Citrix Breach
Citrix confirmed that the hackers who successfully breached the company’s network stole sensitive personal information of both former and current employees and were able to access internal assets for about six months.
— Sergiu Gatlan
Even somewhat unsophisticated attacks like password spraying or credential stuffing can give someone the foothold they need to access sensitive information. In this case it sounds like an HR system. What surprised me about this story was that it was the FBI that notified Citrix of the breach on March 6th.
NBC News says that the attackers were Iranian-backed and managed to make off with 6-10TB of documents.
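Password spraying is cheap for the attacker precisely because it is wide and shallow: one or two common passwords tried against many accounts, so no single account ever trips a lockout. That shape is also what makes it detectable. The script below is an added example (not from the Citrix reporting or any vendor tool) that runs that logic over constructed logon-failure records in PowerShell; the field names `Time`, `Account`, `SourceIp` and `SubStatus` are assumptions standing in for the `TimeCreated`, `TargetUserName`, `IpAddress` and `SubStatus` fields of a real Security event 4625.

```powershell
# Added example, not from the Citrix reporting. Constructed 4625-style logon
# failure records; on a real host build these from
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 }
# (TimeCreated, TargetUserName, IpAddress, SubStatus from the event XML).
$t0 = [datetime]"2019-03-06T09:00:00"
$SampleEvents = @()

# Spray signature: one guess each against eight accounts from one source in two minutes.
$i = 0
foreach ($acct in "alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi") {
    $SampleEvents += [pscustomobject]@{ Time = $t0.AddSeconds(15 * $i); Account = $acct; SourceIp = "203.0.113.7"; SubStatus = "0xC000006A" }
    $i++
}
# Brute-force signature: six guesses against a single account (must NOT be flagged as a spray).
foreach ($n in 0..5) {
    $SampleEvents += [pscustomobject]@{ Time = $t0.AddSeconds(10 * $n); Account = "bob"; SourceIp = "198.51.100.9"; SubStatus = "0xC000006A" }
}
# Benign: one mistyped password.
$SampleEvents += [pscustomobject]@{ Time = $t0.AddMinutes(3); Account = "ivan"; SourceIp = "192.0.2.5"; SubStatus = "0xC000006A" }

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$WindowMinutes = 10,        # fixed bucket width
        [int]$MinDistinctAccounts = 5,   # "wide": many accounts from one source
        [int]$MaxFailuresPerAccount = 2  # "shallow": few guesses per account, unlike brute force
    )
    # Only wrong-password (0xC000006A) and unknown-user (0xC0000064) failures count as guesses.
    $guessStatuses = "0xC000006A", "0xC0000064"
    $windowTicks = [timespan]::FromMinutes($WindowMinutes).Ticks

    $Events |
        Where-Object { $guessStatuses -contains $_.SubStatus } |
        Group-Object -Property SourceIp, { [math]::Floor($_.Time.Ticks / $windowTicks) } |
        ForEach-Object {
            $perAccount = @($_.Group | Group-Object -Property Account)
            $deepest = ($perAccount | Measure-Object -Property Count -Maximum).Maximum
            if ($perAccount.Count -ge $MinDistinctAccounts -and $deepest -le $MaxFailuresPerAccount) {
                [pscustomobject]@{
                    SourceIp         = $_.Group[0].SourceIp
                    WindowStart      = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
                    DistinctAccounts = $perAccount.Count
                    MaxPerAccount    = $deepest
                    Accounts         = ($perAccount.Name -join ", ")
                }
            }
        }
}

# Flags 203.0.113.7 (8 accounts, 1 guess each); 198.51.100.9 and 192.0.2.5 stay quiet.
Find-PasswordSpray -Events $SampleEvents | Format-Table -AutoSize
```

The brute-force source is deliberately left out of the result: it is loud on one account and your lockout policy already sees it. A spray that straddles a bucket boundary can be split across two windows and fall under the threshold, so in production use overlapping or sliding windows, and lower `MinDistinctAccounts` for sources that are never expected to authenticate more than one user (a VPN concentrator is a different story).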
President by Putin
PSA: #1
Everything you do on free hotel Wi-Fi is monitored by criminals.
A Law-abiding Citizen’s Guide to Privacy
It’s time to secure Microsoft Office
Kevin Beaumont has posted a fantastic (and pragmatic!) guide to best practices for working with Office documents. It boils down to a handful of simple configuration changes to how much Office trusts the documents it opens, and those few changes will dramatically improve your security posture.
OLE is more popular than ever, and for all the wrong reasons: embedded objects are one of the favourite ways to get code to run from inside an otherwise harmless-looking document.
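To make "changes to how trustworthy Office documents are" concrete, here is an added PowerShell example (my own, not taken from Kevin Beaumont's guide) that writes the per-user Office trust settings for macros, Mark-of-the-Web content, OLE Packager objects and Protected View, then reads them back. It assumes an Office 2016/2019/365 install (registry version `16.0`); for Office 2013 change that to `15.0`, and confirm the result in Trust Center afterwards.

```powershell
# Added example, not from Kevin Beaumont's guide. Hardens how much Office trusts
# documents for the current user via the Office security registry values.
$OfficeVersion = "16.0"                  # assumption: Office 2016/2019/365 hive
$Apps = @("Word", "Excel", "PowerPoint")

function Set-OfficeDocumentTrust {
    param(
        [string]$Version = $OfficeVersion,
        [string[]]$Applications = $Apps
    )
    foreach ($app in $Applications) {
        $sec = "HKCU:\Software\Microsoft\Office\$Version\$app\Security"
        if (-not (Test-Path $sec)) { New-Item -Path $sec -Force | Out-Null }

        # VBAWarnings: 2 = disable macros with notification (the default, one click
        # from running), 3 = only digitally signed macros, 4 = disable all macros.
        Set-ItemProperty -Path $sec -Name "VBAWarnings" -Type DWord -Value 4

        # Refuse to run macros in files carrying the Mark of the Web (downloads,
        # mail attachments) regardless of VBAWarnings. Office 2016 and later.
        Set-ItemProperty -Path $sec -Name "blockcontentexecutionfrominternet" -Type DWord -Value 1

        # PackagerPrompt: 0 = activate embedded OLE Packager objects silently,
        # 1 = prompt, 2 = block. Packager objects are the "double-click this icon"
        # trick for dropping an executable or script from inside a document.
        Set-ItemProperty -Path $sec -Name "PackagerPrompt" -Type DWord -Value 2

        # Keep Protected View on for Internet files, attachments and unsafe
        # locations (0 = Protected View enabled). "Attachements" is Microsoft's spelling.
        $pv = "$sec\ProtectedView"
        if (-not (Test-Path $pv)) { New-Item -Path $pv -Force | Out-Null }
        foreach ($name in "DisableInternetFilesInPV", "DisableAttachementsInPV", "DisableUnsafeLocationsInPV") {
            Set-ItemProperty -Path $pv -Name $name -Type DWord -Value 0
        }
    }
}

function Get-OfficeDocumentTrust {
    param(
        [string]$Version = $OfficeVersion,
        [string[]]$Applications = $Apps
    )
    foreach ($app in $Applications) {
        $sec = "HKCU:\Software\Microsoft\Office\$Version\$app\Security"
        $p = Get-ItemProperty -Path $sec -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application    = $app
            VBAWarnings    = $p.VBAWarnings
            BlockMoTW      = $p.blockcontentexecutionfrominternet
            PackagerPrompt = $p.PackagerPrompt
        }
    }
}

Set-OfficeDocumentTrust
Get-OfficeDocumentTrust | Format-Table -AutoSize
```

These are HKCU values, so a user can flip them back in Trust Center; to enforce them across a fleet, set the same value names under `HKCU\Software\Policies\Microsoft\Office\<version>\<app>\Security` through Group Policy. `VBAWarnings = 4` will break legitimate macro-driven workflows, so pilot it on a test group and fall back to `3` (signed macros only) where that bites.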
Millions of Android devices have flawed full disk encryption
Even though modern Android devices use this security feature, Beniamini’s research found that an attacker can exploit kernel flaws and vulnerabilities in some of Qualcomm’s security measures to get that encryption key. Then, all that stands between the hacker and a device’s information is a password.
Source: Millions of Android devices have flawed full disk encryption
Seagate Phish Exposes All Employee W-2’s — Krebs on Security
Email scam artists last week tricked an employee at data storage giant Seagate Technology into giving away W-2 tax documents on all current and past employees, KrebsOnSecurity has learned. W-2 forms contain employee Social Security numbers, salaries and other personal data, and are highly prized by thieves involved in filing phony tax refund requests with the Internal Revenue Service (IRS) and the states.
Source: Seagate Phish Exposes All Employee W-2’s — Krebs on Security
Verizon’s 2015 Data Breach Investigations Report
Verizon’s Data Breach Investigations Report (DBIR) is always a great resource: not only does it give the sort of broad overview that helps explain risk and threats, it also digs into the metrics without taking the hairpin turn into absurdity and hand-wringing that so often dominates this part of the industry.
Whenever I’m asked to give a talk, I refer to the DBIR because the data is good, the information is digestible, and it always manages to steer me into topics that are relevant and realistic rather than lurching off into hypotheticals and Doom and Glooming.
Adobe Security Bulletin
The relevant CVEs (Common Vulnerabilities and Exposures reference numbers used by researchers and vendors) are:
And from Adobe’s release, the list of vulnerable versions is quite broad:
Affected software versions
- Adobe Flash Player 12.0.0.44 and earlier versions for Windows and Macintosh
- Adobe Flash Player 11.2.202.336 and earlier versions for Linux
- Adobe AIR 4.0.0.1390 and earlier versions for Android
- Adobe AIR 3.9.0.1390 SDK and earlier versions
- Adobe AIR 3.9.0.1390 SDK & Compiler and earlier versions
Essentially, if you didn’t download a new version of Adobe Flash today, you’re probably vulnerable.
Adobe has released security updates for Adobe Flash Player 12.0.0.44 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.336 and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of reports that an exploit for CVE-2014-0502 exists in the wild, and recommends users update their product installations to the latest versions.
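"Earlier versions" is easy to misjudge by eye because Flash version strings have four numeric components, and the 11.x branch sorts below 12.0.0.44 even though 11.2.202.336 looks bigger. The following is an added PowerShell check (mine, not Adobe's) that compares an installed version string against the affected ceilings from the bulletin above. The registry location it reads is an assumption (the Flash installer has historically recorded its version at `HKLM:\SOFTWARE\Macromedia\FlashPlayer`, value `CurrentVersion`, comma-separated); pass `-InstalledVersion` explicitly if your system differs.

```powershell
# Added example, not from Adobe's bulletin. Highest affected version per
# platform, taken from the affected-software list above.
$AffectedCeiling = @{
    Windows = [version]"12.0.0.44"
    Mac     = [version]"12.0.0.44"
    Linux   = [version]"11.2.202.336"
}

function Test-FlashAffected {
    param(
        [Parameter(Mandatory)][string]$InstalledVersion,   # "12,0,0,44" or "12.0.0.44"
        [ValidateSet("Windows", "Mac", "Linux")][string]$Platform = "Windows"
    )
    # Flash reports its version with commas; [version] wants dots and compares
    # all four components numerically (so 12.0.0.70 > 12.0.0.44 > 11.9.900.170).
    $v = [version]($InstalledVersion -replace ",", ".")
    return ($v -le $AffectedCeiling[$Platform])
}

function Get-InstalledFlashVersion {
    # Assumption (see lead-in): the ActiveX/plugin installer records its version here.
    $key = "HKLM:\SOFTWARE\Macromedia\FlashPlayer"
    (Get-ItemProperty -Path $key -ErrorAction Stop).CurrentVersion
}

$installed = Get-InstalledFlashVersion
if (Test-FlashAffected -InstalledVersion $installed) {
    Write-Warning "Flash Player $installed is in the affected range; update now."
} else {
    "Flash Player $installed is newer than the affected range."
}
```

Browsers that bundle their own Flash (Chrome's PPAPI plugin, and Internet Explorer on Windows 8 and later) are patched through the browser or Windows Update rather than this installer, so check those separately rather than trusting one registry value for the whole machine.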