Landmark Leadership Conferences for IT Executives
 

The IT Blog



by Fred F. Farkel, Monday, June 24th, 2013

 

Guest column by Citadel Information Group

Weekend Vulnerability and Patch Report

Important Security Updates

Apple Mac OS X: Apple has released an update to Java for Mac OS X to fix at least 34 vulnerabilities, some of which are highly critical. Update to Mac OS X 10.6 Update 16.

Google Chrome: Google has released version 27.0.1453.116 of Chrome to fix a vulnerability. Updates are available through the browser or Google’s website.

Oracle Java: Oracle has released Java SE 7 Update 25 to fix at least 40 vulnerabilities in Java. Download the update from the Java Console or the Java website.

VLC Media Player: VLC has released version 2.0.7 of its Media Player to fix moderately critical vulnerabilities reported in previous versions. Download the version from VLC’s website.

Current Software Versions

Adobe Flash 11.7.700.224 [Windows 7: IE9, Firefox, Mozilla, Netscape, Opera]

Adobe Flash 11.7.700.224 [Windows 8: IE]

Adobe Flash 11.7.700.225 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.03

Dropbox 2.0.25 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 21 [Windows]

Google Chrome 27.0.1453.116

Internet Explorer 10.0.9200.16521 [Windows 7: IE]

Internet Explorer 10.0.9200.16519 [Windows 8: IE]

Java SE 7 Update 25 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have particular web sites that require Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser – such as Chrome, IE9, Safari, etc – with Java enabled to browse only the sites that require it.]

QuickTime 7.7.4

Safari 5.1.7 [Windows]

Safari 6.0.5 [Mac OS X]

Skype 6.3.0.158
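The version list above is only useful if it is actually compared against what is installed. The following script is an added example (not Citadel’s code and not part of the report): it transcribes the baseline from the list, parses dotted versions and Java’s “7 Update 25” form into comparable tuples, and flags any installed version that falls below the baseline. The inventory it checks is constructed sample data, and the product keys are labels chosen here, not names from the report.

```python
"""Compare an installed-software inventory against the report's baseline.

Added example, not part of Citadel's report. BASELINE is transcribed from
the "Current Software Versions" list; SAMPLE_INVENTORY is constructed data.
"""
import re

# Baseline transcribed from the June 23, 2013 "Current Software Versions" list.
# Product labels are chosen here for readability (assumption, not report text).
BASELINE = {
    "Adobe Flash [Windows 7]": "11.7.700.224",
    "Adobe Reader": "11.0.03",
    "Firefox": "21",
    "Google Chrome": "27.0.1453.116",
    "Java SE": "7 Update 25",
    "Safari [Mac OS X]": "6.0.5",
    "Skype": "6.3.0.158",
}


def parse_version(text):
    """Turn '11.7.700.224', '7 Update 25' or '21' into a tuple of ints.

    Every run of digits becomes one component, so Java's 'Update NN'
    suffix is treated as a trailing component of the version.
    """
    numbers = re.findall(r"\d+", text)
    if not numbers:
        raise ValueError(f"no version digits in {text!r}")
    return tuple(int(n) for n in numbers)


def compare_versions(installed, baseline):
    """Return -1, 0 or 1 for installed <, ==, > baseline.

    Shorter tuples are padded with zeros so that '21' equals '21.0'.
    """
    a, b = parse_version(installed), parse_version(baseline)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return (a > b) - (a < b)


def outdated(inventory, baseline=BASELINE):
    """List (product, installed, expected) for every product below baseline.

    Products absent from the inventory are skipped: not installed means
    nothing to patch on this host.
    """
    findings = []
    for product, expected in baseline.items():
        installed = inventory.get(product)
        if installed is None:
            continue
        if compare_versions(installed, expected) < 0:
            findings.append((product, installed, expected))
    return findings


# Constructed sample inventory: three products still at the previous
# report's versions, the rest current, Safari not installed.
SAMPLE_INVENTORY = {
    "Adobe Flash [Windows 7]": "11.7.700.202",
    "Adobe Reader": "11.0.03",
    "Firefox": "21.0",
    "Google Chrome": "27.0.1453.110",
    "Java SE": "7 Update 21",
    "Skype": "6.3.0.158",
}

if __name__ == "__main__":
    for product, have, want in outdated(SAMPLE_INVENTORY):
        print(f"{product}: installed {have}, report lists {want}")
```

Run as-is it reports Flash, Chrome and Java as behind the baseline; in practice the inventory dictionary would be filled from the host’s package or registry data rather than typed in, and the baseline would be refreshed from each week’s report.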

Newly Announced Unpatched Vulnerabilities 

None

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Symantec Endpoint: Secunia reports a moderately critical vulnerability in Symantec’s Endpoint Protection Manager. Update to version 12.1 RU3.


If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.

 

Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community


The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.

Weekend Vulnerability and Patch Report, June 23, 2013

by Fred F. Farkel, Monday, June 24th, 2013

 

Guest column by Citadel Information Group

Cyber Security News of the Week

Cyber Privacy

Facebook admits year-long data breach exposed six million users: (Reuters) – Facebook Inc has inadvertently exposed 6 million users’ phone numbers and email addresses to unauthorized viewers over the past year, the world’s largest social networking company disclosed late Friday. Reuters, June 22, 201 

Newly disclosed papers give rules for NSA surveillance without a warrant: Classified documents newly made available to The Washington Post and the Guardian describe the National Security Agency’s procedures for protecting the privacy of U.S. citizens. Since Edward Snowden, a former NSA contractor, first leaked documents describing the agency’s surveillance program this month, it has become the subject of intense controversy here and abroad. The new disclosures did not mollify the agency’s critics. The Washington Post, June 21, 2013

Edward Snowden: the truth about US surveillance will emerge: The NSA whistleblower Edward Snowden has warned that the truth about the extent of surveillance carried out by US authorities would emerge, even if he was eventually silenced. The Guardian, June 17, 2013

Intel Leaker Edward Snowden Attacks NSA’s Distinction Between Americans And Foreigners: Debate over the National Security Agency’s spying powers has long focused on its potentially unconstitutional spying on Americans. But as NSA leaker Edward Snowden reveals more of his motives to the public, it now seems he’s equally critical of the NSA’s legal core mission: practically unlimited spying on foreigners. Forbes, June 17, 2013

Cyber Warning

COMMON WEB VULNERABILITIES PLAGUE TOP WORDPRESS PLUG-INS: Since late March, no fewer than a half-dozen high profile attacks have involved a compromised website built on the WordPress platform. Attackers abuse vulnerabilities in the content management system’s customizable plug-ins and themes to pull off anything from drive-by downloads to watering hole attacks. ThreatPost, June 20, 2013

Online Bank Fraud

Double Cashing With Mobile Banking: The case of a Kentucky man arrested this month for using mobile banking to steal thousands of dollars from a local supermarket chain highlights the security loopholes that thieves can exploit in mobile check deposit schemes being deployed by financial institutions across the country. KrebsOnSecurity, June 17, 2013

ACH Fraud Cases: Lessons for Banks: Former federal banking examiner Amy McHugh says banks can learn a lot from recent legal decisions and settlements in account takeover cases, including which authentication and online-banking security investments they should make. BankInfoSecurity, June 17, 2013

Cyber Security Management

Cyber crime: Is it on your radar?: The costs associated with cyber crime are rising. Annie Plaskett looks at the solutions available to business. Financial Director, June 17, 2013

How ME Bank moved information security from IT to the boardroom: A concerted effort to push information-security risk from the IT group across the business organisation has had “a dramatic effect” on the profile of IT security at ME Bank, according to information security manager Lachlan McGill. CSO, June 17, 2013

Cyber Security Management – Cyber Update

Critical Update Plugs 40 Security Holes in Java: Oracle today released a critical patch update for its Java software that fixes at least 40 security vulnerabilities in this widely deployed program and browser plugin. Updates are available for Java 7 on both Mac and Windows. KrebsOnSecurity, June 18, 2013

Cyber Security Management – Cyber Defense

Microsoft to Offer Standing Bug Bounty: Microsoft said today it will pay up to $100,000 to security researchers who find and report novel methods for bypassing the security built into the latest version of the company’s flagship operating system. Researchers who go the extra mile and can also demonstrate a way to block the new attack method they’ve reported can earn an extra $50,000. KrebsOnSecurity, June 19, 2013

Windows Security 101: EMET 4.0: Several years ago, Microsoft released the Enhanced Mitigation Experience Toolkit (EMET), a free tool that can help Windows users beef up the security of third-party applications. This week, Microsoft debuted EMET 4.0, which includes some important new security protections and compatibility fixes for this unobtrusive but effective security tool. KrebsOnSecurity, June 18, 2013

Cyber Security Management – HIPAA

Six legal tips for HIPAA omnibus compliance: The HIPAA omnibus rule will go into effect on Sept. 23, but law firms are already doling out HIPAA advice to covered entities. Eileen Elliott, a partner in the Burlington, VT-based law firm Dunkiel, Saunders, Elliott, Raubvogel & Hand, concentrates on healthcare law and provided six tips for healthcare providers as they prepare for potential HIPAA audits in 2014. Health IT Security, June 18, 2013

Sara Boyns: New definition of ‘breach’ under HIPAA: Q: I am a covered health care provider subject to the Health Insurance Portability and Accountability Act (HIPAA). I recently heard there is a new rule about when we have to report if an employee accesses a patient’s medical record in violation of HIPAA. I know that I am supposed to report breaches of my patient’s protected health information, but how am I supposed to determine whether a breach has occurred? Monterey Herald, May 30, 2013

National Cyber Security

U.S. charges Snowden with espionage: Federal prosecutors have filed a criminal complaint against Edward Snowden, the former National Security Agency contractor who leaked a trove of documents about top-secret surveillance programs, and the United States has asked Hong Kong to detain him on a provisional arrest warrant, according to U.S. officials. The Washington Post, June 21, 2013

MICROSOFT’S BUG BOUNTY PROGRAM AND THE LAW OF UNINTENDED CONSEQUENCES: The Microsoft bug bounty program has been nearly a decade in the making and it is clear from the shape and size of it that the company did not simply slap the program together in order to join the cool kids. Rather, Microsoft’s security team spent years watching the way other programs work, seeing what incentives attract good researchers and looking for a system that made sense for Microsoft’s specific goals. The result is a well thought-out reward system that likely will reward good research while making customers safer at the same time. But the program may also create some unintended consequences and ripples in the security world. ThreatPost, June 21, 2013

NSA Implementing ‘Two-Person’ Rule To Stop The Next Edward Snowden: The next Edward Snowden may need a partner on the inside. On Tuesday, National Security Agency Director Keith Alexander told a congressional hearing of the Intelligence Committee that the agency is implementing a “two-person” system to prevent future leaks of classified information like the one pulled off by 29-year-old Booz Allen contractor Edward Snowden, who exfiltrated “thousands” of files according to the Guardian, to whom he has given several of the secret documents. Forbes, June 18, 2013

Obama Defends Authorization of Surveillance Programs: WASHINGTON – President Obama defended his authorization of recently revealed domestic and international surveillance programs in comments broadcast Monday night but rejected the suggestion that his policies were basically a warmed-over version of those of the last White House. The New York Times, June 17, 2013

GCHQ intercepted foreign politicians’ communications at G20 summits: Foreign politicians and officials who took part in two G20 summit meetings in London in 2009 had their computers monitored and their phone calls intercepted on the instructions of their British government hosts, according to documents seen by the Guardian. Some delegates were tricked into using internet cafes which had been set up by British intelligence agencies to read their email traffic. The Guardian, June 17, 2013

Forget PRISM: Global Cyberchiefs Say They Need to Pry Even Further: The exposure of the PRISM data-collection program might not fall squarely under the heading of the third annual International Cyber Security Conference, which concluded on Wednesday at Tel Aviv University. The secret data-collection program, by which U.S. intelligence agencies routinely vacuum up huge amounts of private communications from Internet users, stands outside the realm of safeguarding the cyberworld from attacks. PRISM is defended as an antiterrorism measure, necessary to detect plots as they are hatched between evildoers communicating with one another online. Time, June 13, 2013

Critical Infrastructure

Energy secretary creates cybersecurity council: Energy Secretary Ernest Moniz said he has created a cybersecurity council to bring together various Energy Department branches, a move that underscores increasing political and policy focus on cyber threats. The Hill, June 12, 2013

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community


The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.

Cyber Security News of the Week, June 23, 2013

by Fred F. Farkel, Monday, June 10th, 2013

 

Guest column by Citadel Information Group

Weekend Vulnerability and Patch Report

Important Security Updates

Apple iTunes: Apple has released version 11.0.4 of iTunes for both Mac OS X and Windows 64. Update through the iTunes program or Apple’s iTunes website.

Apple Mac OS X: Apple has released an update to OS X to fix at least 33 vulnerabilities, some of which are highly critical. Update to version 10.8.4 or apply Security Update 2013-002.

Apple Safari for OS X: Apple has released version 6.0.5 of Safari for OS X to fix at least 26 vulnerabilities, some of which are highly critical. Download the update from Apple’s website. This update is for OS X only and doesn’t affect the Windows version.

Dropbox: Dropbox has released version 2.0.25. Download the update from within the program or Dropbox’s website.

Google Chrome: Google has released version 27.0.1453.110 of Chrome to fix at least 10 highly critical vulnerabilities. Updates are available through the browser or Google’s website.

NetGear DGN1000: NetGear has released an update to its firmware to fix a moderately critical vulnerability in versions prior to 1.1.0.48. Download the latest version from NetGear’s website.

Skype: Skype has released version 6.5.0.158. Updates are available through the program or Skype’s website.

Current Software Versions

Adobe Flash 11.7.700.202 [Windows 7: IE9, Firefox, Mozilla, Netscape, Opera]

Adobe Flash 11.7.700.202 [Windows 8: IE]

Adobe Flash 11.7.700.202 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.03

Dropbox 2.0.25 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 21 [Windows]

Google Chrome 27.0.1453.110

Internet Explorer 10.0.9200.16521 [Windows 7: IE]

Internet Explorer 10.0.9200.16519 [Windows 8: IE]

Java SE 7 Update 21 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have particular web sites that require Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser – such as Chrome, IE9, Safari, etc – with Java enabled to browse only the sites that require it.]

QuickTime 7.7.4

Safari 5.1.7 [Windows]

Safari 6.0.5 [Mac OS X]

Skype 6.3.0.158

Newly Announced Unpatched Vulnerabilities 

None

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco WebEx Meetings Server: Secunia reports a vulnerability in Cisco’s WebEx Meetings Server in version 1.0. Other versions may also be affected. Apply patch or contact the vendor for more information.

FileMaker Pro / Pro Advanced: Secunia reports two unpatched vulnerabilities in FileMaker Pro and FileMaker Pro Advanced in versions prior to 12. These vulnerabilities are reportedly fixed in version 12.


If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.

 

Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community


The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.

Weekend Vulnerability and Patch Report, June 9, 2013

by Fred F. Farkel, Monday, June 10th, 2013

 

Guest column by Citadel Information Group

Cyber Security News of the Week

Cyber Privacy

PRISM: Here’s how the NSA wiretapped the Internet: The U.S. National Security Agency’s PRISM program is able to collect, in realtime, intelligence not limited to social networks and email accounts. But the seven tech companies accused of opening ‘back doors’ to the spy agency could well be proven innocent. ZDNet, June 8, 2013

Obama Calls Surveillance Programs Legal and Limited: WASHINGTON – President Obama offered a robust defense of newly revealed surveillance programs on Friday as more classified secrets spilled into public, complicating a summit meeting with China’s new president focused partly on human rights and cybersecurity. The New York Times, June 7, 2013

U.S., British intelligence mining data from nine U.S. Internet companies in broad secret program: The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio and video chats, photographs, e-mails, documents, and connection logs that enable analysts to track foreign targets, according to a top-secret document obtained by The Washington Post. The Washington Post, June 6, 2013

Watch Top U.S. Intelligence Officials Repeatedly Deny NSA Spying On Americans Over The Last Year (Videos): To paraphrase Joseph Heller: Just because you’re paranoid doesn’t mean they aren’t surveilling you. Forbes, June 6, 2013

Europe Continues Wrestling With Online Privacy Rules: BRUSSELS – More than a year ago, the European Union’s top justice official proposed a tough set of measures for protecting the privacy of personal data online. The New York Times, June 6, 2013

NSA’s Verizon Spying Order Specifically Targeted Americans, Not Foreigners: The National Security Agency has long justified its spying powers by arguing that its charter allows surveillance on those outside of the United States, while avoiding intrusions into the private communications of American citizens. But the latest revelation of the extent of the NSA’s surveillance shows that it has focused specifically on Americans, to the degree that its data collection has in at least one major spying incident explicitly excluded those outside the United States. Forbes, June 5, 2013 

NSA collecting phone records of millions of Verizon customers daily: The National Security Agency is currently collecting the telephone records of millions of US customers of Verizon, one of America’s largest telecoms providers, under a top secret court order issued in April. The Guardian, June 5, 2013

Online Bank Fraud

FDIC: 2011 FIS Breach Worse Than Reported: A 2011 hacker break-in at banking industry behemoth Fidelity National Information Services (FIS) was far more extensive and serious than the company disclosed in public reports, banking regulators warned FIS customers last month. The disclosure highlights a shocking lack of basic security protections throughout one of the nation’s largest financial services providers. KrebsOnSecurity, June 4, 2013

Cyber Warning

Android super-malware discovered – Is Google’s platform in peril?: Android malware has long been a very real, but limited threat to devices. These malicious software packages have so far been poorly coded, easy to detect, and even easier to remove. But a newly detected Trojan targeting Google’s platform looks more like an advanced Windows virus than Android malware. It exploits multiple previously unknown vulnerabilities in the mobile OS, uses complex code obfuscation techniques, and blocks uninstall attempts. ExtremeTech, June 7, 2013 

Android Antivirus Products a Big Flop, Researchers Say: Android smartphones and tablets are under attack, and the most popular tools developed to protect them are easily circumvented, according to new research from Northwestern University and the University of North Carolina. CIO, June 6, 2013

Cyber Security Management – Cyber Defense

Should companies be allowed to ‘hack back’?: Radio featuring Dr. Stahl. American businesses are at a loss as to what they could do to end cyber-espionage and intellectual property theft. One Internet security firm estimates that an organization is hit by malware every few minutes, and there’s very little companies can do to protect themselves or seek recourse. Air Talk with Larry Mantle. KPCC. Southern California Public Radio, June 4, 2013

How To Avoid The Virus On Facebook That Can Drain Your Bank Account: If you click on the wrong link on Facebook, a virus may find its way into your bank account and drain it of all your money. The New York Times’ Bits Blogs details how a 6-year-old virus called Zeus is all over Facebook right now. Here’s how to avoid it. Huffington Post, June 4, 2013

Some companies looking at retaliating against cyber attackers: Frustrated by their inability to stem an onslaught of computer hackers, some companies are considering adopting the standards of the Wild West to fight back against online bandits. LA Times, May 31, 2013

Cyber Security Management

Mobile Boom Turns BYOD Into Unmanaged Risk, Check Point Finds: The challenge of securing mobile technology is starting to overwhelm some IT departments, with many BYOD smartphones and tablets left in an unmanaged state despite the risk of data loss, a global survey by Check Point has found. CIO, June 7, 2013

CISOs Must Engage the Board About Information Security: With technology now at the center of nearly all business processes, information security is no longer simply an operational concern. It deserves a place on the board’s strategic agenda. And that means the CISO needs to step up in the boardroom. CIO, May 31, 2013

Securing the Village

Google Ups Bug Bounty Awards: Google has made its vulnerability reward program even more lucrative for security researchers who discover bugs in its software and services. DarkReading, June 7, 2013

Microsoft, Authorities Disrupt Hundreds of Citadel Botnets with ‘Operation B54’: Calling it the company’s “most aggressive” botnet operation to date, Microsoft has joined with the FBI for a massive disruption of the Citadel botnet. ThreatPost, June 6, 2013

The Report of the Commission on the Theft of American Intellectual Property: The scale of international theft of American intellectual property (IP) is unprecedented: hundreds of billions of dollars per year, on the order of the size of U.S. exports to Asia. IP Commission, May 2013

National Cyber Security

President Obama to Press Chinese President on Cybersecurity, As NSA Surveillance Looms Large: SAN JOSE, Calif. – News that the U.S. government has been secretly monitoring Americans’ phone calls and internet activity is threatening to derail President Obama’s efforts to press Chinese President Xi Jinping on cybersecurity when the two leaders sit down for two days of talks in California later today. ABC News, June 7, 2013

Cyber Underworld

Vrublevsky Arrested for Witness Intimidation: Pavel Vrublevsky, the owner of Russian payments firm ChronoPay and the subject of an upcoming book by this author, was arrested today in Moscow for witness intimidation in his ongoing trial for allegedly hiring hackers to attack against Assist, a top ChronoPay competitor. KrebsOnSecurity, June 5, 2013

Cashout Service for Ransomware Scammers: There are 1,001 ways to swindle people online, but the hardest part for crooks is converting those ill-gotten gains into cash. A new service catering to purveyors of ransomware – malware that hijacks PCs until victims pay a ransom – levies a hefty fee for laundering funds from these scams, and it does so by abusing a legitimate Web site that allows betting on dog and horse races in the United States. KrebsOnSecurity, June 3, 2013

You’re Being Hacked: Cyberspies are everywhere. But who are they helping? Winding through corridors lined with poison-tipped umbrellas, pistols fashioned from lipstick tubes, and bulky button-hole cameras, visitors to Washington’s International Spy Museum will soon be confronted by a modern, quotidian tool of the trade: a small black laptop. According to the computer’s owner, it was employed over a three-year period to briefly knock WikiLeaks offline, disable almost 200 jihadist websites, and develop a handful of sophisticated hacking tools. The laptop, says International Spy Museum executive director Peter Earnest, will “provide historical context to the … world of espionage and the intelligence community, in this instance through the scope of cyberterrorism.” Newsweek, May 29, 2013

Cyber Research

Laws of Physics Say Quantum Cryptography Is Unhackable. It’s Not: In the never-ending arms race between secret-keepers and code-breakers, the laws of quantum mechanics seemed to have the potential to give secret-keepers the upper hand. A technique called quantum cryptography can, in principle, allow you to encrypt a message in such a way that it would never be read by anyone whose eyes it isn’t for. Wired, June 7, 2013

Cyber Misc

Robbing a Gas Station: The Hacker Way: Thieves of the future will look back on today’s stick-up artists and have a good old belly laugh. Why would anyone ever rob a cashier with a gun, when all that is needed is a smartphone? The New York Times, June 6, 2013

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community


The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.

Cyber Security News of the Week, June 9, 2013