Sunday, November 28, 2010

Weekend Vulnerability and Patch Report, November 26, 2010

The following software updates were released last week. Citadel strongly recommends that readers upgrade these programs on their computers.

Adobe Reader: Adobe has released Reader X. This follows repeated security problems with previous versions of Reader. The new Reader should be more secure than earlier versions as it has been built using advanced "sandbox" technology. You can download Reader X using the Adobe Download Manager from the Adobe Reader web site. To avoid the Download Manager with its attempt to get you to download other software as well, Windows users can download Windows Reader X here while Mac users can download Mac Reader X here.

Apple iOS: Apple has released iOS 4.2 for the iPhone, iPad and iTouch. In addition to improved performance, this update fixes several security vulnerabilities. These updates are available during synchronization.

Trend Micro: Trend Micro has released an update to OfficeScan 10.x. The update fixes a vulnerability that put users at risk of a cyber criminal taking full control of their computer.
 
News of Important Vulnerabilities.

Microsoft Internet Explorer: Microsoft has still not issued an update to fix a zero-day highly critical vulnerability in Internet Explorer that, according to KrebsOnSecurity.com, cyber criminals are exploiting to break into Windows computers. We suggest running the latest version of Firefox with the NoScript add-on as an alternative to IE.

If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.

If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that "exploit" vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they issue an update patch to fix the code running on their customers' computers.

The Weekend Vulnerability and Patch Report is intended to raise user awareness of cyber security challenges by alerting them to some of the week's important vulnerability news and updates.
 
© Copyright 2010. Citadel Information Group. All Rights Reserved.

Tuesday, November 23, 2010

Bank sued over $440K Cyber Theft

KrebsOnSecurity.com is reporting that Choice Escrow and Land Title, an escrow firm in Missouri, is suing its bank, BancorpSouth Inc., to recover $440,000 that organized cyber thieves stole in an online robbery earlier this year, claiming the bank’s reliance on passwords to secure high-dollar transactions failed to measure up to federal e-banking security guidelines.

The epidemic of online bank fraud by cyber criminals succeeds because:
  • Security procedures at too many businesses fail to prevent the compromise of workstations. This leads to the compromise of online bank credentials, which the cyber criminal uses to commit fraud.
  • ACH transfer security procedures at too many banks fail the test of "commercial reasonableness."

In our role of assisting clients with cyber security management, we have seen first-hand how too many companies (i) fail to provide effective awareness training to staff to meet the cyber crime challenge and (ii) fail to impose rigorous security requirements on the management of their IT infrastructures.

We have also had the opportunity to see first-hand how easy it is for a bank to fail to meet the standard of commercial reasonableness of its ACH security procedures, for example by:
  1. Failing to consider the wishes of its customer expressed to the bank.
  2. Failing to consider the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank.
  3. Failing to implement security procedures in general use by customers and receiving banks similarly situated.

We echo Krebs' warning that "The attack is the latest reminder that small businesses should assume that they are completely responsible for the security of their online transactions: Businesses do not enjoy the same legal protections afforded to consumers, and thus are responsible for any losses due to cyber theft or fraud."

Saturday, November 20, 2010

Weekend Vulnerability and Patch Report, November 19, 2010

The following software updates were released last week. Citadel strongly recommends that readers upgrade these programs on their computers.

Apple Safari: Apple has released Safari 5.0.3 and 4.1.3 to address multiple vulnerabilities in the Safari and WebKit packages. Because of these vulnerabilities, users are at risk of a cyber criminal taking full control of their computer. See Apple article HT4455 for more information.

Adobe Reader and Acrobat: Adobe has released security updates for Reader and Acrobat for Windows and Macintosh. These updates address multiple vulnerabilities that put users at risk of a cyber criminal taking full control of their computer. See Adobe Bulletin APSB10-28 for additional information.

Mac OS X: Apple has released Mac OS X v10.6.5 and Security Update 2010-007 to address multiple highly critical vulnerabilities in OS X. These updates are available on Apple's Downloads page and we urge all Mac users to apply them.

News of Important Vulnerabilities.

Microsoft Internet Explorer: Microsoft has still not issued an update to fix a zero-day highly critical vulnerability in Internet Explorer that, according to KrebsOnSecurity.com, cyber criminals are exploiting to break into Windows computers. We suggest running the latest version of Firefox with the NoScript add-on as an alternative to IE.

RealPlayer: RealPlayer users should make sure they are running version 14.0.1.609 or later, as serious vulnerabilities have been found in some earlier versions.

WordPress: For those of you with web sites coded in the popular WordPress, Secunia has announced that an extremely serious security vulnerability has been found in the WordPress Event Registration plugin. (This follows the announcement last week of 6 serious WordPress vulnerabilities.) The vulnerability has the potential to allow a cyber criminal full access to any databases connected to a web site using the plugin. Insist that your webmaster take steps to protect any of your sensitive information that this vulnerability puts at risk. Direct your webmaster to Secunia Advisory SA42265 for more information.


Thursday, November 18, 2010

Beware of Holiday Season Phishing Scams and Malware Campaigns

US-CERT is receiving reports of an increased number of phishing scams and malicious software campaigns that take advantage of the winter holiday and holiday shopping season. We urge users to be on their guard, mindful that an email message could be part of a phishing scam or malware campaign.

Users are urged to be sensitive to:
  • Electronic greeting cards that may contain malware
  • Requests for charitable contributions that may be phishing scams and may originate from illegitimate sources claiming to be charities
  • Movie clips, screensavers or other forms of media that may contain malware
  • Credit card applications that may be phishing scams or identity theft attempts
  • Online shopping advertisements that may be phishing scams or identity theft attempts from bogus retailers

We strongly urge users to protect themselves during the holiday season:
  • Don't follow unsolicited web links in email messages. Consider running Firefox with the NoScript add-on.
  • Use caution when opening email attachments: Is the email from someone you know? Was the email expected? When in doubt, don't.
  • Maintain up-to-date antivirus and anti-spyware software.
  • Keep your systems patched. Be careful of the latest vulnerabilities. Follow our Weekly Vulnerability and Patch Report, published on our blog, Citadel on Security.

Sunday, November 14, 2010

The Great Cyberheist

The New York Times Magazine: "One night in July 2003, a little before midnight, a plainclothes N.Y.P.D. detective, investigating a series of car thefts in upper Manhattan, followed a suspicious-looking young man with long, stringy hair and a nose ring into the A.T.M. lobby of a bank. Pretending to use one of the machines, the detective watched as the man pulled a debit card from his pocket and withdrew hundreds of dollars in cash. Then he pulled out another card and did the same thing. Then another, and another. The guy wasn’t stealing cars, but the detective figured he was stealing something."

"Indeed, the young man was in the act of “cashing out,” as he would later admit. He had programmed a stack of blank debit cards with stolen card numbers and was withdrawing as much cash as he could from each account. He was doing this just before 12 a.m., because that’s when daily withdrawal limits end, and a “casher” can double his take with another withdrawal a few minutes later. To throw off anyone who might later look at surveillance footage, the young man was wearing a woman’s wig and a costume-jewelry nose ring. The detective asked his name, and though the man went by many aliases on the Internet — sometimes he was cumbajohny, sometimes segvec, but his favorite was soupnazi — he politely told the truth. “Albert Gonzalez,” he said."

...

"Over the course of several years, during much of which he worked for the government, Gonzalez and his crew of hackers and other affiliates gained access to roughly 180 million payment-card accounts from the customer databases of some of the most well known corporations in America: OfficeMax, BJ’s Wholesale Club, Dave & Buster’s restaurants, the T. J. Maxx and Marshalls clothing chains. They hacked into Target, Barnes & Noble, JCPenney, Sports Authority, Boston Market and 7-Eleven’s bank-machine network. In the words of the chief prosecutor in Gonzalez’s case, 'The sheer extent of the human victimization caused by Gonzalez and his organization is unparalleled.'"

Click here to read the fascinating story of master cyber-thief, Albert Gonzalez.

Thanks to Dr. Andrea Belz for alerting us to this story.

Weekend Vulnerability and Patch Report, November 12, 2010

Microsoft Windows & Office: This month's Patch Tuesday fixed more than 11 security flaws in Microsoft products. One patch fixes a highly critical vulnerability that could allow a cyber criminal to gain control of a user's computer simply by having the user view an email in Outlook's Preview Pane. We strongly recommend that all home users make sure automatic updates are turned on so these and other Microsoft patches will be downloaded and installed automatically. All other things being equal, business computers should also have automatic updates turned on, although the IT department sometimes has to manage these updates differently.

Microsoft Internet Explorer: Microsoft did not issue an update to fix a zero-day highly critical vulnerability in Internet Explorer that, according to KrebsOnSecurity.com, cyber criminals are exploiting to break into Windows computers. We suggest running the latest version of Firefox with the NoScript add-on as an alternative to IE.

Mac OS X: Apple has issued several updates to patch highly critical vulnerabilities in OS X. These are available on Apple's Downloads page and we urge all Mac users to apply them.

iTunes / QuickTime: Users should download and install iTunes 10.1, which includes Apple's QuickTime 7.6.8. Don't be lulled into a false sense of security, though. Secunia has announced that a highly critical 0-day vulnerability has already been discovered in the new QuickTime version 7.6.8.

PayPal for iPhone: PayPal has issued an update fixing a relatively minor security vulnerability in its iPhone app. We suggest users update to the latest version.

WordPress: For those of you with web sites coded in WordPress, Secunia has announced a number of security vulnerabilities in various WordPress plugins. Direct your webmasters to Secunia's web site for more information.

If you are responsible for keeping your computer secure, this is for you. If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.


Friday, November 12, 2010

Map of Online Bank Fraud Victims — Updated 11/11/10

Here's an updated map of known businesses and other organizations which have been victims of online bank fraud. Among the victims in Southern California:
1. Genlabs in Chino, CA had $437,000 stolen
2. Zico USA in La Puente lost $150,000
3. Village View Escrow in Redondo Beach had $465,000 stolen.

Thanks to KrebsOnSecurity.com for alerting us to this.

Wednesday, November 10, 2010

New Mobile Banking Flaws Demonstrate Buyers Must Be Skeptical About Security Claims

In our latest Weekend Patch and Vulnerability Report, we warned readers that significant vulnerabilities had been discovered in mobile banking applications from USAA, Chase, Wells Fargo, Bank of America, and TD Ameritrade. According to The Wall Street Journal and Yahoo News, the vulnerabilities discovered by viaForensics could potentially allow a hacker to learn your username, password, and financial information. Information could be stolen just by visiting a malicious website.

The report that critical vulnerabilities had been found in mobile banking applications brought to mind my blog post last September when I discussed the wisdom of mobile online banking with my friend, Biz Coach, Terry Corbell. In my interview with Terry on his blog I had said, “I recommend that consumers ignore any and all attempts to induce them to use their phones for online banking.”

Needless to say, Terry received a scathing comment to that blog post from a marketing representative in the mobile banking industry. The commenter was absolutely, positively certain that mobile banking was secure, that the software had been thoroughly tested and vetted, and that I didn't know what I was talking about.

With this week's story, it turns out that I was the one who knew what he was talking about, not the mobile banking guy. But this blog isn't about who's right and who's wrong. This blog is about learning from experience, particularly that when it comes to cyber security we all need to be a lot more intellectually humble when we talk about how secure something is.

Right now, the cyber criminals are winning. They are winning in part because too many people have a false sense of their own security. They have this false sense of security because they haven't "been there, done that." I have.

For me it was a no-brainer that significant security vulnerabilities were going to be found in mobile banking applications. I had worked for several years in the aerospace industry securing critical national security software. Before that I had been a research mathematician studying the logic of computer programs. And, as Yogi Berra said, "You can observe a lot just by watching."

I can remember the day we found a critical vulnerability in cruise missile software that might have kept us from successfully responding to a nuclear attack. I know the managerial, political and especially intellectual challenges we went through to be in a position to catch that mistake. And that's just one example of how experience has taught me that writing high quality software is incredibly challenging (and expensive).

We're taught that pride goeth before the fall. That is certainly true in the battle against cyber crime. That's why perhaps the most important thing I learned in trying to prevent, find and fix critical logic errors in complex software is intellectual humility.

Intellectual humility is the ability to suspend our own belief in something we normally believe in, like the attorney hiring another attorney to find weaknesses in his argument or the doctor seeking a second opinion to look for holes in his diagnosis.

Most of us develop a normal amount of intellectual humility in those areas of our greatest expertise. We understand and appreciate just how hard it is to do the things that we are accustomed to doing, and we learn through experience how to pay detailed attention to the things we need to do to do our job.

The challenge is that, human nature being what it seems to be, our intellectual humility doesn't easily carry over to domains where we lack firsthand knowledge and experience. We tend to over-simplify in those places we know little about. This isn't usually a problem: any intellectual humility I might lack regarding how dangerous lions are is mitigated by the fact that I am under no threat from a lion. Unfortunately, when it comes to cyber security, because we're all on the Internet it's as if the lion is right next door. And he's hungry.

We can't expect a marketing representative in the mobile banking industry to have tested communications software controlling our nuclear missiles any more than we can expect the CEO of a bank to have written cyber security software requirements for an advanced military intelligence system. Nor can we expect the people who run our business IT networks to have the same sensitivity to security that we had 25 years ago when we designed a secure network for the Strategic Air Command.

You can see where the danger is in this, since these are the same people who influence (and often make) buying decisions about software that we use to manage money and sensitive information; software that has to be adequately secure to protect the money and information it touches. And, lacking the experience, these otherwise well-meaning men and women don't understand the necessity of being intellectually humble in the presence of complex software.

That's why people who have to make decisions about cyber security management must maintain their own healthy skepticism, resisting any temptation they may have to believe cyber security claims, whether from marketing people, their banks or their own internal IT staff. Ronald Reagan is famous for saying: "Trust. But verify." Do him one better: drop the trust.


Sunday, November 7, 2010

Weekend Vulnerability and Patch Report, November 5, 2010

Adobe Update for Flash Player: Adobe has now fixed the 0-day Flash vulnerability we reported last week. This update fixes 18 different security holes. Readers are urged to update their Flash version to v10.1.102.64. Updates are available for Windows, Macintosh, Linux, and Solaris versions of Flash. If you use Internet Explorer in addition to other browsers, you will need to apply this update twice: once to install the Flash ActiveX plugin for IE, and again to update other browsers, such as Firefox or Google Chrome. The new version is available from this link, but be aware that if you accept all of the default settings, the update may include additional software, such as a toolbar or anti-virus scanner.

Microsoft Warns of New IE 0-Day Vulnerability: Microsoft warned Internet Explorer users that attackers are exploiting a previously unknown security hole in their browser to install malicious software on user workstations. User workstations can be compromised simply by visiting a compromised web site. (Compromised web sites are all too common. See our blog posts of April 19: Visitors to Web Sites Hosted by Network Solutions Again at Risk and August 16: Network Solutions Once Again Serves Up Malware.) Hopefully Microsoft will update IE on this week's Patch Tuesday. We recommend using Firefox with the NoScript add-on for Internet browsing, particularly until this 0-day is patched.

Mobile Banking Security Holes Discovered; Great Caution Urged: Be very careful if you access your bank account from your iPhone or Android. Security research firm viaForensics reports that mobile apps from USAA, Chase, Wells Fargo, Bank of America, and TD Ameritrade have major security holes. The bugs could potentially allow a hacker to learn your username, password, and financial information. Information could be stolen just by visiting a malicious website. According to The Wall Street Journal and Yahoo News, Wells Fargo and USAA have already released updates, Bank of America should have an update out in the next few days, and TD Ameritrade will fix the issue in the next 30 days. We continue to urge great caution in mobile online banking. If you don't absolutely need it, don't use it. Readers who must use mobile online banking are urged to upgrade their online bank apps as quickly as upgrades become available.

Beware of ThinkPoint and Other Fake Anti-Virus Products: A small business we know was recently infected with ThinkPoint. It was delivered via a fake Microsoft Security Essentials alert that was clicked on by an unsuspecting employee. Once installed, ThinkPoint tried to prevent the company from using the workstation until it paid money to buy a licensed version of useless software. ThinkPoint is just one more reminder of how careful users must be about what they allow to run on their computers. Don't trust a reminder to upgrade or install software unless you're sure it's legitimate. Set Microsoft to update automatically. Check Adobe products regularly. Follow our alerts. Better safe than sorry.
