Landmark Leadership Conferences for IT Executives
 

The IT Blog



by Fred F. Farkel, Monday, June 30th, 2014

 

Guest column by Citadel Information Group

Weekend Vulnerability and Patch Report

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Important Security Updates

AVG Antivirus Free Edition: AVG has released version 2014.0.4714 (32-bit) of its Free Edition Antivirus. Updates are available through the program or from AVG’s website.

Piriform CCleaner: Piriform has released version 4.15.4725 for CCleaner. Updates are available from Piriform’s website.

Current Software Versions

Adobe Flash  14.0.0.125 [Windows 7: IE]

Adobe Flash  14.0.0.125 [Windows 7: Firefox, Mozilla]

Adobe Flash  14.0.0.125 [Windows 8: IE]

Adobe Flash  14.0.0.125 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.07

Dropbox 2.8.4 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 30

Google Chrome 35.0.1916.153

Internet Explorer 11.0.9600.17126

Java SE 7 Update 60 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

QuickTime 7.7.5

Safari 5.1.7

Safari 7.0.4 [Mac OS X]

Skype 6.16.0.105

Newly Announced Unpatched Vulnerabilities

VLC Media Player: Secunia reports a moderately critical unpatched vulnerability in version 2.1.4 of VLC Media Player. Other versions  may also be affected.  No official solution is currently available.

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports that Cisco has released updates for its IOS, IOS XE, Unified Communications Manager, WebEx Meeting Server, and others. Apply updates. Secunia also reports unpatched vulnerabilities for Cisco’s Nexus 2000, 3000 5000, 6000 and 9000 Series switches, MDS 7000 and 9000 Series switches, IOS XE, and others. No official solution is currently available.

McAfee Multiple Products: Secunia reports that McAfee has released updates for its Firewall Enterprise (formerly Sidewinder Firewall) and Web Gateway. Apply updates.

Novell Multiple Products: Secunia reports that Novell has released updates for its Open Enterprise Server and Novell Messenger. Apply updates.

Symantec Multiple Products: Secunia reports that Symantec has released updates for its Data Insight Management Console and Encryption Desktop Professional. Apply updates.

VMware vCenter Operations Manager: Secunia reports that VMware has released a partial fix for its vCenter Operations Manager (vCOps.) Apply update.


If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.

 

Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community


Copyright © 2014 Citadel Information Group. All rights reserved.

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you. The post Weekend Vulnerability and Patch Report, June 29, 2014 appeared first on Citadel Information Group.

Read More | Comments Off on Weekend Vulnerability and Patch Report, June 29, 2014

by Fred F. Farkel, Monday, June 30th, 2014

 

Guest column by Citadel Information Group

Cyber Crime

2014: The Year Extortion Went Mainstream: The year 2014 may well go down in the history books as the year that extortion attacks went mainstream. Fueled largely by the emergence of the anonymous online currency Bitcoin, these shakedowns are blurring the lines between online and offline fraud, and giving novice computer users a crash course in modern-day cybercrime. KrebsOnSecurity, June 26, 2014

MTV: Nokia paid several million to extortionists to keep code secret: The commercial broadcaster MTV reports Tuesday that mobile phone company Nokia handed over millions of euros to extortionists to ensure the protection of part of its mobile phone code. yle uutiset, June 27, 2014

Card Wash: Card Breaches at Car Washes: An investigation into a string of credit card breaches at dozens of car wash locations across the United States illustrates the challenges facing local law enforcement as they seek to connect the dots between cybercrime and local gang activity that increasingly cross multiple domestic and international borders. KrebsOnSecurity, June 23, 2014

Hacker puts ‘full redundancy’ code-hosting firm out of business: A code-hosting and project management services provider was forced to shut down operations indefinitely after a hacker broke into its cloud infrastructure and deleted customer data, including most of the company’s backups. Network World, June 20, 2014

Cyber Attack

As Stuxnet Anniversary Approaches, New SCADA Attack Is Discovered: F-Secure has unearthed a new attack against industrial control systems that goes after European targets, using rare infection vectors. Dark Reading, June 26, 2014

Anonymous hackers found accessing Vietnam ministry computers: Unidentified hackers have launched targeted attacks against computers used by officials of the Vietnamese Ministry of Natural Resources and Environment, an Internet security company said in a report on Friday. tuoitrenews.vn, June 23, 2014

Cyber Privacy

A New Cybersecurity Bill Could Give the NSA Even More Data: Privacy groups are sounding the alarm that a new Senate cybersecurity bill could give the National Security Agency access to even more personal information of Americans. National Journal, June 27, 2014

Cops Need A Warrant To Search Your Phone, Rules Supreme Court: This term, the Supreme Court sank its teeth into yet another technology privacy issue that divided the country: whether the police can snoop in the smartphone of an arrested person without getting a warrant first. Looking at two cases in California and Massachusetts where photos and call logs from phones helped police bust a gang member for a shooting and a drug dealer, the country’s highest court ruled that law enforcement should have gotten warrants before trawling through the contents of their phones. Forbes, June 25, 2014

Financial Cyber Security

Android malware targets South Korean online banking customers: Malicious software that swaps itself for legitimate online banking applications is striking users in South Korea, with thousands of devices infected in the last week, according to a Chinese mobile security company. PCWorld, June 26, 2014

CLONED ANDROID BANKING APP HIDES PHISHING SCHEME: Cloned mobile applications, such as the legions of Flappy Bird knock-offs that surfaced once the popular game was removed from Google Play and the Apple App Store, are an increasingly popular malware vehicle for attackers. ThreatPost, June 25, 2014

Financial firms need ‘skin in the game’ on cybersecurity, DHS official: A top Homeland Security Department official on Tuesday urged the financial services industry to have more “personal skin in the game” if it is serious about fighting cyber security attacks. Politico, June 24, 2014

Cyber Warning

Decades-Old Vulnerability Threatens ‘Internet Of Things’: A newly discovered bug in the pervasive LZO algorithm has generated a wave of patching of open-source tools such as the Linux kernel this week. Dark Reading, June 26, 2014

PATCHED CODE EXECUTION BUG AFFECTS MOST ANDROID USERS: A serious code-execution vulnerability in Android 4.3 and earlier was patched in KitKat, the latest version of the operating system. ThreatPost, June 26, 2014

Beware Flappy Bird clones carrying malware: SAN FRANCISCO – Scratching the Flappy Bird itch could be dangerous, a report by computer security company McAfee finds. USA Today, June 24, 2014

AskMen.com website redirects to Caphaw malware, WebSense says: AskMen.com, a popular website with millions of monthly visitors, was redirecting visitors to other domains that delivered the Caphaw malware, according to security vendor WebSense. PCWorld, June 23, 2014

Hacker Tactic: Holding Data Hostage: THE perpetual cat-and-mouse game between computer hackers and their targets is getting nastier. Cybercriminals are getting better at circumventing firewalls and antivirus programs. More of them are resorting to ransomware, which encrypts computer data and holds it hostage until a fee is paid. Some hackers plant virus-loaded ads on legitimate websites, enabling them to remotely wipe a hard drive clean or cause it to overheat. Meanwhile, companies are being routinely targeted by attacks sponsored by the governments of Iran and China. Even small start-ups are suffering from denial-of-service extortion attacks, in which hackers threaten to disable their websites unless money is paid. The New York Times, June 22, 2014

Cyber Security Management

Why senior leaders are the front line against cyberattacks: All companies are aware of the growing risk of cyberattacks, yet few are taking the steps necessary to protect critical information. The key? Senior managers need to lead. McKinsey&Company, June, 2014

National Cyber Security

China cyber crime cooperation stalls after U.S. hacking charges: WASHINGTON (Reuters) – Fledging cooperation between the United States and China on fighting cyber crime has ground to a halt since the recent U.S. indictment of Chinese military officials on hacking charges, a senior U.S. security official said on Thursday. Yahoo News, June 26, 2014

Cyber Law

MASSACHUSETTS SUPREME COURT RULES DEFENDANT MUST DECRYPT DATA: Encryption software has been enjoying a prolonged day in the sun for about the last year. Thanks to the revelations of Edward Snowden about the NSA’s seemingly limitless capabilities, security experts have been pounding the drum about the importance of encrypting not just data in transit, but information stored on laptops, phones and portable drives. But the Massachusetts Supreme Judicial Court put a dent in that armor on Wednesday, ruling that a criminal defendant could be compelled to decrypt the contents of his laptops. ThreatPost, June 26, 2014

Cyber Sunshine

The ‘Fly’ Has Been Swatted: A Ukrainian man who claimed responsibility for organizing a campaign to send heroin to my home last summer has been arrested in Italy on suspicion of trafficking in stolen credit card accounts, among other things, KrebsOnSecurity.com has learned. KrebsOnSecurity, June 24, 2014


Copyright © 2014 Citadel Information Group. All rights reserved.

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you. The post Cyber Security News of the Week, June 29, 2014 appeared first on Citadel Information Group.

Read More | Comments Off on Cyber Security News of the Week, June 29, 2014

by Fred F. Farkel, Monday, June 23rd, 2014

 

Guest column by Citadel Information Group

Weekend Vulnerability and Patch Report

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Important Security Updates

Dropbox: Dropbox has released version 2.8.4 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]

Opera: Opera has released version 22.0.1471.70. Updates are available from within the browser or from Opera’s website.

Current Software Versions

Adobe Flash  14.0.0.125 [Windows 7: IE]

Adobe Flash  14.0.0.125 [Windows 7: Firefox, Mozilla]

Adobe Flash  14.0.0.125 [Windows 8: IE]

Adobe Flash  14.0.0.125 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.07

Dropbox 2.8.4 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 30

Google Chrome 35.0.1916.153

Internet Explorer 11.0.9600.17126

Java SE 7 Update 60 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

QuickTime 7.7.5

Safari 5.1.7

Safari 7.0.4 [Mac OS X]

Skype 6.16.0.105

Newly Announced Unpatched Vulnerabilities

None

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports that Cisco has released updates for its WebEx Meeting Server, Adaptive Security Appliance (ASA), Adaptive Security Appliance (ASA), IOS XR, IOS XE, MATE, and others. Apply updates. Secunia also reports unpatched vulnerabilities for Cisco’s AnyConnect VPN, Intrusion Prevention System (IPS), multiple Video Surveillance products, Prime Network, and others. No official solution is currently available.

Novell Open Enterprise: Secunia reports that Novell has released updates for its Open Enterprise Server. Apply May 2014 OES11SP1 Scheduled Maintenance Update – 9151.

Trend Micro InterScan: Secunia reports that Trend Micro has released updates for its InterScan Messaging Security Virtual Appliance to fix a vulnerability. Apply imsva_85_en.hfb16060.zip.

VMware Multiple Products: Secunia reports that Trend Micro has released updates for its InterScan Messaging Security Virtual Appliance to fix a vulnerability. Apply imsva_85_en.hfb16060.zip. Secunia also reports a partial fix for  vulnerabilities reported in VMware’s IT Business Management Suite Standard Edition, VMware Data Recovery, VMware vCenter Configuration Manager, VMware vCenter Site Recovery Manager, VMware vCloud Application Director, VMware vCloud Usage Meter, VMware vSphere Data Protection, VMware vSphere Management Assistant, VMware vSphere Replication, VMware vSphere Storage Appliance, VMware Studio, VMware vCenter Converter Standalone, VMware vCenter Server, VMware vCenter Support Assistant, VMware Virtual Disk Development Kit (VDDK), VMware VIX API, VMware vSphere PowerCLI, VMware vSphere SDK for Perl, VMware vSphere Update Manager, VMware ESXi, VMware NSX, VMware vCloud Automation Center (vCAC), Pivotal Web Server (formerly VMware vFabric Web Server), VMware Fusion, VMware Horizon Mirage, VMware Horizon View, VMware Horizon Workspace, VMware Player, VMware vCenter Chargeback Manager, VMware vCenter Operations Manager (vCOps), VMware vCenter Server Appliance, VMware vCloud Director, VMware vCloud Networking and Security (vCNS), VMware View, VMware Workstation, VMware Workstation, vSphere Big Data Extensions. Secunia also reports unpatched vulnerabilities in OVF Tool, Horizon View Client, and VMware vCenter Server Appliance. No official solution is currently available.


If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.

 

Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community


Copyright © 2014 Citadel Information Group. All rights reserved.

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you. The post Weekend Vulnerability and Patch Report, June 22, 2014 appeared first on Citadel Information Group.

Read More | Comments Off on Weekend Vulnerability and Patch Report, June 22, 2014

by Fred F. Farkel, Monday, June 23rd, 2014

 

Guest column by Citadel Information Group

Cyber Crime

Cybercriminals Zero In on a Lucrative New Target: Hedge Funds: Computer security experts say hedge funds, with their vast pools of money and opaque nature, have become perfect targets for sophisticated cybercriminals. Over the past two years, experts say, hedge funds have fallen victim to targeted attacks. What makes them such ripe targets is that even as hedge funds expend millions in moving their trading operations online, they have not made the same investment in security. The New York Times, June 19, 2014

Tally of Cyber Extortion Attacks on Tech Companies Grows: Tech start-ups continue to get hit by extortion attempts from cybercriminals who aim to shut down their systems until companies pay their ransom. The New York Times, June 19, 2014

Hedge-Fund Hackers Disrupting Trades for Profits, BAE Says: Hackers disrupted high-speed trading at a large hedge fund and rerouted data that might be used to make money in rogue stock-market transactions, a security official with BAE Systems Plc (BA/) said. Bloomberg, June 19, 2014

P.F. Chang’s Breach Likely Began in Sept. 2013: The recently-announced credit card breach at P.F. Chang’s Chinese Bistro appears to have gone on for at least nine months: New information indicates that the breach at the nationwide restaurant chain began on or around Sept. 18, 2013, and didn’t end until June 11, one day after KrebsOnSecurity.com broke the news about the break-in. KrebsOnSecurity, June 18, 2014

Cyber Attack

Hackers Take Down World Cup Site in Brazil: Hackers on Friday made good on their threat to take down the 2014 World Cup site in Brazil. The New York Times, June 20, 2014

Hackers Take Down Website of Brazilian Federation: (TERESOPOLIS, Brazil) — The Brazilian football federation says hackers momentarily took down its website on Thursday. Time, June 19, 2014

Cyber Espionage

2nd China Army Unit Implicated in Online Spying: SAN FRANCISCO — The email attachment looked like a brochure for a yoga studio in Toulouse, France, the center of the European aerospace industry. But once it was opened, it allowed hackers to sidestep their victim’s network security and steal closely guarded satellite technology. The New York Times, June 9, 2014

Cyber Privacy

British Spy Agencies Assert Power to Intercept Web Traffic: LONDON — In a broad legal rationale for collecting information from Internet use by its citizens, the British government has asserted the right to intercept communications that go through services like Facebook, Google and Twitter that are based in the United States or other foreign nations, even if they are between people in Britain. The New York Times, June 16, 2014

Financial Cyber Security

New powerful banking malware called Dyreza emerges: Security researchers said they’ve spotted a new type of banking malware that rivals the capabilities of the infamous Zeus malware. PCWorld, June 16, 2014

First Major Mobile Banking Security Threat Hits the U.S.: Is mobile banking safe? It’s a question that’s been in the back of many people’s minds ever since banks introduced apps in 2009. With roughly 102 million Americans using mobile banking, the potential for hackers, phishers and other types of cyberattackers to prey on mobile banking users is vast. American Banker, June 13, 2014

Cyber Warning

Chinese smartphone on sale on Amazon and eBay contains built-in malware: A Chinese Android smartphone on sale on Amazon, eBay and other online stores has been found to contain a virus that pretends to be the Google Play Store but steals user data. The Guardian, June 18, 2014

If It Sounds Too Good To Be True…: The old adage “If it sounds too good to be true, it probably is” no doubt is doubly so when it comes to steeply discounted brand-name stuff for sale on random Web sites, especially sports jerseys, designer shoes and handbags. A great many stores selling these goods appear to be tied to an elaborate network of phony storefronts and credit card processing sites based out of China that will happily charge your card but deliver nothing (or at best flimsy knockoffs). KrebsOnSecurity, June 17, 2014

Cyber Security Management

Information Security Pro Shortage Creates Risks: Scathing headlines about the National Security Agency monitoring the online and telephone communications of global leaders and common citizens apparently haven’t hurt the NSA’s efforts to recruit cybersecurity talent. BankInfoSecurity, June 19, 2014

Cyber Security Management — Cyber Awareness

“Human error” contributes to nearly all cyber incidents, study finds: Even though organizations may have all of the bells and whistles needed in their data security arsenal, it’s the human element that continues to fuel cyber incidents occurring, according to one recent study. SC Magazine, June 16, 2014

Securing the Village

FBI, NYPD and Transit Authority Form Task Force to Combat Cybercrime: The FBI’s New York office said Thursday it’s teaming up with the New York Police Department and the region’s transit authority to form a new cybercrime task force to target cyber-related criminal activity in the area. The Wall Street Journal, June 19, 2014

Cyber Law

Oil Co. Wins $350,000 Cyberheist Settlement: A California oil company that sued its bank after being robbed of $350,000 in a 2011 cyberheist has won a settlement that effectively reimbursed the firm for the stolen funds. KrebsOnSecurity, June 20, 2014

Ruling Raises Stakes for Cyberheist Victims: A Missouri firm that unsuccessfully sued its bank to recover $440,000 stolen in a 2010 cyberheist may now be on the hook to cover the financial institution’s legal fees, an appeals court has ruled. Legal experts say the decision is likely to discourage future victims from pursuing such cases. KrebsOnSecurity, June 16, 2014

Cyber Misc

10 Ways To ‘Fix’ Cybersecurity: Security reporter Byron Acohido and I asked ten cyber-experts to offer up their best ideas for stemming the threats we face when it comes to digital security. Note: Almost every one of them muttered something about there being no silver bullets. Forbes, June 18, 2014

Ukraine election narrowly avoided ‘wanton destruction’ from hackers (+video): A brazen three-pronged cyber-attack against last month’s Ukrainian presidential elections has set the world on notice – and bears Russian fingerprints, some say. Christian Science Monitor, June 17, 2014

Cyber Calendar

Information Systems Infrastructure Security Management: This security course covers physical and logical security over datacenters, buildings, and offices. It will define a management program that protects assets across all levels of technology and the core components that support that technology. It will analyze hacking methodology and how to create a functioning IT Infrastructure program for businesses, whether large or small. It will include change management scenarios and how to approach daily business security issues from an IT perspective. Much of the challenge of IT security remains the fundamental fact that management does not see it as a profit center and as long as there has been no reported breach there is clearly nothing to worry about. With this as a starting point we will investigate how best to explore the myriad options for network security.Internet access required to retrieve course materials. UCLA Extension, Start Date: June 24, 2014


Copyright © 2014 Citadel Information Group. All rights reserved.

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you. The post Cyber Security News of the Week, June 22, 2014 appeared first on Citadel Information Group.

Read More | Comments Off on Cyber Security News of the Week, June 22, 2014

by Fred F. Farkel, Monday, June 9th, 2014

 

Guest column by Citadel Information Group

Weekend Vulnerability and Patch Report

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Important Security Updates

Adobe Shockwave Player: Adobe has released version 12.1.2.152 of Shockwave Player running on Windows and Macintosh. Updates are available through the program or from Adobe’s Shockwave Web Site.

Opera: Opera has released version 22.0.1471.50 to fix moderately critical unpatched vulnerabilities in previous versions. Updates are available from within the browser or from Opera’s website.

Current Software Versions

Adobe Flash  13.0.0.214 [Windows 7: IE]

Adobe Flash  13.0.0.214 [Windows 7: Firefox, Mozilla]

Adobe Flash  13.0.0.214 [Windows 8: IE]

Adobe Flash  13.0.0.214 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.07

Dropbox 2.8.3 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 29.0.1

Google Chrome 35.0.1916.114

Internet Explorer 11.0.9600.17105

Java SE 7 Update 60 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

QuickTime 7.7.5

Safari 5.1.7

Safari 7.0.4 [Mac OS X]

Skype 6.16.0.105

Newly Announced Unpatched Vulnerabilities

None

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

McAfee Data Loss Prevention: Secunia reports that McAfee has released updates for its Data Loss Prevention to fix moderately critical vulnerabilities. Update to version 9.3.2 and apply hotfixes

OpenSSL: US-CERT reports that OpenSSL has released updates in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution. OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za. OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m. OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.


If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.

 

Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community


Copyright © 2014 Citadel Information Group. All rights reserved.

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you. The post Weekend Vulnerability and Patch Report, June 8, 2014 appeared first on Citadel Information Group.

Read More | Comments Off on Weekend Vulnerability and Patch Report, June 8, 2014

by Fred F. Farkel, Monday, June 9th, 2014

 

Guest column by Citadel Information Group

CyberCrime

Online Pirates Thrive on Legitimate Ad Dollars: LOS ANGELES — Movie and music piracy thrives online in part because crafty website operators receive advertising dollars from major companies like Comcast, Ford and McDonald’s. The New York Times, June 3, 2014

Cyber Attack

They Hack Because They Can: The Internet of Things is coming….to a highway sign near you? In the latest reminder that much of our nation’s “critical infrastructure” is held together with the Internet equivalent of spit and glue, authorities in several U.S. states are reporting that a hacker has once again broken into and defaced electronic road signs over highways in several U.S. states. KrebsOnSecurity, June 5, 2014

Cyber Warning

2 weeks to prepare for ‘powerful’ virus strike-back in major malware offensive: The UK has warned its computer-users they have two weeks to protect their machines from two powerful viruses, GameOver Zeus and Cryptolocker, after a US-led multinational operation announced a coordinated takedown of malware. RT, June 2, 2014

Cyber Security Management – Cyber Defense

Google Previews Gmail Encryption: Gmail users will soon be able to encrypt their messages easily with End-to-End, a free Chrome extension. Google on Tuesday introduced software called End-to-End to encrypt Gmail messages in transit and simultaneously published data about encryption usage by email providers, as if to shame companies with indifferent security practices. Information Week, June 4, 2014

Alert (TA14-150A) – GameOver Zeus P2P Malware: GameOver Zeus (GOZ), a peer-to-peer (P2P) variant of the Zeus family of bank credential-stealing malware identified in September 2011, uses a decentralized network infrastructure of compromised personal computers and web servers to execute command-and-control. The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ), is releasing this Technical Alert to provide further information about the GameOver Zeus botnet. US-CERT, June 2, 2014

So long, TrueCrypt: 5 alternative encryption tools that can lock down your data: Open-source legend TrueCrypt may be gone, but the usefulness of full disk encryption carries on. So what’s a crypto fan to do now for their encryption needs? PCWorld, May 30, 2014

Cyber Security Management – Cyber Update

OpenSSL fixes another severe vulnerability: The OpenSSL project has reported fixes for several vulnerabilities, at least one of them serious. ZDNet, June 5, 2014

Securing the Village

Cybersecurity Expert Richard A. Clarke and LA County District Attorney Jackie Lacey Spoke at ISSA-LA 6th Annual Information Security Summit on Cybercrime Solutions: Nearly 800 of the country’s leading cybercrime experts, information security professionals, company CEOs and other C-suite business executives recently attended the 6th Annual Information Security Summit, The Growing Cyber Threat: Protect Your Business, that was held by the Los Angeles Chapter of the Information Systems Security Association (ISSA-LA). The diverse group of attendees reflected the new reality that cybercrime impacts the financial stability of all organizations and industries such as business, nonprofits, government agencies, schools, healthcare and financial services. The Summit advances ISSA-LA’s core belief that ‘It takes the village to secure the village’ SM. PRWeb, June 2, 2014

Cyber Underworld

Peek Inside a Professional Carding Shop: Over the past year, I’ve spent a great deal of time trolling a variety of underground stores that sell “dumps” — street slang for stolen credit card data that buyers can use to counterfeit new cards and go shopping in big-box stores for high-dollar merchandise that can be resold quickly for cash. By way of explaining this bizarro world, this post takes the reader on a tour of a rather exclusive and professional dumps shop that caters to professional thieves, high-volume buyers and organized crime gangs. KrebsOnSecurity, June 4, 2014

Cyber Research

Automating Cybersecurity: If only computers themselves were smart enough to fight off malevolent hackers. The New York Times, June 2, 2014

Cyber Law

UK proposes harsher sentences for hackers: The UK government believes hackers who cause “catastrophic” damage should be imprisoned for life, Queen Elizabeth II said in a speech today, proposing a crime bill that would update the 1990 Computer Misuse Act. The Verge, June 4, 2014

Cyber Misc

13 Google Search Tricks That Make Life A Whole Lot Easier: You think you know how to Google? You don’t know how to Google. Huffington Post, June 4, 2014

Cyber Sunshine

Secret Global Strike Kills 2 Malicious Web Viruses: WASHINGTON — Federal agents over the weekend secretly seized control of two computer networks that hackers used to steal millions of dollars from unsuspecting victims. In doing so, the Justice Department disrupted the circulation of two of the world’s most pernicious viruses and turned a 30-year-old Russian computer hacker into a most-wanted fugitive. The New York Times, June 2, 2014

‘Operation Tovar’ Targets ‘Gameover’ ZeuS Botnet, CryptoLocker Scourge: The U.S. Justice Department is expected to announce today an international law enforcement operation to seize control over the Gameover ZeuS botnet, a sprawling network of hacked Microsoft Windows computers that currently infects an estimated 500,000 to 1 million compromised systems globally. Experts say PCs infected with Gameover are being harvested for sensitive financial and personal data, and rented out to an elite cadre of hackers for use in online extortion attacks, spam and other illicit moneymaking schemes. KrebsOnSecurity, June 2, 2014

Cyber Calendar

Information Systems Infrastructure Security Management: This security course covers physical and logical security over datacenters, buildings, and offices. It will define a management program that protects assets across all levels of technology and the core components that support that technology. It will analyze hacking methodology and how to create a functioning IT Infrastructure program for businesses, whether large or small. It will include change management scenarios and how to approach daily business security issues from an IT perspective. Much of the challenge of IT security remains the fundamental fact that management does not see it as a profit center and as long as there has been no reported breach there is clearly nothing to worry about. With this as a starting point we will investigate how best to explore the myriad options for network security.Internet access required to retrieve course materials. UCLA Extension, Start Date: June 24, 2014


Copyright © 2014 Citadel Information Group. All rights reserved.

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you. The post Cyber Security News of the Week, June 8, 2014 appeared first on Citadel Information Group.

Read More | Comments Off on Cyber Security News of the Week, June 8, 2014

by Fred F. Farkel, Monday, June 2nd, 2014

 

Guest column by Citadel Information Group

Weekend Vulnerability and Patch Report

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Important Security Updates

Apple iTunes: Apple has released version 11.2.2 for iTunes versions in Windows 8, 7, Vista, and XP SP3 or later. Updates are available through the program or from Apple’s website.

Apple OS X Java: Apple has released an update to Java for OS X 2014-001. Updates are available from Apple’s website. [See Citadel’s warning below]

Dropbox: Dropbox has released version 2.8.3 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]

Current Software Versions

Adobe Flash  13.0.0.214 [Windows 7: IE]

Adobe Flash  13.0.0.214 [Windows 7: Firefox, Mozilla]

Adobe Flash  13.0.0.214 [Windows 8: IE]

Adobe Flash  13.0.0.214 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.07

Dropbox 2.8.3 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 29.0.1

Google Chrome 35.0.1916.114

Internet Explorer 11.0.9600.17105

Java SE 7 Update 60 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

QuickTime 7.7.5

Safari 5.1.7

Safari 7.0.4 [Mac OS X]

Skype 6.16.0.105

Newly Announced Unpatched Vulnerabilities

D-Link N300 Wireless Router: Secunia reports an unpatched vulnerability in D-Link’s N300 Wireless Router reported in version 1.14 (HW version Ax) and prior. No official solution is currently available.

Microsoft Windows 8:  Secunia reports two unpatched vulnerabilities in Windows 8 and Windows 8.1. No official solution is currently available.

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports that Cisco has released updates for its Cisco Unified Communications Domain Manager (CUCDM), Wide Area Application Services (WAAS), IOS XE, Tidal Enterprise Scheduler, and others. Apply updates.

VMware Multiple Products: Secunia reports that Cisco has released updates for its VMware Workstation, VMware Player, VMware Fusion, and VMware ESXi. Apply updates.


If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.

 

Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community


Copyright © 2014 Citadel Information Group. All rights reserved.

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you. The post Weekend Vulnerability and Patch Report, June 1, 2014 appeared first on Citadel Information Group.

Read More | Comments Off on Weekend Vulnerability and Patch Report, June 1, 2014

by Fred F. Farkel, Monday, June 2nd, 2014

 

Guest column by Citadel Information Group

CyberCrime

Thieves Planted Malware to Hack ATMs: A recent ATM skimming attack in which thieves used a specialized device to physically insert malicious software into a cash machine may be a harbinger of more sophisticated scams to come. KrebsOnSecuritry, May 30, 2014

Cyber Attack

Complexity as the Enemy of Security: Late last month, hackers allied with the Syrian Electronic Army (SEA) compromised the Web site for the RSA Conference, the world’s largest computer security gathering. The attack, while unremarkable in many ways, illustrates the continued success of phishing attacks that spoof top executives within targeted organizations. It’s also a textbook example of how third-party content providers can be leveraged to break into high-profile Web sites. KrebsOnSecurity, May 27, 2014

Cyber Privacy

AS SNOWDEN ANNIVERSARY NEARS, EFF URGES USERS TO RAMP UP PRIVACY AND SECURITY: Time flies when you’re having fun. But it apparently also flies when there’s a new story every other day about NSA surveillance. It’s been nearly one year since the first story sourced from the documents Edward Snowden stole from the agency appeared, and with that in mind, the EFF is encouraging people to commemorate the day by installing privacy and security tools to protect their communications. ThreatPost, May 30, 2014

Some Privacy, Please? Facebook, Under Pressure, Gets the Message: SAN FRANCISCO — Do you know who can see what you are posting on Facebook, including your photos, birthday and personal cellphone number? The New York Times, May 23, 2014

Cyber Threat

Researchers: Recent Zero-Day Attacks Linked Via Common Exploit Package: Elderwood Platform, a two-year-old package of exploits, has been used to create multiple zero-day threats, Symantec researchers said. DarkReading, May 19, 2014

Cyber Warning

Backdoor in Call Monitoring, Surveillance Gear: If your company’s core business is making software designed to help first responders and police record and intercept phone calls, it’s probably a good idea to ensure the product isn’t so full of security holes that it allows trivial access by unauthorized users. Unfortunately, even companies working in this sensitive space fall victim to the classic blunder that eventually turns most software into Swiss Cheese: Trying to bolt on security only after the product has shipped. KrebsOnSecurity, May 28, 2014

Hackers use ‘Find My iPhone’ to lockout, ransom Mac and iOS device owners in Australia: Owners of Macs and iOS devices in Australia woke up on Tuesday to find their machines locked by Find My iPhone, with the nefarious hackers responsible demanding payment via PayPal before they return control. AppInsider, May 26, 2014

Cyber Security Management

Keeping Up with Cybersecurity Framework: The folks at PricewaterhouseCoopers, after surveying 500 U.S. business, law enforcement and government executives, conclude that the vast majority of cybersecurity programs fall very short of the federal government’s cybersecurity framework goals. BankInfoSecuriy, May 30, 2014

Why are Chief Information Security Officers Critical?: In some corporations, the role of the Chief Information Security Officer (CISO) is becoming as important or even more important than the functions of the once-revered Chief Information Officer (CIO). PaymentWeek, May 29, 2014

Cyber Security Management – Cyber Awareness

How to Avoid Cyberspies on Facebook, LinkedIn: The first line of defense against a social media-related attack recently perpetrated by a suspected Iranian hacker group is to teach employees how to spot cyberspies, experts say. CIO, May 30, 2014

Cyber Security Management – Cyber Defense

A beginner’s guide to BitLocker, Windows’ built-in encryption tool: The creators of TrueCrypt shocked the computer security world this week when they seemingly ended development of the popular open source encryption tool. Even more surprising, the creators said TrueCrypt could be insecure and that Windows users should migrate to Microsoft’s BitLocker. Conspiracy theories immediately began to swirl around the surprise announcement. PCWorld, May 30, 2014

The Mystery Of The TrueCrypt Encryption Software Shutdown: Developers of the open-source software call it quits, saying software “may contain unfixed security issues.” DarkReading, May 30, 2014

True Goodbye: ‘Using TrueCrypt Is Not Secure’: The anonymous developers responsible for building and maintaining the free whole-disk encryption suite TrueCrypt apparently threw in the towel this week, shuttering the TrueCrypt site and warning users that the product is no longer secure now that Microsoft has ended support for Windows XP. KrebsOnSecurity, May 29, 2014

Cyber Security Management – Cyber Update

APACHE PATCHES DOS, INFORMATION DISCLOSURE BUGS IN TOMCAT: Apache recently patched Tomcat, fixing a trio of information disclosure bugs and a denial of service bug in the open source web server and servlet container. ThreatPost, May 30, 2014

Securing the Village

Richard Clarke calls for Information Security Manifesto during Keynote Address at ISSA-LA Summit VI: Clarke is Chairman & CEO, Good Harbor and former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism for the United States. May 16, 2014.

RETAILERS FORM ISAC TO SHARE THREAT DATA: From the beginning of the cybercrime epidemic, retailers have been among the most frequent targets, and the last year has seen some of the larger compromises in history. The Target data breach is at the top of that list, involving more than 100 million customers, and after years of increasingly serious compromises the retail industry is finally getting together to share information about attacks, threats and vulnerabilities. ThreatPost, May 19, 2014

Financial Cyber Security

Banks Challenged By Cybersecurity Threats, State Regulators Acting: A new report concludes that while financial institutions have taken significant steps to bolster cyber security efforts, they will continue to be challenged by the speed of technological change and the increasingly sophisticated nature of threats. Forbes, May 26, 2014

National Cyber Security

Report: Hackers in Iran use social media to target senior U.S., Israeli officials: Hackers based in Iran used social networks to spy on high-ranking U.S. and Israeli officials, a new report by a cybersecurity firm claims. CNN, May 30, 2014

Daily Report: U.S. Indictments Shed Some Light on China’s Hacker Army: One man accused of being a hacker for the Chinese military, Wang Dong, better known as UglyGorilla, wrote in a social media profile that he did not “have much ambition” but wanted “to wander the world with a sword, an idiot,” Edward Wong reports. The New York Times, May 23, 2014

Critical Infrastructure

Large Electric Utilities Earn High Security Scores: Critical infrastructure is a big target for attack, but new data shows some operators in that industry suffer fewer security incidents than other industries. DarkReading, May 29, 2014

Cyber Law

House Panel Investigating FTC Data Breach Enforcement: IDG News Service (Washington, D.C., Bureau) — A U.S. House of Representatives committee has reportedly launched an investigation into the Federal Trade Commission’s use of information from a peer-to-peer security vendor to bring a data breach complaint against a medical testing laboratory. CIO, May 30, 2014

Cyber Sunshine

Hacker Helped Disrupt 300 Web Attacks, Prosecutors Say: A prominent hacker set to be sentenced in federal court this week for breaking into numerous computer systems worldwide has provided a trove of information to the authorities, allowing them to disrupt at least 300 cyberattacks on targets that included the United States military, Congress, the federal courts, NASA and private companies, according to a newly filed government court document. The New York Times, May 24, 2014

Cyber Misc

Investors Couldn’t Care Less About Data Breaches: On May 21, EBay (EBAY) revealed that it had suffered a cyber attack and data security breach, and users’ information—names, account passwords, e-mail addresses, physical addresses, phone numbers, and birth dates—was exposed to hackers. While security experts, the news media, and actual EBay users may have all been alarmed, the stock investors weren’t. EBay’s stock finished trading virtually unchanged that day, dropping all of 8 pennies to $51.88. Bloomberg, May 23, 2014


Copyright © 2014 Citadel Information Group. All rights reserved.

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you. The post Cyber Security News of the Week, June 1, 2014 appeared first on Citadel Information Group.

Read More | Comments Off on Cyber Security News of the Week, June 1, 2014