Country’s Leading Internet Security Experts Spoke on Cybercrime at the ISSALA 3rd Information Summit: Twenty-two of the country’s leading experts on Internet security spoke at the Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) third annual Information Security Summit. The theme of this year’s Summit was The Growing Cyber Threat: Protect Your Business. More than 380 people attended the event on the University of California Los Angeles campus, and it was hosted by UCLA Extension. … “Cybercrime is rampant. This is open season for hackers. There has been an explosive growth in cybercrime, just within the last two weeks,” said ISSA-LA President Stan Stahl, Ph.D. “Yesterday’s defenses don’t work against the worst of today’s cyber-attacks. The Summit’s mission is what businesses, nonprofits and other organizations must do to stay ahead of the cybercriminals.” Newswire Today, June 16, 2011
Meeting the cybersecurity challenge: Eliminating threats is impossible, so protecting against them without disrupting business innovation and growth is a top management issue. McKinsey Quarterly, June, 2011
Analysis: Cyber raids fuel calls for training, monitoring: Employers rushing to boost cyber defences after a rash of U.S. online break-ins won’t block spies and thieves by simply throwing technology at the problem, since their core weakness is often badly-trained and managed workers. Reuters, June 17, 2011
Citigroup hacker attack affected more customers than first thought: The breach in Citigroup Inc.’s online security, affecting more customers than originally thought, shows that financial institutions still are struggling to block hackers and still are loath to explain to customers and the public what thieves took. Dr. Stahl is quoted in this story. The LA Times, June 17, 2011
IMF State-Backed Cyber-Attack Follows Hacks of Lab, G-20: The data theft from International Monetary Fund computers by hackers said to be linked to a foreign government follows incidents against companies and governments that illustrate the growth of cyber-attacks as an espionage tool. Bloomberg, June 13, 2011
ADP says investigating data breach: Automatic Data Processing Inc, the world’s largest payroll processor, on Wednesday said it had become the latest big financial company attacked by cyber criminals. Reuters, June 15, 2011
Computer game giant Sega falls victim to hackers: Sega, the computer games giant behind the best selling Sonic the Hedgehog series, has become the latest computer game giant to fall victim to hackers. The Telegraph, June 18, 2011
Trojan stealing Bitcoin users’ wallets, says Symantec: Bitcoins have become popular as an alternative to government-controlled currencies, but a new Trojan seems to be specifically targeting Bitcoin wallets in an attempt to steal funds, security firm Symantec warns. The news follows reports earlier this week of a Bitcoin user being hacked to the tune of 25,000 bitcoins, or about $500,000 USD. BetaNews, June 17, 2011
Court Favors Small Business in eBanking Fraud Case: Comerica Bank is liable for more than a half a million dollars stolen in a 2009 cyber heist against a small business, a Michigan court ruled. Experts say the decision is likely to spur additional lawsuits from other victims that have been closely watching the case. … Judge Patrick J. Duggan found that Dallas-based Comerica failed to act “in good faith” in January 2009, when it processed almost 100 wire transfers within a few hours from the account of Experi-Metal Inc. (EMI), a custom metals shop based in Sterling Heights, Mich. The transfers that were not recovered amounted to $560,000. KrebsOnSecurity, June 17, 2011
Hacker attacks show vulnerability of cloud computing: Dr. Stahl is quoted in this story about the vulnerability of cloud computing. As hackers continue their rampage against the world’s largest banks, defense contractors and technology companies, executives and government officials are confronting a sobering truth: The bad guys are winning. The LA Times, June 17, 2011
Draft data breach bill requires quick disclosure: Draft legislation is being circulated in Congress that would require firms to make reasonable efforts to secure customers’ personal data and to provide quick disclosures in the case of a data breach. Reuters, June 13, 2011
Feds may share cyber threat details with companies, DoD No. 2 says: PARIS — The U.S. government is considering sharing precise information on cyber threats with defense companies as a way of boosting security of corporate computer networks, Deputy Defense Secretary William Lynn said during a visit here on Thursday. Federal Times, June 16, 2011
The Fog of Cyberwar: What Are the Rules of Engagement?: There is speculation among some politicians and pundits that the fog of war will soon extend to the Internet, if it has not done so already, given a recent report that the U.S. Department of Defense will introduce its first cyberwarfare doctrine this month, combined with similar announcements from the governments of Australia, China and the U.K. (not to mention Google’s ongoing cyber spat with China). Less clear, however, are the rules of engagement—such as what constitutes an act of cyberwar as opposed to the cyberattacks that take place on government computers every day and who, if anyone, should mediate such disputes. Scientific American, June 13, 2011
Recommended Reading
China military paper urges steps against U.S. cyber war threat: China must boost its cyber-warfare strength to counter a Pentagon push, the country’s top military newspaper said on Thursday after weeks of friction over accusations that Beijing may have launched a string of Internet hacking attacks. Reuters, June 16, 2011
China’s hacking drains US economic power: There has always been industrial espionage, and sometimes it has involved governments spying on behalf of their home industries. In the last decade, however, China has stretched that practice to the point where it threatens the international economic system. By harnessing the power of the Internet and engaging in systematic, global industrial espionage on a massive scale, China’s cyber spies have made a mockery of international protections of intellectual property rights and patents. Richard Clark, Harvard Kennedy School, April 19, 2011
Planning a Smarter U.S. Defense Against Cyber-Villains: View: The threats from cyberspace grow more powerful and pernicious. Companies from Sony Corp. to Google Inc. (GOOG) to Lockheed Martin Corp. have admitted startling security lapses. The International Monetary Fund last month suffered a “very major” breach leading to the loss of sensitive data. Congress and executive branch agencies faced almost 2 billion cyber-attacks a month last year. Bloomberg, June 14, 2011
Lessons from Anonymous on cyberwar: “Cyberwar” is a heavily loaded term, which conjures up Hollywood inspired images of hackers causing oil refineries to explode. Some security celebrities came out very strongly against the thought of it, claiming that cyberwar was less science, and more science fiction. Last year on May 21, the United States Cyber Command (USCYBERCOM) reported reaching initial operational capability, and news stories abound of US soldiers undergoing basic cyber training, which all point to the idea that traditional super powers are starting to explore this arena. Aljazeera, March 10, 2011
The following software updates were released last week. Citadel Information Group strongly recommends that readers upgrade these programs on their computers.
Adobe Flash: Adobe has released an emergency security update to partially fix a vulnerability that the company warned is being actively exploited in targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message. The highly critical vulnerability exists in Flash Player version 10.3.181.16 and earlier for Windows, Macintosh, Linux and Solaris and version 10.3.185.22 and earlier for Android. Users running multiple web browsers need to separately upgrade Internet Explorer along with the other browsers they use. Users can find out what version of Flash they have running at this Adobe web site. Updates are available by browsing with the appropriate browser to the Flash Player Download Center. Bear in mind that the Download Center may attempt to foist additional unwanted software on you. If you’d prefer to update manually, the direct installers for Windows are available at this link. If you run into problems installing this update, you’ll want to uninstall previous versions of Flash Player and then try again. [Thanks to Brian Krebs of KrebsOnSecurity for detailed information on Adobe Flash updates.]
Google Chrome 12.0.742.91: Google has released Chrome 12.0.742.91 for Windows, Mac, Linux, and Chrome Frame to address multiple vulnerabilities, some of which are highly critical. Google Chrome can be updated from inside the program via the configuration icon.
Java 6 Update 26: Oracle has released an update to its ubiquitous Java software to fix at least 17 security vulnerabilities. Frankly, we don’t like Java. Cyber criminals regularly find and exploit its many bugs, making it a tool-of-choice for bypassing too many anti-virus and anti-malware programs. We agree with Brian Krebs at KrebsOnSecurity that if you don’t need Java, remove it … or at least disable it in your browser except when you need it. (In Firefox 4, this can be done from the “Content” tab found under “Tools / Options.”) Java 6 Update 26 (v. 1.6.0.26) can be obtained either through the updater built into Java (accessible from the Windows control panel) or by visiting java.com.
VLC Media Player 1.1.10: VideoLAN has released version 1.1.10 to address a highly critical vulnerability. The update is available from VideoLAN’s web site.
Newly Announced Unpatched Vulnerabilities (Zero-Days)
ACDSee Photo: Several highly critical zero-day vulnerabilities have been identified in various ACDSee photo products. Zero-day vulnerabilities have been identified in FotoSlate, Photo Editor 2008, and Picture Frame Manager. No patches are available at this time.
Google Chrome 11.x: A highly critical zero-day vulnerability has been identified in Google Chrome, version 11.x. No patch is available at this time. Readers are urged to upgrade to version 12.0.742.91 or later.
Symantec Mail Security: Multiple highly critical zero-day vulnerabilities have been reported in Symantec Mail Security. Systems affected include Symantec Mail Security for Microsoft Exchange 6.x, Domino 7.x and Domino 8.x. No patches are available at this time. Readers in corporate environments using Microsoft Exchange or Domino are urged to forward this notice to their IT personnel so they may take appropriate action.
Cyber Security Advisories from US CERT (United States Computer Emergency Response Team)
Adobe has issued a prenotification advisory indicating that it plans to release updates for Adobe Reader and Acrobat to address multiple vulnerabilities. The advisory indicates that updates for Windows and Macintosh will be available on June 14, 2011.
Microsoft has issued a Security Bulletin Advance Notification indicating that its June release will contain 16 bulletins. Nine of the bulletins will have the severity rating of critical. The notification states that these critical bulletins are for Microsoft Windows, Microsoft .NET framework, Microsoft Silverlight, Microsoft Forefront Threat Management Gateway, and Internet Explorer. The remaining 7 bulletins will have the severity rating of important. The notification states that these important bulletins are for Microsoft Windows, Microsoft Office, Microsoft SQL Server, and Microsoft Visual Studio. Release of these bulletins is scheduled for Tuesday, June 14, 2011.
VMware has released security advisory VMSA-2011-0009 to address multiple vulnerabilities. Readers in corporate environments are encouraged to forward this notice to their IT personnel as this advisory may apply to their information systems environment.
Important Unpatched Zero-Day Vulnerabilities.
Apple Safari 5.x: The critical zero-day vulnerability in Safari 5.x continues to be unpatched. We continue to consider Safari unsafe for browsing. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 18.
HTC Mobile Devices: The zero-day security vulnerability in the default Twitter application (Peep) in HTC products remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11.
Microsoft Office for Mac: A highly critical zero-day vulnerability has been discovered in Microsoft Office for the Mac which can be exploited by cyber criminals to take control of a user’s computer. Security updates are currently unavailable. We first alerted readers to this vulnerability in Weekend Vulnerability & Patch Report, May 13, 2011.
Microsoft Reader: The highly critical zero-day vulnerability in Microsoft Reader, versions 2.x, remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15.
PDF-Pro: Several highly critical zero-day vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4.
If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.
If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they will issue an update patch to fix the code running in their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
FBI Investigating Cyber Theft of $139,000 from Pittsford, NY: Computer crooks stole at least $139,000 from the town coffers of Pittsford, New York this week. The theft is the latest reminder of the widening gap between the sophistication of organized cyber thieves and the increasingly ineffective security measures employed by many financial institutions across the United States. KrebsOnSecurity, June 10, 2011
I.M.F. Reports Cyberattack Led to ‘Very Major Breach’: WASHINGTON — The International Monetary Fund, still struggling to find a new leader after the arrest of its managing director last month in New York, was hit recently by what computer experts describe as a large and sophisticated cyberattack whose dimensions are still unknown. The New York Times, June 11, 2011
Attacks on Sony, others show it’s open hacking season: There seems to be a groundswell of hacking activity recently. From the Epsilon breach that touched dozens of major U.S. companies and their millions of customers, and RSA replacing its customers’ SecurID tokens after attacks on several defense contractors to Sony sites getting pummeled by hackers on a regular basis–all within the last few months. What’s going on? Cnet, June 8, 2011
Citi Says Credit Card Customers’ Data Was Hacked: Citigroup acknowledged on Thursday that unidentified hackers had breached its security and gained access to the data of hundreds of thousands of its credit card customers in North America. The New York Times, June 9, 2011
Court: Passwords + Secret Questions = ‘Reasonable’ eBanking Security: A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week — if adopted by a U.S. district court in Maine — will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks. KrebsOnSecurity, June 8, 2011
InfraGard cyberattack a lesson in password protection: Not even a nonprofit that works with the FBI on cybersecurity issues is safe from hackers. Not even in metro Atlanta, which is home to more than 150 online security companies and a university that researches modern cyberattacks. Atlanta Business News, June 6, 2011
Some Top Apps Put Data at Risk: You’d think the spate of Internet security breaches this spring would have companies on their toes. But when it comes to wireless apps, some are still making rookie mistakes. The Wall Street Journal, June 8, 2011
Facebook Privacy: How to block facial recognition: You know those really unflattering photos on Facebook that you untagged at lightning speed? Now might be a good time to delete them…or at least check up on one new privacy setting. MacWorld, June 8, 2011
Operation Cupcake: MI6 replaces al-Qaeda bomb-making instructions with cupcake recipes: Hackers working for U.K. intelligence agency MI6 recently modified an online al-Qaeda magazine and replaced the bomb recipes inside with cake recipes. The Washington Post, June 3, 2011
Naming & Shaming Sources of Spam: SpamRankings.net is a project launched by the Center for Research in Electronic Commerce at the University of Texas at Austin. Its goal is to identify and call attention to organizations with networks that have been infiltrated by spammers. KrebsOnSecurity, June 7, 2011
One in four US hackers ‘is an FBI informer’: The underground world of computer hackers has been so thoroughly infiltrated in the US by the FBI and secret service that it is now riddled with paranoia and mistrust, with an estimated one in four hackers secretly informing on their peers, a Guardian investigation has established. The Guardian, June 6, 2011
Spain Detains 3 in PlayStation Cyberattacks: The Spanish police said on Friday that they had apprehended three men suspected of computer hacking in connection with recent attacks on Sony’s PlayStation Network as well as corporate and government Web sites around the world. The New York Times, June 10, 2011
U.S. urges code of conduct for Internet commerce: Companies using the Internet to do business should adhere to a code of conduct to reduce hacking and online theft, the Commerce Department said in a report issued on Wednesday. Reuters, June 8, 2011
SEC “seriously” looking at cybersecurity: Securities and Exchange Commission Chairman Mary Schapiro said this week she will “seriously consider” issuing additional guidance outlining when public companies should disclose cybersecurity breaches. Reuters, June 8, 2011
Online Companies Urged by U.S. to Boost Their Cyber Defenses: The U.S. Commerce Department recommended ways for companies with an online presence to bolster their defenses against cyber attacks as part of an Obama administration strategy on Internet security. Bloomberg, June 8, 2011
Dr. Stan Stahl, President of Citadel Information Group, based in Los Angeles, CA, was interviewed by Jim Goyjer of the Carl Terzian Channel on BigMediaUSA.com. Stan spoke about his pioneering days in Information Security, his company, the upcoming 3rd Annual Information Security Summit hosted by the Los Angeles Chapter of ISSA and why every business person and consumer needs to be aware and paying attention to cyber threats and taking proactive steps to protect themselves. Citadel provides information and security management services to middle market organizations. BigMediaUSA.com, May 31, 2011
The following software updates were released last week. Citadel Information Group strongly recommends that readers upgrade these programs on their computers.
Cisco Releases Security Advisories for Multiple Products: Cisco has released security advisories for four products to address multiple vulnerabilities. These products include Cisco Unified IP phones, Cisco Network Registrar, Cisco AnyConnect Secure Mobility Client, and Cisco Media Experience. Exploitation of the vulnerabilities may allow an attacker to execute arbitrary code, operate with escalated privileges, or gain administrative access. US-CERT encourages users and administrators to review the following Cisco security advisories and apply any necessary updates to help mitigate the risks.
Gmail Phishing Attack: US-CERT is aware of public reports of a phishing attack that specifically targets US government and military officials’ Gmail accounts. The attack arrives via an email sent from a spoofed address of an individual or agency known to the targeted user. The email contains a “view download” link that leads to a fake Gmail login page. The login information is then sent to an attacker. Google has indicated that this phishing campaign has been disrupted and that affected parties have been notified. Click here for the steps to help mitigate the risks.
Apple Releases Malware Detection Tool: Apple has released Security Update 2011-003 for Mac OS X in response to the recent Mac fake anti-virus software.
Newly Announced Unpatched Vulnerabilities (Zero-Days)
None
Special Cyber Security Warnings
Web-based Phishing Attacks: As we noted above, US-CERT has reported on the Gmail phishing attack, and Google has also reported on it and lists specific steps to improve your security when using Google products. Users should be aware that there has been a variety of recent attacks on other popular webmail platforms. In addition to Gmail, Hotmail and Yahoo! Mail have also been targeted. While the attacks appear to have been conducted separately, they have some significant similarities.
In the past week, Citadel has helped several clients take immediate remediation steps to regain control of their Yahoo! email accounts. Further, Citadel personnel provided guidance to ensure users won’t repeat the same mistakes, thereby keeping the cyber criminals from doing further damage.
Important Unpatched Zero-Day Vulnerabilities.
Apple iOS: Our research still fails to determine if iOS 4.3.2 fixes the critical vulnerability identified during the recent “computer hacking” Pwn2Own competition. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, May 13, 2011.
Apple Safari 5.x: The critical zero-day vulnerability in Safari 5.x continues to be unpatched. We continue to consider Safari unsafe for browsing. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 18.
HTC Mobile Devices: The zero-day security vulnerability in the default Twitter application (Peep) in HTC products remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11.
Microsoft Office for Mac: A highly critical zero-day vulnerability has been discovered in Microsoft Office for the Mac which can be exploited by cyber criminals to take control of a user’s computer. Security updates are currently unavailable. We first alerted readers to this vulnerability in Weekend Vulnerability & Patch Report, May 13, 2011.
Microsoft Reader: The highly critical zero-day vulnerability in Microsoft Reader, versions 2.x, remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15.
PDF-Pro: Several highly critical zero-day vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4.