The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.
Important Security Updates
Adobe Flash Player: Adobe has released version 12.0.0.70 for its Flash Player to fix an extremely critical vulnerability. Updates are available through the program or from Adobe’s Flash Web Site. Updates are also available for Adobe AIR.
Adobe Shockwave Player: Adobe has released version 12.0.9.149 to fix two highly critical vulnerabilities reported in previous versions of Shockwave Player running on Windows and Macintosh. Updates are available through the program or from Adobe’s Shockwave Web Site.
Apple iOS Multiple Devices: Apple has released updates for its iOS to fix a critical vulnerability in the iPhone 3GS, iPod touch 4th generation, iPhone 4, iPod touch 5th generation, iPad 2 and later, Apple TV 2nd generation and later. Updates are available through the device or Apple’s website.
Dropbox: Dropbox has released version 2.6.13 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]
Foxit Reader: Foxit has released version 6.1.4 to fix a moderately critical vulnerability. Updates are available through the program or from Foxit’s website.
Google Chrome: Google has released version 33.0.1750.117 of Chrome for Windows, Mac, Linux and Chrome Frame to fix highly critical unpatched vulnerabilities in previous versions. Updates are available through the program.
Microsoft Internet Explorer: Microsoft has released an update to versions 9 and 10 of Internet Explorer to fix an extremely critical vulnerability. Updates are available through Windows Update in the Control Panel. US-CERT recommends upgrading to Internet Explorer 11.
Microsoft Windows: Microsoft has released an update to several versions of Windows, including Windows 8, 8.1 and Server 2012, to fix a highly critical vulnerability caused by the bundling of Adobe Flash Player within Internet Explorer. Updates are available through Windows Update in the Control Panel.
Siber Systems RoboForm: Siber Systems has released version 7.9.2 of Roboform. Updates are available from within the program, look for the “Check New Version” button on the Options menu or download from the Roboform website.
Skype: Skype has released Skype 6.14.0.104. Updates are available from the program.
Adobe Flash 12.0.0.70 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.06
Dropbox 2.6.13 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 27.0.1
Google Chrome 33.0.1750.117
Internet Explorer 11.0.9600.16518 [Windows 7: IE]
Internet Explorer 11.0.9600.16384 [Windows 8: IE]
Java SE 7 Update 51 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.4
Safari 5.1.7
Safari 7.0.1 [Mac OS X]
Skype 6.14.0.104
Newly Announced Unpatched Vulnerabilities
Netgear D6300B: Secunia reports moderately critical security issues in firmware versions 1.0.0.06 and 1.0.0.14. Other versions may also be affected. No official solution is currently available.
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.
For Your IT Department
Cisco Multiple Products: Secunia reports that Cisco has released updates for its Unified Communications Manager, Intrusion Prevention Software (IPS), Adaptive Security Appliance (ASA), Unified SIP Phone 3905, Unified Computing System (UCS), Firewall Services Module (FWSM), Email Security Appliance, Videoscape Distribution Suite Transparent Caching (VDS-TC) and others. Apply updates.
Citrix ShareFile for Android: Secunia reports that Citrix has released an update to fix a security issue reported in previous versions of Citrix ShareFile Mobile Application for Android and Citrix ShareFile Mobile for Tablets Application for Android. Update to version 2.4.4.
Symantec Endpoint Protection Manager: Secunia reports that Symantec has released updates for its Endpoint Protection Manager to fix a vulnerability in versions prior to 11.0.7405.1424 and 12.1.4023.4080. Update to a fixed version.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update (patch) to fix the code running on their customers’ computers.
Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
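The check this report asks readers to make, comparing what is installed against the current-version list above, can be scripted. The following is an added example written for this page, not a Citadel tool: the BASELINE entries are copied from the report’s version list, while INSTALLED is a constructed sample inventory (the product names and version strings there are assumptions, not data from any real machine). It deliberately refuses to treat an unparseable version string as “up to date”.

```python
"""Compare an inventory of installed software with the current-version
baseline published in a Weekend Vulnerability and Patch Report.

Added example for this page, not Citadel's own tool. BASELINE strings are
taken from the report's version list; INSTALLED is a constructed sample
inventory, not real data from any machine.
"""

# Product -> version string as printed in the report's current-version list.
BASELINE = {
    "Adobe Flash": "12.0.0.70",
    "Adobe Reader": "11.0.06",
    "Dropbox": "2.6.13",
    "Firefox": "27.0.1",
    "Google Chrome": "33.0.1750.117",
    "QuickTime": "7.7.4",
    "Skype": "6.14.0.104",
}

# Constructed sample of what an inventory script might collect on one PC.
INSTALLED = {
    "Adobe Flash": "12.0.0.44",        # last week's release: outdated
    "Adobe Reader": "11.0.06",          # matches baseline
    "Dropbox": "2.6.10",                # outdated
    "Firefox": "27.0.1",                # current
    "Google Chrome": "32.0.1700.107",   # outdated
    "Java SE": "7u51",                  # report lists no baseline entry
    "QuickTime": "7.7.4 (1680.86)",     # build suffix: not parseable, flag it
    "Skype": "6.14",                    # shorter string than the baseline
}


def parse_version(text: str) -> tuple:
    """Turn '11.0.06' into (11, 0, 6) so numeric comparison works.

    Leading zeros are dropped (11.0.06 == 11.0.6). Any non-numeric
    component raises ValueError: an unparseable string must never be
    silently reported as current.
    """
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_current(installed: str, baseline: str) -> bool:
    """True if installed >= baseline. The shorter tuple is padded with
    zeros so that '27.0' compares as 27.0.0 (older than 27.0.1)."""
    a, b = parse_version(installed), parse_version(baseline)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def audit(installed: dict, baseline: dict) -> dict:
    """Classify each installed product as 'current', 'outdated', 'unknown'
    (version string could not be parsed) or 'not in baseline'."""
    result = {}
    for product, version in installed.items():
        if product not in baseline:
            result[product] = "not in baseline"
            continue
        try:
            ok = is_current(version, baseline[product])
        except ValueError:
            result[product] = "unknown"
            continue
        result[product] = "current" if ok else "outdated"
    return result


def needs_attention(installed: dict, baseline: dict) -> list:
    """Products that are outdated or whose status is unknown; both need a
    manual look before the machine is declared patched."""
    status = audit(installed, baseline)
    return sorted(p for p, s in status.items() if s in ("outdated", "unknown"))


if __name__ == "__main__":
    for product, status in sorted(audit(INSTALLED, BASELINE).items()):
        print(f"{product:15} {INSTALLED[product]:18} {status}")
    print("needs attention:", ", ".join(needs_attention(INSTALLED, BASELINE)))
```

Anything in the “not in baseline” bucket (Java, in this sample) still has to be checked by hand against the vendor; the script only tells you what the report lets it compare.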
Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community
Fire Sale on Cards Stolen in Target Breach: Last year’s breach at Target Corp. flooded underground markets with millions of stolen credit and debit cards. In the days surrounding the breach disclosure, the cards carried unusually high price tags — in large part because few banks had gotten around to canceling any of them yet. Today, two months after the breach, the number of unsold stolen cards that haven’t been cancelled by issuing banks is rapidly shrinking, forcing the miscreants behind this historic heist to unload huge volumes of cards onto underground markets and at cut-rate prices. KrebsOnSecurity, February 19, 2014
Database Attack Exposes Personal Data At University of Maryland: IDG News Service — Personal records for more than 309,000 students and staff were exposed this week in a “sophisticated” database attack at the University of Maryland, the university said Wednesday. CIO, February 19, 2014
Kickstarter hacked, user data stolen: The crowd-funding site says hackers broke into its systems and made off with data. Apparently credit card numbers escaped the attack. Cnet, February 15, 2014
Cyber Privacy
Facebook Deal on Privacy Is Under Attack: SAN FRANCISCO — Despite a class-action settlement in August that was supposed to ensure that Facebook users clearly consent to their comments, images and “likes” being used in ads, it has been business as usual on the service. The New York Times, February 13, 2014
Cyber Warning
70 PERCENT OF ANDROID DEVICES EXPOSED FOR 93 WEEKS TO SIMPLE ATTACK: Android devices prior to version 4.2.1 of the operating system—70 percent of the phones and tablets in circulation—have been vulnerable to a serious and simple remote code execution vulnerability in the Android browser for more than 93 weeks. ThreatPost, February 18, 2014
TWO-FACTOR AUTHENTICATION VULNERABILITY IDENTIFIED IN WORDPRESS PLUGINS: Hosted two-factor authentication firm Duo Security acknowledged late last week that it discovered a vulnerability in its WordPress plugin (duo_wordpress plugin) that could allow a user to bypass two-factor authentication (2FA) on a multisite network. ThreatPost, February 19, 2014
Security message from FORBES: Forbes.com was targeted in a digital attack and our publishing platform was compromised. Forbes, February 2014
The New Normal: 200-400 Gbps DDoS Attacks: Over the past four years, KrebsOnSecurity has been targeted by countless denial-of-service attacks intended to knock it offline. Earlier this week, KrebsOnSecurity was hit by easily the most massive and intense such attack yet — a nearly 200 Gbps assault leveraging a simple attack method that industry experts say is becoming alarmingly common. KrebsOnSecurity, February 14, 2014
Cyber Security Management
How CFOs Can Face The Threat Of Cyber Crime: Cyber threats are a serious problem for businesses, and boards, investors and finance executives are sitting up and taking notice. Forbes, February 6, 2014
Cyber Security Management – Cyber Update
Adobe, Microsoft Push Fixes For 0-Day Threats: For the second time this month, Adobe has issued an emergency software update to fix a critical security flaw in its Flash Player software that attackers are already exploiting. Separately, Microsoft released a stopgap fix to address a critical bug in Internet Explorer versions 9 and 10 that is actively being exploited in the wild. KrebsOnSecurity, February 20, 2014
Cyber Security Management – Cyber Defense
Time to Harden Your Hardware?: Most Internet users are familiar with the concept of updating software that resides on their computers. But this past week has seen alerts about an unusual number of vulnerabilities and attacks against some important and ubiquitous hardware devices, from consumer-grade Internet routers, data storage and home automation products to enterprise-class security solutions. KrebsOnSecurity, February 18, 2014
Cyber Security Management – HIPAA
HEALTH CARE SYSTEMS POORLY PROTECTED, MANY ALREADY COMPROMISED: A new report from the SANS Institute warns that the push to digitize all health care records along with the emergence of HealthCare.gov and the general proliferation of electronic protected health information (ePHI) online will only exacerbate the security problems faced by those that store sensitive health care data. In other words, the report says, health care critical information assets are poorly protected and already compromised in many cases. ThreatPost, February 18, 2014
Securing the Village
Closing the cyber security threat intelligence gap: It’s no secret that one of the effects of the Edward Snowden revelations has been a slowdown in the effort to pass new cyber security legislation that facilitates information sharing between the government and the private sector. However, the need for cyber threat intelligence sharing is still vital, and with Congress sidelined, it’s going to take leadership from the nation’s corporate executives to make progress on this issue within the framework of our current laws. SC Magazine, February 18, 2014
National Cyber Security
Spy Chief Says Snowden Took Advantage of ‘Perfect Storm’ of Security Lapses: WASHINGTON — The director of national intelligence acknowledged Tuesday that nearly a year after the contractor Edward J. Snowden “scraped” highly classified documents from the National Security Agency’s networks, the technology was not yet fully in place to prevent another insider from stealing top-secret data on a similarly large scale. The New York Times, February 11, 2014
Cyber Law
The Year Ahead in Privacy and Data Security: 2014 promises to be another eventful year in the privacy and data security fields. Although predictions are necessarily risky, there is little sign that the revelations regarding government surveillance will cease, that cyber criminals and insiders will stop hacking into personal and proprietary data and that the FTC and other regulatory authorities will stop focusing on companies’ privacy and security policies and practices. [Author Tim Toohey is a member of ISSA-LA Community Outreach Advisory Board.] Morris, Pollich & Purdy, January 27, 2014
Cyber Misc
Reporting From the Web’s Underbelly: SAN FRANCISCO — In the last year, Eastern European cybercriminals have stolen Brian Krebs’ identity a half dozen times, brought down his website, included his name and some unpleasant epithets in their malware code, sent fecal matter and heroin to his doorstep, and called a SWAT team to his home just as his mother was arriving for dinner. The New York Times, February 17, 2014
Cyber-Calendar
ISSA-LA Sixth Annual Information Security Summit, May 16, Universal City Hilton. Speakers include Richard Clarke, former Assistant to the President; Jackie Lacey, Los Angeles County District Attorney; Roland Cloutier, CSO of ADP. For more information and to register, visit ISSA-LA.
The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.
Important Security Updates
Adobe Shockwave Player: Adobe has released version 12.0.9.149 to fix two highly critical vulnerabilities reported in previous versions of Shockwave Player running on Windows and Macintosh. Updates are available through the program or from Adobe’s Shockwave Web Site.
Check Point Technologies Zone Alarm: Check Point has released version 12.0.121.000 of the Free version of Zone Alarm. Updates are available from Check Point’s website.
Dropbox: Dropbox has released version 2.6.10 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]
Microsoft Patch Tuesday: Microsoft released several updates addressing at least 31 security vulnerabilities, some of which are highly critical, in Microsoft Office, Internet Explorer, and more. Updates are available via Windows Update or from Automatic Update.
Mozilla Firefox: Mozilla has released version 27.0.1 of Firefox. Updates are available within the browser or from Mozilla’s website.
Opera: Opera has released version 19.0.1326.63. Updates are available from within the browser or from Opera’s website.
Adobe Flash 12.0.0.44 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.06
Dropbox 2.6.10 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 27.0.1
Google Chrome 32.0.1700.107
Internet Explorer 11.0.9600.16518 [Windows 7: IE]
Internet Explorer 11.0.9600.16384 [Windows 8: IE]
Java SE 7 Update 51 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.4
Safari 5.1.7
Safari 7.0.1 [Mac OS X]
Skype 6.13.0.104
Newly Announced Unpatched Vulnerabilities
None
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.
For Your IT Department
Cisco Multiple Products: Secunia reports that Cisco has released updates for its Unified Communications Manager. Apply updates.
McAfee Firewall Enterprise: McAfee has released version 8.2.1 of its Firewall Enterprise (formerly Sidewinder Firewall) to fix a vulnerability in previous versions.
SonicWALL UMA EM5000: SonicWALL has released updates for its UMA EM5000 to fix a vulnerability reported in previous versions. Apply 7.1 SP2 or update to version 7.2.
Criminals Control, Cash Out Bank’s ATM Machines: In what could be a sign of what’s ahead in ATM fraud, a highly sophisticated and well-funded criminal gang targeted an overseas bank and commandeered at least four of its ATM machines with malware-rigged USB sticks in order to empty them of cash. DarkReading, February 13, 2014
Email Attack on Vendor Set Up Breach at Target: The breach at Target Corp. that exposed credit card and personal data on more than 110 million consumers appears to have begun with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer, according to sources close to the investigation. KrebsOnSecurity, February 12, 2014
Experts warn of coming wave of serious cybercrime: The rash of attacks against Target and other top retailers is likely to be the leading edge of a wave of serious cybercrime, as hackers become increasingly skilled at breaching the nation’s antiquated payment systems, experts say. Washington Post, February 9, 2014
Unveiling ‘The Mask’: Sophisticated malware ran rampant for 7 years: A cyberespionage operation that used highly sophisticated multi-platform malware went undetected for more than five years and compromised computers belonging to hundreds of government and private organizations in more than 30 countries. PC World, February 11, 2014
Cyber Attack
Attack on US Veterans Website May have Been Aimed At Military Members: IDG News Service — A cyberattack against the Veteran of Foreign Wars website, believed to have been initiated in China, may have sought to spy on U.S. military members, security company FireEye said Thursday. CIO, February 13, 2014
Cyber Privacy
Sidestepping the Risk of a Privacy Breach: This week, we reached the inevitable point in the controversy over the credit and debit card breaches where grim-faced retail executives from Target and Neiman Marcus, industry experts and consumer advocates turned up in Washington. They raised their hands and delivered well-rehearsed statements to our elected representatives. The New York Times, February 7, 2014
Identity Theft
Dogged by Data Theft: “What is stopping us from moving to this kind of technology?” asked a perplexed Senator Amy Klobuchar, Democrat from Minnesota. It was last Tuesday, and the Senate Judiciary Committee, on which Klobuchar sits, was holding a hearing about the recent breaches of Target and Neiman Marcus in which the data from tens of millions of credit and debit cards were stolen. The New York Times, February 10, 2014
Keeping Swindlers Out of Your Bank and Brokerage Accounts: Data breaches at Target and Neiman Marcus were certainly scary. Personal information from tens of millions of people fell into the hands of cybercriminals. The New York Times, February 8, 2014
Cyber Warning
Bizarre attack infects Linksys routers with self-replicating malware: Researchers say they have uncovered an ongoing attack that infects home and small-office wireless routers from Linksys with self-replicating malware, most likely by exploiting a code-execution vulnerability in the device firmware. ars technica, February 13, 2014
New zero-day bug in IE 10 exploited in active malware attack, MS warns (updated): Microsoft has confirmed reports of a recently active attack that surreptitiously installed malware on computers running a fully patched version 10 of the Internet Explorer browser. The attacks also work on IE 9, the company warned. ars technica, February 13, 2014
CERTIFICATES SPOOFING GOOGLE, FACEBOOK, GODADDY COULD TRICK MOBILE USERS: Dozens of phony SSL certificates were discovered this week mocking legitimate certs from banks, e-commerce sites, ISPs and social networks. If a user stumbled over one of the bogus certificates on a mobile device it could put them at risk for a man-in-the-middle attack. ThreatPost, February 13, 2014
REALISTIC RISK ASSESSMENT KEY TO SECURITY MANAGEMENT: PUNTA CANA – Although it may not be the most thrilling part of a security team’s job, the idea of operational risk assessment and management is perhaps the most important aspect of organizational security. ThreatPost, February 10, 2014
How To Get The Most Out Of Risk Management Spend: Even with most security budgets growing or at least staying flat for 2014, no organization ever has unlimited funds for protecting the business. That’s where a solid risk management plan can be a lifesaver. DarkReading, January 24, 2014
The 7 best habits of effective security pros: It’s easy for security professionals who are passionate about their careers to get caught up in the technology, but success today requires a lot more than technical savvy. Here are the traits successful security pros say are needed to succeed. CSO, January 8, 2014
Cyber Security Management – Cyber Update
Security Updates for Shockwave, Windows: Adobe and Microsoft today each issued patches to fix critical security flaws in their software. Microsoft’s February Patch Tuesday includes seven patch bundles addressing at least 31 vulnerabilities in Windows and related software. Adobe pushed out an update that fixes two critical bugs in its Shockwave Player. KrebsOnSecurity, February 11, 2014
Cyber Security Management – Cyber Defense
Microsoft Offers Multifactor Authentication to All Office 365 Users: IDG News Service (Bangalore Bureau) — Microsoft is offering multifactor authentication free as an option to all users of its Office 365 suite, a hosted set of Microsoft Office tools and applications. CIO, February 11, 2014
Cyber Security Management – HIPAA
Healthcare Information Security: Still No Respect: More than a decade after publication of HIPAA’s security rule, healthcare information security officers still struggle to be heard. Information Week, February 10, 2014
National Cyber Security
Feds Launch Cyber Security Guidelines For US Infrastructure Providers: The White House on Wednesday released the first version of its cyber security framework for protecting critical infrastructure. Critics say these voluntary guidelines enshrine the status quo. Information Week, February 12, 2014
NIST Framework Released to Widespread Praise, But What Happens Next?: Following a solid year of intensive work, the National Institute of Standards and Technology (NIST) released yesterday its “final” framework for improving critical infrastructure cybersecurity as mandated under a February 2013 executive order by President Obama. The 41-page document closely tracks, with some notable changes, the preliminary framework released by NIST in November. CIO, February 13, 2014
Launch of the Cybersecurity Framework: Today the Obama Administration is announcing the launch of the Cybersecurity Framework, which is the result of a year-long private-sector led effort to develop a voluntary how-to guide for organizations in the critical infrastructure community to enhance their cybersecurity. The Framework is a key deliverable from the Executive Order on “Improving Critical Infrastructure Cybersecurity” that President Obama announced in the 2013 State of the Union. The White House, February 12, 2014
Florida Targets High-Dollar Bitcoin Exchangers: State authorities in Florida on Thursday announced criminal charges targeting three men who allegedly ran illegal businesses moving large amounts of cash in and out of the Bitcoin virtual currency. Experts say this is likely the first case in which Bitcoin vendors have been prosecuted under state anti-money laundering laws, and that prosecutions like these could shut down one of the last remaining avenues for purchasing Bitcoins anonymously. KrebsOnSecurity, February 7, 2014
Cyber Calendar
ISSA-LA February Lunch Meeting: In March 2013, attackers launched an attack against Spamhaus that topped 300Gbps. Spamhaus gave us permission to talk about the details of the attack. While CloudFlare was able to fend off the attack, it exposed some vulnerabilities in the Internet’s infrastructure that attackers will inevitably exploit. If an Internet-crippling attack happens, this is what it will look like. And here’s what the network needs to do in order to protect itself. ISSA-LA, Event Date: February 19, 2014
Cybersecurity Essentials for Business Professionals: Please join us in this free presentation where we will discuss essential issues that every entrepreneur and business professional must know about cybersecurity laws, guidelines, and protocols. This event will be moderated and conducted by Salar Atrizadeh, Esq., principal and founder of the Law Offices of Salar Atrizadeh. Also, Stan Stahl, Ph.D., President of Citadel Information Group and ISSA-LA, Brad Maryman, and Howard Miller will serve as panelists. Law Offices of Salar Atrizadeh, Event Date: February 21, 2014
The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.
Important Security Updates
Adobe Flash Player: Adobe has released updates for its Flash Player to fix an extremely critical vulnerability. Updates are available through the program or from Adobe’s Flash Web Site.
AVG Antivirus Free Edition: AVG has released version 2014.0.4335 (32-bit) of its Free Edition Antivirus. Updates are available through the program or from AVG’s website.
Dropbox: Dropbox has released version 2.6.8 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]
Google Chrome: Google has released version 32.0.1700.107 of Chrome for Windows, Mac, Linux and Chrome Frame to fix a highly critical vulnerability in previous versions. Updates are available through the program.
Microsoft Windows: Microsoft has released an update to several versions of Windows, including Windows 8.1 and Server 2012, to fix a highly critical vulnerability caused by the bundling of Adobe Flash Player within Internet Explorer. Updates are available through Windows Update in the Control Panel.
Mozilla Firefox: Mozilla has released version 27.0 to fix at least 11 highly critical vulnerabilities in unpatched prior versions. Updates are available through the browser. Updates are also available for Thunderbird and SeaMonkey.
Opera: Opera has released version 19.0.1326.59. Updates are available from within the browser or from Opera’s website.
VLC Media Player: VLC has released version 2.1.3 (32-bit) of its Media Player. Download from the VLC website.
Adobe Flash 12.0.0.44 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.06
Dropbox 2.6.8 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 27.0
Google Chrome 32.0.1700.107
Internet Explorer 11.0.9600.16476 [Windows 7: IE]
Internet Explorer 11.0.9600.16384 [Windows 8: IE]
Java SE 7 Update 51 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.4
Safari 5.1.7
Safari 7.0.1 [Mac OS X]
Skype 6.13.0.104
Newly Announced Unpatched Vulnerabilities
None
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.
For Your IT Department
None
Penn. vendor confirms link to Target data probe: A western Pennsylvania heating and refrigeration contractor said it was the victim of a “sophisticated cyber attack operation” that is being investigated by the Secret Service and possibly linked to the data breach that enabled hackers to access millions of credit card numbers belonging to Target store customers. MPR News, February 7, 2014
Target Hackers Broke in Via HVAC Company: Last week, Target told reporters at The Wall Street Journal and Reuters that the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor. Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers. KrebsOnSecurity, February 5, 2014
Heat System Called Door to Target for Hackers: SAN FRANCISCO — Investigators say they believe they have identified the entry point through which hackers got into Target’s systems, zeroing in on the remote access granted through the retailer’s computerized heating and cooling software, according to two people briefed on the inquiry. The New York Times, February 5, 2014
These Guys Battled BlackPOS at a Retailer: Ever since news broke that thieves stole more than 40 million debit and credit card accounts from Target using a strain of Point-Of-Sale malware known as BlackPOS, much speculation has swirled around unanswered questions, such as how this malware was introduced into the network, and what mechanisms were used to infect thousands of Target’s cash registers. KrebsOnSecurity, February 4, 2014
Hackers access 800,000 Orange customers’ data: Orange customers in France could see a spike in phishing attempts after hackers nabbed hundreds of thousands of customers’ unencrypted personal data in an attack on the operator’s website. ZDNet, February 3, 2014
Hotel Franchise Firm White Lodging Investigates Breach: White Lodging, a company that maintains hotel franchises under nationwide brands including Hilton, Marriott, Sheraton and Westin appears to have suffered a data breach that exposed credit and debit card information on thousands of guests throughout much of 2013, KrebsOnSecurity has learned. KrebsOnSecurity, January 31, 2014
N.S.A. Program Gathers Data on a Third of Nation’s Calls, Officials Say: WASHINGTON — The National Security Agency’s once-secret program that is collecting bulk records of Americans’ domestic phone calls is taking in a relatively small portion of the total volume of such calls each day, officials familiar with the program said on Friday. The New York Times, February 7, 2014
Identity Theft
The Rise Of Medical Identity Theft In Healthcare: If modern technology has ushered in a plague of identity theft, one particular strain of the disease has emerged as most virulent: medical identity theft. Kaiser Health News, February 7, 2014
Target Vows to Speed Anti-Fraud Technology: WASHINGTON — A top executive of Target told a Senate committee on Tuesday that the company was accelerating plans to adopt a technology widely used in Europe but rare in the United States that reduces potential for credit card fraud, and lawmakers from both parties called on other businesses to do the same. The New York Times, February 4, 2014
File Your Taxes Before the Fraudsters Do: Jan. 31 marked the start of the 2014 tax filing season, and if you haven’t yet started working on your returns, here’s another reason to get motivated: Tax fraudsters and identity thieves may very well beat you to it. KrebsOnSecurity, February 3, 2014
Hackers use a trick to deliver Zeus banking malware: Hackers found a new way to slip past security software and deliver Zeus, a long-known malicious software program that steals online banking details. PC World, February 3, 2014
Malicious Java app infects Mac, Linux systems with DDoS bot: Criminals are once again using Java’s cross-platform design to add Linux and Mac users to their usual Windows target list, Kaspersky Labs researchers have discovered. PC World, February 1, 2014
Cyber Security Management
How to use Syrian Electronic Army attacks to improve security awareness: Recently, the authors have been called in to help companies handle attacks from the Syrian Electronic Army (SEA). Our first priority is to help contain the damage, figure out which accounts have been compromised that have not been used yet to cause damage, and clean things up. CSO, February 3, 2014
Cyber Security Management – Cyber Defense
Microsoft Takes to the Front Lines in the War on Cybercrime: The global cost of cybercrime in 2013 was estimated by McAfee to be upwards of $300 billion. One in five small businesses have now been on the receiving end of an attack and every day one million more individuals become victims of cyber-criminal activity. The internet is under attack, and we are the targets. Entrepreneur, February 6, 2014
Cyber Security Management – Cyber Update
Adobe Pushes Fix for Flash Zero-Day Attack: Adobe Systems Inc. is urging users of its Flash Player software to upgrade to a newer version released today. The company warns that an exploit targeting a previously unknown and critical Flash security vulnerability exists in the wild, and that this flaw allows attackers to take complete control over affected systems. KrebsOnSecurity, February 4, 2014
National Cyber Security
Snowden Used Low-Cost Tool to Best N.S.A.: WASHINGTON — Intelligence officials investigating how Edward J. Snowden gained access to a huge trove of the country’s most highly classified documents say they have determined that he used inexpensive and widely available software to “scrape” the National Security Agency’s networks, and kept at it even after he was briefly challenged by agency officials. The New York Times, February 8, 2014
Senate cybersecurity report finds agencies often fail to take basic preventive measures: The message broadcast in several states last winter was equal parts alarming and absurd: “Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living. . . . Do not attempt to approach or apprehend these bodies, as they are considered extremely dangerous.” The Washington Post, February 3, 2014
“Lunch Meeting – It Takes the Village to Secure the Village”: Dr. Stan Stahl, President of the Los Angeles Chapter of the Information Systems Security Association and President of Citadel Information Group presents. SOCALAFP, Event Date: February 14, 2014
ISSA-LA February Lunch Meeting: In March 2013, attackers launched an attack against Spamhaus that topped 300Gbps. Spamhaus gave us permission to talk about the details of the attack. While CloudFlare was able to fend off the attack, it exposed some vulnerabilities in the Internet’s infrastructure that attackers will inevitably exploit. If an Internet-crippling attack happens, this is what it will look like. And here’s what the network needs to do in order to protect itself. ISSA-LA, Event Date: February 19, 2014
Cybersecurity Essentials for Business Professionals: Please join us in this free presentation where we will discuss essential issues that every entrepreneur and business professional must know about cybersecurity laws, guidelines, and protocols. This event will be moderated and conducted by Salar Atrizadeh, Esq., principal and founder of the Law Offices of Salar Atrizadeh. Also, Stan Stahl, Ph.D., President of Citadel Information Group and ISSA-LA, Brad Maryman, and Howard Miller will serve as panelists. Law Offices of Salar Atrizadeh, Event Date: February 21, 2014
The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.
Important Security Updates
Google Chrome: Google has released version 32.0.1700.102 of Chrome for Windows, Mac, Linux and Chrome Frame to fix multiple highly critical vulnerabilities in previous versions. Updates are available through the program.
Opera: Opera has released version 19.00 to fix unpatched moderately critical vulnerabilities reported in a previously bundled version of Chromium. Updates are available from within the browser or from Opera’s website.
VLC Media Player: VLC has released version 2.1.2 (32-bit) of its Media Player to fix a highly critical vulnerability. Download from the VLC website.
Adobe Flash 12.0.0.38 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.06
Dropbox 2.6.2 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 26
Google Chrome 32.0.1700.102
Internet Explorer 11.0.9600.16476 [Windows 7: IE]
Internet Explorer 11.0.9600.16384 [Windows 8: IE]
Java SE 7 Update 51 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.4
Safari 5.1.7
Safari 7.0.1 [Mac OS X]
Skype 6.13.0.104
Newly Announced Unpatched Vulnerabilities
None
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.
For Your IT Department
Cisco Multiple Products: Secunia reports that Cisco has released many updates for multiple products, including Cisco TelePresence Systems (CTS), Secure Access Control System (ACS), NX-OS, Video Surveillance 5000 Series, Identity Services Engine (ISE), WebEx Meeting and others.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Point-Of-Sale System Attack Campaign Hits More Than 40 Retailers: Another day, another point-of-sale (POS) breach revelation: Dozens of retailers have been infected with a family of malware that stole payment card and personal information from some 50,000 customers. DarkReading, January 30, 2014
Target traces security breach to stolen vendor credentials: Target’s investigation of the massive security breach which allowed hackers to take millions of credit and debit card numbers has revealed a stolen vendor’s credentials as a source of access. ZDNet, January 30, 2014
New Clues in the Target Breach: An examination of the malware used in the Target breach suggests that the attackers may have had help from a poorly secured feature built into a widely-used IT management software product that was running on the retailer’s internal network. KrebsOnSecurity, January 29, 2014
Sources: Card Breach at Michaels Stores: Multiple sources in the banking industry say they are tracking a pattern of fraud on cards that were all recently used at Michaels Stores Inc., an Irving, Texas-based arts-and-crafts retailer that maintains more than 1,250 stores across the United States. KrebsOnSecurity, January 25, 2014
Cyber Attack
Hackers attack Yahoo Mail accounts: Yahoo Mail was recently the target of a cyber-attack, the company revealed in a blog post Thursday. CNN, January 30, 2014
EFF ACTIVISTS, JOURNALISTS HIT BY TARGETED MALWARE ATTACK: Phishing and malware attacks are among the more democratic and populist threats on the Internet. You don’t have to stand in the crowd in order to be targeted; the attackers will get to you sooner or later. But while most malware campaigns are aimed at the masses, attackers often save their best stuff for high-value targets, as a recent campaign targeting American journalists and activists from the EFF shows. ThreatPost, January 20, 2014
Flipping the Switches on Facebook’s Privacy Controls: FACEBOOK is all about sharing. But if you value your privacy, using the service means deciding not only what you want to share, but also who gets to see it. The New York Times, January 29, 2014
U.S. Relaxes Some Data Disclosure Rules: WASHINGTON — The Obama administration says it will allow Internet companies to give customers a better idea of how often the government demands their information, but will not allow companies to disclose what is being collected or how much. The New York Times, January 27, 2014
Spy Agencies Tap Data Streaming From Phone Apps: When a smartphone user opens Angry Birds, the popular game application, and starts slinging birds at chortling green pigs, spies could be lurking in the background to snatch data revealing the player’s location, age, sex and other personal information, according to secret British intelligence documents. The New York Times, January 27, 2014
Cyber Warning
DAILYMOTION STILL INFECTED, SERVING FAKE AV MALWARE: More than three weeks after notifying video-sharing site DailyMotion that it was compromised, security company Invincea reports the popular website is still infected. Threatpost, January 31, 2014
Careful! Malicious FileZilla FTP Client Circulating Steals FTP Login Credentials: Looking for a solid and feature rich FTP client? FileZilla is one of the better ones out there, but surfer beware, malware writers have taken notice of the popular program and have decided to prey on individuals who aren’t super diligent with their downloading habits. In other words, be real careful when downloading the FileZilla FTP client because there are fake copies making the rounds that are coded to steal your FTP login credentials. Hot HardWare, January 28, 2014
Lack of stronger cyber security may cost world economy $3 trillion: Failure to boost cyber security could cost the world economy a staggering $3 trillion as new regulations and approaches to deal with destructive attacks would stifle innovation, says a report. Economic Times, January 20, 2014
Cyber Security Management – Cyber Defense
Chip-and-PIN Security Push To Pit Retailers Against Banks: While the cost of breaches typically falls on the merchants, card issuers and banks would foot much of the bill for improving the security of the payment-card system. DarkReading, January 30, 2014
Apple.com does more to protect your password, study of top 100 sites finds: Apple, Microsoft, Chegg, Newegg, and Target do the best job of safeguarding customer passwords, according to a comprehensive study of the top 100 e-commerce websites that also ranked Major League Baseball, Karmaloop, Dick’s Sporting Goods, Toys R Us, and Aeropostale as performing the worst. ars technica, January 24, 2014
N.S.A. Choice Is Navy Expert on Cyberwar: WASHINGTON — In nominating Vice Adm. Michael S. Rogers as the new director of the National Security Agency on Thursday, President Obama chose a recognized expert in the new art of designing cyberweapons, but someone with no public track record in addressing the kinds of privacy concerns that have put the agency under a harsh spotlight. The New York Times, January 30, 2014
Pentagon, GSA map out acquisition cybersecurity; tester finds issues remain: (Reuters) – The U.S. Defense Department and General Services Administration on Wednesday mapped out six broad reforms to improve the cybersecurity of more than $500 billion in goods and services acquired by the U.S. federal government each year. Reuters, January 29, 2014
Cyber Career
Information security salaries set to rise in 2014: Salaries for information security professionals are set to rise across the board in the coming year as demand for people with skills in this sector increases. ComputerWeekly, January 30, 2014
Cyber Survey
Microsoft Maps Out Malware Haves And Have-Nots: Some countries suffer disproportionately from malware infections and cybercrime, and Windows XP could exacerbate the problem. Dark Reading, January 22, 2014
Cyber Sunshine
Feds to Charge Alleged SpyEye Trojan Author: Federal authorities in Atlanta today are expected to announce the arrest and charging of a 24-year-old Russian man who allegedly created and maintained the SpyEye Trojan, a sophisticated botnet creation kit that has been implicated in a number of costly online banking thefts against businesses and consumers. KrebsOnSecurity, January 28, 2014
Revenge-porn king Hunter Moore indicted on 7 counts of aggravated identity theft: Hunter Moore, king of revenge porn, aka “the most hated man on the internet”, he who claims to have slept well in spite of posting nude or sexually explicit photos without victims’ permission, was indicted on Thursday by a federal grand jury. NakedSecurity, January 27, 2014