The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.
Important Security Updates
Apple iOS: Apple has released iOS 6.1.3 for the iPhone 3GS or later, iPod touch 4thgeneration or later, and iPad 2 or later to address multiple vulnerabilities. Updates are available through the device or iTunes. Apple has also implemented two step verification, which we recommend. See the story in the Cyber Warning Section of this week’s Cyber Security News of the Week. This update also fixes the vulnerability we first alerted readers to in Weekend Vulnerability and Patch Report, February 17, 2013.
Apple TV: Apple has released version 5.2.1 to fix several vulnerabilities. Updates are available through the device.
RealPlayer: RealPlayer has released version 16.0.1.18 to fix a highly critical vulnerability. The update is available from RealPlayer’s website.
Google Chrome: Google has released version 25.0.1364.173 of Chrome to address multiple vulnerabilities. According to Google, they will be pushing out updates over the next several days.
Google Picasa: Google has released version 3.9.0 an update to fix several highly critical vulnerabilities. Updates are available from Google’s website.
Adobe Flash 11.6.602.180 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.02
Dropbox 1.6.11 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 19.0.2 [Windows]
Google Chrome 25.0.1364.173
Internet Explorer 10.0.9200.16521 [Windows 7: IE]
Internet Explorer 10.0.9200.16519 [Windows 8: IE]
Java SE 7 Update 17 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have particular web sites that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser – such as Chrome, IE9, Safari, etc – with Java enabled to browse only the sites that require it.]
QuickTime 7.7.3 (1680.64)
Safari 5.1.7 [Windows]
Safari 6.0.3 [Mac OS X]
Skype 6.2.0.106
Newly Announced Unpatched Vulnerabilities
None
For an updated list of previously announced Unpatched Vulnerabilities, please see theresources section of Citadel’s website.
For Your IT Department
McAfee: Secunia reports a vulnerability in McAfee’s Vulnerability Manager in versions 7.5.0 and 7.5.1. Apply hotfix. The vendor is planning to release a MVM 7.5.2 patch at the end of March.
Symantec NetBackup: Secunia reports a vulnerability in Symantec’s NetBackup. Upgrade to version 2.5.x or later.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.
Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community
The IT Summit would like to thank Citadel Information Groupfor allowing us to provide this information to you.
Read More
| Comments Off on Weekend Vulnerability and Patch Report, March 24, 2013
Computer Networks in South Korea Are Paralyzed in Cyberattacks: SEOUL, South Korea – Computer networks running three major South Korean banks and the country’s two largest broadcasters were paralyzed Wednesday in attacks that some experts suspected originated in North Korea, which has consistently threatened to cripple its far richer neighbor. The New York Times, March 20, 2013
Botnet Business Booming: Some dismantled botnets rank in the top ten most prevalent as old bot malware gets repurposed, according to new Fortinet report. Dark Reading, March 19, 2013
The Obscurest Epoch is Today: To say that there is a law enforcement manhunt on for the individuals responsible for posting credit report information on public figures and celebrities at the rogue site exposed.su would be a major understatement. I like to think that when that investigation is completed, some of the information I’ve helped to uncover about those affiliated with the site will come to light. For now, however, I’m content to retrace some of my footwork this past weekend that went into tracking individuals who may have been responsible for attacking my site and SWATing my home last Thursday. KrebsOnSecurity, March 18, 2013
Cyber Privacy
Privacy 101: Skype Leaks Your Location: The events of the past week reminded me of a privacy topic I’ve been meaning to revisit: That voice-over-IP telephony service Skype constantly exposes your Internet address to the entire world, and that there are now numerous free and commercial tools that can be used to link Skype user account names to numeric Internet addresses. KrebsOnSecurity, March 21, 2013
Apple Strengthens iCloud Security With 2-Step Authentication: Apple on Thursday rolled out a tool that strengthens password security for Apple accounts: two-step verification, a feature widely available for many Web services. The New York Times, March 21, 2013
Google Fully Implements Security Feature on DNS Lookups: IDG News Service – Google has fully implemented a security feature that ensures a person looking up a website isn’t inadvertently directed to a fake one. CIO, March 19, 2013
Security-Bug Rating System Gets A Makeover: The Common Vulnerability Scoring System will be moving to its third iteration next year, aiming to make the rankings more objective and add more ratings to increase accuracy. DarkReading, March 19, 2013
Security of Open-Source Software Again Being Scrutinized: A recent round of flaws discovered in open-source software has reignited concerns that security is getting bypassed in the rush to continue expanding the large and extremely popular code base used by millions. CIO, March 13, 2013
Cyber Security Management
Most Small Businesses Don’t Recover From Cybercrime: In light of the growing number of high-profile cyber-attacks hitting tech and financial institutions across the country, the U.S. House Small Business Subcommittee on Health and Technology held a hearing Thursday on the topic of “Protecting Small Businesses Against Emerging and Complex Cyber-Attacks.” Fox News, March 21, 2013
The Seven Deadly Sins of Data Security: There is no shortage of advice on how to secure electronic information. Companies can look to pronouncements by state and federal agencies (for example, the recent statements by the California Attorney General and the Federal Trade Commission on mobile application security), private industry (like the Payment Card Industry’s Data Security Standards) and foreign standards (like the European Union Data Protection Directive). There is guidance regarding technical standards, corporate protocols, contracting requirements and others. Michael Gold, Esq., Robert Braun, Esq., Jeffer Mangels Butler Mitchell, March 18, 2013
National Cyber Security
Privacy Protection for Documents Stored in the Cloud Gets DoJ Nod: As House subcommittee weighs overhaul of 1986 statute to strengthen privacy in the cloud, senators introduce their own legislation to update Electronic Communications Privacy Act. Department of Justice affirms the Obama administration’s support for an overhaul.CIO, March 19, 2013
America’s 3 Biggest Cybersecurity Vunerabilities: When James Clapper, the country’s top intelligence official, visited Capitol Hill this week to discuss the major threats facing America, he put cyberattacks at the top of the list. National Journal, March 13, 2013
Cyber Law
Wholesalers Hid Data Breach From Customers, Suit Says: Restaurant and grocery suppliers Jetro Holdings LLC, Jetro Cash & Carry Enterprises LLC and Restaurant Depot LLC were hit Friday with a proposed class action over their alleged failure to notify consumers of a data breach that exposed confidential credit and debit card information. LAW 360, February 27, 2013
Genesco takes VISA to court over data breach: Nashville-based retailer Genesco Inc. is suing VISA, accusing the credit-card company of wrongfully taking more than $13 million as punishment for a data breach. The Tennessean, March 8, 2013
Cyber Survey
Third-Party Applications to Blame for 87 Percent of Vulnerabilities Last Year: Third-party applications accounted for a whopping percentage of vulnerabilities last year, many more than security flaws found in Microsoft programs according to a report released this week by Danish vulnerability research firm Secunia. ThreatPost, March 15, 2013
Survey: Investors Crave More Cyber Security Transparency: As corporate America continues to grapple with the mounting cyber threat, a new survey reveals investors want more information about security practices and may even shun stocks of companies with a poor cyber track record. Fox News, March 4, 2013
Securing the Village-Events Calendar
NAWBO Ventura County March Dinner Meeting, March 28, 2013: Citadel Vice President Ms. Kimberly Pease, CISSP, will speak on cybersecurity at the monthly meeting of the Ventura County Chapter of the National Association of Women Business Owners. In her talk The Growing Cyber Threat: Why the Bad Guys are Winning!, Kimberly will identify threats to information and computers, review common weaknesses being exploited by the bad guys and offer proactive steps you can take at business and at home to increase your security posture and decrease your exposure.
SecureIT-2013, March 28, 2013: David Lam, our newest Citadel partner and ISSA Los Angeles VP, will be speaking at SecureIT on 28 March regarding the appropriate use of ISO 27001/2 as an information security framework. David will be showing how the framework is extensible to all different sizes of organizations, and how it helps you achieve both security and compliance. For more information and to register, visitwww.secureitconf.com.
ISSA-LA April Lunch Meeting; April 17, 2013. For more information and to register, visitISSA-LA.
Santa Monica Rotary Club; Lunch Meeting, May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk – It Takes the Village to Secure the Village SM – Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user’s computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.
ISSA-LA Fifth Annual Information Security Summit; May 21, 2013: Join over 500 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator. For more information and to register, visit ISSA-LA.
Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community
The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.
Read More
| Comments Off on Cyber Security News of the Week, March 24, 2013
The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.
Important Security Updates
Adobe Flash Player / AIR: Adobe has released an update to fix at least 4 highly critical vulnerabilities in its Flash Player and AIR. Updates are available from Adobe’s website.
Apple OS X Mountain Lion: Apple has released OS X Mountain Lion v10.8.3 to fix at least 17 vulnerabilities, some of which are highly critical. Updates are available fromApple’s website.
Apple Safari: Apple has released version 6.0.3 of Safari which is a part of OS X Mountain Lion to fix at least 17 vulnerabilities, some of which are highly critical. Updates are available from Apple’s website.
Google Chrome: Google has released an update to Chrome to fix a highly critical vulnerability. Update to version version 25.0.1364.172 for Windows either through the program or from Chrome’s website.
Microsoft Internet Explorer: Microsoft has released version 10.0.9200.16521 for Internet Explorer. This version runs on Windows 7. Update through the Windows Control Panel.
Microsoft Patch Tuesday: Microsoft released 7 updates addressing at least 20 security vulnerabilities, many of them highly critical in Windows, Internet Explorer, Microsoft Silverlight, Microsoft Office and Microsoft SharePoint. Updates are available for Windows XP, Vista, Windows 7, Windows 8, Windows Server 2003, 2008 and 2012. Updates are available via Windows Update or from Automatic Update.
Adobe Flash 11.6.602.180 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.02
Dropbox 1.6.11 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 19.0.2 [Windows]
Google Chrome 25.0.1364.172
Internet Explorer 10.0.9200.16521 [Windows 7: IE]
Internet Explorer 10.0.9200.16519 [Windows 8: IE]
Java SE 7 Update 17 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have particular web sites that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser – such as Chrome, IE9, Safari, etc – with Java enabled to browse only the sites that require it.]
QuickTime 7.7.3 (1680.64)
Safari 5.1.7 [Windows]
Safari 6.0.3 [Mac OS X]
Skype 6.2.0.106
Newly Announced Unpatched Vulnerabilities
None
Important Unpatched Vulnerabilities has moved!
For an updated list of previously announced Unpatched Vulnerabilities, please see theresources section of Citadel’s website.
For Your IT Department
Novell Messenger / Groupwise Messenger: Novell has released updates to its Novell Messenger Client and its Groupwise Messenger to fix a highly critical vulnerability in Novell Messenger 2.2.1 and prior, Novell Messenger 2.1 and prior and GroupWise Messenger 2.04 and prior. Update to version 2.2.2 or later.
Oracle Solaris: Secunia reports Oracle has released updates for multiple products to fix numerous vulnerabilities, some of which are highly critical. Apply appropriate updates.
WordPress: Secunia reports vulnerabilities in several WordPress plugins. Patches are available for some of these, but no patches are yet available for others. Check WordPress regularly and monitor closely for updates.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.
Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community
The IT Summit would like to thank Citadel Information Groupfor allowing us to provide this information to you.
Read More
| Comments Off on Weekend Vulnerability and Patch Report, March 17, 2013
US government cyber-security database taken offline due to hacker attack: A federal government database that stores malicious viruses and cyber-attacks has been taken offline following the detection of a hacker attack on its servers. The database is meant to provide an early warning of Internet infiltration by new viruses. RT, March 15, 2013
Israeli Government Websites Targeted in Watering Hole Attack: A new watering hole attack has been reported, this one targeting two government-related websites based in Israel that have been injected with malware exploiting a six-month-old vulnerability in Internet Explorer. ThreatPost, March 13, 2013
Top Credit Agencies Say Hackers Stole Celebrity Reports: Experian Plc (EXPN), Equifax Inc. (EFX) and TransUnion Corp. (TRUN), the three biggest U.S. credit-reporting companies, said they uncovered cases where hackers gained illegal, unauthorized access to users’ information. Bloomberg, March 12, 2013
Cyber Underworld
The World Has No Room For Cowards: It’s not often that one has the opportunity to be the target of a cyber and kinetic attack at the same time. But that is exactly what’s happened to me and my Web site over the past 24 hours. On Thursday afternoon, my site was the target of a fairly massive denial of service attack. That attack was punctuated by a visit from a heavily armed local police unit that was tricked into responding to a 911 call spoofed to look like it came from my home. KrebsOnSecurity, March 15, 2013
Credit Reports Sold for Cheap in the Underweb: Following the online publication of Social Security numbers and other sensitive data on high-profile Americans, the three major credit reporting bureaus say they’ve uncovered cases where hackers gained access to users’ information, Bloomberg reports. The disclosure, while probably discomforting for many, offers but a glimpse of the sensitive data available to denizens of the cybercrime underworld, which hosts several storefronts that sell cheap, illegal access to consumer credit reports. KrebsOnSecurity, March 13, 2013
Cyber Privacy
Privacy backlash against CISPA cybersecurity bill gains traction: A petition to the White House asking the president to “stop” a controversial cybersecurity bill passes the 100,000 mark. The only problem: President Obama has already threatened to veto it.CNet, March 13, 2013
Cyber Defense
New Google Site Aimed At Helping Webmasters of Hacked Sites: IDG News Service (Miami Bureau) – Google has launched a site for webmasters whose sites have been hacked, something that the company says happens thousands of times every day. CIO, March 13, 2013
Help Keep Threats at Bay With ‘Click-to-Play’: Muzzling buggy and insecure Web browser plugins like Java and Flash goes a long way toward blocking attacks from drive-by downloads and hacked or malicious Web sites. But leaving them entirely unplugged from the browser is not always practical, particularly with Flash, which is used on a majority of sites. Fortunately for many users, there is a relatively simple and effective alternative: Click-to-Play. KrebsOnSecurity, March 13, 2013
Microsoft to Roll Out Windows Store App Patches Quickly: IDG News Service – Microsoft will release security updates for applications in its Windows Store as those patches are available in order to speed up the updating process. CIO, March 13, 2013
Cyber Update
Apple Fixes OS X Flaw That Allowed Java Apps to Run With Plugin Disabled: Apple on Thursday released a large batch of security fixes for its OS X operating system, one of which patches a flaw that allowed Java Web Start applications to run even when users had Java disabled in the browser. OS X 10.8.3 fixes 21 total vulnerabilities, and also includes a new version of the malware removal tool for Apple machines. ThreatPost, March 15, 2013
Critical Updates for Windows, Adobe Flash, Air: Microsoft and Adobe each released patches today to plug critical security holes in their products. Microsoft issued seven update bundles to address at least 19 20 vulnerabilities in Windows and related software. Adobe released the fourth security update in nearly as many weeks for its Flash Player software, as well as a fix for Adobe AIR. KrebsOnSecurity, March 12, 2013
National Cyber Security
Obama: Cybersecurity ‘key’ in talks with China: In talks with Chinese President Xi Jinping, President Obama stated that cybersecurity is a “key” topic in discussions between both nations. ZDNet, March 15, 2013
Intelligence Officials See Cyberattacks As a Top US Threat: IDG News Service (Washington, D.C., Bureau) – Cyberattacks are near the top of the list of most serious threats facing the U.S., with the rivaling concerns about terrorism and North Korea, intelligence officials with President Barack Obama’s administration said. CIO, March 12, 2013
Cyber Law
Apparel Company Files Landmark Lawsuit Against Visa in PCI Dispute: A Tennessee-based footwear and apparel company has filed a $13 million lawsuit against Visa for what it considers random, subjective penalties for being out of compliance with the Payment Card Industry (PCI) standard the credit card company regulates. ThreatPost, March 12, 2013
Cyber Survey
DDoS, Malware Attacks Cost Victims Thousands Of Dollars A Day: New eye-popping data shows the cost of cyberattacks to victim organizations: They spend as much as $6,500 per hour to recover from DDoS attacks, and $3,000 a day for up to 30 days recovering from malware infections. DarkReading, March 12, 2013
Cyber Research
Cryptographers Demonstrate New Crack For Common Web Encryption: It’s long been known that one of the oldest and most widely used standards for encrypting web sites has some serious weaknesses. But one group of researchers has found a method that downgrades that security scheme from vaguely flawed to demonstrably breakable.Forbes, March 13, 2013
Securing the Village-Events Calendar
ISSA-LA March Dinner Meeting; March 20, 2013. Garret Grajek, CTO / COO, SecureAuth Corporation will speak on Securing Mobile Apps for the Enterprise. Luminaria’s 3500 West Ramona Boulevard. Monterey Park. 6:30 – 8:45. For more information and to register, visit ISSA-LA.
NAWBO Ventura County March Dinner Meeting, March 28, 2013: Citadel Vice President Ms. Kimberly Pease, CISSP, will speak on cybersecurity at the monthly meeting of the Ventura County Chapter of the National Association of Women Business Owners. In her talk The Growing Cyber Threat: Why the Bad Guys are Winning!, Kimberly will identify threats to information and computers, review common weaknesses being exploited by the bad guys and offer proactive steps you can take at business and at home to increase your security posture and decrease your exposure.
SecureIT-2013, March 28, 2013: David Lam, our newest Citadel partner and ISSA Los Angeles VP, will be speaking at SecureIT on 28 March regarding the appropriate use of ISO 27001/2 as an information security framework. David will be showing how the framework is extensible to all different sizes of organizations, and how it helps you achieve both security and compliance. For more information and to register, visitwww.secureitconf.com.
ISSA-LA April Lunch Meeting; April 17, 2013. For more information and to register, visitISSA-LA.
Santa Monica Rotary Club; Lunch Meeting, May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk – It Takes the Village to Secure the Village SM – Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user’s computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.
ISSA-LA Fifth Annual Information Security Summit; May 21, 2013: Join over 500 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator. For more information and to register, visit ISSA-LA.
Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community
The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.
Read More
| Comments Off on Cyber Security News of the Week, March 17, 2013
The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.
Important Security Updates
Adobe Flash: Adobe has released version 11.6.602.171 for Flash to fix extremely critical vulnerabilities. Updates are available from within the program or Adobe’s website.
Mozilla Firefox: Mozilla has released version 19.0.1 of Firefox. Updates are available through Firefox.
Adobe Flash 11.6.602.171 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.01
Dropbox 1.6.11 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 19.0 [Windows]
Google Chrome 25.0.1364.97
Internet Explorer 9.0.8112.16421 [Windows 7: IE], [See warning below]
Internet Explorer 10.0.9200.16484 [Windows 8: IE]
Java SE 7 Update 15 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have particular web sites that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser – such as Chrome, IE9, Safari, etc – with Java enabled to browse only the sites that require it.]
QuickTime 7.7.3 (1680.64)
Safari 5.1.7 [Windows, See warning below]
Safari 6.0.2 [Mac OS X]
Skype 6.2.0.106
Newly Announced Unpatched Vulnerabilities
Oracle Java: Secunia reports an extremely critical vulnerability in Oracle’s Java. The vulnerability is reported in version 7 update 15 and version 6 update 41. Other versions may also be affected. See Citadel’s recommendation above.
For Your IT Department
McAfee VirusScan Enterprise: McAfee has released updates to its VirusScan. Apply VSE88HF778101 or Patch 3.
Android Browser: Secunia reports a less critical vulnerability in the Android browser that can be exploited to trick a user into believing he is connected to a trusted site by including the trusted site in an iframe. The vulnerability is confirmed in Browser version 2.3.3 included in Android version 2.3.3 and Browser version 3.2 included in Android version 3.2. Other versions may also be affected. Users are cautioned to not rely on displayed certificate information. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.
Apple iOS for iPhone: Secunia and The Verge both report a weakness in Apple’s iOS for iPhone 3GS and later that would allow someone with physical access to bypass the lock screen. No official solution is currently available. Reportedly Apple is planning to release an update. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 17, 2013.
Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31, 2011.
Symantec pcAnywhere: As we reported in our Cyber Security News of the Week, January 29, 2012, Symantec has confirmed that the hacker group Anonymous stole source code from the 2006 versions of several Norton security products and the pcAnywhere remote access tool. Symantec has advised users to disable pcAnywhere because of the theft of the pcAnywhere source code.
ACD Systems:Citadel recommends users remove all ACD Systems programs from their computers. ACD Systems has failed to patch significant critical vulnerabilities in their programs dating back more than a year. Consequently Citadel recommends users remove all ACD Systems programs from their computers until the company fixes these vulnerabilities and pays proper attention to the implications of their security vulnerabilities in opening doors to cyber criminals . The community cannot tolerate a head-in-the-sand attitude, whether by developers or the people who purchase and use their programs. The consequences of willful ignorance are too grave.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.
Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community
The IT Summit would like to thank Citadel Information Groupfor allowing us to provide this information to you.
Read More
| Comments Off on Weekend Vulnerability and Patch Report, March 3, 2013
Microsoft joins Apple, Facebook as target of hackers: Feb. 23 (Bloomberg) – Microsoft Corp., the largest software maker, said a small number of its computers were infected by malicious software in a cyberattack similar to those experienced by Facebook Inc. and Apple Inc. The Washington Post, February 23, 2013
Hack On Zendesk Affects Twitter, Pinterest, Tumblr Users: The hack of a common provider of customer service software may put the personal information of Twitter, Pinterest, and Tumblr customers at risk, the companies said today. DarkReading, February 22, 2013
Cyber Espionage
From Shanghai With Love: Espionage, like so many things these days, ain’t what it used to be now that the computer has supplanted the cloak and dagger. While James Bond used to ply his trade in exotic locales, surrounded by beautiful women and driving fancy sports cars equipped with all sorts of great gadgets, spies now are hackers holed up in nondescript office buildings in Shanghai. Barron’s, February 23, 2013
Cyber Privacy
Audit finds problems with census information security: Weaknesses in Census Bureau information security could compromise the confidentiality and integrity of the agency’s survey data, according to a report released Wednesday by Congress’s auditing department. The Washington Post, February 22, 2013
Identity Theft
Identity Theft Remains Top Consumer Complaint Fielded by FTC: The FTC’s annual look at its Consumer Sentinel Network database of complaints found that 2012 was the first year the agency got more than 2 million complaints overall, and 369,132, or 18%, were related to identity theft. Of those, more than 43% related to tax- or wage-related fraud, the agency stated. CIO, February 26, 2013
Incidence of Identity Theft Hits 3-Year High: Identity theft in the United States rose to a three-year high in 2012, with more than 5 percent of the adult population, or 12.6 million people, falling victim to such crimes, says a new survey. Yahoo, February 25, 2013
Cyber Misc
Here’s What Law Enforcement Can Recover From A Seized iPhone: You may think of your iPhone as a friendly personal assistant. But once it’s alone in a room full of law enforcement officials, you might be surprised at the revealing things it will say about you. Forbes, February 26, 2013
BBC blocked in China just days after reporting on Chinese hackers: The British Broadcasting Corporation may have discovered a new “red line” for the Chinese government: don’t bring reporters near the Shanghai complex where China’s suspected military hacking team is thought to be located. The Washington Post, February 25, 2013
Cyber Warning
Evernote Resets Everyone’s Passwords After Intrusion: Evernote’s security team has detected a coordinated attempt to gain access to secured areas of their systems. So as to be safe, rather than sorry, they have forced all users to reset their passwords before proceeding to use the service. InformationWeek March 2, 2013
Dropbox Users Reporting More Spam Following Last Summer’s Breach: It appears the breach of cloud-based storage service Dropbox last year has spurned another wave of spam over the last week or so. Users began posting complaints on the service’s Bugs and Troubleshooting forum yesterday claiming that their Dropbox-specific accounts started receiving spam again last weekend. ThreatPost, March 1, 2013
New Java 0-Day Attack Echoes Bit9 Breach: Once again, attackers are leveraging a previously unknown critical security hole in Java to break into targeted computers. Interestingly, the malware and networks used in this latest attack match those found in the recently disclosed breach at security firm Bit9. KrebsOnSecurity, March 1, 2013
Japanese agency warns of information-stealing Android porn app: IDG News Service (Tokyo Bureau) – A Japanese Internet security agency has issued a public warning about Android apps that offer free images of scantily clad models to trick users into giving up their personal details. CIO, March 1, 2013
NBC hack infects visitors in ‘drive by’ cyberattack: Chances are, you know not to open that e-mail attachment from the “Nigerian prince” who wants to give you a hundred grand. But a hack of some NBC.com sites on Thursday proves you can accidentally download malware even when visiting a reputable website. CNN, February 23, 2013
Move Over, APTs – The RAM-Based Advanced Volatile Threat Is Spinning Up Fast: For security pros, the advanced persistent threat (APT) has become a term as everyday as virus or Trojan horse. But as defenders become increasingly wise to the APT, experts say, attackers are now trying a new approach: the advanced volatile threat (AVT). Dark Reading, February 22, 2013
Cyber Defense
Amid Hacking Headaches, Twitter Begins Using Email Authentication: Amid a string of hackings this week, Twitter said it has begun using a new security protocol that will help reduce email-based abuse and ensure that emails coming from a Twitter.com address are authentic. Fox News, February 22, 2013
Cyber Security Management
More Companies Reporting Cyber Security Incidents: At least 19 financial institutions have disclosed to investors in recent weeks that their computers were targets of malicious cyberassaults last year, a sign of growing openness among corporations about the breadth of cybersecurity incidents plaguing the private sector. The Washington Pose, March 1, 2013
A Vulnerability Disclosure Game Changer: Two new ISO standards will push third-party developers, online service providers and even hardware vendors to stop ignoring vulnerability disclosures. DarkReading, March 1, 2013
Tale Of Two Compromises Provides Lessons For SMBs: The stories behind the hacking of a startup’s CEO and a journalist, as told at the RSA Conference, provides small and medium businesses with good tactics to secure their businesses. DarkReading, March 1, 2013
IT Security Managers Too Focused on Compliance, Experts Say: Companies with IT security strategies that focus mostly on complying with key standards are dangerously unprepared for emerging cyber threats, said security experts at the RSA Conference 2013 here this week. CIO, March 1, 2013
Cloud Security Falls Short … But Could Be Great: SAN FRANCISCO – RSA CONFERENCE 2013 – Public cloud services could have better security than the vast majority of corporate on-premise networks, but today’s tools fail to provide needed protections, and providers and security firms fall short of the cooperation necessary to build security into the cloud. DarkReading, February 26, 2013
Securing the Village
Cyber Attacks and Cyber Crime Abroad: Veteran CLBR guest Stan Stahl returns to explain what is going on and what is or should be done about it. They discuss the major Cyber Attacks against the U.S. and U.S. businesses from Iran and China and of an emerging marketplace for Cyber Crime in Russia. WebmasterRadio, February 28, 2013
NIST seeks cybersecurity guidance: The National Institute of Standards and Technology issued a request for information in the Feb. 26 Federal Register asking for comments to help develop a cybersecurity framework and guidance. FCW, February 26, 2013
An Eerie Silence on Cybersecurity: Apart from a few companies like Google, which revealed that Chinese hackers had tried to read its users’ e-mail messages, American companies have been disturbingly silent about cyberattacks on their computer systems – apparently in fear that this disclosure will unnerve customers and shareholders and invite lawsuits and unwanted scrutiny from the government. The New York Times, February 27, 2013
ISSA-LA
Executive Forum: 5th Annual Information Security Summit The Growing Cyber Threat: Protect Your Business:Tuesday, May 21, 2013 8:30 – 11:00 Information risk is business risk. Managing information risk is now the responsibility of executive and senior management. From Main Street to Wall Street, cybercriminals are stealing our money, our trade secrets, our credit cards, our personal health information, our identities and our ability to conduct commerce. Laws, regulations and contractual agreements are raising the cost of insecurity. Business, not-for-profits and government agencies have become the first line-of-defense. ISSA-LA
National Cyber Security
New Evidence Shows Stuxnet Used Since At Least 2007: IDG News Service – Researchers from security firm Symantec have found and analyzed a version of the Stuxnet cybersabotage malware that predates previously discovered versions by at least two years and used a different method of disrupting uranium enrichment processes at Iran’s nuclear facility at Natanz. CIO, February 26, 2013
U.K., India Sign Cybersecurity Pact: U.K. Prime Minister David Cameron last week signed a cybersecurity deal with India’s Prime Minister Manmohan Singh to reassure Brits about protection of data held by outsourcers or cloud companies in India.Information Week, February 25, 2013
Obama’s Five-Point Plan To Fight Cyber-Crime: Continued cyber-attacks on the United States may soon be met with trade or diplomatic punishment against the nations of origin. The Obama administration last week listed more than a dozen instances of international assaults against U.S. businesses, resulting in stolen trade secrets, blunted competitive edge and lost American jobs. Forbes, February 23, 2013
White House will soon revive cybersecurity legislation push: (Reuters) – A senior adviser to President Barack Obama said the White House will soon renew efforts to push cybersecurity legislation through Congress, though he foresaw an uphill battle given the failure of the last attempt. Reuters, February 25, 2013
Chinese army hackers are the tip of the cyberwarfare iceberg: China is awash with nondescript new office buildings so the 12-storey tower on the outskirts of Shanghai’s Pudong area hardly looked likely to cause global headlines. Not even propaganda posters on walls surrounding it or People’s Liberation Army guards standing at the gates made the building stand out. The Guardian, February 23, 2013
Cyber Sunshine
Latest Kelihos Botnet Shut Down Live at RSA Conference 2013: The third version of the prolific peer-to-peer botnet responsible for volumes of pharmaceutical spam, Bitcoin wallet theft and credential harvesting was shut down before a live audience today at RSA Conference 2013. February 26, 2013
Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community
The IT Summit would like to thank Citadel Information Groupfor allowing us to provide this information to you.
Read More
| Comments Off on Cyber Security News of the Week, March 3, 2013