Monday, December 29, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of December 29, 2014





Cyber Crime

Hackers pop German steel mill, wreck furnace: Talented hackers have caused “serious damage” after breaching a German steel mill and wrecking one of its blast furnaces. The Register, December 22, 2014
Neglected Server Provided Entry for JPMorgan Hackers: The computer breach at JPMorgan Chase this summer — the largest intrusion of an American bank to date — might have been thwarted if the bank had installed a simple security fix to an overlooked server in its vast network, said people who have been briefed on internal and outside investigations into the attack. The New York Times, December 22, 2014
Sony Hack Was Not All That Sophisticated, Cybersecurity Experts Say: The Sony hack is a hydra-headed monster of a story, emerging from the sea late last month to descend on Los Angeles before going on to smash across the country, sprouting new heads as it went, dragging the badly battered body of a colossal global corporation in its dust. Billboard, December 21, 2014
Staples: 6-Month Breach, 1.16 Million Cards: Office supply chain Staples Inc. today finally acknowledged that a malware intrusion this year at some of its stores resulted in a credit card breach. The company now says some 119 stores were impacted between April and September 2014, and that as many as 1.16 million customer credit and debit cards may have been stolen as a result. KrebsOnSecurity, December 19, 2014

Cyber Attack

Sony: PlayStation Network is back online now, really: After giving gamers false hope on Saturday, Sony now says its PlayStation Network has been fully restored after a Christmas Day attack that knocked it offline for about three days. PC World, December 28, 2014
Cowards Attack Sony PlayStation, Microsoft xBox Networks: A gaggle of young misfits that has long tried to silence this Web site now is taking credit for preventing millions of users from playing Sony Playstation and Microsoft Xbox Live games this holiday season. … The group, which calls itself LizardSquad, started attacking the gaming networks on or around Christmas Day. Various statements posted by self-described LizardSquad members on their open online chat forum — — suggest that these misguided individuals launched the attack for no other reason than because they thought it would be amusing to annoy and disappoint people who received new Xbox and Playstation consoles as holiday gifts. Krebs on Security, December 26, 2014

Cyber Privacy

How to Avoid Cyber-Burglars This Holiday Season: Featuring Citadel’s Kimberly Pease – Before the age of computers and smartphones, a would-be burglar would have to look in your window to see that you are gone on a holiday vacation. Good Morning America, ABC News, December 23, 2014
Hacking Our Humanity: THERE’S a square in the upper right-hand corner of your computer keyboard that probably looks more banged up than it did a week or two ago. It’s the one marked “delete.” I’ll bet that you’ve been giving it a workout lately, pressing it hard and often, moving relentlessly backward over your emails, fretting and fussing and killing off nearly as many words as you birth. Are they open to misinterpretation? Is their tone too mischievous or meanspirited? Delete, delete, delete. Better safe than Sony’d. The New York Times, December 20, 2014

Financial Cyber Security

Top bankers urged to take cybercrime threat more seriously: Top British bankers and other senior financial services executives are not taking the risk of cyber-attacks seriously enough, financial policymakers at the Bank of England have said. The Guardian, December 22, 2014
Gang Hacked ATMs from Inside Banks: An organized gang of hackers from Russia and Ukraine has broken into internal networks at dozens of financial institutions and installed malicious software that allowed the gang to drain bank ATMs of cash. While none of the victim institutions were in the United States or Western Europe, experts say the stealthy methods used by the attackers in these heists would likely work across a broad range of western banks. KrebsOnSecurity, December 22, 2014

Cyber Security Management – Cyber Defense

Backoff Malware Validates Targets Through Infected IP Cameras: RSA report on Backoff dives deeper into clues about the POS software and hints at attackers potentially located in India. DarkReading, December 23, 2014

Cyber Security Management – Cyber Update

Apple updates Macs for first time without asking — to foil hackers: Apple is pushing out its first automatic security update to protect your computer from being taken over. CNet, December 23, 2014
Apple releases security update for critical NTP vulnerability in OS X: Apple has issued a security update to address a critical security issue with OS X’s Network Time Protocol service. The company recommends that all users apply this patch “as soon as possible.” ZDNet, December 22, 2014

Cyber Security Management – Cyber Awareness

If a Strong Password is 2,573 Miles, How Long is Yours?: One of the difficulties of expressing just how much stronger one password is than another is that we as humans have such a hard time visualizing large numbers. Can we really, for example, truly comprehend the difference between a strong password and a weak one? XATO, May 24, 2012

National Cyber Security

Countering Cyberattacks Without a Playbook: WASHINGTON — For years now, the Obama administration has warned of the risks of a “cyber-Pearl Harbor,” a nightmare attack that takes out America’s power grids and cellphone networks and looks like the opening battle in a full-scale digital war. The New York Times, December 23, 2014
North Korea May Have Had Help From the Hackers Who Hit Sony in 2011: The sweeping conclusion by President Obama and the FBI last week, blaming North Korea for the Sony hack, was clean and, to many, wholly satisfying. It’s unusual that a huge cyber-crime is solved so definitively and so quickly. It felt like something out of the movies. Bloomberg, December 23, 2014
The Case for N. Korea’s Role in Sony Hack: There are still many unanswered questions about the recent attack on Sony Pictures Entertainment, such as how the attackers broke in, how long they were inside Sony’s network, whether they had inside help, and how the attackers managed to steal terabytes of data without notice. To date, a sizable number of readers remain unconvinced about the one conclusion that many security experts and the U.S. government now agree upon: That North Korea was to blame. This post examines some compelling evidence from past such attacks that has helped inform that conclusion. KrebsOnSecurity, December 23, 2014
When Does Cyber Crime Become an Act of Cyberwar?: No consensus exists between the U.S. government and cyber security experts as to whether North Korea is responsible for the online dumping of Sony Pictures Entertainment’s confidential business data and emails. Even if it could be proven beyond any doubt with uncontestable forensic evidence that this theft is also, in fact, an act of computer hacking, it still wouldn’t technically constitute an act of cyberwar — regardless of the identity of the perpetrator. So then, when would it? TownHall, December 23, 2014
Experts Are Still Divided on Whether North Korea Is Behind Sony Attack: The FBI announcement last week that it had uncovered evidence in the Sony hack pointing to North Korea appears to have settled the issue for a lot of people—in Washington, DC. Wired, December 23, 2014
North Korea Internet hit by 2 more outages: North Korea’s Internet service, which was out for almost 10 hours on Monday, went down two more times Tuesday, including a 31-minute stretch, according to Dyn Research. USA Today, December 23, 2014
China says no proof North Korea hacked Sony: China said on Monday it opposed all forms of cyberattacks but there was no proof that North Korea was responsible for the hacking of Sony Pictures, as the United States has said. The Globe and Mail, December 22, 2014
Did North Korea Really Attack Sony?: I am deeply skeptical of the FBI’s announcement on Friday that North Korea was behind last month’s Sony hack. The agency’s evidence is tenuous, and I have a hard time believing it. But I also have trouble believing that the U.S. government would make the accusation this formally if officials didn’t believe it. Bruce Schneier, The Atlantic, December 22, 2014
North Korea Loses Its Link to the Internet: SAN FRANCISCO — A strange thing happened to North Korea’s already tenuous link to the Internet on Monday: It failed. The New York Times, December 22, 2014

Cyber Insurance

Breach insurance might not cover losses at Sony Pictures: Documents leaked by the group claiming responsibility for the attack on Sony Pictures show that the company has upwards of $60 million in cyber insurance coverage after consolidating coverage with Sony Corporation of America. But will that be enough? CSO, December 15, 2014

Cyber Sunshine

Alleged Counterfeiter “Willy Clock” Arrested: In September 2014, I wrote about receiving a package of $500 in counterfeit U.S. currency from an unknown sender, after mentioning in a blog post about a rash of funny money resellers flooding underground cybercrime markets. Last week, U.S. authorities announced the arrest of a Texas man charged with leading the international counterfeit currency operation from a location in the Republic of Uganda. KrebsOnSecurity, December 22, 2014

Weekend Vulnerability and Patch Report, December 28, 2014

Important Security Updates

Apple OS X: US-CERT reports that Apple has released security updates for OS X Mountain Lion, Mavericks, and Yosemite to address multiple highly critical vulnerabilities. Updates are available from Apple’s website for OS X Mountain Lion, OS X Mavericks, and OS X Yosemite.
Apple QuickTime: Apple has released version of QuickTime for Windows 7, Vista, XP SP2 or later.  Updates are available from within the program or Apple’s website.
AVG Free Edition: AVG has released version 2015.0.5645 of its 64 and 32 bit Free Edition. Updates are available on AVG’s website.
Mozilla Firefox: Mozilla has released version 34.0.5. Updates are available within the browser or from Mozilla’s website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.10
Dropbox 3.0.4 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 34.0.5
Google Chrome 39.0.2171.95
Internet Explorer 11.0.9600.17501
Java SE 8 Update 25 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
Safari 5.1.7 
Safari 7.1.1 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports Cisco has released an update to Expressway Series and Cisco TelePresence Video Communication Server (VCS) to fix moderately critical vulnerabilities in versions X7.x and X8.x. Update or upgrade to version X8.5 (scheduled to be available mid-December 2014).
Novell Multiple Products: Secunia reports Novell has released an update to its Open Enterprise Server to fix highly critical vulnerabilities in Novell Open Enterprise Server 11 (OES11), 11 SP1 (OES11SP1), and 11 SP2 (OES11SP2), and Novell Open Enterprise Server 2 SP3 (OES2SP3). Apply updated packages via the zypper package manager.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.