The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.
Important Security Updates
AVG Antivirus Free Edition: AVG has released version 2014.0.4354 (32-bit) of its Free Edition Antivirus. Updates are available through the program or from AVG’s website.
Check Point Technologies Zone Alarm: Check Point has released version 13.0.208.000 of the Free version of Zone Alarm. Updates are available from Check Point’s website.
Piriform CCleaner: Piriform has released version 4.12.4657 for CCleaner. Download is available from Piriform’s website.
Adobe Flash 12.0.0.77 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.06
Dropbox 2.6.2 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 28.0
Google Chrome 33.0.1750.154
Internet Explorer 11.0.9600.16518 [Windows 7: IE]
Internet Explorer 11.0.9600.16384 [Windows 8: IE]
Java SE 8 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7
Safari 7.0.2 [Mac OS X]
Skype 6.14.0.104
Newly Announced Unpatched Vulnerabilities
D-Link DIR-600L Wireless Router: Secunia reports an unpatched vulnerability in D-Link’s DIR-600L Wireless Router. The vulnerability is reported in revision A1 firmware version 1.0 and revision B1 firmware version 2.0. No official solution is currently available.
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.
For Your IT Department
Cisco Multiple Products: Secunia reports that Cisco has released updates for its IOS 7600 Series Route Switch, Prime Security Manager (PRSM), IOS SSL VPN, IOS and IOS XE, IOS Network Address Translation, SocialMiner, Unified Contact Center Express, Video Surveillance Manager (VSM), Unified Intelligence Center, Finesse and others. Apply updates.
IBM OS/400: Secunia reports that IBM has released updates for its OS/400 to fix a moderately critical vulnerability reported in version 6.1. Apply APAR SE58604.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.
Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community
Target Had Chance to Stop Breach, Senators Say: WASHINGTON — Two Democratic senators on Wednesday criticized Target’s management for not stopping a huge data breach of its systems, citing several missed opportunities to thwart the attack and protect customer data. The New York Times, March 26, 2014
ZIP Codes Show Extent of Sally Beauty Breach: Earlier this month, beauty products chain Sally Beauty acknowledged that a hacker break-in compromised fewer than 25,000 customer credit and debit cards. My previous reporting indicated that the true size of the breach was at least ten times larger. The analysis published in this post suggests that the Sally Beauty breach may have impacted virtually all 2,600+ Sally Beauty locations nationwide. KrebsOnSecurity, March 25, 2014
Cyber Attack
Basecamp falls to blackmail-fueled denial of service attack: Users of the popular web-based project management app Basecamp may have a hard time logging on to the service Monday morning. The company behind the app, also named Basecamp (formerly 37Signals), says it is under a distributed denial of service (DDoS) attack from extortionists hoping to make a quick buck. PCWorld, March 24, 2014
HOOTSUITE BACK ONLINE FOLLOWING DENIAL OF SERVICE ATTACK: Social media management system Hootsuite recovered rapidly from a denial of service (DoS) attack late last week, bouncing back after being offline for a few hours Thursday morning. ThreatPost, March 24, 2014
Cyber Privacy
Microsoft to Stop Inspecting Private Emails in Investigations: SEATTLE — Microsoft will no longer snoop on customers’ private communications during investigations of stolen property, the company’s general counsel said on Friday. The New York Times, March 28, 2014
Obama to Call for End to N.S.A.’s Bulk Data Collection: WASHINGTON — The Obama administration is preparing to unveil a legislative proposal for a far-reaching overhaul of the National Security Agency’s once-secret bulk phone records program in a way that — if approved by Congress — would end the aspect that has most alarmed privacy advocates since its existence was leaked last year, according to senior administration officials. The New York Times, March 24, 2014
Cyber Warning
Forget Stealing Credit Cards, Now Hackers Just Straight-Up Blackmail You: While hackers tried to get rich by stealing millions of credit cards from Target, other cybercriminals have quietly tried another method to make a quick buck: Asking companies to pay them to go away. Huffington Post, March 29, 2014
Watch out, journalists: Hackers are after you: Google security experts say that many of the world’s largest news organizations are being targeted by hackers that are likely state-sponsored. CNet, March 28, 2014
IRS Warns of Email Scam Impersonating Taxpayer Advocate Service: The Internal Revenue Service is warning consumers to beware of a new email phishing scam in which fraudulent emails purport to come from the IRS Taxpayer Advocate Service, complete with a bogus case number. AccountingToday, March 28, 2014
Law Firms Are Pressed on Security for Data: A growing number of big corporate clients are demanding that their law firms take more steps to guard against online intrusions that could compromise sensitive information as global concerns about hacker threats mount. The New York Times, March 26, 2014
Microsoft: 0Day Exploit Targeting Word, Outlook: Microsoft warned today that attackers are exploiting a previously unknown security hole in Microsoft Word that can be used to foist malicious code if users open a specially crafted text file, or merely preview the message in Microsoft Outlook. KrebsOnSecurity, March 24, 2014
TARGETED ATTACKS EXPLOIT MICROSOFT WORD ZERO DAY: Targeted attacks have been spotted against a zero-day vulnerability in Microsoft Word 2010, leading Microsoft to issue a special security advisory and produce a Fix-it solution for users until a patch is ready. ThreatPost, March 24, 2014
Cyber Security Management – Cyber Update
CISCO PATCHES DENIAL-OF-SERVICE VULNERABILITIES IN IOS: Cisco this week patched a handful of denial-of-service vulnerabilities in its IOS software. The security updates are part of a biannual release from Cisco; the next one is due in September. ThreatPost, March 28, 2014
Cyber Security Management – Cyber Defense
The new security perimeter: Human Sensors: Security Manager George Grachis discusses the current cyber threat landscape and why Human Sensors, our users, are our most underutilized resource that can make all the difference. CSO, March 13, 2014
Cyber Underworld
Who Built the ID Theft Service SSNDOB.ru?: Previous stories on this blog have highlighted the damage wrought by an identity theft service marketed in the underground called ssndobru, which sold Social Security numbers, credit reports, drivers licenses and other sensitive information on more than four million Americans. Today’s post looks at a real-life identity behind the man likely responsible for building this service. KrebsOnSecurity, March 27, 2014
National Cyber Security
Cybercrime could be ‘next black swan event’: ASIC chief: Australian Securities and Investment Commission chairperson Greg Medcraft has used the ASIC Annual Forum to issue a warning about the potential for poor information security to destabilise financial markets. ComputerWorld, March 24, 2014
Cyber Lawsuit
FTC SETTLES WITH FANDANGO, CREDIT KARMA OVER SSL ISSUES IN MOBILE APPS: The makers of two major mobile apps, Fandango and Credit Karma, have settled with the Federal Trade Commission after the commission charged that they deliberately misrepresented the security of their apps and failed to validate SSL certificates. The apps promised users that their data was being sent over secure SSL connections, but the apps had disabled the validation process. ThreatPost, March 28, 2014
Cyber Misc
How does the FBI Know Your Network has been Breached before You Do?: Many of the massive data breaches in the news these days are first revealed to the victims by law enforcement, the Secret Service and Federal Bureau of Investigation. [Dr. Stahl is quoted.] ComputerWorld, March 27, 2014
Markets for Cybercrime Tools and Stolen Data: Criminal activities in cyberspace are increasingly facilitated by burgeoning black markets for both tools (e.g., exploit kits) and take (e.g., credit card information). This report, part of a multiphase study on the future security environment, describes the fundamental characteristics of these markets and how they have grown into their current state to explain how their existence can harm the information security environment. Rand Corporation, 2014
Cyber Calendar
ISSA-LA Sixth Annual Information Security Summit, May 16, Universal City Hilton. Speakers include Richard Clarke, former Assistant to the President; Jackie Lacey, Los Angeles County District Attorney; Jeremiah Grossman, Founder & iCEO, WhiteHat Security; Marcus Ranum, CSO, Tenable; Marc Maiffret, CTO, Beyond Trust; Jim Manico, Secure Coding Instructor and Author, Global OWASP Board of Directors; Ira Winkler, ISSA International President; Andrea Hoy, ISSA International Vice-President. For more information and to register, visit ISSA-LA.
The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.
Important Security Updates
D-Link DIR-615: D-Link has released version 8.05b06 to fix a vulnerability in its DIR-615 wireless router. Updates are available from D-Link’s website.
Google Chrome: Google has released version 33.0.1750.154 of Chrome for Windows and Mac to fix 7 highly critical vulnerabilities. Updates are available through the program.
Google Chrome for Android: Google has released version 33.0.1750.166 of Chrome for Android to fix at least 3 highly critical vulnerabilities. Updates are available through the program or device.
Mozilla Firefox: Mozilla has released version 28.0 of Firefox to fix at least 11 highly critical vulnerabilities. Updates are available within the browser or from Mozilla’s website. There are also updates for Thunderbird and SeaMonkey.
Opera: Opera has released version 20.0.1387.82. Updates are available from within the browser or from Opera’s website.
Oracle Java: Oracle has released Java SE 8. The update is available through Windows Control Panel or Java’s website. [See Citadel’s recommendation below]
Adobe Flash 12.0.0.77 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.06
Dropbox 2.6.2 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 28.0
Google Chrome 33.0.1750.154
Internet Explorer 11.0.9600.16518 [Windows 7: IE]
Internet Explorer 11.0.9600.16384 [Windows 8: IE]
Java SE 8 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7
Safari 7.0.2 [Mac OS X]
Skype 6.14.0.104
Newly Announced Unpatched Vulnerabilities
D-Link DIR-615 Wireless Router: Secunia reports an unpatched vulnerability in D-Link’s DIR-615 Wireless Router. The vulnerability is reported in revision Ex firmware version 5.10 and prior. No official solution is currently available.
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.
For Your IT Department
Cisco Multiple Products: Secunia reports that Cisco has released updates for its Adaptive Security Appliance (ASA), IOS and others. Apply updates.
IBM OS/400 Java: Secunia reports that IBM has released updates for its OS/400 to fix at least 25 vulnerabilities, some of which are highly critical, in a bundled version of IBM Java. Apply PTF or APARs.
California Leads The Nation In Cybercrime: The same high-profile assets that make California an engine for America’s creativity and economy – think Silicon Valley and Hollywood – have made it a magnet for international criminal enterprises. If that sounds like a cover story for “Duh Magazine,” the first comprehensive report about it was released here Thursday, and it backs up the assertions with data and investigative evidence – and recommends what to do next. Business Insider, March 20, 2014
The Long Tail of ColdFusion Fail: Earlier this month, I published a story about a criminal hacking gang using Adobe ColdFusion vulnerabilities to build a botnet of hacked e-commerce sites that were milked for customer credit card data. Today’s post examines the impact that this botnet has had on several businesses, as well as the important and costly lessons these companies learned from the intrusions. KrebsOnSecurity, March 17, 2014
Sally Beauty Confirms Card Data Breach: Nationwide cosmetics and beauty retailer Sally Beauty today confirmed that hackers had broken into its networks and stolen credit card data from stores. The admission comes nearly two weeks after KrebsOnSecurity first reported that the company had likely been compromised by the same criminal hacking gang that stole 40 million credit and debit cards from Target. KrebsOnSecurity, March 17, 2014
Bitcoin-stealing malware hidden in Mt. Gox data dump, researcher says: An archive containing transaction records from Mt. Gox that was released on the Internet last week by the hackers who compromised the blog of Mt. Gox CEO Mark Karpeles also contains bitcoin-stealing malware for Windows and Mac. PCWorld, March 17, 2014
Cyber Attack
NATO websites attacked by hackers: (CNN) — Hackers apparently attacked several NATO websites Saturday, but they did not interrupt operations nor was the integrity of NATO’s systems affected, NATO spokeswoman Oana Lungescu said on Twitter. CNN, March 16, 2014
Cyber Privacy
Microsoft Software Leak Inquiry Raises Privacy Issues: SEATTLE — Technology companies have spent months denying they know anything about broad government spying on people who use their Internet services. The New York Times, March 20, 2014
FORMER CHURCH COMMITTEE MEMBERS SEE NEED FOR NEW GROUP TO INVESTIGATE NSA: In a letter sent to President Obama and members of Congress, former members and staff of the Church Committee on intelligence said that the revelations of the NSA activities have caused “a crisis of public confidence” and encouraged the formation of a new committee to undertake “significant and public reexamination of intelligence community practices”. ThreatPost, March 20, 2014
Identity Theft
Are Credit Monitoring Services Worth It?: In the wake of one data breach after another, millions of Americans each year are offered credit monitoring services that promise to shield them from identity thieves. Although these services can help true victims step out from beneath the shadow of ID theft, the sad truth is that most services offer little in the way of real preventative protection against the fastest-growing crime in America. KrebsOnSecurity, March 19, 2014
Consumers Union’s Guide to Security Freeze Protection: There are more than eight million new victims of identity theft each year in the U.S. Many of these victims find that crooks have used stolen personal information like Social Security numbers to open new accounts in their victim’s name. A security freeze gives consumers the choice to “freeze” or lock access to their credit file against anyone trying to open up a new account or to get new credit in their name. When a security freeze is in place at all three major credit bureaus, an identity thief cannot open a new account because the potential creditor or seller of services will not be able to check the credit file. When the consumer is applying for credit, he or she can lift the freeze temporarily using a PIN so legitimate applications for credit or services can be processed. DefendYourDollars, February 5, 2014
Android Upgrades Open A Backdoor To Malware, Researchers Show: Updating software is to malware as flossing is to gingivitis: a basic practice meant to minimize the risk of infection. But a team of researchers has found that for Google’s Android platform, operating system upgrades can also serve as a stealthy new method for malware to sneak its tricks past Android’s security measures. Forbes, March 19, 2014
Hackers Use Missing Malaysia Airlines Flight to Bait Users: Cyber scammers are exploiting intense interest in missing Malaysia Airlines Flight 370 to spread malicious malware aimed at attacking users, according to a new warning from security software company Trend Micro. FoxBusiness, March 19, 2014
Cyber Security Management
6 greatest cybersecurity myths and why you should not trust them: Cybersecurity is, without a doubt, becoming one of the dominant security topics (and concerns), not only for security professionals, but also for any executives or managers who want to protect their organizations. Defense Systems, March 17, 2014
Cyber Security Management – Cyber Update
Windows XP Holdouts: 6 Top Excuses: Microsoft cuts support for Windows XP in less than a month, but millions still use the OS. Are these rationales worth the risk? InformationWeek, March 17, 2014
GOOGLE PATCHES FOUR PWN2OWN BUGS IN CHROME 33: Now that the dust has settled after the Pwn2Own contest, the browser manufacturers are beginning to roll out patches for the vulnerabilities exploited by contestants. Google on Monday released fixes for a number of bugs in Chrome discovered and exploited during Pwn2Own, releasing new versions of the browser for Windows, Mac and Linux. ThreatPost, March 17, 2014
Government computers running Windows XP will be vulnerable to hackers after April 8: The deadline for installing secure operating systems on federal government computers will pass next month with the job incomplete, leaving hundreds of thousands of machines running outdated software and unusually vulnerable to hackers. The Washington Post, March 16, 2014
Cyber Security Management – Cyber Defense
FULL DISCLOSURE SECURITY MAILING LIST SHUTS DOWN: The Full Disclosure security mailing list, which has been one of the main discussion forums for vulnerability and exploit information for 12 years, is shutting down because “‘one of our own’ would undermine the efforts of the last 12 years”, one of the creators said. ThreatPost, March 20, 2014
The Year of Encryption: Government spying gives a giant push to data scrambling on the Web. MIT Technology Review, March 18, 2014
Cyber Underworld
Cyber Criminals Using Online Attack Kits to Steal Data: Cyber criminals are now using online attack kits to steal data. The cyber criminal does not need to have advanced hacking skills today to steal someone’s personal banking information. In a few simple steps, they can download a so-called “attack kit” and online theft is just a matter of a few clicks away. LibertyVoice, March 16, 2014
Men from Ukraine and New York indicted in U.S. cybercrime case: (Reuters) – Federal prosecutors on Monday announced the indictment of three men they accuse of being members of an international cybercrime ring that tried to steal at least $15 million by hacking into U.S. customer accounts at 14 financial institutions and the Department of Defense’s payroll service. Reuters, March 18, 2014
Cyber Calendar
ISSA-LA Sixth Annual Information Security Summit, May 16, Universal City Hilton. Speakers include Richard Clarke, former Assistant to the President; Jackie Lacey, Los Angeles County District Attorney; Roland Cloutier, CSO of ADP. For more information and to register, visit ISSA-LA.
The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.
Important Security Updates
Adobe Flash Player: Adobe has released version 12.0.0.77 for its Flash Player to fix a moderately critical vulnerability. Updates are available through the program or from Adobe’s Flash Web Site.
Adobe Shockwave Player: Adobe has released version 12.1.0.150 to fix a highly critical vulnerability reported in previous versions of Shockwave Player running on Windows and Macintosh. Updates are available through the program or from Adobe’s Shockwave Web Site.
Amazon Kindle for PC: Amazon has released version 1.10.8 Build 40514 of Kindle for PC. Updates are available through the program or from Amazon’s Kindle website.
Apple iOS: Apple has released version 7.1 of its iOS for iPhone 4 and later, iPad and iPod touch to fix at least 26 vulnerabilities, some of which are highly critical. The update is available through the devices or through Apple’s website.
Apple TV: Apple has released version 6.1 for Apple TV to fix at least 24 highly critical vulnerabilities. Updates are available from within the program or Apple’s website.
AVG Antivirus Free Edition: AVG has released version 2014.0.4336 (32-bit) of its Free Edition Antivirus. Updates are available through the program or from AVG’s website.
Google Chrome: Google has released version 33.0.1750.149 of Chrome for Windows and Mac to fix 7 highly critical vulnerabilities. Updates are available through the program.
Microsoft Patch Tuesday: Microsoft released 5 updates addressing at least 23 security weaknesses in almost all versions of the Microsoft OS, Internet Explorer, and more. Updates are available via Windows Update or from Automatic Update.
Opera: Opera has released version 20.0.1387.77. Updates are available from within the browser or from Opera’s website.
Adobe Flash 12.0.0.77 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.06
Dropbox 2.6.2 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 27.0.1
Google Chrome 33.0.1750.149
Internet Explorer 11.0.9600.16518 [Windows 7: IE]
Internet Explorer 11.0.9600.16384 [Windows 8: IE]
Java SE 7 Update 51 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7
Safari 7.0.2 [Mac OS X]
Skype 6.14.0.104
Newly Announced Unpatched Vulnerabilities
D-Link DIR-600 Wireless Router: Secunia reports an unpatched vulnerability in D-Link’s DIR-600 Wireless Router in firmware versions 2.16WW and prior. No official solution is currently available.
D-Link DSL-2640U Wireless Router: Secunia reports an unpatched vulnerability in D-Link’s DSL-2640U Wireless Router in firmware versions 1.0.24W and prior. No official solution is currently available.
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.
For Your IT Department
Cisco Intelligent Automation for Cloud: Secunia reports an unpatched security issue in Cisco’s Intelligent Automation for Cloud in versions 9.4.1 and prior. Other versions may also be affected. No official solution is currently available.
McAfee Cloud Identity Manager: Secunia reports that McAfee has released an update for its Cloud Identity Manager to fix a moderately critical vulnerability in previous versions. Upgrade to version 4.0.1.
McAfee Cloud Single Sign On: Secunia reports that McAfee has released an update for its Cloud Single Sign On (formerly McAfee Cloud Identity Manager) to fix a moderately critical vulnerability in previous versions. Upgrade to version 4.0.1.
McAfee Multiple Products: Secunia reports that McAfee has released a partial fix for its Email Gateway and Email and Web Security Appliance to address vulnerabilities reported in Email Gateway versions 7.0, 7.5, and 7.6 and Email and Web Security Appliance version 5.6. Apply patch if available.
McAfee Web Gateway: Secunia reports that McAfee has released updates for its Web Gateway to fix a vulnerability in previous versions. Update to version 7.4.1 or 7.3.2.6.
VMware ESXi: Secunia reports that VMware has released an update to fix a vulnerability. Apply patch if available.
VMware vCenter Server: Secunia reports that VMware has released updates for its vCenter Server to fix at least 51 vulnerabilities, some of which are highly critical. Apply 5.5 Update 1.
VMware vCenter Server Appliance: Secunia reports that VMware has released updates for its vCenter Server Appliance to fix a vulnerability. Apply update.
VMware vSphere Update Manager: Secunia reports that VMware has released updates for its vSphere Update Manager to fix at least 51 vulnerabilities, some of which are highly critical. Apply 5.5 Update 1.
Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It: The biggest retail hack in U.S. history wasn’t particularly inventive, nor did it appear destined for success. In the days prior to Thanksgiving 2013, someone installed malware in Target’s (TGT) security and payments system designed to steal every credit card used at the company’s 1,797 U.S. stores. At the critical moment—when the Christmas gifts had been scanned and bagged and the cashier asked for a swipe—the malware would step in, capture the shopper’s credit card number, and store it on a Target server commandeered by the hackers. BusinessWeek, March 13, 2014
NoMoreRack.com Probes Possible Card Breach: For the second time since Aug. 2013, online retailer NoMoreRack.com has hired a computer forensics team after being notified by Discover about a potential breach of customer card data, KrebsOnSecurity has learned. KrebsOnSecurity, March 12, 2014
Cyber Privacy
NSA’s plans reportedly involve infecting millions of computers with surveillance malware: The U.S. National Security Agency has reportedly been working for the past several years on expanding its ability to infect computers with surveillance malware and creating a command-and-control infrastructure capable of managing millions of compromised systems at a time. PCWorld, March 12, 2014
Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records: In October 2013, KrebsOnSecurity published an exclusive story detailing how a Vietnamese man running an online identity theft service bought personal and financial records on Americans directly from a company owned by Experian, one of the three major U.S. credit bureaus. Today’s story looks deeper at the damage wrought in this colossal misstep by one of the nation’s largest data brokers. KrebsOnSecurity, March 10, 2014
Experts warn of coming wave of serious cybercrime: The rash of attacks against Target and other top retailers is likely to be the leading edge of a wave of serious cybercrime, as hackers become increasingly skilled at breaching the nation’s antiquated payment systems, experts say. The Washington Post, February 9, 2014
Cyber Security Management – Cyber Update
Adobe, Microsoft Push Security Updates: Adobe and Microsoft today each released software updates to fix serious security flaws in their products. Adobe pushed an update that plugs a pair of holes in its Flash Player software. Microsoft issued five updates, including one that addresses a zero-day vulnerability in Internet Explorer that attackers have been exploiting of late. KrebsOnSecurity, March 11, 2014
APPLE IOS 7.1 FIXES MORE THAN 20 CODE-EXECUTION FLAWS: Apple has fixed a slew of vulnerabilities that could lead to code execution on the iPhone, along with a number of other security vulnerabilities in the latest version of its mobile operating system, iOS 7.1. The new release comes just a little more than two weeks after Apple released iOS 7.06 to fix the SSL certificate validation error. ThreatPost, March 11, 2014
Cyber Security Management – Cyber Defense
Blogs of War: Don’t Be Cannon Fodder: On Wednesday, KrebsOnSecurity was hit with a fairly large attack which leveraged a feature in more than 42,000 blogs running the popular WordPress content management system (this blog runs on WordPress). This post is an effort to spread the word to other WordPress users to ensure their blogs aren’t used in attacks going forward. KrebsOnSecurity, March 13, 2014
Securing the Village
Financial Networks Increase Collaboration To Improve Information Security: One of the types of business networks that we have previously described on this blog is Financial networks. The nodes in these networks are central and commercial banks, businesses and not-for-profit organizations, individuals and machines. Essentially, financial networks exist to move printed currency and financial instruments, as well as digital equivalents, between those nodes. Forbes, March 10, 2014
ISSA-LA
ISSA-LA Sixth Annual Information Security Summit on Cybercrime Solutions: Cybersecurity Expert Richard A. Clarke and Los Angeles County District Attorney Jackie Lacey to Keynote, as well as numerous other prominent information security experts and representatives from law enforcement. PRWeb, March 12, 2014
Tevora to Sponsor the Sixth Annual ISSA Los Angeles Security Summit: Tevora is proud to announce its silver sponsorship of the Sixth Annual ISSA Los Angeles Security Summit at the Universal City Hilton, on Friday, May 16, 2014 from 7:30 am to 6:00 pm. The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members. The Information Security Summit is the most renowned event hosted by the local ISSA chapter. For more information please visit: http://www.issala.org/. Tevora, February 12, 2014
National Cyber Security
Feinstein: CIA searched Intelligence Committee computers: A behind-the-scenes battle between the CIA and Congress erupted in public Tuesday as the head of the Senate Intelligence Committee accused the agency of breaking laws and breaching constitutional principles in an alleged effort to undermine the panel’s multi-year investigation of a controversial interrogation program. The Washington Post, March 11, 2014
NSA misguided, Edward Snowden says: WASHINGTON — America’s spy agencies are so focused on ‘‘mass surveillance’’ that they have missed clues about terrorism, such as last year’s Boston Marathon bombing and an attempted attack on a jetliner on Christmas in 2009, former intelligence contractor Edward Snowden said Monday. Boston Globe, March 11, 2014
New crimeware tool Dendroid makes it easier to create Android malware, researchers warn: A new commercial tool designed to allow cybercriminals to easily transform legitimate Android applications into malicious software has hit the underground market, paving the way for cheap and easy development of sophisticated Android malware. PC World, March 6, 2014
Chinese Government Hacking, One Year Later: A year after first issuing his landmark report titled, ‘APT1: Exposing One of China’s Cyber Espionage Units’, Kevin Mandia gave an update on the report’s aftermath. eSecurity Planet, March 3, 2014
Cyber Misc
Hackers Hit Mt. Gox Exchange’s CEO, Claim To Publish Evidence Of Fraud: The Bitcoin community has been angrily pressing for details on what the Bitcoin exchange Mt. Gox has described as a massive hacker attack that stole hundreds of millions of dollars worth of its users’ bitcoins and left the company bankrupt. Mt. Gox’s staff isn’t talking. So another group of hackers say they’ve broken into the company’s servers to provide answers of their own. Forbes, March 9, 2014
Stop Glorifying Hackers: I WAS at the Museum of Modern Art in New York not long ago, soaking in Edward Hopper’s retro downer mystique, when I got a call that opened up brave new all-night-diners of doom and gloom. The New York Times, March 8, 2014
Cyber Calendar
ISSA-LA Sixth Annual Information Security Summit, May 16, Universal City Hilton. Speakers include Richard Clarke, former Assistant to the President; Jackie Lacey, Los Angeles County District Attorney; Roland Cloutier, CSO of ADP. For more information and to register, visit ISSA-LA.
The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.
Important Security Updates
D-Link DIR-100 Wired Router: D-Link has released a firmware update for its DIR-100 wired router to fix 4 vulnerabilities. Update to firmware version 4.03B13. Updates can be found on D-Link’s website.
Dropbox: Dropbox has released version 2.6.2 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]
Google Chrome: Google has released version 33.0.1750.146 of Chrome for Windows, Mac, Linux and Chrome Frame to fix 6 highly critical vulnerabilities in previous versions. Updates are available through the program.
Google Picasa: Google has released version 3.9 Build 137.114. Updates are available at the Picasa website.
Opera: Opera has released version 20.00 to fix moderately critical unpatched vulnerabilities in previous versions. Updates are available from within the browser or from Opera’s website.
Adobe Flash 12.0.0.70 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.06
Dropbox 2.6.2 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 27.0.1
Google Chrome 33.0.1750.146
Internet Explorer 11.0.9600.16518 [Windows 7: IE]
Internet Explorer 11.0.9600.16384 [Windows 8: IE]
Java SE 7 Update 51 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7
Safari 7.0.2 [Mac OS X]
Skype 6.14.0.104
Newly Announced Unpatched Vulnerabilities
None
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.
For Your IT Department
Cisco Multiple Products: Secunia reports that Cisco has released updates for its CVR 100W Wireless-N VPN Router, RV215W Wireless-N VPN Router, RV110W Wireless-N VPN Firewall, 2000 Series Wireless LAN Controller, 2100 Series Wireless LAN Controller, 2500 Series Wireless Controller, 4400 Series Wireless LAN Controller, 5500 Series Wireless Controller, Catalyst 6500 Series Wireless Service Module (WiSM), Wireless LAN Controller (WLC 4.x, 5.x, 6.x, 7.x), and others. Apply updates.
Citrix NetScaler / NetScaler VPX: Secunia reports that Citrix has released updates for its NetScaler and NetScaler VPX to fix at least 8 vulnerabilities. Update to version 10.1-118.7, 10.0-77.5, or 9.3-64.4.
Citrix NetScaler SDX: Secunia reports that Citrix has released updates for its NetScaler SDX to fix an error within the Service VM Virtual Machine Daemon reported in previous versions. Update to version 10.0-77.5 or 9.3-64.4.
SonicWALL Network Security Appliance (NSA) 2400: SonicWALL has released updates for its Network Security Appliance (NSA) 2400 Series to fix a vulnerability. Update to a fixed version.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Personal data on L.A. County medical patients stolen from contractor: As many as 168,500 patients of Los Angeles County medical facilities may have had their data stolen in a break-in at a county contractor’s office last month, county officials said Thursday. The Los Angeles Times, March 6, 2014
Sally Beauty Hit By Credit Card Breach: Nationwide beauty products chain Sally Beauty appears to be the latest victim of a breach targeting their payment systems in stores, according to both sources in the banking industry and new raw data from underground cybercrime shops that traffic in stolen credit and debit cards. KrebsOnSecurity, March 5, 2014
Thieves Jam Up Smucker’s, Card Processor: Jam and jelly maker Smucker’s last week shuttered its online store, notifying visitors that the site was being retooled because of a security breach that jeopardized customers’ credit card data. Closer examination of the attack suggests that the company was but one of several dozen firms — including at least one credit card processor — hacked last year by the same criminal gang that infiltrated some of the world’s biggest data brokers. KrebsOnSecurity, March 4, 2014
Cybercrime hits financial firms hardest: survey: (Reuters) – Cybercrime is the second most common type of fraud reported by financial firms, more than double the level across other industries, as criminals turn increasingly to technology as their main weapon against banks, a survey showed. Reuters, March 3, 2014
Detroit Reveals Malware Targeted City Employees: Detroit revealed details of a recent computer security breach Monday that affected files containing personal information for a large number of city employees. CBS Detroit, March 3, 2014
Breach Blind Spot Puts Retailers on Defensive: In response to rumors in the financial industry that Sears may be the latest retailer hit by hackers, the company said today it has no indications that it has been breached. Although the Sears investigation is ongoing, experts say there is a good chance the identification of Sears as a victim is a false alarm caused by a common weakness in banks’ anti-fraud systems that becomes apparent mainly in the wake of massive breaches like the one at Target late last year. KrebsOnSecurity, February 28, 2014
Cyber Attack
Meetup.com fights off hackers, refuses to pay $300 ransom: TORONTO (Reuters) – Social networking website Meetup.com is fighting a sustained battle against cyber-criminals who are demanding $300 to call off an attack that has kept the site offline for much of the past four days. Chicago Tribune, March 3, 2014
Identity Theft
After Debit Card Fraud, a Chicago Bank Feels Its Customers’ Frustration: People should no longer use debit or credit cards in Chicago taxicabs. Bank of America should shut off the card-swiping terminals in the back of those cabs. And MasterCard ought to learn to share more information with its customers. The New York Times, March 7, 2014
Illinois Bank: Use Cash for Chicago Taxis: First American Bank in Illinois is urging residents and tourists alike to avoid paying for cab rides in Chicago with credit or debit cards, warning that an ongoing data breach seems to be connected with card processing systems used by a large number of taxis in the Windy City. KrebsOnSecurity, March 3, 2014
Financial Fraud
BMO customer’s account emptied of $87K as bank falls for scam: The Bank of Montreal has reimbursed one of its customers following a CBC Go Public story about how the bank wired $87,555 of his inheritance money into the hands of a scammer. CBC, March 3, 2014
INDIAN HACKERS POSE AS NETFLIX TECH SUPPORT, AIM TO STEAL FILES, IDENTITY: Malwarebytes, an Internet security firm and developer of anti-malware software, told a story about an attempt on the part of some hackers based in India to pose as Netflix tech support in an effort to steal the poster’s data and identity. Malwarebytes detailed the incident via an official blog post. DigitalTrends, March 3, 2014
Hackers hijack 300,000-plus wireless routers, make malicious changes: Researchers said they have uncovered yet another mass compromise of home and small-office wireless routers, this one being used to make malicious configuration changes to more than 300,000 devices made by D-Link, Micronet, Tenda, TP-Link, and others. ars technica, March 3, 2014
FireEye names malware’s favorite targets, sources: Malware activity has become so pervasive globally that attack servers communicating with Malware are now hosted in 206 countries and territories. PC World, March 2, 2014
New Scam Tricks Caller ID to Show Real Tech Support Phone Numbers: Tech bloggers are warning about a scam that tricks a phone’s caller ID to display a real Verizon Wireless tech support number, duping people into providing personal information to fraudsters. Yahoo News, February 28, 2014
Cyber Security Management
Target CIO resigns following breach: The retailer announces the resignation after data breaches affecting up to 110 million people. CSO, March 5, 2014
Top Tech Internships Pay Big Bucks: How much were you paid when you were an intern? If your college internships were anything like mine, you were paid in experience, not dollars. Enterprise Efficiency, March 3, 2014
Daily Report: Lax Data Security a Problem for Many Start-Ups: While signing up users and raising money are big priorities for young technology companies, data security is often much further down the to-do list, Jenna Wortham and Nicole Perlroth report. The New York Times, March 3, 2014
Cyber Security Management – Cyber Update
CISCO PATCHES AUTHENTICATION FLAW IN WIRELESS ROUTERS: There’s a serious security flaw in some of Cisco’s wireless routers that could allow a remote attacker to take complete control of the router. The bug is in a number of the Cisco small business routers, as well as a wireless VPN firewall. ThreatPost, March 6, 2014
Users Refuse to Chuck XP As Windows 8 Uptake Flattens: For the second month in a row, Windows XP and Windows 8 defied their maker’s wishes, as XP, which Microsoft just wants to go away, gained user share, and Windows 8, the OS Microsoft hopes will fuel sales of new devices, flatlined in February, an analytics firm reported. CIO, March 3, 2014
ISSA-LA
Cybersecurity Expert Richard A. Clarke and LA County District Attorney Jackie Lacey to Speak at ISSA-LA Sixth Annual Information Security Summit on Cybercrime: Former White House cybersecurity czar Richard A. Clarke and Los Angeles County District Attorney Jackie Lacey are among a roster of prominent speakers at the Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) Sixth Annual Information Security Summit on May 16, 2014 at Hilton Universal City Hotel in Los Angeles. The theme of the Summit—The Growing Cyber Threat: Protect Your Business—reflects the reality that cybercrime impacts the financial health of all our organizations: businesses, not-for-profits, government agencies, schools and others. PRWeb, March 5, 2014
National Cyber Security
N.S.A. Director Says Snowden Leaks Hamper Efforts Against Cyberattacks: WASHINGTON — Gen. Keith B. Alexander, the director of the National Security Agency, said Tuesday that the leaks by the former agency contractor Edward J. Snowden had slowed the effort to protect the country against cyberattacks on Wall Street and other civilian targets. The New York Times, March 4, 2014
Cyber Law
California Court Rules it is Okay for Drivers to Check Mobile Maps: IDG News Service (Bangalore Bureau) — An appeals court in California ruled that it is legal for a person to hold his phone to look at a map application while driving, though he is prohibited from “listening and talking” on the phone unless it is used in a hands-free mode. CIO, February 28, 2014
Cyber Misc
Nearly 150 Breeds Of Bitcoin-Stealing Malware In The Wild, Researchers Say: With a potentially massive hack of the Mt. Gox exchange still unfolding, it’s no secret that cybercriminals see a gold mine in cryptocurrencies. But a new study by security researchers shows just how quickly the cottage industry in Bitcoin theft is evolving: Nearly 150 types of malware are actively stealing bitcoins, more than a hundred of which were created in just the last year. Forbes, February 26, 2014
Cyber Calendar
Business and Personal Guide to Staying Safe in Cyber-Space: Join me, Toni Patillo, along with Dr. Stan Stahl, president of the Information Systems Security Association, Los Angeles Chapter, as he speaks about cyber security – arguably the greatest challenge of the Internet age. Lunch N Learn, Event Date: March 12, 2014
ISSA-LA Sixth Annual Information Security Summit, May 16, Universal City Hilton. Speakers include Richard Clarke, former Assistant to the President; Jackie Lacey, Los Angeles County District Attorney; Roland Cloutier, CSO of ADP. For more information and to register, visit ISSA-LA.
The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.
Important Security Updates
Apple iOS Multiple Devices: Apple has released updates for its iOS to fix a vulnerability in the iPhone 3GS and later, iPod touch, iPhone 4 and later, and iPad. Updates are available through the device or Apple’s website.
Apple iTunes: Apple has released version 11.1.5 for iTunes. Updates are available through the program or from Apple’s website.
Apple Safari: Apple has released updates to Safari to fix at least 4 highly critical vulnerabilities reported in versions prior to 6.1.2 and 7.0.2. Updates are available through the program or from Apple’s website.
Apple OS X: Apple has released updates for OS X to fix at least 22 vulnerabilities, some of which are highly critical. Update to version 10.9.2 or apply Security Update 2014-001. Updates are available through Apple’s website.
Apple QuickTime: Apple has released version 7.7.5 of QuickTime to fix vulnerabilities. Updates are available from within the program or Apple’s website.
Apple TV: Apple has released version 6.0.2 for Apple TV to fix a vulnerability. Updates are available from within the program or Apple’s website.
Google Chrome: Google has released version 33.0.1750.124 of Chrome for Windows, Mac, Linux and Chrome Frame to fix highly critical unpatched vulnerabilities in previous versions. Updates are available through the program.
Piriform CCleaner: Piriform has released version 4.11.4619 for CCleaner. Download is available from Piriform’s website.
Siber Systems RoboForm: Siber Systems has released version 7.9.5 of Roboform. Updates are available from within the program (look for the “Check New Version” button on the Options menu) or as a download from the Roboform website.
Adobe Flash 12.0.0.70 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.06
Dropbox 2.6.13 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 27.0.1
Google Chrome 33.0.1750.124
Internet Explorer 11.0.9600.16518 [Windows 7: IE]
Internet Explorer 11.0.9600.16384 [Windows 8: IE]
Java SE 7 Update 51 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7
Safari 7.0.2 [Mac OS X]
Skype 6.14.0.104
Newly Announced Unpatched Vulnerabilities
Linksys E-Series Wireless Router: Secunia reports unpatched highly critical vulnerabilities in Linksys’ E-Series Routers including E4200, EA3500, EA2700, and EA4500. Other versions may also be affected. No official solution is currently available.
Linksys WRT120N Wireless Router: Secunia reports a moderately critical unpatched vulnerability in Linksys’ WRT120N Wireless Router reported in firmware version 1.0.07. Other versions may also be affected. No official solution is currently available.
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.