Sunday, March 01, 2015

Cyber Security News, Education and Vulnerability Patch Report for the Week of March 1, 2015

Cyber Crime

Personal data on 50,000 Uber drivers exposed in breach: The names and license plate numbers of about 50,000 Uber drivers were compromised in a security breach last year, the company revealed Friday. PCWorld, February 27, 2015
Urban Institute Hacked: Up To 700,000 Nonprofits Affected After Tax System Breach: A prominent Washington, D.C. think tank has been hacked, compromising email addresses, passwords and other information of hundreds of thousands of charitable organizations that use its system for filing taxes. The Huffington Post, February 25, 2015
US offers highest-ever cybercrime reward for arrest of Russian hacker: The US State Department and FBI have announced a $3m reward for information leading to the arrest or conviction of Russian national Evgeniy Bogachev, the highest bounty US authorities have ever offered in a cyber case. The Guardian, February 24, 2015
Lawyer who clicked on attachment loses $289K in hacker scam: A lawyer who clicked on an email attachment lost $289,000 to hackers who likely installed a virus that recorded his keystrokes. ABA Journal, February 19, 2015

Cyber Attack

Webnic Registrar Blamed for Hijack of Lenovo, Google Domains: Two days ago, attackers allegedly associated with the fame-seeking group Lizard Squad briefly hijacked Google’s Vietnam domain. On Wednesday, Lenovo’s domain was similarly attacked. Sources now tell KrebsOnSecurity that both hijacks were possible because the attackers seized control over Webnic, the Malaysian registrar that serves both domains and 600,000 others. KrebsOnSecurity, February 26, 2015

Cyber Privacy

White House Proposes Broad Consumer Data Privacy Bill: The Obama administration on Friday proposed a wide-ranging bill intended to provide Americans with more control over the personal information that companies collect about them and how that data can be used, fulfilling a promise the president had talked about for years. New York Times, February 27, 2015
U.S. and British Agencies May Have Tried to Get SIM Encryption Codes, Gemalto Says: LONDON — Gemalto, a French-Dutch digital security company, said on Wednesday that it believed that American and British intelligence agencies had most likely hacked into the company’s networks in an attempt to gain access to worldwide mobile phone communications. But it said that the intrusions had only limited effect. The New York Times, February 25, 2015
How Malware Can Track Your Smartphone Without Using Location Data: The way your smartphone uses power provides a simple way to track it, say computer scientists who have developed an app to prove it. MIT Technology Review, February 21, 2015

Financial Cyber Security

Lawsky Proposes New Cybersecurity, Money-Laundering Rules For Banks: New York’s top banking regulator ratcheted up the pressure on financial institutions, unveiling a handful of proposals on Wednesday that would increase the burdens and potential pitfalls for banks as they try to prevent cyberattacks and money laundering. The Wall Street Journal, February 25, 2015
TurboTax’s Anti-Fraud Efforts Under Scrutiny: Two former security employees at Intuit, the makers of the popular tax preparation software and service TurboTax, allege that the company has made millions of dollars knowingly processing state and federal tax refunds filed by cybercriminals. Intuit says it leads the industry in voluntarily reporting suspicious returns, and that ultimately it is up to the Internal Revenue Service to develop industry-wide requirements for tax preparation firms to follow in their fight against the multi-billion dollar problem of tax refund fraud. KrebsOnSecurity, February 22, 2015

Identity Theft

Identity theft tops list of consumer complaints: Identity theft was once again the number one complaint from Americans this year, according to the Federal Trade Commission’s annual tally. CNN, February 27, 2015
New Study Says Over 2 Million Americans Are Victims Of Medical Identity Theft: According to the Fifth Annual Study on Medical Identity Theft, released today by the Medical Identity Theft Alliance (MIFA), the number of patients affected by medical identity theft increased nearly 22 percent in just the last year. Forbes, February 23, 2015

Securing the Village

Wall St. and Law Firms Plan Cooperative Body to Bolster Online Security: The threat of ever-larger online attacks is bringing together Wall Street banks and the big law firms that do work for them in an alliance that could result in some sharing of basic information about digital security issues. New York Times, February 23, 2015
Obama Order Gives Firms Cyberthreat Information: President Obama signed an executive order on Tuesday that promotes increased information sharing about cyberthreats between the government and private companies that oversee the country’s critical infrastructure, offering a weakened alternative to legislation the administration had hoped Congress would pass last year. New York Times, February 12, 2015

Cyber Warning

Spam Uses Default Passwords to Hack Routers: In case you needed yet another reason to change the default username and password on your wired or wireless Internet router: Phishers are sending out links that, when clicked, quietly alter the settings on vulnerable routers to harvest online banking credentials and other sensitive data from victims. KrebsOnSecurity, February 26, 2015
Hackers impersonating IT staff popular tactic in data breaches, FireEye finds: Fresh FireEye research suggests that today’s cyberattackers are becoming smarter about the systems they seek to break, and are commonly using impersonation and social engineering to tap into the most common weakness in the security chain — employees. ZDNet, February 24, 2015

Cyber Security Management

Why Information Security Is Everybody’s Business Now: Admiral Michael Rogers, the director of the National Security Agency, said he expects a major cyber attack. “It’s only a matter of the ‘when,’ not the ‘if,’ that we are going to see something dramatic.” Many other information security experts would agree with him. Forbes, February 5, 2015

Cyber Security Management – Cyber Defense

How can I find and remove Superfish and similar malware?: Anthony has a new Lenovo laptop and wonders if he should be concerned. Jack Schofield says that’s the tip of the iceberg and everyone should be worried. The Guardian, February 26, 2015

National Cyber Security

Steptoe Cyberlaw Podcast, Episode #54: An Interview with Ben Wittes: Episode 54 of the Cyberlaw Podcast features a guest appearance by Lawfare’s own Ben Wittes, discussing cybersecurity in the context of his forthcoming book, The Future of Violence, authored by Ben and Gabriella Blum. (The future of violence, you won’t be surprised to hear, looks bright.) Ben also floats the idea of taping an episode of all the Lawfare-affiliated podcasts in a bar with some of our listeners. More on that idea to come. LawFare, February 20, 2015
How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last: CANCUN, Mexico — In 2009, one or more prestigious researchers received a CD by mail that contained pictures and other materials from a recent scientific conference they attended in Houston. The scientists didn’t know it then, but the disc also delivered a malicious payload developed by a highly advanced hacking operation that had been active since at least 2001. The CD, it seems, was tampered with on its way through the mail. ars technica, February 16, 2015

Cyber Research

DARPA offers rare glimpse at program to visualize cyberdefenses (+video): The Pentagon’s advanced research arm revealed its latest version of Plan X, an in-progress system designed for the military to visualize defending against cyberattacks, at a Passcode event on the future of cybersecurity innovation. Christian Science Monitor, February 26, 2015

Cyber Misc

5 Reasons To Never Market Malware: Governments around the world, especially their policing and security agencies, are now employing “legal” malware. This is an emerging market, and about as morally ambiguous as the arms market. A mirror image of cybersecurity services, which protect organizations against malware targeted attacks and advanced persistent threats, a “legal” malware service offers platforms and programs to bore into a suspect organization to extract information needed for prosecution. One can use this technology to cripple an organization as well. Forbes, February 26, 2015
Fine Arts Museums Threaten Workers’ Information Security, Union Says: Just as museum guards were about to line up, dip their thumbs onto a virtual ink pad and give out perhaps their most sensitive personal information to an outside company, their union said, no — let’s march on City Hall. SFWeekly, February 24, 2015
Hackers Cut in Line at the Burning Man Ticket Sale—And Get Caught: Burning Man has practically gone mainstream. The once-fringe desert camping festival is now cultural fodder for The Simpsons and Taco Bell commercials. Celebrities and CEOs routinely attend. So it’s no surprise that 40,000 Burning Man tickets sold out in less than an hour last Wednesday when they went on sale. Wired, February 23, 2015

Cyber Sunshine

Ramnit Botnet Disrupted By International Public-Private Collaboration: Europol leads the effort to bring down the bank credential-stealing botnet that infected 3.2 million computers across the globe. DarkReading, February 25, 2015

Vulnerability and Patch Report, March 1, 2015

Important Security Updates

AVG Free Edition: AVG has released version 2015.0.5751 of its 64 and 32 bit Free Edition. Updates are available on AVG’s website.
Mozilla Firefox: Mozilla has released version 36 to fix at least 11 highly critical vulnerabilities. Updates are available within the browser or from Mozilla’s website.
Opera: Opera has released version 27.0.1689.76. Updates are available from within the browser or from Opera’s website.
Piriform CCleaner: Piriform has released version 5.03.5128 for CCleaner. Updates are available from Piriform’s website.
TechSmith Corporation SnagIt: TechSmith has released version for SnagIt. Updates are available from TechSmith’s website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.10
Dropbox 3.2.6 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 36
Google Chrome 40.0.2214.115
Internet Explorer 11.0.9600.17633
Java SE 8 Update 31 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
Safari 5.1.7
Safari 7.1.3 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports Cisco has released updates and partial fixes for its Cisco Security Manager (CSM), Cisco Email Security, IronPort Email Security Appliance, Cisco Web Security, IOS XR, Network Convergence System 6000 (NCS 6000) and Carrier Routing System X (CRS-X) and others. Apply updates.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2015 Citadel Information Group. All rights reserved.