Monday, January 12, 2015

Cyber Security News, Education and Vulnerability Patch Report for the Week of January 12, 2015





Cyber Crime

Hackers Release Swiss Bank Data After Ransom Demand Is Rejected: A hacking group leaked identifying details about 30,000 clients of a small Swiss bank, after Banque Cantonale de Geneve (BCGE) declined the group’s request to pay a ransom. Bloomberg, January 9, 2015
Hackers with ties to Islamic State group take over Buena Park nonprofit’s website: BUENA PARK – Giving Children Hope, a nonprofit that delivers aid to children and families in need around the world, had its website hacked by a group identifying itself as Team System Dz, an Islamic State sympathizer. OCRegister, January 7, 2015
Hackers steal $5 million from major bitcoin exchange: Bitcoin exchange Bitstamp has frozen accounts and transactions while it investigates a breach. Fortune, January 5, 2015
U.S. Spies Say They Tracked ‘Sony Hackers’ For Years: American spies have detailed dossiers on the North Koreans who the U.S. says were behind the Sony attack. But the still-secret evidence likely won’t convince skeptics. TheDailyBeast, January 2, 2015
How My Mom Got Hacked: MY mother received the ransomnote on the Tuesday before Thanksgiving. It popped up on her computer screen soon after she’d discovered that all of her files had been locked. “Your files are encrypted,” it announced. “To get the key to decrypt files you have to pay 500 USD.” If my mother failed to pay within a week, the price would go up to $1,000. After that, her decryption key would be destroyed and any chance of accessing the 5,726 files on her PC — all of her data — would be lost forever. The New York Times, January 2, 2015
Sunday Morning Newsmakers with Larry Marino: Featuring Stan Stahl, Ph.D. President Citadel Information Group – Stahl explores the broader issues into the hacking of Sony Pictures what it means for all of us. AM870theanswer, December 30, 2014

Cyber Privacy

Finding a balance between cybersecurity and liberty to take center stage in months ahead: Well-publicized cyberattacks on the U.S. in late 2014 have made it almost certain that government will focus heavily on the nation’s technological security in the year ahead. And as cybersecurity talks heat up in Washington, policymakers will be tasked with striking a balance between protecting the nation’s cyber infrastructure and enacting rules that threaten U.S. Internet liberties, such as 2012’s much maligned Cyber Intelligence Sharing and Protection Act. PersonalLiberty, January 9, 2015

Financial Cyber Security

Banking Trojans Disguised As ICS/SCADA Software Infecting Plants: Researcher spots spike in traditional financial malware hitting ICS/SCADA networks — posing as popular GE, Siemens, and Advantech HMI products. DarkReading, January 8, 2015
Morgan Stanley Breach Put Client Data Up for Sale on Pastebin, an Online Site: In mid-December, a posting appeared on the Internet site Pastebin offering six million account records, including passwords and login data for clients of Morgan Stanley. The New York Times, January 5, 2015

Cyber Warning

Gogo in-flight Wi-Fi is spoofing its own customers:Connecting to the web on a flight this Friday, Google engineer Adrienne Porter Felt noticed something weird. When she logged in, there was a red X over the padlock by the URL bar, a sign that something was fishy. She was looking at the Google search page, supposedly protected by HTTPS, but the site wasn’t what it seemed. TheVerge, January 5, 2015

Cyber Security Management

Cybersecurity: What Advisors Need to Know: J.P. Morgan. Sony. Morgan Stanley — these are just some of the more recent high profile victims of data breaches, which have advisors re-examining their own precautions. onwallstreet, January 9, 2015
Boards Dissatisfied With Cyber, IT Risk Info Provided by Management: A recent survey from the National Association of Corporate Directors (NCD) found that the majority of directors are dissatisfied about the quantity of information provided by company management about cybersecurity and IT risk. SecurityWeek, January 2, 2015
Framework for Improving Critical Infrastructure Cybersecurity: The national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of
critical infrastructure systems,placing the Nation’s security, economy, and public safety and health at risk. Similar to financial and reputational risk, cybersecurity risk affects a company’s bottom line. It can drive up costs and impact revenue. It can harm an organization’s ability to innovate and to gain and maintain customers. NIST, February 14, 2014

Cyber Security Management – Cyber Defense

Who’s Attacking Whom? Realtime Attack Trackers: It seems nearly every day we’re reading about Internet attacks aimed at knocking sites offline and breaking into networks, but it’s often difficult to visualize this type of activity. In this post, we’ll take a look at multiple ways of tracking online attacks and attackers around the globe and in real-time. KrebsOnSecurity, January 5, 2015

Cyber Security Management – Cyber Update

Lizard Stresser Runs on Hacked Home Routers: The online attack service launched late last year by the same criminals who knocked Sony and Microsoft’s gaming networks offline over the holidays is powered mostly by thousands of hacked home Internet routers, has discovered. KrebsOnSecurity, January 9, 2015

National Cyber Security

FBI Director Says ‘Sloppy’ North Korean Hackers Gave Themselves Away: Bureau chief says hackers occasionally forgot to use proxy servers, while the Director of National Intelligence says North Koreans have no sense of humor. DarkReading, January 7, 2015
North Korean defector: ‘Bureau 121′ hackers operating in China: Shenyang, China (CNN)On the streets of the neon-lit Chinese city of Shenyang, you’ll find a restaurant, hotel, and other businesses owned and operated by the North Korean government. CNN, January 6, 2015
What Should the 114th Congress Do About Cybersecurity in 2015?: Bellicose rhetoric and intelligence sharing aren’t enough, the U.S. needs a comprehensive cybersecurity strategy ASAP. NetworkWorld, January 5, 2014
Prosecutors Say Tools For Hiding Online Hinder Cybercrime Crackdowns: Prosecutors say tools that cloak online identities are complicating their efforts to police all kinds of crime. NPR, January 5, 2015

Cyber Law

Sony hack could be game changer: The high-profile hack at Sony Pictures has injected new urgency into the years-old push for cybersecurity legislation, with a broad spectrum of lawmakers suddenly vowing to take action in the new Congress. TheHill, January 4, 2015

Cyber Lawsuit

Zappos Settles, Pays Out $106K Following Data Breach: Online retailer Zappos this week settled with attorneys general in nine states, agreeing to pay out $106,000 stemming from a data breach in 2012 that exposed 24 million customers’ information. ThreatPost, January 9, 2015

Cyber Survey

Cybercrime Dipped During Holiday Shopping Season: The number of businesses breached dropped by half from years past, but attackers got more bang for their buck in terms of stolen records, a new IBM report reveals. DarkReading, January 5, 2015

Cyber Misc

Anonymous Hackers Say They’ll Target Terrorists With #OpCharlieHebdo Following Paris Attacks: The loosely organized collective of computer hackers called Anonymous has claimed its next target in a YouTube video. Called “Op Charlie Hebdo,” short for Operation Charlie Hebdo, the group says it will target “al Qaeda, the Islamic State and other terrorists.” International Business Times, January 9, 2015
CES: Security Risks From the Smart Home: LAS VEGAS — THE Internet of Things arrived in force at this year’s International CES, the huge trade show here. But while manufacturers at the event painted a rosy picture of connected grills, coffee makers, refrigerators and door locks, security experts and regulators warned that the Internet of Things could be a threat to both security and privacy. The New York Times, January 7, 2015

Weekend Vulnerability and Patch Report

Important Security Updates

Dropbox: Dropbox has released version 3.0.5 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]
WinZip: Winzip has released version 19.0.11294. Updates are available from within the program, look for “Check for Updates” on the Help menu, or download from the WinZip website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.10
Dropbox 3.0.5 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 34.0.5
Google Chrome 39.0.2171.95
Internet Explorer 11.0.9600.17501
Java SE 8 Update 25 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
Safari 5.1.7 
Safari 7.1.1 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco WebEx Meetings Server: Secunia reports Cisco has released updates for WebEx Meetings Server to fix  vulnerabilities, some of which are moderately critical reported in previous versions. Update to a fixed version.
McAfee ePolicy Orchestrator: Secunia reports an unpatched vulnerability in McAfee’s ePolicy Orchestrator in versions 4.6.8 and prior and 5.1.1 and prior. Update to version 4.6.9 (scheduled to be released in February 2015) or 5.1.2 (scheduled to be released in Q2 2015) when available.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2015 Citadel Information Group. All rights reserved.'s Security Recruiter Blog