The IT Blog



by Fred F. Farkel, Monday, October 28th, 2013

Guest column by Citadel Information Group

Weekend Vulnerability and Patch Report

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Important Security Updates

Apple iOS iPhone: Apple has released version 7.0.3 for iPhone 4 and later to fix 3 passcode lock security bypass weaknesses. Updates are available through the device.

Apple iTunes: Apple has released version 11.1.2 of iTunes for Windows (64-bit) to fix at least 24 vulnerabilities, some of which are highly critical. Updates are available from Apple’s website.

Apple OS X: Apple has released OS X version 10.9 (Mavericks) to fix at least 47 vulnerabilities, some of which are highly critical, found in prior versions.

Apple Remote Desktop: Apple has released version 3.7 of Apple Remote Desktop to address multiple vulnerabilities. For additional details, see Apple’s website.

Apple Safari: Apple has released version 6.1 of Safari to fix at least 21 vulnerabilities, some of which are highly critical, in a bundled version of WebKit.

Current Software Versions

Adobe Flash 11.9.900.117 [Windows 7: IE9, Firefox, Mozilla, Netscape, Opera]

Adobe Flash 11.9.900.117 [Windows 8: IE]

Adobe Flash 11.9.900.117 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.05

Dropbox 2.0.25 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 24.0 [Windows]

Google Chrome 30.0.1599.101

Internet Explorer 10.0.9200.16721 [Windows 7: IE]

Internet Explorer 10.0.9200.16519 [Windows 8: IE]

Java SE 7 Update 45 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser – such as Chrome, IE9, Safari, etc – with Java enabled to browse only the sites that require it.]

QuickTime 7.7.4

Safari 5.1.7 [Windows]

Safari 6.1 [Mac OS X]

Skype 6.7.0.102

Newly Announced Unpatched Vulnerabilities

None

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Apple OS X Server: Secunia reports that Apple has released version 3.0 of OS X Server to address 6 highly critical vulnerabilities in previous versions. Update to version 3.0.

Cisco Multiple Products: Secunia reports that Cisco has released many updates for multiple products, including Cisco’s Unified Computing System (UCS), Secure Access Control System (ACS), Identity Services Engine (ISE), IOS XR, Unified SIP Proxy (USP), Business Edition 3000, Content Security Management Appliance, Email Security Appliance, Web Security Appliance, Adaptive Security Appliance (ASA) and others. Apply appropriate updates.


If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that "exploit" vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.

Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community


The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.

Weekend Vulnerability and Patch Report, October 27, 2013

by Fred F. Farkel, Monday, October 28th, 2013

Guest column by Citadel Information Group

Cyber Crime

Hackers compromise official PHP website, infect visitors with malware (updated): Maintainers of the open-source PHP programming language have locked down the php.net website after discovering two of its servers were hacked to host malicious code designed to surreptitiously install malware on visitors’ computers. Ars Technica, October 24, 2013

Cyber Attack

U.N. nuclear agency says malware infected some computers: (Reuters) – Malicious software infected some U.N. nuclear agency computers over the past few months but no data in its network has been compromised, the agency said on Tuesday. Reuters, October 22, 2013

Cyber Privacy

Senator Demands More Info From Experian: In the wake of revelations that credit bureau Experian sold consumer data to the proprietors of an underground identity theft service, a powerful U.S. senator is calling on the company to divulge more information on the extent of the potential damage to consumers. KrebsOnSecurity, October 24, 2013

Big Data Is Opening Doors, but Maybe Too Many: In the 1960s, mainframe computers posed a significant technological challenge to common notions of privacy. That’s when the federal government started putting tax returns into those giant machines, and consumer credit bureaus began building databases containing the personal financial information of millions of Americans. Many people feared that the new computerized databanks would be put in the service of an intrusive corporate or government Big Brother. The New York Times, March 23, 2013

Cyber Warning

GTA 5 Malware May Have Already Infected Thousands Of Computers: Here’s a good rule of thumb: if a game hasn’t been released for your chosen platform, don’t download it. It’s true on Android, and it’s true on Windows. While we assume that GTA 5 will be coming to PC at some point, there are already torrents claiming to offer the massively popular crime sim to Windows users, and one of them is a giant malware file that may have already infected thousands of computers. Forbes, October 22, 2013

Cyber Security Management – Cyber Update

Cisco Fixes DoS, Remote Code Execution Bugs in Six Products: Telecommunications company Cisco rolled out three patches for multiple products yesterday, addressing vulnerabilities that could’ve led to a denial of service (DoS) attack or allowed an attacker to execute code and obtain sensitive information. ThreatPost, October 24, 2013

Cyber Security Management – Cyber Defense

Not Your Father’s IPS: SANS Releases Results On Its Network Security Survey: BETHESDA, Md., Oct. 25, 2013 /PRNewswire-USNewswire/ – SANS announces the results of a new survey sponsored by Hewlett-Packard on network security. In it, 439 survey responses show that IPS is still mainly deployed at the perimeter and is doing a fairly good job at detection, yet only 11% of respondents are turning on IPS to block automatically for 100% of their traffic. DarkReading, October 25, 2013

Protect your Facebook account from hackers with two-factor authentication: Nobody likes it when their friends suddenly start spewing links to weight-loss supplements and porn on Facebook. Don’t be that person. Using Facebook’s two-factor authentication feature can help keep undesirables out of your account, perhaps saving some friendships. TechHive, October 22, 2013

Cyber Security Management – HIPAA

Calif. AG offers medical identity theft prevention tips: Healthcare providers, payers, healthcare information organizations (HIOs) and policy makers all need to do their part in preventing medical identity theft and there are some best practices they can follow to lower the number of fraud incidents. HealthITSecurity, October 22, 2013

Securing the Village

US government releases draft cybersecurity framework: NIST comes out with its proposed cybersecurity standards, which outlines how private companies can protect themselves against hacks, cyberattacks, and security breaches. CNet, October 22, 2013

Information sharing key to security, say European experts: Sharing information on threats faster is essential in the face of increasingly sophisticated attacks, says Freddy Dezeure, head of the European Union computer emergency response team (EU-Cert). ComputerWeekly, October 23, 2013

National Cyber Security

Amid New Storm in U.S.-Europe Relationship, a Call for Talks on Spying: BERLIN – While President Obama has tried to soften the blow, this week’s disclosures about the extent of America’s spying on its European allies have added to a series of issues that have sharply eroded confidence in the United States’ leadership at a particularly difficult moment. The New York Times, October 25, 2013

Cyber Calendar

The 28th Annual 2013 ISSA SoCal Security Symposium: The SoCal Security Symposium features over 30 vendor exhibits and several industry experts discussing current security issues such as eDiscovery, cloud security, threat vectors, mobile security, and much more. There will be lots of giveaways and prizes! This conference will provide tremendous networking opportunities. You’ll come away with advice and knowledge you can start applying to your environment immediately. Your registration will include your breakfast, lunch, ice cream social, CPE credits (8) and entrance into the conference sessions and exhibit area. ISSA-OC, Event Date: October 30, 2013


Cyber Security News of the Week, October 27, 2013

by Fred F. Farkel, Monday, October 21st, 2013

Guest column by Citadel Information Group

Weekend Vulnerability and Patch Report

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Important Security Updates

Apple MacBook Air Firmware: Apple has released updates for its MacBook Air Flash Storage Firmware and EFI Firmware.

Apple OS X Java: Apple has released an update for Java on Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 or later, OS X Lion Server v10.7 or later, and OS X Mountain Lion 10.8 or later to address multiple vulnerabilities. Updates are available from Apple’s website.

Google Chrome: Google has released Google Chrome 30.0.1599.101 for Windows, Mac, Linux and Chrome Frame to fix 4 highly critical vulnerabilities. Updates are available from within the browser or from Google Chrome’s website.

Oracle Java: Oracle has released Java SE 7 Update 45 to fix at least 51 vulnerabilities, some of which are highly critical. The update is available through Windows Control Panel or Java’s website.

Current Software Versions

Adobe Flash 11.9.900.117 [Windows 7: IE9, Firefox, Mozilla, Netscape, Opera]

Adobe Flash 11.9.900.117 [Windows 8: IE]

Adobe Flash 11.9.900.117 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.05

Dropbox 2.0.25 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 24.0 [Windows]

Google Chrome 30.0.1599.101

Internet Explorer 10.0.9200.16721 [Windows 7: IE]

Internet Explorer 10.0.9200.16519 [Windows 8: IE]

Java SE 7 Update 45 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser – such as Chrome, IE9, Safari, etc – with Java enabled to browse only the sites that require it.]

QuickTime 7.7.4

Safari 5.1.7 [Windows]

Safari 6.0.5 [Mac OS X]

Skype 6.7.0.102

Newly Announced Unpatched Vulnerabilities

None

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports that Cisco has released many updates for multiple products, including Cisco’s Unity Connection, Identity Services Engine (ISE), Video Surveillance 400 Series IP Camera, and others. Apply appropriate updates.

Oracle Multiple Products: Secunia reports that Oracle has released many updates for multiple products, including Oracle’s Java JDK and JRE, MySQL, BPEL Process Manager, Agile PLM Data Manipulation, Instantis Enterprise Track Information, Transportation Management, WebCenter Content, Access Manager, E-Business Suite, Web Cache, Identity Analytics, HTTP Server, Primavera P6 Enterprise, iLearning, Identity Manager, and others. Apply appropriate updates.

VMware: Secunia reports that VMware has released a partial fix for at least 40 vulnerabilities, some of which are highly critical, in a bundled version of Java, reported in the following products and versions: vCenter Server versions 4.1, 5.0, and 5.1; Update Manager versions 5.0 and 5.1; and ESX version 4.1. Apply the patch if available.



Weekend Vulnerability and Patch Report, October 20, 2013

by Fred F. Farkel, Monday, October 21st, 2013

Guest column by Citadel Information Group

Cyber Attack

Phony Order Faxed To Registrar Leads to Metasploit Defacement: A pro-Palestine hacker collective went old-school in its takedown of the Metasploit and Rapid7 websites today. ThreatPost, October 18, 2013

Cyber Crime

Breach at PR Newswire Tied to Adobe Hack: Earlier this year, hackers broke into the networks of marketing and press release distribution service PR Newswire, making off with usernames and encrypted passwords that customers use to access the company’s service and upload news releases, KrebsOnSecurity has learned. KrebsOnSecurity, October 16, 2013

Cyber Privacy

Verify, then trust: One of the many outcomes of Edward Snowden’s leaks was to confirm what security researchers had long nervously joked about: that Western intelligence agencies spend a great deal of time and money trying to undermine the cryptographic software that secures computers all over the world (similar suspicions swirl around the Chinese and Russian spy agencies, too). The documents suggest that the spies lean on firms to build “back doors” into their products, infiltrate those companies with their own employees, and work to nobble cryptographic standards. The Economist, October 18, 2013

Privacy Fears Grow as Cities Increase Surveillance: OAKLAND, Calif. – Federal grants of $7 million awarded to this city were meant largely to help thwart terror attacks at its bustling port. But instead, the money is going to a police initiative that will collect and analyze reams of surveillance data from around town – from gunshot-detection sensors in the barrios of East Oakland to license plate readers mounted on police cars patrolling the city’s upscale hills. The New York Times, October 13, 2013

Cyber Warning

Apple iMessage Open To Man In The Middle, Spoofing Attacks: The Apple iMessage protocol has been shrouded in secrecy for years now, but a pair of security researchers have reverse-engineered the protocol and found that Apple controls the encryption key infrastructure for the system and therefore has the ability to read users’ text messages, or decrypt them and hand them over at the order of a government agency. ThreatPost, October 18, 2013

Facebook ‘stalker’ Tool Uses Graph Search for Powerful Data Mining: IDG News Service – When a high-profile public figure living in Hong Kong hired the security company Trustwave to test if its experts could get his passwords, they turned to Facebook. CIO, October 17, 2013

ISSA-LA Alerts Public to Potential Cybercrime When Microsoft Stops Support of Windows XP in 2014: Los Angeles (I-Newswire) September 23, 2013 – The Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) is launching an awareness campaign to alert the public to an increased exposure to cybercrime when Microsoft stops supporting Windows XP on April 8, 2014. According to Net Applications, 38% of computers still use Windows XP. i-Newswire, September 23, 2013

Backdoor found in D-Link home routers: An easy-to-exploit backdoor has been found in seven different models of domestic routers made by D-Link and Planex. BBC, October 14, 2013

Thousands of Sites Hacked Via vBulletin Hole: Attackers appear to have compromised tens of thousands of Web sites using a security weakness in sites powered by the forum software vBulletin, security experts warn. KrebsOnSecurity, October 14, 2013

Cyber Security Management

Essential considerations when making changes to security: When it comes to security policies and practices, there are rules (both written and unwritten) that need to be adhered to. An organization simply cannot implement changes to security on the fly as it could lead to disaster. Yet, there are times when changes are necessary, or mandated due to an incident response plan. In that instance, what should business leaders be focusing on? CSO, October 17, 2013

Cyber Risk And The Board of Directors – Closing The Gap: The responsibility of corporate directors to address cyber security is commanding more attention and is obviously a significant issue. Yet here is how one writer entitled her Forbes article about the 2012 Carnegie Mellon Cylab Report: “Boards Are Still Clueless About Cybersecurity.” Bloomberg Law

Cyber Security Management – Cyber Defense

10 Pitfalls Of IT Risk Assessment: As IT organizations seek to make better risk-based decisions about security practices, perhaps the No. 1 component for success is the IT risk assessment. However, even when organizations actually conduct a risk assessment, they frequently fall prey to mistakes that can greatly devalue the exercise. Here are some of the most common blunders to avoid. DarkReading, October 17, 2013

Yahoo Mail is switching to default SSL encryption: On the heels of its recent redesign, Yahoo Mail is adding a new feature many users have been requesting for years: encryption. The Washington Post revealed today that Yahoo Mail will begin using default SSL encryption for its webmail interface as of January 8th, 2014. The encryption, which protects messages sent between a user’s computer and Yahoo servers, was only made available earlier this year as an option from Yahoo, although most security professionals view it as crucial for any level of privacy on the web. The move comes nearly four years after Gmail switched over to default SSL in January of 2010. The Verge, October 14, 2013

WordPress Attacks: Time To Wake Up: If I wrote a Security 101 story in light of this news – outdated WordPress sites are used to launch malicious attacks on other websites – it would go something like this: Use strong passwords. Stay current on software updates and patches. Educate employees on security risks and fundamentals. Use anti-malware tools and other technologies. Wash, rinse, repeat. InformationWeek, October 2, 2013

Cyber Security Management – HIPAA

SANS Announces Results of its Inaugural Health Care Information Security Survey: BETHESDA, Md., Oct. 17, 2013 /PRNewswire-USNewswire/ – SANS announces results of its inaugural health care information security survey, in which 373 health care IT professionals answered questions about their digital health initiatives, awareness and concerns over risk, and how they are (or are not) managing this risk. The survey was sponsored by Oracle, Redspin, Tenable Network Security and Trend Micro. DarkReading, October 17, 2013

More HIPAA enforcement coming: When Office for Civil Rights Director Leon Rodriguez took the stage Monday to talk HIPAA at the HIMSS Media and Healthcare IT News Privacy and Security Forum, the timing was perfect. Healthcare IT News, September 24, 2013

Cyber Security Management – Cyber Update

Critical Java Update Plugs 51 Security Holes: Oracle has released a critical security update that fixes at least 51 security vulnerabilities in its Java software. Patches are available for Linux, Mac OS X, Solaris and Windows versions of the software. KrebsOnSecurity, October 16, 2013

Cyber Mercenaries

Hackers Target Town After Dropped Sexual-Assault Case: The international band of Internet activists known as Anonymous has chosen the rural Missouri town of Maryville as the target of its latest campaign, after the Kansas City Star published a powerful examination of a possible rape case that went unprosecuted by local authorities. Time, October 14, 2013

Securing the Village

The 28th Annual 2013 ISSA SoCal Security Symposium: The SoCal Security Symposium features over 30 vendor exhibits and several industry experts discussing current security issues such as eDiscovery, cloud security, threat vectors, mobile security, and much more. There will be lots of giveaways and prizes! This conference will provide tremendous networking opportunities. You’ll come away with advice and knowledge you can start applying to your environment immediately. Your registration will include your breakfast, lunch, ice cream social, CPE credits (8) and entrance into the conference sessions and exhibit area. ISSA of Orange County, Event Date: October 30, 2013

Critical Infrastructure

Many energy companies lagging in cybersecurity efforts, expert says: Energy companies are continuing to be hit by cyberattacks, in large part because of complacency by executives who don’t understand the threat, a Verizon executive said Thursday. FuelFix, October 17, 2013

Cyber Law

When Companies Are Hacked, Customers Bear the Brunt. But Not for Long: For the past two weeks, Security States has been exploring the possibility of liability for software design flaws. It’s a critical issue, and likely the right answer from an economic perspective. But at this point that answer is theoretical. There are many steps between where we are today (no liability for any cyber breach) and there (product liability for software defects). The New Republic, October 15, 2013

Cyber Career

Cybercrime fighters in short supply: Governments and corporations are struggling to find enough recruits to help fight cyber attacks with demand outstripping supply when it comes to the sector. ITProPortal, October 14, 2013

Cyber Sunshine

UPDATE: Man charged in TSYS identity theft violated computer policy at Paragon Benefits: A week after he was placed at Paragon Benefits Inc. by a temporary staffing agency, Drew Johnson appeared to be spending more time on his computer than his duties required before personal information from more than 5,200 TSYS employees was sent to his personal Gmail account, records in U.S. District Court stated Tuesday. Ledger-Enquirer, October 15, 2013

Cyber Misc

Cybersecurity companies attracting huge investment: SEATTLE – It’s clear Wall Street has a love affair going with cybersecurity companies. CyberTruth asked Bob Ackerman, founder and managing director of Allegis Capital, to quantify the scale of investment going into cutting-edge technologies to stop cybercriminals. The metrics he pulled together are staggering. USA Today, October 16, 2013

Landmark Leadership Conferences for IT Executives: The IT Summit is the executive technology conference series returning to Los Angeles for our seventh annual event on October 23, 2013. The purpose of the summit is to provide educational and networking resources for the IT leaders in Southern California. The conference is driven by an Executive Board of regional IT professionals that directs the content of the conference. The IT Summit is designed to address the real-world opportunities and challenges faced by today’s executives. The IT Summit, Event Date: October 23, 2013


Cyber Security News of the Week, October 20, 2013

by Fred F. Farkel, Tuesday, October 15th, 2013

Guest column by Citadel Information Group

Weekend Vulnerability and Patch Report

Important Security Updates

Adobe Flash Player: Adobe has released version 11.9.900.117 to fix highly critical vulnerabilities in its Flash Player for the Windows, Mac, Linux and Android versions. Updates are available from Adobe’s website.

Adobe Reader: Adobe has released version 11.0.05 to fix a vulnerability reported in version 11.9.94 for Windows. Updates are available from Adobe’s website. Updates are also available for Acrobat.

Google Chrome: Google has released Google Chrome 30.0.1599.69 for Windows, Mac, Linux, and Chrome Frame. Updates are available from within the browser or from Google Chrome’s website.

MacBook Air: Apple has released a Firmware Update for MacBook Air (mid 2013) models. Updates are available from Apple’s website.

Microsoft Patch Tuesday: Microsoft released several updates addressing at least 26 security vulnerabilities, some of which are highly critical, in Windows, Office, Internet Explorer, Sharepoint, and more. Updates are available via Windows Update or from Automatic Update.

Siber Systems RoboForm: Siber Systems has released version 7.9.2 of RoboForm. Updates are available from within the program (look for the "Check New Version" button on the Options menu) or by download from the RoboForm website.

Current Software Versions

Adobe Flash 11.9.900.117 [Windows 7: IE9, Firefox, Mozilla, Netscape, Opera]

Adobe Flash 11.9.900.117 [Windows 8: IE]

Adobe Flash 11.9.900.117 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.05

Dropbox 2.0.25 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 24.0 [Windows]

Google Chrome 30.0.1599.69

Internet Explorer 10.0.9200.16721 [Windows 7: IE]

Internet Explorer 10.0.9200.16519 [Windows 8: IE]

Java SE 7 Update 40 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser – such as Chrome, IE9, Safari, etc – with Java enabled to browse only the sites that require it.]

QuickTime 7.7.4

Safari 5.1.7 [Windows]

Safari 6.0.5 [Mac OS X]

Skype 6.7.0.102

Newly Announced Unpatched Vulnerabilities

None

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Blackberry Enterprise Service: Secunia reports that BlackBerry has released an update to BlackBerry Enterprise Service to fix a vulnerability. Update to version 10.1.3.

Cisco Multiple Products: Secunia reports that Cisco has released many updates for multiple products, including Cisco’s NX-OS, Unified Computing System, Unified IP Phones 9900, Cisco Firewall Services Module, Adaptive Security Appliance and others. Apply appropriate updates.


Weekend Vulnerability and Patch Report, October 13, 2013

by Fred F. Farkel, Tuesday, October 15th, 2013

Guest column by Citadel Information Group

Cyber Security News of the Week

Cyber Crime

Nordstrom Finds Cash Register Skimmers: Scam artists who deploy credit and debit card skimmers most often target ATMs, yet thieves can also use inexpensive, store-bought skimming devices to compromise modern-day cash registers. Just this past weekend, for instance, department store chain Nordstrom said it found a half-dozen of these skimmers affixed to registers at a store in Florida. KrebsOnSecurity, October 10, 2013

Online Bank Fraud

Wire and Online Banking Fraud Continues to Spike for Businesses: A $1.5 million bank/wire fraud case made big news this summer, but experts say that malware and other online threats to banks’ business clients have been spiking for at least a year. American Banker, October 7, 2013

Cyber Warning

SPECIAL ALERT: Aggressive Malware Requires User Diligence: We are tracking a new, very aggressive malware. This malware is distributed as a zip file attachment to emails. When the zip file is run, it encrypts files on the user’s hard drive, rendering them unusable until a ransom is paid. Citadel Information Group, October 7, 2013

Cyber Security Management

Study: Cybercrime Costs Grow 26%: A big challenge when attempting to drum up support for investments in information security is demonstrating the cost of data breaches and other cybercrimes. But because very few cyber-attack victims have revealed the costs involved, sizing up the potential financial impact is tough. And that can make it difficult to justify a hefty security investment. BankInfoSecurity, October 8, 2013

Why mere compliance increases risk: In some cases, poor training is as bad as, if not worse than, no training at all, say John Schroeter and Tom Pendergas. CSO, October 2, 2013

Tech Insight: Top 4 Problem Areas That Lead To Internal Data Breaches: External data breaches (think: Anonymous) and internal data leaks (think: Edward Snowden) have enterprises questioning and rethinking their security programs. Are they doing enough to protect their data? Are their security controls effective? Would they be able to respond appropriately to a data breach and contain it quickly? DarkReading, September 27, 2013

Cyber Security Management – Cyber Defense

The practicality of the Cyber Kill Chain approach to security: Lysa Myers of the InfoSec Institute explains the Cyber Kill Chain approach and whether or not it’s a good fit for certain organizations. CSO, October 4, 2013

Cyber Security Management – Cyber Update

BlackBerry Fixes Remote Code Vulnerability in BES10: Microsoft and Adobe weren’t the only companies releasing security updates yesterday. BlackBerry piled on the patch parade with an update for its BlackBerry Enterprise Service 10 mobile device management product, fixing a remote code execution vulnerability. ThreatPost, October 9, 2013

Adobe, Microsoft Push Critical Security Fixes: Adobe and Microsoft today each issued software updates to fix critical security issues in their products. Microsoft released eight patch bundles to address 26 different vulnerabilities in Windows and other software – including not just one but two zero-day bugs in Internet Explorer. Adobe’s patches fix a single critical vulnerability present in both Adobe Acrobat and Reader. KrebsOnSecurity, October 8, 2013

Securing the Village

Cybersecurity Is Everyone’s Business: I wish it were possible to simply delegate cybersecurity to the “big guys.” Why not just let the government and big companies handle it? Forbes, October 1, 2013

The 28th Annual 2013 ISSA SoCal Security Symposium: The SoCal Security Symposium features over 30 vendor exhibits and several industry experts discussing current security issues such as eDiscovery, cloud security, threat vectors, mobile security, and much more. There will be lots of giveaways and prizes! This conference will provide tremendous networking opportunities. You’ll come away with advice and knowledge you can start applying to your environment immediately. Your registration will include your breakfast, lunch, ice cream social, CPE credits (8) and entrance into the conference sessions and exhibit area. ISSA of Orange County, Event Date: October 30, 2013

Securing the Village – ISSA-LA

ISSA-LA October Lunch Meeting: Topic: How threat actors are using your databases against you – Hacking databases to maintain access to your network. ISSA-LA, Event Date: October 16, 2013

National Cyber Security

Cybersecurity reform going nowhere fast: For all the bellowing in Washington over Chinese and Iranian cyberspies that are striking at lightning speed, Congress is still stuck slogging at a snail’s pace to offer any solution. Politico, October 9, 2013

Cyber Sunshine

Suspect in ‘Blackhole’ cybercrime case arrested in Russia: source: (Reuters) – Russian authorities have arrested a man believed to be responsible for distributing a notorious software kit known as “Blackhole” that is widely used by cyber criminals to infect PCs, according to a person familiar with the situation. Reuters, October 9, 2013

‘Bulletproof’ Hoster Santrex Calls It Quits: Santrex, a Web hosting provider that has courted cybercrime forums and created a haven for a nest of malicious Web sites, announced last week that it is shutting its doors for good, citing “internal network issues and recent downtime.” KrebsOnSecurity, October 9, 2013

Feds Arrest Alleged Top Silk Road Drug Seller: Federal authorities last week arrested a Washington state man accused of being one of the most active and sought-after drug dealers on the online black market known as the “Silk Road.” Meanwhile, new details about the recent coordinated takedown of the Silk Road became public, as other former buyers and sellers on the fraud bazaar pondered who might be next and whether competing online drug markets will move in to fill the void. KrebsOnSecurity, October 7, 2013

13 alleged hackers indicted in attacks on sites unkind to file sharing, WikiLeaks: Federal prosecutors have charged 13 alleged members of the hacking group Anonymous in connection with cyberattacks that the collective launched in 2010 against anti-piracy groups and financial institutions unwilling to process donations to WikiLeaks. The Washington Post, October 3, 2013

Cyber Misc

Landmark Leadership Conferences for IT Executives: The IT Summit is the executive technology conference series returning to Los Angeles for our seventh annual event on October 23, 2013. The purpose of the summit is to provide educational and networking resources for the IT leaders in Southern California. The conference is driven by an Executive Board of regional IT professionals that directs the content of the conference. The IT Summit is designed to address the real-world opportunities and challenges faced by today’s executives. The IT Summit, Event Date: October 23, 2013


The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.

Read More | Comments Off on Cyber Security News of the Week, October 13, 2013

by Fred F. Farkel, Monday, October 14th, 2013


Portland, Oregon – Monday, October 14, 2013: The IT Summit has announced the dates and locations for its highly anticipated 2014 conference series. Regarded as the ‘Ultimate Conference Series’ for IT executives, professionals, and solution providers, The IT Summit conferences are for senior leaders. The purpose is to promote economic development, education, and the proliferation of information technology. By involving senior leaders and soliciting extensive CIO input in the planning and production of their events, The IT Summit ensures that they continuously provide the highest quality programs for busy executives and professionals.

The IT Summit 2014 series includes:

  • Denver, April 2
  • Seattle, April 22
  • Houston, May 1
  • Los Angeles, October 22
  • San Francisco, November 5

The IT Summit provides complimentary sponsorships for governments, traditional colleges and universities, and key technology associations, and complimentary admission for their IT-professional members.

Additional information on The IT Summit IT conferences and registration is available via:

Internet at https://www.theitsummit.com

Telephone at 503/828-0294

Information requests may also be faxed to 503/616-3291.

An Adobe Acrobat PDF version of this announcement is available for download here.
