Apple Mac OS X: Apple has released an update to Java for Mac OS X to fix at least 34 vulnerabilities, some of which are highly critical. Update to Java for Mac OS X 10.6 Update 16.
Google Chrome: Google has released version 27.0.1453.116 of Chrome to fix a vulnerability. Updates are available through the browser or Google’s website.
Oracle Java: Oracle has released Java SE 7 Update 25 to fix at least 40 vulnerabilities in Java. Download the update from the Java Console or the Java website.
VLC Media Player: VLC has released version 2.0.7 of its Media Player to fix moderately critical vulnerabilities reported in previous versions. Download the new version from VLC’s website.
Adobe Flash 11.7.700.225 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.03
Dropbox 2.0.25 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 21 [Windows]
Google Chrome 27.0.1453.116
Internet Explorer 10.0.9200.16521 [Windows 7: IE]
Internet Explorer 10.0.9200.16519 [Windows 8: IE]
Java SE 7 Update 25 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have particular web sites that require Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser – such as Chrome, IE9, Safari, etc – with Java enabled to browse only the sites that require it.]
QuickTime 7.7.4
Safari 5.1.7 [Windows]
Safari 6.0.5 [Mac OS X]
Skype 6.3.0.158
Newly Announced Unpatched Vulnerabilities
None
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.
For Your IT Department
Symantec Endpoint: Secunia reports a moderately critical vulnerability in Symantec’s Endpoint Protection Manager. Update to version 12.1 RU3.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community
The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.
Weekend Vulnerability and Patch Report, June 23, 2013
Facebook admits year-long data breach exposed six million users: (Reuters) – Facebook Inc has inadvertently exposed 6 million users’ phone numbers and email addresses to unauthorized viewers over the past year, the world’s largest social networking company disclosed late Friday. Reuters, June 22, 201
Newly disclosed papers give rules for NSA surveillance without a warrant: Classified documents newly made available to The Washington Post and the Guardian describe the National Security Agency’s procedures for protecting the privacy of U.S. citizens. Since Edward Snowden, a former NSA contractor, first leaked documents describing the agency’s surveillance program this month, it has become the subject of intense controversy here and abroad. The new disclosures did not mollify the agency’s critics. The Washington Post, June 21, 2013
Edward Snowden: the truth about US surveillance will emerge: The NSA whistleblower Edward Snowden has warned that the truth about the extent of surveillance carried out by US authorities would emerge, even if he was eventually silenced. The Guardian, June 17, 2013
Intel Leaker Edward Snowden Attacks NSA’s Distinction Between Americans And Foreigners: Debate over the National Security Agency’s spying powers has long focused on its potentially unconstitutional spying on Americans. But as NSA leaker Edward Snowden reveals more of his motives to the public, it now seems he’s equally critical of the NSA’s legal core mission: practically unlimited spying on foreigners. Forbes, June 17, 2013
Cyber Warning
COMMON WEB VULNERABILITIES PLAGUE TOP WORDPRESS PLUG-INS: Since late March, no fewer than a half-dozen high profile attacks have involved a compromised website built on the WordPress platform. Attackers abuse vulnerabilities in the content management system’s customizable plug-ins and themes to pull off anything from drive-by downloads to watering hole attacks. ThreatPost, June 20, 2013
Online Bank Fraud
Double Cashing With Mobile Banking: The case of a Kentucky man arrested this month for using mobile banking to steal thousands of dollars from a local supermarket chain highlights the security loopholes that thieves can exploit in mobile check deposit schemes being deployed by financial institutions across the country. KrebsOnSecurity, June 17, 2013
ACH Fraud Cases: Lessons for Banks: Former federal banking examiner Amy McHugh says banks can learn a lot from recent legal decisions and settlements in account takeover cases, including which authentication and online-banking security investments they should make. BankInfoSecurity, June 17, 2013
Cyber Security Management
Cyber crime: Is it on your radar?: The costs associated with cyber crime are rising. Annie Plaskett looks at the solutions available to business. Financial Director, June 17, 2013
How ME Bank moved information security from IT to the boardroom: A concerted effort to push information-security risk from the IT group across the business organisation has had “a dramatic effect” on the profile of IT security at ME Bank, according to information security manager Lachlan McGill. CSO, June 17, 2013
Cyber Security Management – Cyber Update
Critical Update Plugs 40 Security Holes in Java: Oracle today released a critical patch update for its Java software that fixes at least 40 security vulnerabilities in this widely deployed program and browser plugin. Updates are available for Java 7 on both Mac and Windows. KrebsOnSecurity, June 18, 2013
Cyber Security Management – Cyber Defense
Microsoft to Offer Standing Bug Bounty: Microsoft said today it will pay up to $100,000 to security researchers who find and report novel methods for bypassing the security built into the latest version of the company’s flagship operating system. Researchers who go the extra mile and can also demonstrate a way to block the new attack method they’ve reported can earn an extra $50,000. KrebsOnSecurity, June 19, 2013
Windows Security 101: EMET 4.0: Several years ago, Microsoft released the Enhanced Mitigation Experience Toolkit (EMET), a free tool that can help Windows users beef up the security of third-party applications. This week, Microsoft debuted EMET 4.0, which includes some important new security protections and compatibility fixes for this unobtrusive but effective security tool. KrebsOnSecurity, June 18, 2013
Cyber Security Management – HIPAA
Six legal tips for HIPAA omnibus compliance: The HIPAA omnibus rule will go into effect on Sept. 23, but law firms are already doling out HIPAA advice to covered entities. Eileen Elliott, a partner in the Burlington, VT-based law firm Dunkiel, Saunders, Elliott, Raubvogel & Hand, concentrates on healthcare law and provided six tips for healthcare providers as they prepare for potential HIPAA audits in 2014. Health IT Security, June 18, 2013
Sara Boyns: New definition of ‘breach’ under HIPAA: Q: I am a covered health care provider subject to the Health Insurance Portability and Accountability Act (HIPAA). I recently heard there is a new rule about when we have to report if an employee accesses a patient’s medical record in violation of HIPAA. I know that I am supposed to report breaches of my patient’s protected health information, but how am I supposed to determine whether a breach has occurred? Monterey Herald, May 30, 2013
National Cyber Security
U.S. charges Snowden with espionage: Federal prosecutors have filed a criminal complaint against Edward Snowden, the former National Security Agency contractor who leaked a trove of documents about top-secret surveillance programs, and the United States has asked Hong Kong to detain him on a provisional arrest warrant, according to U.S. officials. The Washington Post, June 21, 2013
MICROSOFT’S BUG BOUNTY PROGRAM AND THE LAW OF UNINTENDED CONSEQUENCES: The Microsoft bug bounty program has been nearly a decade in the making and it is clear from the shape and size of it that the company did not simply slap the program together in order to join the cool kids. Rather, Microsoft’s security team spent years watching the way other programs work, seeing what incentives attract good researchers and looking for a system that made sense for Microsoft’s specific goals. The result is a well thought-out reward system that likely will reward good research while making customers safer at the same time. But the program may also create some unintended consequences and ripples in the security world. ThreatPost, June 21, 2013
NSA Implementing ‘Two-Person’ Rule To Stop The Next Edward Snowden: The next Edward Snowden may need a partner on the inside. On Tuesday, National Security Agency Director Keith Alexander told a congressional hearing of the Intelligence Committee that the agency is implementing a “two-person” system to prevent future leaks of classified information like the one pulled off by 29-year-old Booz Allen contractor Edward Snowden, who exfiltrated “thousands” of files according to the Guardian, to whom he has given several of the secret documents. Forbes, June 18, 2013
Obama Defends Authorization of Surveillance Programs: WASHINGTON – President Obama defended his authorization of recently revealed domestic and international surveillance programs in comments broadcast Monday night but rejected the suggestion that his policies were basically a warmed-over version of those of the last White House. The New York Times, June 17, 2013
GCHQ intercepted foreign politicians’ communications at G20 summits: Foreign politicians and officials who took part in two G20 summit meetings in London in 2009 had their computers monitored and their phone calls intercepted on the instructions of their British government hosts, according to documents seen by the Guardian. Some delegates were tricked into using internet cafes which had been set up by British intelligence agencies to read their email traffic. The Guardian, June 17, 2013
Forget PRISM: Global Cyberchiefs Say They Need to Pry Even Further: The exposure of the PRISM data-collection program might not fall squarely under the heading of the third annual International Cyber Security Conference, which concluded on Wednesday at Tel Aviv University. The secret data-collection program, by which U.S. intelligence agencies routinely vacuum up huge amounts of private communications from Internet users, stands outside the realm of safeguarding the cyberworld from attacks. PRISM is defended as an antiterrorism measure, necessary to detect plots as they are hatched between evildoers communicating with one another online. Time, June 13, 2013
Critical Infrastructure
Energy secretary creates cybersecurity council: Energy Secretary Ernest Moniz said he has created a cybersecurity council to bring together various Energy Department branches, a move that underscores increasing political and policy focus on cyber threats. The Hill, June 12, 2013
Cyber Security News of the Week, June 23, 2013
Apple iTunes: Apple has released version 11.0.4 of iTunes for both Mac OS X and Windows 64. Update through the iTunes program or Apple’s iTunes website.
Apple Mac OS X: Apple has released an update to OS X to fix at least 33 vulnerabilities, some of which are highly critical. Update to version 10.8.4 or apply Security Update 2013-002.
Apple Safari for OS X: Apple has released version 6.0.5 of Safari for OS X to fix at least 26 vulnerabilities, some of which are highly critical. Download the update from Apple’s website. This update is for OS X only and doesn’t affect the Windows version.
Dropbox: Dropbox has released version 2.0.25. Download the update from within the program or Dropbox’s website.
Adobe Flash 11.7.700.202 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.03
Dropbox 2.0.25 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 21 [Windows]
Google Chrome 27.0.1453.110
Internet Explorer 10.0.9200.16521 [Windows 7: IE]
Internet Explorer 10.0.9200.16519 [Windows 8: IE]
Java SE 7 Update 21 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have particular web sites that require Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser – such as Chrome, IE9, Safari, etc – with Java enabled to browse only the sites that require it.]
QuickTime 7.7.4
Safari 5.1.7 [Windows]
Safari 6.0.5 [Mac OS X]
Skype 6.3.0.158
Newly Announced Unpatched Vulnerabilities
None
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.
For Your IT Department
Cisco WebEx Meetings Server: Secunia reports a vulnerability in Cisco’s WebEx Meetings Server in version 1.0. Other versions may also be affected. Apply the patch or contact the vendor for more information.
FileMaker Pro / Pro Advanced: Secunia reports two unpatched vulnerabilities in FileMaker Pro and FileMaker Pro Advanced in versions prior to 12. These vulnerabilities are reportedly fixed in version 12.
Weekend Vulnerability and Patch Report, June 9, 2013
PRISM: Here’s how the NSA wiretapped the Internet: The U.S. National Security Agency’s PRISM program is able to collect, in real time, intelligence not limited to social networks and email accounts. But the seven tech companies accused of opening ‘back doors’ to the spy agency could well be proven innocent. ZDNet, June 8, 2013
Obama Calls Surveillance Programs Legal and Limited: WASHINGTON – President Obama offered a robust defense of newly revealed surveillance programs on Friday as more classified secrets spilled into public, complicating a summit meeting with China’s new president focused partly on human rights and cybersecurity. The New York Times, June 7, 2013
U.S., British intelligence mining data from nine U.S. Internet companies in broad secret program: The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio and video chats, photographs, e-mails, documents, and connection logs that enable analysts to track foreign targets, according to a top-secret document obtained by The Washington Post. The Washington Post, June 6, 2013
Europe Continues Wrestling With Online Privacy Rules: BRUSSELS – More than a year ago, the European Union’s top justice official proposed a tough set of measures for protecting the privacy of personal data online. The New York Times, June 6, 2013
NSA’s Verizon Spying Order Specifically Targeted Americans, Not Foreigners: The National Security Agency has long justified its spying powers by arguing that its charter allows surveillance on those outside of the United States, while avoiding intrusions into the private communications of American citizens. But the latest revelation of the extent of the NSA’s surveillance shows that it has focused specifically on Americans, to the degree that its data collection has in at least one major spying incident explicitly excluded those outside the United States. Forbes, June 5, 2013
NSA collecting phone records of millions of Verizon customers daily: The National Security Agency is currently collecting the telephone records of millions of US customers of Verizon, one of America’s largest telecoms providers, under a top secret court order issued in April. The Guardian, June 5, 2013
Online Bank Fraud
FDIC: 2011 FIS Breach Worse Than Reported: A 2011 hacker break-in at banking industry behemoth Fidelity National Information Services (FIS) was far more extensive and serious than the company disclosed in public reports, banking regulators warned FIS customers last month. The disclosure highlights a shocking lack of basic security protections throughout one of the nation’s largest financial services providers. KrebsOnSecurity, June 4, 2013
Cyber Warning
Android super-malware discovered – Is Google’s platform in peril?: Android malware has long been a very real, but limited threat to devices. These malicious software packages have so far been poorly coded, easy to detect, and even easier to remove. But a newly detected Trojan targeting Google’s platform looks more like an advanced Windows virus than Android malware. It exploits multiple previously unknown vulnerabilities in the mobile OS, uses complex code obfuscation techniques, and blocks uninstall attempts. ExtremeTech, June 7, 2013
Android Antivirus Products a Big Flop, Researchers Say: Android smartphones and tablets are under attack, and the most popular tools developed to protect them are easily circumvented, according to new research from Northwestern University and the University of North Carolina. CIO, June 6, 2013
Cyber Security Management – Cyber Defense
Should companies be allowed to ‘hack back’?: Radio featuring Dr. Stahl. American businesses are at a loss as to what they could do to end cyber-espionage and intellectual property theft. One Internet security firm estimates that an organization is hit by malware every few minutes, and there’s very little companies can do to protect themselves or seek recourse. Air Talk with Larry Mantle. KPCC. Southern California Public Radio, June 4, 2013
How To Avoid The Virus On Facebook That Can Drain Your Bank Account: If you click on the wrong link on Facebook, a virus may find its way into your bank account and drain it of all your money. The New York Times’ Bits Blogs details how a 6-year-old virus called Zeus is all over Facebook right now. Here’s how to avoid it. Huffington Post, June 4, 2013
Some companies looking at retaliating against cyber attackers: Frustrated by their inability to stem an onslaught of computer hackers, some companies are considering adopting the standards of the Wild West to fight back against online bandits. LA Times, May 31, 2013
Cyber Security Management
Mobile Boom Turns BYOD Into Unmanaged Risk, Check Point Finds: The challenge of securing mobile technology is starting to overwhelm some IT departments, with many BYOD smartphones and tablets left in an unmanaged state despite the risk of data loss, a global survey by Check Point has found. CIO, June 7, 2013
CISOs Must Engage the Board About Information Security: With technology now at the center of nearly all business processes, information security is no longer simply an operational concern. It deserves a place on the board’s strategic agenda. And that means the CISO needs to step up in the boardroom. CIO, May 31, 2013
Securing the Village
Google Ups Bug Bounty Awards: Google has made its vulnerability reward program even more lucrative for security researchers who discover bugs in its software and services. DarkReading, June 7, 2013
President Obama to Press Chinese President on Cybersecurity, As NSA Surveillance Looms Large: SAN JOSE, Calif. – News that the U.S. government has been secretly monitoring Americans’ phone calls and internet activity is threatening to derail President Obama’s efforts to press Chinese President Xi Jinping on cybersecurity when the two leaders sit down for two days of talks in California later today. ABC News, June 7, 2013
Cyber Underworld
Vrublevsky Arrested for Witness Intimidation: Pavel Vrublevsky, the owner of Russian payments firm ChronoPay and the subject of an upcoming book by this author, was arrested today in Moscow for witness intimidation in his ongoing trial for allegedly hiring hackers to attack Assist, a top ChronoPay competitor. KrebsOnSecurity, June 5, 2013
Cashout Service for Ransomware Scammers: There are 1,001 ways to swindle people online, but the hardest part for crooks is converting those ill-gotten gains into cash. A new service catering to purveyors of ransomware – malware that hijacks PCs until victims pay a ransom – levies a hefty fee for laundering funds from these scams, and it does so by abusing a legitimate Web site that allows betting on dog and horse races in the United States. KrebsOnSecurity, June 3, 2013
You’re Being Hacked: Cyberspies are everywhere. But who are they helping? Winding through corridors lined with poison-tipped umbrellas, pistols fashioned from lipstick tubes, and bulky button-hole cameras, visitors to Washington’s International Spy Museum will soon be confronted by a modern, quotidian tool of the trade: a small black laptop. According to the computer’s owner, it was employed over a three-year period to briefly knock WikiLeaks offline, disable almost 200 jihadist websites, and develop a handful of sophisticated hacking tools. The laptop, says International Spy Museum executive director Peter Earnest, will “provide historical context to the … world of espionage and the intelligence community, in this instance through the scope of cyberterrorism.” Newsweek, May 29, 2013
Cyber Research
Laws of Physics Say Quantum Cryptography Is Unhackable. It’s Not: In the never-ending arms race between secret-keepers and code-breakers, the laws of quantum mechanics seemed to have the potential to give secret-keepers the upper hand. A technique called quantum cryptography can, in principle, allow you to encrypt a message in such a way that it would never be read by anyone whose eyes it isn’t for. Wired, June 7, 2013
Cyber Misc
Robbing a Gas Station: The Hacker Way: Thieves of the future will look back on today’s stick-up artists and have a good old belly laugh. Why would anyone ever rob a cashier with a gun, when all that is needed is a smartphone? The New York Times, June 6, 2013
Cyber Security News of the Week, June 9, 2013