The IT Blog



by Fred F. Farkel, Monday, December 23rd, 2013

 

Guest column by Citadel Information Group

Weekend Vulnerability and Patch Report

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Important Security Updates

Apple Motion: Apple has released version 5.1 to fix a highly critical vulnerability reported in previous versions. Updates are available through the program or from Apple’s website.

Apple OS X: Apple has released version 10.9.1 to fix at least 10 highly critical vulnerabilities reported in a previous bundled version of Apple Safari. Updates are available through the Mac App Store icon or from Apple’s website.

Apple Safari: Apple has released updates to Safari to fix at least 8 highly critical vulnerabilities reported in versions prior to 6.1.1 and 7.0.1. Updates are available through the program or from Apple’s website.

Dropbox: Dropbox has released updates for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]

Google Picasa: Google has released updates to Picasa to fix at least 4 highly critical vulnerabilities in version 3.9.0 Build 136.20 running on Windows and in versions prior to 3.9.0 Build 137.69 running on Mac. Prior versions may also be affected. Update to version 3.9.0 Build 137.74 or later. Updates are available at the Picasa website.

Opera: Opera has released version 18.0.1284.68 to update its browser. Updates are available from within the browser or from Opera’s website.

Current Software Versions

Adobe Flash 11.9.900.170 [Windows 7: IE9, Firefox, Mozilla, Netscape, Opera]

Adobe Flash 11.9.900.170 [Windows 8: IE]

Adobe Flash 11.9.900.170 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.05

Dropbox 2.4.10 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 26 [Windows]

Google Chrome 31.0.1650.63

Internet Explorer 11.0.9600.16428 [Windows 7: IE]

Internet Explorer 11.0.9600.16384 [Windows 8: IE]

Java SE 7 Update 45 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser – such as Chrome, IE9, Safari, etc – with Java enabled to browse only the sites that require it.]

QuickTime 7.7.4

Safari 5.1.7 [Windows]

Safari 7.0.1 [Mac OS X]

Skype 6.11.0.102
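The version list above is easiest to act on when it is compared mechanically against what a workstation actually has installed. The following script is an added example, not Citadel’s or the blog’s own tooling: it encodes the report’s baseline versions (including the Picasa build named in the update notice), normalises the report’s three version spellings (plain dotted numbers, Java’s “7 Update 45”, Picasa’s “3.9.0 Build 137.74”) and flags anything behind the baseline. It assumes the inventory values use the same spelling the report uses; the sample inventory is constructed.

```python
import re
from typing import Dict, List, Tuple

# Baseline taken from the report's "Current Software Versions" list and the
# Picasa update notice (constructed dictionary for this example; the per-platform
# notes are dropped because every Flash entry carries the same version).
CURRENT_VERSIONS: Dict[str, str] = {
    "Adobe Flash": "11.9.900.170",
    "Adobe Reader": "11.0.05",
    "Dropbox": "2.4.10",
    "Firefox": "26",
    "Google Chrome": "31.0.1650.63",
    "Internet Explorer": "11.0.9600.16428",
    "Java SE": "7 Update 45",
    "QuickTime": "7.7.4",
    "Safari": "7.0.1",
    "Skype": "6.11.0.102",
    "Google Picasa": "3.9.0 Build 137.74",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Reduce a vendor version string to a tuple of integers.

    Words such as "Update" and "Build" act as separators, so
    "7 Update 45" becomes (7, 45) and "3.9.0 Build 137.74" becomes
    (3, 9, 0, 137, 74). Leading zeros ("11.0.05") compare numerically.
    """
    return tuple(int(n) for n in re.findall(r"\d+", text))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b.

    Shorter tuples are padded with zeros so "26" and "26.0" compare equal.
    """
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_current(product: str, installed: str) -> bool:
    """True when the installed version is at or above the report's baseline."""
    return compare_versions(installed, CURRENT_VERSIONS[product]) >= 0


def outdated(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (product, installed, required) for every entry behind the baseline.

    Products the report does not track are skipped rather than flagged, because
    the report states that it is not a complete list of software.
    """
    behind = []
    for product, installed in inventory.items():
        if product in CURRENT_VERSIONS and not is_current(product, installed):
            behind.append((product, installed, CURRENT_VERSIONS[product]))
    return behind


if __name__ == "__main__":
    # Constructed sample inventory for one workstation (hypothetical values).
    sample = {
        "Adobe Flash": "11.9.900.152",          # last report's build: behind
        "Java SE": "7 Update 45",               # matches the baseline
        "Google Picasa": "3.9.0 Build 137.69",  # the build the notice warns about
        "Firefox": "26.0",                      # equal to "26" after padding
        "Notepad++": "6.5",                     # not tracked by the report
    }
    for product, have, need in outdated(sample):
        print(f"{product}: installed {have}, report lists {need}")
```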

Newly Announced Unpatched Vulnerabilities

None

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department 

Cisco EPC3925: Secunia reports an unpatched vulnerability in Cisco EPC3925. Reportedly a fix is in progress. Please contact the vendor for more information.

Cisco Prime Collaboration Assurance: Secunia reports an unpatched vulnerability in Cisco Prime Collaboration Assurance. No official solution is currently available.


If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.

 

Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community


The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.

Weekend Vulnerability and Patch Report, December 22, 2013

by Fred F. Farkel, Monday, December 23rd, 2013

 

Guest column by Citadel Information Group

Cyber Crime

Cards Stolen in Target Breach Flood Underground Markets: Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card, KrebsOnSecurity has learned. KrebsOnSecurity, December 20, 2013

Prosecutor Says Kate Middleton’s Phone Was Hacked: LONDON – A prosecutor in a high-profile trial on Thursday accused Rupert Murdoch’s News of the World tabloid of hacking into the voice mail of the Duchess of Cambridge when she was known as Kate Middleton, before her marriage to Prince William, second in line to the throne. The New York Times, December 19, 2013

Washington Post Servers Infiltrated, Employee Credentials Stolen: The Washington Post late today reported that its servers were hacked and employee usernames and passwords were compromised in the attack, which was detected by a contractor that monitors the news organization’s network. DarkReading, December 18, 2013

L.A. Gay & Lesbian Center Information Systems Compromised By Cyberthieves: LOS ANGELES, Dec. 10, 2013 /PRNewswire-USNewswire/ – The L.A. Gay & Lesbian Center was recently the victim of a sophisticated cyberattack that, according to data security and technology experts, was designed to collect credit card, Social Security numbers and other financial information, although there is no evidence that anyone’s information was actually accessed or acquired. Dark Reading, December 10, 2013

Cyber Privacy

N.S.A. Dragnet Included Allies, Aid Groups and Business Elite: Secret documents reveal more than 1,000 targets of American and British surveillance in recent years, including the office of an Israeli prime minister, heads of international aid organizations, foreign energy companies and a European Union official involved in antitrust battles with American technology businesses. The New York Times, December 20, 2013

$10m NSA contract with security firm RSA led to encryption ‘back door’: As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the National Security Agency arranged a secret $10m contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned. The Guardian, December 20, 2013

Obama Is Urged to Sharply Curb N.S.A. Data Mining: WASHINGTON – A panel of outside advisers urged President Obama on Wednesday to impose major oversight and some restrictions on the National Security Agency, arguing that in the past dozen years its powers had been enhanced at the expense of personal privacy. The New York Times, December 18, 2013

Revelations That Ikea Spied on Its Employees Stir Outrage in France: PARIS – Virginie Paulin’s voice still trembles when she recounts how she was fired from what she considered her dream job at Ikea in France. The New York Times, December 15, 2013

NSA Can ‘Easily’ Break Cellphone Encryption, Report Says: The U.S. National Security Agency (NSA) has the technical capacity to crack the most commonly-used cellphone encryption technology, and in doing so it can decode and access the content of calls and text messages, according to a Washington Post report published Friday. Mashable, December 13, 2013

Help Bring Privacy Laws Into 21st Century: Lost in the ongoing media firestorm over the National Security Agency’s domestic surveillance activities is the discussion about concrete steps to bring the nation’s communications privacy laws into the 21st Century. Under current laws that were drafted before the advent of the commercial Internet, federal and local authorities can gain access to mobile phone and many email records without a court-issued warrant. In this post, I’ll explain what federal lawmakers and readers can do to help change the status quo. KrebsOnSecurity, December 11, 2013

Tech Giants Issue Call for Limits on Government Surveillance of Users: Eight prominent technology companies, bruised by revelations of government spying on their customers’ data and scrambling to repair the damage to their reputations, are mounting a public campaign to urge President Obama and Congress to set new limits on government surveillance. The New York Times, December 9, 2013

Identity Theft

Chase to Limit Use of Debit Cards From Target Breach: JPMorgan Chase on Saturday notified customers who used debit cards at Target stores during the recent security breach that it was limiting use of the cards to cash withdrawals of $100 a day and purchases totaling $300 a day. The New York Times, December 21, 2013

Financial Fraud

“But I don’t bank online!”: You might think that someone who doesn’t choose to have online access to his or her bank account would be safe from online banking fraud. ABA Banking, December 13, 2013

Cyber Warning

Botnet Enlists Firefox Users to Hack Web Sites: An unusual botnet that has ensnared more than 12,500 systems disguises itself as a legitimate add-on for Mozilla Firefox and forces infected PCs to scour Web sites for security vulnerabilities, an investigation by KrebsOnSecurity has discovered. KrebsOnSecurity, December 16, 2013

Securing the Village – ISSA-LA

Richard Greenberg, CISSP, Named ISSA Fellow: The Los Angeles Chapter of the Information Security Association (ISSA-LA) announced that Richard Greenberg has been named a Fellow by the Information Systems Security Association (ISSA). ISSA is the community of choice for international cybersecurity professionals dedicated to advancing individual growth, managing technology risk, and protecting critical information and infrastructure. PR Log, December 18, 2013

National Cyber Security

Officials Say U.S. May Never Know Extent of Snowden’s Leaks: WASHINGTON – American intelligence and law enforcement investigators have concluded that they may never know the entirety of what the former National Security Agency contractor Edward J. Snowden extracted from classified government computers before leaving the United States, according to senior government officials. The New York Times, December 14, 2013



Cyber Security News of the Week, December 22, 2013

by Fred F. Farkel, Monday, December 9th, 2013

 

Guest column by Citadel Information Group

Weekend Vulnerability and Patch Report

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Cyber Alert – Password Theft Discovered – Time to Change

As we reported in this week’s Cyber Security News, Trustwave’s SpiderLabs recently discovered a botnet server with about 2 million stolen Internet passwords. Stolen passwords included those for Facebook, Google, Twitter, Yahoo, LinkedIn and payroll provider ADP.
 
Prudence dictates users should change their passwords on these sites. This is particularly true for companies using ADP.
 
For guidance in creating strong passwords, see our blog post Three Rules for Password Sanity.  
 
Important Security Updates

Apple Remote Desktop: Apple released updates to its Remote Desktop Client, Admin and Dashboard Widget. Updates are available on Apple’s website.
 
Google Chrome: Google released version 31.0.1650.63 of Chrome to fix at least 7 highly critical vulnerabilities. Updates are available through the browser.
 
Current Software Versions
Adobe Flash 11.9.900.152 [Windows 7: IE9, Firefox, Mozilla, Netscape, Opera]
Adobe Flash 11.9.900.152 [Windows 8: IE]
Adobe Flash 11.9.900.152 [Macintosh OS X: Firefox, Opera, Safari]
 
Adobe Reader 11.0.05
 
Dropbox 2.4.7 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
 
Firefox 25.0.1 [Windows]
 
Google Chrome 31.0.1650.63
 
Internet Explorer 11.0.9600.16428 [Windows 7: IE]
Internet Explorer 11.0.9600.16384 [Windows 8: IE]
 
Java SE 7 Update 45 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser – such as Chrome, IE9, Safari, etc – with Java enabled to browse only the sites that require it.]
 
QuickTime 7.7.4
 
Safari 5.1.7 [Windows]
Safari 6.1 [Mac OS X]
 
Skype 6.11.0.102

Newly Announced Unpatched Vulnerabilities

None
   
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports that Cisco has released many updates for multiple products, including Cisco Access Control System, IOS XR, IOS XE, Prime Network Registrar and others. Update to 7.1 SP1 and apply Hotfix 134235.  
 
IBM i / OS/400: Secunia reports that IBM has released updates to fix at least 40 vulnerabilities, some highly critical, in a bundled version of IBM Java reported in version V6R1M0. Apply PTF SI51086 or SI51087.
 
Microsoft Windows Server 2008: Secunia reports an unpatched vulnerability in a fully-patched Microsoft Windows Server 2008. Other versions may also be affected. No official solution is currently available.  
 
Novell Open Enterprise: Secunia reports that Novell has released updates to fix a vulnerability in its Open Enterprise Server. Fixed in rpm novell-nrm-2.0.2-297.305.302.3 included in the OES-May-13 channel updates.
 
SonicWALL Multiple Products: Secunia reports that SonicWALL has released updates for multiple products to fix a guest privilege escalation vulnerability in ESX Server, ESXi, Fusion, Workstation, and Player. Apply appropriate updates.  
 
VMware ESX Server: Secunia reports that VMware has released a partial fix for ESX Server Service Console to fix two vulnerabilities reported in version 4.0 and 4.1. Apply patch if available.  
 
VMware Multiple Products: Secunia reports that VMware has released updates for multiple products to fix a guest privilege escalation vulnerability. Apply appropriate updates.



Weekend Vulnerability and Patch Report, December 8, 2013

by Fred F. Farkel, Monday, December 9th, 2013

 

Guest column by Citadel Information Group

Cyber Crime

Thieves Covering Tracks Following $100M Bitcoin Heist: As if Bitcoin malware and Bitcoin mining malware weren’t enough to worry about, there was more trouble for the users of the digital crypto-currency last week as 96,000 Bitcoins disappeared from the Sheep Marketplace. ThreatPost, December 3, 2013

Cyber Privacy

How the NSA is tracking people right now: Documents obtained by The Washington Post indicate that the National Security Agency is collecting billions of records a day to track the location of mobile phone users around the world. This bulk collection, performed under the NSA’s international surveillance authority, taps into the telephony links of major telecommunications providers including some here in the United States. The Washington Post, December 5, 2013

Microsoft to encrypt services, notify users of gov’t data requests: Microsoft moved to reassure business and government customers worldwide that it is committed to informing them of legal orders related to their data, and will fight in court any ‘gag order’ that prevents it from sharing such information with customers. ComputerWorld, December 5, 2013

Identity Theft

How To Keep The Grinch From Stealing Your Identity: With Cyber Monday sales up 20.6% from 2012 according to the IBM Digital Analytics Benchmark, it’s clear that more shoppers will be spending online than ever before. That means more will also become victims to identity theft. While there are no guarantees, there are some smart, and not too burdensome, steps you can take to protect yourself from the identity thieves both online and off. Forbes, December 3, 2013

Cyber Warning

Simple But Effective Point-of-Sale Skimmer: Point-of-sale (POS) skimmers – fraud devices made to siphon bank card and PIN data at the cash register – have grown in sophistication over the years: A few months back, this blog spotlighted a professionally made point-of-sale skimmer that involved some serious hacking inside the device. Today’s post examines a comparatively simple but effective POS skimmer that is little more than a false panel which sits atop the PIN pad and above the area where customers swipe their cards. KrebsOnSecurity, December 3, 2013

Cyber Security Management

How to create security awareness with incentives: Gamification is an alternative to pushing employees to improve security awareness. Ira Winkler and Samantha Manke offer tips for making incentives work for your program. CSO, December 2, 2013

Cyber Security Management – Cyber Update

Important Security Update for D-Link Routers: D-Link has released an important security update for some of its older Internet routers. The patch closes a backdoor in the devices that could let attackers seize remote control over vulnerable routers. KrebsOnSecurity, December 2, 2013

Cyber Security Management – Cyber Defense

How Many Zero-Days Hit You Today?: On any given day, nation-states and criminal hackers have access to an entire arsenal of zero-day vulnerabilities – undocumented and unpatched software flaws that can be used to silently slip past most organizations’ digital defenses, new research suggests. That sobering conclusion comes amid mounting evidence that thieves and cyberspies are ramping up spending to acquire and stockpile these digital armaments. KrebsOnSecurity, December 5, 2013

How the NSA Could Be Breaking SSL: In order for the National Security Agency to collect the massive amounts of communication it has from email and Web traffic, it needs to elude, leapfrog or bash through the barrier that is SSL. ThreatPost, December 4, 2013

Massive hack shows users still don’t know how to create safe passwords: Cyber security researchers recently discovered a server with about 2 million stolen Internet passwords, and as expected, many of the login credentials are no more complex than “1234.” LA Times, December 4, 2013

Securing the Village

Microsoft Launches Cybercrime Center: Microsoft expands global role supporting law enforcement, government, and businesses fighting cybercrime. InformationWeek, December 4, 2013

Cyber Law

LabMD latest to challenge FTC’s cybersecurity regulation authority: The medical testing laboratory follows hotelier Wyndham in saying the FTC can’t regulate its security measures. Inside Counsel, December 4, 2013

Cyber Calendar

ISSA-LA December Lunch Meeting: Please join us for our annual Holiday Party! Let’s gather to celebrate another successful year for ISSA-LA at our final meeting of 2013. Network. Lunch. Raffles & more! ISSA-LA, Event Date: December 18, 2013



Cyber Security News of the Week, December 8, 2013

by Fred F. Farkel, Friday, December 6th, 2013

 

Guest editorial by Stan Stahl, Ph.D.

_________________________

I publish 6 or so essays a year in honor of the Fourth of July, Memorial Day, Thanksgiving, etc. My objective is to write in ways that bring us together around the ideals of America, rather than in ways that separate us. I am proud that readers often tell me they find my essays inspiring, for it means that I have captured that inspiration which is America.

What must it take for a man to fight for freedom with the commitment and courage Nelson Mandela showed … and … then … after 27 years in prison … forgive his oppressors? Truly forgive them. Not just some platitude about forgiveness but true forgiveness, in the deepest most heartfelt most spiritual sense of that word. What must it take for a man to do this?

For this was Nelson Mandela.

Think about how hard this is. Feel it. All around us in the world of 2013 we see hate and anger. And this man, who saw more hate and more anger and more oppression than most of us ever will found the ability to forgive. Feel in your own heart how difficult this must be.

What a lesson he is for humankind!

Mandela appreciated that South Africa could only find a better future if it was a future in which all participated. It could not be whites or blacks; it HAD to be blacks and whites.

As a species, this is our future … our only successful future … that we become as one people …. E Pluribus Unum … learning to get along in a world in which we all get to live as free as we possibly can … each of us … endowed with those inalienable rights of life, liberty and the pursuit of happiness.

And, ultimately, the primary thing holding us back – what Mandela understood – is the fear and the anger in our hearts. Mandela understood that forward progress demanded forgiveness and that forgiveness demanded truth and reconciliation. As someone once said “You will never have a better future if you insist on having a perfect past.”

We all need this lesson, both as individuals and as a species. The only way to grow beyond the past is to forgive the past.

Thank you, Nelson Mandela, for illuminating the path.

Now cracks a noble heart.

Good night, sweet prince, And flights of angels sing thee to thy rest!

Hamlet

 

Let Freedom Ring.

_________________________

My son, Jonathan, wrote this about Nelson Mandela on his Facebook page:

Nothing needs to be said. If you are not aware of what this man has done for the world you are missing out on 100% awesome. The closest I could draw a hypothetical comparison is if Martin Luther King Jr. was born a slave, gained his freedom but was still oppressed, was imprisoned for being outspoken (as he was), then goes on to become president of the country that imprisoned him AND considerably reduces segregation in his country, eventually celebrated by the world. Good night, Mr. President. You have done your part to make the world a better place AND you’ve done it better than most ever could. That smile will keep your words alive for ever. Thank you.

My friend, Shad Meshad, sent me the following collection of quotes that personify Mandela’s spirit. Shad’s another hero as he and his colleagues at the National Veterans Foundation continue to do wonderful peace-loving work for America’s veterans: www.nvf.org.

1) “Difficulties break some men but make others. No axe is sharp enough to cut the soul of a sinner who keeps on trying, one armed with the hope that he will rise even in the end.”

2) “It always seems impossible until it’s done.”

3) “If I had my time over I would do the same again. So would any man who dares call himself a man.”

4) “I like friends who have independent minds because they tend to make you see problems from all angles.”

5) “Real leaders must be ready to sacrifice all for the freedom of their people.”

6) “A fundamental concern for others in our individual and community lives would go a long way in making the world the better place we so passionately dreamt of.”

7) “Everyone can rise above their circumstances and achieve success if they are dedicated to and passionate about what they do.”

8) “Education is the most powerful weapon which you can use to change the world.”

9) “I learned that courage was not the absence of fear, but the triumph over it. The brave man is not he who does not feel afraid, but he who conquers that fear.”

10) “For to be free is not merely to cast off one’s chains, but to live in a way that respects and enhances the freedom of others.”

11) “Resentment is like drinking poison and then hoping it will kill your enemies.”

12) “Lead from the back – and let others believe they are in front.”

13) “Do not judge me by my successes, judge me by how many times I fell down and got back up again.”

14) “I hate race discrimination most intensely and in all its manifestations. I have fought it all during my life; I fight it now, and will do so until the end of my days.”

_________________________

Copyright © 2013. Stan Stahl, Ph.D. All Rights Reserved. Permission is granted to republish this essay provided the essay is reproduced unedited and in its entirety, its source is identified as The Agnostic Patriot at www.agnosticpatriot.org and this copyright notice is included.

Nelson Mandela, December 5, 2013