Monday, December 08, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of December 8, 2014

Cyber Crime – Sony Attack

Sony Pictures and F.B.I. Widen Hack Inquiry: LOS ANGELES — Sony Pictures Entertainment and the F.B.I. on Wednesday were seeking more information about an attack that crippled Sony’s computer systems — including whether North Korea, or perhaps a former employee, was responsible. The New York Times, December 4, 2014
Sony Films Are Pirated, and Hackers Leak Studio Salaries: LOS ANGELES — Just as Sony Pictures Entertainment appeared to be recovering from a crippling online attack last month, the studio found itself confronting new perils on Tuesday. The Federal Bureau of Investigation warned United States businesses of a similar threat, and additional Sony secrets were leaked online. The New York Times, December 3, 2014
Sony Pictures hackers release list of stolen corporate files: On Monday, employees at Sony Pictures Entertainment—the television and movie subsidiary of Sony Corp.—discovered that their internal corporate network had been hijacked. A message from an individual or group claiming responsibility appeared on corporate systems, pledging to release sensitive corporate data taken from the network by 11pm GMT on Monday. ars technica, November 26, 2014

Cyber Crime

Banks: Credit Card Breach at Bebe Stores: Data gathered from several financial institutions and at least one underground cybercrime shop suggest that thieves have stolen credit and debit card data from Bebe Stores Inc., a nationwide chain of some 200 women’s clothing stores. KrebsOnSecurity, December 4, 2014
Payroll company for SAG-AFTRA members discloses security breach: Employees at Sony Pictures Entertainment aren’t the only ones dealing with a hack attack. The LA Times, December 3, 2014
Hackers With Wall Street Savvy Stealing M&A Data: Hackers with Wall Street expertise have stolen merger-and-acquisition information from more than 80 companies for more than a year, according to security consultants who shared their findings with law enforcement. Bloomberg, December 1, 2014
Hackers Using Lingo of Wall St. Breach Health Care Companies’ Email: SAN FRANCISCO — For more than a year, a group of cybercriminals has been pilfering email correspondence from more than 100 organizations — most of them publicly traded health care or pharmaceutical companies — apparently in pursuit of information significant enough to affect global financial markets. The New York Times, December 1, 2014
Hackers Infiltrate Payment Systems of Major Parking Garage Operator: After the number of major breaches affecting some of the largest retailers this year, some may feel uneasy as they approach the cashier to pay for their purchases. Now consumers have another place to worry about–parking garages. SecurityWeek, November 28, 2014

Financial Cyber Security

Treasury Dept: Tor a Big Source of Bank Fraud: A new report from the U.S. Treasury Department found that a majority of bank account takeovers by cyberthieves over the past decade might have been thwarted had affected institutions known to look for and block transactions coming through Tor, a global communications network that helps users maintain anonymity by obfuscating their true location online. KrebsOnSecurity, December 5, 2014
What happens when you swipe your card?: As hacking of top retailers make headlines, Bill Whitaker discovers how insecure your credit card information is this holiday season. 60 Minutes, CBS News, November 30, 2014
States, U.S. Beef Up Cybersecurity Training for Bank Examiners: Federal and state regulators are ramping up plans to train bank examiners about cybersecurity risks at a time when the financial institutions they oversee face growing threats from hackers. The Wall Street Journal, November 30, 2014

Cyber Privacy

Hackers Send Emails to Sony Employees: LOS ANGELES — As Hollywood snooped through yet another round of leaked Sony Pictures Entertainment documents on Friday, the studio and the F.B.I. publicly responded to a new threat from the hackers who attacked the company. The New York Times, December 5, 2014

Identity Theft

Sony Pictures hackers stole 47,000 social security numbers, including Sly Stallone’s: A week after it was brought to a standstill by a hacker group that may or may not have hailed from North Korea, things are getting even worse for Sony Pictures. The hackers that crippled the company’s computer systems have now released a vast hoard of Sony Pictures’ private documents onto the internet. An analysis of more than 33,000 documents showed that they displayed passwords to internal computers, credit cards, and social media accounts, as well as the Social Security numbers of 47,000 current and former Sony Pictures workers. TheVerge, December 4, 2014
Sony Execs Confirm Authenticity of Leaked Documents in Staff Memo: Reeling from a massive hack attack, Sony Pictures Entertainment chiefs Michael Lynton and Amy Pascal have told studio staff that they are “deeply saddened” that confidential data may be exposed. Variety, December 2, 2014
Black Friday, Cyber Monday for Crooks, Too!: Underground cybercrime shops that sell credit and debit card accounts stolen from retailers are slashing prices and promoting their own Black Friday and Cyber Monday sales as fraudsters gear up for the busy holiday shopping season. KrebsOnSecurity, November 29, 2014

Cyber Warning

Be Wary of ‘Order Confirmation’ Emails: If you receive an email this holiday season asking you to “confirm” an online e-commerce order or package shipment, please resist the urge to click the included link or attachment: Malware purveyors and spammers are blasting these missives by the millions each day in a bid to trick people into giving up control over their computers and identities. KrebsOnSecurity, December 3, 2014
Exclusive: FBI warns of ‘destructive’ malware in wake of Sony attack: (Reuters) – The Federal Bureau of Investigation warned U.S. businesses that hackers have used malicious software to launch a destructive cyberattack in the United States, following a devastating breach last week at Sony Pictures Entertainment. Reuters, December 2, 2014

Cyber Security Management

The Cybersecurity Myths That Small Companies Still Believe: High-profile breaches at Target (TGT), Home Depot (HD), and JPMorgan Chase (JPM) have put cybersecurity on the agenda for companies large and small. But despite the ongoing media commentary and “best practices” memos, consultant Adam Epstein of Third Creek Advisors notes that board members of small-cap companies and those considering or preparing initial public offerings are still befuddled by persistent myths on this topic. BusinessWeek, November 24, 2014

Cyber Law

Judge rules that banks can sue Target for 2013 credit card hack: The development paves the way for more banks to sue merchants with poor POS security. ars technica, December 4, 2014

Weekend Vulnerability and Patch Report, December 7, 2014

Important Security Updates

Apple Safari: Apple has released updates for Safari to fix at least 13 vulnerabilities, some of which are highly critical, reported in previous versions. Update to version 8.0.1, 7.1.1, or 6.2.1. Updates are available from Apple’s website.
Avira Free Antivirus: Avira has released a new version of its free Antivirus. Updates are available from Avira’s website.
Foxit Reader: Foxit has released a new version of its Reader. Updates are available through the program or from Foxit’s website.
Malwarebytes Anti-Exploit: Malwarebytes has released a new version of its free Malwarebytes Anti-Exploit. Updates are available from Malwarebytes’ website.
Malwarebytes Anti-Malware: Malwarebytes has released version 2.0.4 of its free Malwarebytes Anti-Malware. Updates are available from Malwarebytes’ website.
Mozilla Firefox: Mozilla has released version 34.0 to fix at least 10 unpatched highly critical vulnerabilities reported in previous versions. Upgrade to version 34 and remove certain files on OS X 10.10 (Yosemite) within the /tmp folder. Updates are available within the browser or from Mozilla’s website.
Opera: Opera has released version 26 to fix multiple moderately critical unpatched vulnerabilities reported in previous versions. Updates are available from within the browser or from Opera’s website.
Siber Systems RoboForm: Siber Systems has released a new version of Roboform. Updates are available from within the program (look for the “Check New Version” button on the Options menu) or can be downloaded from the Roboform website.
Skype: Skype has released a new version of Skype. Updates are available from the program or Skype’s website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.09
Dropbox 2.10.52 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 34.0
Google Chrome 39.0.2171.71
Internet Explorer 11.0.9600.17420
Java SE 8 Update 25 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.76
Safari 5.1.7 
Safari 7.1.1 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports Cisco has released updates for Unified Computing System (UCS), and others. Apply patches.
Citrix XenServer: Secunia reports Citrix has released updates for XenServer. Apply hotfix.
VMware Multiple Products: Secunia reports VMware has released an update for ESX Server, ESXi, vCenter Server Appliance, vSphere and others. Apply patches.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.