The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.
Important Security Updates
Adobe Reader: Adobe has released version 11.0.02 for its Reader. Adobe has also released an update for Adobe Acrobat. Updates are available from within the program or Adobe’s website.
Apple iOS: Apple has released version 6.1.2 to update its operating system for iPhones. Updates are available through the iPhones.
Apple iTunes: Apple has released version 11.0.2 of iTunes. Updates are available through iTunes or Apple’s website.
Apple OS X Java: Apple has released Java for Mac OS X 10.6 Update 13, which brings Java SE 6 to version 1.6.0_41. Updates are available from Apple’s website.
Google Chrome: Google has released an update to Chrome to fix at least 22 highly critical vulnerabilities. Update to version 25.0.1364.97 for Windows and 25.0.1364.99 for Macs either through the program or from Chrome’s website.
Mozilla Firefox: Mozilla has released version 19.0 of Firefox to fix at least 14 highly critical vulnerabilities. Updates are available through Firefox. Updates are also available for Thunderbird and SeaMonkey.
Adobe Flash 11.6.602.167 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.02
Dropbox 1.6.11 [Citadel warns against relying on Dropbox security. We recommend that files containing sensitive information be independently encrypted with a program like AxCrypt; that encryption passphrases be at least 15 characters long; and that the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 19.0 [Windows]
Google Chrome 25.0.1364.97
Internet Explorer 9.0.8112.16421 [Windows 7: IE], [See warning below]
Internet Explorer 10.0.9200.16484 [Windows 8: IE]
Java SE 7 Update 15 [Citadel recommends removing or disabling Java in your browser. Java is a major source of cyber criminal exploits, and it is not needed for most internet browsing. If you have particular web sites that require Java, Citadel recommends a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser – such as Chrome, IE9, Safari, etc – with Java enabled to browse only the sites that require it.]
QuickTime 7.7.3 (1680.64)
Safari 5.1.7 [Windows, See warning below]
Safari 6.0.2 [Mac OS X]
Skype 6.2.0.106
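Added example, not part of Citadel’s report or any Citadel tool: a small Python check that compares an inventory of installed software against the minimum versions in the list above. The required versions are taken from the list (Windows entries for Firefox and Chrome, Adobe Reader per the release note at the top of the report, and Java SE 7 Update 15 written the way `java -version` prints it); the inventory dictionary is constructed for illustration and does not describe a real machine. The point it makes is that version strings must be compared field by field as numbers, since plain string comparison would call 25.0.1364.99 older than 25.0.1364.97.

```python
"""Compare an installed-software inventory against a patch report's
minimum versions.  Added example; only the version numbers come from
the report above, the inventory is constructed."""
import re

# Minimum versions from the February 24, 2013 list above (Windows entries for
# Firefox and Chrome; Adobe Reader per the report's release note; Java SE 7
# Update 15 written the way `java -version` prints it).
REQUIRED_VERSIONS = {
    "Adobe Flash": "11.6.602.167",
    "Adobe Reader": "11.0.02",
    "Firefox": "19.0",
    "Google Chrome": "25.0.1364.97",
    "Java SE": "1.7.0_15",
    "QuickTime": "7.7.3",
    "Skype": "6.2.0.106",
}

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def parse_version(text):
    """Turn strings like '11.6.602.167', '1.7.0_15' or '7.7.3 (1680.64)' into
    a tuple that compares the way version numbers should:
      * only the first whitespace-delimited word is used, so a build number
        in parentheses is ignored;
      * '.', '_' and '-' all separate fields, and numeric fields compare as
        integers (so '11.0.02' equals '11.0.2' and '25.0.1364.99' beats
        '25.0.1364.97', which plain string comparison would get wrong);
      * alphabetic fields are kept (lower-cased) and sort before any number
        in the same position;
      * trailing '.0' fields are dropped, so '19.0' equals '19.0.0'.
    """
    words = text.strip().split()
    core = words[0] if words else ""
    fields = []
    for tok in _TOKEN.findall(core):
        fields.append((1, int(tok)) if tok.isdigit() else (0, tok.lower()))
    while fields and fields[-1] == (1, 0):
        fields.pop()
    return tuple(fields)


def is_current(installed, required):
    """True when the installed version is at or above the required one."""
    return parse_version(installed) >= parse_version(required)


def audit(inventory, required=REQUIRED_VERSIONS):
    """Return {product: (installed, required)} for every product in the
    report that is behind.  A product the inventory does not mention is
    reported with installed=None: 'not listed' usually means 'unknown',
    not 'not installed', and should be confirmed by hand."""
    findings = {}
    for product, minimum in required.items():
        installed = inventory.get(product)
        if installed is None or not is_current(installed, minimum):
            findings[product] = (installed, minimum)
    return findings


# Constructed inventory for demonstration, not a real machine.
SAMPLE_INVENTORY = {
    "Adobe Flash": "11.5.502.149",    # previous month's build: behind
    "Adobe Reader": "11.0.02",        # current
    "Firefox": "18.0.2",              # behind
    "Google Chrome": "25.0.1364.99",  # above the Windows minimum: current
    "Java SE": "1.7.0_13",            # 7u13: behind
    "QuickTime": "7.7.3 (1680.64)",   # current; build number ignored
    # Skype deliberately absent
}

if __name__ == "__main__":
    for product, (have, need) in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{product:14} {'not listed' if have is None else have + ' < ' + need}")
```

Running it prints the four products that are behind or unaccounted for (Flash, Firefox, Java and the absent Skype). The inventory would normally come from the machine itself (the installed-programs registry keys on Windows, the application bundles on OS X); the comparison logic is the same either way.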
Newly Announced Unpatched Vulnerabilities
None
For Your IT Department
VMware Multiple Products: VMware has released updates for multiple products to fix at least 32 vulnerabilities, some of which are highly critical. Apply the appropriate updates.
Android Browser: Secunia reports a less critical vulnerability in the Android browser that can be exploited to trick a user into believing he is connected to a trusted site: the attacker loads the trusted site inside an iframe, and the browser’s displayed site and certificate information then describes the framed trusted site rather than the attacker’s page. The vulnerability is confirmed in Browser version 2.3.3 included in Android version 2.3.3 and Browser version 3.2 included in Android version 3.2. Other versions may also be affected. Users are cautioned not to rely on the displayed certificate information. Operators of sites likely to be targeted this way can refuse to be rendered inside a frame by sending the X-Frame-Options response header, which browsers that honor it will respect. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.
Apple iOS for iPhone: Secunia and The Verge both report a weakness in Apple’s iOS for iPhone 3GS and later that would allow someone with physical access to bypass the lock screen. No official solution is currently available. Reportedly Apple is planning to release an update. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 17, 2013.
Quick View Plus (CorelDRAW files): A highly critical vulnerability in Quick View Plus’s handling of CorelDRAW (CDR) files can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31, 2011.
Symantec pcAnywhere: As we reported in our Cyber Security News of the Week, January 29, 2012, Symantec has confirmed that the hacker group Anonymous stole source code from the 2006 versions of several Norton security products and the pcAnywhere remote access tool. Symantec has advised users to disable pcAnywhere because of the theft of the pcAnywhere source code.
ACD Systems: Citadel recommends that users remove all ACD Systems programs from their computers. ACD Systems has failed to patch significant critical vulnerabilities in its programs dating back more than a year. The programs should stay off users’ computers until the company fixes these vulnerabilities and pays proper attention to the implications of its security vulnerabilities in opening doors to cyber criminals. The community cannot tolerate a head-in-the-sand attitude, whether by developers or the people who purchase and use their programs. The consequences of willful ignorance are too grave.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue a patch to fix the code running on their customers’ computers; the fix protects a computer only once the patch is actually installed on it.
Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community
The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.
Weekend Vulnerability and Patch Report, February 24, 2013
NBC.com hacked, briefly compromised with RedKit malware: The website NBC.com and other NBC websites were hacked and compromised by malware for a few hours around Thursday 12pm PST with RedKit malware. ZDNet, February 21, 2013
Developer Site That Was Used To Hack Facebook And Apple Issues Mea Culpa: The recent hacker breaches of high-profile tech firms including Facebook and Apple began with the compromise of another site you’ve likely never heard of: iPhoneDevSDK.com. And now that initial victim in the hacking spree is coming clean. Forbes, February 20, 2013
Educause Server Hit With Security Breach: A non-profit association for IT professionals in higher education announced Tuesday its server had been breached. ThreatPost, February 19, 2013
DDoS Attack on Bank Hid $900,000 Cyberheist: A Christmas Eve cyberattack against the Web site of a regional California financial institution helped to distract bank officials from an online account takeover against one of its clients, netting thieves more than $900,000. KrebsOnSecurity, February 19, 2013
The Shanghai Army Unit That Hacked 115 U.S. Targets Likely Wasn’t Even China’s ‘A-Team’: In just the last week, the abbreviation APT1 has come to represent the bogeyman of digital espionage nightmares. On Monday, security response firm Mandiant released a report profiling a hacker group of that name, referring to it as Advanced Persistent Threat One, and providing detailed evidence that it represented the most active hacking unit within China’s People’s Liberation Army, one that’s compromised more than 141 private sector and government targets in seven years, 115 of which were American. Forbes, February 21, 2013
China Biggest, But Not the Only Country Engaged in Cyberespionage: Computerworld – China is by far the most aggressive, but not the only, country attempting the sort of extensive cyberespionage described in security firm Mandiant’s dramatic report, released this week. CIO, February 20, 2013
Bit9 Breach Began in July 2012: Malware Found Matches Code Used Vs. Defense Contractors in 2012: Cyber espionage hackers who broke into security firm Bit9 initially breached the company’s defenses in July 2012, according to evidence being gathered by security experts investigating the incident. Bit9 remains reluctant to name customers that were impacted by the intrusion, but the custom-made malicious software used in the attack was deployed last year in highly targeted attacks against U.S. Defense contractors. KrebsOnSecurity, February 20, 2013
Chinese Army Unit Is Seen as Tied to Hacking Against U.S.: On the outskirts of Shanghai, in a run-down neighborhood dominated by a 12-story white office tower, sits a People’s Liberation Army base for China’s growing corps of cyberwarriors. The New York Times, February 18, 2013
Cyber Privacy
If You’re Collecting Our Data, You Ought to Protect It: Last summer, employees at the National Aeronautics and Space Administration received an in-house newsletter illustrated with mock front pages of USA Today and The Washington Post and seemingly hyperbolic headlines like: “NASA Laptop Stolen, Potential Compromise of 10,000 Employees’ Private Information!” The New York Times, February 16, 2013
The President Revives an Old Debate About Privacy: Few expect Internet privacy legislation in Congress this year. But many were heartened that the “p” word came up at all in the State of Union address Tuesday night. The New York Times, February 14, 2013
Cyber Warning
Hackers circulate tainted version of China cyber security report: (Reuters) – Unknown hackers are trying to infect computers by capitalizing on strong interest in a recent report by a security firm that accuses the Chinese military of supporting widespread cyber attacks on U.S. companies. Reuters, February 22, 2013
Cyber Update
Critical Security Updates for Adobe Reader, Java: Adobe and Oracle each released updates to fix critical security holes in their software. Adobe’s patch plugs two zero-day holes that hackers have been using to break into computers via Adobe Reader and Acrobat. Separately, Oracle issued updates to correct at least five security issues with Java. KrebsOnSecurity, February 20, 2013
Oracle Releases New Java Fixes, Speeds Up Patching Cycle: IDG News Service – Oracle released new Java security updates on Tuesday and announced plans to accelerate the release of future Java patches following recent attacks that have infected computers with malware by exploiting zero-day vulnerabilities in Java browser plug-ins. CIO, February 20, 2013
Chrome 25 Fixes Nine High-Risk Vulnerabilities: Google has fixed nine high-severity vulnerabilities in its Chrome browser, as well as a dozen other flaws with the release of Chrome 25. This release is one of the few for which the company did not pay out much in the way of bug bounties, only giving out $3,500. ThreatPost, February 22, 2013
Cyber Security Management – Employee Awareness
5 myths about awareness: I’m often amazed by all the myths and misconceptions that pervade the security community when it comes to security awareness training. Here are the most common falsehoods I have heard, and why they are wrong. CSO, February 11, 2013
Cyber Security Management – HIPAA
HITRUST Establishing Work Group To Address Cybersecurity Issues: On Wednesday, the Health Information Trust Alliance announced that it will establish a new work group to address cybersecurity issues, Modern Healthcare reports. iHealthBeat, February 22, 2013
National Cyber Security
Smoking gun: Evidence is mounting that China’s government is sponsoring the cybertheft of Western corporate secrets. What should America do to stop it? The Economist, February 23, 2013
Malware getting smarter, says McAfee: Savvier cyberattacks are being directed toward more critical segments of the U.S. economy, says the security provider. CNet, February 21, 2013
Cyber Career
15 tips for landing – and acing – a job interview: 1. Write a great resume to open the door: Interviews are granted to those whose resumes demonstrate accomplishments, contributions and value. If you’re not a great writer and you have trouble tooting your own horn, seek help from industry friends or consider a security-resume writer. CSO, February 4, 2013
Cyber Sunshine
The long arm of the Google: Is Google becoming a key arm of the law-enforcement complex? It certainly seems to be so with respect to art thefts. I first came across this idea back in November, when Bloomberg Markets profiled Jeff Gundlach, who was hit by art thieves in September… Reuters, February 20, 2013
Securing the Village-Events Calendar
ISSA-LA March Dinner Meeting; March 20, 2013. For more information and to register, visit ISSA-LA.
NAWBO Ventura County March Dinner Meeting, March 28, 2013: Citadel Vice President Ms. Kimberly Pease, CISSP, will speak on cybersecurity at the monthly meeting of the Ventura County Chapter of the National Association of Women Business Owners. In her talk The Growing Cyber Threat: Why the Bad Guys are Winning!, Kimberly will identify threats to information and computers, review common weaknesses being exploited by the bad guys and offer proactive steps you can take at business and at home to increase your security posture and decrease your exposure.
ISSA-LA April Lunch Meeting; April 17, 2013. For more information and to register, visit ISSA-LA.
Santa Monica Rotary Club; Lunch Meeting, May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk – It Takes the Village to Secure the Village SM – Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user’s computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.
ISSA-LA Fifth Annual Information Security Summit; May 21, 2013: Join over 500 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator. For more information and to register, visit ISSA-LA. Special Early-Bird pricing until March 1.
Cyber Security News of the Week, February 24, 2013
The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.
Apple iOS: Apple has released version 6.1.1 to update its operating system for iPhones. Updates are supposed to be available through the device. However, on some devices, “Check for Updates” mistakenly shows 6.1 as current version. We have not found a way to force an update to 6.1.1.
Apple iTunes: Apple has released version 11.0.1 of iTunes. Updates are available through iTunes or Apple’s website.
Microsoft Patch Tuesday: Microsoft released a dozen patches addressing at least 57 security vulnerabilities, many of them highly critical in Windows, Office, Internet Explorer, Exchange and .NET Framework. Updates are available via Windows Update or from Automatic Update.
Adobe Flash 11.6.602.167 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.01
Dropbox 1.6.11 [Citadel warns against relying on Dropbox security. We recommend that files containing sensitive information be independently encrypted with a program like AxCrypt; that encryption passphrases be at least 15 characters long; and that the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 18.0.2 [Windows]
Google Chrome 24.0.1312.57
Internet Explorer 9.0.8112.16421 [Windows 7: IE], [See warning below]
Internet Explorer 10.0.9200.16484 [Windows 8: IE]
Java SE 7 Update 13 [Citadel recommends removing or disabling Java in your browser. Java is a major source of cyber criminal exploits, and it is not needed for most internet browsing. If you have particular web sites that require Java, Citadel recommends a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser – such as Chrome, IE9, Safari, etc – with Java enabled to browse only the sites that require it.]
QuickTime 7.7.3 (1680.64)
Safari 5.1.7 [Windows, See warning below]
Safari 6.0.2 [Mac OS X]
Skype 6.1.0.129
Newly Announced Unpatched Vulnerabilities
Adobe Reader / Acrobat: Secunia reports two extremely critical vulnerabilities in both Adobe Reader and Acrobat. The following versions are affected: Adobe Reader XI and Acrobat XI versions 11.0.01 and prior for Windows and Macintosh, Adobe Reader X and Acrobat X versions 10.1.5 and prior for Windows and Macintosh, Adobe Reader versions 9.5.3 and prior for Windows, Macintosh, and Linux and Adobe Acrobat versions 9.5.3 and prior for Windows and Macintosh. There are no patches available at this time.
Adobe Shockwave Player: Secunia reports at least two highly critical vulnerabilities. No patches are available at this time.
Apple iOS for iPhone: Secunia and The Verge both report a weakness in Apple’s iOS for iPhone 3GS and later that would allow someone with physical access to bypass the lock screen. No official solution is currently available. Reportedly Apple is planning to release an update.
For Your IT Department
BlackBerry Enterprise Server: Secunia reports at least two highly critical vulnerabilities in BlackBerry’s Enterprise Server. The versions affected are BlackBerry Enterprise Server Express versions 5.0.4 and prior for Microsoft Exchange and IBM Lotus Domino, and BlackBerry Enterprise Server versions 5.0.4 and prior for Microsoft Exchange, IBM Lotus Domino, and Novell GroupWise. Update to a fixed version or apply the interim security update.
McAfee VirusScan: Secunia reports a vulnerability in McAfee’s VirusScan Enterprise and Host Intrusion Prevention. Apply applicable updates.
Important Unpatched Vulnerabilities
Android Browser: Secunia reports a less critical vulnerability in the Android browser that can be exploited to trick a user into believing he is connected to a trusted site: the attacker loads the trusted site inside an iframe, and the browser’s displayed site and certificate information then describes the framed trusted site rather than the attacker’s page. The vulnerability is confirmed in Browser version 2.3.3 included in Android version 2.3.3 and Browser version 3.2 included in Android version 3.2. Other versions may also be affected. Users are cautioned not to rely on the displayed certificate information. Operators of sites likely to be targeted this way can refuse to be rendered inside a frame by sending the X-Frame-Options response header, which browsers that honor it will respect. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.
Quick View Plus (CorelDRAW files): A highly critical vulnerability in Quick View Plus’s handling of CorelDRAW (CDR) files can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31, 2011.
Symantec pcAnywhere: As we reported in our Cyber Security News of the Week, January 29, 2012, Symantec has confirmed that the hacker group Anonymous stole source code from the 2006 versions of several Norton security products and the pcAnywhere remote access tool. Symantec has advised users to disable pcAnywhere because of the theft of the pcAnywhere source code.
ACD Systems: Citadel recommends that users remove all ACD Systems programs from their computers. ACD Systems has failed to patch significant critical vulnerabilities in its programs dating back more than a year. The programs should stay off users’ computers until the company fixes these vulnerabilities and pays proper attention to the implications of its security vulnerabilities in opening doors to cyber criminals. The community cannot tolerate a head-in-the-sand attitude, whether by developers or the people who purchase and use their programs. The consequences of willful ignorance are too grave.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue a patch to fix the code running on their customers’ computers; the fix protects a computer only once the patch is actually installed on it.
Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Weekend Vulnerability and Patch Report, February 17, 2013
Facebook Says Hackers Breached Its Computers: Facebook admitted that it was breached by sophisticated hackers in recent weeks, two weeks after Twitter made a similar admission. Both Facebook and Twitter were breached through a well-publicized vulnerability in Oracle’s Java software. The New York Times, February 15, 2013
Exploit Sat on LA Times Website for 6 Weeks: The Los Angeles Times has scrubbed its Web site of malicious code that served browser exploits and malware to potentially hundreds of thousands of readers over the past six weeks. KrebsOnSecurity, February 13, 2013
Cyber Privacy
Staying Private on the New Facebook: Facebook is a personal vault that can contain photos of your firstborn, plans to bring down your government and, occasionally, a record of your indiscretions. New York Times, February 6, 2013
Zero-Day Flaws in Adobe Reader, Acrobat: Adobe is warning that attackers are exploiting critical flaws in its PDF Reader and Acrobat software to break into vulnerable systems, and that the exploit being used in attacks evades the sandbox protection built into these products. KrebsOnSecurity, February 15, 2013
iPhone lockscreen can be bypassed with new iOS 6.1 trick: A security flaw in Apple’s iOS 6.1 lets anyone bypass your iPhone password lock and access your phone app, view or modify contacts, check your voicemail, and look through your photos (by attempting to add a photo to a contact). The method, as detailed by YouTube user videosdebarraquito, involves making (and immediately canceling) an emergency call and holding down the power button twice. We followed the steps and managed to access the phone app on two UK iPhone 5s running iOS 6.1. This isn’t the first time this has happened – a very similar bug affected iOS 4.1, and was fixed in iOS 4.2. We’ve reached out to Apple for comment and will update you once we hear back. The Verge, February 14, 2013
Yahoo! Pushing Java Version Released in 2008: At a time when Apple, Mozilla and other tech giants are taking steps to prevent users from browsing the Web with outdated versions of Java, Yahoo! is pushing many of its users in the other direction: The free tool that it offers users to help build Web sites installs a dangerously insecure version of Java that is more than four years old. KrebsOnSecurity, February 11, 2013
Cyber Security Management – Cyber Update
Fat Patch Tuesday: Adobe and Microsoft each have issued security updates to fix multiple critical vulnerabilities in their products. Adobe released updates for Flash Player, AIR and Shockwave; Microsoft pushed out a dozen patches addressing at least 57 security holes in Windows, Office, Internet Explorer, Exchange and .NET Framework. KrebsOnSecurity, February 12, 2013
Cyber Security Management
Hackers Aim Arrows at Retail Bulls Eye: Cyber security breaches may come in all shapes and sizes, but thieves are honing in on the retail industry, hoping to slip through the sector’s security loopholes on the hunt for credit card numbers. Fox News, February 15, 2013
Leaving the door unlocked in information security: Inside the enterprise: Most data security threats are well known and can be prevented. But research shows firms fail to act. ITPro, February 14, 2013
Survey of GCs Sees Cybersecurity Risk, Anxiety [Dr. Stahl quoted]: Despite the growing threat of computer security breaches, some 30 percent of general counsel in a recent survey said their companies were not prepared to deal with such a crisis. And experts say more GCs need to overcome their technophobia and help their firms face the increasing risk. Law.com, February 13, 2013
U.S. Agency Issues Call for National Cybersecurity Standards: In the post-Stuxnet world, the prospect of undeclared cyberwar has been dragged out of the shadows to the front pages. With that in mind, yesterday the U.S. National Institute of Standards and Technology (NIST) kicked off an effort to establish a set of best practices for protecting the networks and computers that run the country’s critical infrastructure. The Cybersecurity Framework was initiated at the behest of President Barack Obama, who issued an executive order calling for a common core of standards and procedures aimed at keeping power plants and financial, transportation, and communication systems from falling prey to any of a wide range of cybersecurity threats. IEEE Spectrum, February 15, 2013
Securing the Village
Certificate Authorities Form Group to Educate on SSL Best Practices: Responding to the increasing number of threats aimed at certificate authorities and the ecosystem of trusted online transactions they represent, seven certificate authorities have come together to form an advocacy group to advance security standards and promote best practices. CIO, February 15, 2013
European Union: EU Proposed Directive On Network And Information Security: On 7 February, the European Commission (EC) published an EU Cyber Security Strategy encompassing a proposed Directive on Network and Information Security (NIS Directive). The aim of the Strategy and NIS Directive is to establish a secure and trustworthy digital environment while promoting and protecting fundamental rights, including data protection, democracy and the rule of law. Mondaq, February 15, 2013
National Cyber Security
Napolitano Names Top Three Countries Where Cyber Attacks Against U.S. Are Launched: Homeland Security Secretary Janet Napolitano told NewsHour senior correspondent Ray Suarez on Friday that cyber attacks on the United States are on the rise, and internationally, three countries are the biggest sources: Iran, Russia and China. PBS Newshour, February 15, 2013
ACLU Responds to Executive Order on Cybersecurity; Opposes CISPA: WASHINGTON – President Obama tonight signed an executive order to protect U.S. critical infrastructure from cyberattacks by improving cybersecurity information sharing between the government and owners and operators of the nation’s critical infrastructure. Unlike legislation that will be introduced into the House tomorrow, the president’s executive order seeks to protect Americans’ digital privacy when information-sharing occurs, according to the ACLU. ACLU, February 13, 2013
Obama’s cybersecurity executive order: What you need to know: There was grave concern that the president could sign an executive order effectively signing into law some, if not most, parts of the proposed Cyber Intelligence Sharing and Protection Act (CISPA) Bill. Though it was passed by the US House, it failed to gain traction in the Senate, and also faced threats by the White House to veto the Bill altogether. (The whole Bill can be found at the bottom of this article.) ZDNet, February 13, 2013
Obama signs cybersecurity executive order ahead of State Of The Union: President Obama signed an executive order aimed at bolstering U.S. cybersecurity prior to tonight’s State of the Union address. The Order precedes a House Homeland Security Committee hearing on “new threats.” ZDNet, February 13, 2013
President Obama’s Cybersecurity Executive Order Scores Much Better Than CISPA On Privacy: With the reintroduction of the much-maligned Cyber Intelligence Sharing and Protection Act scheduled for the day after the State of the Union, the House of Representatives may have hoped the President’s own cybersecurity initiative would divert some of the attention away from the controversial legislation known as CISPA. Instead, the White House’s long-awaited executive order on cybersecurity is actually scoring points with the privacy advocates, and putting CISPA in a worse light than ever. Forbes, February 12, 2013
Contest aims to boost state of password encryption: A group of cryptographers from academia and the tech industry are hoping to improve online password protection by holding an international competition to develop a new password hash algorithm that is more difficult for hackers to break. CSO, February 15, 2013
Cyber Sunshine
Cybercrime Network Based in Spain Is Broken Up: MADRID – Europol, the European police agency, said Wednesday that it had dismantled one of the most efficient cybercrime organizations to date, led by Russians who had managed to extort millions of euros from online users across more than 30 countries – mostly European – by persuading them to pay spurious police fines for abusive use of the Internet. The New York Times, February 13, 2013
Securing the Village-Events Calendar
ISSA-LA February Lunch Meeting; February 20, 2013. Bring your CFO to Work Day: 5 Tips for Optimizing the InfoSec/ Finance Relationship. For more information and to register, visit ISSA-LA.
ISSA-Ventura County February Dinner Meeting; February 21, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak at the monthly meeting of the Ventura County ISSA Chapter. The meeting is held at Cal Lutheran University. For more information please contact [email protected] or call 805-876-4229.
ISSA-LA March Dinner Meeting; March 20, 2013. For more information and to register, visit ISSA-LA.
NAWBO Ventura County March Dinner Meeting, March 28, 2013: Citadel Vice President Ms. Kimberly Pease, CISSP, will speak on cybersecurity at the monthly meeting of the Ventura County Chapter of the National Association of Women Business Owners. In her talk The Growing Cyber Threat: Why the Bad Guys are Winning!, Kimberly will identify threats to information and computers, review common weaknesses being exploited by the bad guys and offer proactive steps you can take at business and at home to increase your security posture and decrease your exposure.
ISSA-LA April Lunch Meeting; April 17, 2013. For more information and to register, visit ISSA-LA.
Santa Monica Rotary Club; Lunch Meeting, May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk – It Takes the Village to Secure the Village SM – Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user’s computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.
ISSA-LA Fifth Annual Information Security Summit; May 21, 2013: Join over 500 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator. For more information and to register, visit ISSA-LA. Special Early-Bird pricing until March 1.
Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community
The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.
Cyber Security News of the Week, February 17, 2013
The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.
Microsoft Flash Player: Microsoft has released an update to fix 2 highly critical vulnerabilities in a version of Adobe Flash Player within Internet Explorer 10.
Mozilla Firefox: Mozilla has released an update to its Firefox browser. Update from within Firefox.
Adobe Flash 11.5.502.149 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.01
Dropbox 1.6.11 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 18.0.2 [Windows]
Google Chrome 24.0.1312.56
Internet Explorer 9.0.8112.16421 [Windows 7: IE], [See warning below]
Internet Explorer 10.0.9200.16466 [Windows 8: IE]
Java SE 7 Update 13 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have particular web sites that require Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser – such as Chrome, IE9, Safari, etc. – with Java enabled to browse only the sites that require it.]
QuickTime 7.7.3 (1680.64)
Safari 5.1.7 [Windows, See warning below]
Safari 6.0.2 [Mac OS X]
Skype 6.1.0.129
Newly Announced Unpatched Vulnerabilities
D-Link DIR-300 / DIR-600: Secunia reports multiple moderately critical vulnerabilities in two of D-Link’s wireless routers, the DIR-300 and DIR-600. There are no patches available at this time.
For Your IT Department
Apple OS X Server: Secunia reports at least 2 highly critical vulnerabilities in Apple’s OS X Server. Update to version 2.2.1.
Cisco Multiple Products: Cisco has released updates for multiple products, including its Nexus 7000 Series switches, ATA Series devices, IOS Catalyst Switches, and others. Apply appropriate updates.
HP LeftHand Virtual SAN: Secunia reports multiple moderately critical vulnerabilities in HP’s LeftHand Virtual SAN Appliance Software. Upgrade to version 10.0.
VMWare: Secunia reports vulnerabilities in several of VMWare’s products, including Workstation, Fusion, View, ESXi, ESX Server and others. Apply appropriate patches.
Important Unpatched Vulnerabilities
Android Browser: Secunia reports a less critical vulnerability in the Android browser that can be exploited to trick a user into believing he is connected to a trusted site by including the trusted site in an iframe. The vulnerability is confirmed in Browser version 2.3.3 included in Android version 2.3.3 and Browser version 3.2 included in Android version 3.2. Other versions may also be affected. Users are cautioned to not rely on displayed certificate information. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.
Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31, 2011.
Symantec pcAnywhere: As we reported in our Cyber Security News of the Week, January 29, 2012, Symantec has confirmed that the hacker group Anonymous stole source code from the 2006 versions of several Norton security products and the pcAnywhere remote access tool. Symantec has advised users to disable pcAnywhere because of the theft of the pcAnywhere source code.
ACD Systems: Citadel recommends users remove all ACD Systems programs from their computers. ACD Systems has failed to patch significant critical vulnerabilities in its programs dating back more than a year. Consequently Citadel recommends users remove all ACD Systems programs from their computers until the company fixes these vulnerabilities and pays proper attention to the implications of its security vulnerabilities in opening doors to cyber criminals. The community cannot tolerate a head-in-the-sand attitude, whether by developers or the people who purchase and use their programs. The consequences of willful ignorance are too grave.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.
Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Weekend Vulnerability and Patch Report, February 10, 2013
Secret Service investigating hack of Bush family e-mails: The Secret Service said Friday that it is investigating the theft of numerous personal e-mails from members of the Bush family, after an apparent hacker leaked the e-mails and Bush family photos to the Smoking Gun’s Web site. The Washington Post, February 8, 2013
Security Firm Bit9 Hacked, Used to Spread Malware: Bit9, a company that provides software and network security services to the U.S. government and at least 30 Fortune 100 firms, has suffered an electronic compromise that cuts to the core of its business: helping clients distinguish known “safe” files from computer viruses and other malicious software. KrebsOnSecurity, February 8, 2013
Crooks Net Millions in Coordinated ATM Heists: Organized cyber criminals stole almost $11 million in two highly coordinated ATM heists in the final days of 2012, KrebsOnSecurity has learned. The events prompted Visa to warn U.S. payment card issuers to be on high-alert for additional ATM cash-out fraud schemes in the New Year. KrebsOnSecurity, February 6, 2013
Hacktivists
Federal Reserve Admits It was Briefly Hacked During Super Bowl: Two days after the group Anonymous boasted it had broken into a government Web site and had the data dump to prove it, the U.S. Federal Reserve admitted it was hacked. ThreatPost, February 5, 2013
Cyber Espionage
China cyberspies highlighted by Schmidt book, Post report: Hot on the heels of reports from The New York Times and The Wall Street Journal, another storied U.S. newspaper – The Washington Post – has confirmed that it too was attacked by what it suspects were Chinese hackers. And a new book from Google’s Eric Schmidt reportedly calls the Asian country “the most sophisticated and prolific” hacker of foreign companies. CNet, February 2, 2013
Source: Washington Post Also Broadly Infiltrated By Chinese Hackers in 2012: The Washington Post was among several major U.S. newspapers that spent much of 2012 trying to untangle its newsroom computer networks from a Web of malicious software thought to have been planted by Chinese cyberspies, according to a former information technology employee at the paper. KrebsOnSecurity, February 1, 2013
Cyber Privacy
The Threat of Silence: Meet the groundbreaking new encryption app set to revolutionize privacy and freak out the feds. Slate, February 4, 2013
FTC Endorses New Privacy Guidelines, Do Not Track for Mobile Apps, Devices: Hoping to ramp up privacy on mobile devices such as smartphones and tablets, the Federal Trade Commission (FTC) has released a series of suggestions to help app developers, advertising networks and device companies better protect their users online. ThreatPost, February 4, 2013
Cyber Warning
New Whitehole Exploit Toolkit Emerges on the Underground Market: IDG News Service – A new exploit kit called Whitehole has emerged on the underground market, providing cybercriminals with one more tool to infect computers with malware over the Web, security researchers from antivirus vendor Trend Micro reported Wednesday. CIO, February 7, 2013
‘Fragmentation’ leaves Android phones vulnerable to hackers, scammers: In late October, researchers at North Carolina State University alerted Google to a security flaw that could let scam artists send phony text messages to Android phones – a practice called “smishing” that can ensnare consumers in fraud. The Washington Post, February 6, 2013
Android malware emerges on Google Play which installs a trojan on your PC, uses your microphone to record you: We’ve seen malware for PCs that infects mobile devices, but it turns out there’s also malware for mobile devices designed to infect PCs. Kaspersky researchers have discovered a new piece of Android malware that masquerades as a “cleaner” app meant to free memory for Google’s operating system but wreaks havoc on your smartphone in the background and on Microsoft’s operating system when it’s connected to a PC. TNW, February 3, 2013
Pro-Grade Point-of-Sale Skimmer: Every so often, the sophistication of the technology being built into credit card skimmers amazes even the experts who are accustomed to studying such crimeware. This post focuses on one such example – images from one of several compromised point-of-sale devices that used Bluetooth technology to send the stolen data to the fraudsters wirelessly. KrebsOnSecurity, February 1, 2013
Cyber Security Management
Ex-Employees Say It’s OK To Take Corporate Data With Them: New Symantec survey finds nearly 70 percent of employees who recently left or were fired from their job say their organizations don’t prevent them from using confidential info. DarkReading, February 7, 2013
More Executives Worry About Cyberattacks, Study Says: More corporate executives are concerned about cyberattacks and data breaches than property damage and investment risk, according to a survey commissioned by insurer American International Group Inc. The Wall Street Journal, February 6, 2013
Calling general counsel to the front lines of cybersecurity: As President Barack Obama studies how the U.S. military should respond to an increasing number of cyber attacks against public and private institutions, general counsel would be wise to examine their own companies’ situations. Daily Report, February 6, 2013
Backup Databases: The Data Security Achilles’ Heel: The same sensitive information on production databases resides on backups – protect them accordingly. Dr. Stahl is quoted in this story. DarkReading, February 5, 2013
Cyber Security Management – Cyber Update
Barracuda Issues Security Update, Apologizes To Customers: Barracuda Networks Monday issued a product update designed to address some of the security vulnerabilities that have been identified in some of its appliances, as well as a mea culpa for building hardcoded, undocumented backdoors into its products. InformationWeek, February 7, 2013
Critical Flash Player Update Fixes 2 Zero-Days: Adobe today pushed out an emergency update that fixes at least two zero-day vulnerabilities in its ubiquitous Flash Player software – flaws that attackers are already exploiting to break into systems. Interestingly, Adobe warns that one of the exploits in use is designed to drop malware on both Windows and Mac OS X systems. KrebsOnSecurity, February 7, 2013
Critical Java Update Fixes 50 Security Holes: Oracle Corp. has issued an update for its Java SE software that plugs at least 50 security holes in the software, including one the company said was actively being exploited in the wild. KrebsOnSecurity, February 3, 2013
Cyber Security Management – Cyber Defense
The Dreaded Captcha: Beginning Of The End?: If those all-but-impossible-to-read Captchas disappeared tomorrow, would anyone lament their demise? InformationWeek, February 1, 2013
Blood Bank with Big Breach Settles with the FTC: CBR Systems Inc., a cord blood bank vendor, has settled with the Federal Trade Commission and agreed to a proposed consent order to improve its information security practices following a major breach of protected health information in December 2010. HealthDataManagement, January 30, 2013
We need a cybersecurity policy: Reports are that the latest round of cyber-attacks have been aimed at large media outlets like the New York Times, Wall Street Journal and Washington Post. Before media, large banks and other financial institutions were being targeted. Before the financial industry, it was something else. All the while, the U.S. government is under constant bombardment from potential cyber threats probing for weaknesses. NetworkWorld, February 4, 2013
Cyber Sunshine
Microsoft, Symantec Hijack ‘Bamital’ Botnet: Microsoft and Symantec said Wednesday that they have teamed up to seize control over the “Bamital” botnet, a multi-million dollar crime machine that used malicious software to hijack search results. The two companies are now using that control to alert hundreds of thousands of users whose PCs remain infected with the malware. KrebsOnSecurity, February 7, 2013
Securing the Village
NIST Seeks Comments to Final Public Draft of Major Federal Cybersecurity Document: The National Institute of Standards and Technology (NIST) is requesting comments on the final public draft of Security and Privacy Controls for Federal Information Systems and Organizations, Special Publication (SP) 800-53, Revision 4. The document, two years in the making, is the latest revision to a document that is considered the principal catalog of security safeguards and countermeasures that federal agencies use to protect their information and information systems. NIST, February 6, 2013
Flaw Flood Busts Bug Bank: The Common Vulnerability & Exposures (CVE) index, the industry standard for cataloging software security flaws, is growing so rapidly that it will soon be adding a few more notches to its belt: The CVE said it plans to allow for up to 100 times more individual vulnerabilities to be indexed each year to accommodate an increasing number of software flaw reports. KrebsOnSecurity, February 4, 2013
National Cyber Security
Department of Energy Compromised in Sophisticated Attack: Hackers targeted and compromised computer networks at United States Department of Energy headquarters in Washington DC two weeks ago, according to a report published by the Washington Free Beacon earlier this morning. ThreatPost, February 4, 2013
Broad Powers Seen for Obama in Cyberstrikes: WASHINGTON – A secret legal review on the use of America’s growing arsenal of cyberweapons has concluded that President Obama has the broad power to order a pre-emptive strike if the United States detects credible evidence of a major digital attack looming from abroad, according to officials involved in the review. The New York Times, February 3, 2013
Cyber Attacks on Press Reveal Gap in US Diplomacy: On January 30, The New York Times reported that it had been under sustained cyber attacks from Chinese hackers who had infiltrated their system to steal login credentials and information from its reporters and employees. The Times noted that the attacks coincided with its coverage concerning the massive financial holdings of relatives of China’s prime minister, Wen Jiabao, and continued for months. Using tactics similar to those previously attributed by security experts to the Chinese military, the attackers weaved their communications through U.S. university systems in an attempt to mask their origin. One day later, The Wall Street Journal reported that its computer systems also have been subjected to “wide-ranging electronic surveillance” by Chinese attackers in an attempt to gain intelligence on the publication’s coverage of Chinese issues. The articles revealed that Bloomberg LP and Thomson Reuters PLC have acknowledged that they, too, have suffered attacks, but they have not indicated who may have been behind them. Forbes, February 1, 2013
Securing the Village-Events Calendar
Cloud Security Alliance – Los Angeles Chapter; February 13, 2013: “Can encryption help alleviate concerns about moving to the cloud?” For more information and to register, go to meetup.com/LASC-CSA/.
ISSA-LA February Lunch Meeting; February 20, 2013. Bring your CFO to Work Day: 5 Tips for Optimizing the InfoSec/ Finance Relationship. For more information and to register, visit ISSA-LA.
ISSA-Ventura County February Dinner Meeting; February 21, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak at the monthly meeting of the Ventura County ISSA Chapter. The meeting is held at Cal Lutheran University. For more information please contact [email protected] or call 805-876-4229.
ISSA-LA March Dinner Meeting; March 20, 2013. For more information and to register, visit ISSA-LA.
NAWBO Ventura County March Dinner Meeting, March 22, 2013: Citadel Vice President Ms. Kimberly Pease, CISSP, will speak on cybersecurity at the monthly meeting of the Ventura County Chapter of the National Association of Women Business Owners. In her talk The Growing Cyber Threat: Why the Bad Guys are Winning!, Kimberly will identify threats to information and computers, review common weaknesses being exploited by the bad guys and offer proactive steps you can take at business and at home to increase your security posture and decrease your exposure.
ISSA-LA April Lunch Meeting; April 17, 2013. For more information and to register, visit ISSA-LA.
Santa Monica Rotary Club; Lunch Meeting, May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk – It Takes the Village to Secure the Village SM – Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user’s computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.
ISSA-LA Fifth Annual Information Security Summit; May 21, 2013: Join over 500 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator. For more information and to register, visit ISSA-LA. Special Early-Bird pricing until March 1.
Cyber Security News of the Week, February 10, 2013
The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.
Important Security Updates
Apple iOS: Apple has released iOS 6.1 for the iPhone 3 GS and later, iPod touch 4th generation and later, and iPad 2 and later to address multiple vulnerabilities. The update is available through iTunes.
Apple TV: Apple has released an update to fix a vulnerability in its TV. To update to version 5.2, select Settings > General > Update Software through the TV.
D-Link Wireless Camera: D-Link has released two updates to fix a moderately critical vulnerability in two of its cameras, the DCS-930L and DCS-932L. The updates are available for the DCS-930L and DCS-932L through D-Link’s website.
Foxit PDF-Reader: Foxit has released version 5.4.5.0124 to fix a highly critical vulnerability. The update is available from Foxit’s website.
Java for Apple Mac OS X: Apple has released Java 1.6.0_37 for Mac OS X 10.6 Update 11 to fix at least 30 vulnerabilities, some of which are highly critical. Updates are available from Apple’s website.
Oracle Java: Oracle has released Java 7 Update 13 to fix at least 39 extremely critical vulnerabilities. Note: The original Critical Patch Update for Java SE – February 2013 was scheduled to be released on February 19th, but Oracle decided to accelerate the release of this Critical Patch Update because one of the vulnerabilities it addresses, affecting the Java Runtime Environment (JRE) in desktop browsers, was being actively exploited “in the wild”.
Adobe Flash 11.5.502.146 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.01
Dropbox 1.6.11 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 18.0.1 [Windows]
Google Chrome 24.0.1312.56
Internet Explorer 9.0.8112.16421 [Windows 7: IE], [See warning below]
Internet Explorer 10.0.9200.16466 [Windows 8: IE]
Java SE 7 Update 13 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have particular web sites that require Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser – such as Chrome, IE9, Safari, etc. – with Java enabled to browse only the sites that require it.]
QuickTime 7.7.3 (1680.64)
Safari 5.1.7 [Windows, See warning below]
Safari 6.0.2 [Mac OS X]
Skype 6.1.0.129
Newly Announced Unpatched Vulnerabilities
Universal Plug and Play (UPnP): US-CERT and others have announced that multiple critical vulnerabilities have been found in the software used by Universal Plug and Play. Rapid7 offers a free scanner that checks whether one’s network-enabled devices might be vulnerable to attack through the UPnP protocol. Rapid7’s free scanning tool is available here. Cisco has acknowledged the problem in its Linksys routers here and its non-Linksys equipment here. Other router manufacturers have yet to comment. In line with industry recommendations, Citadel advises users to disable UPnP on endpoint devices that use the protocol on their internal network and on their Internet router. For ongoing information see the story in our Cyber Security News of the Week, February 3, 2013.
VLC Media Player: Secunia reports a highly critical vulnerability in VLC Media Player, version 2.05 and prior. No patch is available at this time.
For Your IT Department
Cisco Multiple Products: Cisco has released updates for multiple products, including its NAC appliance, IOS XR, Adaptive Security Appliances (ASA), WebEx Social and others. Apply appropriate updates.
Novell GroupWise Client: Secunia reports at least 2 highly critical vulnerabilities in Novell’s GroupWise Client. Update to version 8.0.3 Hot Patch 2 (or later) or 2012 SP1 Hot Patch 1.
VMWare: Secunia reports moderately critical vulnerabilities in several of VMWare’s products, including vSphere, ESXi, ESX Server and others. Apply appropriate patches and partial fixes.
Wireshark: Secunia reports at least 19 vulnerabilities in Wireshark, some of which are highly critical. Update to version 1.8.5 or 1.6.13.
Important Unpatched Vulnerabilities
Android Browser: Secunia reports a less critical vulnerability in the Android browser that can be exploited to trick a user into believing he is connected to a trusted site by including the trusted site in an iframe. The vulnerability is confirmed in Browser version 2.3.3 included in Android version 2.3.3 and Browser version 3.2 included in Android version 3.2. Other versions may also be affected. Users are cautioned to not rely on displayed certificate information. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.
Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31, 2011.
Symantec pcAnywhere: As we reported in our Cyber Security News of the Week, January 29, 2012, Symantec has confirmed that the hacker group Anonymous stole source code from the 2006 versions of several Norton security products and the pcAnywhere remote access tool. Symantec has advised users to disable pcAnywhere because of the theft of the pcAnywhere source code.
ACD Systems: Citadel recommends users remove all ACD Systems programs from their computers. ACD Systems has failed to patch significant critical vulnerabilities in its programs dating back more than a year. Consequently Citadel recommends users remove all ACD Systems programs from their computers until the company fixes these vulnerabilities and pays proper attention to the implications of its security vulnerabilities in opening doors to cyber criminals. The community cannot tolerate a head-in-the-sand attitude, whether by developers or the people who purchase and use their programs. The consequences of willful ignorance are too grave.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.
Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Weekend Vulnerability and Patch Report, February 3, 2013
Twitter, Washington Post targeted by hackers: SAN FRANCISCO – Social media giant Twitter is among the latest U.S. companies to report that it is among a growing list of victims of Internet security attacks, saying that hackers may have gained access to information on 250,000 of its more than 200 million active users. And now, The Washington Post is joining the chorus, revealing the discovery of a sophisticated cyberattack in 2011. NewsDay, February 1, 2013
New York Times hacking revelations shed new light on China cybercrime: Revelations that China apparently targeted the New York Times in a campaign of cyber-espionage have cast a rare spotlight on attempts by Beijing to crack down on any criticism of its ruling elite. The Guardian, January 31, 2013
Cyber Espionage
Wall Street Journal Infiltrated by Chinese Hackers: The Wall Street Journal says its computer systems have been infiltrated by Chinese hackers who were trying to monitor the newspaper’s coverage of China. ABC News, February 1, 2013
Hackers in China Attacked The Times for Last 4 Months: SAN FRANCISCO – For the last four months, Chinese hackers have persistently attacked The New York Times, infiltrating its computer systems and getting passwords for its reporters and other employees. The New York Times, January 31, 2013
Cyber Threat
Facts and figures behind the current threat landscape: Mobile malware up, spam down, the age of privacy is over and porn is less dangerous than advertisements – just some of the findings in a new annual security report. InfoSecurity, January 31, 2013
Cyber Warning
The New Child Pornography Malware: Blackmailing malware has been around for some time, of course. A trojan or virus gets into the computer, then locks it until a ransom has been paid: as I say, this has been around for some time now. However, there’s a variation of it that is much, much more dangerous: it actually displays a piece of child pornography while claiming that this is what you’ve been watching and thus you must pay the fine. Forbes, February 1, 2013
Hacking The Laptop Docking Station: Black Hat Europe researcher builds prototype device that could be used to steal corporate data, listen in on voice calls, videoconferences. DarkReading, January 31, 2013
Yahoo Mail Breach Linked to Old WordPress Vulnerability: Researchers at Australia-based BitDefender say they’ve found how some Yahoo Mail accounts are being hijacked, and it leads back to “buggy” blog software Yahoo’s developers used. ThreatPost, January 31, 2013
Symantec Gets A Black Eye In Chinese Hack Of The New York Times: Having your email hacked and malicious software spread on your servers for months may be embarrassing. But being outed as the antivirus vendor that failed to catch the vast majority of that malware is likely more humiliating still. Forbes, January 31, 2013
5 Years After Major DNS Flaw is Discovered, Few U.S. Companies have Deployed Long-Term Fix: Network World – Five years after the disclosure of a serious vulnerability in the Domain Name System dubbed the Kaminsky bug, only a handful of U.S. ISPs, financial institutions or e-commerce companies have deployed DNS Security Extensions (DNSSEC) to alleviate this threat. CIO, January 29, 2013
Hackers squeeze through DVR hole, break into CCTV cameras: The digital video recorders of several CCTV video cameras are vulnerable to attacks that create a means for hackers to watch, copy or delete video streams, according to security researchers. The Register, January 28, 2013
Cyber Security Management
Lesson Learned in Cyberattack on The New York Times: CSO – The New York Times’ description of a cyberespionage campaign waged against the news media company by Chinese hackers demonstrates the importance of assuming criminals will eventually break into a computer system, and the best defense is to detect the intrusion as soon as possible. CIO, February 1, 2013
Cyber Security Management – Online Bank Fraud
Big Bank Mules Target Small Bank Businesses: A $170,000 cyberheist last month against an Illinois nursing home provider starkly illustrates how large financial institutions are being leveraged to target security weaknesses at small to regional banks and credit unions. KrebsOnSecurity, January 28, 2013
Cyber Security Management – Cyber Update
Apple Releases iOS 6.1 With Fixes for More Than 20 Vulnerabilities: Apple has fixed dozens of security vulnerabilities in iOS with the release of version 6.1, including a serious flaw in the kernel and a number of bugs in the WebKit framework. The company also revoked trust in the bad TurkTrust certificates that were discovered late last year. ThreatPost, January 29, 2013
Cyber Defense
Apple’s anti-malware blacklists Java 7 plug-in again: Apple has once again effectively blacklisted Java 7 web plug-ins on Macs by enforcing a minimum version for the software – a version that has yet to be released by Oracle. ZDNet, February 1, 2013
RSA, IBM Bet On Big Data Analytics To Boost Security: RSA and IBM’s turning to big data analytics to improve security monitoring mark what some analysts say could be the wave of the future. DarkReading, January 31, 2013
Former Obama Cybersecurity Czar Warns Against Use of Cyberweapons: Talks of cyberwar and a cyber Pearl Harbor seem to be a regular fixture of news reports in the last few months, with prominent U.S. administration officials like Janet Napolitano or Leon Panetta regularly touting the threat of a cyber attack on the United States. But not everybody is buying it. For one, Howard Schmidt, the former chief cybersecurity advisor to President Barack Obama, is skeptical. Mashable, January 31, 2013
Rockefeller: Fortune 500 companies back voluntary cybersecurity standards: Leading U.S. companies will support a voluntary program enabling the government and industry to develop a set of cybersecurity best practices, according to a memo from Senate Commerce Committee Chairman Jay Rockefeller (D-W. Va.). The Hill, January 30, 2013
Pentagon Cyber Force Turns To Hackers To Meet Growing Demand: Faced with growing fears of potentially crippling cyber attacks and not enough skilled technicians to combat the threat, the Defense Department has launched a massive recruitment drive that’s tapping an unlikely group: computer hackers. HuffingtonPost, January 28, 2013
Unseen, all-out cyber war on the U.S. has begun: Security pros and government officials warn of a possible cyber 9/11 involving banks, utilities, other companies, or the Internet. InfoWorld, January 28, 2013
Living in today’s “Any-to-any” world: Cybercriminals are taking advantage of the rapidly expanding attack surface found in today’s “any-to-any” world, where individuals are using any device to access business applications in a network environment that utilizes decentralized cloud services. The 2013 Cisco® Annual Security Report highlights global threat trends based on real-world data, and provides insight and analysis that helps businesses and governments improve their security posturing for the future. Cisco 2013 Annual Security Report
Cyber Misc
Ticketmaster abandons Captcha verification system: Ticketmaster will use a new verification system after deciding that Captcha has become too complex for human users to understand easily. The Telegraph, January 30, 2013
Securing the Village-Events Calendar
ISC2-LA February Dinner Meeting; February 5, 2013: Email Bill Zajac at [email protected] for more information.
Cloud Security Alliance – Los Angeles Chapter; February 13, 2013: “Can encryption help alleviate concerns about moving to the cloud?” For more information and to register, go to meetup.com/LASC-CSA/.
ISSA-LA February Lunch Meeting; February 20, 2013. For more information and to register, visit ISSA-LA.
ISSA-LA March Dinner Meeting; March 20, 2013.
NAWBO Ventura County March Dinner Meeting, March 22, 2013: Citadel Vice President Ms. Kimberly Pease, CISSP, will speak on cybersecurity at the monthly meeting of the Ventura County Chapter of the National Association of Women Business Owners. In her talk The Growing Cyber Threat: Why the Bad Guys are Winning!, Kimberly will identify threats to information and computers, review common weaknesses being exploited by the bad guys and offer proactive steps you can take at business and at home to increase your security posture and decrease your exposure.
Santa Monica Rotary Club; Lunch Meeting, May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk – It Takes the Village to Secure the Village SM – Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user’s computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.
ISSA-LA Fifth Annual Information Security Summit; May 21, 2013: Join over 500 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator. For more information and to register, visit ISSA-LA. Special Early-Bird pricing until March 1.
Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community
The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.