Monday, January 05, 2015

Cyber Security News, Education and Vulnerability Patch Report for the Week of December 5, 2014





Cyber Crime

Sony insider — not North Korea — likely involved in hack, experts say: Federal authorities insist that the North Korean government is behind the cyberattack on Sony Pictures Entertainment. Cybersecurity experts? Many are not convinced. The Los Angeles Times, December 30, 2014
Banks: Card Breach at Some Chick-fil-A’s: Sources at several U.S. financial institutions say they have traced a pattern of credit card fraud back to accounts that all were used at different Chick-fil-A fast food restaurants around the country. Chick-fil-A told KrebsOnSecurity that it has received similar reports and is working with IT security firms and law enforcement in an ongoing investigation. KrebsOnSecurity, December 30, 2014
Target Hackers Hit Parking services have taken a beating this year at the hands of hackers bent on stealing credit and debit card data. This week’s victim — — comes compliments of the same organized crime gang thought to be responsible for stealing tens of millions of card numbers from shoppers at Target and Home Depot. KrebsOnSecurity, December 30, 2014
New Clues In Sony Hack Point To Insiders, Away from DPRK: A strong counter-narrative to the official account of the hacking of Sony Pictures Entertainment has emerged in recent days, with the visage of the petulant North Korean dictator, Kim Jong Un, replaced by another, more familiar face: former Sony Pictures employees angry over their firing during a recent reorganization at the company. The Security Ledger, December 28, 2014
World’s Biggest Data Breaches: Visualization of selected losses greater than 30,000 records. Information is Beautiful

Cyber Privacy

Web Freedom Is Seen as a Growing Global Issue: SAN FRANCISCO — Government censorship of the Internet is a cat-and-mouse game. And despite more aggressive tactics in recent months, the cats have been largely frustrated while the mice wriggle away. The New York Times, January 1, 2015

Cyber Warning

SONY HACKERS THREATEN U.S. NEWS MEDIA ORGANIZATION: The hackers who infiltrated Sony Pictures Entertainment’s computer servers have threatened to attack an American news media organization, according to an FBI bulletin obtained by The Intercept. The Intercept, December 31, 2014
Steam Chat Spreading Dangerous Malware: Most people know not to click on suspicious links from strangers, but suspicious links from friends are more of a marginal case. Malefactors are currently using Steam, Valve’s popular PC gaming platform, to spread malware by hiding a nasty program in a supposedly innocuous screenshot that looks like it is coming from a trusted friend. Tom’s Guide, December 30, 2014

Cyber Security Management

Sony Cyberattack, First a Nuisance, Swiftly Grew Into a Firestorm: LOS ANGELES — It was three days before Thanksgiving, the beginning of a quiet week for Sony Pictures. But Michael Lynton, the studio’s chief executive, was nonetheless driving his Volkswagen GTI toward Sony’s lot at 6 a.m. Final planning for corporate meetings in Tokyo was on his agenda — at least until his cellphone rang. The New York Times, December 30, 2014
Cybersecurity 2015: Are We Near End of Big Retail Hacks?: Cybersecurity emerged as a much bigger risk for companies in 2014, and is likely to be a hot topic again in 2015. We asked some top cybersecurity and data privacy experts to look ahead and tell us what they see. Two top trends: companies now “get” the need for cybersecurity and new payment systems could bring an end to big retail data breaches. The Wall Street Journal, December 30, 2014
SEC Faults Rating Firms for Rule Lapses, Lax Cybersecurity: Reports Says Some Firms Lack Sufficient Internal Systems to Prevent ‘Misuse, Inappropriate Dissemination.’ The Wall Street Journal, December 30, 2014
Why It’s Time For A Board-Level Cybersecurity Committee: Just the past 12 months have seen one massive corporate security breach after another. Major retailers (Target, Home Depot, Neiman Marcus, Sony Pictures), e-commerce sites (eBay), and financial institutions (JP Morgan) have all been victims. Forbes, December 27, 2014

Cyber Underworld

Lizard Kids: A Long Trail of Fail: The Lizard Squad, a band of young hooligans that recently became Internet famous for launching crippling distributed denial-of-service (DDoS) attacks against the largest online gaming networks, is now advertising its own Lizard-branded DDoS-for-hire service. Read on for a decidedly different take on this offering than what’s being portrayed in the mainstream media. KrebsOnSecurity, December 31, 2014
Who’s in the Lizard Squad?: The core members of a group calling itself “Lizard Squad” — which took responsibility for attacking Sony’s Playstation and Microsoft’s Xbox networks and knocking them offline for Christmas Day — want very much to be recognized for their actions. So, here’s a closer look at two young men who appear to be anxious to let the world know they are closely connected to the attacks. KrebsOnSecurity, December 29, 2014
A Q&A with the hackers who say they helped break into Sony’s network: Lizard Squad. That’s the hacker group whose name is suddenly on everyone’s lips after it took credit for ruining Christmas for PlayStation and Xbox gamers everywhere. The Washington Post, December 29, 2014

National Cyber Security

Sony Incident Sets Dangerous Precedent, Cyber Expert Fears: When cyber journalist and author Shane Harris heard that President Barack Obama was promising the United States would make a “proportional response” against North Korea over the recent hacks at Sony Pictures Entertainment, his first response was alarm. Voice of America, December 31, 2014
White House Deflects Doubts on Source of Sony Hack: The White House pushed back Tuesday against criticism from some cybersecurity experts who have challenged the government’s conclusion that North Korea was behind the hacking of Sony Pictures Entertainment Inc. The Wall Street Journal, December 31, 2014

Critical Infrastructure

A Hacker’s Hit List of American Infrastructure: On Friday, December 19, the FBI officially named North Korea as the party responsible for a cyber attack and email theft against Sony Pictures. The Sony hack saw many studio executives’ sensitive and embarrassing emails leaked online. The hackers threatened to attack theaters on the opening day of the offending film, The Interview, and Sony pulled the plug on the movie, effectively censoring a major Hollywood studio. (Sony partially reversed course, allowing the movie to show in 331 independent theaters on Christmas Day, and to be streamed online.) The Atlantic, January 2, 2015
If cyberwar erupts, America’s electric grid is a prime target: Cybersecurity experts say that targets in a cyberwar wouldn’t be Hollywood studios but instead the nation’s critical infrastructure, which is already under attack by hackers trying to infiltrate, study, and potentially cripple US utilities. The Christian Science Monitor, December 23, 2014

Weekend Vulnerability and Patch Report

Important Security Updates

Apple OS X: US-Cert reports that Apple has released security updates for OS X Mountain Lion, Mavericks, and Yosemite to address multiple highly critical vulnerabilities. Updates are available from Apple’s website for OS X Mountain Lion, OS X Mavericks, and OS X Yosemite.
Apple QuickTime: Apple has released version of QuickTime for Windows 7, Vista, XP SP2 or later.  Updates are available from within the program or Apple’s website.
AVG Free Edition: AVG has released version 2015.0.5645 of its 64 and 32 bit Free Edition. Updates are available on AVG’s website.
Mozilla Firefox: Mozilla has released version 34.0.5. Updates are available within the browser or from Mozilla’s website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.10
Dropbox 3.0.4 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 34.0.5
Google Chrome 39.0.2171.95
Internet Explorer 11.0.9600.17501
Java SE 8 Update 25 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
Safari 5.1.7 
Safari 7.1.1 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports Cisco has released an update to Expressway Series and Cisco TelePresence Video Communication Server (VCS) to fix moderately critical vulnerabilities in versions X7.x and X8.x. Update or upgrade to version X8.5 (scheduled to be available mid December 2014).
Novell Multiple Products: Secunia reports Novell has released an update to its Open Enterprise Server to fix highly critical vulnerabilities in Novell Open Enterprise Server 11 (OES11), 11 SP1 (OES11SP1), and 11 SP2 (OES11SP2), and Novell Open Enterprise Server 2 SP3 (OES2SP3). Apply updated packages via the zypper package manager.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.