‘Wardriving’ Hackers Cracked Wi-Fi Networks From Black Mercedes: Seattle police are investigating a criminal ring they believe used a specially outfitted Mercedes to hack into the Wi-Fi networks of area businesses, a practice called “wardriving.” SecurityNewsDaily April 25, 2011
Bizarre pornography raid underscores Wi-Fi privacy risks: BUFFALO, N.Y. — Lying on his family room floor with assault weapons trained on him, shouts of “pedophile!” and “pornographer!” stinging like his fresh cuts and bruises, the Buffalo homeowner didn’t need long to figure out the reason for the early morning wake-up call from a swarm of federal agents. That new wireless router. He’d gotten fed up trying to set a password. Someone must have used his Internet connection, he thought. MSNBC News April 25, 2011
Where Did That Scammer Get Your Email Address?: You’ve seen the emails: They claim to have been sent by a financial institution in a faraway land, or from a corrupt bureaucrat in an equally corrupt government. Whatever the ruse, the senders always claim to need your help in spiriting away millions of dollars. These schemes, known as “419,” “advance fee” and “Nigerian letter” scams seemingly have been around forever and are surprisingly effective at duping people. But where in the world do these scammers get their distribution lists, and how did you become a target? Krebs on Security April 25, 2011
Ex-Gucci admin accused of $200,000 IT rampage: A network engineer fired by fashion house Gucci has been charged with going on an IT rampage against his former employer in which he deleted data, shut down servers and left the company nursing an estimated $200,000 cleanup bill. Computerworld April 6, 2011
Cyber attack forces ORNL to shut down Internet access; experts probing Advanced Persistent Threat: A highly sophisticated cyber attack — known as Advanced Persistent Threat or APT — forced Oak Ridge National Laboratory to shut down all Internet access and email systems over the weekend. Knox News April 18, 2011
Where is the “Public Awareness” in the Cyber Security Public Awareness Act?: Last week, Senators Sheldon Whitehouse (D-RI) and Jon Kyl (R-AZ) introduced the Cyber Security Awareness Act of 2011 (S.813). Forbes April 26, 2011
DHS Secretary Calls for Public-Private Alliance to Battle Cyber-Attacks: In a speech to California college students, Department of Homeland Security Secretary Janet Napolitano discussed how the public, government and private industry can work together to contain rapidly evolving cyber-threats. eWeek April 26, 2011
Millions of Passwords, Credit Card Numbers at Risk in Breach of Sony Playstation Network: Sony warned today that intruders had broken into its PlayStation online game network, a breach that may have jeopardized the user names, addresses, passwords and credit card information of up to 70 million customers. Krebs on Security April 26, 2011
Sony unsure if PlayStation Network user data was stolen: Sony has yet to determine if customers’ personal information and credit card details have been stolen as part of an external intrusion into its system that has left PSN, the PlayStation network, inaccessible for five days. The Register April 25, 2011
Sony Faces Lawsuit, Regulators’ Scrutiny Over PlayStation Breach: Sony Corp. (6758)’s network entertainment unit faced a legal and regulatory backlash over delays in telling 77 million subscribers that their personal account data may have been stolen by a hacker. Bloomberg April 28, 2011
Microsoft, FBI Reprogram Botnet to Remove Coreflood Permanently: While the Federal Bureau of Investigation has seized control of the Coreflood botnet, it is now working with Microsoft to try to permanently remove malware from thousands of infected zombie machines to prevent Coreflood from springing back to life. eWeek April 28, 2011
FBI warns U.S. businesses of new Chinese cybercrime scheme: Washington (CNN) — FBI agents combating international cybercrime are currently battling hackers on two new fronts — from a remote corner of China to the virtual battlefields of “Call of Duty” emanating from the family playroom. CNN April 28, 2011
Apple Speaks Out on iPhone Tracking, Promises to Encrypt Location Data: Apple released a Q&A about the location data that’s stored on the iPhone. In the statement, the company says broadly that it does not track the iPhone’s location, and that the data, which is currently stored in an unprotected file, will be encrypted in the next major update of iOS. In the statement, Apple admits that iPhones send location data to Apple to maintain a crowd-sourced database of Wi-Fi hotspots and cell phone towers, as many have suspected. However, the company says the locations recorded can be up to 100 miles away from where the phone actually is, and that the data is sent anonymously. PC Magazine April 25, 2011
Windows Phone stores your location too: After all the coverage of iPhone and Android location tracking, Microsoft says its mobile platform does the same thing. The software giant has confirmed Windows Phone 7 automatically tracks user location data whether or not the user has GPS service enabled. TG Daily April 27, 2011
Jobs Says Apple Made Mistakes With iPhone Data: SAN FRANCISCO — Hoping to put to rest a growing controversy over privacy, Steven P. Jobs, Apple’s chief executive, took the unusual step of personally explaining that while Apple had made mistakes in how it handled location data on its mobile devices, it had not used the iPhone and iPad to keep tabs on the whereabouts of its customers. The New York Times April 27, 2011
Scammers take advantage of Epsilon data breach: Scammers are currently taking advantage of the data breach that affected email security provider Epsilon recently, by creating a copy of Epsilon’s website and claiming that people can download a ‘security tool’ that tells them whether they have been affected. Virus Bulletin, April 18, 2011 [Read Citadel's analysis of Epsilon here.]
Cybercriminals Target Consumers Looking to Give Disaster Relief: The emails read: “I’m Mrs. Mariam Ellis, a devoted humanitarian, with your assistance I want to set up a foundation (worth millions of dollars) to help the victims of Tsunami in Japan and other environments around the world. The funds are available. Please contact me for more details…”. Fox News
Scam may target Texans after personal data leak. Telephone scammers may be targeting the nearly 3.5 million Texans who had their Social Security numbers and other vital personal information inadvertently exposed to the public, the state attorney general’s office warned Tuesday. Bloomberg BusinessWeek, April 19, 2011
‘Naked pic’ scam spreads across Internet: A new email scam is hoping to catch eager Web surfers with their pants down. MSNBC, Security News Daily
Android Skype Users Had Personal Info Exposed to Malicious Apps: Android users of Skype may have had their personal sensitive information stolen due to malicious applications stealing user data from their phones due to file permissions that were incorrectly assigned due to a vulnerability in the method Skype’s Android application stored their data. TopTechReviews.net, April 18, 2011
Amazon Cloud Failure Takes Down Web Sites. A widespread failure in Amazon.com’s Web services business was still affecting many Internet sites on Friday morning, highlighting the risks involved when companies rely on so-called cloud computing. New York Times, April 21, 2011
ISSA of Los Angeles Announces Carl Terzian Distinguished Keynote Speaker at 3rd Annual Information Security Summit. The Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) announces Carl Terzian, chairman of Carl Terzian Associates, as Distinguished Keynote Speaker at its third annual Information Security Summit on Protecting Businesses from Cyber Attacks. The theme of this year’s Summit is The Growing Cyber Threat: Protect Your Business. The Summit will be held Wednesday, June 15, 2011 at 7:30 AM on the UCLA Campus and will be hosted by UCLA Extension. PRLog.org, April 22, 2011 [Visit ISSA-LA for more information or to register]
U.S. Government Targets Ring Infecting 2.3 Million Computers: The FBI and the Justice Department on Wednesday began dismantling a ring of international computer thieves who stole hundreds of millions of dollars worldwide by infecting over 2.3 million computers with malicious software. It was the biggest such enforcement action U.S. authorities have ever taken against cyber criminals. Fox News, April 13, 2011
U.S. Government Takes Down Coreflood Botnet: The U.S. Justice Department and the FBI were granted unprecedented authority this week to seize control over a criminal botnet that enslaved millions of computers and to use that power to disable the malicious software on infected PCs. KrebsOnSecurity, April 14, 2011
Verizon Security Report: Data Breaches At New Highs In 2010: According to a new report by Verizon and the U.S. Secret Service, a record number of data breaches were reported in 2010, though the number of compromised records dropped dramatically to 4 million in 2010 from 144 million in 2009. Huffington Post, April 19, 2011
Are Megabreaches Out? E-Thefts Downsized in 2010: The number of financial and confidential records compromised as a result of data breaches in 2010 fell dramatically compared to previous years, a decrease that cybercrime investigators attribute to a sea-change in the motives and tactics used by criminals to steal information. At the same time, organizations of all sizes are dealing with more frequent and smaller breaches than ever before, and most data thefts continue to result from security weaknesses that are relatively unsophisticated and easy to prevent. Krebs On Security, April 19, 2011
Security lags cyberattack threats in critical industries, report finds: The world’s water treatment plants, power grids, and other vital industries are seeing escalating cyberattacks, but are not ramping up security fast enough, says a new global report. Christian Science Monitor, April 20, 2011
Sharp Rise in Cyber Attacks on Grids Is Reported: McAfee, a network security firm in Santa Clara, Calif., and Georgetown University’s Center for Strategic and International Studies (CSIS) have issued a report documenting a high rate of cyber attacks against the electric power grids in 14 countries surveyed. Of 200 IT executives questioned, 40 percent thought vulnerabilities had increased, 30 percent thought their companies were not adequately prepared, and 40 percent expected a major attack in the next year. Energy Wise, April 20, 2011
National lab lax in securing nuclear stockpile information, says audit. Lawrence Livermore National Laboratory has fallen short in securing information about the US nuclear stockpile, according to a Department of Energy (DOE) audit. infosecurity, April 20, 2011
Obama Calls for Secure Online-Identity System. President Barack Obama unveiled an ambitious proposal Friday urging the private sector to create a trusted-identity system to boost consumer security in cyberspace. Digital rights groups cautiously welcomed the first-of-its-kind government proposal, calling it a blueprint for increased internet security and privacy, as the nation drifts to the virtual world to take care of basic needs from grocery shopping to paying taxes and dating. Wired, April 15, 2011
The Web’s Trust Issues: The most dubious phrase in English after “act natural” is “trust me”. A party asking for trust without offering a reason why is probably untrustworthy. And yet the internet’s entire security ecosystem relies on precisely that reasoning. Browsers believe in the integrity of secured websites based on other unknown parties’ word. In these complicated times such implicit trust may be misplaced. Thankfully, work is afoot to change how trust is assigned, and it cannot come too quickly. The Economist, April 18, 2011
Tracking File Found in iPhones: Apple faced questions on Wednesday about the security of its iPhone and iPad after a report that the devices regularly record their locations in a hidden file. New York Times, April 20, 2011
French Hacker Cuffed After Bragging on Telly: A French hacker who boasted of breaking into the systems of a government security contractor on national television has suffered some unsurprising consequences. The Register, April 14, 2011
The following software updates were released last week. Citadel Information Group strongly recommends that readers upgrade these programs on their computers.
Adobe Reader and Acrobat: Adobe has released updates for both Reader and Acrobat to patch the vulnerabilities we reported last week. Updates are available for Windows, Mac and Linux versions. The update is available through the Reader & Acrobat programs via “Help > Check for Updates.”
Apple iTunes 10.2.2: Apple has released version 10.2.2 patching two vulnerabilities. The update is available through iTunes via “Help > Check for Updates.”
Skype for Android: Skype has released version 1.0.0.983 for the Android to patch a vulnerability.
Newly Announced Unpatched Vulnerabilities
None
Important Unpatched Vulnerabilities
Apple iOS: Our research fails to determine if iOS 4.3.2 fixes the critical vulnerability identified during the recent “computer hacking” Pwn2Own competition.
Apple Safari 5.x: The critical zero-day vulnerability in Safari 5.x continues unpatched. We continue to consider Safari unsafe for browsing. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 18.
AOL: The zero-day vulnerability in the way AOL handles Rich Text Files remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 4.
BlackBerry: The zero-day vulnerability affecting the browser in BlackBerry Software versions 6.0 and later remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 18.
CA Internet Security Suite: The highly critical zero-day vulnerabilities in versions 6.x and 7.x of this popular all-in-one security program remain unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 3.
Easy File Sharing Web Server 5.8: The moderately critical zero-day vulnerability remains unpatched. We highly recommend users refrain from using this software — or any other similar Peer-to-Peer file sharing software. We alerted readers more than a year ago that the FTC had warned businesses and users about the dangers of Peer-to-Peer (P2P) file-sharing networks. These products are known sources of security leaks, both from misconfigurations and from unpatched vulnerabilities.
HTC Mobile Devices: The security vulnerability in the default Twitter application (Peep) in HTC products remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11.
Microsoft Reader: The highly critical zero-day vulnerability in Microsoft Reader, versions 2.x, remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15.
PDF-Pro: Several highly critical zero-day vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4.
If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.
If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they will issue an update patch to fix the code running in their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
The following software updates were released last week. Citadel Information Group strongly recommends that readers upgrade these programs on their computers.
Adobe Flash: Adobe has released version 10.2.159.1, correcting a critical security vulnerability. The update is available here.
Apple iOS: Apple has released iOS 4.3.2 and iOS 4.2.7 for the iPhone, iPad and iPod touch. The update can be installed from inside iTunes. More information is available here.
Apple OS X: Apple has released a security update for OS X. The update is available here.
Apple Safari 5.0.5: Apple has released a security update for Safari. The update is available here.
CA Total Defense: CA has issued version r12 SE2 to fix multiple moderately critical vulnerabilities in its security software. More information is available here.
Google Chrome: Google has released Chrome 10.0.648.205 for Windows, Mac, Linux, and Chrome Frame to address multiple highly critical vulnerabilities. Google Chrome is updated from inside the program.
Microsoft Windows & Office Updates: Microsoft released a record number of software updates fixing at least 64 security vulnerabilities in its Windows operating systems and Office products, including at least one that attackers are actively exploiting. You can check that these updates were automatically installed by going to the “Security Center,” accessible from the Windows “Control Panel.”
Microsoft Internet Explorer 6, 7 & 8: Microsoft released security updates for Windows IE6, IE7 and IE8. The updates fix 5 security vulnerabilities, including one that is being actively exploited. According to Microsoft, these IE8 updates, together with the Windows and Office updates, fix the vulnerability we have been tracking since last December. We have, accordingly, removed Internet Explorer 8 from our “Unsafe for Browsing” list.
RealPlayer 14.0.3: RealPlayer has released an upgrade that fixes the highly critical vulnerability we first reported on in our Weekend Report of March 25. The update is available here.
VLC Media Player: VLC has updated Media Player to version 1.1.9. This update fixes the vulnerability we listed last week. The upgrade is available here.
Newly Announced Unpatched Vulnerabilities
Adobe Reader & Acrobat: The same highly critical zero-day vulnerability that resulted in this week’s Flash upgrade also affects both Reader and Acrobat. Adobe says it will have updates available for these programs in the next 10 days.
Microsoft Reader: A highly critical zero-day vulnerability has been found in Microsoft Reader, versions 2.x. No patch is available at this time. Users are cautioned to apply the same skeptical attitude towards Microsoft eBooks that they apply to unexpected attachments in emails—don’t open without independent confirmation of validity.
Important Unpatched Vulnerabilities
Apple iOS: Our research fails to determine if iOS 4.3.2 fixes the critical vulnerability identified during the recent “computer hacking” Pwn2Own competition.
Apple Safari 5.x: The critical zero-day vulnerability in Safari 5.x continues unpatched. We continue to consider Safari unsafe for browsing. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 18.
AOL: The zero-day vulnerability in the way AOL handles Rich Text Files remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 4.
BlackBerry: The zero-day vulnerability affecting the browser in BlackBerry Software versions 6.0 and later remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 18.
CA Internet Security Suite: The highly critical zero-day vulnerabilities in versions 6.x and 7.x of this popular all-in-one security program remain unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 3.
Easy File Sharing Web Server 5.8: The moderately critical zero-day vulnerability remains unpatched. We highly recommend users refrain from using this software — or any other similar Peer-to-Peer file sharing software. We alerted readers more than a year ago that the FTC had warned businesses and users about the dangers of Peer-to-Peer (P2P) file-sharing networks. These products are known sources of security leaks, both from misconfigurations and from unpatched vulnerabilities.
HTC Mobile Devices: The security vulnerability in the default Twitter application (Peep) in HTC products remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11.
PDF-Pro: Several highly critical zero-day vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4.
Last month witnessed the security breach of RSA Security, a leader in the information security industry, whose products are used to secure financial and other high risk transactions. The breach at RSA contains important security lessons for all organizations. (For an account of the attack, see cnet news.)
The success of the cyber attack at RSA was the result of two specific weaknesses, one human and the other technical.
The human weakness is curiosity. We are a curious species. Our human curiosity is often a good thing. It’s the starting point for our creativity. There would be no computers were we not curious; indeed, it’s unlikely there would even be a wheel.
But sometimes, as the saying goes, curiosity can kill the cat. That’s what happened in the RSA breach. An employee at RSA received an email with an attached Excel spreadsheet provocatively entitled “2011 Recruitment plan.xls.” Curious, he opened the attachment—just as the cyber criminals behind this attack expected. This set the stage for the cyber criminals to exploit the technical weakness.
The attachment wasn’t just an Excel spreadsheet. It had been booby-trapped to ‘explode’ when it was opened, invisibly installing a Trojan horse on the user’s computer. The Trojan horse—a particularly malicious type of malware program known as an Advanced Persistent Threat—gave the cyber criminals complete access to the employee’s computer, a beachhead from which they successfully launched their attack on RSA’s network. (ISSA-LA’s monthly meeting in February included a presentation on Advanced Persistent Threats by David Nardoni and Jeff Dye. That presentation can be found here.)
If you work in a corporate environment, your computer may very well have been ‘locked down’ by the IT Department to prevent you from installing your own programs. If it’s not, it should be.
So how did this booby-trapped Excel spreadsheet manage to install a program on this employee’s computer? After all, RSA is one of the premier information security companies in the world. We can be pretty certain that their employees’ workstations are well locked down.
This gets us to the second weakness, the technical one. The software industry’s inconvenient truth is that every complex computer program is flawed. It’s these software flaws—programming errors—that let cyber criminals booby trap seemingly innocent files, like the Excel spreadsheet at RSA.
The cyber criminals who successfully breached RSA had found a flaw in Adobe’s popular Flash program. Adobe Flash is well known as having very critical security flaws, forcing Adobe to regularly issue upgrades that fix the flaws they know about. Indeed, as I write this, Adobe has announced the discovery of a new zero-day vulnerability which they expect to patch this week. (We notify readers of updates for Adobe Flash on our Weekly Patch and Vulnerability Report.)
The problem with the flaw that the cyber criminals used in the RSA attack was that—at the time of the attack—there was no upgrade that would fix it. The vulnerability was not even known to Adobe. This was a pure example of a zero-day vulnerability, a critical vulnerability for which no patch exists. By exploiting this vulnerability, the cyber criminals were able to use Adobe Flash to install their Trojan horse.
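The attack chain above (an Office attachment carrying a Flash object that the spreadsheet viewer hands to the vulnerable Flash player) is one a mail gateway can screen for without knowing the particular Flash flaw, because a Flash file announces itself with a fixed three-byte header. The following Python is an added illustration written for this page; it is not code from Citadel, RSA or Adobe. It assumes the gateway can hand it raw attachment bytes, relies on the real format facts that SWF files begin with FWS, CWS or ZWS and that legacy .xls files are OLE2 containers while .xlsx files are zip containers, and uses an assumed version-byte threshold to reduce false positives. The sample attachments are constructed stand-ins containing only a header, not any exploit content.

```python
import io
import zipfile

# Signatures of a Flash file header: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
# Container signatures: legacy binary Office (OLE2, .xls/.doc) and OOXML zip (.xlsx/.docx).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def swf_offsets(data):
    """Return offsets in `data` where an SWF header appears to start.

    A real SWF header is magic(3) + version(1) + file length(4). Requiring a
    plausible version byte (assumed range 1..40) cuts false positives from the
    letters FWS/CWS/ZWS occurring inside ordinary text.
    """
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            i = data.find(magic, start)
            if i < 0:
                break
            if i + 8 <= len(data) and 1 <= data[i + 3] <= 40:
                hits.append(i)
            start = i + 1
    return sorted(hits)


def scan_attachment(name, data):
    """Return a list of (location, offset) findings for embedded Flash content."""
    findings = []
    if data.startswith(ZIP_MAGIC):
        # OOXML parts are deflated inside the zip, so a raw byte scan of the file
        # would miss them; inspect each decompressed part instead.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                for off in swf_offsets(zf.read(member)):
                    findings.append(("%s:%s" % (name, member), off))
    else:
        # Legacy OLE2 files store their streams uncompressed in 512-byte sectors,
        # so a raw scan of the whole file is enough; unknown formats get the
        # same fallback scan.
        for off in swf_offsets(data):
            findings.append((name, off))
    return findings


def triage_message(attachments):
    """Gateway decision for one message: 'quarantine' if any attachment carries
    embedded Flash, otherwise 'deliver'. `attachments` maps filename -> bytes."""
    for name, data in attachments.items():
        if scan_attachment(name, data):
            return "quarantine"
    return "deliver"


def build_samples():
    """Constructed sample attachments (not real malware, no exploit content):
    a legacy .xls-style blob carrying an SWF header, an .xlsx-style zip with an
    SWF header in a media part, and a clean .xlsx-style zip."""
    swf_header = b"CWS\x0a" + (100).to_bytes(4, "little") + b"\x00" * 16
    legacy = (OLE2_MAGIC + b"\x00" * 504 + b"Workbook" + b"\x00" * 8
              + swf_header + b"\x00" * 100)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/media/image1.bin", swf_header)
    buf2 = io.BytesIO()
    with zipfile.ZipFile(buf2, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return {
        "2011 Recruitment plan.xls": legacy,
        "plan.xlsx": buf.getvalue(),
        "clean.xlsx": buf2.getvalue(),
    }


if __name__ == "__main__":
    samples = build_samples()
    for name, data in samples.items():
        print(name, scan_attachment(name, data))
    print(triage_message(samples))
```

The check is deliberately format-aware rather than a plain string search: a byte scan of an .xlsx would never see the deflated parts, which is exactly the kind of blind spot an attacker relies on. It complements, rather than replaces, the behaviour-based endpoint controls discussed in the lessons that follow, since it only catches attachments that still carry a recognisable Flash header.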
Lessons for Management:
Lesson 1: Create a culture of security.
Ensure your people are trained and educated in cyber security. They need to know that they are under cyber attack. They need to become naturally suspicious of unexpected emails. They need to recognize the cyber criminal danger signals, refraining from opening attachments that may be booby-trapped or clicking on potentially booby-trapped hyperlinks. Cyber criminals use publicly available information to try to convince targets that their emails are legitimate, relying on human gullibility to gain access. A simple and avoidable mistake, as demonstrated in RSA’s case, can be costly and embarrassing.
This basic rule of effective cyber security management is simple: Don’t be a victim of your own curiosity. Don’t open an email attachment or click on a hyperlink in an email unless you have independent confirmation from the sender that the email is legitimate. Period.
Lesson 2: Replace anti-virus software with security solutions specifically designed to block zero-day attacks
Another inconvenient truth is that anti-virus software often fails to block zero-day attacks and the Trojan horses they deliver. The antivirus detection rate for ZeuS—a well-known Trojan horse used to commit online bank fraud—is below 40%. This means that at any given time 60% of ZeuS variants will get past a company’s anti-virus software. Lesson 2 is that it is time to retire your basic anti-virus software, replacing it with a behaviorally-based solution that can detect and prevent zero-days and other malware from running on workstations.
Lesson 3: It’s not enough to try to prevent attacks. You must also be able to detect them and limit their damage.
Even as we bemoan the fact that RSA was breached, we can’t ignore the critical fact that RSA discovered the breach and took action to limit its damage. Compare this with the recent Stuxnet attack on Iran’s nuclear processing facilities; by the time Iranian authorities discovered the Stuxnet attack, the damage had been done. (See our blog post on Stuxnet.)
It’s a military security truism that—if the enemy discovers that you are planning to attack at dawn—it makes an enormous difference whether or not you know that the enemy knows. If you don’t know the enemy knows, you walk into a trap. If you know the enemy knows, you can change your plans.
HIPAA, the Payment Card Industry’s Data Security Standard, Gramm Leach Bliley, FTC security rules, ISO 27002 — all of these impose an audit and monitoring standard sufficient to detect and respond to a cyber attack. This makes having a robust Incident Response Plan a vital component of effective cyber security management.