Citrix Breach

Citrix confirmed that the hackers who successfully breached the company’s network stole sensitive personal information of both former and current employees and were able to access internal assets for about six months.

 — Sergiu Gatlan

Even somewhat unsophisticated attacks like password spraying or credential stuffing can give someone the foothold they need to access sensitive information. In this case it sounds like an HR system. What surprised me about this story was that it was the FBI that notified Citrix of the breach on March 6th.

NBC News says that the attackers were Iranian-backed and managed to make off with 6-10TB of documents.

It’s time to secure Microsoft Office

This week in the office my systems have blocked 150,000 malicious Office documents. All have Office macros attached, or OLE objects. The 90s never finished as attackers learn to automate attacks using Office and old technology. If anything is a sign that the security industry needs to shift up a gear, this is it.

Kevin Beaumont has posted a fantastic (and pragmatic!) guide for best practices when working with Office documents. His guide to simple configuration management will dramatically improve your security posture by making some changes to how trustworthy Office documents are.

OLE is more popular than ever, and for all the wrong reasons.

Seagate Phish Exposes All Employee W-2’s — Krebs on Security

Email scam artists last week tricked an employee at data storage giant Seagate Technology into giving away W-2 tax documents on all current and past employees, KrebsOnSecurity has learned. W-2 forms contain employee Social Security numbers, salaries and other personal data, and are highly prized by thieves involved in filing phony tax refund requests with the Internal Revenue Service (IRS) and the states.

Source: Seagate Phish Exposes All Employee W-2’s — Krebs on Security

Verizon’s 2015 Data Breach Investigations Report

Verizon’s Data Breach Investigations Report (DBIR) is always a great resource — not only does it have the sort of broad overview that helps explain risk and threats, but digs into some of the metrics without taking a hairpin turn into absurdity and hand-wringing that so often dominates this part of the industry.

Whenever I’m asked to give a talk, I refer to the DBIR because the data is good, the information is digestible, and it always manages to steer me into topics that are relevant and realistic rather than lurching off into hypotheticals and Doom and Glooming.

Adobe Security Bulletin

It is very important that all users of Adobe Flash ensure they have the latest versions installed on all workstations — this one is pretty gnarly and will likely be getting a lot of attention in short order.

The relevant CVEs ((Common Vulnerabilities and Exposures reference number used by researchers and vendors)) are:

And from Adobe’s release, the list of vulnerable versions is quite broad:

Affected software versions

  • Adobe Flash Player 12.0.0.44 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.336 and earlier versions for Linux
  • Adobe AIR 4.0.0.1390 and earlier versions for Android
  • Adobe AIR 3.9.0.1390 SDK and earlier versions
  • Adobe AIR 3.9.0.1390 SDK & Compiler and earlier versions

Essentially, if you didn’t download a new version of Adobe Flash today, you’re probably vulnerable.

Adobe has released security updates for Adobe Flash Player 12.0.0.44 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.336 and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of reports that an exploit for CVE-2014-0502 exists in the wild, and recommends users update their product installations to the latest versions.

via Adobe Security Bulletin.