Sunday, December 26, 2010

Weekend Vulnerability and Patch Report, December 24, 2010

The following software updates were released last week. Citadel strongly recommends that readers upgrade these programs on their computers.

Java Update: Sun has published an update to Java, its ubiquitous browser plug-in. The new version is Java 6, Update 23. Readers can identify their version of Java and get installation help here. Readers will want to pay attention in upgrading Java to make sure that the install does not also install other software, such as the Yahoo Toolbar. 

Important Vulnerabilities.

Microsoft Internet Explorer Vulnerability: Microsoft has warned in a security advisory that an exploit now exists for the critical security vulnerability in Internet Explorer that we wrote about last week. The exploit runs remotely over the Internet, compromising a user's system and stealing sensitive information. The vulnerability has been confirmed in all versions of Internet Explorer, including IE 7 and 8. The exploit for this vulnerability gets around two of the key security defenses built into Windows Vista and Windows 7. We suggest running the latest version of Firefox with the NoScript add-on as an alternative to IE. 

IBM Lotus Notes: Several security vulnerabilities have been identified in IBM Lotus Notes Traveler. Readers should update to version 8.5.1.3 or later. More information is available here.

Adobe Flash: Adobe Flash is a favorite of cyber criminals who seem able to regularly find critical security vulnerabilities in the program. Readers should make sure they are running the latest version of Flash. You can check your version of Adobe Flash here. 

Adobe Reader: Adobe Reader is another favorite of cyber criminals who seem able to regularly find critical security vulnerabilities in the program. Readers should make sure they are running the latest version of Reader. Readers can check for updates under "Help" in the menu bar. The latest version is 10.0.0.

If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.
 
If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that "exploit" vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they issue an update patch to fix the code running on their customers' computers.

The Weekend Vulnerability and Patch Report is intended to raise users' awareness of cyber security challenges by alerting them to some of the week's important vulnerability news and updates.
 
© Copyright 2010. Citadel Information Group. All Rights Reserved.

Sunday, December 19, 2010

Weekend Vulnerability and Patch Report, December 17, 2010

The following software updates were released last week. Citadel strongly recommends that readers upgrade these programs on their computers.

Microsoft Security Update: This month's Patch Tuesday from Microsoft contains 17 software updates plugging a total of 40 security holes. According to Microsoft the updates include fixes for at least 7 vulnerabilities in Internet Explorer versions 6, 7 & 8, including the 0-day vulnerability we've had on our vulnerability list for the last month. Patches are available through Microsoft Update (using IE) or Automatic Update.

Google Chrome Update: Google has released Chrome 8.0.552.224 to address multiple vulnerabilities. These vulnerabilities allow a cyber criminal to take control of a user's system and steal sensitive information or cause a denial-of-service condition. Users can get the Google Chrome update here.

F-Secure Anti-Virus Products: A vulnerability has been reported in various F-Secure products which can be exploited to compromise a user's system and steal sensitive information. Updates are distributed automatically by the update system. Users should make sure they are running the latest version.

Adobe Photoshop Update: A critical vulnerability has been discovered in Adobe Photoshop. A cyber criminal can exploit the vulnerability to take control of a user's system and steal sensitive information. The vulnerability has been confirmed in CS4 and CS5 for Windows. Other versions may also be affected. Users should apply the Adobe Photoshop 12.0.3 update for Adobe Photoshop CS5.

Apple AirPort Updates: Apple has released AirPort Utility 5.5.2 for Mac and Windows to fix security vulnerabilities. Apple has also fixed security vulnerabilities in its newly released AirPort Base Station and Time Capsule firmware update 7.5.2. Users can download these updates from Apple's Downloads page.
 
iTunes Update: Apple has released iTunes 10.1.1 which fixes several performance and security vulnerabilities.

Important Vulnerabilities.

Symantec Antivirus Alert Management System Vulnerability: A vulnerability has been reported in Symantec Antivirus, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is reported in Symantec Antivirus Corporate Edition 10.1.4.4010. Other versions may also be affected. No patch is available at this time.

Opera: Multiple vulnerabilities have been reported in Opera some of which can be exploited by malicious people to disclose potentially sensitive information and manipulate data. The vulnerabilities are reported in versions prior to 11.00. Users should upgrade to version 11.00 which can be found here. 

Microsoft Internet Explorer Vulnerability: On the same day that Microsoft finally fixed the security vulnerabilities that we had listed on our blog for a month, a new critical vulnerability was discovered in Internet Explorer, which can be exploited by malicious people to compromise a user's system and steal sensitive information. The vulnerability is confirmed in Internet Explorer 7 and 8 on a fully patched Windows XP SP3 system. We suggest running the latest version of Firefox with the NoScript add-on as an alternative to IE.

RealPlayer Vulnerabilities: Twenty-eight critical security vulnerabilities have been found in earlier versions of RealPlayer. Windows users should make sure they are running RealPlayer 14.0.0 or later. Mac users should make sure they are running version 12.0.0.1548 or later.

BlackBerry Vulnerabilities: RIM has released a security advisory to address a vulnerability that allows a cyber criminal to take control of a user's BlackBerry and steal sensitive information or cause a denial-of-service condition. Users should alert their IT staff to BlackBerry server security advisory KB24761 so that they may apply the necessary updates to help mitigate these risks. Vulnerabilities in BlackBerry Desktop Software have also been discovered. Windows users should make sure they are running BlackBerry Desktop Software version 6.0.1 or later. Macintosh users should make sure they are running BlackBerry Desktop Software version 2.0 or later.


Saturday, December 11, 2010

Weekend Vulnerability and Patch Report, December 10, 2010

The following software updates were released last week. Citadel strongly recommends that readers upgrade these programs on their computers.

Apple QuickTime Update: Apple has released QuickTime version 7.6.9. This update fixes 15 highly critical security vulnerabilities that a cyber criminal can use to take control of a user's system and steal sensitive information. Updates for both the Mac and Windows versions of the program are available through Apple Downloads. Windows users can also download and install the update through their iTunes or QuickTime Software Update feature. Mac users can update through the Mac's Software Update feature.

Firefox Update: Mozilla has released Firefox version 3.6.13, fixing several highly critical security vulnerabilities that a cyber criminal can use to take control of a user's system and steal sensitive information. Users can update by going to "Help/Check for Updates" on the Taskbar.

WordPress Update: A week after releasing 3.0.2, WordPress has released version 3.0.3 to address a highly critical vulnerability that allows a cyber criminal to change or delete a web site built in WordPress. A cyber criminal could also exploit the vulnerability to attack the computers of visitors to the web site. Users will want to notify their web master to upgrade to version 3.0.3. Users whose website has been built using Joomla will also want to notify their webmaster of two newly discovered Joomla vulnerabilities in that popular content management system.
 
Apple MacBook Firmware Update: Apple has released a firmware update for its 11-inch and 13-inch MacBook Air models. According to Apple, the "update resolves a rare issue where MacBook Air boots or wakes to a black screen or becomes unresponsive." While not a security update, users will want to apply it. Users can download the update here.
 
Important Vulnerabilities.

Microsoft Patch Tuesday: Microsoft is scheduled to release its monthly updates this coming Tuesday. Let's hope the IE Vulnerability we've been writing about is on the list. Make sure your PC gets updated.

Google Earth: A vulnerability has been discovered in Google Earth, which can be exploited by malicious people to take control of a user's system. The vulnerability is confirmed in version 5.1.3533.1731. Users should make sure they are running version 6.0.

Citrix Web Interface Vulnerability: A vulnerability has been found affecting versions 5.0, 5.1, and 5.3. The vulnerability does not affect version 5.4. You most likely want to update but check with IT staff before doing so.

Sunday, December 5, 2010

Weekend Vulnerability and Patch Report, December 3, 2010

The following software updates were released last week. Citadel strongly recommends that readers upgrade these programs on their computers.

McAfee VirusScan Enterprise: A highly critical vulnerability has been found in McAfee VirusScan Enterprise, which can be exploited by malicious people to compromise a user's system. The vulnerability is confirmed in version 8.5.0i. Other versions may also be affected. The vulnerability has been fixed in McAfee VirusScan version 8.7i and later.

Google Chrome: Google has released version 8.0.552.215 to fix multiple vulnerabilities in Google Chrome 7.x. The latest version of Chrome is available here.

WordPress 3.0.2: WordPress has released WordPress 3.0.2 to address multiple security vulnerabilities. The new version is available here.

D-Link DIR-615: Moderately critical vulnerabilities have been found in this popular wireless router. The vulnerabilities have been found in firmware versions prior to revision D.4-13B01. Users should update their routers to the latest firmware version. Information from D-Link on how to upgrade the firmware on the DIR-615 line of routers can be found here.  

News of Important Vulnerabilities.

CA Internet Security Suite Plus 2010: A vulnerability has been discovered in CA Internet Security Suite Plus which can be exploited by malicious, local users to gain escalated privileges. No patch is available at this time.

Palm Pre WebOS: Dark Reading reports that a moderately critical vulnerability has been found in WebOS 1.4.x versions. According to Secunia, this vulnerability has reportedly been fixed in WebOS 2.0 beta. We have no more information at this time. Palm's web-site is here.

Kindle for PC: A vulnerability has been discovered in the Kindle for PC program 1.x. According to Secunia, no patch is available at this time. Users are cautioned to only open files from trusted sources. 

Adobe Reader: If you have not yet updated to Adobe Reader X (as we recommended last week), you should do so now. You can download Reader X using the Adobe Download Manager from the Adobe Reader web site. To avoid the Download Manager with its attempt to get you to download other software as well, Windows users can download Windows Reader X here while Mac users can download Mac Reader X here. 

Microsoft Internet Explorer: Microsoft has still not issued an update to fix a zero-day highly critical vulnerability in Internet Explorer that, according to KrebsOnSecurity.com, cyber criminals are exploiting to break into Windows computers. We suggest running the latest version of Firefox with the NoScript add-on as an alternative to IE.


Saturday, December 4, 2010

WikiLeaks Exposes "Vast Hacking by a China Fearful of the Web"

We began covering the Chinese hack into Google and other western companies on our blog last March. An article in the New York Times based on an analysis of cables released by WikiLeaks provides a fascinating look at Chinese cyber espionage as seen through the eyes of the American government.

Wednesday, December 1, 2010

Personal Guide to Staying Safe Online

Cyber criminals want your bank account and credit card numbers so they can take your money and use your credit while stiffing you with the bill. They want your social security number so they can apply for credit in your name, stealing your identity. They have even begun selling stolen medical insurance information.

Cybercriminals steal your sensitive personal information by taking control of your computer. This control also lets them install rogue programs on your computer, turning your computer into a zombie under their control—the cyber-equivalent of Night of the Living Dead. Even reasonably well-protected computers can be turned into computer-zombies if users unwittingly click on Internet links, visit sabotaged web-sites or open attachments on emails.

The consequences of having your computer turned into a zombie under the control of a cyber criminal can be devastating. Just ask the owner of the escrow company in Redondo Beach after cyber criminals withdrew $400,000 from her bank account using the firm’s on-line bank id and password which they stole after turning her computer into a zombie. You can read about her and other victims of on-line bank fraud indexed under Financial Systems Security on our blog: http://blog.citadel-information.com.

Online bank fraud is just one of the ways cyber criminals can make money from turning your computer into a computer-zombie. Besides stealing your credit card numbers and the login credentials to your online bank and brokerage accounts, these cyber criminals also display annoying pop-up ads on your computer, send spam from your computer and use your computer to commit a wide variety of sophisticated computer crimes.

Cybercriminals take control of your computer by exploiting four weaknesses:
  1. Every computer program running on your computer has subtle programming errors (vulnerabilities) that cybercriminals exploit to take control of your computer.
  2. Legitimate internet web sites often fail to prevent cybercriminals from installing malicious programs on their web sites. When you visit these sites, these malicious programs silently install Trojan horses and other malware on your computer.
  3. Default settings for many computer programs make it easy for cyber criminals to take control of your computer.
  4. Users often don’t know what they need to do to minimize the dangers and risks of cybercrime, particularly the need for defense-in-depth.
Defense Strategy 1: Keep Cybercriminals Off Your Computer
  • Keep Systems Patched: Software manufacturers issue program updates containing patches to fix known vulnerabilities. Set Microsoft Windows and Office to automatically update. Manually update other programs like Adobe Acrobat, iTunes, Flash and Java. We list available updates for some of the more common programs in our Weekly Patch and Vulnerability Report, available on our blog:  http://blog.citadel-information.com.
  • Limit Exposure: Create separate accounts for all family members. This is done in the Control Panel. Set account type to “Limited” unless the account needs to run programs as “Administrator.” This will make it harder for cybercriminals to install malware on your computer.
  • Protect Your Desktop: Install a reputable antivirus / antispyware product & keep it up-to-date. If you’re technical, run Firefox with the NoScript add-on inside of Sandboxie and install a host intrusion prevention system. Sophisticated cybercriminals can get past basic antivirus/antispyware software. Antivirus is necessary. It is not sufficient.
  • Secure Your WiFi: If you have a wireless network, encrypt it with WPA2 encryption. Otherwise anyone near you can eavesdrop on your communications and piggy-back on your connection.
  • Stay Away from P2P Networks: Don’t run Peer-to-Peer or other file sharing programs, such as Kazaa, Limewire or BitTorrent. These networks provide strangers access to your computer.
  • Beware of Scams, 1: Don’t click on web-site ads or pop-ups offering to scan your computer for free. Cybercriminals love to take advantage of people’s fear of getting a virus. Instead of scanning your computer, these programs will infect it. Always be wary.
  • Beware of Scams, 2: Don’t open unusual or unexpected attachments, not even from people you know. It’s easy to send an email so it looks like it came from someone else. Also, how do you know your friend’s computer hasn’t been taken over? Always be wary.
  • Beware of Scams, 3: Don’t follow links in unfamiliar or unusual emails, especially those requesting your user names, passwords, or financial information. A SPAM filter can help you avoid these e-mails but you must be on guard for emails that get past your SPAM filter. Always be wary.
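
The "Keep Systems Patched" advice above depends on knowing whether an installed program is older than the minimum version a report names. The following Python script is an added example, not code from Citadel or the guide: it compares installed version strings against the minimum versions stated in the weekly reports on this page, using numeric field-by-field comparison rather than string comparison (which wrongly ranks "9.4.1" above "10.0.0"). The program names used as keys and the sample inventory are constructed assumptions; Java 6 Update 23 is entered as 1.6.0_23, the form the Java runtime itself reports.

```python
import re
from typing import Dict, List, Tuple

# Minimum safe versions named in the reports above. Java 6 Update 23 is
# entered in the form the Java runtime reports it (1.6.0_23).
MINIMUM_VERSIONS: Dict[str, str] = {
    "Java": "1.6.0_23",
    "Adobe Reader": "10.0.0",
    "Google Chrome": "8.0.552.224",
    "Mozilla Firefox": "3.6.13",
    "Apple QuickTime": "7.6.9",
    "RealPlayer": "14.0.0",
    "Opera": "11.00",
    "IBM Lotus Notes Traveler": "8.5.1.3",
    "WordPress": "3.0.3",
    "Apple iTunes": "10.1.1",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.0.552.224', '1.6.0_23' or '11.00' into a tuple of ints.

    Only numeric fields are kept, so the separator ('.', '_', '-') does not
    matter. A string with no digits is rejected rather than treated as 0.
    """
    fields = re.findall(r"\d+", version)
    if not fields:
        raise ValueError(f"no numeric version fields in {version!r}")
    return tuple(int(f) for f in fields)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b.

    Missing trailing fields count as zero, so '14.0' equals '14.0.0'.
    """
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def is_outdated(installed: str, minimum: str) -> bool:
    """True when the installed version is below the report's minimum."""
    return compare_versions(installed, minimum) < 0


def find_outdated(inventory: Dict[str, str],
                  minimums: Dict[str, str] = MINIMUM_VERSIONS
                  ) -> List[Tuple[str, str, str]]:
    """Return (program, installed, minimum) for each program below its minimum.

    Programs the reports do not mention are ignored, and programs named in
    the reports but absent from the inventory are not flagged: "not
    installed" is not "out of date".
    """
    outdated = []
    for program, minimum in minimums.items():
        installed = inventory.get(program)
        if installed is not None and is_outdated(installed, minimum):
            outdated.append((program, installed, minimum))
    return outdated


# Constructed sample inventory for one workstation. On a real machine,
# replace it with the versions your software inventory tool reports.
SAMPLE_INVENTORY: Dict[str, str] = {
    "Java": "1.6.0_22",             # one update behind
    "Adobe Reader": "9.4.1",        # string comparison would call this newer than 10.0.0
    "Google Chrome": "8.0.552.224", # current
    "Mozilla Firefox": "3.6.12",
    "Apple QuickTime": "7.6.9",
    "RealPlayer": "14.0.1.609",     # newer than the 14.0.0 floor
    "Opera": "10.63",
}

if __name__ == "__main__":
    for program, installed, minimum in find_outdated(SAMPLE_INVENTORY):
        print(f"UPDATE {program}: installed {installed}, need {minimum} or later")
```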
Defense Strategy 2: Be Careful With Your Financial Information On-Line
  1. Don’t send your Social Security Number, bank account numbers or credit card numbers in unencrypted email.
  2. Use different strong passwords [8+ characters, upper & lower case, numbers, characters] for all eCommerce websites. Use Password Safe or RoboForm to securely manage online passwords.
  3. Only buy on-line from merchants using SSL, which means the website address begins with https://. Look for the “lock” on the title bar of Internet Explorer or Firefox’s lower right corner.
  4. Use a credit card rather than a debit card when shopping on-line. Link PayPal to your credit card, not your bank account. Federal law limits your credit card exposure to $50. There is no corresponding limit if you use a debit card (even though many banks cover debit card fraud).
Defense Strategy 3: Protect Your Information Away from Home
  1. Keep your laptop with you at all times. Never leave it unattended in your car.
  2. Keep WiFi and Bluetooth turned off except when you are using them.
  3. Encrypt the hard drive of your laptop, protecting it with a strong 15+ character passphrase. If you lose the laptop, the information is still safe. You can get free encryption software at http://www.truecrypt.org/.
  4. Never use a public computer, Kiosk, or public WiFi for online banking, shopping or to access sensitive information. Since you don’t know how secure these are, prudence requires you to assume they are insecure.
Defense Strategy 4: Watch Your Credit
  1. Subscribe to a basic credit monitoring service (AAA California offers members a free service).
  2. Regularly review your bank, credit card and investment accounts for fraudulent activity.
Defense Strategy 5: Better Safe Than Sorry
  1. Always think about the information you are giving out.
  2. When in doubt, don’t.
  3. Stay up-to-date by reading our blog:  http://blog.citadel-information.com.

Sunday, November 28, 2010

Weekend Vulnerability and Patch Report, November 26, 2010

The following software updates were released last week. Citadel strongly recommends that readers upgrade these programs on their computers.

Adobe Reader: Adobe has released Reader X. This follows repeated security problems with previous versions of Reader. The new Reader should be more secure than earlier versions as it has been built using advanced "sandbox" technology. You can download Reader X using the Adobe Download Manager from the Adobe Reader web site. To avoid the Download Manager with its attempt to get you to download other software as well, Windows users can download Windows Reader X here while Mac users can download Mac Reader X here.

Apple iOS: Apple has released iOS 4.2 for for the iPhone, iPad and iTouch. In addition to improved performance, this update fixes several security vulnerabilities. These updates are available during synchronization.
 
Trend Micro:  TrendMicro has released an update to OfficeScan 10.x. The update fixes a vulnerability that put users at risk of a cyber criminal taking full control of their computer. 
 
News of Important Vulnerabilities.

Microsoft Internet Explorer: Microsoft has still not issued an update to fix a zero-day highly critical vulnerability in Internet Explorer that, according to KrebsOnSecurity.com, cyber criminals are exploiting to break into Windows computers. We suggest running the latest version of Firefox with the NoScript add-on as an alternative to IE.


Tuesday, November 23, 2010

Bank sued over $440K Cyber Theft

KrebsOnSecurity.com is reporting that Choice Escrow and Land Title, an escrow firm in Missouri, is suing its bank, BancorpSouth Inc., to recover $440,000 that organized cyber thieves stole in an online robbery earlier this year, claiming the bank’s reliance on passwords to secure high-dollar transactions failed to measure up to federal e-banking security guidelines.

The epidemic of on-line bank fraud by cyber criminals succeeds because
  • Security procedures at too many businesses fail to prevent the compromise of workstations. This leads to the compromise of online bank credentials which the cyber criminal uses to commit fraud.
  • ACH transfer security procedures at too many banks fail the test of "commercial reasonableness."

In our role of assisting clients with cyber security management, we have seen first-hand how too many companies (i) fail to provide effective awareness training to staff to meet the cyber crime challenge and (ii) fail to impose rigorous security requirements on the management of their IT infrastructures. 

We have also had the opportunity to see first-hand how easy it is for a bank to fail to meet the standard of commercial reasonableness for its ACH security procedures, for example by:
  1. Failing to consider the wishes of its customer expressed to the bank. 
  2. Failing to consider the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank. 
  3. Failing to implement security procedures in general use by customers and receiving banks similarly situated.

We echo Krebs' warning that "The attack is the latest reminder that small businesses should assume that they are completely responsible for the security of their online transactions: Businesses do not enjoy the same legal protections afforded to consumers, and thus are responsible for any losses due to cyber theft or fraud."

Saturday, November 20, 2010

Weekend Vulnerability and Patch Report, November 19, 2010

The following software updates were released last week. Citadel strongly recommends that readers upgrade these programs on their computers.

Apple Safari: Apple has released Safari 5.0.3 and 4.1.3 to address multiple vulnerabilities in the Safari and WebKit packages. Because of these vulnerabilities, users are at risk of a cyber criminal taking full control of their computer. See Apple article HT4455 for more information.

Adobe Reader and Acrobat: Adobe has released security updates for Reader and Acrobat for Windows and Macintosh. These updates address multiple vulnerabilities that put users at risk of a cyber criminal taking full control of their computer. See Adobe Bulletin APSB10-28 for additional information.

Mac OS X: Apple has released Mac OS X v10.6.5 and Security Update 2010-007 to address multiple highly critical vulnerabilities in OS X. These updates are available on Apple's Downloads page, and we urge all Mac users to apply them.

News of Important Vulnerabilities.

Microsoft Internet Explorer: Microsoft has still not issued an update to fix a zero-day highly critical vulnerability in Internet Explorer that, according to KrebsOnSecurity.com, cyber criminals are exploiting to break into Windows computers. We suggest running the latest version of Firefox with the NoScript add-on as an alternative to IE.

RealPlayer: RealPlayer users should make sure they are running version 14.0.1.609 or later as serious vulnerabilities have been found in some earlier versions. 

WordPress: For those of you with web sites built on the popular WordPress, Secunia has announced that an extremely serious security vulnerability has been found in the WordPress Event Registration plugin. (This follows the announcement last week of 6 serious WordPress vulnerabilities.) The vulnerability has the potential to allow a cyber criminal full access to any databases connected to a web site using the plugin. Insist that your web-master takes steps to protect any of your sensitive information that this vulnerability puts at risk. Direct your web-master to Secunia Advisory SA42265 for more information.


Thursday, November 18, 2010

Beware of Holiday Season Phishing Scams and Malware Campaigns

US-CERT is receiving reports of an increased number of phishing scams and malicious software campaigns that take advantage of the winter holiday and holiday shopping season. We urge users to be on their guard, mindful that an email message could be part of a phishing scam or malware campaign.

Users are urged to be sensitive to:
  • Electronic greeting cards that may contain malware
  • Requests for charitable contributions that may be phishing scams and may originate from illegitimate sources claiming to be charities
  • Movie clips, screensavers or other forms of media that may contain malware
  • Credit card applications that may be phishing scams or identity theft attempts
  • Online shopping advertisements that may be phishing scams or identity theft attempts from bogus retailers

We strongly urge users to protect themselves during the holiday season:
  • Don't follow unsolicited web links in email messages. Consider running Firefox with the NoScript add-on.
  • Use caution when opening email attachments: is the email from someone you know? Was the email expected? When in doubt, don't.
  • Maintain up-to-date antivirus and anti-spyware software.
  • Keep your systems patched. Be careful of the latest vulnerabilities. Follow our Weekly Vulnerability and Patch Report, published on our blog, Citadel on Security.

    Sunday, November 14, 2010

    The Great Cyberheist

    The New York Times Magazine: "One night in July 2003, a little before midnight, a plainclothes N.Y.P.D. detective, investigating a series of car thefts in upper Manhattan, followed a suspicious-looking young man with long, stringy hair and a nose ring into the A.T.M. lobby of a bank. Pretending to use one of the machines, the detective watched as the man pulled a debit card from his pocket and withdrew hundreds of dollars in cash. Then he pulled out another card and did the same thing. Then another, and another. The guy wasn’t stealing cars, but the detective figured he was stealing something."

    "Indeed, the young man was in the act of “cashing out,” as he would later admit. He had programmed a stack of blank debit cards with stolen card numbers and was withdrawing as much cash as he could from each account. He was doing this just before 12 a.m., because that’s when daily withdrawal limits end, and a “casher” can double his take with another withdrawal a few minutes later. To throw off anyone who might later look at surveillance footage, the young man was wearing a woman’s wig and a costume-jewelry nose ring. The detective asked his name, and though the man went by many aliases on the Internet — sometimes he was cumbajohny, sometimes segvec, but his favorite was soupnazi — he politely told the truth. “Albert Gonzalez,” he said."

    ...

    "Over the course of several years, during much of which he worked for the government, Gonzalez and his crew of hackers and other affiliates gained access to roughly 180 million payment-card accounts from the customer databases of some of the most well known corporations in America: OfficeMax, BJ’s Wholesale Club, Dave & Buster’s restaurants, the T. J. Maxx and Marshalls clothing chains. They hacked into Target, Barnes & Noble, JCPenney, Sports Authority, Boston Market and 7-Eleven’s bank-machine network. In the words of the chief prosecutor in Gonzalez’s case, 'The sheer extent of the human victimization caused by Gonzalez and his organization is unparalleled.'"


    Click here to read the fascinating story of master cyber-thief, Albert Gonzalez. 

    Thanks to Dr. Andrea Belz for alerting us to this story.

    Weekend Vulnerability and Patch Report, November 12, 2010

    Microsoft Windows & Office: This month's Patch Tuesday fixed 11 security flaws in Microsoft products. One patch fixes a highly critical vulnerability that could allow a cyber criminal to gain control of a user's computer simply by having the user view an email in Outlook's Preview Pane. We strongly recommend that all home users make sure Automatic Updates is turned on so that these and other Microsoft patches are downloaded and installed automatically. All other things being equal, business computers should have automatic updates turned on as well, although the IT department sometimes needs to manage these updates differently.

    Microsoft did not issue an update to fix a zero-day, highly critical vulnerability in Internet Explorer that, according to KrebsOnSecurity.com, cyber criminals are exploiting to break into Windows computers. We suggest running the latest version of Firefox with the NoScript add-on as an alternative to IE.

    Mac OS X: Apple has issued several updates patching highly critical vulnerabilities in OS X. They are available from Apple's Downloads page, and we urge all Mac users to apply them.

    iTunes / QuickTime: Users should download and install iTunes 10.1 which includes Apple's QuickTime 7.6.8. Don't be lulled into a false sense of security though. Secunia has announced that a highly critical 0-day vulnerability has already been discovered in the new QuickTime version 7.6.8.

    PayPal for iPhone: PayPal has issued an update fixing a relatively minor security vulnerability in its iPhone app. We suggest users update to the latest version.

    WordPress: For those of you with web sites built on WordPress, Secunia has announced a number of security vulnerabilities in various WordPress plug-ins. Direct your web-masters to Secunia's web site for more information.

    If you are responsible for keeping your computer secure, this is for you. If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.


    Friday, November 12, 2010

    Map of Online Bank Fraud Victims — Updated 11/11/10

    Here's an updated map of known businesses and other organizations which have been victims of online bank fraud. Among the victims in Southern California:
    1. Genlabs in Chino, CA had $437,000 stolen
    2. Zico USA in La Puente lost $150,000 
    3. Village View Escrow in Redondo Beach had $465,000 stolen.
    Thanks to KrebsOnSecurity.com for alerting us to this.

      Wednesday, November 10, 2010

      New Mobile Banking Flaws Demonstrate Buyers Must Be Skeptical About Security Claims

      In our latest Weekend Vulnerability and Patch Report, we warned readers that significant vulnerabilities had been discovered in mobile banking applications from USAA, Chase, Wells Fargo, Bank of America, and TD Ameritrade. According to The Wall Street Journal and Yahoo News, the vulnerabilities discovered by viaForensics could potentially allow a hacker to learn your username, password, and financial information. Information could be stolen just by visiting a malicious website.

      The report that critical vulnerabilities had been found in mobile banking applications brought to mind my blog post last September when I discussed the wisdom of mobile online banking with my friend, Biz Coach, Terry Corbell. In my interview with Terry on his blog I had said “I recommend that consumers ignore any and all attempts to induce them to use their phones for online banking.”

      Needless to say, Terry received a scathing comment to that blog post from a marketing representative in the mobile banking industry. The commenter was absolutely positively certain that mobile banking was secure, that the software had been thoroughly tested and vetted, and that I didn't know what I was talking about.

      With this week's story, it turns out that I was the one who knew what he was talking about, not the mobile banking guy. But this blog isn't about who's right and who's wrong. This blog is about learning from experience, particularly that when it comes to cyber security we all need to be a lot more intellectually humble when we talk about how secure something is.

      Right now, the cyber criminals are winning. They are winning in part because too many people have a false sense of their own security. They have this false sense of security because they haven't "been there, done that." I have.

      For me it was a no-brainer that significant security vulnerabilities were going to be found in mobile banking applications. I had worked for several years in the Aerospace industry securing critical national security software. Before that I had been a research mathematician studying the logic of computer programs. And, as Yogi Berra said,  "You can observe a lot just by watching."

      I can remember the day we found a critical vulnerability in Cruise missile software that might have kept us from successfully responding to a nuclear attack. I know the managerial, political and especially intellectual challenges we went through to be in a position to catch that mistake. And that's just one example of how experience has taught me that writing high quality software is incredibly challenging (and expensive).


      We're taught that pride goeth before the fall. That is certainly true in the battle against cyber crime. That's why perhaps the most important thing I learned in trying to prevent, find and fix critical logic errors in complex software is intellectual humility.

      Intellectual humility is the ability to suspend our own belief in something we normally believe in, like the attorney hiring another attorney to find weaknesses in his argument or the doctor seeking a second opinion to look for holes in his diagnosis.

      Most of us develop a normal amount of intellectual humility in those areas of our greatest expertise. We understand and appreciate just how hard it is to do the things that we are accustomed to doing and we learn through experience how to pay detailed attention to the things we need to do to do our job.

      The challenge is that, human nature being what it seems to be, our intellectual humility doesn't easily carry over to domains where we lack firsthand knowledge and experience. We tend to over-simplify in those places we know little about. This isn't usually a problem: any intellectual humility I might lack regarding how dangerous lions are is mitigated by the fact that I am under no threat from a lion. Unfortunately, when it comes to cyber security, because we're all on the Internet it's as if the lion is right next door. And he's hungry.



      We can't expect a marketing representative in the mobile banking industry to have tested communications software controlling our nuclear missiles any more than we can expect the CEO of a bank to have written cyber security software requirements for an advanced military intelligence system. Nor can we expect the people who run our business IT networks to have the same sensitivity to security that we had 25 years ago when we designed a secure network for the Strategic Air Command.

      You can see where the danger is in this since these are the same people who influence (and often make) buying decisions about software that we use to manage money and sensitive information; software that has to be adequately secure to protect the money and information it touches. And, lacking the experience, these otherwise well-meaning men and women don't understand the necessity of being intellectually humble in the presence of complex software.

      That's why people who have to make decisions about cyber security management must maintain their own healthy skepticism, resisting any temptation they may have to believe cyber security claims, whether from marketing people, their banks or their own internal IT staff. Ronald Reagan is famous for saying: "Trust. But verify." Do him one better: drop the trust.



      Sunday, November 7, 2010

      Weekend Vulnerability and Patch Report, November 5, 2010

      Adobe Update for Flash Player: Adobe has now fixed the 0-day Flash vulnerability we reported last week. This update fixes 18 different security holes. Readers are urged to update their Flash version to v 10.1.102.64. Updates are available for Windows, Macintosh, Linux, and Solaris versions of Flash. If you use Internet Explorer in addition to other browsers, you will need to apply this update twice: Once to install the Flash Active X plugin for IE, and again to update other browsers, such as Firefox or Google Chrome. The new version is available from this link, but be aware that if you accept all of the default settings, the update may include additional software, such as a toolbar or anti-virus scanner.

      Microsoft Warns of New IE 0-Day Vulnerability: Microsoft warned Internet Explorer users that attackers are exploiting a previously unknown security hole in its browser to install malicious software on user workstations. A workstation can be compromised simply by visiting a compromised web site. (Compromised web sites are all-too-common. See our blog posts of April 19: Visitors to Web Sites Hosted by Network Solutions Again at Risk, and August 16: Network Solutions Once Again Serves Up Malware.) Hopefully Microsoft will update IE on this week's Patch Tuesday. We recommend using Firefox with the NoScript add-on for Internet browsing, particularly until this 0-day is patched.

      Mobile Banking Security Holes Discovered; Great Caution Urged: Be very careful if you access your bank account from your iPhone or Android. Security research firm viaForensics reports that mobile apps from USAA, Chase, Wells Fargo, Bank of America, and TD Ameritrade have major security holes. The bugs could potentially allow a hacker to learn your username, password, and financial information. Information could be stolen just by visiting a malicious website. According to The Wall Street Journal and Yahoo News, Wells Fargo and USAA have already released updates, Bank of America should have an update out in the next few days, and TD Ameritrade will fix the issue in the next 30 days. We continue to urge great caution in mobile online banking. If you don't absolutely need it, don't use it. Readers who must use mobile online banking are urged to upgrade their banking apps as soon as upgrades become available.

      Beware of ThinkPoint and Other Fake Anti-Virus Products: A small business we know was recently infected with ThinkPoint. It was delivered via a fake Microsoft Security Essentials Alert that was clicked on by an unsuspecting employee. Once installed, ThinkPoint tried to prevent the company from using the workstation until it paid money to buy a licensed version of useless software. ThinkPoint is just one more reminder of how users must be extremely careful what they allow to run on their computers. Don't trust a reminder to upgrade or install software unless you're sure it's legit. Set Microsoft to update automatically. Check Adobe products regularly. Follow our alerts. Better safe than sorry.


      Friday, October 29, 2010

      Weekend Vulnerability and Patch Report, October 29, 2010

      Adobe Shockwave Update: Adobe has released a critical update for its Shockwave Player. The Shockwave patch plugs 11 different security holes affecting both Windows and Mac computers. Readers should update to the newest Adobe Shockwave Player.

      Adobe Advisory for Flash Player, Acrobat Reader and Acrobat: Adobe has issued a security advisory that a new 0-day vulnerability has been found affecting all these products. The vulnerability affects these Adobe products on Windows, Mac and other operating systems. Readers are urged to be cautious until Adobe issues a patch for this vulnerability. We will alert readers to the patch when it is released.

      Facebook Users Under Attack: According to KrebsOnSecurity.com, Facebook users running Mac OS X are being attacked by a new version of the Koobface worm. The attack uses a malicious Java applet. For the attack to succeed the user must OK a prompt to download and install the malicious software, so readers are urged to be cautious in allowing Facebook applets to run. Readers should also make sure they have the latest version of Java running on their Mac.

      Firefox Update: Firefox has been updated to version 3.6.12. The program and its predecessor 3.6.11 (also released this week) fix 10 security vulnerabilities, many critical. Readers should update to the newest version. 


      Friday, October 22, 2010

      Weekend Patch Report, Oct 22, 2010

      RealPlayer: RealPlayer has released a product upgrade that fixes several critical vulnerabilities. The latest versions are available here. (October 20). 

      Microsoft Windows & Office: This month's Patch Tuesday fixed a record 49 security holes. Always install Microsoft patches. Home computers should have automatic updates turned on. All other things being equal, so should business computers, although the IT department sometimes needs to manage these updates differently. (October 12)

      Java: This is a critical update. Microsoft has issued a warning that it is seeing a huge increase in attacks against security vulnerabilities in Java. Java is a browser plug-in, so any web page you visit can start it without your doing anything; an unpatched Java is exposed every time you browse. Make sure to install this update. (October 12)

      Adobe Reader & Acrobat: This critical update plugs at least 23 holes in the Adobe PDF Reader and Acrobat software, including two vulnerabilities that are being actively exploited by cyber criminals. Update from inside the program: "Check for Updates" is on the drop-down list under "Help." (Oct 5)

      If you are responsible for keeping your computer secure, this is for you. If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Patch Report to them and following up to make sure your computer has been patched.

      Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing programs that "exploit" vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). Like DNA, every program carries hidden flaws, or vulnerabilities, in its code. When software companies find a vulnerability, they issue an update patch to fix the code running on their customers' computers.

      It is the user's responsibility to make sure update patches are installed. Home users usually have to do this themselves. Users working in offices may have IT staff to do this for them, but even here, Citadel recommends strongly that users take the initiative to check that updates are being installed on their computers.

      The Weekend Patch Report is intended to raise user awareness of the challenges of vulnerability management by alerting readers to some of the week's important update patches. We do this to help users get the knowledge they need to take the necessary initiative in making sure the security of their computers is being effectively managed.




      Wednesday, October 20, 2010

      Internet Teleconferencing: A Security Concern?

      A colleague asked me whether he should be concerned about the security of teleconferencing websites, like Webex and GoToMeeting. [We regularly use both Webex and GoToMeeting.]

      My colleague is right to be concerned, as there are several “vulnerability points” in Internet teleconferencing, particularly when video, voice and (potentially sensitive) data are being passed around the Internet. [As a sidebar: I designed the security test plan in the mid-1980s on a White House project to provide highly secure emergency teleconferencing between the White House, several cabinet secretaries, and various DoD components.]

      First, the good news: I asked my friend and technology expert, Jason Lidow, President of The DigiTrust Group, if they were seeing attacks coming through teleconferencing sites and he said no. Jason’s got a very sensitive pulse on cyber attacks so if he says he’s not seeing them, there’s a pretty good bet that they aren’t there in any meaningful amount. Far better to spend scarce cyber security dollars managing the stuff that’s here and now.

      That said, there are a few basics that everyone should always pay attention to given the fact that all of the information being communicated is being sent out over the Internet. The Internet is like the roads in the early west; robbers might be found behind any rock. That’s why the basic foundational principle of cyber security is “Assume nothing is secure if you aren’t actively managing it or assessing it. And even then, be cautious.”

      So starting from the perspective of never taking security for granted, here’s a few of the things I would pay attention to when considering a teleconferencing provider:

      1. Is all teleconferencing encrypted in transmission? Does the URL begin with https://? This is what keeps communications private while the bits are traveling around the Internet; encryption protects the communication from the cyber equivalent of wire tapping. If the answer to this question is “No,” then find another solution. Note that https:// on the meeting web page only covers the browser session; the audio, video and screen-sharing streams usually come from a separate client program, so ask the vendor whether those are encrypted too. If all you’re doing is videoconferencing, with no PowerPoints or QuickBooks reports or other data being transmitted, then a “yes” answer here is most likely good enough [unless you need to talk securely to the Fed].

       2. What communications (data, video, voice) are being passed through the provider's server? (The less the better.) Are communications being stored on teleconference servers? A “No” answer is better than a “Yes” answer. All other things being equal, I’d select the company that is able to meet your teleconferencing needs without getting its servers involved over the company whose servers process and, perhaps, store your sensitive information. I’d pay attention to this but I wouldn’t sweat it.

       3. The third thing I’d pay attention to is more dangerous, more subtle, and more strategic, which also makes it more important. This, I sweat over. Here’s the situation: In order for you to show a PowerPoint from your computer to a person or persons at other computers (whether in the building next door or halfway around the world), a software program on your computer must take your PowerPoint, send it out of your computer over the Internet, directing that PowerPoint to the other participants in the teleconference.

      For a few technical reasons, it’s not prudent to assume that the software program doing all this teleconferencing work is behaving properly; it’s far more prudent to assume that the software is capable of behaving maliciously, stealing your information or even taking over your PC.

      This risk is a generic one affecting every program on your computer. [Sidebar: Every modern complex computer program has software vulnerabilities. This fact is a consequence of (i) the mathematical complexity of computer programming and (ii) the economics of software engineering.] Cybercriminals exploit these vulnerabilities to attack computers on which the program is running. Standard anti-virus and anti-malware solutions manage a piece of the problem. So does patching, keeping software up-to-date with updates that fix known vulnerabilities. An emerging class of solutions in this space—replacing increasingly ineffective anti-virus and anti-spyware software—are called “host intrusion prevention systems.” These systems are capable of actually recognizing a cyber attack and blocking it, something anti-virus and anti-spyware solutions can’t do. Several of our clients have installed professionally-managed host intrusion prevention systems as these have become increasingly affordable to small and medium-sized businesses.

      The second piece of managing this risk is to prefer—again all other things being equal—software from well known reputable companies with a history of taking security seriously and a positive leadership position in the industry.

      That's why we use Cisco’s Webex for our teleconferencing. It is a little more expensive, but I feel I know what I’m getting, I know the seriousness with which Cisco takes security and the security talent they possess, and I’m confident that they’ll be there should something go wrong. I’ve never heard of tukbox, the program my colleague asked about, so can render no opinion.

      One more thing to wrap up this perhaps overly-long post. It’s important not to neglect the “human side” of security. Everybody needs to think about what they say or put on a PowerPoint; even what’s visible through the camera over someone’s shoulder. Ask yourselves questions like “What can we do to minimize the amount of sensitive data being sent over the Internet?” One strategy, for example, would be for voice communications to take place over regular land lines or a totally separate secure digital line. With this strategy, participants all agree that the ‘really sensitive information’ is to be talked about but not shown on shared PowerPoints, etc.

      This is the most important strategic recommendation: That everyone keep thinking about cyber security.

      Tuesday, October 5, 2010

      Critical Security Updates Available for Adobe Acrobat/Reader

      Adobe has announced that critical updates are now available for the Adobe Acrobat/Reader vulnerabilities we described in our blog post of September 8: Cybercriminals Exploit New 0-Day Adobe Acrobat/Reader Vulnerability.

      We strongly recommend that users immediately update their Adobe Acrobat and Reader programs. To do so, open the Adobe Acrobat or Adobe Reader program, click on "Help" and then "Check for Updates."

      Monday, October 4, 2010

      Hackers Steal $600,000 from Brigantine, NJ

      KrebsOnSecurity.com reports that "organized cyber thieves took roughly $600,000 from the coastal city of Brigantine, New Jersey this week after stealing the city’s online banking credentials. ... Brigantine City officials said the incident began sometime before 6 p.m. on September 28th, when TD Bank notified city finance officers that multiple wire transfers had been made from its accounts. Brigantine Police’s Lt. James Bennett said in a written statement:
      “Unknown person(s) had apparently obtained a user name and password for the city’s main TD Bank account when our finance personnel attempted to login (through either a fake Web page or an undetectable virus). Then several wire transfers were started with amounts ranging from a few thousand to over $300,000, for a total of about $600,000. The last update from TD Bank was that they were able to recall approximately $400,000 in transfers and were working on recalling the remainder. The investigation is being handled by the FBI, New Jersey State Police with the Brigantine Police Department and TD Bank security.”

      "Go Blue" Ends D.C. Online Voting Trial

      The Washington Post reports that—as part of a security test—a team of students from The University of Michigan hacked D.C.'s new Internet-based voting system. The "White Hat" hackers from Michigan compromised the system so that after a vote was cast the Web site played The University of Michigan fight song, "The Victors."

      According to the Post, Jeremy Epstein, a computer scientist working with the Common Cause good-government nonprofit on online voting issues said "the fight song is a symptom of deeper vulnerabilities. ... In order to do that, they had to be able to change anything they wanted on the Web site."

      Because of the hack, Paul Stenbjorn, the Board of Elections' chief technology officer said a portion of the Internet voting pilot—which was expected to be rolled out this month—is being temporarily scrapped.

      The good news, of course, is that to ensure election integrity, D.C. took the opportunity to open its election web-site to community testing. That the vulnerability was found and exploited by a team of students from my Alma Mater is icing on the cake. That they rigged the system to play The Victors is the maraschino cherry on top. Go Blue!

      The bad news—and one that every organization having a web site has to pay attention to—is that web sites, like software everywhere, are buggy. That's why this story is a good reminder to all organizations of the importance of effectively managing cybersecurity risk.

      Friday, October 1, 2010

      October is National Cybersecurity Awareness Month

      October 2010 marks the seventh annual National Cybersecurity Awareness Month. This year's theme —Our Shared Responsibility—reflects two facts about cybersecurity:

      1.  The cybersecurity threat has become one of the most serious economic and national security challenges we face. America’s competitiveness and economic prosperity in the 21st century will depend on effective cybersecurity. Every business, not-for-profit, school, government organization and individual is at risk.

      2. Every Internet user has a role to play in securing cyberspace and ensuring the safety of ourselves, our families, and our communities online.

      Cybersecurity Awareness Month is sponsored by the National Cybersecurity Alliance (NCSA)—a nonprofit dedicated to fostering a culture of cybersecurity—along with the U.S. Department of Homeland Security and the Multi-State Information Sharing and Analysis Center, a cybersecurity prevention and protection collaboration for state and local governments.

      As cybersecurity management consultants, Citadel Information Group is proud to join with the Los Angeles Chapter of the Information Systems Security Association, ISACA-LA, InfraGARD-Los Angeles, the LA Chapter of the Open Web Application Security Project (OWASP), and other Los Angeles information security organizations in working together to help keep our community safe from cybercrime.

      Tuesday, September 28, 2010

      Fake LinkedIn Emails Deliver Online Bank Theft Trojan Horse

      KrebsOnSecurity reports that a "major new malware spam campaign mimicking invites sent via business networking site LinkedIn.com leverages user trust and a kitchen sink of browser exploits in a bid to install the password-stealing ZeuS Trojan," a well-known Trojan horse used in online bank thefts.

      Krebs continues: "The spam campaign began Monday morning, according to security experts at networking giant Cisco Systems, and for a while the fake LinkedIn invitations accounted for as much as 24 percent of all spam. Recipients who click links in the message are taken to a Web page that reads, “Please Waiting, 4 seconds,” and then sent on to Google.com. ... On the way to Google, however, the victim’s browser is silently passed through a site equipped with what appears to be the SEO Exploit Pack, a commercial crimeware kit that tries to exploit more than a dozen browser vulnerabilities in an attempt to install ZeuS."

This spam campaign is another illustration of how cybercriminals use social engineering to get users to take an action (here, clicking a link in an email) that bypasses normal defenses. As a general rule, refuse to click on email links unless you know the sender. And even when you know the sender, remember that a sender address is easily forged; you must develop a new kind of "common sense" that recognizes the dangers of the Internet.
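The LinkedIn lure works because the visible link text and the real destination differ. The following is an added example (not code from the original post, Krebs or Cisco) that scans an HTML e-mail body for anchors whose href host does not belong to the sender's domain, or whose visible text names one host while the href goes to another. The e-mail body is constructed for the example; the `registrable()` helper is a crude last-two-labels approximation and does not use the Public Suffix List, so it will misjudge hosts under multi-label suffixes such as co.uk.

```python
"""Flag mismatched links in an HTML e-mail, the pattern used by the fake
LinkedIn invites (display text says linkedin.com, href goes elsewhere)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# A hostname-looking token inside visible link text, e.g. "www.linkedin.com/e/...".
HOST_RE = re.compile(r'(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})', re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href = dict(attrs).get('href', '')
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((self._href, ''.join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude approximation of the registrable domain: last two labels.
    Assumption for the example; a real check should use the Public Suffix List."""
    labels = host.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])


def suspicious_links(html, expected_sender_domain):
    """Return one finding per anchor whose target is off-domain or whose visible
    text names a different host than the href actually points to."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href).hostname or ''
        reasons = []
        if registrable(target) != expected_sender_domain:
            reasons.append('href host %s is not %s' % (target, expected_sender_domain))
        m = HOST_RE.search(text)
        if m and registrable(m.group(1)) != registrable(target):
            reasons.append('visible text names %s but href goes to %s'
                           % (m.group(1), target))
        if reasons:
            findings.append({'href': href, 'text': text, 'reasons': reasons})
    return findings


# Constructed sample modelled on the fake invitation; hosts are documentation
# addresses (203.0.113.7, evil.example), not real attacker infrastructure.
SAMPLE_EMAIL = """<html><body>
<p>John Smith has indicated you are a Friend</p>
<p><a href="http://linkedin.com/e/-abc123/">Accept invitation</a></p>
<p><a href="http://203.0.113.7/in/redir.php?u=x">http://www.linkedin.com/e/confirm</a></p>
<p><a href="http://www.linkedin.com.evil.example/e/">www.linkedin.com</a></p>
<p><a href="https://www.linkedin.com/about">About LinkedIn</a></p>
</body></html>"""

if __name__ == '__main__':
    for f in suspicious_links(SAMPLE_EMAIL, 'linkedin.com'):
        print(f['href'])
        for r in f['reasons']:
            print('   -', r)
```

Run against the constructed sample it flags the two decoy links (the bare IP and the `linkedin.com.evil.example` lookalike) and leaves the two genuine linkedin.com links alone. A mail gateway would apply the same logic per message before the user ever sees the "Please Waiting, 4 seconds" page.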

      Monday, September 20, 2010

      Security update available for Critical 0-Day Vulnerability in Adobe Flash Player

      Adobe has released a security update to the Flash vulnerability we reported last week (Adobe Issues Security Advisory for Critical 0-Day Flash Player Vulnerability).

      Adobe recommends all users of Adobe Flash Player 10.1.82.76 and earlier versions upgrade to the newest version 10.1.85.3 by downloading it from the Adobe Flash Player Download Center or by installing it via the auto-update mechanism within the product when prompted.

      To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

      Friday, September 17, 2010

      Interpol Says Cybercrime is "World's Most Dangerous Criminal Threat"

Concerned with the growing threat from an estimated $105-billion illegal business, 300 top law enforcement officials from 56 countries met in Hong Kong for the first ever international police anti-cybercrime conference.

Ronald K. Noble, secretary general of Interpol, told the assembled law enforcement officials that "considering the anonymity of cyberspace, it may in fact be one of the most dangerous criminal threats we will ever face."

      More on this story is available from Yahoo News.

      Monday, September 13, 2010

      Adobe Issues Security Advisory for Critical 0-Day Flash Player Vulnerability

Adobe has announced that a critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and in Adobe Flash Player 10.1.92.10 for Android. This vulnerability (CVE-2010-2884) could allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows.

      As attacks exploiting this vulnerability are likely to get by anti-virus and anti-malware defenses, users should consider installing advanced intrusion-prevention technology capable of blocking 0-day attacks.
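Both Flash posts on this page (September 13, the affected builds; September 20, the 10.1.85.3 fix) come down to comparing a dotted version string against a boundary, and doing that as a plain string comparison gets it wrong. The following is an added example, not Adobe's code or the original posts', that parses the version string Flash reports (the About page shows it as "WIN 10,1,85,3"; the platform tags WIN, MAC, LNX, SOL and AND are assumed from Flash's own version format) and decides whether the build is in the affected range quoted above. The page gives no fixed version for Android, so Android builds above 10.1.92.10 are treated only as "not named as affected".

```python
"""Is an installed Flash Player build exposed to CVE-2010-2884?
Boundaries are the ones quoted in the two Adobe posts on this page."""
import re

# Highest affected build per platform, as quoted in the advisory post.
VULNERABLE_THROUGH = {
    'WIN': (10, 1, 82, 76), 'MAC': (10, 1, 82, 76),
    'LNX': (10, 1, 82, 76), 'SOL': (10, 1, 82, 76),
    'AND': (10, 1, 92, 10),   # named as affected; the page gives no Android fix build
}
FIXED_DESKTOP = (10, 1, 85, 3)   # update posted September 20


def parse_version(s):
    """Accept '10.1.85.3', '10,1,85,3' or 'WIN 10,1,85,3' (the form Flash itself
    reports). Returns (platform_tag_or_None, 4-tuple of ints)."""
    m = re.fullmatch(r'\s*(?:([A-Z]{3})\s+)?(\d+(?:[.,]\d+){0,3})\s*', s)
    if not m:
        raise ValueError('unrecognised Flash version string: %r' % s)
    parts = [int(p) for p in re.split(r'[.,]', m.group(2))]
    parts += [0] * (4 - len(parts))   # pad so '10.1' compares as 10.1.0.0
    return m.group(1), tuple(parts)


def is_affected(version_string, platform=None):
    """True when the build is at or below the affected ceiling for its platform.
    The platform comes from the string's tag or the explicit argument."""
    plat, ver = parse_version(version_string)
    plat = plat or platform
    if plat not in VULNERABLE_THROUGH:
        raise ValueError('unknown platform tag %r' % plat)
    return ver <= VULNERABLE_THROUGH[plat]


def needs_update(version_string, platform=None):
    """Desktop platforms: anything below the 10.1.85.3 fix should be updated.
    Android: only the affected range is known from the page."""
    plat, ver = parse_version(version_string)
    plat = plat or platform
    if plat == 'AND':
        return is_affected(version_string, plat)
    return ver < FIXED_DESKTOP


def naive_string_compare_is_wrong():
    """Why tuples, not strings: lexically '10.1.9.0' sorts above '10.1.85.3',
    so a string comparison would call a hypothetical 10.1.9.0 build up to date."""
    return ('10.1.9.0' > '10.1.85.3') and ((10, 1, 9, 0) < (10, 1, 85, 3))


if __name__ == '__main__':
    for v in ('WIN 10,1,82,76', 'MAC 10,1,85,3', 'AND 10,1,92,10', 'LNX 10,1'):
        print('%-16s affected=%-5s needs_update=%s'
              % (v, is_affected(v), needs_update(v)))
```

The check must be run once per browser, as the September 20 post says, because each browser can carry its own Flash plug-in and report a different version string.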

      Wednesday, September 8, 2010

      Cybercriminals Exploit New 0-Day Adobe Acrobat/Reader Vulnerability

      Adobe has announced that a critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX. The vulnerability is also present in Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh.

      The vulnerability (CVE-2010-2883) could allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.

      Users are advised to take extra precautions in opening Adobe PDF files. As attacks exploiting this vulnerability are likely to get by anti-virus and anti-malware defenses, users should consider installing advanced intrusion-prevention technology capable of blocking 0-day attacks.

      Saturday, September 4, 2010

      What's More Powerful than a Strong Password?

      Keyloggers are computer programs that capture every keystroke a user types. This includes user-ids and passwords to sensitive information, like a user's online bank account. When used by cybercriminals, these captured keystrokes are secretly transmitted back to the cybercriminal for their own dishonest use.

      It was a keylogger that enabled cybercriminals to steal $400,000 from Village View Escrow last March. (See our blog post: e-Banking Bandits Target Title and Escrow Companies.) Most, if not all, of the online bank theft stories we've covered involve a keylogger used to steal online bank credentials.
       
      There are several ways users can get their computers infected by a malicious keylogger. They are often surreptitiously installed as part of a virus or malware attack. Inadequately protected web sites can infect visitors with a keylogger. (See our blog post from April: Visitors to Web Sites Hosted by Network Solutions Again at Risk and August: Network Solutions Once Again Serves Up Malware.) There are even physical keyloggers that can be installed on a user's workstation.

There are three specific things you need to pay attention to in order to keep a malicious keylogger off your workstation.
1. Diligently keep your workstation updated with security fixes. This includes your operating system (Windows or Mac OS X), your application programs (like Adobe Reader), and your browser add-ons (like Flash).
2. Keep your anti-virus and anti-malware software up to date. Consider a modern intrusion prevention system able to counter the attacks that get by your anti-malware defenses.
3. Be very suspicious of emails, particularly those containing attachments. If the email is not from someone you know and is not something you expect, treat it the same way you would treat a suspicious package you discover ticking in an airport bathroom.
      Today's New York Times has an up-to-date overview of some new thinking about password security: A Strong Password Isn’t the Strongest Security.

      Apple's Ping Service for iTunes Hijacked by Scammers and Spammers

The good news is that iTunes 10 fixes a number of security vulnerabilities. The bad news is that Apple failed to pay enough attention to the security of its new Ping service, designed as a social network for iTunes users. Anti-malware developer Sophos is reporting that the service has been hit with a barrage of scams and spam messages in the days since the launch.

      Friday, September 3, 2010

      Cyberthieves Steal Nearly $1,000,000 from University of Virginia

KrebsOnSecurity reports that cyberthieves stole nearly $1,000,000 from a satellite campus of the University of Virginia. Krebs writes that sources familiar with the case had told him that thieves stole the funds after compromising a computer belonging to the university's comptroller. The attackers used a computer virus to steal the online banking credentials for the University's accounts at BB&T Bank, and initiated a single fraudulent wire transfer in the amount of $996,000 to the Agricultural Bank of China. BB&T declined to comment for the story.

      In an update published by the student newspaper, a University spokesperson said the money was stolen on August 25 but has since been recovered.

      Monday, August 30, 2010

      Cyberthieves Steal $600,000 From Catholic Diocese of Des Moines, Iowa

      KrebsOnSecurity.com reports that "cyber thieves stole more than $600,000 from the Catholic Diocese of Des Moines, Iowa earlier this month. The funds were spirited away with the help of dozens of unwitting co-conspirators hired through work-at-home job scams, at least one of whom was told the money was being distributed to victims of the Catholic Church sex abuse scandals."

According to Krebs, "In a statement released last week, the diocese said the fraud occurred between Aug. 13 and Aug. 16, apparently after criminals had stolen the diocese’s online banking credentials. The Diocese said it was alerted to the fraud on Aug. 17 by its financial institution, Bankers Trust of Des Moines. ... The diocese also said the FBI and U.S. Treasury Department were notified, and that the FBI had taken possession of several diocesan computers. To date, roughly $180,000 has been recovered. ... The diocese added that law enforcement had advised them that the theft seems to have been the work of a highly sophisticated operation based overseas, which moved the stolen money out of the United States by recruiting people who unknowingly act as intermediaries."

      Saturday, August 28, 2010

      Might the Best CyberSecurity Defense Be a Good Offense?

      According to a story in the Washington Post, the Pentagon is developing a suite of advanced generation cyber-defense weapons that can best be described as "taking the battle to the enemy." The tools can "attack and exploit adversary information systems" and can "deceive, deny, disrupt, degrade and destroy" information and information systems, according to Defense Department budget documents.

      Gen. Keith Alexander, the head of the Pentagon's new Cyber Command, told an audience in Tampa this month "We have to have offensive capabilities, to, in real time, shut down somebody trying to attack us." 

      Deputy Secretary of Defense William J. Lynn III has said the approach includes "reaching out" to block malicious software "before they arrive at the door" of military networks. "We need to be able to protect our networks," Lynn said in a May interview. "And we need to be able to retain our freedom of movement on the worldwide networks."

      Military officials have declared that cyberspace is the fifth domain - along with land, air, sea and space - and is crucial to battlefield success.

      Friday, August 27, 2010

      Cyber-Bank Theft Pits Victim vs Bank. Got Insurance?

      KrebsOnSecurity.com reported recently that "a business telephone equipment company in Texas is trying to force its bank to settle a liability claim over an attack by organized cyber thieves last year that cost the company $50,000."

      This is a common story which we continue to write about. [See many of our postings under the tag: Financial Systems Security.]

      The unfortunate truth [as we wrote in an earlier blog] is that banking laws put the responsibility for cybercrime losses onto the customer. If the customer wants the bank to reimburse it for the fraud losses, it's up to the customer to prove that the bank's security procedures are not commercially reasonable [as that phrase is defined in the Uniform Commercial Code, Article 4A-202]. The result, all too often, is that the customer has little choice but to sue the bank. [See our blog post, for example.]

The good news: There's a very good chance the bank's procedures fail the test of commercial reasonableness. In an analysis of a bank whose customer lost $600,000 when cyberthieves uploaded fraudulent payroll databases, our firm found significant technical, procedural and managerial weaknesses in the bank's security procedures. These weaknesses were so egregious that they left us no alternative but to conclude that the bank's security procedures were not commercially reasonable.

      The bad news: The cost of proving the bank's procedures are not commercially reasonable [so that the bank will share in the responsibility for the loss] is huge. I have no idea of the legal fees involved but I do know that fees for expert analysis do not come cheap. Consequently most organizations will not have the deep pockets to sustain a lawsuit, particularly under the cash flow pressures that will inevitably follow a large loss.

      That's why Citadel continues to recommend that every organization discuss cybercrime insurance with their insurance broker. As Brian Krebs wrote in his blog KrebsOnSecurity.com "cyber theft insurance can be a reasonable and effective investment in an era when ultra-sophisticated cyber thieves increasingly are defeating the security that surrounds many commercial online banking accounts."

      Wednesday, August 25, 2010

      Military Computer Attack Confirmed. Classified Systems Breached.

      William J. Lynn III, U.S. Deputy Secretary of Defense, has confirmed a previously classified computer attack in which a foreign intelligence agent used a flash drive to infect computers, including those used by the Central Command in overseeing combat zones in Iraq and Afghanistan. Writing in the latest issue of the journal Foreign Affairs, Lynn describes the 2008 incident as "the most significant breach of U.S. military computers ever."

      According to Lynn, "The flash drive's malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the U.S. Central Command. That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control. It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary."

      According to the New York Times, Lynn's "article appeared intended partly to raise awareness of the threat to United States cybersecurity — “the frequency and sophistication of intrusions into U.S. military networks have increased exponentially,” he wrote — and partly to make the case for a larger Pentagon role in cyberdefense.... Various efforts at cyberdefense by the military have been drawn under a single organization, the U.S. Cyber Command, which began operations in late May at Fort Meade, Maryland, under a four-star general, Keith B. Alexander.... But under proposed legislation, the Department of Homeland Security would take the leading role in the defense of civilian systems."