Cyber Security News of the Week, January 27, 2013
by Fred F. Farkel, Tuesday, January 29th, 2013
Guest column by Citadel Information Group
Inside the Gozi Bulletproof Hosting Facility: Nate Anderson at Ars Technica has a good story about how investigators tracked down “Virus,” the nickname allegedly used by a Romanian man accused by the U.S. Justice Department of running the Web hosting operations for a group that created and marketed the Gozi banking Trojan. Turns out, I’ve been sitting on some fascinating details about this hosting provider for many months without fully realizing what I had. KrebsOnSecurity, January 25, 2013
Letter From Forty-Four Digital Rights Groups Demands Skype Detail Its Surveillance Practices: Skype has long been a quintessential bad actor for the privacy community - one that not only refuses to make promises about protecting user data from government surveillance, but won’t even reveal basic facts about how and when it hands user conversations over to the government. Now, eight months after the voice-over-IP company was officially integrated into Microsoft, a critical mass of privacy activists are demanding answers. Forbes, January 24, 2013
Two Out Of Three Cases Where Google Gives User Data To Government Don’t Involve A Warrant: It may be easier than you think for government entities to demand the private data you’ve stored on Google’s servers. Most of the time, it doesn’t even require a judge’s signature. Forbes, January 23, 2013
Rossen Reports: Webcam hackers can spy on you in secret: Could predators be spying on you and your kids through your computer’s webcam? Authorities say criminals are now able to hack in and watch your every move – without you ever knowing it. Today News, January 22, 2013
Anonymous threatens Justice Department over hacktivist death: In anger over the recent death of an Internet activist who faced federal charges, hackers claiming to be from the group Anonymous threatened early Saturday to release sensitive information about the U.S. Department of Justice. CNN Tech, January 27, 2013
Backdoors Found in Barracuda Networks Gear: A variety of the latest firewall, spam filter and VPN appliances sold by Campbell, Calif. based Barracuda Networks Inc. contain undocumented backdoor accounts, the company disclosed today. Worse still, while the backdoor accounts are apparently set up so that they would only be accessible from Internet addresses assigned to Barracuda, they are in fact accessible to potentially hundreds of other companies and network owners. KrebsOnSecurity, January 24, 2013
Researchers Warn: Mega’s New Encrypted Cloud Doesn’t Keep Its Megasecurity Promises: Kim Dotcom, like every smart founder of a startup in a crisis, is pivoting. Since his Mega empire of filesharing websites and financial assets were seized in an indictment over massive alleged copyright violations last year, he’s been working on a relaunch designed to transform the company’s reputation from a business focused on piracy to one focused on privacy - specifically, airtight encryption like no other storage site has ever offered. Forbes, January 21, 2013
WordPress Fixes 37 Bugs with Latest Update: WordPress pushed out version 3.5.1 of its open source blogging platform yesterday, fixing 37 bugs including several cross-site scripting (XSS) errors and a vulnerability that could have allowed an attacker to expose information and compromise an unpatched site. ThreatPost, January 25, 2013
Cyber Security Management
What Antivirus Shortcomings Mean For SMBs: Accepting the risks that come with relying solely on AV not only puts data at risk, but also could kill future earning potential. DarkReading, January 23, 2013
Google’s Move from Passwords Gets Applause from Leading Security Expert: Dr. Stahl is quoted in this story. Google’s efforts to make the Internet more secure by eliminating the use of passwords is drawing praise from one of the nation’s leading authorities on digital security. The Biz Coach, January 22, 2013
Cyber Security Management – HIPAA
Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, Federal Register, January 25, 2013
HIPAA omnibus and HITECH civil penalty changes: As healthcare organizations read up on the HIPAA omnibus rule, a significant consideration should be the potential civil penalties tied to the HITECH act that are now associated with the rule. Calculating penalties is no longer just a maximum of $100 per violation and $25,000 per year and can put a far bigger dent in a healthcare organization’s budget. HealthIT Security, January 23, 2013
HIPAA Changes Could Create New Bureaucratic Burdens: Changes coming to the HIPAA Privacy and Security Rule mean added administrative work, and they could mean additional reporting, said Lisa Sotto, head of Hunton & Williams’ global privacy and data security practice in an interview with InformationWeek Healthcare. Information Week HealthCare, January 23, 2013
Cyber Security Management – Critical Infrastructure
SCADA Security 2.0: Siemens will consider whether to offer a bug bounty program as security experts look at new approaches to tackling SCADA security woes. Dark Reading, January 24, 2013
Supply Chain Uncertainties Complicate Security: Los Alamos National Laboratory’s move to oust Chinese hardware without any evidence of backdoors highlights how supply-chain insecurities are difficult to manage. DarkReading, January 23, 2013
Cyber Security Management – Fines & Penalties
Sony Fined £250,000 in UK for 2011 Playstation Hack: A government body in the U.K. has fined Sony £250,000 (US$396,000) for using lax network security when its PlayStation network was hacked in 2011. CIO, January 24, 2013
Rising cyberthreats set backdrop for latest cybersecurity bill: DHS Secretary Janet Napolitano urges Congress to pass the new legislation, saying it should not wait for a ‘9/11 in the cyber world.’ CSO, January 25, 2013
Securing the Village
White House Announces ‘National Day of Civic Hacking’: Whether or not you have coding skills, the U.S. government asks you to roll up your sleeves in June and help solve the nation’s problems. CIO, January 24, 2013
National Day of Civic Hacking: National Day of Civic Hacking is a national event that will take place June 1-2, 2013, in cities across the nation. The event will bring together citizens, software developers, and entrepreneurs from all over the nation to collaboratively create, build, and invent new solutions using publicly-released data, code and technology to solve challenges relevant to our neighborhoods, our cities, our states and our country. National Day of Civic Hacking will provide citizens an opportunity to do what is most quintessentially American: roll up our sleeves, get involved and work together to improve our society.
O’Malley floats $3 million tax credit pool to bolster cybersecurity in Maryland: Maryland is looking to build on the success of a biotechnology tax credit to bolster another industry here – cyber security. Gov. Martin O’Malley proposed in his fiscal 2014 budget a new cyber security tax credit that would set aside $3 million to encourage cyber security companies to expand or set up shop in Maryland. Washington Business Journal, January 24, 2013
Three Charged in Connection with ‘Gozi’ Trojan: Federal prosecutors today announced criminal charges against three men alleged to be responsible for creating and distributing the Gozi Trojan, an extremely sophisticated strain of malicious software that was sold to cyber crooks and was tailor-made to attack specific financial institutions targeted by each buyer. KrebsOnSecurity, January 23, 2013
Securing the Village – Events Calendar
ISC2-LA February Dinner Meeting; February 5, 2013: Email Bill Zajac at firstname.lastname@example.org for more information.
Cloud Security Alliance – Los Angeles Chapter; February 13, 2013: “Can encryption help alleviate concerns about moving to the cloud?” For more information and to register, go to meetup.com/LASC-CSA/.
ISSA-LA February Lunch Meeting; February 20, 2013. For more information and to register, visit ISSA-LA.
ISSA-LA March Dinner Meeting; March 20, 2013.
NAWBO Ventura County March Dinner Meeting, March 22, 2013: Citadel Vice President Ms. Kimberly Pease, CISSP, will speak on cybersecurity at the monthly meeting of the Ventura County Chapter of the National Association of Women Business Owners. In her talk The Growing Cyber Threat: Why the Bad Guys are Winning!, Kimberly will identify threats to information and computers, review common weaknesses being exploited by the bad guys and offer proactive steps you can take at business and at home to increase your security posture and decrease your exposure.
Santa Monica Rotary Club; Lunch Meeting, May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk – It Takes the Village to Secure the Village SM – Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user’s computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.
ISSA-LA Fifth Annual Information Security Summit; May 21, 2013: SAVE THE DATE. Join over 500 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator.
Weekend Vulnerability and Patch Report
The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.
Important Security Updates
Linksys WRT54GL Wireless Router: Linksys has released an update to its WRT54GL Wireless Router. Update to firmware version 4.30.16 by downloading from the Linksys website.
Current Software Versions
Adobe Flash 11.5.502.146 [Windows 7: IE9, Firefox, Mozilla, Netscape, Opera]
Adobe Flash 11.3.378.5 [Windows 8: IE]
Adobe Flash 11.5.502.146 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.01
Dropbox 1.6.11 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 18.0.1 [Windows]
Google Chrome 24.0.1312.56
Internet Explorer 9.0.8112.16421 [Windows 7: IE], [See warning below]
Internet Explorer 10.0.9200.16466 [Windows 8: IE]
Java SE 7 Update 11 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have particular web sites that require Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser – such as Chrome, IE9, Safari, etc – with Java enabled to browse only the sites that require it.]
QuickTime 7.7.3 (1680.64)
Safari 5.1.7 [Windows, See warning below]
Safari 6.0.2 [Mac OS X]
Newly Announced Unpatched Vulnerabilities
For Your IT Department
Cisco Wireless LAN Controllers: Secunia reports vulnerabilities in multiple Cisco Wireless LAN Controllers. Apply applicable updates.
Google Web Toolkit: Secunia reports a vulnerability in Google’s Web Toolkit. Update to version 2.5 GA.
PDF-XChange Viewer: Secunia reports a highly critical vulnerability in PDF-XChange Viewer. Update to version 2.5 Build 208.0.
Sourcefire Snort: Secunia reports a moderately critical vulnerability in Sourcefire’s Snort. Update Snort rules to a version released on 2013-01-17 or later.
WordPress: Secunia reports at least 37 moderately critical vulnerabilities in WordPress. Update to version 3.5.1. There are also plugin vulnerabilities for updates.
Important Unpatched Vulnerabilities
Android Browser: Secunia reports a less critical vulnerability in the Android browser that can be exploited to trick a user into believing he is connected to a trusted site by including the trusted site in an iframe. The vulnerability is confirmed in Browser version 2.3.3 included in Android version 2.3.3 and Browser version 3.2 included in Android version 3.2. Other versions may also be affected. Users are cautioned to not rely on displayed certificate information. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.
AOL downloadUpdater2 Firefox Plugin: Secunia reports a highly critical vulnerability in version 184.108.40.206. Other versions may also be affected. No solution is currently available. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 12, 2012.
Apple Safari for Windows: Secunia reports a moderately critical vulnerability in Apple’s Safari version 5.1.2 (7534.52.7) on Windows using the RealPlayer and Adobe Flash plug-ins. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 11, 2012.
Apple Safari for Windows: Secunia reports a non-critical unpatched vulnerability in Safari 5.1.2. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.
CA ARCserve Backup: Secunia reports a less critical vulnerability in CA’s ARCserve Backup in versions 12.0, 12.5, 15, and 16. CA provides a partial fix solution and advises updating to a fixed version. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 25, 2012.
HTC Mobile Devices: The security vulnerability in the default Twitter application (Peep) in HTC products remains unpatched. Readers should refrain from using the default Twitter application (Peep). We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11, 2011.
HTC Touch2: The highly critical 0-day vulnerability in the HTC Touch2 VideoPlayer remains unpatched. Users are advised to not open files from untrusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 18, 2011.
McAfee SaaS: The highly critical vulnerability in McAfee SaaS Endpoint Protection remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, January 22, 2012.
Microsoft Windows XP: A less-critical security vulnerability has been found in Windows XP which can be exploited by malicious, local users to disclose potentially sensitive information or cause a DoS (Denial of Service). No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 7, 2011.
Microsoft Word: A highly critical vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. Readers should refrain from opening untrusted files in these earlier versions of Word. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19, 2011.
Microsoft Reader: The highly critical vulnerability in Microsoft Reader, versions 2.x, remains unpatched. Readers should refrain from opening untrusted files in Reader. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15, 2011.
PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. Readers should refrain from opening untrusted files in PDF-Pro. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4, 2011.
Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31, 2011.
Samsung / Dell Printers: Secunia reports a moderately critical security issue in Samsung’s ML-2580 and ML-4050 Monochrome Laser Printers and Dell’s 2145cn and 2335dn Multifunction Printers. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 2, 2012.
Samsung Galaxy S III: Secunia reports two highly critical vulnerabilities in the Galaxy S3 device. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, October 14, 2012.
Symantec pcAnywhere: As we reported in our Cyber Security News of the Week, January 29, 2012, Symantec has confirmed that the hacker group Anonymous stole source code from the 2006 versions of several Norton security products and the pcAnywhere remote access tool. Symantec has advised users to disable pcAnywhere because of the theft of the pcAnywhere source code.
VLC Media Player: As we reported in our Cyber Security News of the Week, December 16, 2012, Secunia reports a highly critical vulnerability in the VLC Media Player. No patch is available at this time.
ACD Systems: Citadel recommends users remove all ACD Systems programs from their computers. ACD Systems has failed to patch significant critical vulnerabilities in their programs dating back more than a year. Consequently, Citadel recommends users remove all ACD Systems programs from their computers until the company fixes these vulnerabilities and pays proper attention to the implications of their security vulnerabilities in opening doors to cyber criminals. The community cannot tolerate a head-in-the-sand attitude, whether by developers or the people who purchase and use their programs. The consequences of willful ignorance are too grave.
If you are responsible for the security of your computer, our weekly report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community
The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.