Citadel on Security

"Citadel on Security" Comes Home

2011-01-23T09:46:00.000-08:00

We have moved our blog to our website www.citadel-information.com. Visit us for continuing posts on information security.

Weekend Vulnerability and Patch Report, December 31, 2010

2011-01-02T22:10:00.000-08:00

The following software updates were released last week. Citadel strongly recommends that readers upgrade these programs on their computers.

No upgrades were announced last week for popular home or SOHO (Small Office Home Office) software programs.

Important Vulnerabilities.

Microsoft Internet Explorer Vulnerability: As we reported last week, Microsoft has warned in a security advisory that an exploit now exists for the critical security vulnerability in Internet Explorer that we wrote about recently.The exploit runs remotely over the Internet, compromising a user's system and stealing sensitive information. The vulnerability has been confirmed in all versions of Internet Explorer, including IE 7 and 8. The exploit for this vulnerability gets around two of the key security defenses built into Windows Vista and Windows 7. We suggest running the latest version of Firefox with the NoScript add-on as an alternative to IE.

If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.

If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that "exploit" vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they will issue an update patch to fix the code running in their customer's computers.

The Weekend Vulnerability and Patch Report is intended to raise user awareness to cyber security challenges by alerting them to some of the week's important vulnerability news and updates.

Weekend Vulnerability and Patch Report, December 24, 2010

2010-12-26T10:01:00.000-08:00

The following software updates were released last week. Citadel strongly recommends that readers upgrade these programs on their computers.

Java Update: Sun has published an update to Java, its ubiquitous browser plug-in. The new version is Java 6, Update 23. Readers can identify their version of Java and get installation help here. Readers will want to pay attention in upgrading Java to make sure that the install does not also install other software, such as the Yahoo Toolbar.

Important Vulnerabilities.

Microsoft Internet Explorer Vulnerability: Microsoft has warned in a security advisory that an exploit now exists for the critical security vulnerability in Internet Explorer that we wrote about last week. The exploit runs remotely over the Internet, compromising a user's system and stealing sensitive information. The vulnerability has been confirmed in all versions of Internet Explorer, including IE 7 and 8. The exploit for this vulnerability gets around two of the key security defenses built into Windows Vista and Windows 7. We suggest running the latest version of Firefox with the NoScript add-on as an alternative to IE.

IBM Lotus Notes: Several security vulnerabilities have been identified in IBM Lotus Notes Traveler. Readers should update to version 8.5.1.3 or later. More information is available here.

Adobe Flash: Adobe Flash is a favorite of cyber criminals who seem able to regularly find critical security vulnerabilities in the program. Readers should make sure they are running the latest version of Flash. You can check your version of Adobe Flash here.

Adobe Reader: Adobe Reader is another favorite of cyber criminals who seem able to regularly find critical security vulnerabilities in the program. Readers should make sure they are running the latest version of Reader. Readers can check for update under "Help" in the file menu. The latest version is 10.0.0.

If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.

Weekend Vulnerability and Patch Report, December 17, 2010

2010-12-19T10:53:00.000-08:00

The following software updates were released last week. Citadel strongly recommends that readers upgrade these programs on their computers.

Microsoft Security Update: This month's Patch Tuesday from Microsoft contains 17 software updates plugging a total of 40 security holes. According to Microsoft the updates include fixes for at least 7 vulnerabilities in Internet Explorer versions 6, 7 & 8, including the 0-day vulnerability we've had on our vulnerability list for the last month. Patches are available through Microsoft Update (using IE) or Automatic Update.

Google Chrome Update: Google has released Chrome 8.0.552.224 to address multiple vulnerabilities. These vulnerabilities allow a cyber criminal to take control of a user's system and steal sensitive information or cause a denial-of-service condition. Users can get the Google Chrome update here.

F-Secure Anti-Virus Products: A vulnerability has been reported in various F-Secure products which can be exploited to compromise a user's system and steal sensitive information. Updates are distributed automatically by the update system.Users should make sure they are running the latest version.

Adobe PhotoShop Update: A critical vulnerability has been discovered in Adobe PhotoShop. A cyber criminal can exploit the vulnerability to take control of a user's system and steal sensitive information. The vulnerability has been confirmed in CS4 and CS5 for Windows. Other versions may also be affected. Users should apply Adobe Photoshop 12.0.3 update for Adobe Photoshop CS5.

Apple AirPort Updates: Apple has released AirPort Utility 5.5.2 for Mac and Windows to fix security vulnerabilities. Apple has also fixed security vulnerabilities in its newly released AirPort Base Station and Time Capsule firmware update 7.5.2. Users can download these updates from Apple's Downloads page.

iTunes Update: Apple has released iTunes 10.1.1 which fixes several performance and security vulnerabilities.

Important Vulnerabilities.

Symantec Antivirus Alert Management System Vulnerability: A vulnerability has been reported in Symantec Antivirus, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is reported in Symantec Antivirus Corporate Edition 10.1.4.4010. Other versions may also be affected. No patch is available at this time.

Opera: Multiple vulnerabilities have been reported in Opera some of which can be exploited by malicious people to disclose potentially sensitive information and manipulate data. The vulnerabilities are reported in versions prior to 11.00. Users should upgrade to version 11.00 which can be found here.

Microsoft Internet Explorer Vulnerability: On the same day that Microsoft finally fixed the security vulnerabilities that we had listed on our blog for a month, a new critical vulnerability has been discovered in Internet Explorer, which can be exploited by malicious people to compromise a user's system and steal sensitive information. The vulnerability is confirmed in Internet Explorer 7 and 8 on a fully patched Windows XP SP3 system. We suggest running the latest version of Firefox with the NoScript add-on as an alternative to IE.

RealPlayer Vulnerabilities: Twenty eight critical security vulnerabilities have been found in earlier versions of RealPlayer. Windows users want to make sure they are running RealPlayer 14.0.0 or later. Mac users should make sure they are running version 12.0.0.1548 or later.

BlackBerry Vulnerabilities: RIM has released a security advisory to address a vulnerability that allow a cyber criminal to take control of a user's BlackBerry and steal sensitive information or cause a denial-of-service condition. Users should alert their IT staff to BlackBerry server security advisory KB24761 so that they may apply necessary updates to help mitigate these risks. Vulnerabilities in BlackBerry Desktop Software have been discovered. Windows users should make sure they are running BlackBerry Desktop Software version 6.0.1 or later. Macintosh users should make sure they are running BlackBerry Desktop Software version 2.0 or later.

If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.

Weekend Vulnerability and Patch Report, December 10, 2010

2010-12-11T15:38:00.000-08:00

The following software updates were released last week. Citadel strongly recommends that readers upgrade these programs on their computers.

Apple QuickTime Update: Apple has released QuickTime version 7.6.9. This update fixes 15 highly critical security vulnerabilities that a cyber criminal can use to take control of a user's system and steal sensitive information. Updates are available for both Mac and Windows versions of the program are available through Apple Downloads. Windows users can also download and install the update through the their iTunes or QuickTime Software Update feature. Mac users can update through the Mac's Software Update feature.

Firefox Update: Firefox has released version 3.6.13 fixing several highly critical security vulnerabilities that a cyber criminal can use to take control of a user's system and steal sensitive information. Users can update by going to "Help/Check for Updates" on the Taskbar.

WordPress Update: A week after releasing 3.0.2, WordPress has released version 3.0.3 to address a highly critical vulnerability that allows a cyber criminal to change or delete a web site built in WordPress. A cyber criminal could also exploit the vulnerability to attack the computers of visitors to the web site. Users will want to notify their web master to upgrade to version 3.0.3. Users whose website has been built using Joomla will also want to notify their webmaster of two newly discovered Joomla vulnerabilities in that popular content management system.

Apple MacBook Firmware Update: Apple has released a firmware update to its 11-inch and 13-inch MacBook Air models.According to Apple, the "update resolves a rare issue where MacBook Air boots or wakes to a black screen or becomes unresponsive." While not a security update, users will want to update. Users can download the update here.

Important Vulnerabilities.

Microsoft Patch Tuesday: Microsoft is scheduled to release its monthly updates this coming Tuesday. Let's hope the IE Vulnerability we've been writing about is on the list. Make sure your PC gets updated.

Google Earth: A vulnerability has been discovered in Google Earth, which can be exploited by malicious people to to take control of a user's system. The vulnerability is confirmed in version 5.1.3533.1731. Users want to make sure they are running version 6.0.

Citrix Web Interface Vulnerability: A vulnerability has been found affecting versions 5.0, 5.1, and 5.3. The vulnerability does not affect version 5.4. You most likely want to update but check with IT staff before doing so.

If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.

Weekend Vulnerability and Patch Report, December 3, 2010

2010-12-05T13:18:00.000-08:00

The following software updates were released last week. Citadel strongly recommends that readers upgrade these programs on their computers.

McAfee VirusScan Enterprise: A highly critical vulnerability has been found in McAfee VirusScan Enterprise, which can be exploited by malicious people to compromise a user's system. The vulnerability is confirmed in version 8.5.0i. Other versions may also be affected. The vulnerability has been fixed in McAfee VirusScan version 8.7i and later.

Google Chrome: Google has released version 8.0.552.215 to fix multiple vulnerabilities in Google Chrome 7.x. The latest version of Chrome is available here.

WordPress 3.0.2: WordPress has released WordPress 3.0.2 to address multiple security vulnerabilities. The new version is available here.

D-Link DIR-615: Moderately critical vulnerabilities have been found in this popular wireless router. The vulnerabilities have been found in firmware versions prior to revision D.4-13B01. Users should update their routers to the latest firmware version. Information from D-Link on how to upgrade the firmware on the DIR-615 line of routers can be found here.

News of Important Vulnerabilities.

CA Internet Security Suite Plus 2010: A vulnerability has has been discovered in CA Internet Security Suite Plus which can be exploited by malicious, local users to gain escalated privileges. No patch is available at this time.

Palm Pre WebOS: Dark Reading reports a moderately critical vulnerability has been found in WebOS 1.4.x versions. According to Secunia, this vulnerability has reportedly been fixed in WebOS 2.0 beta.We have no more information at this time. Palm's web-site is here.

Kindle for PC: A vulnerability has been discovered in the Kindle for PC program 1.x. According to Secunia, no patch is available at this time. Users are cautioned to only open files from trusted sources.

Adobe Reader: If you have not yet updated to Adobe Reader X (as we recommended last week), you should do so now. You can download Reader X using the Adobe Download Manager from the Adobe Reader web site. To avoid the Download Manager with its attempt to get you to download other software as well, Windows users can download Windows Reader X here while Mac users can download Mac Reader X here.

Microsoft Internet Explorer: Microsoft has still not issued an update to fix a zero-day highly critical vulnerability in Internet Explorer that, according to KrebsOnSecurity.com, cyber criminals are exploiting to break into Windows computers.We suggest running the latest version of Firefox with the NoScript add-on as an alternative to IE.

If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.

WikiLeaks Exposes "Vast Hacking by a China Fearful of the Web"

2010-12-04T22:04:00.000-08:00

We began covering the Chinese hack into Google and other western companies on our blog last March. An article in the New York Times based on an analysis of cables released by WikiLeaks provides a fascinating look at Chinese cyber espionage as seen through the eyes of the American government.

Personal Guide to Staying Safe Online

2010-12-01T23:31:00.000-08:00

Cyber criminals want your bank account and credit card numbers so they can take your money and use your credit while stiffing you with the bill. They want your social security number so they can apply for credit in your name, stealing your identity. They have even begun selling stolen medical insurance information.

Cybercriminals steal your sensitive personal information by taking control of your computer. This control also lets them install rogue programs on your computer, turning your computer into a zombie under their control—the cyber-equivalent of Night of the Living Dead. Even reasonably well-protected computers can be turned into computer-zombies if users unwittingly click on Internet links, visit sabotaged web-sites or open attachments on emails.

The consequences of having your computer turned into a zombie under the control of a cyber criminal can be devastating. Just ask the owner of the escrow company in Redondo Beach after cyber criminals withdrew $400,000 from her bank account using the firm’s on-line bank id and password which they stole after turning her computer into a zombie. You can read about her and other victims of on-line bank fraud indexed under Financial Systems Security on our blog: http://blog.citadel-information.com.

Online bank fraud is just one of the ways cyber criminals can make money from turning your computer into a computer-zombie. Besides stealing your credit card numbers and the login credentials to your online bank and brokerage accounts, these cyber criminals also display annoying pop-up ads on your computer, send spam from your computer and use your computer to commit a wide variety of sophisticated computer crimes.

Cybercriminals take control of your computer by exploiting four weaknesses:

Every computer program running on your computer has subtle programming errors (vulnerabilities) that cybercriminals exploit to take control of your computer.
Legitimate internet web sites often fail to prevent cybercriminals from installing malicious programs on their web sites. When you visit these sites, these malicious programs silently install Trojan horses and other malware on your computer.
Default settings for many computer programs make it easy for cyber criminals to take control of your computer.
Users often don’t know what they need to do to minimize the dangers and risks of cybercrime, particularly the need for defense-in-depth.

Defense Strategy 1: Keep Cybercriminals Off Your Computer

Keep Systems Patched: Software manufacturers issue program updates containing patches to fix known vulnerabilities. Set Microsoft Windows and Office to automatically update. Manually update other programs like Adobe Acrobat, iTunes, Flash and Java. We list available updates for some of the more common programs in our Weekly Patch and Vulnerability Report, available on our blog: http://blog.citadel-information.com.
Limit Exposure: Create separate accounts for all family members. This is done in the Control Panel. Set account type to “Limited” unless the account needs to run programs as “Administrator.” This will make it harder for cybercriminals to install malware on your computer.
Protect Your Desktop: Install a reputable antivirus / antispyware product & keep it up-to-date. If you’re technical, run Firefox with the NoScript add-on inside of sandboxie and install a host intrusion prevention system. Sophisticated cybercriminals can get past basic antivirus/antispyware software. Antivirus is necessary. It is not sufficient.
Secure Your WiFi: If you have a wireless network, encrypt it with WPA2 encryption. Otherwise anyone near you can eavesdrop on your communications and piggy-back on your connection.
Stay Away from P2P Networks: Don’t run Peer-to-Peer or other file sharing programs, such as Kazaa, Limewire or BitTorrent. These networks provide strangers access to your computer.
Beware of Scams, 1: Don’t click on web-site ads or pop-ups offering to scan your computer for free. Cybercriminals love to take advantage of people’s fear of getting a virus. Instead of scanning your computer, these programs will infect it. Always be wary.
Beware of Scams, 2: Don’t open unusual or unexpected attachments, not even from people you know. It’s easy to send an email so it looks like it came from someone else. Also, how do you know your friend’s computer hasn’t been taken over? Always be wary.
Beware of Scams, 3: Don’t follow links in unfamiliar or unusual emails, especially those requesting your user names, passwords, or financial information. A SPAM filter can help you avoid these e-mails but you must be on guard for emails that get past your SPAM filter. Always be wary.

Defense Strategy 2: Be Careful With Your Financial Information On-Line

Don’t send your Social Security Number, bank account numbers or credit card numbers in unencrypted email.
Use different strong passwords [8+ characters, upper & lower case, numbers, characters] for all eCommerce websites. Use Password Safe or RoboForm to securely manage online passwords.
Only buy on-line from merchants using SSL, which means the website address begins with https://. Look for the “lock” on the title bar of Internet Explorer or Firefox’s lower right corner.
Use a credit card rather than a debit card when shopping on-line. Link PayPal to your credit card, not your bank account. Federal law limits your credit card exposure to $50. There is no corresponding limit if you use a debit card (even though many banks cover debit card fraud).

Defense Strategy 3: Protect Your Information Away from Home

Keep your laptop with you at all times. Never leave it unattended in your car.
Keep WiFi and Bluetooth turned off except when you are using them.
Encrypt the hard drive of your laptop, protecting it with a strong 15+ character passphrase. If you lose the laptop, the information is still safe. You can get free encryption software at http://www.truecrypt.org/.
Never use a public computer, Kiosk, or public WiFi for online banking, shopping or to access sensitive information. Since you don’t know how secure these are, prudence requires you to assume they are insecure.

Defense Strategy 4: Watch Your Credit

Subscribe to a basic credit monitoring service (AAA California offers members a free service)
Regularly review your bank, credit card and investment accounts for fraudulent activity.

Defense Strategy 5: Better Safe Than Sorry

Always think about the information you are giving out.
When in doubt, don’t.
Stay up-to-date by reading our blog: http://blog.citadel-information.com.

Weekend Vulnerability and Patch Report, November 26, 2010

2010-11-28T11:42:00.000-08:00

The following software updates were released last week. Citadel strongly recommends that readers upgrade these programs on their computers.

Adobe Reader: Adobe has released Reader X. This follows repeated security problems with previous versions of Reader. The new Reader should be more secure than earlier versions as it has been built using advanced "sandbox" technology. You can download Reader X using the Adobe Download Manager from the Adobe Reader web site. To avoid the Download Manager with its attempt to get you to download other software as well, Windows users can download Windows Reader X here while Mac users can download Mac Reader X here.

Apple iOS: Apple has released iOS 4.2 for for the iPhone, iPad and iTouch. In addition to improved performance, this update fixes several security vulnerabilities. These updates are available during synchronization.

Trend Micro: TrendMicro has released an update to OfficeScan 10.x. The update fixes a vulnerability that put users at risk of a cyber criminal taking full control of their computer.

News of Important Vulnerabilities.

Microsoft Internet Explorer: Microsoft has still not issued an update to fix a zero-day highly critical vulnerability in Internet Explorer that, according to KrebsOnSecurity.com, cyber criminals are exploiting to break into Windows computers.We suggest running the latest version of Firefox with the NoScript add-on as an alternative to IE.

If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.

Bank sued over $440K Cyber Theft

2010-11-23T21:19:00.000-08:00

KrebsOnSecurity.com is reporting that Choice Escrow and Land Title, an escrow firm in Missouri, is suing its bank, BancorpSouth Inc., to recover $440,000 that organized cyber thieves stole in an online robbery earlier this year, claiming the bank’s reliance on passwords to secure high-dollar transactions failed to measure up to federal e-banking security guidelines.

The epidemic of on-line bank fraud by cyber criminals succeeds because

Security procedures at too many businesses fail to prevent the compromise of workstations. This leads to the compromise of online bank credentials which the cyber criminal uses to commit fraud.
ACH transfer security procedures at too many banks fail the test of "commercial reasonableness."

In our role of assisting clients with cyber security management, we have seen first-hand how too many companies (i) fail to provide effective awareness training to staff to meet the cyber crime challenge and (ii) fail to impose rigorous security requirements on the management of their IT infrastructures.

We have also had the opportunity to see first-hand how easy it is for a bank to fail to meet the standard of commercial reasonableness of its ACH security procedures.

Failing to consider the wishes of its customer expressed to the bank.
Failing to consider the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank.
Failing to implement security procedures in general use by customers and receiving banks similarly situated.

We echo Krebs' warning that "The attack is the latest reminder that small businesses should assume that they are completely responsible for the security of their online transactions: Businesses do not enjoy the same legal protections afforded to consumers, and thus are responsible for any losses due to cyber theft or fraud."

Weekend Vulnerability and Patch Report, November 19, 2010

2010-11-20T15:17:00.000-08:00

The following software updates were released last week. Citadel strongly recommends that readers upgrade these programs on their computers.

Apple Safari: Apple has released Safari 5.0.3 and 4.1.3 to address multiple vulnerabilities in the Safari and WebKit packages. Because of these vulnerabilities, users are at risk of a cyber criminal taking full control of their computer. See Apple article HT4455 for more information.

Adobe Reader and Acrobat: Adobe has released security updates for Reader and Acrobat for Windows and Macintosh. These updates address multiple vulnerabilities that put users at risk of a cyber criminal taking full control of their computer. See Adobe Bulletin APSB10-28 for additional information.

Mac OS X: Apple has released Mac OS X v10.6.5 and Security Update 2010-007 to address multiple highly critical vulnerabilities in OS X. Mac users should install these. These updates are available on Apple's Downloads page and we urge all users to apply them.

News of Important Vulnerabilities.

RealPlayer: RealPlayer users should make sure they are running version 14.0.1.609 or later as serious vulnerabilities have been found in some earlier versions.

WordPress: For those of you with web sites coded in the popular WordPress, Secunia has announced that an extremely serious security vulnerability has been found in the WordPress' Event Registration Plugin. (This follows the announcement last week of 6 serious WordPress vulnerabilities.) The vulnerability has the potential to allow a cyber criminal full access to any databases connected to a web site using the plug-in. Insist your web-master takes steps to protect any of your sensitive information that this vulnerability puts at risk. Direct your web-master to Secunia Advisory SA42265 for more information.

If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.

Beware of Holiday Season Phishing Scams and Malware Campaigns

2010-11-18T19:18:00.000-08:00

US-CERT is receiving reports of an increased number of phishing scams and malicious software campaigns that take advantage of the winter holiday and holiday shopping season. We urge users to be on their guard, mindful of the potential that an email message could be part of a potential phishing scam or malware campaign.

Users are urged to be sensitive to:

Electronic greeting cards that may contain malware
Requests for charitable contributions that may be phishing scams and may originate from Illegitimate sources claiming to be charities
Movie clips, screensavers or other forms of media that may contain malware
Credit card applications that may be phishing scams or identity theft attempts
Online shopping advertisements that may be phishing scams or identity theft attempts from bogus retailers

We strongly urge users to protect themselves during the holiday season:

Don't follow unsolicited web links in email messages. Consider running Firefox with the No-Script Add-in.
Use caution when opening email attachments; Is the email from someone you know? Was the email expected? When in doubt, Don't.
Maintain up-to-date antivirus and anti-spyware software.
Keep your systems patched. Be careful of the latest vulnerabilities. Follow our Weekly Vulnerability and Patch Report, published on our blog, Citadel on Security.

The Great Cyberheist

2010-11-14T15:01:00.000-08:00

The New York Times Magazine: "One night in July 2003, a little before midnight, a plainclothes N.Y.P.D. detective, investigating a series of car thefts in upper Manhattan, followed a suspicious-looking young man with long, stringy hair and a nose ring into the A.T.M. lobby of a bank. Pretending to use one of the machines, the detective watched as the man pulled a debit card from his pocket and withdrew hundreds of dollars in cash. Then he pulled out another card and did the same thing. Then another, and another. The guy wasn’t stealing cars, but the detective figured he was stealing something."

"Indeed, the young man was in the act of “cashing out,” as he would later admit. He had programmed a stack of blank debit cards with stolen card numbers and was withdrawing as much cash as he could from each account. He was doing this just before 12 a.m., because that’s when daily withdrawal limits end, and a “casher” can double his take with another withdrawal a few minutes later. To throw off anyone who might later look at surveillance footage, the young man was wearing a woman’s wig and a costume-jewelry nose ring. The detective asked his name, and though the man went by many aliases on the Internet — sometimes he was cumbajohny, sometimes segvec, but his favorite was soupnazi — he politely told the truth. “Albert Gonzalez,” he said."

...

"Over the course of several years, during much of which he worked for the government, Gonzalez and his crew of hackers and other affiliates gained access to roughly 180 million payment-card accounts from the customer databases of some of the most well known corporations in America: OfficeMax, BJ’s Wholesale Club, Dave & Buster’s restaurants, the T. J. Maxx and Marshalls clothing chains. They hacked into Target, Barnes & Noble, JCPenney, Sports Authority, Boston Market and 7-Eleven’s bank-machine network. In the words of the chief prosecutor in Gonzalez’s case, 'The sheer extent of the human victimization caused by Gonzalez and his organization is unparalleled.'"

Click here to read the fascinating story of master cyber-thief, Albert Gonzalez.

Thanks to Dr. Andrea Belz for alerting us to this story.

Weekend Vulnerability and Patch Report, November 12, 2010

2010-11-14T14:50:00.000-08:00

Microsoft Windows & Office: This month's Patch Tuesday fixed more than 11 security flaws in Microsoft products. One patch fixes a highly critical vulnerability that could allow a cyber criminal to gain control of a user's computer simply by having the user view an email in Outlook's Preview Pane. We strongly recommend all home users make sure that automatic updates is turned on so these and other Microsoft patches will be downloaded and installed automatically. All other things being equal business computers should also have automatic updates turned on, except sometimes the IT department has to manage these updates differently.

Microsoft did not issue an update to fix a zero-day highly critical vulnerability in Internet Explorer that, according to KrebsOnSecurity.com, cyber criminals are exploiting to break into Windows computers.We suggest running the latest version of Firefox with the NoScript add-on as an alternative to IE.

Mac OS X: Apple has issued several updates to patch highly critical vulnerabilities in OS X. Mac users should install these. These are available on Apple's Downloads page and we urge all users to apply them.

iTunes / QuickTime: Users should download and install iTunes 10.1 which includes Apple's QuickTime 7.6.8. Don't be lulled into a false sense of security though. Secunia has announced that a highly critical 0-day vulnerability has already been discovered in the new QuickTime version 7.6.8.

PayPal for iPhone: PayPal has issued an update fixing a relatively minor security vulnerability in it's iPhone app. We suggest users update to the latest version.

WordPress: For those of you with web sites coded in WordPress, Secunia has announced a number of security vulnerabilities in various WordPress plug-ins. Direct your web-masters to Secunia's web-site for more information.

If you are responsible for keeping your computer secure, this is for you. If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that "exploit" vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they will issue an update patch to fix the code running in their customer's computers.

The Weekend Vulnerability and Patch Report is intended to raise user awareness to cyber security challenges by alerting them to some of the week's important vulnerability news and updates.

Map of Online Bank Fraud Victims — Updated 11/11/10

2010-11-12T22:29:00.000-08:00

Here's an updated map of known businesses and other organizations which have been victims of online bank fraud. Among the victims in the Southern California:

Genlabs in Chino, CA had $437,000 stolen
Zico USA in La Puente lost $150,000
Village View Escrow in Redondo Beach had $465,000 stolen.

Thanks to KrebsOnSecurity.com for alerting us to this.

New Mobile Banking Flaws Demonstrate Buyers Must Be Skeptical About Security Claims

2010-11-10T14:35:00.000-08:00

In our latest Weekend Patch and Vulnerability Report, we warned readers that significant vulnerabilities had been discovered in mobile banking applications from USAA, Chase, Wells Fargo, Bank of America, and TD Ameritrade. According to The Wall Street Journal and Yahoo News, the vulnerabilities discovered by viaForensics could potentially allow a hacker to learn your username, password, and financial information. Information could be stolen just by visiting a malicious website.

The report that critical vulnerabilities had been found in mobile banking applications brought to mind my blog post last September when I discussed the wisdom of mobile online banking with my friend, Biz Coach, Terry Corbell. In my interview with Terry on his blog I had said “I recommend that consumers ignore any and all attempts to induce them to use their phones for online banking.”

Needless to say, Terry received a scathing comment to that blog post from a marketing representative in the mobile banking industry. The commenter was absolutely positively certain that mobile banking was secure, that the software had been thoroughly tested and vetted, and that I didn't know what I was talking about.

With this week's story, it turns out that I was the one who knew what he was talking about not the mobile banking guy. But this blog isn't about who's right and who's wrong. This blog is about learning from experience, particularly that when it comes to cyber security we all need to be a lot more intellectually humble when we talk about how secure something is.

Right now, the cyber criminals are winning. They are winning in part because too many people have a false sense of their own security. They have this false sense of security because they haven't "been there, done that." I have.

For me it was a no-brainer that significant security vulnerabilities were going to be found in mobile banking applications. I had worked for several years in the Aerospace industry securing critical national security software. Before that I had been a research mathematician studying the logic of computer programs. And, as Yogi Berra said, "You can observe a lot just by watching."

I can remember the day we found a critical vulnerability in Cruise missile software that might have kept us from successfully responding to a nuclear attack. I know the managerial, political and especially intellectual challenges we went through to be in a position to catch that mistake. And that's just one example of how experience has taught me that writing high quality software is incredibly challenging (and expensive).

We're taught that pride goeth before the fall. That is certainly true in the battle against cyber crime. That's why perhaps the most important thing I learned in trying to prevent, find and fix critical logic errors in complex software is intellectual humility.

Intellectual humility is the ability to suspend our own belief in something we normally believe in, like the attorney hiring another attorney to find weaknesses in his argument or the doctor seeking a second opinion to look for holes in his diagnosis.

Most of us develop a normal amount of intellectual humility in those areas of our greatest expertise. We understand and appreciate just how hard it is to do the things that we are accustomed to doing and we learn through experience how to pay detailed attention to the things we need to do to do our job.

The challenge is that, human nature being what it seems to be, our intellectual humility doesn't easily carry over to domains where we lack firsthand knowledge and experience. We tend to over-simplify in those places we know little about. This isn't usually a problem: any intellectual humility I might lack regarding how dangerous lions are is mitigated by the fact that I am under no threat from a lion. Unfortunately, when it comes to cyber security, because we're all on the Internet it's as if the lion is right next door. And he's hungry.

We can't expect a marketing representative in the mobile banking industry to have tested communications software controlling our nuclear missiles any more than we can expect the CEO of a bank to have written cyber security software requirements for an advanced military intelligence system. Nor can we expect the people who run our business IT networks to have the same sensitivity to security that we had 25 years ago when we designed a secure network for the Strategic Air Command.

You can see where the danger is in this since these are the same people who influence (and often make) buying decisions about software that we use to manage money and sensitive information; software that has to be adequately secure to protect the money and information it touches. And, lacking the experience, these otherwise well-meaning men and women don't understand the necessity of being intellectually humble in the presence of complex software.

That's why people who have to make decisions about cyber security management must maintain their own healthy skepticism, resisting any temptation they may have to believe cyber security claims, whether from marketing people, their banks or their own internal IT staff. Ronald Reagan is famous for saying: "Trust. But verify." Do him one better: drop the trust.

© Copyright 2010. Citadel Information Group. All Rights Reserved.

Weekend Vulnerability and Patch Report, November 5, 2010

2010-11-07T14:36:00.000-08:00

Adobe Update for Flash Player: Adobe has now fixed the 0-day Flash vulnerability we reported last week. This update fixes 18 different security holes. Readers are urged to update their Flash version to v 10.1.102.64. Updates are available for Windows, Macintosh, Linux, and Solaris versions of Flash. If you use Internet Explorer in addition to other browsers, you will need to apply this update twice: Once to install the Flash Active X plugin for IE, and again to update other browsers, such as Firefox or Google Chrome. The new version is available from this link, but be aware that if you accept all of the default settings, the update may include additional software, such as a toolbar or anti-virus scanner.

Microsoft Warns of New IE 0-Day Vulnerability: Microsoft warned Internet Explorer users that attackers are exploiting a previously unknown security hole in their browser to install malicious software on user workstations. User workstations can be compromised simply by visiting a compromised web site. (Compromised web sites are all-too-common. See our blog post of April 19: Visitors to Web Sites Hosted by Network Solutions Again at Risk and August 16: Network Solutions Once Again Serves Up Malware.) Hopefully Microsoft will update IE on this week's Patch Tuesday. We recommend using Firefox with the No-Script add-on for Internet browsing, particularly until this 0-day is patched.

Mobile Banking Security Holes Discovered; Great Caution Urged: Be very careful if you access your bank account from your iPhone or Android. Security research firm viaForensics reports that mobile apps from USAA, Chase, Wells Fargo, Bank of America, and TD Ameritrade have major security holes. The bugs could potentially allow a hacker to learn your username, password, and financial information. Information could be stolen just by visiting a malicious website. According to The Wall Street Journal and Yahoo News, Wells Fargo and USAA have already released updates, Bank of America should have an update out in the next few days, and TD Ameritrade will fix the issue in the next 30 days. We continue to urge great caution in mobile online banking. If you don't absolutely need it, don't use it. Readers who must use mobile online banking are urged to upgrade their online bank apps as quickly as upgrades become available.

Beware of ThinkPoint and Other Fake Anti-Virus Products: A small business we know was recently infected with ThinkPoint. It was delivered via a fake Microsoft Security Essentials Alert that was clicked on by an unsuspecting employee. Once installed, ThinkPoint tried to prevent the company from using the workstation until it paid money to buy a licensed version of useless software. ThinkPoint is just one more reminder of how users must be extremely careful what they allow to run on their computers. Don't trust a reminder to upgrade or install software unless you're sure it's legit. Set Microsoft to update automatically. Check Adobe products regularly. Follow our alerts. Better safe than sorry.

Weekend Vulnerability and Patch Report, October 29, 2010

2010-10-29T17:10:00.000-07:00

Adobe Shockwave Update: Adobe has released a critical update for its shockwave player. The shockwave patch plugs 11 different security holes affecting both Windows and Mac computers. Readers should update to the newest Adobe Shockwave Player.

Adobe Advisory for Flash Player, Acrobat Reader and Acrobat: Adobe has issued a security advisory that a new 0-day vulnerability has been found affecting all these products. The vulnerability affects these Adobe products on Windows, Mac and other operating systems. Readers are urged to be cautious until Adobe issues a patch for this vulnerability. We will alert readers to the patch when it is released.

Facebook Users Under Attack: According to KrebsOnSecurity.com, Facebook users running Mac OS X are being attacked by a new version of the Koobface worm. The attack uses a malicious Java applet. In order for the attack to succeed the user must OK a prompt to download and install the malicious software. Readers are urged to be cautious in allowing Facebook applets to run. Readers should also make sure the have the latest version of Java running on their Mac.

Firefox Update: Firefox has been updated to version 3.6.12. The program and its predecessor 3.6.11 (also released this week) fix 10 security vulnerabilities, many critical. Readers should update to the newest version.

Weekend Patch Report, Oct 22, 2010

2010-10-22T17:53:00.000-07:00

RealPlayer: RealPlayer has released a product upgrade that fixes several critical vulnerabilities. The latest versions are available here. (October 20).

Microsoft Windows & Office: This month's Patch Tuesday fixed a record 49 security holes. Always install Microsoft patches. Home computers should have automatic updates turned on. All other things being equal so should business computers, except sometimes the IT department has to manage these updates differently. (October 12)

Java: This is a critical update. Microsoft has issued a warning that it is seeing a huge increase in attacks against security vulnerabilities in Java. When you are on the Internet, Java is running. Make sure to install this update. (October 12)

Adobe Reader & Acrobat: This critical update plugs at least 23 holes in the Adobe PDF Reader and Acrobat software, including two vulnerabilities that are being actively exploited by cyber criminals. Update your program while running it. "Check for Updates" is on the drop-down list under "Help." (Oct 5)

If you are responsible for keeping your computer secure, this is for you. If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Patch Report to them and following up to make sure your computer has been patched.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that "exploit" vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). Just like DNA, every program has hidden flaws, or vulnerabilities, in its code. When software companies find a vulnerability, they will issue an update patch to fix the code running in their customer's computers.

It is the user's responsibility to make sure update patches are installed. Home users usually have to do this themselves. Users working in offices may have IT staff to do this for them, but even here, Citadel recommends strongly that users take the initiative to check that updates are being installed on their computers.

The Weekend Patch report is intended to raise user awareness to the challenges of vulnerability management by alerting them to some of the week's important update patches. We do this to help users get the knowledge they need to take the necessary initiative in making sure the security of their computers is being effectively managed.

Internet Teleconferencing: A Security Concern?

2010-10-20T09:10:00.000-07:00

A colleague asked me whether he should be concerned about the security of teleconferencing websites, like Webex and GoToMeeting. [We regularly use both Webex and GoToMeeting.]

My colleague is right to be concerned as there are several “vulnerability points” in Internet teleconferencing, particularly when video, voice and (potentially sensitive) data is being passed around the internet. [As a sidebar: I designed the security test plan in the mid-1980s on a White House project to provide highly secure emergency teleconferencing between the White House, several cabinet secretaries, and various DoD components.]

First, the good news: I asked my friend and technology expert, Jason Lidow, President of The DigiTrust Group, if they were seeing attacks coming through teleconferencing sites and he said no. Jason’s got a very sensitive pulse on cyber attacks so if he says he’s not seeing them, there’s a pretty good bet that they aren’t there in any meaningful amount. Far better to spend scarce cyber security dollars managing the stuff that’s here and now.

That said, there are a few basics that everyone should always pay attention to given the fact that all of the information being communicated is being sent out over the Internet. The Internet is like the roads in the early west; robbers might be found behind any rock. That’s why the basic foundational principle of cyber security is “Assume nothing is secure if you aren’t actively managing it or assessing it. And even then, be cautious.”

So starting from the perspective of never taking security for granted, here’s a few of the things I would pay attention to when considering a teleconferencing provider:

1. Is all teleconferencing encrypted in transmission? Does the URL begin with https://? This is what keeps communications private during the time the bits are traveling around the Internet. Encryption protects the communication from the cyber equivalent of wire tapping. If the answer to this question is “No,” then find another solution. If all you’re doing is videoconferencing, with no Power Points or QuickBook reports or other data being transmited, then a “yes” answer here is most likely good enough [unless you need to talk securely to the Fed].

2. What communications (data, video, voice) are being passed through the server? (The less the better.) Are communications being stored on teleconference servers. A “No” answer is better than a “Yes” answer.All other things being equal, I’d select the company that is able to meet your teleconferencing needs without getting its servers involved over the company whose servers process and, perhaps store, your sensitive information. I’d pay attention to this but I wouldn’t sweat it.

3. The third thing I’d pay attention to is more dangerous, more subtle, and more strategic, which also makes it more important. This, I sweat over. Here’s the situation: In order for you to show a PowerPoint from your computer to a person or persons at other computers (whether in the building next door or halfway around the world), a software program on your computer must take your PowerPoint, send it out of your computer over the Internet, directing that PowerPoint to the other participants in the teleconference.

For a few technical reasons, it’s not prudent to assume that the software program doing all this teleconferencing work is behaving properly; it’s far more prudent to assume that the software is capable of behaving maliciously, stealing your information or even taking over your PC.

This risk is a generic one affecting every program on your computer. [Sidebar: Every modern complex computer program has software vulnerabilities. This fact is a consequence of (i) the mathematical complexity of computer programming and (ii) the economics of software engineering.] Cybercriminals exploit these vulnerabilities to attack computers on which the program is running. Standard anti-virus, anti-malware solutions manage a piece of the problem. So does patching, keeping software up-to-date with updates that fix known vulnerabilities. An emerging class of solutions in this space—replacing increasingly ineffective anti-virus and anti-spyware software—are called “host intrusion prevention systems.” These systems are capable of actually recognizing a cyber attack and blocking it, something anti-virus anti-spyware solutions can’t do. Several of our clients have installed professionally-managed host intrusion prevention systems as these have become increasingly affordable to small and medium-sized businesses.

The second piece of managing this risk is to prefer—again all other things being equal—software from well known reputable companies with a history of taking security seriously and a positive leadership position in the industry.

That why we use Cisco’s Webex for our teleconferencing. It is a little more expensive but I feel I know what I’m getting, I know the seriousness with which Cisco takes security and the security talent they possess, and I’m confident that they’ll be there should something go wrong. I’ve never heard of tukbox, the program my colleague asked about,so can render no opinion.

One more thing to wrap-up this perhaps overly-long post. It’s important not to neglect the “human side” of security. Everybody needs to think about what they say or put on a PowerPoint; even what’s visible over the camera over someone’s shoulder. Ask yourselves questions like “What can we do to minimize the amount of sensitive data being sent over the Internet?” One strategy, for example, would be for voice communications to take place over regular land lines or a totally separate secure digital line. With this strategy, participants all agree that the ‘really sensitive information’ is to be talked about but not shown on shared PowerPoints, etc.

This is the most important strategic recommendation: That everyone keep thinking about cyber security.

Critical Security Updates Available for Adobe Acrobat/Reader

2010-10-05T18:42:00.000-07:00

Adobe has announced that critical updates are now available for the Adobe Acrobat/Reader vulnerabilities we described in our blog post of September 8: Cybercriminals Exploit New 0-Day Adobe Acrobat/Reader Vulnerability.

We strongly recommend that users immediately update their Adobe Acrobat and Reader programs. To do so, open the Adobe Acrobat or Adobe Reader program, click on 'Help' and then 'Check for Updates."

Hackers Steal $600,000 from Brigantine, NJ

2010-10-04T19:47:00.000-07:00

KrebsOnSecurity.com reports that "organized cyber thieves took roughly $600,000 from the coastal city of Brigantine, New Jersey this week after stealing the city’s online banking credentials. ... Brigantine City officials said the incident began sometime before 6 p.m. on September 28th, when TD Bank notified city finance officers that multiple wire transfers had been made from its accounts. Brigantine Police’s Lt. James Bennett said in a written statement:

“Unknown person(s) had apparently obtained a user name and password for the city’s main TD Bank account when our finance personnel attempted to login (through either a fake Web page or an undetectable virus). Then several wire transfers were started with amounts ranging from a few thousand to over $300,000, for a total of about $600,000. The last update from TD Bank was that they were able to recall approximately $400,000 in transfers and were working on recalling the remainder. The investigation is being handled by the FBI, New Jersey State Police with the Brigantine Police Department and TD Bank security.”

"Go Blue" Ends D.C. Online Voting Trial

2010-10-04T18:11:00.000-07:00

The Washington Post reports that—as part of a security test—a team of students from The University of Michigan hacked D.C.'s new Internet-based voting system. The "White Hat" hackers from Michigan compromised the system so that after a vote was cast the Web site played The University of Michigan fight song, "The Victors."

According to the Post, Jeremy Epstein, a computer scientist working with the Common Cause good-government nonprofit on online voting issues said "the fight song is a symptom of deeper vulnerabilities. ... In order to do that, they had to be able to change anything they wanted on the Web site."

Because of the hack, Paul Stenbjorn, the Board of Elections' chief technology officer said a portion of the Internet voting pilot—which was expected to be rolled out this month—is being temporarily scrapped.

The good news, of course, is that to ensure election integrity, D.C. took the opportunity to open its election web-site to community testing. That the vulnerability was found and exploited by a team of students from my Alma Mater is icing on the cake. That they rigged the system to play The Victors is the maraschino cherry on top. Go Blue!

The bad news—and one that every organization having a web site has to pay attention to—is that web-sites, like software everywhere, is buggy. That's why this story is a good reminder to all organizations of the importance of effectively managing cybersecurity risk.

October is National Cybersecurity Awareness Month

2010-10-01T00:15:00.000-07:00

October 2010 marks the seventh annual National Cybersecurity Awareness Month. This year's theme —Our Shared Responsibility—reflects two facts about cybersecurity:

1. The cybersecurity threat has become one of the most serious economic and national security challenges we face. America’s competitiveness and economic prosperity in the 21st century will depend on effective cybersecurity. Every business, not-for-profit, school, government organization and individual is at risk.

2. Every Internet user has a role to play in securing cyberspace and ensuring the safety of ourselves, our families, and our communities online.

Cybersecurity Awareness Month is sponsored by the National Cybersecurity Alliance (NCSA)—a nonprofit dedicated to fostering a culture of cybersecurity—along with the U.S. Department of Homeland Security and the Multi-State Information Sharing and Analysis Center, a cybersecurity prevention and protection collaboration for state and local governments.

As cybersecurity management consultants, Citadel Information Group is proud to join with the Los Angeles Chapter of the Information Systems Security Association, ISACA-LA, InfraGARD-Los Angeles, the LA Chapter of the Open Web Application Security Project (OWASP), and other Los Angeles information security organizations in working together to help keep our community safe from cybercrime.

Fake LinkedIn Emails Deliver Online Bank Theft Trojan Horse

2010-09-28T19:05:00.000-07:00

KrebsOnSecurity reports that a "major new malware spam campaign mimicking invites sent via business networking site LinkedIn.com leverages user trust and a kitchen sink of browser exploits in a bid to install the password-stealing ZeuS Trojan," a well-known Trojan horse used in online bank thefts.

Krebs continues: "The spam campaign began Monday morning, according to security experts at networking giant Cisco Systems, and for a while the fake LinkedIn invitations accounted for as much as 24 percent of all spam. Recipients who click links in the message are taken to a Web page that reads, “Please Waiting, 4 seconds,” and then sent on to Google.com. ... On the way to Google, however, the victim’s browser is silently passed through a site equipped with what appears to be the SEO Exploit Pack, a commercial crimeware kit that tries to exploit more than a dozen browser vulnerabilities in an attempt to install ZeuS."

This spam campaign is another illustration of how cybercriminals use social engineering to get users to take action (in this case clicking a link in an email) that bypasses normal defenses. As a general rule, it's a good idea to refuse to click on email links unless the sender is known to you. And even when you know the sender, you still must develop a new kind of "common sense" that recognizes the dangers associated with the Internet.

Security update available for Critical 0-Day Vulnerability in Adobe Flash Player

2010-09-20T18:56:00.000-07:00

Adobe has released a security update to the Flash vulnerability we reported last week (Adobe Issues Security Advisory for Critical 0-Day Flash Player Vulnerability).

Adobe recommends all users of Adobe Flash Player 10.1.82.76 and earlier versions upgrade to the newest version 10.1.85.3 by downloading it from the Adobe Flash Player Download Center or by installing it via the auto-update mechanism within the product when prompted.

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

Interpol Says Cybercrime is "World's Most Dangerous Criminal Threat"

2010-09-17T21:10:00.000-07:00

Concerned with the growing threat from an estimated $105-billion-dollar illegal business, 300 top law enforcement officials from 56 countries met in Hong King for the first ever national police anti-cybercrime conference.

Ronald K. Noble, secretary general of the Interpol, told the assembled law enforcement officials that "considering the anonymity of cyberspace, it may in fact be one of the most dangerous criminal threats we will ever face."

More on this story is available from Yahoo News.

Adobe Issues Security Advisory for Critical 0-Day Flash Player Vulnerability

2010-09-13T18:50:00.000-07:00

Adobe has announced a critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability (CVE-2010-2884) could allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows.

As attacks exploiting this vulnerability are likely to get by anti-virus and anti-malware defenses, users should consider installing advanced intrusion-prevention technology capable of blocking 0-day attacks.

Cybercriminals Exploit New 0-Day Adobe Acrobat/Reader Vulnerability

2010-09-08T18:37:00.000-07:00

Adobe has announced that a critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX. The vulnerability is also present in Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh.

The vulnerability (CVE-2010-2883) could allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.

Users are advised to take extra precautions in opening Adobe PDF files. As attacks exploiting this vulnerability are likely to get by anti-virus and anti-malware defenses, users should consider installing advanced intrusion-prevention technology capable of blocking 0-day attacks.

What's More Powerful than a Strong Password?

2010-09-04T23:22:00.000-07:00

Keyloggers are computer programs that capture every keystroke a user types. This includes user-ids and passwords to sensitive information, like a user's online bank account. When used by cybercriminals, these captured keystrokes are secretly transmitted back to the cybercriminal for their own dishonest use.

It was a keylogger that enabled cybercriminals to steal $400,000 from Village View Escrow last March. (See our blog post: e-Banking Bandits Target Title and Escrow Companies.) Most, if not all, of the online bank theft stories we've covered involve a keylogger used to steal online bank credentials.

There are several ways users can get their computers infected by a malicious keylogger. They are often surreptitiously installed as part of a virus or malware attack. Inadequately protected web sites can infect visitors with a keylogger. (See our blog post from April: Visitors to Web Sites Hosted by Network Solutions Again at Risk and August: Network Solutions Once Again Serves Up Malware.) There are even physical keyloggers that can be installed on a user's workstation.

There are three specific things you need to pay attention to keep a malicious keylogger off your workstation.

Diligently keep your workstation updated with security fixes. This includes your operating system (Windows or Apple), your application programs (like Adobe reader), and your browser add-ons (like Flash).
Keep your anti-virus anti-malware up to date, Consider a modern intrusion prevention system able to counter the attacks that get by your anti-malware defenses.
Be very suspicious of emails, particularly those containing attachments. If the email is not from someone you know and is not something you expect, then treat it the same way you would treat a suspicious package you discover ticking in an airport bathroom.

Today's New York Times has an up-to-date overview of some new thinking about password security: A Strong Password Isn’t the Strongest Security.

Apple's Ping Service for iTunes Hijacked by Scammers and Spammers

2010-09-04T20:11:00.000-07:00

The good news is that iPhone 10 fixes a number of security vulnerabilities. The bad news is that Apple failed to pay enough attention to the security of its new Ping service, designed as a social network of iPhone users. Anti-malware developer Sophos is reporting that the service has been hit with a barrage of scams and spam messages in the days since the launch.

Cyberthieves Steal Nearly $1,000,000 from University of Virginia

2010-09-03T18:25:00.000-07:00

KrebsOnSecurity reports that cyberthieves stole nearly $1,000,000 from a satellite campus of The University of Virginia. Krebs writes that sources familiar with the case had told him that thieves stole the funds after compromising a computer belonging to the university’s comptroller. The attackers used a computer virus to steal the online banking credentials for the University’s accounts at BB&T Bank, and initiated a single fraudulent wire transfer in the amount of $996,000 to the Agricultural Bank of China. BB&T declined to comment for this story.

In an update published by the student newspaper, a University spokesperson said the money was stolen on August 25 but has since been recovered.

Cyberthieves Steal $600,000 From Catholic Diocese of Des Moines, Iowa

2010-08-30T19:53:00.000-07:00

KrebsOnSecurity.com reports that "cyber thieves stole more than $600,000 from the Catholic Diocese of Des Moines, Iowa earlier this month. The funds were spirited away with the help of dozens of unwitting co-conspirators hired through work-at-home job scams, at least one of whom was told the money was being distributed to victims of the Catholic Church sex abuse scandals."

According to Krebs "In a statement released last week, the diocese said the fraud occurred between Aug. 13 and Aug. 16, apparently after criminals had stolen the diocese’s online banking credentials. The Diocese it was alerted to the fraud on Aug. 17 by its financial institution, Bankers Trust of Des Moines. ... The diocese also said the FBI and U.S. Treasury Department were notified, and that the FBI had taken possession of several diocesan computers. To date, roughly $180,000 has been recovered. ... The diocese added that law enforcement had advised them that the theft seems to have been the work of a highly sophisticated operation based overseas, which moved the stolen money out of the United States by recruiting people who unknowingly act as intermediaries."

Might the Best CyberSecurity Defense Be a Good Offense?

2010-08-28T20:15:00.000-07:00

According to a story in the Washington Post, the Pentagon is developing a suite of advanced generation cyber-defense weapons that can best be described as "taking the battle to the enemy." The tools can "attack and exploit adversary information systems" and can "deceive, deny, disrupt, degrade and destroy" information and information systems, according to Defense Department budget documents.

Gen. Keith Alexander, the head of the Pentagon's new Cyber Command, told an audience in Tampa this month "We have to have offensive capabilities, to, in real time, shut down somebody trying to attack us."

Deputy Secretary of Defense William J. Lynn III has said the approach includes "reaching out" to block malicious software "before they arrive at the door" of military networks. "We need to be able to protect our networks," Lynn said in a May interview. "And we need to be able to retain our freedom of movement on the worldwide networks."

Military officials have declared that cyberspace is the fifth domain - along with land, air, sea and space - and is crucial to battlefield success.

Cyber-Bank Theft Pits Victim vs Bank. Got Insurance?

2010-08-27T21:39:00.000-07:00

KrebsOnSecurity.com reported recently that "a business telephone equipment company in Texas is trying to force its bank to settle a liability claim over an attack by organized cyber thieves last year that cost the company $50,000."

This is a common story which we continue to write about. [See many of our postings under the tag: Financial Systems Security.]

The unfortunate truth [as we wrote in an earlier blog] is that banking laws put the responsibility for cybercrime losses onto the customer. If the customer wants the bank to reimburse it for the fraud losses, it's up to the customer to prove that the bank's security procedures are not commercially reasonable [as that phrase is defined in the Uniform Commercial Code, Article 4A-202]. The result, all too often, is that the customer has little choice but to sue the bank. [See our blog post, for example .]

The good news: There's a very good chance the bank's procedures fail the test of commercial reasonableness. In an analysis of a bank whose customer lost $600,000 when cyberthieves uploaded fraudulent payroll databases, our firm found significant technical, procedural and managerial weaknesses in the banks security procedures. These weaknesses were so egregious that they left us no alternative to the conclusion that the bank's security procedures were not commercially reasonable.

The bad news: The cost of proving the bank's procedures are not commercially reasonable [so that the bank will share in the responsibility for the loss] is huge. I have no idea of the legal fees involved but I do know that fees for expert analysis do not come cheap. Consequently most organizations will not have the deep pockets to sustain a lawsuit, particularly under the cash flow pressures that will inevitably follow a large loss.

That's why Citadel continues to recommend that every organization discuss cybercrime insurance with their insurance broker. As Brian Krebs wrote in his blog KrebsOnSecurity.com "cyber theft insurance can be a reasonable and effective investment in an era when ultra-sophisticated cyber thieves increasingly are defeating the security that surrounds many commercial online banking accounts."

Military Computer Attack Confirmed. Classified Systems Breached.

2010-08-25T22:53:00.000-07:00

William J. Lynn III, U.S. Deputy Secretary of Defense, has confirmed a previously classified computer attack in which a foreign intelligence agent used a flash drive to infect computers, including those used by the Central Command in overseeing combat zones in Iraq and Afghanistan. Writing in the latest issue of the journal Foreign Affairs, Lynn describes the 2008 incident as "the most significant breach of U.S. military computers ever."

According to Lynn, "The flash drive's malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the U.S. Central Command. That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control. It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary."

According to the New York Times, Lynn's "article appeared intended partly to raise awareness of the threat to United States cybersecurity — “the frequency and sophistication of intrusions into U.S. military networks have increased exponentially,” he wrote — and partly to make the case for a larger Pentagon role in cyberdefense.... Various efforts at cyberdefense by the military have been drawn under a single organization, the U.S. Cyber Command, which began operations in late May at Fort Meade, Maryland, under a four-star general, Keith B. Alexander.... But under proposed legislation, the Department of Homeland Security would take the leading role in the defense of civilian systems."

Adobe, Apple Issue Security Updates

2010-08-25T17:40:00.000-07:00

KrebsOnSecurity reports that both Adobe and Apple have released security updates or alerts in the past 24 hours. Adobe pushed out a critical patch that fixes at least 20 vulnerabilities in its Shockwave Player, while Apple issued updates to correct 13 flaws in Mac OS X systems.

Apple’s update affects Mac OS X Server 10.5, Mac OS X 10.5.8 , Mac OS X Server 10.6 , Mac OS X 10.6.4 and is available via Software Update or from Apple Downloads.

Krebs writes "The Adobe patch applies to Shockwave Player 11.5.7.609 and earlier on Windows and Mac operating systems. Adobe recommends that users upgrade to Shockwave Player 11.5.8.612, available at this link. But before you do that, you might want to visit this link, which will tell you whether or not you need to update, and indeed whether you currently have Shockwave installed at all. If you visit it and don’t see an animation, then you don’t have Shockwave (and probably aren’t missing it either)."

Was Malware Responsible for Crash of Spanair Flight 5022?

2010-08-20T21:06:00.000-07:00

The Registry reports that malware may have been a contributory cause of the crash of Spanair flight JK 5022 crashed in August 2008. The flight crashed moments after taking off from Madrid's Barajas Airport on a scheduled flight to Las Palmas with 172 on board.

According to the Registry, the airline's central computer which registered technical problems on planes was infected by Trojans at the time of the fatal crash and this may have resulted in a failure to raise an alarm over multiple problems with the plane.

Adobe Issues Acrobat, Reader Security Patches

2010-08-19T17:47:00.000-07:00

KrebsOnSecurity.com reports Adobe Systems Inc. today issued software updates to fix at least two security vulnerabilities in its widely-used Acrobat and PDF Reader products. Acrobat and Reader users can update to the latest version, v. 9.3.4, using the built-in updater, by clicking “Help” and then “Check for Updates.”

Krebs writes that "today’s update is an out-of-cycle release for Adobe, which recently moved to a quarterly patch release schedule. ... More information on these patches, such as updating older versions of Acrobat and Reader, is available in the Adobe security advisory."

Apple Patches Fix Security Vulnerabilities

2010-08-18T20:51:00.000-07:00

KrebsOnSecurity reports Apple has released a series of patches to correct security vulnerabilities in several of its products:

QuickTime 7.6.7, for Windows 7, Vista and XP
iTunes 9.2.1, for Mac OS X 10.4.11 or later, and Windows 7, Vista and X
iOS 3.2.2 Update for iPad, iOS 3.2 and 3.21 for iPad [Addresses the flaw that allowed jailbreaking on 3.21 iPads, iPhones and iTouches.]
iOS 4.0.2 Update for iPhone and iPod touch (2nd generation or later) [Addresses the flaw that allowed jailbreaking on these devices
Safari 5.0.1, Update for Mac OS X 10.5.8, 10.6.2 or later, and Windows 7, Vista and XP
Safari 4, on Mac OS X 10.4.11, OS X Server 10.4.11, et al

Network Solutions Once Again Serves Up Malware

2010-08-16T22:00:00.000-07:00

KrebsOnSecurity is reporting that hundreds of thousands of Web sites parked at NetworkSolutions.com have been serving up malicious software thanks to a tainted widget embedded in their pages. The problem has been traced to the “Small Business Success Index” widget, an application that Network Solutions makes available to site owners through its GrowSmartBusiness.com blog. Network Solutions has a history of weak security controls that put visitors to its customers web sites at risk of malware infection. See, e.g., our April 19 blog pos t.

The report is a reminder to employ defense-in-depth on business and home computer systems, including

Keep operating system and all applications patched and up-to-date
Keep anti-malware software up-to-date with current data files
Consider switching from less-effective anti-malware solutions to more powerful intrusion detection and prevention systems
Run Firefox instead of Internet Explorer; Run Firefox with the No-Script add-on if you're technical

While nothing you do will make you 100% secure, there's a lot you can do to minimize the risk of attack.

Certificate Authorities: A Weak Link in eCommerce and eBanking?

2010-08-13T20:00:00.000-07:00

Suppose you call up your banker and ask him to send someone over to pick up a cash deposit. An hour later, a woman who identifies herself as having been sent from the bank arrives at your office. You ask for her credentials and she shows you an ID Card that says she works at the bank. Do you give her the deposit?

Suppose, instead of calling your banker, you go online to your bank. The web page in your browser; it's like Sally. She [the web page] says she's from the bank .. you can even see her "ID card;" the "https:" in the browser window and the "closed lock" in the browser. That lock is something we've learned to trust from the earliest days of the web.

Now comes a story in the New York Times that, perhaps, it's time to adjust our thinking. According to the Times, "those sites which are typically identified by a closed lock displayed somewhere in the Web browser, rely on a third-party organization to issue a certificate that guarantees to a user’s Web browser that the sites are authentic. But as the number of such third-party “certificate authorities” has proliferated into hundreds spread across the world, it has become increasingly difficult to trust that those who issue the certificates are not misusing them to eavesdrop on the activities of Internet users, the security experts say."

The article quotes Peter Eckersley, a senior staff technologist at the Electronic Frontier Foundation, an online civil liberties group, as saying “It is becoming one of the weaker links that we have to worry about.”
According to the Electronic Frontier Foundation, more than 650 organizations can issue certificates that will be accepted by Microsoft’s Internet Explorer and Mozilla’s Firefox, the two most popular Web browsers. Some of these organizations are in countries like Russia and China, which are suspected of engaging in widespread surveillance of their citizens.

The Times reports that Eckersley identified Etisalat, a wireless carrier in the United Arab Emirates, as the weakest link in the "trust chain."

Stephen Schultze, associate director of the Center for Information Technology Policy at Princeton University. is quoted as saying “I think it is a really big deal,” but “is not a reason to panic and stop doing online banking or e-commerce. But it is a bad enough problem that it should be receiving a lot more attention and we should be trying to fix it.”

Another Survey Tells Same Sad Story of Growing Internet Dangers

2010-08-10T22:48:00.000-07:00

McAfee released a report today showing that incidents of malware (malicious software) reached its highest levels ever in the first half of 2010. The company identified 6 million malicious files in the second quarter, making for a total of 10 million malicious files over the first six months of the year. Among the most common attack vectors were attacks targeted to social media users. Password stealing Trojan horses — commonly used used in online bank thefts — were among the most common payloads.

The report reconfirms everything we've been saying since we began our blog 18 months agoThere has been a sea change in cybercrime. Threats are more sophisticated than ever, weaknesses and vulnerabilities abound. Defenses have not kept pace.

The report is a reminder to every organization to take a critical look at its defenses — everything from policies and employee awareness training to modern intrusion prevention systems. It needs to make sure it's employing a cost-effective defense-in-depth strategy covering all three critical information security management domains:

Corporate security management
Security management of the IT infrastructure
Point-in-Time security of the IT infrastructure

It's also a time to talk to your attorney and your insurance broker. Your attorney can make sure you're aware of your legal responsibilities and can provide counsel on sharing sensitive information with 3rd parties. Your insurance broker can help you mitigate some of your security risk through cyber-insurance policies.

Thanks to Terry Corbell for alerting us to this story.

Critical Updates for Windows, Flash Player

2010-08-10T18:00:00.000-07:00

KrebsOnSecurity.com reports Microsoft issued a record number of software updates today, releasing 14 update bundles to plug at least 34 security holes in its Windows operating system, Microsoft Office and other software. More than a third of flaws earned a “critical” severity rating, Microsoft’s most serious.

Krebs also reports Adobe released a patch for its ubiquitous Flash Player that fixes at least six flaws in Flash. The newest version brings Flash to v. 10.1.82.76. If you’d like to know what version of Flash you are currently using, browse to this link.

Security Flaw Allows Users to Jailbreak their iPhones

2010-08-08T19:12:00.000-07:00

When is a security flaw not a security flaw? There are a lot of happy iPhone people this week who have been able to "jailbreak" their iPhones thanks to a security flaw in Apple's iOS4 [through version 4.0.1]. While many iPhone users — myself included — are content to run our iPhones the way Steve Jobs intended, many users are known to chafe at the limits that Jobs [and AT&T] have built into the iPhone. Hence the demand for products that allow these disgruntled users to break their iPhone out of the jail to which they have been sentenced by Jobs and [AT&T].

The Apple flaw manifests in PDF readers, like those of Adobe and Foxit. And while no one knows of any security exploits targeting this vulnerability, as security experts, these kinds of holes are the scary stuff that keeps us up at night.

As Brian Krebs writes in KrebsOnSecurity.com : "I’m left wondering what to call these sorts of vulnerabilities that quite obviously give users the freedom that jailbreaking their device(s) allows (the ability to run applications that are not approved and vetted by Apple) but that necessarily direct the attention of attackers to very potent vulnerabilities that can be used to target jailbreakers and regular users alike."

Perhaps we ought to view these jailbreakers the same way we view the proverbial canaries in the mine: as early-warning systems designed to alert the rest of us to vulnerabilities needing to be corrected. If the jailbreakers can find vulnerabilities before the cybercriminals have found and exploited them, then the community benefits from their efforts.

Emergency Windows Patch Due Monday

2010-07-30T21:12:00.000-07:00

Computerworld reports that Microsoft has said it will issue an emergency patch for the critical Windows shortcut bug on Monday, Aug. 2.... The company said that it is satisfied with the quality of the "out-of-band" update -- Microsoft's term for a patch that falls outside the usual monthly delivery schedule -- but also acknowledged that it has tracked an upswing in attacks.

As this is an extremely serious bug, users need to make sure that this patch gets installed on their PC.

Fake Firefox Flash Update is Rogue

2010-07-29T13:02:00.000-07:00

PC Magazine is reporting that F-Secure has uncovered the latest in rogue anti-malware: A fake Firefox "Just Updated" page which pushes you to install an update to Flash. Don't fall victim to rogue software. Make sure that you control what get's installed on your computer.

Digital Forensics Association Research Report: Five Years of Data Breaches

2010-07-25T22:15:00.000-07:00

A new report from the Digital Forensics Association confirms the need for organizations to pay careful attention to all aspects of information security.The report "The Leaking Vault - Five Years of Data Breaches" analyzes over 2,800 data loss incidents from publicly accessible sources, with a known disclosure of 271.9 million records. This study—the largest of its kind to date—provides analysis on which breach vectors carry the most risk, and should help provide organizations with more accurate information when combating this problem.

Key findings include:

Business, government, educational and medical organizations have been responsible for losing on average over 395,000 people's data per day every day for five years.
Hacking was responsible for 45% of all exposed records with an average loss of 716,000 records
Stolen laptops were responsible for 49% of breaches but only 6% of lost records per incident.
The fastest growing attack vector is social engineering
Social Security Numbers (SSNs) are the most frequent data element reported.
The Business sector accounted for 70% of breach incidents

Spyware Targets Industrial Facilities, including SCADA systems

2010-07-23T21:01:00.000-07:00

Following up our blog post of last week in which we described new malware attacks on industrial control systems, the Christian Science Monitor writes "cyberspies have launched the first publicly known global attack aimed at infiltrating hard-to-penetrate computer control systems used to manage factory robots, refineries, and the electric power grid."

According to the Monitor, "the spyware had spread for at least a month undetected and has already penetrated thousands of industrial computer systems in Iran, Indonesia, India, Ecuador, the United States, Pakistan, and Taiwan, according to a Microsoft analysis. ... The attack is part of a sophisticated new wave of industrial cyberespionage that can infiltrate corporate systems undetected and capture the "crown jewels" of corporations – proprietary manufacturing techniques that are worth billions, experts say. It's significant, too, because of its potential to infiltrate and commandeer important infrastructure, such as the power grid."

The Monitor goes on to write "No one knows who's behind it. Cybersecurity analysts aren't even sure yet what the spyware's creators intend it to do to those industrial systems. The intent could be to sell corporate proprietary secrets – or to seek an advantage over the US in some future assymetric conflict, such as a cyberwar."

CyberSecurity Threat Indicator Raised as Critical Windows Zero-Day Vulnerability Discovered

2010-07-19T20:26:00.000-07:00

Computerworld and other sources are reporting a newly-discovered critical bug in all versions of Windows. The bug is so critical that the Internet Storm Center (ISC) has pushed its Infocon threat indicator to "Yellow," a rare move, while Symantec also bumped up the status of its ThreatCon barometer to "Elevated." Users are being warned to expect widespread attacks.

"The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch," said Lenny Zeltser, an ISC security analyst.

Last Friday, Microsoft confirmed that attackers can use a malicious shortcut file, identified by the ".lnk" extension, to automatically execute their malware by getting users to view the contents of a folder containing such a shortcut. Malware can also automatically execute on many systems when a USB drive is plugged into the PC.

All versions of Windows, including the just-released beta of Windows 7 Service Pack 1 (SP1), as well as the recently retired Windows XP SP2 and Windows 2000, contain the bug.

In a related post, we reported that Sieman is warning customers about attacks on its industrial control software that exploit this bug.

New Malware Targets Industrial Control Systems, like SCADA

2010-07-16T22:16:00.000-07:00

PCWorld reports that Siemens is warning customers of new and highly sophisticated malware targeting the computers used to manage large-scale industrial control systems used by manufacturing and utility companies [SCADA]. The malicious software is designed to infiltrate the systems used to run factories and parts of the critical infrastructure. The zero-day malware targets Siemens management software called Simatic WinCC, using a previously undisclosed Windows bug to break into the system.

Microsoft Security Updates ... Support Ends for XP, Service Pack 2

2010-07-13T19:05:00.000-07:00

KrebsOn Security.com reports "Microsoft today released software updates to fix at least five security vulnerabilities in computers running its Windows operating system and Office applications.... Four out of five of the flaws fixed in today’s patch batch earned a “critical” rating, Redmond’s most severe. Chief among them is a bug in the Help and Support Center on Windows XP and Server 2003 systems that’s currently being exploited by crooks to break into vulnerable machines."

In related Microsoft security news, today also marks the planned end-of-life deadline for Windows XP Service Pack 2, a bundle of security updates and features that Microsoft first released in 2004.Microsoft will no longer support this product, so if you haven't already done so, it's time to upgrade to at least SP3.

Microsoft Warns of Uptick in Attacks on Unpatched Windows Flaw

2010-07-05T18:52:00.000-07:00

KrebsOnSecurity reports "Microsoft is warning that hackers have ramped up attacks against an unpatched, critical security hole in computers powered by Windows XP and Server 2003 operating systems. The software giant says it is working on an official patch to fix the flaw, but in the meantime it is urging users to apply an interim workaround to disable the vulnerable component." Microsoft issued a statement last week saying the pace of attacks against Windows users had picked up, and that more than 10,000 distinct computers have reported seeing this attack at least one time.

The following graphic from Krebs' blog shows both the daily number of attacks and the cumulative distinct PCs being attacked. As can be seen, peak attacks occurred during the six days from June 22 until June 27.

IT Departments running Windows XP or Server 2003 need to consider running Microsoft’s stopgap “FixIt” tool to disable the vulnerable Help Center component. Users running Windows XP should consider doing this as well. To do so, click this link, then click the “FixIt” button in the middle of the page under the “enable this fix” heading.

New CyberSecurity Study says "Most senior execs unaware of impact from cyberattacks." ISSA-LA Committed to Doing Something About It.

2010-06-29T21:14:00.000-07:00

According to an article in USA Today, a new Ponemon Institute poll of 591 technology managers shows that 83% indicated their organization has been a recent target of advanced threats while 81% felt that senior execs lacked awareness of the seriousness of advanced threats. Our experience confirms the validity of these statistics. The cybercrime problem is only going to get worse as more and more small and medium size businesses fall victim to online bank fraud.

The biggest challenge we see is helping the men and women who have to dedicate resources (people or money) understand (1) why they need to improve the security of their information systems, (2) the basic steps involved in improving systems security, and (3) the ancillary competitive benefits they can get from improved information systems security management.

It's to meet this challenge that we in the Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) have embarked on an aggressive Community Outreach Program. Our objective is nothing less than to raise information security awareness throughout the Los Angeles community. This is the most important thing we can do to help our community protect itself from the scourge of cybercrime. Having successfully concluded our 2nd Annual Information Security Summit we know the time is right to bring the community together around this problem and we are dedicated to doing so.

Security Updates for Adobe Acrobat, Reader

2010-06-29T18:29:00.000-07:00

KrebsOnSecurity.com reports "Adobe Systems Inc. is urging users to update installations of Adobe Reader and Acrobat to fix a critical flaw that attackers have been exploiting to break into vulnerable systems. ... The update brings Adobe Acrobat and Reader to version 9.3.3 (another update for the older 8.2 line of both products brings the latest version to v. 8.2.3). Patches are available for Windows, Mac, Linux and Solaris versions of these programs. Adobe’s advisory for this update is here, and the Reader update is available from this link — or by opening the program and clicking “Help” and “Check for Updates.” If you download the update from the Adobe Reader homepage, you’ll end up with a bunch of other stuff you probably don’t want."

Users discouraged by the ongoing discovery of critical vulnerabilities in Acrobat Reader may want to consider switching to other free PDF readers may be less of a target for malicious hackers. Examples of other free PDF readers include Foxit Reader, Nitro PDF Reader, and Sumatra.

White House Unveils National Strategy for Online Identity

2010-06-28T21:58:00.000-07:00

darkReading reports that "the White House has outlined a national strategy for trusted digital identities that could ultimately eliminate the username-and-password model and lay the groundwork for a nationwide federated identity infrastructure. ...Howard Schmidt, cybersecurity coordinator and special assistant to the president, unveiled the administration's strategy for what he called an identity "ecosystem" for users and organizations to conduct online transactions securely and privately such that identities of all parties are trusted.

"For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to login into various online services. Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc) from a variety of service providers -- both public and private -- to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.)," Schmidt blogged late last week."

Computing Now's Gary McGraw interviews Richard Clarke

2010-06-23T22:55:00.000-07:00

From Computing Now's Website: Gary McGraw talks with Richard A. Clarke. Clarke is an internationally-recognized expert on security, including homeland security, national security, cyber security, and counterterrorism. Gary and Richard discuss what needs to change in order for the United States to focus more attention on defense against cyber war (as opposed to offense). They also discuss the importance of software security in preventing cyber crime and cyber war, network scanning as a part of Dick’s "Defensive Triad," and balancing cybersecurity against individual liberty.

Watch Cary McGraw's interview with Richard Clarke.

Thanks to John Cosgrove for this story.

Security Updates for Firefox, Opera Browsers

2010-06-23T18:20:00.000-07:00

KrebsOnSecurity reports "Mozilla has shipped a new version of Firefox that corrects a number of vulnerabilities in the browser. ... Firefox version 3.6.4 addresses seven security holes ranging from lesser bugs to critical flaws. Mozilla says this latest version of Firefox also does a better job of handling plugin crashes, so that if a plugin causes problems when the user browses a site, Firefox will simply let the plugin crash instead of tying up the entire browser process. Firefox should auto-update (usually on your next restart of the browser), but you can force an update check by clicking “Help,” and then “Check for Updates” (when I did this, I noticed that in its place was the “Apply Downloaded Update Now,” option, indicating that Firefox had already fetched this upgrade.)"

According to Krebs, "Mozilla also shipped, 3.5.10, an update that fixes at least nine security vulnerabilities in its 3.5.x line of Firefox. The software maker will only continue to support this version of Firefox for another couple of months, so if you’re on the 3.5.x line, you might consider upgrading soon."

Krebs reports that a new version of Opera is also available that fixes at least five security flaws in the software. Opera’s update brings the browser to version 10.54. Opera is urging users to upgrade to the latest version, available here.

Security Risk: Time to Move Off Windows XP SP2

2010-06-22T21:57:00.000-07:00

Microsoft will stop supporting users of Windows XP SP2 as of July 13, 2010. This means that the company will no longer provide security patches for SP2. All Windows users should immediately upgrade to SP3 or Windows 7. According to a Computerworld article, Windows XP SP2 is still in use in more than 75% of organizations with 36% of the PCs in every organization run SP2.

California Court Knowingly Exposes Confidential Data for 10 Days

2010-06-16T20:08:00.000-07:00

The ABA Journal reports that a court in California's Sacramento County made 443 confidential documents available on a public kiosk. The problem wasn't fixed until June 4 even though a probate lawyer had brought the problem to the attention of the court on May 24. According to Presiding Judge Steve White, court technology employees didn’t act immediately because of another apparently more pressing computer problem.

Read the story here.

Free WiFi at Starbucks — Reminder of Cybersecurity Risk

2010-06-14T19:27:00.000-07:00

The New York Times reports that Starbuck's will begin offering free WiFi on July 1. This makes it a good time to remind everyone about the need to be cautious when using public Wi-Fi. While the most common risk is eavesdropping, one cannot overlook the risk of computer compromise. Here are five basic rules anytime you're on a WiFi network whose security cannot be verified:

No online banking or other eCommerce
No email containing sensitive information except via an approved encrypted link from PC to Mail Server
Keep anti-virus or host intrusion prevention software (better) up-to-date
Make sure software patches are up-to-date
Use VPN for access to office

"CyberWar: Sabotaging the System" on CBS 60 Minutes

2010-06-13T22:11:00.000-07:00

From 60 Minutes: Could foreign hackers get into the computer systems that run crucial elements of the world's infrastructure, such as the power grids, water works or even a nation's military arsenal, to create havoc? They already have. Steve Kroft reports.

Watch the 60 Minutes report.

e-Banking Bandits Target Title and Escrow Companies

2010-06-10T21:02:00.000-07:00

KrebsOnSecurity.com reports that in March, computer criminals broke into the network of Redondo Beach, California based Village View Escrow Inc. and sent 26 consecutive wire transfers to 20 individuals around the world who had no legitimate business with the firm.The escrow firm has been the victim of on-line bank theft. Cybercriminals hijacked the firm's online bank account and stole $465,000.

In discussions we've had with law enforcement and bank security personnel, we find that this is a cybercrime trend. Cybercriminals seem to have discovered that title and escrow companies are regular users of the ACH system while their security controls are too often easily bypassed by the advanced hacker tools now in use.

We continue to recommend extreme caution in online banking, including

When possible, have separate computer(s) used exclusively for online banking
Utilize 'out-of-band' confirmation for all online bank transactions
Keep systems patched and all anti-malware software up-to-date
Diligently check bank accounts daily
Limit use of social networking sites
Be on guard for phishing and other social networking attacks

Adobe Flash Update Plugs 32 Security Holes

2010-06-10T18:16:00.000-07:00

KrebsOnSecurity reports Adobe has released a new version of its Flash Player software to fix a critical security flaw that hackers have been exploiting to break into vulnerable systems. The update also corrects at least 31 other security vulnerabilities in the widely used media player software.

According to Krebs "The latest version, v. 10.1, fixes a number of critical flaws in Adobe Flash Player version 10.0.45.2 and earlier. Don’t know what version of Flash you’ve got installed? Visit this page to find out. The new Flash version is available for Windows, Mac and Linux operating systems, and can be downloaded from this link."

Krebs continues "If you use both Internet Explorer and non-IE browsers, you’re going to need to apply this update twice, once by visiting the Flash Player installation page with IE and then again with Firefox, Opera, or whatever other browser you use. "

Microsoft, Apple Ship Big Security Updates

2010-06-08T18:11:00.000-07:00

KrebsOnSecurity.com reports Microsoft today released 10 security updates to fix at least 34 security vulnerabilities in its Windows operating system and software designed to run on top of it.This is the largest patch push so far this year from Microsoft.

Users are reminded to turn "on" Microsoft's "AutoUpdate" to download and install patches when they become available.

Krebs reports in the same post that Apple’s Safari 5.0 update fixes at least four-dozen security vulnerabilities in Safari on Mac OS X and Windows versions. Updates are available for Mac OS X v 10.4.11, Mac OS X v10.5.8, Mac OS X v10.6.2 or later, Windows 7, Vista, and XP. Mac users can grab the update from Software Update or Apple Downloads; Safari users on Windows will need to update using the bundled Apple Software Update utility.

Adobe Warns of Critical Zero-Day Flaw in Flash, Acrobat & Reader

2010-06-05T20:04:00.000-07:00

KrebsOnSecurity.com reports Adobe Systems Inc. warned late Friday that malicious hackers are exploiting a previously unknown security hole present in current versions of its Adobe Reader, Acrobat and Flash Player software. ... “There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player and Adobe Reader and Acrobat,” the company said in a brief blog post published Friday evening. “This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system.” ... Krebs writes "Adobe said the vulnerability exists in Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and a component (authplay.dll) of Adobe Reader and Acrobat versions 9.x for Windows, Mac and UNIX operating systems."

Like all Zero-Day exploits, these have a higher than acceptable likelihood of getting past anti-malware products. That's why we recommend that management seriously consider using advanced intrusion prevention solutions capable of blocking zero-day attacks.

IBM Distributes Malware-Infected USBs at Conference

2010-05-21T18:41:00.000-07:00

Last August we blogged that an IBM study concluded: Trust No One. Well, I guess that even includes IBM. Several sources including SC Magazine are reporting that USB drives given out by IBM at the Australian Computer Emergency Response Team (AusCERT) 2010 conference were infected with malware.

Thanks to David Nardoni for this post.

US regulators form plans to encourage banks to better protect customers from online fraud

2010-05-19T21:45:00.000-07:00

SC Magazine is reporting that "a panel with representatives from the FDIC, the Federal Reserve System and other agencies is reacting to the rapid evolution of malicious computer programs designed to drain accounts. Among its plans is to require financial institutions to contact customers through means beside the internet, following European banks actions in placing calls to clients' mobile phones to ensure that they intend to transfer money."

Read the entire story at SC Magazine.

Thanks to Richard Greenberg for this story.

Are Cars Next for Cybercriminals?

2010-05-13T20:17:00.000-07:00

The New York Times reports that in a "paper, which will be presented at a computer security conference next week in Oakland, Calif., computer security specialists at the University of Washington and the University of California, San Diego, report that while modern cars have extensive safety engineering in the design of their computer control systems, little thought has been given to the potential threat of hackers who may want to take over the networks that increasingly control modern cars. ...The researchers asked what could happen if a hacker could gain access to the network of a car, said Tadayoshi Kohno, a University of Washington computer scientist. He said the research teams were able to demonstrate their ability to circumvent a wide variety of systems critical to the safety of drivers and passengers. ...They also demonstrated what they described as “composite attacks” that showed their ability to insert malicious software and then erase any evidence of tampering after a crash. ... The researchers were able to activate dozens of functions and almost all of them while the car was in motion."

Read the NY Times story.

Defense Department Creates New Cyber Command Led by Lt. General Keith Alexander

2010-05-11T20:15:00.000-07:00

The Washington Post reports that Lt. General Keith B. Alexander, director of the National Security Agency, has been confirmed to head the new Cyber Command. The new command will have both an offensive and defensive capability, including both the ability to block incoming attacks and of launching attacks against enemy computer networks.

The New York Times reported last month that the Defense Department created Cyber Command in response to hundreds of thousands of attacks every day against the computer networks essential to the Pentagon and military by individual hackers, criminal groups and nations.

NSA Reviews Future Cybersecurity Techniques, Technologies and Challenges

2010-04-30T20:30:00.000-07:00

Brian Krebs reports on a 605 page National Security Association study from 2004. According to Krebs, the document "reads like a listing of the pros and cons for a huge array of defensive and counterintelligence approaches and technologies that an entity might adopt in defending its networks."

Read more and get the full report at KrebsOnSecurity.com ...

Facebook's Social Web: Protecting Your Privacy

2010-04-29T21:23:00.000-07:00

Facebook's introduction of Open Graph represents a new challenge for consumers. By default, you're now opted in to the company's new social sharing services which stretch way beyond the confines of Facebook.com.If this concerns you -- and it should -- here are some links with advice on setting your privacy settings.

Watch a CNET Tech Minute: Take back your privacy from Facebook ...

Read PC World's advice on protecting your privacy on Facebook ...

Read the NY Times guide on opting out of Facebook's instant personalization ...

Rapport: A Potential Tool for Lowering Risk of Online Bank Theft

2010-04-29T21:07:00.000-07:00

Several banks are asking their online bank customers to use a security tool called Rapport. The tool, part of which installs on user workstations is designed to block online bank theft attacks from ZeuS and other malicious software. Brian Krebs interviews Mickey Boodaei, CEO of Tusteer, the company making Rapport.

Read Brian's interview at KrebsOnSecurity.com ...

Congressman Asks FTC to Investigate Privacy Risks of Copy Machines

2010-04-29T20:07:00.000-07:00

You may not know it but copy machines have computer memories, which means they may store tons of private or otherwise sensitive information. That's why Massachusetts Congressman Edward Markey has asked the Federal Trade Commission to investigate the risk to consumers posed by businesses that don't take steps to erase the memory of their copy machines. Expect a new set of regulations requiring businesses disposing of a copy machine to securely erase its hard drive, just like they are supposed to do for their PCs.

Read the story at the Washington Post ...

Watch the CBS News Report that broke the story: Copy Machines, a Security Risk?

Infamous Spam-Sending "Storm Worm" Stages a Comeback

2010-04-28T20:46:00.000-07:00

Brian Krebs reports that the Storm Worm has once again surfaced. 18 months ago Storm Worm was responsible for approximately 20% of all spam. According to Krebs, "It remains unclear whether this Storm 2.0 strain will be as successful and prolific as its predecessor. But according to a blog post by security firm CA, the curators of the new Storm worm are very actively using the collection of PCs infected with this malware to once again relay junk e-mail advertising male enhancement pills and adult Web sites."

Read the story at KrebsOnSecurity.com ...

Report Shows Weaknesses in Anti-Virus Engines

2010-04-27T21:49:00.000-07:00

Brian Krebs reports on a research report just released by Google on the increasing difficulty defenses have in countering cybercriminals spreading fake anti-virus programs, commonly known as scareware. Using data provided by Google, purveyors of scareware programs have aggressively stepped up their effort to evade detection by legitimate anti-virus programs, both anti-virus software and Google's own detection efforts.

According to Google's Niels Provos, "We found that if you have anti-virus protection installed on your computer but the [malware detection] signatures for it are out-of-date by just a couple of days, this can drastically reduce the detection rates. It turns out that the closer you get to now, the commercial anti-virus programs were doing a much worse job at detecting pages that were hosting fake anti-virus payloads."

As to the danger, Krebs writes: "Fake anti-virus attacks use misleading pop-ups and videos to scare users into thinking their computers are infected and offer a free download to scan for malware. The bogus scanning programs then claim to find oodles of infected files, and victims who fall for the ruse often are compelled to register the fake anti-virus software for a fee in order to make the incessant malware warnings disappear. Worse still, fake anti-virus programs frequently are bundled with other malware. What’s more, victims end up handing their credit or debit card information over to the people most likely to defraud them."

Read the story and link to the Google report at KrebsOnSecurity.com ...

For what to do if you become a scareware victim, read Brian Krebs tutorial here ...

Money Mules: The Final Link in Getting Your Money to the Cyberthief Who Stole It

2010-04-26T22:23:00.000-07:00

One of the ways a cybercriminal steals money from a business is to transfer the money in amounts less than $10,000 to the bank accounts of money mules. These money mules then withdraw the money, keep a percentage for themselves and send the rest to the cybercriminal via a money order or other non-bank method. Brian Krebs provides a fascinating glimpse into how money mules are recruited.

Read the story at KrebsOnSecurity.com ...

Cybercriminals Learn to Hide Their Malware From Search Engines

2010-04-23T22:37:00.000-07:00

By now you may have seen security alerts on web-listings returned in a Google or Yahoo search. It's one of the ways that search engines alert their users that the web site contains malicious software. Now Brian Krebs reports that cybercriminals have learned how to 'stealth' their malware so it becomes invisible to the search engines.

Read the whole story at KrebsOnSecurity.com ...

Analysis of 43 Online Bank Thefts Illustrates Diversity of Victims

2010-04-23T22:05:00.000-07:00

Brian Krebs reports on an analysis of 43 on-line bank thefts showing that the preponderance of reported thefts is from the East Coast and Midwest. As these 43 online bank thefts represent a small fraction of the total, it's impossible to make any generalizations from the data. Nevertheless, the data does show how varied the victims are. The only two things that victims have in common may be (1) that they were vulnerable and (2) they got caught up in the 'net' of some cybercriminal, no different from a tuna getting caught up in the net of a tuna boat.

Read the story at KrebsOnSecurity.com ...

White House Moves to Focus Cybersecurity Strategy on Protection, Not Auditing

2010-04-22T21:25:00.000-07:00

In a sign that the traditional information security audit was failing to control increasing cyber-risk, the Office of Management and Budget has ordered federal agencies to adopt a real-time approach to cyber threats. In a memo issued Wednesday, Agencies will be expected to constantly collect information on cyber threats and submit it to the Homeland Security Department, which will analyze the data and offer advice on best practices.

"Agencies have spent too much time, money and energy on generating paperwork that they end up filing away in these secure cabinets and they don't end up protecting systems," said Vivek Kundra, the government's chief information officer, in an interview published in Federal Times.

Kundra and Howard Schmidt, White House Cybersecurity Coordinator, said that the new policy points toward continuous monitoring and patching of federal systems, and also toward the deployment of cybersecurity systems that better position the government against constantly evolving threats.

Read the entire story and download the OMB Memo at Information Week ...

Symantec 2009 Global Internet Security Threat Report

2010-04-22T20:55:00.000-07:00

Symantec has published their 2009 Global Internet Security Threat Report. According to the report, the top web-based attacks in 2009 were on Internet Explorer and Adobe Acrobat/Reader. The report notes the growth in PDF attacks, from 11% of web-based attacks in 2008 to 49% in 2009. The report covers topics like threat activities, vulnerability trends, phishing and the underground economy.

Download the Executive Summary from Symantec ...

Download the entire Report ...

Fire Alarm Company Burned by e-Banking Fraud

2010-04-22T20:54:00.000-07:00

KrebsOnSecurity.com reports that a fire alarm company in Arkansas lost more than $110,000 when cybercriminals stole the firm's online bank credentials and drained its payroll account. The bank has told the company that the bank would not accept responsibility for the loss.

Read the story at KrebsOnSecurity.com ...

Cybercriminals Take Advantage of McAfee Snafu

2010-04-22T20:16:00.000-07:00

Brian Krebs reports about McAfee's bad update (see yesterday's blog post: McAfee Anti-Virus Software Locks up PCs) that searching for information about the update returns pages of results that when visited launch the come-ons that try to frighten visitors into purchasing bogus (if not also malicious) anti-virus products. The pages are also capable of being booby-trapped so that unsuspecting users will download and install malicious software on their PCs. Internet Explorer users are most at risk of booby-traps, as the booby-trapped pages simply would not load if users follow our recommendation to use Firefox with the noscript add-on enabled.

Read more at KrebsOnSecurity.com ...

Social Engineering Case Study: Google Hackers Duped Their Victims

2010-04-21T21:47:00.000-07:00

So how did Google and 30 other large companies get hacked? (See our blog post: Google Attacks Highlight Growing Problem of Cyber Security Threats.) Part of the answer is that the attackers duped everyone from system administrators with access to passwords to executives with access to intellectual property and other information, according to a report in the Washington Post. Social engineering attacks, where the cybercriminals take advantage of gullibility and other human weaknesses to gain illegitimate access to sensitive information, have becoming an increasingly common component of cybercriminal attack.

Read the entire story at the Washington Post ...

McAfee Antivirus Software Locks Up PCs

2010-04-21T21:36:00.000-07:00

Several news sources report that McAfee's anti-virus software is erroneously detecting legitimate Windows system files as malicious, causing reboot loops and serious stability problems for many Windows XP users, according to multiple reports.I've talked to several clients who have experienced the same problem. One Citadel client had to rebuild over 100 affected computers, a complete waste of time for IT staff.

Read the whole story at KrebsOnSecurity.com ...

Health Care Survey: Slow Hospital Compliance with New Regulations Causing Increased Data Breaches & Medical Identity Theft

2010-04-20T22:22:00.000-07:00

From the Spring 2010 National Survey of Hospital Compliance Executives conducted by Identity Forces:

Compliance continues to lag as nearly 85% of hospitals are NOT in compliance with the HITECH Act
Breaches are up over 120% from last year's survey
41% of hospitals now have 10 or MORE data breaches annually
Potential patient ID fraud and misuse going un‐investigated as 34% of hospitals keep inadequate records
48% of hospitals do not check to make sure vendors and business associates are in compliance with the HITECH act.

As medical consumers, should we be worried. You betcha!

Download the report (PDF).

Thanks to Hal Amens for this story.

China-Google Controversy Illustrates Cloud Security Risk

2010-04-20T21:01:00.000-07:00

Terry Corbell, The Biz Coach, explores the security implications of the China-Google controversy. Terry was kind enough to quote me about particular Cloud security challenges. Here's what I told Terry:

“As the story makes clear, businesses considering cloud services like those offered by Google, Amazon and others must ‘look before they leap’,” warns Internet security expert Stan Stahl, Ph.D., Citadel Information Group, Inc. “While it’s probably obvious to look at the security provided by the cloud provider, less obvious is that the business needs to also look at that part of security that will still be its responsibility, the part of security that the cloud service provider isn’t providing,” says Dr. Stahl, as the go-to security authority. “Security can never be a matter of looking at ‘this’ or ‘that.’ Security must always be about looking at ‘this’ and ‘that’,” he adds.

Read Terry's blog ...

Rent-a-Fraudster: A Fascinating Look at the Cybercrime Underworld

2010-04-20T20:21:00.000-07:00

KrebsOnSecurity.com reports that a call service catering to online bank and identity thieves has been busted by U.S. and international authorities. The takedown provides a fascinating look at a special niche of service providers in the cybercrime underworld. Suppose, for example, you're a cybercriminal with a thick Russian accent, you have all the appropriate information about David Smith that his bank requires to transfer money, and you want to move $250,000 from David Smith's bank account but Smith's bank requires an out-of-band phone call with the bank before they'll release the money. To get your $250,000, you rent an English-speaking fraudster who calls the bank for you! Another rent-a-fraud service provides a password-protected Web site catering to customers with stolen credit cards. Yet a third Web site, appropriately named the "Fraud Shop," manages cybercriminal transactions at legitimate Web sites, even arranging for shipping stolen merchandise to mules.

Read the story at KrebsOnSecurity.com ...

GAO report says IRS Blase' about Cybersecurity

2010-04-20T14:51:00.000-07:00

There's so much anger at the government that I'm almost embarrassed to post this, but it's an important illustration of just how bloody hard it is to effectively manage information systems security ... and why leadership is so very important. And why, perhaps, some of the anger is well-deserved. The GAO reports that sixty-nine percent of 89 security weaknesses and deficiencies identified by the GAO during a 2008 fiscal year audit remain unresolved and depicts the IRS' attitude toward security as rather blasé.

Read the story at Information Week ...

Mozilla Disables Insecure Java Plugin in Firefox

2010-04-20T12:22:00.000-07:00

KrebsOnSecurity.com: Brian Krebs reports that Mozilla has disabled vulnerable versions of the Java Development Toolkit for Firefox that cybercriminals have been using to install malicious software on users desktops. Mozilla is taking this action to protect Firefox users from the vulnerabilities in older versions in Java that we reported in our April 15th blog post: Java Patch Targets Latest Attacks. To make sure Java is disabled from Firefox, go to Tools, Add-ons and click the Plugins icon. If any Java Plugins are listed, select the Toolkit and hit the “Disable” button.

Read more at KrebsOnSecurity.com ...

A Security Flaw in Palm Pre Demonstrates Need for Caution

2010-04-19T20:30:00.000-07:00

Intrepidus Group announced that they've identified dangerous vulnerabilities in the Palm Pre WebOS. The vulnerabilities illustrate one more reason why we would NEVER use an off-the-shelf mobile device for online banking or anything else really sensitive. Even if the on-line bank app was written without security flaws [which is more than doubtful], flaws in the underlying OS [or Trojan horses embedded in other apps] just make it way too dangerous. Don't be lulled by the fact that Palm has already released an update to WebOS. Remember the mantra: All complex software is flawed and has vulnerabilities.

Read more at V3.co.uk ...

California Senate Passes Strengthened Data Breach Disclosure Law

2010-04-19T20:17:00.000-07:00

Information Week reports that the California Senate has passed SB-1186, a new data breach disclosure law that would require a breach notification letter to include the type of information exposed, a description of the breach, and steps potential victims can take to mitigate risks.

To read the story on Information Security ...

Changing Culture Improves Organization's Data Privacy and Information Security Program

2010-04-19T20:09:00.000-07:00

From a recent report by the renowned Poneman Institute: there is a "strong correlation between an organization’s level of respect for an individual’s personal data and the likelihood that the organization will suffer a data breach. By establishing an environment within an organization that encourages employees to see data as an extension of the customer and not merely something owned by the company, thereby fostering the development of a “culture of caring,” data privacy and information security programs become more effective."

Download the Poneman Report ...

Download our paper "Beyond Awareness Training: It's Time to Change the Culture" from our web site ...

Visitors to Web Sites Hosted by Network Solutions Again at Risk

2010-04-19T19:55:00.000-07:00

KrebsOnSecurity.com reports that Network Solutions has again been hacked by cybercriminals. The cybercriminals installed malicious software on web sites hosted by Network Solutions. This put visitors to these sites at risk that cybercriminals could take control of their computers, allowing them to steal online credit and bank account passwords and other sensitive information.

Read the story at KrebsOnSecurity.com ...

$500 Buys Entry-Level Cybercrime Exploit Pack

2010-04-16T23:48:00.000-07:00

The iPack may sound like Steve Jobs' next great product but don't be fooled. It's a new custom exploit pack for sale to cybercriminals at prices starting at $500. Like many other exploit kits, the iPack make it easy for hackers to booby-trap Web sites with code that installs malicious software.Other exploit kits are available to cybercriminals to make it easy to exploit workstation weaknesses such as missing patches.

Read the story at KrebsOnSecurity.com ...

Java Patch Targets Latest Attacks

2010-04-15T21:09:00.000-07:00

KrebsOnSecurity.com: Oracle Corp. has shipped Java 6 Update 20, a new version of its Java software that nixes a feature in Java that hackers have been using to foist malicious software.The best advice is to turn off Java in your browser, but if you believe you need it, then make sure to keep it patched.

Read more at KrebsOnSecurity.com ...

Download Java Update ...

U.K. Approves Crackdown on Internet Pirates

2010-04-08T23:41:00.000-07:00

NewYorkTimes: The British Parliament on Thursday approved plans to crack down on digital media piracy by authorizing the suspension of repeat offenders’ Internet connections.

Read more at The New York Times ...

In cyberwar, who's in charge?

2010-04-07T22:16:00.000-07:00

This Business Week article continues the public dialogue we need so we can find the common cyber-ground needed to prevail against cyberwar, cyberterrorism and cybercrime.

Read more at Business Week ...

ISP Privacy Proposal Draws Fire

2010-04-07T21:20:00.000-07:00

Brian Krebs reports that the American Registry for Internet Numbers (ARIN) — one of five regional registries worldwide that is responsible for allocating blocks of Internet addresses – is considering a proposal to ease rules that require ISPs to publish address and phone number information for their business customers. The proposal is drawing strong criticism from information systems security professionals as it will make it harder to fight spam, malware and other forms of cybercriminal activity.

Read more at KrebsOnSecurity.com ...

Cybersecurity Coordinator Howard Schmidt: Private Sector Key to Stopping Google-style Attacks

2010-04-07T21:07:00.000-07:00

Speaking at CSO Perspectives 2010, White House Cybersecurity Coordinator Howard Schmidt says the information security community is right to be spooked by massive, coordinated attacks that recently targeted Google. But he believes the best defense remains in the hands of the private sector."You guys have been carrying the water," Schmidt told attendees at CSO Perspectives 2010. "The government can do a lot to improve the nation's cyber defenses. But ultimately," he said, "the key to warding off attacks like the one Google experienced remains private-sector vigilance." ... "I see this as a whole range of threats we have to deal with -- everything from script kiddies to organized crime and everything in between," he said. "There are a lot of different actors we need to worry about, and we have to work harder to reduce the number of vulnerabilities out there so we can stop all of them, whoever and wherever they are."

Read more at Network World ...