Landmark Leadership Conferences for IT Executives
 

The IT Blog



by Fred F. Farkel, Monday, April 29th, 2013

 

Guest column by Citadel Information Group

Weekend Vulnerability and Patch Report

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Important Security Updates

RoboForm: RoboForm has released version 7.8.8.5. Download the update from RoboForm’s website.

Gallery Project: GalleryProject.org has released version 3.0.7 to fix a vulnerability in Gallery reported in prior versions. Update to version 3.0.7, which can be found on Gallery’s website.

HP LaserJet Printers: HP has released firmware updates for many of its LaserJet printers. The firmware fixes a less critical vulnerability. HP’s support site lists the specific models affected and gives instructions for updating the firmware.

Current Software Versions

Adobe Flash 11.7.700.169 [Windows 7: IE9, Firefox, Mozilla, Netscape, Opera]

Adobe Flash 11.7.700.169 [Windows 8: IE]

Adobe Flash 11.7.700.169 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.02

Dropbox 1.6.11 [Citadel warns against relying on Dropbox security. We recommend that files containing sensitive information be independently encrypted with a program like AxCrypt before they are placed in Dropbox; that the encryption passphrase be at least 15 characters long; and that the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 20.0.1 [Windows]

Google Chrome 26.0.1410.64

Internet Explorer 10.0.9200.16521 [Windows 7]

Internet Explorer 10.0.9200.16519 [Windows 8]

Java SE 7 Update 21 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have particular web sites that require Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser – such as Chrome, IE9, Safari, etc – with Java enabled to browse only the sites that require it.]

QuickTime 7.7.3 (1680.64)

Safari 5.1.7  [Windows]

Safari 6.0.4 [Mac OS X]

Skype 6.3.0.105

Newly Announced Unpatched Vulnerabilities

Belkin Advance N900 Dual-Band Wireless Router: Secunia reports an unpatched vulnerability in Belkin’s Advance N900 Dual-Band Wireless Router in firmware version 1.00.06. Other versions may also be affected. No official solution is currently available.

Belkin N300 Wi-Fi N Router: Secunia reports an unpatched vulnerability in Belkin’s N300 Wi-Fi Router in firmware version 1.00.06. Other versions may also be affected. No official solution is currently available.

D-Link DIR-300 / DIR-615 Wireless Router: Secunia reports an unpatched vulnerability in D-Link’s DIR-300 Rev A (version 1.05) and DIR-615 Rev D3 (version 4.13) Wireless Routers. Secunia reports a second unpatched vulnerability in D-Link’s DIR-615 Rev D3 version 4.13. Other versions may also be affected. No official solution is currently available.

Linksys WRT310N Wireless Router: Secunia reports an unpatched vulnerability in Linksys’ WRT310N Wireless Router in firmware version 2.0.0.1. Other versions may also be affected. No official solution is currently available.

NetGear WNDR4700 Wireless Router: Secunia reports an unpatched moderately critical vulnerability in NetGear’s WNDR4700 Wireless Router in version 1.0.0.34. Other versions may also be affected. No official solution is currently available.

TP-LINK TD-8817 Wireless Router: Secunia reports an unpatched vulnerability in TP-LINK’s TD-8817 Wireless Router in version 6.0.1 Build 111128 Rel.26763. Other versions may also be affected. No official solution is currently available.

TP-LINK WR1043N Wireless Router: Secunia reports an unpatched vulnerability in TP-LINK’s WR1043N Wireless Router in version TL-WR1043ND_V1_120405. Other versions may also be affected. No official solution is currently available.

Because no vendor fixes are available for the routers above, the usual interim mitigations for consumer routers apply: make sure remote (WAN-side) administration is disabled, replace any default administrator password, and limit access to the router’s management interface to trusted hosts on the LAN.

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Unpatched Products: Secunia reports unpatched security issues with Cisco’s Firewall Services Module reported in version 4.1(5) and ASA Software versions 8.2(5) and 8.4(0.3). No official solutions are currently available.

Cisco Multiple Products: Cisco has released updates for multiple products, including Cisco’s NX-OS-based products, Cisco Device Manager, Cisco Unified Computing System, and others. Apply appropriate updates.

Citrix CloudPlatform: Citrix has released an update to fix at least 3 moderately critical vulnerabilities reported in versions 3.0.x through 3.0.6 with patch B. Apply security patch.

Citrix NetScaler / Access Gateway: Citrix has released an update to fix a moderately critical vulnerability. Apply appropriate patch.

Citrix Xen Server: Citrix has released an update to fix a vulnerability reported in versions 6.1 and prior. Apply patches.

Firefox FirePHP: The FirePHP extension for Firefox has been updated to fix a weakness. Update to version 0.7.2.

HP Managed Printing Administration: HP has released an update to its Managed Printing Administration to fix a vulnerability reported in previous versions. Update to version 2.7.0.

IBM Security AppScan / Java Vulnerabilities: IBM has released version 8.6.0.1 to fix at least 20 vulnerabilities, some of which are highly critical, in IBM Security AppScan Standard versions 8.0 and 8.5 bundled with Java. Previous versions remain unpatched.

Ipswitch IMail Server: Ipswitch has released an update to fix a vulnerability in its IMail Server reported in previous versions of the bundled version of OpenSSL. Update to version 12.3.

Joomla!: Joomla! has released updates to fix at least 6 moderately critical vulnerabilities in Joomla! reported in versions prior to 2.5.10 and 3.1.0. Update to version 2.5.10 or 3.1.0.

Joomla! ALFContact Component: Secunia reports a vulnerability in the ALFContact component for Joomla! in version 3.1. Other versions may also be affected. No official solution is currently available.

McAfee ePolicy Orchestrator: McAfee has released updates to fix at least 2 moderately critical vulnerabilities reported in versions 4.5.6 and prior and versions 4.6.5 and prior. Apply patches.

VMware Products / Java Vulnerabilities: VMware has released a partial fix to address at least 30 highly critical vulnerabilities reportedly found in the following products and versions bundled with Java: vCenter Server version 5.0, vCenter Server version 4.1, Update Manager version 5.1, Update Manager version 5.0, ESX version 4.1. Apply patch if available.

VMware vCenter Server: VMware has released an update to its Server Products to fix at least 40 vulnerabilities, some of which are highly critical. Update to version 5.1 Update 1.


If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.
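What the report leaves to the reader is the comparison itself: which of the listed products on a given machine are behind. The script below is an added example for this page, not Citadel’s code or tooling. It parses the “Current Software Versions” list above (copied into the script) and compares it against a constructed, hypothetical inventory of installed versions; the product names used as keys and the INSTALLED values are assumptions. The part worth noticing is the version comparison: components must be compared as integers, because a plain string comparison ranks 9.0.8112 above 10.0.9200.16521 (since “9” sorts after “1”). A matching version number also says nothing about whether a browser plugin such as Java is actually disabled; that still has to be checked in the browser.

```python
"""Check a workstation's installed software against a patch report's
"Current Software Versions" list.

Added example for this page; it is not Citadel's code or tooling. The
report lines are copied from the list above; the INSTALLED inventory is a
constructed, hypothetical workstation."""

import re
from typing import Dict, Tuple

# Constructed from the "Current Software Versions" list in this report.
REPORT_TEXT = """
Adobe Flash 11.7.700.169 [Windows 7: IE9, Firefox, Mozilla, Netscape, Opera]
Adobe Reader 11.0.02
Dropbox 1.6.11 [Citadel warns against relying on Dropbox security.]
Firefox 20.0.1 [Windows]
Google Chrome 26.0.1410.64
Internet Explorer 10.0.9200.16521 [Windows 7]
Java SE 7 Update 21 [Citadel recommends removing or disabling Java from your browser.]
QuickTime 7.7.3 (1680.64)
Safari 5.1.7  [Windows]
Skype 6.3.0.105
"""

# Hypothetical inventory (assumption). In practice this comes from your
# software inventory tool, not from hand-typed values.
INSTALLED = {
    "Adobe Flash": "11.6.602.180",
    "Adobe Reader": "11.0.02",
    "Firefox": "19.0.2",
    "Google Chrome": "26.0.1410.64",
    "Java SE": "7 Update 17",
    "Skype": "6.3.0.105",
    "VLC Media Player": "2.0.6",
}

# Product name (letters and spaces) followed by a version starting with a digit.
_LINE_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s+(\d.*)$")


def parse_report(text: str) -> Dict[str, str]:
    """Map product name -> version string from report lines.

    Bracketed platform notes and parenthesised build numbers are dropped,
    so 'QuickTime 7.7.3 (1680.64)' yields '7.7.3'."""
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or a line that is not "Product version"
        name, rest = m.group(1), m.group(2)
        version = re.split(r"\s*[\[(]", rest, maxsplit=1)[0].strip()
        current[name] = version
    return current


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric components of a version: '7 Update 21' -> (7, 21),
    '10.0.9200.16521' -> (10, 0, 9200, 16521)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as a is older than, equal to or newer than b.

    Components are compared as integers; missing trailing components count
    as zero, so '20.0.1' equals '20.0.1.0'."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def check_inventory(installed: Dict[str, str], report_text: str) -> Dict[str, str]:
    """Status per installed product: 'outdated', 'current',
    'newer than report' or 'not in report'."""
    current = parse_report(report_text)
    status: Dict[str, str] = {}
    for name, have in installed.items():
        if name not in current:
            status[name] = "not in report"
            continue
        c = compare_versions(have, current[name])
        status[name] = "outdated" if c < 0 else "current" if c == 0 else "newer than report"
    return status


if __name__ == "__main__":
    report = parse_report(REPORT_TEXT)
    for name, state in sorted(check_inventory(INSTALLED, REPORT_TEXT).items()):
        print(f"{name:20} installed {INSTALLED[name]:15} report {report.get(name, '-'):15} {state}")
```

Run it as a script to print one line per installed product. Products the report does not list (VLC, in the inventory above) are flagged rather than silently passed, since the report itself says it is not a thorough listing.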

 

Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community


The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.

Weekend Vulnerability and Patch Report, April 28, 2013

by Fred F. Farkel, Monday, April 29th, 2013

 

Guest column by Citadel Information Group

Cyber Security News of the Week

Cyber Crime

Cyberattackers hack into LivingSocial, 50 million customers impacted: LivingSocial, the daily deals site owned in part by Amazon, has suffered a massive cyberattack on its computer systems, according to officials at the company. USA Today, April 26, 2013

Sources: Tea Leaves Say Breach at Teavana: Multiple sources in law enforcement and the financial community are warning about a possible credit and debit card breach at Teavana, a nationwide tea products retailer. Seattle-based coffee giant Starbucks, which acquired Teavana late last year, declined to confirm a breach at Teavana, saying only that the company is currently responding to inquiries from card-issuing banks and credit card brands. KrebsOnSecurity, April 22, 2013

Cyber Attack

Hackers compromise AP Twitter account: Hackers compromised Twitter accounts of The Associated Press on Tuesday, sending out a false tweet about an attack at the White House. CBS News, April 23, 2013

Syria’s pro-Assad hackers are hijacking high-profile Twitter feeds: The Syrian Electronic Army, an informal network of hackers who wage cyberwar in support of the Syrian government and President Bashar al-Assad, have found yet another way to harass Western Web users. Hackers identifying as part of the Syrian Electronic Army have hijacked a series of Twitter feeds over the last few weeks. The targeted feeds tend to be associated with Western organizations, particularly ones that somehow cover Syria. The Washington Post, April 22, 2013

Cyber Underworld

BRAZEN CRIMEWARE MARKETING BRANCHES OUT TO SOCIAL NETWORKS: The secrecy of underground forums where financial malware and crimeware kits are traded is well guarded, to the point that few are able to penetrate them without some kind of internal sponsor. Here, criminals value their privacy as much as those from whom they steal. ThreatPost, April 26, 2013

MALWARE C&C SERVERS FOUND IN 184 COUNTRIES: In an attempt to better evade detection, cybercriminals are increasingly configuring their command and control infrastructure in such a way that initial malware callbacks communicate with a server located in the same country as the newly infected machines. ThreatPost, April 23, 2013

Cyber Warning

Hackers increasingly target shared Web hosting servers for use in mass phishing attacks: Cybercriminals increasingly hack into shared Web hosting servers in order to use the domains hosted on them in large phishing campaigns, according to a report from the Anti-Phishing Working Group (APWG). ThreatPost, April 26, 2013

VULNERABILITY IN VIBER FOR ANDROID ENABLES LOCK SCREEN BYPASS: Another day, another smartphone lock screen bypass vulnerability. ThreatPost, April 25, 2013

FireEye Finds Gh0stRAT Cyberespionage Campaigns Continue: Many advanced persistent threat attacks use the malware, believed to have been developed in China. CIO, April 24, 2013

Researcher’s Serial Port Scans Find More Than 100,000 Hackable Devices, Including Traffic Lights And Fuel Pumps: You probably remember serial ports as the ancient nine-pin plugs you once used to hook up your mouse or joystick to your computer in the pre-USB dark ages. But tracking down devices that still use serial port connections isn’t so hard, it seems. In fact, according to H.D. Moore, any hacker can find, and tamper with, more than 100,000 of them over the Internet, including critical systems ranging from traffic lights to fuel pumps to building heating and cooling systems to retail point-of-sale devices. Forbes, April 23, 2013

JAVA SANDBOX BYPASS DISCOVERED THAT BREAKS LATEST UPDATE: Optimism and praise followed last week’s Java critical patch update. Oracle not only patched 42 vulnerabilities in the Java browser plug-in, but also added new code-signing restrictions and new prompts warning users when applets are potentially malicious. It took less than a week, however, to deflate any good will toward Java that resulted. ThreatPost, April 23, 2013

New Malware Hijacks Twitter Accounts for Financial Fraud: Cyber criminals are always looking for new ways to avoid detection, escape cyber sleuths, and carry out their cyber crimes. So it shouldn’t be surprising that malicious hackers are now taking advantage of social media. A newly discovered malware, designed to gain access to users’ banking credentials, uses Twitter to spread itself and reach more victims. Mashable, April 22, 2013

Cyber Threat

Businesses Face Growing Threat From Hackers: With government scrambling to fight cyber threats, the private sector sees a growing need to protect itself. US News and World Report, April 26, 2013

New Research Shows Remote Users Expose Companies To Cybercrime: BROOMFIELD, Colo., April 23, 2013 /PRNewswire/ – Results of new remote access security research show half of companies with a remote workforce had their websites compromised in 2012, over a third had passwords hacked, and twice as many companies with remote users were victims of SQL injection attacks. DarkReading, April 23, 2013

Hacktivists Change Tactics From Data Breaches to Disruption: Verizon: The amount of data hacktivists stole plunged in 2012 as politically motivated hackers focused more on DDoS, but state-sponsored attackers and cyber-crooks picked up the slack. eWeek, April 23, 2013

Cybercrime’s easiest prey: Small businesses: A data breach investigations report from Verizon (VZ, Fortune 500), released Tuesday, showed that small businesses continue to be the most victimized of all companies. CNN, April 23, 2013

Report: DDoS Attacks Getting Bigger, Faster Than Ever: Distributed denial-of-service (DDoS) attacks are steadily increasing in size and speed, creating new problems for enterprise defenses, according to a study published today. DarkReading, April 22, 2013

Online Bank Fraud

Lawsuits Bring Clarity To SMBs In Corporate Account Takeovers: Small businesses have had millions of dollars stolen from their accounts by online thieves; court cases have started creating a clear picture of responsibilities. DarkReading, April 22, 2013

Cyber Security Management – Cyber Defense

Tech Insight: Time To Set Up That Honeypot: Many companies are simply doing security wrong. While they might have perimeter security nailed down, they are probably failing at securing their workstations from insider abuse or have no true visibility as to what’s going on within their internal networks. DarkReading, April 26, 2013

Social engineering in penetration tests: 6 tips for ethical (and legal) use: Social engineering techniques are often crucial to executing penetration tests. But which methods cross the ethical line – or even venture into the dangerous territory of illegal? CSO, April 23, 2013

Cyber Security Management

Many Hacked Businesses Remain Unprepared For The Next Breach: New Ponemon report finds three-fourths of hacked organizations either have had or expect to have a breach that loses them customers and business partners. DarkReading, April 24, 2013

Cyber Privacy

It’s privacy versus cybersecurity as CISPA bill arrives in Senate: Cybersecurity and online privacy are two critical interests that seem destined never to get along. Sure, you want malicious hackers, spammers, and other Internet lowlifes brought to justice-but you also want to protect your online data. PC World, April 25, 2013

IN FOCUS: The Directive: In this Q&A, Timothy Toohey, CIPP/US, CIPP/E, of Snell & Wilmer, discusses the tensions and controversies within the proposed EU data protection regulation. IAAP, April 22, 2013

Securing The Village

GOOGLE JOINS FIDO ALLIANCE EFFORT TO MOVE BEYOND PASSWORDS: Google, which gradually has been moving its users away from using passwords as their main form of authentication for Web services, has joined a young organization whose goal is to phase out passwords and replace them with various forms of strong authentication. The FIDO Alliance, formed last year, is working to make two-factor authentication the default mechanism for authentication through the establishment of an open standard for strong authentication. ThreatPost, April 26, 2013

National Cyber Security

EXECUTIVE ORDER EXPANDS WARRANTLESS NETWORK MONITORING TO INCLUDE CRITICAL INFRASTRUCTURE: A little-known policy through which the Departments of Justice, Defense, and Homeland Security offered prosecutorial immunity to companies that helped the U.S. military monitor Internet traffic on the private networks of defense contractors has reportedly been expanded by Executive Order to include a score of other “critical infrastructure” industries, according to information obtained as part of a Freedom of Information Act lawsuit filed by the Electronic Privacy Information Center (EPIC). ThreatPost, April 25, 2013

U.S. and China Put Focus on Cybersecurity: BEIJING – The United States and China held their highest-level military talks in nearly two years on Monday, with a senior Chinese general pledging to work with the United States on cybersecurity because the consequences of a major cyberattack “may be as serious as a nuclear bomb.” The New York Times, April 22, 2013

Stuxnet and the Dawn of Algorithmic Warfare: Though autonomous, destructive robots are a long-time, hackneyed science fiction plot, for some time, this new kind of warfare has been shifting from yesterday’s movie to today’s reality. But unforeseen by the imaginations of both headline and science fiction writers, it was not a missile-laden drone or humanoid Terminator that introduced this new kind of combat, but a piece of software. Stuxnet, part of the “Olympic Games” covert assault by the United States and Israel on Iranian nuclear capability, appears to be the first autonomous weapon with an algorithm, not a human hand, pulling the trigger. While the technology behind Stuxnet or other autonomous weapons is impressive, there has been little or no ethical debate on how (or indeed whether) such weapons should be used. ACUS, April 17, 2013

Cyber Law

Finding Common Threads in Privacy and Information Security Laws: The sheer number and variety of laws and regulations that can apply to even small businesses handling sensitive information can be daunting, if not overwhelming. In some instances, it may be almost impossible for even a large, sophisticated organization to identify all applicable laws, reconcile inconsistencies, and then implement a compliance program. In this discussion, the goal is not to discuss any specific laws or regulations, but to identify three common threads that run through many of them. By understanding those common threads, businesses can more easily understand their baseline compliance obligations. CSO, April 26, 2013

Cyber Survey

VERIZON DBIR TAKES FIRST DEEP DIVE INTO CYBERESPIONAGE: Targeted cyberespionage attacks have dominated discussions within the security community and outside of it from the mainstream media to the halls of the executive and legislative branches of government. But until now, discussions about attacks stemming from China that target intellectual property from engineering, manufacturing and military interests in the United States, have been anecdotal and one-off analyses of specific breaches. ThreatPost, April 22, 2013

No ‘One Size Fits All’ In Data Breaches, New Verizon Report Finds: Verizon Data Breach Investigations Report 2013 says financial cybercrime accounting for three-fourths of real-world breaches, followed by cyberespionage in one-fifth of breaches. DarkReading, April 22, 2013

One in five data breaches are the result of cyberespionage, Verizon says: IDG News Service – Even though the majority of data breaches continue to be the result of financially motivated cybercriminal attacks, cyberespionage activities are also responsible for a significant number of data theft incidents, according to a report that will be released Tuesday by Verizon. CIO, April 22, 2013

Cyber Sunshine

Dutchman Arrested in Spamhaus DDoS: A 35-year-old Dutchman thought to be responsible for launching what’s been called “the largest publicly announced online attack in the history of the Internet” was arrested in Barcelona on Thursday by Spanish authorities. The man, identified by Dutch prosecutors only as “SK,” was being held after a European warrant was issued for his arrest in connection with a series of massive online attacks last month against Spamhaus, an anti-spam organization. KrebsOnSecurity, April 26, 2013

Leadership

Is It Okay to Show Vulnerability?: Leaders should show a sense of vulnerability. Forbes, April 23, 2013

Securing the Village – Events Calendar

Santa Monica Rotary Club; Lunch Meeting, May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk – It Takes the Village to Secure the Village SM – Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user’s computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.

ISSA-LA Fifth Annual Information Security Summit; May 21, 2013: Join 800 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator. For more information and to register, visit ISSA-LA.


Cyber Security News of the Week, April 28, 2013

by Fred F. Farkel, Monday, April 22nd, 2013

 

Guest column by Citadel Information Group

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Important Security Updates

Apple Java for OS X: Apple has released an update to OS X to fix at least 21 highly critical vulnerabilities in its version of Java. Download the update from Apple’s website.

Apple Safari for OS X: Apple has released version 6.0.4 of Safari for OS X to fix a highly critical vulnerability. Download the update from Apple’s website. This update is for OS X only and doesn’t affect the Windows version.

Foxit 6.02.0413: Foxit has released a security and performance update. The updated program can be obtained from Foxit’s web site.

NetGear WNR1000: NetGear has released version 1.0.2.60 for its WNR1000 Wireless Router to fix a vulnerability. Download the update from NetGear’s website by providing the model number of the router.

Oracle Java: Oracle has released Java SE 7 Update 21 to fix at least 42 highly critical vulnerabilities in Java. Download the update from the Java website.

Picasa 3.9, build 136.20: Picasa has released a security and performance update. The updated program can be obtained from Picasa’s website.

VLC Media Player: VLC has released version 2.0.6 of its Media Player to fix a highly critical vulnerability reported in version 2.0.5 and prior. Download the update from VLC’s website. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 3, 2013.

Current Software Versions

Adobe Flash 11.7.700.169 [Windows 7: IE9, Firefox, Mozilla, Netscape, Opera]

Adobe Flash 11.7.700.169 [Windows 8: IE]

Adobe Flash 11.7.700.169 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.02

Dropbox 1.6.11 [Citadel warns against relying on Dropbox security. We recommend that files containing sensitive information be independently encrypted with a program like AxCrypt before they are placed in Dropbox; that the encryption passphrase be at least 15 characters long; and that the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 20.0.1 [Windows]

Google Chrome 26.0.1410.64

Internet Explorer 10.0.9200.16521 [Windows 7]

Internet Explorer 10.0.9200.16519 [Windows 8]

Java SE 7 Update 21 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have particular web sites that require Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser – such as Chrome, IE9, Safari, etc – with Java enabled to browse only the sites that require it.]

QuickTime 7.7.3 (1680.64)

Safari 5.1.7  [Windows]

Safari 6.0.4 [Mac OS X]

Skype 6.3.0.105

Newly Announced Unpatched Vulnerabilities

D-Link DIR-865L Wireless Router: Secunia reports an unpatched vulnerability in D-Link’s DIR-865L Wireless Router in version 1.03. There is currently no patch at this time.

Linksys EA2700 Wireless Router: Secunia reports unpatched vulnerabilities in Linksys’ EA2700 Wireless Router in firmware version 1.0.12.128947. There is currently no patch at this time. 

Linksys WRT54GL Wireless Router: Secunia reports an unpatched vulnerability in Linksys’ WRT54GL Wireless Router in firmware version 4.30.15. There is currently no patch at this time.

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Cisco has released updates for multiple products, including its Adaptive Security Appliance, NAC appliance, and others. Apply appropriate updates.

Novell GroupWise: Novell has released an update for its GroupWise WebAccess to fix a vulnerability. Apply appropriate patches.

Oracle Multiple Products: US-CERT and Secunia report that Oracle has released updates for at least 31 of its products, including Oracle Database Server, E-Business Suite, Supply Chain Products Suite, PeopleSoft, MySQL and others. Apply appropriate updates.




Weekend Vulnerability and Patch Report, April 21, 2013

by Fred F. Farkel, Monday, April 22nd, 2013

 

Guest column by Citadel Information Group

ISSA-LA – Securing the Village

Healthcare HITECH Privacy and Security Highlights ISSA-LA Fifth Annual Information Security Summit: The Los Angeles Chapter of the Information Systems Security Association and the Healthcare Information and Management Systems Society Southern California hold the Healthcare HITECH Privacy and Security Summit on Tuesday, May 21, 2013 in LA. PRLog, April 17, 2013

Cyber Crime

Reddit hit with a denial-of-service attack: The social news site Reddit is being hit with what the company called a “malicious” denial of service attack, first disclosed via its official Twitter account Friday. The Washington Post, April 19, 2013

Schnucks breach will likely cost millions: Book stores. Banks. Even data security companies. They’ve all become recent targets of increasingly sophisticated, determined – some say talented – hacker gangs. St. Louis Post-Dispatch, April 7, 2013

Cyber Underworld

Where Kim Dotcom Got His Start: The House Of Coolness: Kim Dotcom, who I profile in the latest issue of the magazine, is a born entrepreneur. In fact, he’s launched so many money making ventures in his 39 years that not all of them fit into our print edition. But one, at least, was controversial enough among Dotcom’s one-time hacker peers that it deserves its own historical footnote. Forbes, April 17, 2013

Cyber Warning

Data security firm warns of malware exploiting Boston bombings: Chicago-based data security firm Trustwave said it has detected “a large-scale malicious spam campaign” circulating online that is exploiting this week’s Boston bombings. ChicagoTribune, April 19, 2013

Malware and domain-squatters target Boston Marathon bombing: The scummier end of the online community has been quick to use Monday’s bombing of the Boston Marathon as bait for multiple malware dispersals, plus a spot of old-fashioned online fraud along the way. The Register, April 17, 2013

Cyber Threat

Browsers Pose the Greatest Threat to Enterprise, Microsoft Reports: Microsoft’s latest security report has found that Web-based attacks pose the greatest threat to companies, giving credence to efforts to develop browser alternatives to accessing the Internet. CIO, April 19, 2013

Study: 32.8 Million Android Phones Infected with Malware: Do you have an anti-virus app on your Android phone yet? If not, a new study conducted by security firm NQ Mobile suggests you’re playing with fire: The number of malware threats to your Android phone has increased 163% over the past year alone. Time, April 17, 2013

Microsoft: Worms And Rogue AV Dying, Web Threats Thriving: For the first time in nearly four years, the top malware threat plaguing enterprises is not the Conficker worm: Web-based attacks have taken over, according to new data gathered from more than 1 billion Windows machines worldwide. DarkReading, April 17, 2013

Symantec report finds small businesses battered by cyber crime: Cyber criminals are increasingly targeting small businesses due to their less sophisticated defenses, according to a new report from Symantec. InfoWorld, April 16, 2013

Cyber Security Management – Cyber Update

Java Update Plugs 42 Security Holes: Oracle Corp. today released an update for its Java SE software that fixes at least 42 security flaws in the widely-installed program and associated browser plugin. The Java update also introduces new features designed to alert users about the security risks of running certain Java content. KrebsOnSecurity, April 16, 2013

Cyber Security Management – Cyber Defense

Microsoft adds two-factor authentication to keep accounts secure: If you’re an active user of Outlook, SkyDrive, Office Web Apps, or other Microsoft services, you may want to add two-step verification for an extra layer of security. PCWorld, April 17, 2013

Google further secures Chrome against malicious extensions, will start malware download prompts next week: Google on Wednesday announced it has added new measures to protect Chrome users being targeted by malicious extensions. This time, the company is focusing on extensions that are abusing enterprise options or manipulating Chrome preferences; the company says you can expect to see “Safe Browsing” malicious download warnings “within a week.” The Next Web, April 17, 2013

Cyber Security Management – Online Bank Fraud

Bank Sues Cyberheist Victim to Recover Funds: A bank that gave a business customer a short term loan to cover $336,000 stolen in a 2012 cyberheist is now suing that customer to recover the fronted funds, after the victim company refused to repay or even acknowledge the loan. KrebsOnSecurity, April 19, 2013

Cyber Security Management – HIPAA

HIPAA Compliance: What Providers Should Know About HITECH Act Mandatory Audits: Investigations by the Office for Civil Rights related to compliance with the Health Insurance Portability and Accountability Act will no longer be initiated by only complaints and self-reported breaches. Section 13411 of the HITECH Act requires HHS to provide for periodic audits of covered entities’ and business associates’ compliance with the HIPAA Privacy Rule, Security Rule and Breach Notification standards. While the audits are not intended to be investigations, an audit could reveal a serious compliance issue that could lead to a separate enforcement investigation by OCR. These mandatory audits are further evidence of the increased enforcement efforts of HHS. Becker’s Hospital Review, April 17, 2013

National Cyber Security

CISPA Passes In The House, (Again) But Faces Resistance In Senate And White House (Again): The controversial Cyber Intelligence Sharing and Protection Act passed in the House of Representatives Thursday despite growing opposition to the bill, legislation designed to allow data about digital threats to be shared between the government and the private sector, but which opponents say could circumvent protections against users’ private data being siphoned from companies to the Department of Homeland Security or intelligence agencies. The bill now faces an uphill battle in the Senate and a possible veto from the White House. Forbes, April 18, 2013

Cyber Defenders

U.S. Air Force cadets win cyber war game with NSA hackers: HANOVER, Maryland (Reuters) – A U.S. Air Force Academy team on Friday beat out rivals from other elite military colleges after a three-day simulated cyber “war” against hackers from the National Security Agency that is meant to teach future officers the importance of cybersecurity. Yahoo News, April 19, 2013

Cyber Research

Machine Learning Susses Out Social-Network Fraud: Machine learning techniques can be used to detect fraud and spies on social networks based on certain features, such as the number of followers and the number of devices used to access the network. DarkReading, April 19, 2013

Securing the Village – Events Calendar

Santa Monica Rotary Club; Lunch Meeting, May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk – It Takes the Village to Secure the Village SM – Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user’s computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.

ISSA-LA Fifth Annual Information Security Summit; May 21, 2013: Join 800 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator. For more information and to register, visit ISSA-LA.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community


The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.

Read More | Comments Off on Cyber Security News of the Week, April 21, 2013

by Fred F. Farkel, Monday, April 15th, 2013


Guest column by Citadel Information Group

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Special Security Alert

Microsoft Patch Tuesday: KrebsOnSecurity.com writes that Microsoft is encouraging users to pay strict attention to this week’s patching regarding Microsoft Security Bulletin MS13-036. Those who haven’t installed it yet should hold off on MS13-036, a security update that Microsoft released earlier this week to fix a dangerous security bug in its Windows operating system, because Microsoft is seeing a spike in complaints from Windows users whose machines became unbootable after applying the update. Instructions for uninstalling the update are available on Microsoft’s website.

WordPress Websites: As reported in this week’s Cyber Security News of the Week, KrebsOnSecurity.com writes that if you have a website developed in WordPress or Joomla!, you should assume your website may be under attack. Citadel strongly recommends you contact your webmaster and 1) set the account lockout threshold to 5 failed attempts or fewer, and 2) make sure the administrative password is complex and at least 15 characters long. See Citadel’s blog post “Three Rules for Password Sanity.” As a general rule, Citadel also recommends ensuring your webmaster keeps your WordPress and Joomla! installations patched and up to date. Further, ensure your webmaster or IT personnel keep the underlying servers patched and up to date.

Important Security Updates 

Adobe ColdFusion: Adobe has released updates to several versions of ColdFusion to fix highly critical vulnerabilities reported in versions 10, 9.0.2, 9.0.1 and 9.0 for Windows, Mac and UNIX. Specific steps for the updates are available from Adobe’s website.

Adobe Flash Player: Adobe has released version 11.7.700.169 to fix highly critical vulnerabilities in its Flash Player. Updates are available from Adobe’s website. Updates are also available for Adobe AIR.

Adobe Flash Player for Android: Adobe has released an update to fix highly critical vulnerabilities in its Flash Player for Android. Updates are available through the device.

Adobe Shockwave Player: Adobe has released version 12.0.2.122 for both Windows and Mac to fix several critical vulnerabilities in earlier versions of its Shockwave Player. Updates are available from Adobe’s website.

Google Chrome Flash Player: Google has released an updated version of Chrome to fix several highly critical vulnerabilities due to a bundled vulnerable version of Adobe Flash Player. Update to version 26.0.1410.63 for Mac and Linux or 26.0.1410.64 for Windows. Update through Chrome settings or go to Chrome’s website.

Microsoft Patch Tuesday: Microsoft released several updates addressing at least 13 security vulnerabilities, some of which are highly critical, in Windows, Internet Explorer, Microsoft Office, Microsoft Server Software, Silverlight, Remote Desktop, and Windows Defender Anti-malware program on Windows 8. Updates are available via Windows Update or from Automatic Update. See Special Security Alert above.

Mozilla Firefox: Mozilla has released version 20.0.1 of Firefox to fix at least 10 highly critical vulnerabilities that remain unpatched in previous versions. Updates are available through the program or Firefox’s website. Updates are also available for Thunderbird and SeaMonkey.

Current Software Versions

Adobe Flash 11.7.700.169 [Windows 7: IE9, Firefox, Mozilla, Netscape, Opera]

Adobe Flash 11.7.700.169 [Windows 8: IE]

Adobe Flash 11.7.700.169 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.02

Dropbox 1.6.11 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 20.0.1 [Windows]

Google Chrome 26.0.1410.64

Internet Explorer 10.0.9200.16521 [Windows 7: IE]

Internet Explorer 10.0.9200.16519 [Windows 8: IE]

Java SE 7 Update 17 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have particular web sites that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser – such as Chrome, IE9, Safari, etc – with Java enabled to browse only the sites that require it.]

QuickTime 7.7.3 (1680.64)

Safari 5.1.7 [Windows]

Safari 6.0.3 [Mac OS X]

Skype 6.3.0.105

Newly Announced Unpatched Vulnerabilities

Cisco Linksys EA2700 Wireless Router: Threatpost reports several unpatched highly critical vulnerabilities in Cisco’s Linksys EA2700 Network Manager N600 Wireless-N router. No patch is available at this time.

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Cisco has released updates for multiple products, including its IOS products, Prime Network Control System, Firewall Services, ASA Software, and AnyConnect VPN. Apply appropriate updates.

Novell Identity Manager: Novell has released an update for its Identity Manager. Apply appropriate patches.


If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.


Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.




Read More | Comments Off on Weekend Vulnerability and Patch Report, April 14, 2013

by Fred F. Farkel, Monday, April 15th, 2013


Guest column by Citadel Information Group

ISSA-LA – Securing the Village

HP Cyber Security Strategist Rafal Los to Speak at ISSA-LA Annual Information Security Summit: Information security expert Rafal Los to discuss unattainable total security versus defensibility strategies at the LA Chapter of the Information Systems Security Association Fifth Annual Information Security Summit on Wednesday, May 21, 2013. PR Log, April 8, 2013

Cyber Security Management

Three Rules for Password Sanity: Let’s start with the obvious. We all hate passwords. Citadel Information Group, April 11, 2013

Closing the Door on Hackers: For most of my teenage years, I made a hobby of hacking into some of the world’s largest government and corporate computer systems. I was “lucky” enough to be raided by the F.B.I. when I was 17 years old. After that wake-up call, I eventually started a software security company and now find myself helping to plug security holes, not exploit them. The New York Times, April 4, 2013

Cyber Security Management – Cyber Defense

Non-Microsoft vulnerabilities account for 86% of vulnerabilities in the most popular programs: Copenhagen, Denmark, March 14th, 2013: 86% of vulnerabilities discovered in the most popular 50 programs in 2012 were in non-Microsoft (or “third-party”) programs. The result was published today in the Secunia Vulnerability Review 2013. Secunia is a leading provider of IT security solutions that enable management and control of vulnerability threats. The Secunia Vulnerability Review 2013 analyzes the evolution of software vulnerabilities from a global, industry, enterprise, and endpoint perspective. Secunia, March 14, 2013

Cyber Security Management – Cyber Warning

Brute Force Attacks Build WordPress Botnet: Security experts are warning that an escalating series of online attacks designed to break into poorly-secured WordPress blogs is fueling the growth of an unusually powerful botnet currently made up of more than 90,000 Web servers. KrebsOnSecurity, April 12, 2013

Angry Birds impersonated to distribute malware: As part of Netcraft’s ongoing work in providing anti-fraud and anti-phishing services, we have recently discovered a significant number of Russian language attacks targeting users of popular pieces of software, including well known brands such as Angry Birds. This type of attack can be particularly successful as it exploits a user’s trust in a brand. Malicious downloads for Android phones are becoming an increasingly common attack vector. Netcraft, April 12, 2013

Hackers Turn a Canon EOS Camera Into a Remote Surveillance Tool: IDG News Service – The high-end Canon EOS-1D X camera can be hacked for use as a remote surveillance tool, with images remotely downloaded, erased and uploaded, a researcher said during the Hack in the Box security conference in Amsterdam on Wednesday. CIO, April 10, 2013

Pwn2Own IE Vulnerabilities Missing from Microsoft Patch Tuesday Updates: UPDATE – In an unexpected turn, Microsoft’s monthly Patch Tuesday security updates released today did not include patches for Internet Explorer vulnerabilities used during the Pwn2Own contest one month ago. ThreatPost, April 9, 2013

Serious Vulnerabilities Found in Popular Home Wireless Routers: Hackers love to attack Java. Why? Well, not only because it is full of holes, but because it’s everywhere, embedded on endpoints, Web browsers, mobile devices and more. The same goes for attacking wireless routers; they’re buggy and they’re everywhere. ThreatPost, April 8, 2013

Cyber Security Management – Cyber Update

Microsoft: Hold Off Installing MS13-036: Microsoft is urging users to who haven’t installed it yet to hold off on MS13-036, a security update that the company released earlier this week to fix a dangerous security bug in its Windows operating system. The advice comes in response to a spike in complaints from Windows users who found their machines unbootable after applying the update. KrebsOnSecurity, April 12, 2013

Critical Fixes for Windows, Flash & Shockwave: The second Tuesday of the month is upon us, and that means it’s once again time to get your patches on, people (at least for readers running Windows or Adobe products). Microsoft today pushed out nine patch bundles to plug security holes in Windows and its other products. Separately, Adobe issued updates for its Flash and Shockwave media players that address four distinct security holes in each program. KrebsOnSecurity, April 9, 2013

Cyber Crime

Video Service Vudu Resets Users’ Passwords After Burglars Steal Its Hard Drives: In an age of daily hacker breaches, Vudu just revealed it’s been the victim of an often-forgotten sort of data theft: The physical kind. Forbes, April 9, 2013

Cyber Attack

Israel Says It Repelled Most Attacks on Its Web Sites by Pro-Palestinian Hackers: JERUSALEM – A loose international coalition of pro-Palestinian computer hackers threatened to carry out what it called “a massive cyberassault” against Israel on Sunday, but the campaign created mostly minor disruptions, and the Israeli government said that as of midday its Web sites were still accessible to the public. The New York Times, April 7, 2013

Online Bank Fraud

Fraud Awareness: A Banking Case Study: New and proposed FFIEC guidance for fraud prevention and social media spurred Bank of the West in March to launch a viral campaign aimed at fraud awareness. What are the campaign’s key elements? BankInfoSecurity, April 1, 2013

Identity Theft

SEC adopts identity theft rule in first act by new chairman: WASHINGTON – Stock brokerages, mutual funds and investment advisers will be required to establish programs to help detect identity theft under new rules adopted by U.S. securities regulators on Wednesday. Fox Business, April 10, 2013

IRS takes steps to combat identity theft: WASHINGTON (AP) – The 2014 budget proposal to be released by the White House on Wednesday will include new steps to combat what the Internal Revenue Service says is an exponential growth in tax refund-related identity theft. US News, April 9, 2013

Cyber Underworld

Phoenix Exploit Kit Author Arrested In Russia?: The creator of a popular crimeware package known as the Phoenix Exploit Kit was arrested in his native Russia for distributing malicious software and for illegally possessing multiple firearms, according to underground forum posts from the malware author himself. KrebsOnSecurity, April 8, 2013

Privacy

Your Facebook Friends May be Evil Bots: How safe is your online social network? Not very, as it turns out. Your friends may not even be human, but rather bots siphoning off your data and influencing your decisions with convincing yet programmed points of view. CIO, April 8, 2013

The 5 Biggest Online Privacy Threats of 2013: Your online life may not seem worth tracking as you browse websites, store content in the cloud, and post updates to social networking sites. But the data you generate is a rich trove of information that says more about you than you realize-and it’s a tempting treasure for marketers and law enforcement officials alike. April 8, 2013

National Cyber Security

Obama Budget Outlines Federal CyberSecurity Spending: The Obama Administration’s budget calls for more military hackers patrolling cyberspace and repelling attacks from nation-states such as Iran and China, or rogue actors around the world. PCMag, April 12, 2013

McConnell: Cybersecurity framework will reduce risk, but not ‘fix the problem’: The cybersecurity executive order signed by President Obama in February calls for a cybersecurity framework and public-sector partnership with critical infrastructure, but Bruce McConnell, senior counsel for cyber at the National Protection and Programs Directorate of the Homeland Security Department says neither will “fix the problem.” FierceGovernmentIT, April 8, 2013

Arming for Virtual Battle: The Dangerous New Rules of Cyberwar: Now that wars are also being fought on digital battlefields, experts in international law have established rules for cyberwar. But many questions remain unanswered. Will it be appropriate to respond to a cyber attack with military means in the future? Spiegel International, April 4, 2013

Cyber Career

Security Job Market ‘Rocking,’ But Pressures Rise: Security continues to be information technology’s hottest necessary evil, but the pressures of doing more with less are starting to wear on professionals. DarkReading, April 9, 2013

Cyber Miscellaneous

Researcher Says He’s Found Hackable Flaws In Airplanes’ Navigation Systems (Update: The FAA Disagrees): Here’s an uncomfortable image to keep in mind during your next flight: A rogue hacker who can redirect planes at will with the touch of an Android phone’s screen. Forbes, April 10, 2013

Cybersecurity lobbying doubled in 2012: Cybersecurity was in the headlines practically every day last year, grabbing the attention of lawmakers – and lobbyists. CNN, April 8, 2013

WikiLeaks’ ‘PLUS D’ Aims To Digitize America’s Secret Diplomatic History: Not so long ago, WikiLeaks represented the world’s most radical group of investigative journalists. Lately, Julian Assange’s organization has been acting more like radical librarians. Forbes, April 7, 2013

Cyber Sunshine

LulzSec Hackers Plead Guilty to Hacks on Nintendo, Sony, More: Three members of LulzSec today pleaded guilty to a computer hacking campaign that targeted many high-profile firms. PCMag, April 9, 2013

Securing the Village – Events Calendar

ISSA-LA April Lunch Meeting; April 17, 2013. For more information and to register, visit ISSA-LA.

Santa Monica Rotary Club; Lunch Meeting, May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk – It Takes the Village to Secure the Village SM – Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user’s computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.

ISSA-LA Fifth Annual Information Security Summit; May 21, 2013: Join over 500 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator. For more information and to register, visit ISSA-LA.




Read More | Comments Off on Cyber Security News of the Week, April 14, 2013

by Fred F. Farkel, Monday, April 8th, 2013


Guest column by Citadel Information Group

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Important Security Updates

Mozilla Firefox: Mozilla has released version 20 of Firefox to fix at least 10 highly critical vulnerabilities that remain unpatched in previous versions. Updates are available through the program or Firefox’s website. Updates are also available for Thunderbird and SeaMonkey.

Mozilla Firefox for Android: Mozilla has released version 20.0 of Firefox for Android to fix a highly critical vulnerability that remains unpatched in the previous version. The update is available through the device.

Opera: Opera has released version 12.15 to fix a moderately critical vulnerability reported in the previous version. Earlier versions may also be affected. The update is available through the program or Opera’s website.

Skype: Skype has released version 6.3.0.105 to fix several moderately critical vulnerabilities. Updates are available through the program or Skype’s website.

Current Software Versions

Adobe Flash 11.6.602.180 [Windows 7: IE9, Firefox, Mozilla, Netscape, Opera]

Adobe Flash 11.6.602.180 [Windows 8: IE]

Adobe Flash 11.6.602.180 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.02

Dropbox 1.6.11 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 20 [Windows]

Google Chrome 26.0.1410.43

Internet Explorer 10.0.9200.16521 [Windows 7: IE]

Internet Explorer 10.0.9200.16519 [Windows 8: IE]

Java SE 7 Update 17 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have particular web sites that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser – such as Chrome, IE9, Safari, etc – with Java enabled to browse only the sites that require it.]

QuickTime 7.7.3 (1680.64)

Safari 5.1.7 [Windows]

Safari 6.0.3 [Mac OS X]

Skype 6.3.0.105

Newly Announced Unpatched Vulnerabilities

None

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

McAfee Email Gateway: Secunia reports a vulnerability in McAfee’s Email Gateway in version 7.x. Other versions may also be affected. No patches are available at this time.

VMware vFabric Postgres: Secunia reports three critical vulnerabilities in VMware’s vFabric Postgres. Update to version 9.2.4 or 9.1.9.






Read More | Comments Off on Weekend Vulnerability and Patch Report, April 7, 2013

by Fred F. Farkel, Monday, April 8th, 2013


Guest column by Citadel Information Group

ISSA-LA – Securing the Village

Ira Winkler to Speak at ISSA-LA Fifth Annual Information Security Summit on Cybercrime in May: Ira Winkler, president of the Information Systems Security Association, is to be a featured speaker at the LA Chapter of the Information Systems Security Association Fifth Annual Information Security Summit on Wednesday, May 21, 2013, in Los Angeles. For more information and to register, visit ISSA-LA.

Cyber Security Management – Awareness Training

 Hacking The User Security Awareness And Training Debate: Bruce Schneier says training end users on security is a waste of time. But security awareness experts argue there’s a whole new generation and approach emerging that better schools users on security behaviors. Dark Reading, April 4, 2013

Cyber Security Management – Cyber Defense

A Different Approach To Foiling Hackers? Let Them In, Then Lie To Them: Most systems administrators describe the task of network security as something like defending a castle. Kristin Heckman talks about fighting hackers in terms that sound more like a job as a Walmart greeter. Forbes, April 5, 2013


Google Uses Reputation To Detect Malicious Downloads: Using data about Web sites, IP addresses and domains, researchers find that they can detect 99 percent of malicious executables downloaded by users, outperforming antivirus and URL-reputation services. DarkReading, April 5, 2013

Cyber Security Management – Cyber Warning

Shylock Trojan Going Global with New Features, Resilient Infrastructure: The prolific, credential-stealing Shylock banking Trojan is growing increasingly sophisticated as its creators continue adding new modules and functionalities to the man-in-the-browser malware, according to a Symantec report. ThreatPost, April 5, 2013


Skype Malware Stealing Victims’ Processing Power to Mine Bitcoins: Bitcoin may still be a virtual unknown quantity for most people, but the digital currency has not escaped the notice of attackers, many of whom are turning their attention to finding ways to use the system for their own gains. … now there is a piece of malware in circulation that is using Skype as a spreading mechanism and then using infected machines’ processing power to mine Bitcoins. ThreatPost, April 5, 2013


DHS Warns of ‘TDos’ Extortion Attacks on Public Emergency Networks: As if emergency responders weren’t already overloaded: Increasingly, extortionists are launching debilitating attacks designed to overwhelm the telephone networks of emergency communications centers and personnel, according to a confidential alert jointly issued by the Department of Homeland Security and the FBI. KrebsOnSecurity, April 1, 2013

Cyber Crime

AMI Firmware Source Code, Private Key Leaked: Source code and a private signing key for firmware manufactured by a popular PC hardware maker American Megatrends Inc. (AMI) have been found on an open FTP server hosted in Taiwan. ThreatPost, April 5, 2013

Cyber Attacks

Anonymous hackers take control of North Korean propaganda accounts: A Twitter and Flickr account associated with a North Korean news agency has been taken over by hackers claiming to be from the hacktivist collective Anonymous. Instead of pro-North Korea propaganda, the accounts are now criticizing North Korea and its leader Kim Jong-un for building nuclear weapons. The hackers controlling the Twitter account also claimed to have hacked the news agency’s website and other North Korean websites, which appear to be offline. Ars Technica, April 4, 2013

CyberUnderworld

Who Wrote the Flashback OS X Worm?: A year ago today, Apple released a software update to halt the spread of the Flashback worm, a malware strain that infected more than 650,000 Mac OS X systems using a vulnerability in Apple’s version of Java. This somewhat dismal anniversary is probably as good a time as any to publish some clues I’ve gathered over the past year that point to the real-life identity of the Flashback worm’s creator. KrebsOnSecurity, April 3, 2013

Cyber Privacy

Google Fights U.S. National Security Probe Data Demand: Google Inc operator of the world’s largest search engine, is challenging a demand by the U.S. government for private user information in a national security probe, according to a court filing. Bloomberg, April 4, 2013

Apple’s iMessage encryption trips up feds’ surveillance: Encryption used in Apple’s iMessage chat service has stymied attempts by federal drug enforcement agents to eavesdrop on suspects’ conversations, an internal government document reveals. CNET, April 4, 2013

Cyber Career

How valuable are security certifications today?: Will investing your time in earning security-industry certifications ultimately mean more money in your paycheck? Which certifications are vital in today’s job market? CSO Leadership, April 1, 2013

National Cyber Security

Chinese Hackers May Gain Advantage From U.S. Attempt to Block Chinese Hackers: Congress has for years tried to block China’s major telecommunications companies from entering the U.S. market, fearing they may help Chinese hackers snoop on American companies and government agencies. Huffington Post, April 5, 2013


NIST Outlines Next Steps in Drafting Cybersecurity Framework: The first of three in-depth workshops on the drafting of a cybersecurity framework will take place at Carnegie Mellon University in Pittsburgh, Pa., May 29-31, allowing time for the National Institute of Standards and Technology (NIST) to coalesce feedback from industry into a guiding document, the agency announced Thursday. HSToday, April 4, 2013

Securing the Village – Events Calendar

ISSA-LA April Lunch Meeting; April 17, 2013. For more information and to register, visit ISSA-LA.

Santa Monica Rotary Club; Lunch Meeting, May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk – It Takes the Village to Secure the Village SM – Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user’s computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.

ISSA-LA Fifth Annual Information Security Summit; May 21, 2013: Join over 500 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator. For more information and to register, visit ISSA-LA.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community


The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.

Cyber Security News of the Week, April 7, 2013

by Fred F. Farkel, Monday, April 1st, 2013


Guest column by Citadel Information Group

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Important Security Updates

Google Chrome: Google has released version 26.0.1410.43 of Chrome to fix at least 11 highly critical vulnerabilities that remain unpatched in previous versions. Update through Chrome settings or go to Chrome’s website.

Google Picasa: Google has released version 3.9 Build 136.19 of Picasa. Updates are available through the program.

Current Software Versions

Adobe Flash 11.6.602.180 [Windows 7: IE9, Firefox, Mozilla, Netscape, Opera]

Adobe Flash 11.6.602.180 [Windows 8: IE]

Adobe Flash 11.6.602.180 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.02

Dropbox 1.6.11 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 19.0.2 [Windows]

Google Chrome 26.0.1410.43

Internet Explorer 10.0.9200.16521 [Windows 7: IE]

Internet Explorer 10.0.9200.16519 [Windows 8: IE]

Java SE 7 Update 17 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have particular web sites that require Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser – such as Chrome, IE9, Safari, etc. – with Java enabled to browse only the sites that require it.]

QuickTime 7.7.3 (1680.64)

Safari 5.1.7 [Windows]

Safari 6.0.3 [Mac OS X]

Skype 6.2.0.106

Newly Announced Unpatched Vulnerabilities

None

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Cisco has released updates for multiple products, including its IOS products. Apply appropriate updates.

McAfee Firewall Enterprise: Secunia reports a moderately critical unpatched vulnerability in McAfee’s Firewall. No patches are available at this time. The vendor is currently working on a patch.

Novell ZENworks: Secunia reports a moderately critical vulnerability in Novell ZENworks versions 11.2 and 10.3. Check vendor advisories for patch availability.

VMware ESX / ESXi: Secunia reports a highly critical vulnerability in VMware’s ESXi versions 5.1, 5.0, 4.1, and 4.0 and ESX versions 4.1 and 4.0. Check vendor advisories for patch availability.


If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.


Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.


Weekend Vulnerability and Patch Report, March 31, 2013

by Fred F. Farkel, Monday, April 1st, 2013


Guest column by Citadel Information Group

Cyber Security Management – Citadel On Security

Three Defense Tactics for Improved Workstation Protection: Cyber criminals target users and their workstations. This makes workstation defense a vital tactic in cyber security management. Citadel Information Group, March 27, 2013

Cyber Security Management – HIPAA

HIPAA in a HITECH World: HIPAA Violations on the Rise: Leon Rodriguez, Director, Office for Civil Rights, U.S. Department of Health and Human Services, shared unexpected insights from early analysis of breach statistics and the audit pilot at the American Healthcare Lawyers Association conference, HIPAA in a HITECH World, along with key messages the new ruling imparts to Covered Entities and Business Associates. This keynote address is summarized from the AHLA’s HIPAA in the HITECH World conference in Baltimore, Maryland… Smart Data Collective, March 25, 2013

Cyber Attack

Cyberattacks Seem Meant to Destroy, Not Just Disrupt: American Express customers trying to gain access to their online accounts Thursday were met with blank screens or an ominous ancient typeface. The company confirmed that its Web site had come under attack. The New York Times, March 28, 2013

First-Known Targeted Malware Attack On Android Phones Steals Contacts And Text Messages: Malicious software is nothing new to the cyber security world. So-called malware is what unscrupulous folk use to disrupt or gather sensitive data from our desktop computers. Targeted attacks with malware have been relatively unseen on smartphones, those other computers we carry around that are teeming with personal data. Forbes, March 26, 2013

McAfee warns of malware targeting point-of-sale systems: A new piece of custom malware sold on the underground Internet market is being used to siphon payment card data from point-of-sale (POS) systems, according to security researchers from antivirus vendor McAfee. PCWorld, March 24, 2013

Cyber Attack – SpamHaus vs CyberBunker

Devices Like Cable Boxes Figured in Internet Attack: SAN FRANCISCO – In the aftermath this week of one of the most powerful attacks on the Internet, finger-pointing quickly ensued. The New York Times, March 29, 2013

Provocateur Comes Into View After Cyberattack: Sven Olaf Kamphuis calls himself the “minister of telecommunications and foreign affairs for the Republic of CyberBunker.” Others see him as the Prince of Spam. The New York Times, March 29, 2013

DDoS Spam Feud Backfires: ‘Bulletproof’ CyberBunker Busted: Distributed denial-of-service (DDoS) attack proponents beware: Your own websites may also be targeted for disruption. InformationWeek, March 28, 2013

Firm Is Accused of Sending Spam, and Fight Jams Internet: A squabble between a group fighting spam and a Dutch company that hosts Web sites said to be sending spam has escalated into one of the largest computer attacks on the Internet, causing widespread congestion and jamming crucial infrastructure around the world. The New York Times, March 26, 2013

Cyber Espionage

Top Chinese university linked to alleged military cybercrime unit: Reuters has turned up a research connection between Shanghai Jiaotong University and the People’s Liberation Army unit suspected of participation in cyberattacks on the West. CNet, March 25, 2013

Cyber Warning

Researchers find new point-of-sale malware called BlackPOS: A new piece of malware that infects point-of-sale (POS) systems has already been used to compromise thousands of payment cards belonging to customers of U.S. banks, according to researchers from Group-IB, a security and computer forensics company based in Russia. PC World, March 28, 2013

Identity Theft

IRS expands Identity Theft Program to all 50 states: The Internal Revenue Service announced Thursday a nationwide expansion of the program designed to help law enforcement obtain tax return data vital to their local efforts in investigating and prosecuting specific cases of identity theft. WBTV, March 28, 2013

Cyber Law – Online Bank Fraud

Missouri Court Rules Against $440,000 Cyberheist Victim: A Missouri court last week handed a legal defeat to a local escrow firm that sued its financial institution to recover $440,000 stolen in a 2009 cyberheist. The court ruled that the company assumed greater responsibility for the incident because it declined to use a basic security precaution recommended by the bank: requiring two employees to sign off on all transfers. KrebsOnSecurity, March 26, 2013

Cyber Law

Draft House Judiciary cybersecurity bill would stiffen anti-hacking law: A draft cybersecurity bill circulating among House Judiciary Committee members would stiffen a computer hacking law used to bring charges against Internet activist Aaron Swartz. The Hill, March 25, 2013

Securing the Village – Events Calendar

ISSA-LA April Lunch Meeting; April 17, 2013. For more information and to register, visit ISSA-LA.

Santa Monica Rotary Club; Lunch Meeting, May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk – It Takes the Village to Secure the Village SM – Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user’s computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.

ISSA-LA Fifth Annual Information Security Summit; May 21, 2013: Join over 500 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator. For more information and to register, visit ISSA-LA.


Cyber Security News of the Week, March 31, 2013