The IT Blog



by Fred F. Farkel, Monday, July 29th, 2013

 

Guest column by Citadel Information Group

Weekend Vulnerability and Patch Report

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Important Security Updates

None

Current Software Versions

Adobe Flash 11.8.800.94 [Windows 7: IE9, Firefox, Mozilla, Netscape, Opera]

Adobe Flash 11.8.800.94 [Windows 8: IE]

Adobe Flash 11.8.800.94 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.03

Dropbox 2.0.25 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 22 [Windows]

Google Chrome 28.0.1500.71 [Windows 7] 

Google Chrome 28.0.1500.71 [Windows 8] 

Internet Explorer 10.0.9200.16521 [Windows 7: IE]

Internet Explorer 10.0.9200.16519 [Windows 8: IE]

Java SE 7 Update 25 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have particular web sites that require Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser – such as Chrome, IE9, Safari, etc – with Java enabled to browse only the sites that require it.]

QuickTime 7.7.4

Safari 5.1.7 [Windows]

Safari 6.0.5 [Mac OS X]

Skype 6.6.0.106
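The report asks readers to confirm their workstation is at the versions listed above. The following script is an added example (not Citadel's or The IT Summit's code) that compares an inventory of installed versions against the report's list and flags anything older. The report list is transcribed from the post; the installed-version inventory is constructed sample data standing in for what you would gather from Programs and Features or a package manager. Version strings are compared numerically component by component, which is what makes 11.8.800.94 correctly rank above 11.7.700.225 (a plain string comparison would not) and lets "7 Update 25" and "7u25" be read as the same Java release.

```python
"""Compare installed software versions against a patch report's list.

Added example, not the report author's code. REPORT_VERSIONS is transcribed
from the report above; INSTALLED is a constructed inventory for a hypothetical
workstation (the Flash and Chrome values are deliberately one release behind).
"""
import re

# Transcribed from the report's "Current Software Versions" list.
REPORT_VERSIONS = {
    "Adobe Flash": "11.8.800.94",
    "Adobe Reader": "11.0.03",
    "Dropbox": "2.0.25",
    "Firefox": "22",
    "Google Chrome": "28.0.1500.71",
    "Java SE": "7 Update 25",
    "QuickTime": "7.7.4",
    "Safari": "6.0.5",
    "Skype": "6.6.0.106",
}

# Constructed inventory: what is installed on a hypothetical Windows workstation.
# Safari is absent on purpose; products that are not installed are not outdated.
INSTALLED = {
    "Adobe Flash": "11.7.700.224",   # one release behind the report
    "Adobe Reader": "11.0.03",
    "Dropbox": "2.0.22",
    "Firefox": "22.0",               # same release, written with a trailing .0
    "Google Chrome": "28.0.1500.71",
    "Java SE": "7u21",               # vendor shorthand for "7 Update 21"
    "QuickTime": "7.7.4",
    "Skype": "6.3.0.105",
}


def parse_version(text):
    """Turn a version string into a tuple of integers for numeric comparison.

    Every non-digit run is treated as a separator, so "11.0.03", "7u25" and
    "7 Update 25" all parse. Trailing zeros are dropped so "22.0" equals "22".
    """
    nums = [int(p) for p in re.split(r"[^0-9]+", text.strip()) if p != ""]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def is_current(installed, required):
    """True when the installed version is at or above the report's version."""
    return parse_version(installed) >= parse_version(required)


def find_outdated(installed, report):
    """Return {product: (installed_version, required_version)} for every
    installed product that is older than the version the report lists."""
    outdated = {}
    for product, required in report.items():
        have = installed.get(product)
        if have is not None and not is_current(have, required):
            outdated[product] = (have, required)
    return outdated


if __name__ == "__main__":
    for product, (have, need) in sorted(find_outdated(INSTALLED, REPORT_VERSIONS).items()):
        print(f"UPDATE NEEDED: {product}: installed {have}, report lists {need}")
```

Replace the constructed INSTALLED dictionary with the versions from your own machine; the comparison logic is unchanged. Note that this only tells you whether you are behind the report's list, not whether a newer release has shipped since the report was written.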

Newly Announced Unpatched Vulnerabilities 

None

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: US-CERT reports that Cisco has released updates for multiple products, including Cisco’s ASA Software, Identity Services Engine, Aironet 3600 Series Access Point, Unified Operations Manager, and others. Apply appropriate updates.

McAfee Network Threat Behavior Analysis: McAfee has released an update for its Network Threat Behavior Analysis to fix a less critical vulnerability reported in versions 7.1 and 7.5. Update to a fixed version or apply workaround.

Symantec Encryption Management Server: Symantec has released an update for its Encryption Management Server to fix a less critical vulnerability in previous versions. Update to version 3.3.0 MP2.

Symantec Web Gateway: Symantec has released an update for its Web Gateway to fix at least 6 moderately critical vulnerabilities in previous versions. Update to version 5.1.1.

Symantec Workspace Virtualization: Secunia reports an unpatched vulnerability in Symantec’s Workspace Virtualization. No official solution is currently available.


If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.

 

Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community


The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.


by Fred F. Farkel, Monday, July 29th, 2013

 

Guest column by Citadel Information Group

Cyber Security News of the Week

Cyber Crime

Hacker Ring Stole 160 Million Credit Cards: U.S. federal authorities have indicted five men – four Russians and a Ukrainian – for allegedly perpetrating many of the biggest cybercrimes of the past decade, including the theft of more than 160 million credit card numbers from major U.S. retailers, banks and card processors. KrebsOnSecurity, July 25, 2013

Apple Confirms That Its Dev Center Has Been Breached By Hackers: After 3 days of silence as to why the iOS Developer Center has been down, Apple has just confirmed that they are investigating a security breach. TechCrunch, July 21, 2013

Cyber Privacy

Pinterest updating privacy policy soon; stresses ‘Do Not Track’ support: Pinterest has unveiled a number of new changes set to roll out in the coming weeks that could affect how users both discover and share traffic. ZDNet, July 26, 2013

Cyber Threat

What the $500 Billion Cybercrime Estimate Means for Enterprises: For enterprises, breaches have an ongoing cost that can take a long time to manifest as intellectual property continues to be stolen from the organization and is put into practice competitively in global markets. “When an attacker breaches your network his work has just begun,” said security analyst Tom Cross. July 26, 2013

Cyber Warning

Email ‘phishing’ attacks by hackers growing in number, intensity: Fake emails get harder to distinguish from real ones as hackers use ‘phishing’ attacks to access company and government data. LA Times, July 25, 2013

Toward A Greater Mobile Mal-Awareness: Several recent developments in mobile malware are conspiring to raise the threat level for Android users, making it easier for attackers to convert legitimate applications into malicious apps and to undermine the technology that security experts use to tell the difference. KrebsOnSecurity, July 24, 2013

SIM cards vulnerable to hacking, says researcher: IDG News Service – Millions of mobile phones may be vulnerable to spying due to the use of outdated, 1970s-era cryptography, according to new research due to be presented at the Black Hat security conference. ComputerWorld, July 22, 2013

UN warns on mobile cybersecurity bugs in bid to prevent attacks: BOSTON, July 21 (Reuters) – A United Nations group that advises nations on cybersecurity plans to send out an alert about significant vulnerabilities in mobile phone technology that could potentially enable hackers to remotely attack at least half a billion phones. Reuters, July 21, 2013

Cyber Security Management

Fact or Fiction: Your Smartphone and Tablet Are Vulnerable to Hackers: Personal computers have been subject to cyber attacks from the moment we began connecting them to the Internet. Nowadays, malicious software lurking in spam and on Web pages is kept at bay only through effort and expense. So why don’t we have the same security problem with our smartphones and tablets, which are essentially variations on the PC? Scientific American, July 22, 2013

CSIS Releases Study Linking Cybercrime To Job Loss: WASHINGTON, D.C., – July 22, 2013 – McAfee announced today that it has sponsored a first-of-its-kind report quantifying the economic impact of cybercrime. After years of guesswork and innumerable attempts to quantify the costly effects of cybercrime on the U.S. and world economies, McAfee engaged one of the world’s preeminent international policy institutions for defense and security, the Center for Strategic and International Studies (CSIS), to build an economic model and methodology to accurately estimate these losses, which can be extended worldwide. “Estimating the Cost of Cybercrime and Cyber Espionage” posits a $100 billion annual loss to the U.S. economy and as many as 508,000 U.S. jobs lost as a result of malicious cyber activity. DarkReading, July 22, 2013

Cyber Security Management – Cyber Update

http://www.darkreading.com/privacy/somebodys-watching-you-hacking-ip-video/240158990: Turns out those IP cameras used for physical security in businesses and homes can be easily hijacked by bad guys. DarkReading July 25, 2013

Cyber Security Management – Cyber Defense

MALWARE EVASION TECHNIQUES DISSECTED AT BLACK HAT: Malware ingenuity isn’t limited to its functionality or its ability to propagate. Sometimes malicious code has to have guile to survive. ThreatPost, July 26, 2013

Cyber Security Management – HIPAA

United States: Business Associate Agreements (“BAAs”) Under the New HIPAA/HITECH Omnibus Final Rule (“Final Rule”): Earlier this month, I attended the annual meeting of the American Health Lawyers Association in San Diego. This meeting was excellent from a networking perspective and the substantive information imparted during the various break-out sessions. A number of these sessions were devoted to or touched upon the Final Rule that was published on January 25, 2013, those terms that must now be included in BAAs under such Final Rule, and the effect of such Final Rule upon a business associate (“BA”) – someone the Final Rule defines as a person acting on behalf of a covered entity (“CE”) who (i) creates, receives, maintains or transmits protected health information (“PHI”); (ii) for a function or activity regulated by HIPAA; and (iii) provides certain identified services to such CE. Mondaq, July 21, 2013

Securing the Village

Security Vendors: Do No Harm, Heal Thyself: Security companies would do well to build their products around the physician’s code: “First, do no harm.” The corollary to that oath borrows from another medical mantra: “Security vendor, heal thyself. And don’t take forever to do it!” KrebsOnSecurity, July 26, 2013

Critical Infrastructure – Banking

Wall Street’s Exposure to Hacking Laid Bare: The indictment on Thursday of a long-running hacking ring is kindling fears that rogue programmers are going beyond theft and developing the capacity to wreak havoc on the broader financial system. The New York Times, July 25, 2013

Cyber Law

Wyndham Lawsuit Tests FTC’s Data Security Enforcement Authority: A federal court judge in New Jersey on Wednesday agreed to allow the U.S. Chamber of Commerce and several other organizations to seek the dismissal of a closely watched data breach lawsuit filed by the Federal Trade Commission against Wyndham Worldwide Corp. CIO, July 19, 2013

Cyber Underworld

Haunted by the Ghosts of ZeuS & DNSChanger: One of the challenges in malware research is separating the truly novel innovations in malcoding from new nasties that merely include nominal or superficial tweaks. This dynamic holds true for both malware researchers and purveyors, albeit for different reasons. Researchers wish to avoid being labeled alarmist in calling special attention to what appears to be an emerging threat that turns out to be old news; the bad guys just want to avoid getting scammed into paying for an old malware kit dressed up as the new next big thing. KrebsOnSecurity, July 25, 2013

Cyber Misc

Why Cybersecurity is One of the Best Investments You Can Make Right Now: For months now, we’ve been harping to our readers about why cybersecurity is one of the absolute best investments you can get involved with right now. MoneyMorning, July 22, 2013

U.K.-based researcher claims responsibility for Apple Developer Center problems: Claiming that he was only attempting to hunt for bugs – security researcher Ibrahim Baliç has said that he was likely the source of a security breach, which forced Apple to take down their Developer Center portal last week. CSO, July 22, 2013


The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.


by Fred F. Farkel, Monday, July 15th, 2013

 

Guest column by Citadel Information Group

Weekend Vulnerability and Patch Report

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Important Security Updates

Adobe Flash Player: Adobe has released version 11.8.800.94 to fix highly critical vulnerabilities in its Flash Player for the Windows, Mac, Linux and Android versions. Updates are available from Adobe’s website.

Adobe Shockwave Player: Adobe has released version 12.0.3.133 for its Shockwave Player to fix a highly critical vulnerability reportedly found in earlier versions. The update is available from Adobe’s website.

Google Chrome: Google has released version 28.0.1500.71 of Chrome to fix highly critical unpatched vulnerabilities. Updates are available through the browser or Google’s website.

Microsoft Patch Tuesday: Microsoft released several updates addressing at least 34 security vulnerabilities, some of which are highly critical, in Windows, Internet Explorer, Windows Flash Player and more. Updates are available via Windows Update or from Automatic Update.

Current Software Versions

Adobe Flash 11.8.800.94 [Windows 7: IE9, Firefox, Mozilla, Netscape, Opera]

Adobe Flash 11.8.800.94 [Windows 8: IE]

Adobe Flash 11.8.800.94 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.03

Dropbox 2.0.25 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 22 [Windows]

Google Chrome 28.0.1500.71 [Windows 7]

Google Chrome 28.0.1500.71 [Windows 8]

Internet Explorer 10.0.9200.16521 [Windows 7: IE]

Internet Explorer 10.0.9200.16519 [Windows 8: IE]

Java SE 7 Update 25 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have particular web sites that require Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser – such as Chrome, IE9, Safari, etc – with Java enabled to browse only the sites that require it.]

QuickTime 7.7.4

Safari 5.1.7 [Windows]

Safari 6.0.5 [Mac OS X]

Skype 6.6.0.106

Newly Announced Unpatched Vulnerabilities 

None

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Adobe ColdFusion: Adobe has released a hotfix to its ColdFusion to fix a highly critical vulnerability reportedly found in version 10 for Windows, Macintosh, and Linux. Apply hotfix. Adobe has also released updates to several versions of ColdFusion to fix highly critical vulnerabilities reported in versions 10, 9.0.2, 9.0.1 and 9.0 for Windows, Mac and UNIX. Specific steps for the updates are available from Adobe’s website.

Cisco: Cisco reports vulnerabilities in Unified Operations Manager versions 8.6 and prior, Unified Service Monitor versions 8.6 and prior, Content Security Management Appliance versions 8.1 and prior, Email Security Appliance versions 7.8 and prior and Web Security Appliance versions 7.7 and prior. No official solutions are currently available. See Cisco Advisories CSCuh47574, CSCuh95997, CSCuh70323, CSCuh26634, CSCuh70263.

McAfee Data Loss Prevention: McAfee has released an update for its Data Loss Prevention Manager to fix a vulnerability in previous versions. Update to version 9.2.2.


If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.

 

Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community


The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.


by Fred F. Farkel, Monday, July 15th, 2013

 

Guest column by Citadel Information Group

Cyber Security News of the Week

Cyber-Crime

Nintendo’s Fan Site Hit By Illicit Logins, 24,000 Accounts Accessed: IDG News Service (Tokyo Bureau) – Nintendo said a main fan site was hit by a wave of illicit login attempts in Japan over the last month, with attackers gaining access to nearly 24,000 accounts containing users’ real names, addresses, phone numbers and email information. CIO, July 8, 2013

Morningstar warns clients of data breach: Morningstar Inc. says personal information of about 2,300 users of its Morningstar Document Research service may have been compromised by a security breach last year. ChicagoTribune, July 5, 2013

Cyber Warning

CRYPTOCAT ENCRYPTED CHAT VULNERABLE TO SIMPLE BRUTE FORCE DECRYPTION: Cryptocat, an open source encrypted Web-based chat application, is taking heat from numerous places after a vulnerability was discovered that put chats at risk for relatively simple decryption, experts say. ThreatPost, July 8, 2013

Cyber Underworld

Styx Exploit Pack: Domo Arigato, PC Roboto: Not long ago, miscreants who wanted to buy an exploit kit – automated software that helps booby-trap hacked sites to deploy malicious code – had to be fairly well-connected, or at least have access to semi-private underground forums. These days, some exploit kit makers are brazenly advertising and offering their services out in the open, marketing their wares as browser vulnerability “stress-test platforms.” KrebsOnSecurity, July 8, 2013

Cyber Security Management

5 Security Bolstering Strategies That Won’t Break the Bank: CSO – Today’s security threats span a broad spectrum of social engineering schemes, international hackers, and insider threats like the recent NSA breach. It’s easy to get overwhelmed by all of the potential threats and where money should be spent to keep up, let alone stay ahead of the curve. CIO, July 8, 2013

Workers Don’t Trust Employers with Personal Data: Survey: A new report from Aruba Networks has outlined a clear disparity between what employees want and what the IT department needs, particularly when it comes to the blending of personal and work-related information. Security Week, July 8, 2013

Cyber Security Management – Cyber Update

Adobe, Microsoft Release Critical Updates: Patch Tuesday is upon us once again. Adobe today pushed out security fixes for its Flash and Shockwave media players. Separately, Microsoft released seven patch bundles addressing at least 34 vulnerabilities in Microsoft Windows and other software. At least one of the Windows flaws is already being exploited in active attacks. KrebsOnSecurity, July 9, 2013

Securing the Village

NIST seeks input on cybersecurity framework: Starting tomorrow, July 10th, in San Diego, the National Institute of Standards and Technology (NIST) will host the third, and perhaps most important, in a series of workshops aimed at developing a voluntary comprehensive cybersecurity framework that will apply across sixteen critical infrastructure sectors. CSO, July 9, 2013

Record Number of Executives Attend ISSA-LA Information Security Summit on Cybercrime: A diverse group of nearly 800 leading cybercrime experts, information security professionals, and C-suite business executives recently attended the most successful ISSA-LA Cybercrime Summit. PRLog, July 6, 2013

Securing the Village – Online Bank Fraud

Banks’ Commercial Customers Face Online Risks: Written by Dr. Stahl. An L.A. accounting firm recently discovered cybercriminals had fraudulently transferred $150,000 from its bank account … The article describes how ISSA-LA and several forward-looking banks – including City National Bank, American Business Bank, BBCN and California United Bank – are working together to combat online bank fraud. Los Angeles Business Journal, July 7, 2013

Critical Infrastructure

EXPOSED ROOT SSH KEY WAS SHIPPING WITH EMERGENCY ALERT SYSTEM DEVICES: UPDATE – Firmware images for the application servers that distribute messages for the Emergency Alert System in the United States were shipping with a private root SSH key that has been disclosed. Hackers who have this key can access one of these servers and interrupt or manipulate an EAS message. ThreatPost, July 8, 2013

FAA CALLED OUT FOR LAX INFORMATION SECURITY CONTROLS: The Federal Aviation Administration’s (FAA) Civil Aviation Registry lacks proper security controls to prevent unauthorized access to its systems, according to a report based on a recent audit undertaken by the Office of the Inspector General (OIG) for the United States Department of Transportation (DoT). ThreatPost, July 8, 2013

Cyber Law

Senate Commerce panel unveils cybersecurity bill: The Senate Commerce, Science and Transportation Committee announced a draft bill on Thursday aimed at improving the nation’s defenses against hackers. The Hill, July 11, 2013

Cyber Misc

DEF CON To Feds: We Need Some Time Apart: One of the more time-honored traditions at DEF CON – the massive hacker convention held each year in Las Vegas – is “Spot-the-Fed,” a playful and mostly harmless contest to out undercover government agents who attend the show. KrebsOnSecurity, July 10, 2013


The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.


by Fred F. Farkel, Monday, July 8th, 2013

 

Guest column by Citadel Information Group

Weekend Vulnerability and Patch Report

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Important Security Updates

Apple Mac OS X: Apple has released a security update for Mac OS X to fix at least 3 highly critical vulnerabilities due to a bundled version of QuickTime. Apply Security Update 2013-003. Updates are available from Apple’s website.

Foxit Reader: Foxit has released 6.0.5.0618. Updates are available from Foxit’s website.

Skype: Skype has released 6.6.0.106. Updates are available from Skype’s website.

Current Software Versions

Adobe Flash 11.7.700.224 [Windows 7: IE9, Firefox, Mozilla, Netscape, Opera]

Adobe Flash 11.7.700.224 [Windows 8: IE]

Adobe Flash 11.7.700.225 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.03

Dropbox 2.0.25 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 22 [Windows]

Google Chrome 27.0.1453.116 [Windows 7] 

Google Chrome 28.0.1500.71 [Windows 8] 

Internet Explorer 10.0.9200.16521 [Windows 7: IE]

Internet Explorer 10.0.9200.16519 [Windows 8: IE]

Java SE 7 Update 25 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have particular web sites that require Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser – such as Chrome, IE9, Safari, etc – with Java enabled to browse only the sites that require it.]

QuickTime 7.7.4

Safari 5.1.7 [Windows]

Safari 6.0.5 [Mac OS X]

Skype 6.6.0.106

Newly Announced Unpatched Vulnerabilities 

None

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

HP Multiple Products: HP has released updates for at least 50 of its products, including switches, routers, firewalls, to fix two highly critical vulnerabilities. Update to a fixed version.

Symantec Security Information Manager: Symantec has released version 4.8.1 to fix at least 3 vulnerabilities reported in previous versions.


If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.

 

Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community


The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.


by Fred F. Farkel, Monday, July 8th, 2013

 

Guest column by Citadel Information Group

Cyber Security News of the Week

ISSA-LA

Summit 5 Videos now on-line at ISSA-LA’s YouTube Channel: ISSA4LA. Howard Schmidt Keynote with Sandra Lambert. Ira Winkler Lunch Keynote. Aaron Turner Closing Keynote. Executive Forum with Bill Lewis, James Aquilina, Michael Gold and Stan Stahl. Law Enforcement Panel. Healthcare Panel. BYOD Panel. CISO Panel.  Web Application Defense.

Cyber Crime

Ubisoft Database Hack Exposes Email Addresses, Passwords: Ubisoft today revealed that a hack of its systems exposed user names, email addresses, and encrypted passwords, but not financial data. PC Magazine, July 2, 2013

Cyber Threat

What’s It Take To Trust A Digitally Signed Program?: The Opera Software breach that came to light last week after attackers compromised Opera’s network in order to steal an expired certificate and use it to sign malware for distribution dredges up some serious concerns from security professionals about the amount of trust that organizations put into legitimately signed programs. Dark Reading, July 3, 2013

Cyber Warning

IPMI Protocol, BMC Vulnerabilities Expose Thousands of Servers to Attack: Baseboard management controllers, embedded computers present in most servers, are vulnerable to a half dozen critical vulnerabilities that could enable an attacker to gain remote control over the host machine. ThreatPost, July 3, 2013

Android Vulnerability Enables Malicious Updates to Bypass Digital Signatures: A vulnerability exists in the Android code base that would allow a hacker to modify a legitimate, digitally signed Android application package file (APK) and not break the app’s cryptographic signature, an action that would normally set off a red flag that something is amiss. ThreatPost, July 3, 2013

FBI Warns of Spear-Phishing Attacks: Spear-phishing attacks are up, and they are targeting individuals across all industries, according to a new warning issued by the U.S. Federal Bureau of Investigation. BankInfoSecurity, July 2, 2013

Cyber Privacy

National Intelligence Director Clapper Apologizes For ‘Clearly Erroneous’ Congressional Testimony On NSA Surveillance: Whistleblower Edward Snowden isn’t the only one looking for a safe haven since he began leaking a series of top secret documents on the National Security Agency’s surveillance practices. So has Director of National Intelligence James Clapper, whose statements to Congress earlier this year on NSA methods were exposed by Snowden’s leaks as being highly misleading. And as many call for Clapper’s resignation, he’s finally issued a public apology. Forbes, July 2, 2013

What the N.S.A. Knows About You: It’s difficult to have an informed opinion about the National Security Agency’s collection of “metadata” without understanding what “metadata” is, not that that’s stopped anyone. The name suggests that it’s data about data, and the Obama administration has gone to some lengths to reassure Americans that “metadata” is definitely not “content,” which unlike your “metadata” presumably enjoys Fourth Amendment protections. But Glenn Greenwald, among others, has said that’s a distinction without a difference: “In reality, it is hard to distinguish email metadata from email content.” The New York Times, July 2, 2013

Cyber Underworld

The Cost of Online Banking Fraud … for the Perpetrator: A report from McAfee called “Cybercrime Exposed” provides insight into what it costs to operate cyber fraud. American Banker, July 3, 2013

Current cybercrime market is all about Cybercrime-as-a-Service: The cybercrime market is constantly evolving, and it is currently full of knowledgeable individuals who have focused on their core competencies to offer services to those who have not the skills, patience or time to make what they want or need for their criminal exploits. HelpNetSecurity, July 2, 2013

Exploiting the Twitter Underground for Fun and Profit: The underground economy on Twitter is still flourishing, and it appears to be a buyer’s market for followers right now, with new research showing that the price for 1,000 followers has dropped nearly 50 percent in the last few months. ThreatPost, July 1, 2013

Criminals sell access to rooted servers via online shop: Researchers have discovered an online store where criminals sell access to hacked servers, another cautionary example of miscreants’ commercialization of stolen data. SC Magazine, June 27, 2013

Cyber Security Management

Doing More Than Paying Risk Management Lip Service: While the majority of CISOs may profess a commitment to managing security based on risk management principles, the truth about how they execute on those principles may be a lot more imperfect. The unfortunate reality, say experts, is that many organizations simply pay risk management lip service, but aren’t really making security decisions based on risk management metrics. DarkReading, July 5, 2013

California to Focus on Unencrypted Data in Breach Investigations: Data breaches affected more than 2.5 million California residents last year, and the state’s attorney general said that the information belonging to more than half of those victims would have been unaffected had the data been encrypted by the companies storing it. In an effort to remedy this situation, Attorney General Kamala Harris is planning to take a close look at data breaches that involve unencrypted data, making them an enforcement priority. ThreatPost, July 3, 2013

Things CEOs Hate To Pay For and How They Can Help You Make Your Case for Security: As a CEO, I hate spending money on things that don’t help grow my business or improve the products and services we bring to market. While I know there are necessary evils in business that require funding, the thought of spending money on things that are only used in a worst-case scenario are not attractive options to me when it comes to the allocation of limited and important resources. Having spent the majority of my career in the cyber security business, I am well aware that many of my CEO brethren lump security spending into the same bucket as other less desirable expenditures and believe me, I get it. Security Week, July 2, 2013

Cyber Security Management – Cyber Defense

Surrendering The Endpoint: What if you had to design all of your security and monitoring around the fact that it’s not your endpoint any more, and it will never be your endpoint again? Dark Reading, June 28, 2013

Risks of Default Passwords on the Internet: Any system using password authentication accessible from the internet may be affected. Critical infrastructure and other important embedded systems, appliances, and devices are of particular concern. US CERT, June 24, 2013

Cyber Security Management – HIPAA

The Brave New World of HIPAA Breaches: Omnibus Rule Changes the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and Health Information Technology for Economic and Clinical Health Act (“HITECH”) Landscape: Now, more than ever, the health care industry must work diligently to protect privacy and security of health information. The scope of regulation has expanded, the enforcement authority and resources of the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) has grown, and the financial penalties have increased. According to a recent Advisory Board survey, general counsel and compliance professionals indicated that compliance with HIPAA was an area where they had the greatest need for legal guidance or support. National Law Review, July 1, 2013

National Cyber Security

China Plans First Talks With U.S. Under Cybersecurity Dialogue: China and the U.S. will hold the first meeting of a cybersecurity working group set up following accusations that the Chinese government is responsible for hacking attacks against American companies. Bloomberg, July 5, 2013

Résumé Shows Snowden Honed Hacking Skills: In 2010, while working for a National Security Agency contractor, Edward J. Snowden learned to be a hacker. The New York Times, July 4, 2013

Europeans Voice Anger Over Reports of Spying by U.S. on Its Allies: LONDON – European officials and politicians reacted angrily on Sunday to reports that the United States has been spying on its European Union allies, saying the claims could threaten impending talks with Washington on an important trade agreement. The New York Times, June 30, 2013

Critical Infrastructure

Critical infrastructure protection: Are we prepared for a massive cyberattack on U.S. systems?: One expert says the financial system deserves more attention, but others say if the power grid goes down, so does everything else. Is there a cyber 9/11 in our future? If so, what is the plan for defense? CSO, July 1, 2013

Cyber Law

EU increases penalties for cybercriminals and hackers: Looking to deter cyberattacks on national infrastructure and halt the illegal interception of communications, the European Union toughens its laws. Cnet, July 4, 2013

Cyber Career

Back from ISSA-LA’s 5th Annual (totally outstanding) Cyber Security Summit: You haven’t seen a Security Recruiter Blog in a few days because I’ve been really busy from early in the morning to late at night for several days. I was invited back to ISSA-LA where I first spoke in September of 2011 to deliver a career development workshop along with a presentation in which I facilitated a very interesting discussion between the members of the Los Angeles CISO forum. SecurityRecruiter, May 23, 2013

Cyber Research

Machine-Learning Project Sifts Through Big Security Data: As an information-security consultant, Alexandre Pinto spent 12 years helping companies set up difficult-to-configure systems to cull security intelligence from logs and security events. DarkReading, June 28, 2013

Cyber Misc

Here’s What It Looks Like When Two Hacker FBI Informants Try To Inform On Each Other: The FBI has so many moles in the hacktivist community, it seems, that at times they’ve even ended up unwittingly doing their best to get each other arrested. Forbes, June 28, 2013


The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.

Cyber Security News of the Week, July 7, 2013

by Fred F. Farkel, Friday, July 5th, 2013


ITB Consulting is a full-service Deltek Premier Partner licensed by Deltek to sell and service both GCS Premier for the government contracting world, and Vision for the project-based commercial market.

ITB Consulting specializes in fully integrated financial and business software support and consulting. We provide the full spectrum of services, from needs analysis, through product selection and implementation, to staff training and ongoing support. We can customize your new system to meet any specific needs you may have, and then link it to existing applications. We also provide IT management consulting to include equipment selection and Web/server management. We can arrange appropriate hosting services as required. In short, we will assist you in overseeing the entire conversion process to a new and more efficient business/financial software system. www.itbconsultinginc.com.

Exhibitor Spotlight: ITB Consulting