Landmark Leadership Conferences for IT Executives

The IT Blog
by Fred F. Farkel, Monday, April 28th, 2014

 

Guest column by Citadel Information Group

Weekend Vulnerability and Patch Report

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Adobe Shockwave Player: Adobe has released version 12.1.1.151 to fix a highly critical vulnerability reported in previous versions of Shockwave Player running on Windows and Macintosh. Updates are available through the program or from Adobe’s Shockwave Web Site.

Apple AirPort Extreme: Apple has released updates to fix two vulnerabilities in previous firmware versions running on Apple AirPort Extreme and AirPort Time Capsule base stations with 802.11ac. Update the firmware to version 7.7.3. Additional information is available through Apple’s website.

Apple iOS: Apple has released version 7.1.1 of iOS for iPhone 4 and later, iPad and iPod touch to fix at least 17 vulnerabilities, some of which are highly critical. The update is available through the devices or through Apple’s website.

Apple OS X: Apple has released updates to OS X to fix at least 9 highly critical vulnerabilities. Apply the updates, including Security Update 2014-002, which are available through Apple’s website.

Apple TV: Apple has released version 6.1.1 for Apple TV to fix at least 17 highly critical vulnerabilities. Updates are available through the device or Apple’s website.

AVG Antivirus Free Edition: AVG has released version 2014.0.4570 (32-bit) of its Free Edition Antivirus. Updates are available through the program or from AVG’s website.

D-Link DNS-327L: D-Link has released a partial fix for two vulnerabilities in the bundled, vulnerable version of OpenSSL shipped in DNS-327L firmware version 1.10. Apply the fix when it becomes available from D-Link’s website.

Google Chrome: Google has released version 34.0.1847.131 of Chrome for Windows and Mac. Updates are available through the program.

Piriform CCleaner: Piriform has released version 4.13.4693 for CCleaner. Download is available from Piriform’s website.

Current Software Versions

Adobe Flash 13.0.0.182 [Windows 7: IE]

Adobe Flash 13.0.0.182 [Windows 7: Firefox, Mozilla]

Adobe Flash 13.0.0.182 [Windows 8: IE]

Adobe Flash 13.0.0.182 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.06

Dropbox 2.6.30 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 28.0

Google Chrome 34.0.1847.131

Internet Explorer 11.0.9600.17031 [Windows 7: IE]

Internet Explorer 11.0.9600.16384 [Windows 8: IE]

Java SE 8 Update 5 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

QuickTime 7.7.5

Safari 5.1.7

Safari 7.0.2 [Mac OS X]

Skype 6.14.0.104
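The version list above is only useful if it is actually compared against what is installed. The following POSIX shell script is an added example, not part of Citadel’s report: it carries the baseline values listed above for the products whose versions are plain dotted numbers, compares them component by component (so that 34.0.1847.116 sorts before 34.0.1847.131 and 7.7.5 before 7.7.10, which a plain string compare would get wrong), and flags anything older. It assumes an inventory in the hypothetical form "Name|installed-version", one entry per line; the sample inventory at the bottom is constructed data.

```shell
#!/bin/sh
# Added example, not from the original report: audit a workstation's installed
# software against the "Current Software Versions" baseline above.
# Baseline values are the ones this report lists; the inventory at the bottom
# is constructed sample data in "Name|installed-version" form (one per line).

# Baseline entries whose versions are plain dotted numbers. Java ("8 Update 5")
# and the per-OS Internet Explorer and Safari builds need their own handling
# and are left out here.
BASELINE='Adobe Flash|13.0.0.182
Adobe Reader|11.0.06
Dropbox|2.6.30
Firefox|28.0
Google Chrome|34.0.1847.131
QuickTime|7.7.5
Skype|6.14.0.104'

# Strip leading zeros so "06" compares as 6 (and is never read as octal by
# $((...)) in some shells); an empty component counts as 0.
num() {
  n="${1:-0}"
  while [ "${#n}" -gt 1 ] && [ "${n#0}" != "$n" ]; do n="${n#0}"; done
  printf '%s' "$n"
}

# version_lt A B: exit 0 when dotted version A is older than B.
# Compares component by component as integers; missing trailing components
# are treated as 0, so 11.0 == 11.0.0.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=$(num "${a%%.*}"); y=$(num "${b%%.*}")
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
  done
  return 1   # equal
}

# Reads "Name|installed-version" lines on stdin, prints one verdict per line
# and returns the number of OUTDATED entries (so a non-zero exit means patch).
audit_inventory() {
  outdated=0
  while IFS='|' read -r name installed; do
    [ -n "$name" ] || continue
    want=$(printf '%s\n' "$BASELINE" | awk -F'|' -v n="$name" '$1 == n { print $2 }')
    if [ -z "$want" ]; then
      printf 'UNKNOWN   %s %s (not in baseline)\n' "$name" "$installed"
    elif version_lt "$installed" "$want"; then
      printf 'OUTDATED  %s %s < %s\n' "$name" "$installed" "$want"
      outdated=$((outdated + 1))
    else
      printf 'OK        %s %s\n' "$name" "$installed"
    fi
  done
  return "$outdated"
}

# Constructed sample inventory (not real data) so the script runs stand-alone.
SAMPLE_INVENTORY='Google Chrome|34.0.1847.116
Adobe Reader|11.0.6
Dropbox|2.6.30
Firefox|27.0.1
Skype|6.14.0.104'

printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory || echo "$? item(s) need patching"
```

Feed it the real inventory from whatever tool you use (a `wmic product get` export, a package manager listing, an endpoint-management report) after massaging the names into the baseline’s spelling; entries the baseline does not know are reported as UNKNOWN rather than silently passed.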

Newly Announced Unpatched Vulnerabilities

Microsoft Internet Explorer: Secunia reports an extremely critical unpatched vulnerability in all versions of Microsoft’s Internet Explorer. No official solution is currently available.

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

McAfee VirusScan Enterprise: Secunia reports that McAfee has released an update for VirusScan Enterprise for Linux versions 1.7.1 through 1.8 and 2.0 to fix two vulnerabilities caused by a bundled vulnerable version of OpenSSL. Update to version 1.7.1 Hotfix 961964 or later, 1.9 Hotfix 960962 or later, or 2.0 Hotfix 960961 or later.

Oracle Multiple Products: Secunia reports that Oracle has released updates for its Big Data Appliance, Communications Application Session Controller, Virtual Compute Appliance, Communications Interactive Session Recorder, Communications Network Charging and Control to fix two moderately critical vulnerabilities. Apply patch.

SonicWALL Multiple Products: Secunia reports that SonicWALL has released updates for its SSL-VPN Class EX Series, SSL-VPN SRA Series and Global Management System to fix two moderately critical vulnerabilities. Apply updates.

Symantec Messaging Gateway: Secunia reports that Symantec has released an update for its Messaging Gateway to fix a vulnerability in previous versions. Update to version 10.5.2.

Symantec Multiple Products: Secunia reports that Symantec has released a partial fix for its NetBackup Appliance, Cluster Server (VCS), Endpoint Protection, Endpoint Protection Manager and NetBackup to address two vulnerabilities caused by a bundled vulnerable version of OpenSSL. No complete official solution is currently available; further fixes are planned.


If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.

 

Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community


Copyright © 2014 Citadel Information Group. All rights reserved.

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you. The post Weekend Vulnerability and Patch Report, April 27, 2014 appeared first on Citadel Information Group.


by Fred F. Farkel, Monday, April 28th, 2014

 

Guest column by Citadel Information Group

Cyber Crime

States: Spike in Tax Fraud Against Doctors: An unusual number of physicians in several U.S. states are just finding out that they’ve been victimized by tax return fraud this year, KrebsOnSecurity has learned. An apparent spike in tax fraud cases against medical professionals is fueling speculation that the crimes may have been prompted by a data breach at some type of national organization that certifies or provides credentials for physicians. KrebsOnSecurity, April 22, 2014

Identity Theft

Child Identity Theft: It’s Real and It’s Scary: Identity theft has doubled in the past year for children 5 and younger. It’s difficult for many people to fathom how children could become victims when they are too young to even apply for a credit card, but criminals find ways to get around this fact. Information on an application is often taken at face value, and some reviewers fail to ask for sufficient proof of identity or age. WallStreetCheat, April 26, 2014

Cyber Warning

VULNERABILITY IN VIBER ALLOWS INTERCEPT OF IMAGES, VIDEOS: A vulnerability exists in Viber, a messaging and VoIP application similar to WhatsApp, that could allow an attacker to view sensitive information shared between users like images, videos and location information. ThreatPost, April 25, 2014

Bitcoin-mining malware reportedly found on Google Play: Fake wallpaper apps turned phones into bots for the power- and computationally intensive process of producing crypto-currency, a mobile security firm warns. Cnet, April 24, 2014

Phishers Divert Home Loan Earnest Money: It looks like it’s time to update my Value of a Hacked Email Account graphic: Real estate and title agencies are being warned about a new fraud scheme in which email bandits target consumers who are in the process of purchasing a home. KrebsOnSecurity, April 23, 2014

AOL EMAIL HACKED BY SPOOFERS TO SEND SPAM: In Internet years, AOL and its webmail counterpart AOL Mail are beyond ancient at this point. A relic of electronic mail history, the majority of users have long since jumped ship for Gmail or Yahoo. ThreatPost, April 22, 2014

Warning: Malware Campaign targeting Jailbroken Apple iOS Devices: A new piece of malicious malware infection targeting jailbroken Apple iOS devices in an attempt to steal users credentials, has been discovered by Reddit users. The Hacker News, April 18, 2014

Cyber Threat

EXPLOITING FACEBOOK NOTES TO LAUNCH DDOS: The way Facebook Notes handles HTML image tags could give an attacker the ability to launch distributed denial of service attacks against external sources, using the power of the massive network to amplify the attack. ThreatPost, April 25, 2014

Financial Cyber Security

SEC seeks data on cyber security policies at Wall Street firms: Cyber defenses at more than 50 broker-dealers and investment advisers will be assessed by federal examiners. ComputerWorld, April 21, 2014

FDIC Urges Financial Institutions to Utilize Available Cyber Resources: The Federal Deposit Insurance Corporation issued the following news release: The Federal Deposit Insurance Corporation today urges financial institutions to actively utilize available resources to identify and help mitigate potential cyber-related risks. As discussed in yesterday’s meeting of the FDIC Advisory Committee on Community Banking,… InsuranceNewsNet, April 11, 2014

Cyber Security Management

Employees Slacking on Security of Their Mobile Devices: Many employees still don’t take BYOD security seriously, a new survey shows: Nearly 45% have accessed sensitive corporate data on their personal devices via unsecured networks, such as those at airports or coffee shops. DarkReading, April 24, 2014

Cyber Security Management – Cyber Update

APPLE FIXES SERIOUS SSL ISSUE IN OSX AND IOS: Apple has fixed a serious security flaw that’s present in many versions of both iOS and OSX and could allow an attacker to intercept data on SSL connections. The bug is one of many that the company fixed Tuesday in its two main operating systems, and several of the other vulnerabilities have serious consequences as well, including the ability to bypass memory protections and run arbitrary code. ThreatPost, April 22, 2014

Cyber Security Management – HIPAA

FBI Warning Highlights Healthcare’s Security Infancy: Cyberattacks likely to increase against healthcare providers, FBI warns, and experts say it’s no surprise since industry’s security posture is about a decade behind that of the financial services sector. DarkReading, April 25, 2014

Securing the Village

Why Obama needs to take on cybersecurity like Kennedy took on the moon: In 1961, President Kennedy declared that it was America’s intention to send a man to the moon, and within eight years, we had done it. His aim wasn’t simply to gain bragging rights – instead, he and many others believed that our national security was at stake. VentureBeat, April 25, 2014

After Heartbleed, Tech Giants Fund Open Source Security: In the wake of the Heartbleed vulnerability, 12 tech giants — including Facebook, Google, IBM, and Microsoft — each pledge $100,000 annually to improve core open source technology such as OpenSSL. DarkReading, April 25, 2014

Today on CLBR: The State of Cyber Security with Stan Stahl: Stan Stahl, President of Citadel Information Systems, returns to discuss the latest Cyber Security issues and the upcoming ISSA-LA Information Security Summit VI which is the premier information security event in Los Angeles. CyberLawRadio, April 22, 2014

Cyber Misc

Friends, and Influence, for Sale Online: Whoever said, “Money can’t buy you friends,” clearly hasn’t been on the Internet recently. The New York Times, April 20, 2014

Cyber Calendar

ISSA-LA Sixth Annual Information Security Summit, May 16, Universal City Hilton. Speakers include Richard Clarke, former Assistant to the President; Jackie Lacey, Los Angeles County District Attorney; Jeremiah Grossman, Founder & iCEO, WhiteHat Security; Marcus Ranum, CSO, Tenable; Marc Maiffret, CTO, Beyond Trust; Jim Manico, Secure Coding Instructor and Author, Global OWASP Board of Directors; Ira Winkler, ISSA International President; Andrea Hoy, ISSA International Vice-President. For more information and to register, visit ISSA-LA.


The post Cyber Security News of the Week, April 27, 2014 appeared first on Citadel Information Group.

by Fred F. Farkel, Monday, April 21st, 2014

 

Guest column by Citadel Information Group

Weekend Vulnerability and Patch Report

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Adobe Reader for Android: Adobe has released an update for Reader for Android to fix a highly critical vulnerability reported in prior versions. Update to version 11.2. Updates are available through the device.

Dropbox: Dropbox has released version 2.6.30 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]

Google Chrome: Google has released version 34.0.1847.120 of Chrome for Windows and Mac. Updates are available through the program.

Oracle Java: Oracle has released Java SE 8 Update 5 to fix at least 37 vulnerabilities, some of which are highly critical. The update is available through Windows Control Panel or Java’s website. [See Citadel’s recommendation below]

Current Software Versions

Adobe Flash 13.0.0.182 [Windows 7: IE]

Adobe Flash 13.0.0.182 [Windows 7: Firefox, Mozilla]

Adobe Flash 13.0.0.182 [Windows 8: IE]

Adobe Flash 13.0.0.182 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.06

Dropbox 2.6.30 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 28.0

Google Chrome 34.0.1847.120

Internet Explorer 11.0.9600.17031 [Windows 7: IE]

Internet Explorer 11.0.9600.16384 [Windows 8: IE]

Java SE 8 Update 5 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

QuickTime 7.7.5

Safari 5.1.7

Safari 7.0.2 [Mac OS X]

Skype 6.14.0.104

Newly Announced Unpatched Vulnerabilities

None

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Network Registrar: Secunia reports that Cisco has released updates for its Network Registrar. Upgrade to version 8.1(3.1) or 8.2(0.2).

Google Search Appliance: Secunia reports that Google has released updates for its Search Appliance to fix two vulnerabilities due to a bundled vulnerable version of OpenSSL. Apply the patch. Please consult the Google Enterprise Support Portal for further details.

Heartbleed: Most of the attention surrounding the Heartbleed vulnerability has focused on web servers that use OpenSSL. However, many other types of services use OpenSSL to encrypt sensitive communication, including mail, instant messaging, VPNs and voice-over-IP (VoIP). Any service that links a vulnerable OpenSSL and speaks TLS (including STARTTLS on mail ports) is exposed in the same way a web server is. See, e.g., this analysis from The University of Michigan. The analysis includes a list of popular mail servers that are vulnerable.

McAfee Email Gateway: Secunia reports that McAfee has released updates for its Email Gateway to fix multiple moderately critical vulnerabilities. Apply 7.5h960401 hotfix 2846.114 or MEG 7.6h960405 hotfix 2810.114.

Oracle Multiple Products: Secunia reports that Oracle has acknowledged a weakness, several security issues and unpatched vulnerabilities, and has released updates for its Network Registrar, MySQL Connector/C, Connector/ODBC, Enterprise Backup, Workbench, Secure Global Desktop, Agile Product Lifecycle Management for Process, Agile PLM Framework, WebCenter Portal, Data Integrator, Hyperion Common Admin, Solaris FreeType, GnuTLS, XScreenSaver, Solaris, VM VirtualBox, Containers for J2EE, Endeca Server, Event Processing, Access Manager, WebLogic Server, JavaFX and others. Apply updates where available.

VMware Multiple Products: Secunia reports that VMware has released updates for its ESXi, NSX, vCloud Automation Center (vCAC), Fusion, Horizon Mirage, Horizon View, Horizon Workspace, OVF Tool, Player, vCenter Server and others to fix moderately critical vulnerabilities. Apply the update or patch if available. Patches are pending for some products.




The post Weekend Vulnerability and Patch Report, April 20, 2014 appeared first on Citadel Information Group.

by Fred F. Farkel, Monday, April 21st, 2014

 

Guest column by Citadel Information Group

Cyber Crime

Heartbleed Internet Security Flaw Used in Attack: Within 24 hours of the Heartbleed bug’s disclosure last week, an attacker used it to break into a major corporation, security experts said Friday. The New York Times, April 18, 2014

Hardware Giant LaCie Acknowledges Year-Long Credit Card Breach: Computer hard drive maker LaCie has acknowledged that a hacker break-in at its online store exposed credit card numbers and contact information on customers for the better part of the past year. The disclosure comes almost a month after the breach was first disclosed by KrebsOnSecurity. KrebsOnSecurity, April 15, 2014

Cyber Privacy

Google Revises Terms of Its Scans of Gmail: Google updated its terms of service on Monday, informing users that their incoming and outgoing emails are automatically analyzed by software to create targeted ads. The New York Times, April 14, 2014

Identity Theft

1 in 5 Web users report personal info theft, study says: Nearly 1 in 5 Internet users say they’ve had their personal information stolen as a result of online activities, according to a Pew Research Center study. Detroit Free Press, April 15, 2014

Cyber Warning

Heartbleed Hackers Steal Encryption Keys in Threat Test: The crown jewel of secure websites is a single string of data – a very long jumble of letters and numbers and symbols that looks like gibberish. The Heartbleed bug allows hackers to crack it. Bloomberg, April 15, 2014

Fingerprint lock in Samsung Galaxy 5 easily defeated by whitehat hackers: The heavily marketed fingerprint sensor in Samsung’s new Galaxy 5 smartphone has been defeated by whitehat hackers who were able to gain unfettered access to a PayPal account linked to the handset. ars technica, April 15, 2014

Cyber Security Management

SEC to Launch Cybersecurity Exams of Investment Firms, Offers Sample Document Requests: On April 15, 2014, the SEC’s Office of Compliance Inspections and Examinations quietly disclosed its examination module pertaining to cybersecurity. The disclosure came in the form of a Risk Alert providing “additional information concerning [OCIE’s] initiative to assess cybersecurity preparedness in the securities industry.” Compliance Week, April 18, 2014

The Board’s Role in Cybersecurity: The costs of cyber attack can be significant. To protect finances, liability, reputation, and future growth, corporate boards must ensure that their companies have appropriate processes in place to manage cyber risk in the context of their business. Richard Clarke and Jacob Olcott, The Conference Board. Good Harbor, March 2014

Cyber Security Management – Cyber Defense

Three Rules for Password Sanity: Let’s start with the obvious. We all hate passwords. Users hate passwords because they are hard to remember and they slow you down, getting in the way of the computing experience. IT staff hate passwords because they’re just one more critical thing that needs to be managed, taking valuable time away from keeping computer systems running and users happy. [We originally published this in April 2013. We are reprinting it to guide users as they change passwords in light of Heartbleed.] Citadel Information Group, April 11, 2013

Cyber Security Management – Cyber Update

Critical Java Update Plugs 37 Security Holes: Oracle has pushed a critical patch update for its Java SE platform that fixes at least 37 security vulnerabilities in the widely-installed program. Several of these flaws are so severe that they are likely to be exploited by malware or attackers in the days or weeks ahead. So — if you have Java installed — it is time to update (or to ditch the program once and for all). KrebsOnSecurity, April 16, 2014

Securing the Village

Public-private shield needed against hackers, Tom Ridge says: April 16–The threat cyberwarfare poses to the American economy demands a far more coordinated response from government and the private sector, former Homeland Security Secretary Tom Ridge said Tuesday. SecurityInfoWatch, April 16, 2014

National Cyber Security

Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say: WASHINGTON — Stepping into a heated debate within the nation’s intelligence agencies, President Obama has decided that when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks, senior administration officials said Saturday. The New York Times, April 12, 2014

US government denies being aware of Heartbleed internet bug: The White House and US intelligence agencies said on Friday that neither the National Security Agency nor any other part of the government were aware before this month of the “Heartbleed” bug, denying a report that the spy agency exploited the glitch in widely used web encryption technology to gather intelligence. The Guardian, April 12, 2014

Cyber Misc

OpenSSL and Linux: A Tale of Two Open-Source Projects: The Heartbleed bug has cast a bright and not entirely flattering light on the open-source movement’s incentive model. The New York Times, April 18, 2014

Heartbleed Highlights a Contradiction in the Web: SAN FRANCISCO — The Heartbleed bug that made news last week drew attention to one of the least understood elements of the Internet: Much of the invisible backbone of websites from Google to Amazon to the Federal Bureau of Investigation was built by volunteer programmers in what is known as the open-source community. The New York Times, April 18, 2014

GAO Scolds SEC for Ongoing Cyber-Security Deficiencies: The message is increasingly common: “Information security is a critical consideration.” But this time the cyber-security warning wasn’t handed down by a regulator – it was the Securities and Exchange Commission being scolded for its own security gaps and lapses. Compliance Week, April 17, 2014

Cyber Sunshine

U.S. Agent Lures Romanian Hackers in Subway Data Heist: U.S. Secret Service Agent Matt O’Neill was growing nervous. For three months, he’d been surreptitiously monitoring hackers’ communications and watching as they siphoned thousands of credit card numbers from scores of U.S. retailers. Bloomberg, April 17, 2014

Cyber Calendar

ISSA-LA Sixth Annual Information Security Summit, May 16, Universal City Hilton. Speakers include Richard Clarke, former Assistant to the President; Jackie Lacey, Los Angeles County District Attorney; Jeremiah Grossman, Founder & iCEO, WhiteHat Security; Marcus Ranum, CSO, Tenable; Marc Maiffret, CTO, Beyond Trust; Jim Manico, Secure Coding Instructor and Author, Global OWASP Board of Directors; Ira Winkler, ISSA International President; Andrea Hoy, ISSA International Vice-President. For more information and to register, visit ISSA-LA.


The post Cyber Security News of the Week, April 20, 2014 appeared first on Citadel Information Group.

by Fred F. Farkel, Monday, April 14th, 2014

 

Guest column by Citadel Information Group

Weekend Vulnerability and Patch Report

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Heartbleed – Special Alert

Consumers

Websites you visit: You can check whether a website is vulnerable to Heartbleed at either of the following two sites:

http://filippo.io/Heartbleed/

https://www.ssllabs.com/ssltest/

The Mashable post provides Heartbleed information on an extensive list of sites, including social networks, companies with a large online presence, email providers, financial institutions and others.

If a site you regularly visit has been affected by Heartbleed, you should plan to change your password to the site after the site has been patched.

If a site you visit is not affected by Heartbleed, you need not do anything.

Android Users: Check your version of the Android operating system. Version 4.1.1 has the Heartbleed flaw and needs to be updated. Contact the manufacturer or your carrier for more information.

Home Routers: Your home router may contain the Heartbleed flaw. Check with your Internet service provider or the manufacturer.

Business: Check your websites, any Outlook Web Access (OWA) or other web-based access users may have, VPNs, firewalls, routers and switches for the Heartbleed vulnerability and patch as needed. After patching, obtain a new certificate issued on a newly generated private key (reissuing a certificate on the old key does not help, since the key itself may have been read from memory), revoke the old certificate, and have users change passwords and reset any session tokens that were in use while the service was vulnerable.
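The business checklist above, and the note in the April 20 report that mail, instant-messaging, VPN and VoIP services link OpenSSL too, both ask you to find which endpoints are exposed. The following POSIX shell helper is an added example and not part of Citadel’s report. It assumes the `openssl` command-line tool is installed; it performs two cheap, non-intrusive checks (does the local OpenSSL belong to a release line that shipped the bug, and does a TLS endpoint advertise the heartbeat extension at all) and does not send a malformed heartbeat. The host names in the usage comment are placeholders, and the strings in the test comments are constructed.

```shell
#!/bin/sh
# Added example, not from the original report: triage helpers for the
# Heartbleed (CVE-2014-0160) checklist. Assumes the `openssl` CLI is installed.
#
# Two cheap checks before anything invasive:
#   1. Which OpenSSL release line a host runs (local inventory).
#   2. Whether a TLS endpoint advertises the heartbeat extension at all;
#      if it does not, the vulnerable code path cannot be reached.
# Neither check sends a malformed heartbeat; confirm suspects against the
# vendor advisory or a dedicated scanner.

# True (exit 0) when an `openssl version` string names a release that shipped
# the bug: 1.0.1 through 1.0.1f, plus 1.0.2-beta1. 1.0.1g fixed it; the
# 1.0.0 and 0.9.8 branches never contained the heartbeat code.
# Caveat: distributions backport fixes without bumping the version, so a
# "1.0.1e" on Debian/Ubuntu/RHEL may already be patched. Check the package
# changelog (e.g. `rpm -q --changelog openssl`, or the Debian changelog under
# /usr/share/doc/openssl) before declaring a host vulnerable on the version
# string alone.
openssl_version_suspect() {
  case "$1" in
    "OpenSSL 1.0.1 "*|"OpenSSL 1.0.1"[abcdef]*|"OpenSSL 1.0.2-beta1"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads `openssl s_client -tlsextdebug` output on stdin. s_client prints one
# line per extension the server sent in its ServerHello; the heartbeat one
# looks like:  TLS server extension "heartbeat" (id=15), len=1
# Absent => not exploitable via Heartbleed. Present => inconclusive (a
# patched 1.0.1g still advertises heartbeat), so go on to the version check.
server_advertises_heartbeat() {
  grep -q 'TLS server extension "heartbeat"'
}

# Probe one endpoint. $1 host, $2 port, $3 optional STARTTLS protocol
# (smtp, imap, pop3, ftp, xmpp) for the mail and IM services the report mentions.
probe_endpoint() {
  host="$1"; port="$2"; starttls="${3:-}"
  label="$host:$port"
  set -- -connect "$host:$port" -tlsextdebug
  if [ -n "$starttls" ]; then
    set -- "$@" -starttls "$starttls"
    label="$label ($starttls)"
  fi
  # "Q" on stdin makes s_client close the session right after the handshake.
  if printf 'Q\n' | openssl s_client "$@" 2>&1 | server_advertises_heartbeat; then
    echo "HEARTBEAT ENABLED  $label - check library version / vendor advisory"
  else
    echo "no heartbeat ext   $label - not reachable by Heartbleed"
  fi
}

# Usage: sh heartbleed_triage.sh host port [starttls-proto]
#   e.g. sh heartbleed_triage.sh mail.example.com 25 smtp   (placeholder host)
if [ "$#" -ge 2 ]; then
  if openssl_version_suspect "$(openssl version)"; then
    echo "local OpenSSL release line is suspect: $(openssl version)"
  fi
  probe_endpoint "$@"
fi
```

Run it against each service on the checklist (443 for web and OWA, the VPN gateway’s TLS port, 25/587 with `smtp`, 143 with `imap`, and so on). Appliances, routers and phones rarely expose `openssl version`, so for those the heartbeat-extension check plus the vendor advisory is usually all you have.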

For more information on Heartbleed and what to do about it, see our special Heartbleed Section in our Cyber Security News of the Week.

Important Security Updates

Adobe Flash Player: Adobe has released version 13.0.0.182 for its Flash Player to fix at least 4 highly critical vulnerabilities. Updates are available through the program or from Adobe’s Flash Web Site.

AVG Antivirus Free Edition: AVG has released version 2014.0.4355 (32-bit) of its Free Edition Antivirus. Updates are available through the program or from AVG’s website.

Dropbox: Dropbox has released version 2.6.27 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]

Google Android OpenSSL: Google has released an update to fix two moderately critical vulnerabilities reported in previous versions of Android due to a bundled version of OpenSSL. Google’s Online Security Blog reports that all versions of Android are immune to CVE-2014-0160 (Heartbleed), with the limited exception of Android 4.1.1; patching information for Android 4.1.1 is being distributed to Android partners. Apply the patch when available and contact your device manufacturer or carrier for more information.

Google Chrome: Google has released version 34.0.1847.116 of Chrome for Windows and Mac to fix 14 highly critical vulnerabilities. Updates are available through the program.

Google Chrome for Android: Google has released version 34.0.1847.114 of Chrome for Android to fix moderately critical vulnerabilities reported in previous versions. Updates are available through the program or device.

KeePass: KeePass has released version 1.27 of its open source password manager. Updates are available from the KeePass website.

Microsoft Patch Tuesday: Microsoft released 4 updates addressing at least 11 security vulnerabilities, some of which are highly critical, in almost all versions of Windows, Internet Explorer, Office, Publisher and the Adobe Flash Player component bundled with Internet Explorer, including its final batch of fixes for Office 2003 and for systems running Windows XP. Updates are available via Windows Update or Automatic Update.

Current Software Versions

Adobe Flash 13.0.0.182 [Windows 7: IE]

Adobe Flash 13.0.0.182 [Windows 7: Firefox, Mozilla]

Adobe Flash 13.0.0.182 [Windows 8: IE]

Adobe Flash 13.0.0.182 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.06

Dropbox 2.6.27 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 28.0

Google Chrome 34.0.1847.116

Internet Explorer 11.0.9600.16518 [Windows 7: IE]

Internet Explorer 11.0.9600.16384 [Windows 8: IE]

Java SE 8 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

QuickTime 7.7.5

Safari 5.1.7

Safari 7.0.2 [Mac OS X]

Skype 6.14.0.104

Newly Announced Unpatched Vulnerabilities

None

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

BlackBerry Multiple Products: Secunia reports that BlackBerry has two vulnerabilities due to a bundled version of OpenSSL. The vulnerabilities are reported in Link for Windows and MacOS, BBM for iOS and Android, and Secure Work Space for BES10 for iOS and Android. No official solution is currently available. For more information, see BlackBerry’s Knowledge Base.

Cisco Multiple Products: Secunia reports that Cisco has released updates for its Adaptive Security Appliance (ASA), ONS 15454 Series,  IOS XR and others. Apply updates.

Cisco Multiple Products OpenSSL: Secunia reports that Cisco has two moderately critical unpatched vulnerabilities in many products due to a bundled vulnerable version of OpenSSL, including Desktop Collaboration Experience DX650, IP Phone 7900 Series, MS200X Series Ethernet Access Switch, TelePresence Conductor, UCS B-Series Blade Servers, UCS C-Series Rack Servers, Unified IP Phones 7900, 8900, and 9900 Series, Universal Small Cell 5000 and 7000 Series, AnyConnect for iOS 3.x, TelePresence Video Communication Server (VCS), Unified Communications Manager 10.x, and WebEx Meetings Server 2.x. No official solution is currently available.

Citrix VDI: Secunia reports that Citrix has released updates for its VDI-in-a-box to fix a security issue reported in previous versions. Update to version 5.3.6 or 5.4.2.

McAfee Asset Manager: Secunia reports that McAfee has released updates for its Asset Manager to fix vulnerabilities reported in previous versions. Update to version 6.6.141.

McAfee Multiple Products OpenSSL: Secunia reports that McAfee has moderately critical vulnerabilities in many products due to a bundled version of OpenSSL, including Security Information and Event Management (SIEM) versions 9.1.x, 9.2.x, and 9.3.x, Next Generation Firewall (NGFW) versions prior to 5.5.7, Firewall Enterprise version 8.3.2 prior to ePatch 14, and Web Gateway versions 7.3.x and 7.4.x. Apply fixes.

VMware vSphere Client: Secunia reports that VMware has released updates for its vSphere Client to fix vulnerabilities. Apply updates.


If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.


Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community


Copyright © 2014 Citadel Information Group. All rights reserved.

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you. The post Weekend Vulnerability and Patch Report, April 6, 2014 appeared first on Citadel Information Group.

Read More | Comments Off on Weekend Vulnerability and Patch Report, April 13, 2014

by Fred F. Farkel, Monday, April 14th, 2014


Guest column by Citadel Information Group

Identity Theft

GAO: IRS has information security control weaknesses: The Internal Revenue Service continues to have weaknesses in information security control that the Government Accountability Office fears could affect the confidentiality, integrity and availability of financial and sensitive taxpayer data. FCW, April 9, 2014

Cyber Threat

Advanced Attacks Are The New Norm, Study Says: According to the Websense 2014 Threat Report, most malicious exploits now are advanced and targeted. DarkReading, April 4, 2014

Cyber Update

Adobe, Microsoft Push Critical Fixes: Adobe and Microsoft each issued updates to fix critical security vulnerabilities in their software today. Adobe patched its Flash Player software and Adobe AIR. Microsoft issued four updates to address at least 11 unique security flaws, including its final batch of fixes for Office 2003 and for systems powered by Windows XP. KrebsOnSecurity, April 8, 2014

Cyber Warning

Microsoft drops Windows XP support: Microsoft ended support of Windows XP on Tuesday, leaving the many still clinging to the outdated software exposed to cyberattacks. CNN, April 8, 2014

Hackers Lurking in Vents and Soda Machines: Unable to breach the computer network at a big oil company, hackers infected with malware the online menu of a Chinese restaurant that was popular with employees. The New York Times, April 7, 2014

Cyber Defense — Heartbleed

Millions of Android Devices Vulnerable to Heartbleed Bug: Millions of smartphones and tablets running Google Inc. (GOOG:US)’s Android operating system have the Heartbleed software bug, in a sign of how broadly the flaw extends beyond the Internet and into consumer devices. BusinessWeek, April 11, 2014

FFIEC Issues Heartbleed Warning; Major Banks Say They’re Protected: As regulators told financial institutions Thursday to figure out fixes to a website software coding error that could put some online and mobile banking applications at risk, banks assured customers that their online sites are fine. A few lingering vulnerabilities may remain, however, in banks’ networks that will take time to find and patch. American Banker, April 11, 2014

Apple’s iOS, OS X don’t have Heartbleed bug but BBM for iOS and Android do: Apple iOS and OS X devices aren’t affected by the Heartbleed bug, but BlackBerry’s BBM and Secure Work Spaces are — and the company says it lacks a fix for the issue. ZDNet, April 11, 2014

Heartbleed Bug hits at heart of many Cisco, Juniper products: Network World – The Heartbleed Bug, a flaw in OpenSSL that would let attackers eavesdrop on Web, e-mail and some VPN communications, is a vulnerability that can be found not just in servers using it but also in network gear from Cisco and Juniper Networks. Both vendors say there’s still a lot they are investigating about how Heartbleed impacts their products, and to expect updated advisories on a rolling basis. NetworkWorld, April 10, 2014

Heartbleed bug: What you need to know: This week it has emerged that a major security flaw at the heart of the internet may have been exposing users’ personal information and passwords to hackers for the past two years. BBC, April 10, 2014

Heartbleed Bug: What Can You Do?: In the wake of widespread media coverage of the Internet security debacle known as the Heartbleed bug, many readers are understandably anxious to know what they can do to protect themselves. Here’s a short primer. KrebsOnSecurity, April 10, 2014

The Heartbleed Hit List: The Passwords You Need to Change Right Now: An encryption flaw called the Heartbleed bug is already being called one of the biggest security threats the Internet has ever seen. The bug has affected many popular websites and services — ones you might use every day, like Gmail and Facebook — and could have quietly exposed your sensitive account information (such as passwords and credit card numbers) over the past two years. Mashable, April 9, 2014

Half a million widely trusted websites vulnerable to Heartbleed bug: A serious overrun vulnerability in the OpenSSL cryptographic library affects around 17% of SSL web servers which use certificates issued by trusted certificate authorities. Already commonly known as the Heartbleed bug, a missing bounds check in the handling of the TLS heartbeat extension can allow remote attackers to view up to 64 kilobytes of memory on an affected server. This could allow attackers to retrieve private keys and ultimately decrypt the server’s encrypted traffic or even impersonate the server. NetCraft, April 8, 2014
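The missing bounds check described in the NetCraft item above, as an added example (not code from this page or from the OpenSSL project): a heartbeat request handler that validates the sender-chosen payload_length against the record actually received before echoing anything. The message layout follows RFC 6520; the hb_ names and the two sample records are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message layout:
 *   uint8  type             1 = heartbeat_request, 2 = heartbeat_response
 *   uint16 payload_length   big-endian, chosen by the sender
 *   opaque payload[payload_length]
 *   opaque padding[>= 16]
 * Only payload_length is sender-controlled; rec_len is what the TLS layer
 * really received, and every copy must be bounded by it. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

typedef enum {
    HB_OK = 0,
    HB_ERR_TOO_SHORT,         /* record shorter than the 3-byte header */
    HB_ERR_BAD_TYPE,          /* not a heartbeat_request */
    HB_ERR_LENGTH_MISMATCH,   /* claimed payload does not fit in the record */
    HB_ERR_RESPONSE_TOO_BIG   /* caller's output buffer is too small */
} hb_status;

/* Build the heartbeat_response for one received record. Only bytes that were
 * actually received are copied; the check on payload_len is the one whose
 * absence allowed up to 64 KB of adjacent memory to be echoed back. */
hb_status hb_build_response(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap, size_t *out_len)
{
    *out_len = 0;
    if (rec_len < HB_HEADER_LEN) return HB_ERR_TOO_SHORT;
    if (rec[0] != HB_REQUEST)    return HB_ERR_BAD_TYPE;

    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    /* Bounds check: header + claimed payload + minimum padding must all lie
     * inside the record we really have. The RFC says to discard silently. */
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len)
        return HB_ERR_LENGTH_MISMATCH;

    size_t resp_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap) return HB_ERR_RESPONSE_TOO_BIG;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    /* Padding is zeroed here for determinism; a real implementation fills it
     * with random bytes as the RFC requires. */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    *out_len = resp_len;
    return HB_OK;
}

/* Constructed sample: well-formed request carrying the 5-byte payload "hello"
 * plus 16 bytes of padding (24 bytes on the wire). */
static const uint8_t SAMPLE_GOOD[] = {
    HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Constructed sample: over-claimed request. payload_length says 65535 bytes,
 * but the record carries only 1 payload byte plus padding (20 bytes). */
static const uint8_t SAMPLE_OVERCLAIM[] = {
    HB_REQUEST, 0xFF, 0xFF, 'x',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Run the handler on a record and return its status; *resp_len receives the
 * response length (0 when the record is rejected). */
static hb_status hb_handle(const uint8_t *rec, size_t rec_len, size_t *resp_len)
{
    static uint8_t out[HB_HEADER_LEN + 0xFFFF + HB_MIN_PADDING];
    return hb_build_response(rec, rec_len, out, sizeof out, resp_len);
}

hb_status hb_status_good(void)
{
    size_t n;
    return hb_handle(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &n);
}

size_t hb_len_good(void)
{
    size_t n;
    hb_handle(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &n);
    return n;
}

hb_status hb_status_overclaim(void)
{
    size_t n;
    return hb_handle(SAMPLE_OVERCLAIM, sizeof SAMPLE_OVERCLAIM, &n);
}

int main(void)
{
    size_t n = hb_len_good();
    printf("well-formed request: status %d, %zu-byte response\n",
           (int)hb_status_good(), n);
    printf("over-claimed request: status %d (rejected, nothing echoed)\n",
           (int)hb_status_overclaim());
    return 0;
}
```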

Experts Find a Door Ajar in an Internet Security Method Thought Safe: A flaw has been discovered in one of the Internet’s key security methods, potentially forcing a wide swath of websites to make changes to protect the security of consumers. The New York Times, April 8, 2014

Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style: Lest readers think “catastrophic” is too exaggerated a description for the critical defect affecting an estimated two-thirds of the Internet’s Web servers, consider this: at the moment this article was being prepared, the so-called Heartbleed bug was exposing end-user passwords, the contents of confidential e-mails, and other sensitive data belonging to Yahoo Mail and almost certainly countless other services. ars technica, April 8, 2014

Cyber Security Management

Inside the NIST Framework to Improve Cybersecurity: President Obama’s Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” issued a year ago, established U.S. policy for maintaining a cyber environment that encourages “efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” The Order calls for a voluntary, risk-based cybersecurity framework. The National Institute of Standards and Technology (NIST) recently released the framework, a set of industry standards and best practices to help organizations manage cybersecurity risks. The NIST framework is not intended to replace existing processes, but to complement business and cybersecurity operations. Enterprises can use the framework as part of their processes for identifying, assessing and managing cybersecurity risk. An organization can overlay its current process onto the framework to find “gaps in its current cybersecurity risk approach and to develop a roadmap to improvement.” The framework is a collaboration between industry and government and consists of standards, guidelines and practices. For a copy of the framework, click here. CIO Insight, April 10, 2014

National Cyber Security

NSA Said to Exploit Heartbleed Bug for Intelligence for Years: The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said. Bloomberg, April 11, 2014

Cyber Law

Andrew Auernheimer’s computer hacking conviction is overturned by appeals court: A federal appeals court on Friday overturned the conviction of a prominent computer hacker whose imprisonment had highlighted a growing debate over whether the government is overreaching in its campaign against cybercrime. The Washington Post, April 11, 2014

Judge Says FTC Can Bring Enforcement Actions Regarding Corporate Data Security Practices: In a critically important data security case, a Federal District Court ruling on a motion to dismiss brought by Wyndham hotels, sided with the government in deciding that the Federal Trade Commission has authority under the unfairness prong of the FTC Act to bring enforcement actions to remedy unreasonable data security practices. Forbes, April 8, 2014

Cyber Sunshine

Man behind Carder.su racketeering, other cybercrime, pleading guilty: A Georgia man agreed to plead guilty to federal racketeering charges associated with the so-called Carder.su criminal enterprise that trafficked and manufactured stolen and counterfeit credit cards resulting in $50 million in losses globally. Ars Technica, April 9, 2014

Cyber Calendar

ISSA-LA Sixth Annual Information Security Summit, May 16, Universal City Hilton. Speakers include Richard Clarke, former Assistant to the President; Jackie Lacey, Los Angeles County District Attorney; Jeremiah Grossman, Founder & iCEO, WhiteHat Security; Marcus Ranum, CSO, Tenable; Marc Maiffret, CTO, Beyond Trust; Jim Manico, Secure Coding Instructor and Author, Global OWASP Board of Directors; Ira Winkler, ISSA International President; Andrea Hoy, ISSA International Vice-President. For more information and to register, visit ISSA-LA.


Copyright © 2014 Citadel Information Group. All rights reserved.

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you. The post Cyber Security News of the Week, April 13, 2014 appeared first on Citadel Information Group.

Read More | Comments Off on Cyber Security News of the Week, April 13, 2014

by Fred F. Farkel, Friday, April 11th, 2014


Guest column by SalesLog!x

In today’s mobile world, many employees need access to their tools and company information anytime, anywhere. Gone are the days of the salesperson sitting at his or her desk making 75 calls a day to hit a quota – unable to accomplish anything at all if they step away from the computer. Now, whether they’re selling building materials, pharmaceuticals or fresh produce, sales representatives need comprehensive, intuitive, connected tools that can be used on any device – on the road, in the office or at home.

Customer Relationship Management (CRM) systems have existed since the 1990s, evolving from the early days of contact management software, to nearly dying during the dot-com burst and reviving in the years that followed. In the early 2000s, the book “CRM at the Speed of Light” by Paul Greenberg, later coined the “bible of the CRM industry,” brought to the forefront the concept of a CRM that completely manages the business relationship. Many of Greenberg’s ideas have come to fruition, and as cloud technology has developed, CRM has become an integrated part of the organization, its information, and its processes.

Customers Need More

The drive for better CRM is a result of customer demand. After the start of the social revolution, which was of course, spawned by the Internet and augmented by the widespread use of smartphones, companies began to want innovative technology that could do more than just prompt phone calls and track sales. Now that we have access to more information, to more people, through more channels, and are able to do more with mobile devices than ever, our customers are well informed. They expect prompt, accurate information, when and how they want it. They want integration, connection, and more control. And if your company can’t deliver, there’s surely someone else – just a few taps and swipes away – who can.

On the flipside, organizations often expect a great deal of success from their field sales teams – even those teams that have not been provided the latest tools to give customers what they need, or keep up with the competition. The problem is if your salespeople are blindly making decisions and taking liberties to get the sale without having access to the right information, there can be serious damage done. Nothing makes a hot lead turn cold faster than misinformation or wasted time, good intentions notwithstanding.

CRM Goes Mobile

Naturally, since the customer has evolved, sales must evolve too. CRMs are integrating with mobile technology to give salespeople many of the same tools on the road as at the desk. Providing the ability to easily access useful information – buying history, contact information, shipping updates, etc. – on a mobile device to address customer needs has become critical. So are tools to:

  • Connect all devices and applications
  • Collaborate with team members on the fly
  • Enter information such as orders and customer data instantly
  • Receive leads from demand gen systems
  • Keep track of activities

But, not all CRMs are created equal.

Avoiding the Trap of the Wrong CRM

Buying a new tool based solely on features is never a good idea. Even for the most revered, top-rated product, if it doesn’t fit the needs of your organization, or, if it is not properly implemented, the fact is, it will be hated, berated, and worse – avoided. According to Forrester, “The cost of poor adoption is twofold: underutilized investment and unmet business objectives.”¹ Therefore, since your sales are highly dependent on the quality and use of your CRM and how it integrates with the rest of your organization, choosing the right one is not a decision to make lightly.

Things to Remember When Choosing a CRM

Too much is too much. A CRM system with too many features is actually a bad thing. Salespeople don’t want to be overwhelmed by their tools – they want easy access to usable tools and information that gets them closer to the sale faster. Watch out for features that sound great, but make you say, “I’ve never thought of that,” or that cause you to question their relevance. Chances are if you haven’t thought of it, read about it, or gotten requests for it, it isn’t going to be used by your team.

For example, Saleslogix is a CRM built for mobility – with a task-oriented user interface that enables users to perform key actions quickly.

Mobile is a must, and it must be affordable. Even inside sales teams need to access information outside the office. Check available mobile features, integration capabilities with your systems and applications, and social networking services and systems. Compare features vs. pricing to ensure you are getting the most usable solution for your money.

Is it good for your company, or good for the customer? It should be good for both! A CRM’s purpose is to improve the work lives of your employees through simplification and automation, while improving the customer experience through better, faster service. “I believe the biggest challenge for the future of CRM systems is trying to make the system simple enough so that the sales force can use it, but at the same time comprehensive enough so that it can manage huge amounts of data,” said Steve Thompson, AgReliant Genetics, winner of Gartner and 1to1 Media’s 2013 CRM Excellence Award for Sales Force Automation. “One of the big trends I see for sales force effectiveness is the continued adoption of smartphone and tablet devices by our salespeople….now they have a wealth of third party apps that they can access that make their customer interactions that much better.”

With Saleslogix, users have a complete view of customer interactions across your entire organization so they can collaborate effectively and respond promptly to customer inquiries – easily and accurately.

Align your CRM strategy with company goals. Positive you’ve found the best solution? Will it pass the scrutiny of even your top salespeople? Great! But if you grow out of the solution in two years, you’ve made the wrong choice. This important project needs to be implemented like an ongoing journey, with a highly experienced IT leader at the helm, executive buy in, and alignment with company strategy. It’s a good idea for all the groups that will be using the system to outline its near-term and long-term goals so that the most important of them can be addressed. Ideally, the solution you choose will be with your company for the long haul, scaling with your growth and expanding with your needs.

Rollout with users in mind. Again, consider this a journey that never ends rather than a project with one deadline. Your CRM capabilities should change as your customer needs change, and as technology advances. In addition, your employees will need training. Don’t assume they will love it right away – people in general are resistant to change. “Avoid mistrust and the feeling of loss of control by getting others involved in the changes before they occur and asking them to offer input and feedback,” says Lisa Quast, in a recent Forbes article on implementing change. And, make a big deal out of it! A little internal promotion with executive backing will help with employee buy in.

Saleslogix is the Mobile CRM for Today and Tomorrow

Saleslogix addresses all of your mobile CRM concerns. It has just the right features to give employees information at their fingertips with an easy-to-use interface. It’s affordable, scalable, and has integration capabilities to grow with your organization.

Saleslogix is a state-of the-art technology platform that is built for mobility. An award-winning CRM solution, Saleslogix provides a comprehensive view of customer interactions across your sales, marketing, customer service and support teams so they can collaborate quickly and respond intelligently to customer needs and sales opportunities. Saleslogix provides:

  • Flexibility. Deploy in the cloud, on-premises, mobile, or hybrid. Integrates with backend applications, social networking services, and with marketing automation software like Salesfusion™.²
  • Control. Define and automate key business processes, sophisticated security and administration capabilities, and maintain control of your data.
  • Usability. Easy-to-learn-and-use interface brings high user acceptance, low learning curves and rapid productivity.
  • Mobility. All the capability your team wants, on any device, anywhere, anytime. Saleslogix brings useful information in customizable dashboards, embedded menus, dropdowns and one-click access to get what you need.
  • Marketing automation. Connect with customers and act on opportunities. Capture and manage leads from almost anywhere. Saleslogix integrates with your marketing solutions and provides a one-stop view of all customer activities.
  • Reporting and analytics.³ Enable actionable insights from your CRM information.

Saleslogix Mobile⁴ is the CRM for the mobile world. Give your sales team what it needs to succeed, and improve the customer experience while meeting company goals – today, tomorrow and beyond. Go to saleslogix.com now.

Try Saleslogix free for 30 days at saleslogix.com/trial.


1 Forrester, “CRM Success Hinges On Effective Change Management,” William Band, Claire Schooley. December 3, 2013
2 Salesfusion is a third-party Marketing Automation platform from Salesfusion, a Saleslogix Development Partner, and is available in the Saleslogix Marketplace at saleslogix.com/marketplace.
3 Some analytics solutions require an additional fee.
4 Check the compatibility list at saleslogix.com/compatibility for supported devices and browsers.

Read More | Comments Off on Mandatory Mobile: Taking CRM on the Road

by Fred F. Farkel, Monday, April 7th, 2014


Guest column by Citadel Information Group

Weekend Vulnerability and Patch Report

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Important Security Updates

Apple Safari: Apple has released updates for Safari to fix at least 26 vulnerabilities, some of which are highly critical, reported in versions prior to 6.1.3 and 7.0.3 running on OS X Lion version 10.7.5, OS X Lion Server version 10.7.5, OS X Mountain Lion version 10.8.5, and OS X Mavericks version 10.9.2. Update to version 6.1.3 or 7.0.3. Updates are available from Apple’s website.

AVG Antivirus Free Edition: AVG has released version 2014.0.4355 (32-bit) of its Free Edition Antivirus. Updates are available through the program or from AVG’s website.

Opera: Opera has released version 20.0.1387.91. Updates are available from within the browser or from Opera’s website.

Current Software Versions

Adobe Flash 12.0.0.77 [Windows 7: IE]

Adobe Flash 12.0.0.77 [Windows 7: Firefox, Mozilla]

Adobe Flash 12.0.0.77 [Windows 8: IE]

Adobe Flash 12.0.0.77 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.06

Dropbox 2.6.2 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 28.0

Google Chrome 33.0.1750.154

Internet Explorer 11.0.9600.16518 [Windows 7: IE]

Internet Explorer 11.0.9600.16384 [Windows 8: IE]

Java SE 8 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

QuickTime 7.7.5

Safari 5.1.7

Safari 7.0.2 [Mac OS X]

Skype 6.14.0.104

Newly Announced Unpatched Vulnerabilities

None

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports that Cisco has released updates for its IOS, Emergency Responder, Unified Communications Manager, Unity Connection and others. Apply updates.

Symantec LiveUpdate Administrator: Secunia reports that Symantec has released updates for its LiveUpdate Administrator to fix vulnerabilities reported in prior versions. Update to version 2.3.2.110.


If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.


Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community


Copyright © 2014 Citadel Information Group. All rights reserved.

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you. The post Weekend Vulnerability and Patch Report, April 6, 2014 appeared first on Citadel Information Group.

Read More | Comments Off on Weekend Vulnerability and Patch Report, April 6, 2014

by Fred F. Farkel, Monday, April 7th, 2014


Guest column by Citadel Information Group

Cyber Crime

U.S. States Investigating Breach at Experian: An exclusive KrebsOnSecurity investigation detailing how a unit of credit bureau Experian ended up selling consumer records to an identity theft service in the cybercrime underground has prompted a multi-state investigation by several attorneys general, according to wire reports. KrebsOnSecurity, April 3, 2014

Cyber Privacy

Yahoo Protects Users with Lots More Encryption: We were thrilled to hear today that Yahoo is carrying through a concerted effort to protect users across its sites and services by rolling out routine encryption in several parts of its infrastructure. The company’s statement announced that, among other things, it now encrypts traffic between its data centers, makes secure HTTPS connections the default for some web sites, and has turned on encryption for mail delivery between Yahoo Mail and other email services that support it (like Gmail). Electronic Frontier Foundation, April 2, 2014

Sweeping Away a Search History: YOUR search history contains some of the most personal information you will ever reveal online: your health, mental state, interests, travel locations, fears and shopping habits. The New York Times, April 2, 2014

How the NSA Used a ‘Loophole’ to Spy on Americans: The Obama administration’s top intelligence official has confirmed that the National Security Agency intentionally spied on the communications of Americans under a law intended to apply only to foreigners. NationalJournal, April 1, 2014

SECOND NSA CRYPTO TOOL FOUND IN RSA BSAFE: A team of academics released a study on the maligned Dual EC DRBG algorithm used in RSA Security’s BSafe and other cryptographic libraries that includes new evidence that the National Security Agency used a second cryptographic tool alongside Dual EC DRBG in Bsafe to facilitate spying. ThreatPost, March 31, 2014

Financial Fraud

Android Botnet Targets Middle East Banks: I recently encountered a botnet targeting Android smartphone users who bank at financial institutions in the Middle East. The crude yet remarkably effective mobile bot that powers this whole operation comes disguised as one of several online banking apps, has infected more than 2,700 phones, and has intercepted at least 28,000 text messages. KrebsOnSecurity, April 2, 2014

Account Takeover: Bank Faces Two Suits: Two lawsuits filed against a California bank in the aftermath of account takeover incidents dating back to 2012 and 2013 raise questions about how banking institutions should respond when suspicious account activity occurs. BankInfoSecurity, April 2, 2014

Identity Theft

Is identity-theft insurance a waste of money?: Consumers these days are more worried about fending off hackers than pickpockets. Companies are capitalizing on these fears by pitching the digital-age equivalent of a can of Mace: ID theft insurance. MarketWatch, March 31, 2014

Cyber Threat

Advanced Attacks Are The New Norm, Study Says: According to the Websense 2014 Threat Report, most malicious exploits now are advanced and targeted. DarkReading, April 4, 2014

RESEARCHER IDENTIFIES POTENTIAL SECURITY ISSUES WITH TESLA S: The current move by auto makers to stuff their vehicles full of networked devices, Bluetooth radios and WiFi connectivity has not gone unnoticed by security researchers. Charlie Miller and Chris Valasek spent months taking apart–literally and figuratively–a Toyota Prius to see what vulnerabilities might lie inside; and they found plenty. Now, another researcher has identified a number of issues with the security of the Tesla S, including its dependence upon a weak one-factor authentication system linked to a mobile app that can unlock the car remotely. ThreatPost, March 31, 2014

‘Thingularity’ Triggers Security Warnings: The Internet of Things is creating 50 billion Internet-connected devices. Who is going to keep them updated and secure? DarkReading, March 28, 2014

Cyber Warning

End of Windows XP Support Means Added Opportunity for Hackers: Microsoft is counting down to the end of an era. On April 8, the company officially washes its hands of Windows XP, an operating system introduced in 2001 that comprises 45 million lines of code. You can watch the clock tick down in slightly eerie fashion, green boxes on a purple background, on Microsoft’s website, which also gives some pithy advice on what this means: “It means you should take action.” BusinessWeek, April 4, 2014

Most sophisticated Android malware yet has already infected millions: Android is still the most targeted mobile platform out there in terms of mobile malware, considering the reports that keep detailing ways that hackers can take advantage of it for malicious purposes. But in most cases it’s Android users from certain regions of the world who are affected, because Google’s standard Android services aren’t available. A new report from The Hacker News details some new Android malware that may be the biggest threat to the operating system to date, and it may have already infected millions of devices. BGR, April 4, 2014

Tech Start-Ups Are Targets of Ransom Cyberattacks: Scott Heiferman and Gary Burns had less than four minutes to decide whether to pay up or go down. The New York Times, April 2, 2014

Who’s Behind the ‘BLS Weblearn’ Credit Card Scam?: A new rash of credit and debit card scams involving bogus sub-$15 charges and attributed to a company called “BLS Weblearn” is part of a prolific international scheme designed to fleece unwary consumers. This post delves deeper into the history and identity of the credit card processing network that has been enabling this type of activity for years. KrebsOnSecurity, March 31, 2014

WIFI BUG PLAGUES PHILIPS INTERNET-ENABLED TVS: UPDATE — Some versions of Philips’ internet-enabled SmartTVs are vulnerable to cookie theft and a mélange of other tricks that abuse a lax WiFi setting. ThreatPost, March 28, 2014

Fraudsters use BBC real news as bait to steal users’ identity: PandaLabs, the antimalware laboratory of Panda Security, The Cloud Security Company, today released a warning of a new malicious spam campaign making use of a story on the reputable BBC News website to add credence to the phishing attempt. DarkReading, March 26, 2014

Cyber Security Management

Incident Response Now Shaping Security Operations: How an organization reacts to hackers infiltrating its network is becoming the key to damage control for data — and the corporate image. DarkReading, March 28, 2014

Cyber Security Management — HIPAA

Electronic Health Record Tracking System Fails to Gain Federal Support: Health information technologies such as smartphone-based ultrasound and electronic health records should be regulated according to the risk they present to patients, per a proposed strategy rolled out Thursday by three federal agencies. The report, which is still subject to public comment, did not call for an extension of regulatory power for the agencies. Instead it emphasized the need for voluntary collaboration and planning by public-private partners. “Nongovernmental, independent programs to perform conformity assessments should be developed to fill current gaps,” it recommended. “The Agencies view this strategy rather than a formal regulatory approach as the appropriate method for advancing conformity assessments.” Scientific American, April 4, 2014

Cyber Security Management — Critical Infrastructure

New Federal Rule Requires Banks to Fight DDoS Attacks: Banks and financial institutions regulated by the federal government must now monitor for distributed denial-of-service (DDoS) attacks against their networks and have a plan in place to try and mitigate against such attacks, a federal regulatory body said this week. CIO, April 4, 2014

ISSA-LA

ISSA-LA Donates $25,000 for Nonprofits to Attend the Sixth Annual Information Security Summit on Cybercrime Solutions: The Los Angeles Chapter of the Information Systems Security Association has created a donation fund of up to $25,000 for 100 free registrations to IT personnel of nonprofits to attend the Sixth Annual Information Security Summit. PRWeb, March 19, 2014

Securing The Village

TEDx Birmingham: Call the police on cybercrime: Cybercrime is a crime, but the police are rarely called because of the difficulty in prosecution. A TEDx Birmingham presentation focused on this topic. TechRepublic, April 1, 2014

Cyber Misc

5-Year-Old Finds Xbox One Password Bug: Watch Dogs, eat your heart out. An industrious little hacker – well, a 5-year-old kid – named Kristoffer Von Hassel found a fairly ingenious way to bypass security restrictions on the Xbox One. PCMag, April 4, 2014

Middle school team of cybersecurity whiz kids from Torrance wins national competition: A team of South Bay middle school students won first place over the weekend in the national championship round of CyberPatriot VI — a race-against-the-clock game of identifying and disabling cyberthreats. DailyBreeze, March 31, 2014

Students hack Waze, send in army of traffic bots: Two Israeli students have successfully hacked popular social GPS map and traffic app Waze, causing it to report a nonexistent traffic jam. Wired, March 25, 2014

Nakamoto’s Neighbor: My Hunt For Bitcoin’s Creator Led To A Paralyzed Crypto Genius: Hal Finney’s light brown eyes are pointed down. I’ve just asked him if he was involved in the creation of Bitcoin. The 57-year-old man’s almost imperceptible eye movement is his only way of telling me that he was not, and that I’ve spent the last week caught in the same futile windmill-tilting that has ensnared so many other reporters trying to solve the puzzle of Bitcoin’s mysterious creator known only as Satoshi Nakamoto. Forbes, March 25, 2014

Cyber Sunshine

Two U.S. hackers admit to international cyber crime in N.J. court: (Reuters) – Two American men said to belong to an international cyber crime ring admitted hacking into accounts at banks, brokerage firms and government agencies in an attempt to steal some $15 million, New Jersey authorities said on Tuesday. Reuters, April 1, 2014

Cyber Calendar

ISSA-LA Sixth Annual Information Security Summit, May 16, Universal City Hilton. Speakers include Richard Clarke, former Assistant to the President; Jackie Lacey, Los Angeles County District Attorney; Jeremiah Grossman, Founder & iCEO, WhiteHat Security; Marcus Ranum, CSO, Tenable; Marc Maiffret, CTO, Beyond Trust; Jim Manico, Secure Coding Instructor and Author, Global OWASP Board of Directors; Ira Winkler, ISSA International President; Andrea Hoy, ISSA International Vice-President. For more information and to register, visit ISSA-LA.


Copyright © 2014 Citadel Information Group. All rights reserved.

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you. The post Cyber Security News of the Week, April 6, 2014 appeared first on Citadel Information Group.