Anonymous hacker group hits Apple, publishes data: The Internet vigilante hacker group Anonymous claimed to have broken into an Apple Inc (AAPL.O) server and published a small number of usernames and passwords for one of the U.S. technology company’s websites. Reuters, July 4, 2011
Washington Post Reports Data Breach on Job Ads Section: The Washington Post has alerted job seekers who use its employment pages of a data breach that compromised up to 1.27 million accounts. The publisher wrote on its website that the “Jobs” section was attacked by an “unauthorized third party” once on June 27 and once on June 28. The attackers obtained user IDs and e-mail addresses, but did not get passwords or other personal information. PC World, July 7, 2011
AntiSec Hackers Hit F.B.I. Contractor: Hackers who have claimed responsibility for a spate of recent break-ins said on Friday that they had infiltrated the network of IRC Federal, an engineering contractor that works for federal agencies including the Federal Bureau of Investigation, and stole internal documents from its database and e-mail system. The New York Times, July 8, 2011
Kiplinger Warns Customers Hackers Breached Computer Network, Stole Data: Kiplinger Washington Editors Inc., the publisher of Kiplinger’s Personal Finance, warned customers that hackers breached its computer network on June 25 and stole account data, including credit card numbers. Bloomberg, July 9, 2011
New cyberattacks target small businesses: Criminals who infect websites are making the Internet much riskier for small business owners. Since early June, one gang has been using a uniquely insidious type of automated attack to inject malicious code on some 20,000 to 30,000 sites, many of them small businesses that rely on the Internet to reach customers, says Wayne Huang, chief technical officer at website security firm Armorize. USA Today, July 4, 2011
Attacks on websites spark demand for cyber-security experts: The cyber-security industry is on Defcon 1 high alert. The recent rash of attacks on dozens of websites including those of the CIA, the FBI and even PBS is roiling the security industry and increasing demand for cyber-defense experts. LA Times, July 5, 2011
PDFs that exploit iPhone, iPad zero-day available on the Web: Hours after developers revealed they had exploited bugs in Apple’s iOS to “jailbreak” iPhones and iPads, German government security authorities warned that one of the flaws could be put to malicious use. Computer World, July 7, 2011
Apple girding gadgets against hackers: Apple on Friday said it was working to patch a vulnerability that hackers could use to break into the company’s popular iPad, iPhone and iPod Touch gadgets. Engineers at the California firm are fixing a weakness pointed out by the German Federal Office for Information Security (BSI). AFP, July 8, 2011
Meet the Hackers with a Cause: Hacker groups that attack or steal — some estimates say there are as many as 6000 of such groups online with about 50,000 “bad actors” around the world drifting in and out of them — are a threat, but the goals, methods, effectiveness of these groups varies widely. PC World, July 9, 2011
U.S. Suspects Contaminated Foreign-Made Components Threaten Cyber Security: Some foreign-made computer components are being manufactured to make it easier to launch cyber attacks on U.S. companies and consumers, a security official at the the Department of Homeland Security said. ABC News, July 9, 2011
Country’s Leading Internet Security Experts Spoke on Cybercrime at the ISSALA 3rd Information Summit: Twenty-two of the country’s leading experts on Internet security spoke at the Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) third annual Information Security Summit. The theme of this year’s Summit was The Growing Cyber Threat: Protect Your Business. More than 380 people attended the event on the University of California Los Angeles campus, and it was hosted by UCLA Extension. … “Cybercrime is rampant. This is open season for hackers. There has been an explosive growth in cybercrime, just within the last two weeks,” said ISSA-LA President Stan Stahl, Ph.D. “Yesterday’s defenses don’t work against the worst of today’s cyber-attacks. The Summit’s mission is what businesses, nonprofits and other organizations must do to stay ahead of the cybercriminals.” Newswire Today, June 16, 2011
Meeting the cybersecurity challenge: Eliminating threats is impossible, so protecting against them without disrupting business innovation and growth is a top management issue. McKinsey Quarterly, June, 2011
Analysis: Cyber raids fuel calls for training, monitoring: Employers rushing to boost cyber defences after a rash of U.S. online break-ins won’t block spies and thieves by simply throwing technology at the problem, since their core weakness is often badly-trained and managed workers. Reuters, June 17, 2011
Citigroup hacker attack affected more customers than first thought: The breach in Citigroup Inc.’s online security, affecting more customers than originally thought, shows that financial institutions still are struggling to block hackers and still are loath to explain to customers and the public what thieves took. Dr. Stahl is quoted in this story. The LA Times, June 17, 2011
IMF State-Backed Cyber-Attack Follows Hacks of Lab, G-20: The data theft from International Monetary Fund computers by hackers said to be linked to a foreign government follows incidents against companies and governments that illustrate the growth of cyber-attacks as an espionage tool. Bloomberg, June 13, 2011
ADP says investigating data breach: Automatic Data Processing Inc, the world’s largest payroll processor, on Wednesday said it had become the latest big financial company attacked by cyber criminals. Reuters, June 15, 2011
Computer game giant Sega falls victim to hackers: Sega, the computer games giant behind the best selling Sonic the Hedgehog series, has become the latest computer game giant to fall victim to hackers. The Telegraph, June 18, 2011
Trojan stealing Bitcoin users’ wallets, says Symantec: Bitcoins have become popular as an alternative to government-controlled currencies, but a new Trojan seems to be specifically targeting Bitcoin wallets in an attempt to steal funds, security firm Symantec warns. The news follows reports earlier this week of a Bitcoin user being hacked to the tune of 25,000 bitcoins, or about $500,000 USD. BetaNews, June 17, 2011
Court Favors Small Business in eBanking Fraud Case: Comerica Bank is liable for more than a half a million dollars stolen in a 2009 cyber heist against a small business, a Michigan court ruled. Experts say the decision is likely to spur additional lawsuits from other victims that have been closely watching the case. … Judge Patrick J. Duggan found that Dallas-based Comerica failed to act “in good faith” in January 2009, when it processed almost 100 wire transfers within a few hours from the account of Experi-Metal Inc. (EMI), a custom metals shop based in Sterling Heights, Mich. The transfers that were not recovered amounted to $560,000. KrebsOnSecurity, June 17, 2011
Hacker attacks show vulnerability of cloud computing: Dr. Stahl is quoted in this story about the vulnerability of cloud computing. As hackers continue their rampage against the world’s largest banks, defense contractors and technology companies, executives and government officials are confronting a sobering truth: The bad guys are winning. The LA Times, June 17, 2011
Draft data breach bill requires quick disclosure: Draft legislation is being circulated in Congress that would require firms to make reasonable efforts to secure customers’ personal data and to provide quick disclosures in the case of a data breach. Reuters, June 13, 2011
Feds may share cyber threat details with companies, DoD No. 2 says: PARIS — The U.S. government is considering sharing precise information on cyber threats with defense companies as a way of boosting security of corporate computer networks, Deputy Defense Secretary William Lynn said during a visit here on Thursday.Federal Times, June 16, 2011
The Fog of Cyberwar: What Are the Rules of Engagement?: There is speculation among some politicians and pundits that the fog of war will soon extend to the Internet, if it has not done so already, given a recent report that the U.S. Department of Defense will introduce its first cyberwarfare doctrine this month, combined with similar announcements from the governments of Australia, China and the U.K. (not to mention Google’s ongoing cyber spat with China). Less clear, however, are the rules of engagement—such as what constitutes an act of cyberwar as opposed to the cyberattacks that take place on government computers every day and who, if anyone, should mediate such disputes. Scientific American, June 13, 2011 Recommended Reading
China military paper urges steps against U.S. cyber war threat: China must boost its cyber-warfare strength to counter a Pentagon push, the country’s top military newspaper said ckinsey on Thursday after weeks of friction over accusations that Beijing may have launched a string of Internet hacking attacks. Reuters, June 16, 2011
China’s hacking drains US economic power: There has always been industrial espionage, and sometimes it has involved governments spying on behalf of their home industries. In the last decade, however, China has stretched that practice to the point where it threatens the international economic system. By harnessing the power of the Internet and engaging in systematic, global industrial espionage on a massive scale, China’s cyber spies have made a mockery of international protections of intellectual property rights and patents. Richard Clark, Harvard Kennedy School, April 19, 2011
Planning a Smarter U.S. Defense Against Cyber-Villains: View: The threats from cyberspace grow more powerful and pernicious. Companies from Sony Corp. to Google Inc. (GOOG) to Lockheed Martin Corp. have admitted startling security lapses. The International Monetary Fund last month suffered a “very major” breach leading to the loss of sensitive data. Congress and executive branch agencies faced almost 2 billion cyber-attacks a month last year. Bloomberg, June 14, 2011
Lessons from Anonymous on cyberwar: “Cyberwar” is a heavily loaded term, which conjures up Hollywood inspired images of hackers causing oil refineries to explode. Some security celebrities came out very strongly against the thought of it, claiming that cyberwar was less science, and more science fiction. Last year on May 21, the United States Cyber Command (USCYBERCOM) reported reaching initial operational capability, and news stories abound of US soldiers undergoing basic cyber training, which all point to the idea that traditional super powers are starting to explore this arena. Aljazeera, March 10, 2011
The following software updates were released last week. Citadel Information Group strongly recommends that readers upgrade these programs on their computers.
Cisco Releases Security Advisories for Multiple Products: Cisco has released security advisories for four products to address multiple vulnerabilities. These products include Cisco Unified IP phones, Cisco Network Registrar, Cisco AnyConnect Secure Mobility Client, and Cisco Media Experience. Exploitation of the vulnerabilities may allow an attacker to execute arbitrary code, operate with escalated privileges, or gain administrative access. US-CERT encourages users and administrators to review the following Cisco security advisories and apply any necessary updates to help mitigate the risks.
Gmail Phishing Attack: US-CERT is aware of public reports of a phishing attack that specifically targets US government and military officials’ Gmail accounts. The attack arrives via an email sent from a spoofed address of an individual or agency known to the targeted user. The email contains a “view download” link that leads to a fake Gmail login page. The login information is then sent to an attacker. Google has indicated that this phishing campaign has been disrupted and that affected parties have been notified. Click here for the steps to help mitigate the risks.
Apple Releases Malware Detection Tool: Apple has released Security Update 2011-003 for Mac OS X in response to the recent Mac fake anti-virus software.
Newly Announced Unpatched Vulnerabilities (Zero-Days)
Special Cyber Security Warnings
Web-based Phishing Attacks: As we referred to above, and where US-Cert reports, as well Google reports and lists specific steps to improve your security when using Google products, users should be aware, there has been a variety of recent attacks on other popular Webmail platforms. In addition to Gmail, Hotmail and Yahoo! Mail have also been targeted. While the attacks appear to have been separately conducted, these have some significant similarities.
In the past week, Citadel has helped several clients take immediate re-mediating steps to take back control of their Yahoo! email accounts. Further, Citadel personnel provided guidance to ensure users won’t repeat the same mistakes, therefore keeping the cyber criminals from doing further damage.
Important Unpatched Zero-Day Vulnerabilities.
Apple iOS: Our research still fails to determine if iOS 4.3.2 fixes the critical vulnerability identified during the recent “computer hacking” Pwn2Own competition. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, May 13, 2011.
Apple Safari 5.x: The critical zero-day vulnerability in Safari 5.x continues to be unpatched. We continue to consider Safari unsafe for browsing. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 18.
HTC Mobile Devices: The zero-day security vulnerability in the default Twitter application (Peep) in HTC products remain unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11.
Microsoft Office for Mac: A highly critical zero-day vulnerability has been discovered in Microsoft Office for the Mac which can be exploited by cyber criminals to take control of a user’s computer. Security updates are currently unavailable. We first alerted readers to this vulnerability in Weekend Vulnerability & Patch Report, May 13, 2011.
Microsoft Reader: The highly critical zero-day vulnerability in Microsoft Reader, versions 2.x, remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15.
PDF-Pro: Several highly critical zero-day vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4.
If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.
If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they will issue an update patch to fix the code running in their customer’s computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
White House Unveils Global Cyberspace and Cybersecurity Policies The next Osama bin Laden may not be one bearded man hiding in a walled fortress but instead a group of highly skilled, faceless men behind computers. Cyberterrorism, while still largely science fiction, lurks around the corner as growing accounts of logic bombs in U.S. networks and cases of software that can cripple power plants continue to put the U.S. government in defensive mode. While we’ve made progress, such as establishing new positions within government for Cybersecurity Coordinator, aka Cyber Czar, and Commander of U.S. Cyber Command, aka CYBERCOM, there still exists a great need for a framework under which to view ongoing organic global change in the Internet and resources for responding to that change. In response, the White House this past week introduced to major policy documents. The Huffington Post, May 18, 2011
U.S. Calls for Global Cybersecurity Strategy: WASHINGTON — The Obama administration on Monday proposed creating international computer security standards with penalties for countries and organizations that fell short. The New York Times, May 16, 2011
The U.S. Cyber Policy Blitz: Over the past week, the White House has announced two big plans for improving Internet security. One is an international policy that seeks to promote Internet freedom while cracking down on the theft of intellectual property. The other is a domestic legislative proposal whose key features include tightening data-breach notification laws. Technology Review, May 18, 2011
Account Takeover: Where’s the Progress? In April, the Federal Bureau of Investigation warned of a new wave of wire fraud originating in China. The spree, which involves numerous unauthorized transfers to China-based hackers, is but the latest in a long line of corporate account takeover incidents small and mid-sized banking institutions have battled since the summer of 2009. Bank Info Security, May 18, 2011
Mass. unemployment agency hit by computer virus, possible data breach: The state’s labor department is apologizing for a computer virus infection that may have compromised sensitive data from as many as 210,000 unemployed workers. The Boston Herald, May 17, 2011
Report: PSN password resets exploited, accounts compromised again: Just two days after the PlayStation Network was restored after a near month-long outage, the PSN password page has apparently been exploited. According to reports, the exploit allows other users to reset your account password using only your e-mail address and date of birth. This personal data was made available to hackers during the initial PSN attack. Ars Technica, May 18, 2011
Sony CEO Warns of ‘Bad New World’: TOKYO—After spending weeks to resolve a massive Internet security breach, Sony Corp. Chief Executive Howard Stringer said he can’t guarantee the security of the company’s videogame network or any other Web system in the “bad new world” of cybercrime. The Wall Street Journal, May 18, 2011
Point-of-Sale Skimmers: Robbed at the Register: Michaels Stores said this month that it had replaced more than 7,200 credit card terminals from store registers nationwide, after discovering that thieves had somehow modified or replaced the machines to include point of sale (POS) technology capable of siphoning customer payment card data and PINs. The specific device used by the criminal intruders has not been made public. But many devices and services are sold on the criminal underground to facilitate the surprisingly common fraud. KrebsOnSecurity, May 18, 2011
Hackers hit Sony, more security issues raised: Reuters NEW YORK – Sony Corp has been hacked again, exposing more security issues for the company less than a month after intruders stole personal information from more than 100 million online user accounts. Business Spectator, May 21, 2011
Facebook opposes California bill on social network privacy settings: Facebook and other social network giants are opposing a new Californian bill, which requires all social network websites to make users’ information private by default. A spokesman claims that the bill would be a big threat to their businesses. International Business Times, May 17, 2011
10 Facebook Settings to Check Right Now As Facebook becomes the window to the Web for its more than 500 million users worldwide, the security of the social network has never been a hotter topic. The Detroit Free Press, May 16, 2011
Cybersecurity Safety Tips for Travelers – From the EC-Council: Airports are hotbeds for identity theft, and from rogue Wi-Fi hotspots to new wirelessly accessible e-passports, travelers have never been at greater risk. The EC-Council, an international cybersecurity training and consulting group, is urging travelers to be aware of the risks, and offers the following tips that can help travelers stay safe this summer. PRWeb, May 18, 2011 Report: Electronic medical records are vulnerable: WASHINGTON (AP) — The nation’s push to computerize medical records has failed to fully address longstanding security gaps that expose patients’ most sensitive information to hackers and snoops, government investigators warn. NECN.com, May 17, 2011 99% of Android phones leak secret account credentials: The vast majority of devices running Google’s Android operating system are vulnerable to attacks that allow adversaries to steal the digital credentials used to access calendars, contacts, and other sensitive data stored on the search giant’s servers, university researchers have warned. The Register, May 16, 2011 Google Fixes Android Public Wi-Fi Security Flaw A few days ago researchers at Ulm University in Germany found that it was “quite easy” for hackers to intercept data from Google’s photo-sharing, calendar and contacts applications, as well as potentially other Google services including Gmail, and already Google says it has “fixed” the problem. Zero Paid, May 20, 2011 Study Sees Way to Win Spam Fight: For years, a team of computer scientists at two University of California campuses has been looking deeply into the nature of spam, the billions of unwanted e-mail messages generated by networks of zombie computers controlled by the rogue programs called botnets. They even coined a term, “spamalytics,” to describe their work. Now they have concluded an experiment that is not for the faint of heart: for three months they set out to receive all the spam they could (no quarantines or filters need apply), then systematically made purchases from the Web sites advertised in the messages…The New York TImes, May 19, 2011
Cybersecurity Safety Tips for Travelers – From the EC-Council: Airports are hotbeds for identity theft, and from rogue Wi-Fi hotspots to new wirelessly accessible e-passports, travelers have never been at greater risk. The EC-Council, an international cybersecurity training and consulting group, is urging travelers to be aware of the risks, and offers the following tips that can help travelers stay safe this summer. PRWeb, May 18, 2011
Report: Electronic medical records are vulnerable: WASHINGTON (AP) — The nation’s push to computerize medical records has failed to fully address longstanding security gaps that expose patients’ most sensitive information to hackers and snoops, government investigators warn. NECN.com, May 17, 2011
99% of Android phones leak secret account credentials: The vast majority of devices running Google’s Android operating system are vulnerable to attacks that allow adversaries to steal the digital credentials used to access calendars, contacts, and other sensitive data stored on the search giant’s servers, university researchers have warned. The Register, May 16, 2011
Google Fixes Android Public Wi-Fi Security Flaw A few days ago researchers at Ulm University in Germany found that it was “quite easy” for hackers to intercept data from Google’s photo-sharing, calendar and contacts applications, as well as potentially other Google services including Gmail, and already Google says it has “fixed” the problem. Zero Paid, May 20, 2011
Study Sees Way to Win Spam Fight: For years, a team of computer scientists at two University of California campuses has been looking deeply into the nature of spam, the billions of unwanted e-mail messages generated by networks of zombie computers controlled by the rogue programs called botnets. They even coined a term, “spamalytics,” to describe their work. Now they have concluded an experiment that is not for the faint of heart: for three months they set out to receive all the spam they could (no quarantines or filters need apply), then systematically made purchases from the Web sites advertised in the messages…The New York TImes, May 19, 2011
Hackers Breach Second Sony Service: Sony Corp. said computer hackers breached security for a second online service, gaining access to personal information for 24.6 million customer accounts as part of a broader attack on the company that has compromised data for more than 100 million accounts. The Wall Street Journal, May 2, 2011
RSA Among Dozens of Firms Breached by Zero-Day Attacks: The recent data breach at security industry giant RSA was disconcerting news to the security community … The hackers who broke into RSA appear to have leveraged some of the very same Web sites, tools and services used in that attack to infiltrate dozens of other companies during the past year, including some of the Fortune 500 companies protected by RSA, new information suggests. KrebsOnSecurity. May 4, 2011
Password Manager Service LastPass Investigating Possible Database Breach: The “last password you’ll ever need” now requires a reset: LastPass is forcing users of the password manager service to change the single master password they created for accessing websites, virtual private networks, and Web mail accounts via the tool. The move comes in response to the company’s discovery of unusual network activity around one of its databases. Dark Reading, May 5, 2011
Sony offers PlayStation network users $1M insurance after hacking: Sony Chairman Howard Stringer apologized and offered U.S. users of its PlayStation Network and Qriocity online services a year of free identity-theft protection after the system was crippled by hackers. The Seattle Times, May 6, 2011
Fake security software takes aim at Mac users: ‘Rogueware’ plague expands from Windows to Mac OS, tries to dupe Apple users into paying $60-$80. Scammers are distributing fake security software aimed at the Mac by taking advantage of the news that al-Qaeda leader Osama Bin Laden has been killed by U.S. forces, a security researcher said today. Computer World, May 2, 2011
‘Weyland-Yutani’ Crime Kit Targets Macs for Bots:A new crimeware kit for sale on the criminal underground makes it a simple point-and-click exercise to develop malicious software designed to turn Mac OSX computers into remotely controllable zombie bots. According to the vendor of this kit, it is somewhat interchangeable with existing crimeware kits made to attack Windows-based PCs. KrebsOnSecurity, May 2, 2011
Hackers use bin Laden’s death as lure for the unwary: Computer hackers are disseminating spam, viruses and malicious software designed to ensnare the unwary with bogus videos, photos or other digital data about the killing of Osama bin Laden. The Washington Times, May 3, 2011
Scammers Swap Google Images for Malware: A picture may be worth a thousand words, but a single tainted digital image may be worth thousands of dollars for computer crooks who are using weaknesses in Google’s Image Search to foist malicious software on unsuspecting surfers. … On Wednesday, the SANS Internet Storm Center posted a blog entry saying they, too, were receiving reports of Google Image searches leading to fake anti-virus sites. According to SANS, the attackers have compromised an unknown number of sites with malicious scripts that create Web pages filled with the top search terms from Google Trends. KrebsOnSecurity, May 6, 2011
CYBER-SECURITY SYSTEM MIMICS HUMAN IMMUNE RESPONSE: Computer scientists and IT engineers are increasingly looking to the human immune system as a model for preventing attacks by cyber-hackers. They hope that in the near future computers will be able to communicate among themselves, recognize threats, and be able to monitor their own health — just like the cells inside our bodies. Discovery News, April 21, 2011
The Power Grid Brings Cyber-Security Concerns: The topic du jour across government and the electricity industry is the smart grid and the amazing efficiencies it will bring to the nation. There’s also, however, a growing chorus about potential cyber-security dangers as new smart grid infrastructures are designed and installed across North America. Is it real, hype or somewhere in between? Let’s start by defining the smart grid and then some of those security issues. Government Technology, April 28, 2011
White House cyber czar: Trusted Identities program is a secure “ecosystem”, not a national ID card: At this week’s Visa Global Security Summit in Washington, Howard Schmidt said the proposed National Strategy for Trusted Identities in Cyberspace (NSTIC) program will not only solve security challenges for internet users, but provide opportunities for commerce and security firms alike. At the same time, the White House advisor sought to calm the fears of privacy critics. Infosecurity, April 29, 2011
FBI Fails DOJ Audit on Cyber Security Investigations: According to a U.S. Department of Justice audit, the FBI is not doing an adequate job in investigating cyber intrusions. eSecurityPlanet, April 29, 2011
Survey: Educators lack training to teach online safety: America’s K-12 teachers are ill-prepared to educate students on the basics of online safety, security and ethics, and more than a third of teachers receive no training in cybersecurity issues, according to a coalition of government and private technology experts who released a study today. USA Today, May 4, 2011
Five things to do when a company leaks your personal info: Even if you’re not among customers put at risk by hackers stealing personal data from over 100 million user accounts at Sony, odds are that you or someone you know already has or will receive notice of a data breach notice from a bank, retailer, hospital, former employer, or even a government agency. Consumer Reports, May 6, 2011