnerabilities reported in previous versions. Updates are available from within the browser or from Opera’s website.
Skype: Skype has released Skype Updates are available from the program or Skype’s website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.10
Dropbox 3.0.4 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 34.0
Google Chrome 39.0.2171.95
Internet Explorer 11.0.9600.17501
Java SE 8 Update 25 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.76
Safari 5.1.7 
Safari 7.1.1 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports Cisco has released an update to IOS XR. Update to version Secunia reports a moderately critical unpatched vulnerability in IronPort Email Security Appliance. No official solution is available.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.

SecurityRecruiter.com's Security Recruiter Blog