Landmark Leadership Conferences for IT Executives
 

The IT Blog



by Fred F. Farkel, Monday, March 24th, 2014

 

Guest column by Citadel Information Group

Weekend Vulnerability and Patch Report

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Important Security Updates

D-Link DIR-615: D-Link has released version 8.05b06 to fix a vulnerability in its DIR-615 wireless router. Updates are available from D-Link’s website.

Google Chrome: Google has released version 33.0.1750.154 of Chrome for Windows and Mac to fix 7 highly critical vulnerabilities. Updates are available through the program.

Google Chrome for Android: Google has released version 33.0.1750.166 of Chrome for Android to fix at least 3 highly critical vulnerabilities. Updates are available through the program or device.

Mozilla Firefox: Mozilla has released version 28.0 of Firefox to fix at least 11 highly critical vulnerabilities. Updates are available within the browser or from Mozilla’s website. There are also updates for Thunderbird and SeaMonkey.

Opera: Opera has released version 20.0.1387.82. Updates are available from within the browser or from Opera’s website.

Oracle Java: Oracle has released Java SE 8. The update is available through Windows Control Panel or Java’s website. [See Citadel's recommendation below]

Current Software Versions

Adobe Flash  12.0.0.77 [Windows 7: IE]

Adobe Flash  12.0.0.77 [Windows 7: Firefox, Mozilla]

Adobe Flash  12.0.0.77 [Windows 8: IE]

Adobe Flash  12.0.0.77 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.06

Dropbox 2.6.2 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 28.0

Google Chrome 33.0.1750.154

Internet Explorer 11.0.9600.16518 [Windows 7: IE]

Internet Explorer 11.0.9600.16384 [Windows 8: IE]

Java SE 8 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

QuickTime 7.7.5

Safari 5.1.7

Safari 7.0.2 [Mac OS X]

Skype 6.14.0.104

Newly Announced Unpatched Vulnerabilities

D-Link DIR-615 Wireless Router: Secunia reports an unpatched vulnerability in D-Link’s DIR-615 Wireless Router reported in revision Ex firmware version 5.10 and prior. No official solution is currently available.

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports that Cisco has released updates for its Adaptive Security Appliance (ASA), IOS and others. Apply updates.

IBM OS/400 Java: Secunia reports that IBM has released updates for its OS/400 to fix at least 25 vulnerabilities, some of which are highly critical, which is due to a bundled version of IBM Java. Apply PTF or APARs.


If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.

 

Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community


Copyright © 2014 Citadel Information Group. All rights reserved.

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you. The post Weekend Vulnerability and Patch Report, March 23, 2014 appeared first on Citadel Information Group.

Read More | No Comments »

by Fred F. Farkel, Monday, March 24th, 2014

 

Guest column by Citadel Information Group

California Leads The Nation In Cybercrime: The same high-profile assets that make California an engine for America’s creativity and economy – think Silicon Valley and Hollywood – have made it a magnet for international criminal enterprises. If that sounds like a cover story for “Duh Magazine,” the first comprehensive report about it was released here Thursday, and it backs up the assertions with data and investigative evidence – and recommends what to do next. Business Insider, March 20, 2014

Citroen becomes the latest victim of Adobe ColdFusion hackers: One of the carmaker’s German websites hacked to include a backdoor last year, following similar cases elsewhere. The Guardian, March 17, 2014

The Long Tail of ColdFusion Fail: Earlier this month, I published a story about a criminal hacking gang using Adobe ColdFusion vulnerabilities to build a botnet of hacked e-commerce sites that were milked for customer credit card data. Today’s post examines the impact that this botnet has had on several businesses, as well as the important and costly lessons these companies learned from the intrusions. KrebsOnSecurity, March 17, 2014

Sally Beauty Confirms Card Data Breach: Nationwide cosmetics and beauty retailer Sally Beauty today confirmed that hackers had broken into its networks and stolen credit card data from stores. The admission comes nearly two weeks after KrebsOnSecurity first reported that the company had likely been compromised by the same criminal hacking gang that stole 40 million credit and debit cards from Target. KrebsOnSecurity, March 17, 2014

Bitcoin-stealing malware hidden in Mt. Gox data dump, researcher says: An archive containing transaction records from Mt. Gox that was released on the Internet last week by the hackers who compromised the blog of Mt. Gox CEO Mark Karpeles also contains bitcoin-stealing malware for Windows and Mac. PCWorld, March 17, 2014

Cyber Attack

NATO websites attacked by hackers: (CNN) — Hackers apparently attacked several NATO websites Saturday, but they did not interrupt operations nor was the integrity of NATO’s systems affected, NATO spokeswoman Oana Lungescu said on Twitter. CNN, March 16, 2014

Cyber Privacy

Microsoft Software Leak Inquiry Raises Privacy Issues: SEATTLE — Technology companies have spent months denying they know anything about broad government spying on people who use their Internet services. The New York Times, March 20, 2014

FORMER CHURCH COMMITTEE MEMBERS SEE NEED FOR NEW GROUP TO INVESTIGATE NSA: In a letter sent to President Obama and members of Congress, former members and staff of the Church Committee on intelligence said that the revelations of the NSA activities have caused “a crisis of public confidence” and encouraged the formation of a new committee to undertake “significant and public reexamination of intelligence community practices”. ThreatPost, March 20, 2014

Identity Theft

Are Credit Monitoring Services Worth It?: In the wake of one data breach after another, millions of Americans each year are offered credit monitoring services that promise to shield them from identity thieves. Although these services can help true victims step out from beneath the shadow of ID theft, the sad truth is that most services offer little in the way of real preventative protection against the fastest-growing crime in America. KrebsOnSecurity, March 19, 2014

Consumers Union’s Guide to Security Freeze Protection: There are more than eight million new victims of identity theft each year in the U.S. Many of these victims find that crooks have used stolen personal information like Social Security numbers to open new accounts in their victim’s name. A security freeze gives consumers the choice to “freeze” or lock access to their credit file against anyone trying to open up a new account or to get new credit in their name.When a security freeze is in place at all three major credit bureaus, an identity thief cannot open a new account because the potential creditor or seller of services will not be able to check the credit file. When the consumer is applying for credit, he or she can lift the freeze temporarily using a PIN so legitimate applications for credit or services can be processed. DefendYourDollars, February 5, 2014

Cyber Warning

EA Games hackers get Apple ID, Origin passwords and payment info: If you’ve been prompted to enter your Apple ID login, payment and security credentials via an EA Games subdomain recently, change your passwords immediately. ZDNet, March 20, 2014

Android Upgrades Open A Backdoor To Malware, Researchers Show: Updating software is to malware as flossing is to gingivitis: a basic practice meant to minimize the risk of infection. But a team of researchers has found that for Google’s Android platform, operating system upgrades can also serve as a stealthy new method for malware to sneak its tricks past Android’s security measures. Forbes, March 19, 2014

Botnet of thousands of Linux servers pumps Windows desktop malware onto web: As many as 25,000 web servers infected with Linux malware have been used in the past two years to hit website visitors with two variants of Windows malware. ZDNet, March 19, 2014

Hackers Use Missing Malaysia Airlines Flight to Bait Users: Cyber scammers are exploiting intense interest in missing Malaysia Airlines Flight 370 to spread malicious malware aimed at attacking users, according to a new warning from security software company Trend Micro. FoxBusiness, March 19, 2014

Cyber Security Management

6 greatest cybersecurity myths and why you should not trust them: Cybersecurity is, without a doubt, becoming one of the dominant security topics (and concerns), not only for security professionals, but also for any executives or managers who want to protect their organizations. Defense Systems, March 17, 2014

Cyber Security Management – Cyber Update

Windows XP Holdouts: 6 Top Excuses: Microsoft cuts support for Windows XP in less than a month, but millions still use the OS. Are these rationales worth the risk? InformationWeek, March 17, 2014

GOOGLE PATCHES FOUR PWN2OWN BUGS IN CHROME 33: Now that the dust has settled after the Pwn2Own contest, the browser manufacturers are beginning to roll out patches for the vulnerabilities exploited by contestants. Google on Monday released fixes for a number of bugs in Chrome discovered and exploited during Pwn2Own, releasing new versions of the browser for Windows, Mac and Linux. ThreatPost, March 17, 2014

Government computers running Windows XP will be vulnerable to hackers after April 8: The deadline for installing secure operating systems on federal government computers will pass next month with the job incomplete, leaving hundreds of thousands of machines running outdated software and unusually vulnerable to hackers. The Washington Post, March 16, 2014

Cyber Security Management – Cyber Defense

FULL DISCLOSURE SECURITY MAILING LIST SHUTS DOWN: The Full Disclosure security mailing list, which has been one of the main discussion forums for vulnerability and exploit information for 12 years, is shutting down because “‘one of our own’ would undermine the efforts of the last 12 years”, one of the creators said. ThreatPost, March 20, 2014

The Year of Encryption: Government spying gives a giant push to data scrambling on the Web. MIT Technology Review, March 18, 2014

Cyber Underworld

Cyber Criminals Using Online Attack Kits to Steal Data: Cyber criminals are now using online attack kits to steal data. The cyber criminal does not need to have advanced hacking skills today to steal someone’s personal banking information. In a few simple steps, they can download a so-called “attack kit” and online theft is just a matter of a few clicks away. LibertyVoice, MArch 16, 2014

ISSA-LA

ISSA-LA Donates $25,000 for Nonprofits to Attend the Sixth Annual Information Security Summit on Cybercrime Solutions: The Los Angeles Chapter of the Information Systems Security Association has created a donation fund of up to $25,000 for 100 free registrations to Executives and IT personnel of nonprofits to attend the Sixth Annual Information Security Summit. PRWeb, March 19, 2014

Cyber Sunshine

Men from Ukraine and New York indicted in U.S. cybercrime case: (Reuters) – Federal prosecutors on Monday announced the indictment of three men they accuse of being members of an international cybercrime ring that tried to steal at least $15 million by hacking into U.S. customer accounts at 14 financial institutions and the Department of Defense’s payroll service. Reuters, March 18, 2014

Cyber Calander

ISSA-LA Sixth Annual Information Security Summit, May 16, Universal City Hilton. Speakers include Richard Clarke, former Assistant to the President; Jackie Lacey, Los Angeles County District Attorney; Roland Cloutier, CSO of ADP. For more information and to register, visit ISSA-LA.

Cyber Crime


Copyright © 2014 Citadel Information Group. All rights reserved.

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.  The post Cyber Security News of the Week, March 23, 2014 appeared first on Citadel Information Group.

Read More | No Comments »

by Fred F. Farkel, Thursday, March 20th, 2014

 

Companies of all sizes want to maximize their IT infrastructure investment by virtualizing strategic business applications. However, this often comes at a cost. An increase in Virtual Machines (VMs) can stress shared storage infrastructures, causing I/O bottlenecks that hurt application performance.

The traditional solution to this problem – buying more storage hardware in the form of more disks or new Flash – presents several challenges. Upgrading or replacing a SAN can be quite disruptive as storage must be taken offline during the installation and configuration process. In addition, the SAN is “too far” away from the applications/hosts, minimizing potential performance gains. Perhaps more importantly, buying capacity to get performance often results in wasted money.

In this white paper, PernixData explains why the common concepts of storage, performance and capacity need to be abandon and what new concepts should replace the old. Download Building a Business Case for Decoupling Storage Performance from Capacity to get the whole story.

Read More | No Comments »

by Fred F. Farkel, Monday, March 17th, 2014

 

Guest column by Citadel Information Group

Weekend Vulnerability and Patch Report

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Important Security Updates

Adobe Flash Player: Adobe has released version 12.0.0.77 for its Flash Player to fix a moderately critical vulnerability. Updates are available through the program or from Adobe’s Flash Web Site.

Adobe Shockwave Player: Adobe has released version 12.1.0.150 to fix a highly critical vulnerability reported in previous versions of Shockwave Player running on Windows and Macintosh. Updates are available through the program or from Adobe’s Shockwave Web Site.

Amazon Kindle for PC: Amazon has released version 1.10.8 Build 40514 of Kindle for PC. Updates are available through the program or from the Amazon’s Kindle website.

Apple iOS: Apple  has released version 7.1 of its iOS for iPhone 4 and later, iPad and iPod touch to fix at least 26 vulnerabilities, some of which are highly critical. The update is available through the devices or through Apple’s website.

Apple TV: Apple has released version 6.1 for Apple TV to fix at least 24 highly critical vulnerabilities. Updates are available from within the program or Apple’s website.

AVG Antivirus Free Edition: AVG has released version 2014.0.4336 (32-bit) of its Free Edition Antivirus. Updates are available through the program or from AVG’s website.

Google Chrome: Google has released version 33.0.1750.149 of Chrome for Windows and Mac to fix 7 highly critical vulnerabilities. Updates are available through the program.

Microsoft Patch Tuesday: Microsoft released 5 updates addressing at least 23 security weaknesses in almost all versions of the Microsoft OS, Internet Explorer, and more. Updates are available via Windows Update or from Automatic Update.

Opera: Opera has released version 20.0.1387.77. Updates are available from within the browser or from Opera’s website.

Current Software Versions

Adobe Flash  12.0.0.77 [Windows 7: IE]

Adobe Flash  12.0.0.77 [Windows 7: Firefox, Mozilla]

Adobe Flash  12.0.0.77 [Windows 8: IE]

Adobe Flash  12.0.0.77 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.06

Dropbox 2.6.2 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 27.0.1

Google Chrome 33.0.1750.149

Internet Explorer 11.0.9600.16518 [Windows 7: IE]

Internet Explorer 11.0.9600.16384 [Windows 8: IE]

Java SE 7 Update 51 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

QuickTime 7.7.5

Safari 5.1.7

Safari 7.0.2 [Mac OS X]

Skype 6.14.0.104

Newly Announced Unpatched Vulnerabilities

D-Link DIR-600 Wireless Router: Secunia reports an unpatched vulnerability in D-Link’s DIR-600 Wireless Router in firmware versions 2.16WW and prior. No official solution is currently available.

D-Link DSL-2640U Wireless Router: Secunia reports an unpatched vulnerability in D-Link’s DSL-2640U Wireless Router in firmware versions 1.0.24W and prior. No official solution is currently available.

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Intelligent Automation for Cloud: Secunia reports an unpatched security issue in Cisco’s Intelligent Automation for Cloud in versions 9.4.1 and prior. Other versions may also be affected. No official solution is currently available.

McAfee Cloud Identity Manager: Secunia reports that McAfee has released an update for its Cloud Identity Manager to fix unpatched a moderately critical vulnerability in previous versions. Upgrade to version 4.0.1.

McAfee Cloud Single Sign On: Secunia reports that McAfee has released an update for its Cloud Single Sign On (formerly McAfee Cloud Identity Manager) to fix a moderately critical vulnerability in previous versions. Upgrade to version 4.0.1.

McAfee Multiple Products: Secunia reports that McAfee has released a partial fix for its Email Gateway and Email and Web Security Appliance to address vulnerabilities reported in Email Gateway versions 7.0, 7.5, and 7.6 and Email and Web Security Appliance version 5.6. Apply patch if available.

McAfee Web Gateway: Secunia reports that McAfee has released updates for its Web Gateway to fix a vulnerability in previous versions. Update to version 7.4.1 or 7.3.2.6.

VMware ESXi: Secunia reports that VMware has released an update to fix a vulnerability. Apply patch if available.

VMware vCenter Server: Secunia reports that VMware has released updates for its VCenter Server to fix at least 51 vulnerabilities, some of which are highly critical. Apply 5.5 Update 1.

VMware vCenter Server Appliance: Secunia reports that VMware has released updates for its VCenter Server Appliance to fix a vulnerability. Apply update.

VMware vSphere Update Manager: Secunia reports that VMware has released updates for its VSphere Update Manager to fix at least 51 vulnerabilities, some of which are highly critical. Apply 5.5 Update 1.


If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.

 

Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community


Copyright © 2014 Citadel Information Group. All rights reserved.

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you. The post Weekend Vulnerability and Patch Report, March 16, 2014 appeared first on Citadel Information Group.

Read More | No Comments »

by Fred F. Farkel, Monday, March 17th, 2014

 

Guest column by Citadel Information Group

Cyber Crime

Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It: The biggest retail hack in U.S. history wasn’t particularly inventive, nor did it appear destined for success. In the days prior to Thanksgiving 2013, someone installed malware in Target’s (TGT) security and payments system designed to steal every credit card used at the company’s 1,797 U.S. stores. At the critical moment—when the Christmas gifts had been scanned and bagged and the cashier asked for a swipe—the malware would step in, capture the shopper’s credit card number, and store it on a Target server commandeered by the hackers. BusinessWeek, March 13, 2014

NoMoreRack.com Probes Possible Card Breach: For the second time since Aug. 2013, online retailer NoMoreRack.com has hired a computer forensics team after being notified by Discover about a potential breach of customer card data, KrebsOnSecurity has learned. KrebsOnSecurity, March 12, 2014

Cyber Privacy

NSA’s plans reportedly involve infecting millions of computers with surveillance malware: The U.S. National Security Agency has reportedly been working for the past several years on expanding its ability to infect computers with surveillance malware and creating a command-and-control infrastructure capable of managing millions of compromised systems at a time. PCWorld, March 12, 2014

Snowden Tries to Rally Tech Conference to Buttress Privacy Shields: AUSTIN, Tex. — Edward J. Snowden wants the technology industry to get serious about protecting the privacy of its users and customers. The New York Times, March 10, 2014

Identity Theft

Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records: In October 2013, KrebsOnSecurity published an exclusive story detailing how a Vietnamese man running an online identity theft service bought personal and financial records on Americans directly from a company owned by Experian, one of the three major U.S. credit bureaus. Today’s story looks deeper at the damage wrought in this colossal misstep by one of the nation’s largest data brokers. KrebsOnSecurity, March 10, 2014

Financial Fraud

Report: Cybercriminals Bank Nearly $4 Billion On Tax Fraud: Attackers collect almost $4 billion by filing fraudulent tax returns, stealing taxpayer identities, ThreatMetrix report says. DarkReading, March 11, 2014

Cyber Warning

Experts warn of coming wave of serious cybercrime: The rash of attacks against Target and other top retailers is likely to be the leading edge of a wave of serious cybercrime, as hackers become increasingly skilled at breaching the nation’s antiquated payment systems, experts say. The Washington Post, February 9, 2014

Cyber Secrity Management – Cyber Update

Adobe, Microsoft Push Security Updates: Adobe and Microsoft today each released software updates to fix serious security flaws in their products. Adobe pushed an update that plugs a pair of holes in its Flash Player software. Microsoft issued five updates, including one that addresses a zero-day vulnerability in Internet Explorer that attackers have been exploiting of late. KrebsOnSecurity, March 11, 2014

APPLE IOS 7.1 FIXES MORE THAN 20 CODE-EXECUTION FLAWS: Apple has fixed a slew of vulnerabilities that could lead to code execution on the iPhone, along with a number of other security vulnerabilities in the latest version of its mobile operating system, iOS 7.1. The new release comes just a little more than two weeks after Apple released iOS 7.06 to fix the SSL certificate validation error. ThreatPost, March 11, 2014

Cyber Security Management – Cyber Defense

Blogs of War: Don’t Be Cannon Fodder: On Wednesday, KrebsOnSecurity was hit with a fairly large attack which leveraged a feature in more than 42,000 blogs running the popular WordPress content management system (this blog runs on WordPress). This post is an effort to spread the word to other WordPress users to ensure their blogs aren’t used in attacks going forward. KrebsOnSecurity, March 13, 2014

Securing the Village

Financial Networks Increase Collaboration To Improve Information Security: One of the types of business networks that we have previously described on this blog is Financial networks. The nodes in these networks are central and commercial banks, businesses and not-for-profit organizations, individuals and machines. Essentially, financial networks exist to move printed currency and financial instruments, as well as digital equivalents, between those nodes. Forbes, March 10, 2014

ISSA-LA

ISSA-LA Sixth Annual Information Security Summit on Cybercrime Solutions: Cybersecurity Expert Richard A. Clarke and Los Angeles County District Attorney Jackie Lacey to Keynote as well as other numerous prominent information security experts and representatives from law enforcement. PRWeb, March 12, 2014

Tevora to Sponsor the Sixth Annual ISSA Los Angeles Security Summit: Tevora is proud to announce its silver sponsorship of the Sixth Annual ISSA Los Angeles Security Summit at the Universal City Hilton, on Friday, May 16, 2014 from 7:30 am to 6:00 pm. The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members. The Information Security Summit is the most renowned event hosted by the local ISSA chapter. For more information please visit: http://www.issala.org/Tevora, February 12, 2014

National Cyber Security

Feinstein: CIA searched Intelligence Committee computers: A behind-the-scenes battle between the CIA and Congress erupted in public Tuesday as the head of the Senate Intelligence Committee accused the agency of breaking laws and breaching constitutional principles in an alleged effort to undermine the panel’s multi-year investigation of a controversial interrogation program. The Washington Post, March 11, 2014

NSA misguided, Edward Snowden says: WASHINGTON — America’s spy agencies are so focused on ‘‘mass surveillance’’ that they have missed clues about terrorism, such as last year’s Boston Marathon bombing and an attempted attack on a jetliner on Christmas in 2009, former intelligence contractor Edward Snowden said Monday. Boston Globe, March 11, 2014

‘What does ISP mean?’ – how government officials are flunking security challenges: Policy on national security and protection is in the hands of people without critical technological understanding, warns cybersecurity expert. The Guardian, March 8, 2014

Cyber Underworld

McAfee warns of ‘Cybercrime-as-a-Service’ as hackers settle in the ‘Dark Web’: Cybercriminals are settling into a comfortable place in the “Dark Web” where they test, refine and distribute malware for online thievery. RawStory, March 10, 2014

New crimeware tool Dendroid makes it easier to create Android malware, researchers warn: A new commercial tool designed to allow cybercriminals to easily transform legitimate Android applications into malicious software has hit the underground market, paving the way for cheap and easy development of sophisticated Android malware. PC World, March 6, 2014

Chinese Government Hacking, One Year Later: A year after first issuing his landmark report titled, ‘APT1: Exposing One of China’s Cyber Espionage Units’, Kevin Mandia gave an update on the report’s aftermath. eSecurity Planet, March 3, 2014

Cyber Misc

Hackers Hit Mt. Gox Exchange’s CEO, Claim To Publish Evidence Of Fraud: The Bitcoin community has been angrily pressing for details on what the Bitcoin exchange Mt. Gox has described as a massive hacker attack that stole hundreds of millions of dollars worth of its users’ bitcoins and left the company bankrupt. Mt. Gox’s staff isn’t talking. So another group of hackers say they’ve broken into the company’s servers to provide answers of their own. Forbes, March 9, 2014

Stop Glorifying Hackers: I WAS at the Museum of Modern Art in New York not long ago, soaking in Edward Hopper’s retro downer mystique, when I got a call that opened up brave new all-night-diners of doom and gloom. The New York Times, March 8, 2014

Cyber Calander

ISSA-LA Sixth Annual Information Security Summit, May 16, Universal City Hilton. Speakers include Richard Clarke, former Assistant to the President; Jackie Lacey, Los Angeles County District Attorney; Roland Cloutier, CSO of ADP. For more information and to register, visit ISSA-LA.


Copyright © 2014 Citadel Information Group. All rights reserved.

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.  The post Cyber Security News of the Week, March 16, 2014 appeared first on Citadel Information Group.

Read More | No Comments »

by Fred F. Farkel, Monday, March 10th, 2014

 

Guest column by Citadel Information Group

Weekend Vulnerability and Patch Report

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Important Security Updates

D-Link DIR-100 Wired Router: D-Link has released a firmware update for its DIR-100 wired router to fix 4 vulnerabilities. Update to firmware version 4.03B13. Updates can be found on D-Link’s website.

Dropbox: Dropbox has released version 2.6.2 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel's warning below]

Google Chrome: Google has released version 33.0.1750.146 of Chrome for Windows, Mac, Linux and Chrome Frame to fix 6 highly critical vulnerabilities in previous versions. Updates are available through the program.

Google Picasa: Google has released version 3.9 Build 137.114. Updates are available at the Picasa website.

Opera: Opera has released version 20.00 to fix moderately critical unpatched vulnerabilities in previous versions. Updates are available from within the browser or from Opera’s website.

Current Software Versions

Adobe Flash  12.0.0.70 [Windows 7: IE]

Adobe Flash  12.0.0.70 [Windows 7: Firefox, Mozilla]

Adobe Flash  12.0.0.70 [Windows 8: IE]

Adobe Flash  12.0.0.70 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.06

Dropbox 2.6.2 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 27.0.1

Google Chrome 33.0.1750.146

Internet Explorer 11.0.9600.16518 [Windows 7: IE]

Internet Explorer 11.0.9600.16384 [Windows 8: IE]

Java SE 7 Update 51 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

QuickTime 7.7.5

Safari 5.1.7

Safari 7.0.2 [Mac OS X]

Skype 6.14.0.104

Newly Announced Unpatched Vulnerabilities

None

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports that Cisco has released updates for its CVR 100W Wireless-N VPN Router, RV215W Wireless-N VPN Router, RV110W Wireless-N VPN Firewall,  2000 Series Wireless LAN Controller, 2100 Series Wireless LAN Controller, 2500 Series Wireless Controller, 4400 Series Wireless LAN Controller, 5500 Series Wireless Controller, Catalyst 6500 Series Wireless Service Module (WiSM), Wireless LAN Controller (WLC 4.x, 5.x, 6.x, 7.x), and others. Apply updates.

Citrix Net Scaler / NetScaler VPX: Secunia reports that Citrix has released updates for its NetScaler and NetScaler VPX to fix at least 8 vulnerabilities. Update to version 10.1-118.7, 10.0-77.5, or 9.3-64.4.

Citrix NetScaler SDX: Secunia reports that Citrix has relased updates for its NetScaler SDX to fix an error within the Service VM Virtual Machine Daemon reported in previous versions. Update to version 10.0-77.5 or 9.3-64.4.

SonicWALL Network Security Appliance (NSA) 2400: SonicWALL has released updates for its Network Security Applicance (NSA) 2400 Series to fix a vulnerability. Update to a fixed version.


If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.

 

Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community


Copyright © 2014 Citadel Information Group. All rights reserved.

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you. The post Weekend Vulnerability and Patch Report, March 9, 2014 appeared first on Citadel Information Group.

Read More | No Comments »

by Fred F. Farkel, Monday, March 10th, 2014

 

Guest column by Citadel Information Group

Cyber Crime

Personal data on L.A. County medical patients stolen from contractor: As many as 168,500 patients of Los Angeles County medical facilities may have had their data stolen in a break-in at a county contractor’s office last month, county officials said Thursday. The Los Angeles Times, March 6, 2014

Sally Beauty Hit By Credit Card Breach: Nationwide beauty products chain Sally Beauty appears to be the latest victim of a breach targeting their payment systems in stores, according to both sources in the banking industry and new raw data from underground cybercrime shops that traffic in stolen credit and debit cards. KrebsOnSecurity, March 5, 2014

Thieves Jam Up Smucker’s, Card Processor: Jam and jelly maker Smucker’s last week shuttered its online store, notifying visitors that the site was being retooled because of a security breach that jeopardized customers’ credit card data. Closer examination of the attack suggests that the company was but one of several dozen firms — including at least one credit card processor — hacked last year by the same criminal gang that infiltrated some of the world’s biggest data brokers. KrebsOnSecurity, March 4, 2014

Cybercrime hits financial firms hardest: survey: (Reuters) – Cybercrime is the second most common type of fraud reported by financial firms, more than double the level across other industries, as criminals turn increasingly to technology as their main weapon against banks, a survey showed. Reuters, March 3, 2014

Detroit Reveals Malware Targeted City Employees: Detroit revealed details of a recent computer security breach Monday that affected files containing personal information for a large number of city employees. CBS Detroit, March 3, 2014

Breach Blind Spot Puts Retailers on Defensive: In response to rumors in the financial industry that Sears may be the latest retailer hit by hackers, the company said today it has no indications that it has been breached. Although the Sears investigation is ongoing, experts say there is a good chance the identification of Sears as a victim is a false alarm caused by a common weaknesses in banks’ anti-fraud systems that becomes apparent mainly in the wake of massive breaches like the one at Target late last year. KrebsOnSecurity, February 28, 2014

Cyber Attack

Meetup.com fights off hackers, refuses to pay $300 ransom: TORONTO (Reuters) – Social networking website Meetup.com is fighting a sustained battle against cyber-criminals who are demanding $300 to call off an attack that has kept the site offline for much of the past four days. Chicago Tribune, March 3, 2014

Identity Theft

After Debit Card Fraud, a Chicago Bank Feels Its Customers’ Frustration: People should no longer use debit or credit cards in Chicago taxicabs. Bank of America should shut off the card-swiping terminals in the back of those cabs. And MasterCard ought to learn to share more information with its customers. The New York Times, March 7, 2014

Illinois Bank: Use Cash for Chicago Taxis: First American Bank in Illinois is urging residents and tourists alike to avoid paying for cab rides in Chicago with credit or debit cards, warning that an ongoing data breach seems to be connected with card processing systems used by a large number of taxis in the Windy City. KrebsOnSecurity, March 3, 2014

Financial Fraud

BMO customer’s account emptied of $87K as bank falls for scam: The Bank of Montreal has reimbursed one of its customers following a CBC Go Public story about how the bank wired $87,555 of his inheritance money into the hands of a scammer. CBC, March 3, 2014

Cyber Warning

95% of bank ATMs face end of security support: Banks everywhere are in a race against time to upgrade their ATMs before they become hot targets for hackers. CNN, March 4, 2014

INDIAN HACKERS POSE AS NETFLIX TECH SUPPORT, AIM TO STEAL FILES, IDENTITY: Malwarebytes, an Internet security firm and developer of anti-malware software, told a story about an attempt on the part of some hackers based in India to pose as Netflix tech support in an effort to steal the poster’s data and identity. Malwarebytes detailed the incident via an official blog post. DigitalTrends, March 3, 2014

Hackers hijack 300,000-plus wireless routers, make malicious changes: Researchers said they have uncovered yet another mass compromise of home and small-office wireless routers, this one being used to make malicious configuration changes to more than 300,000 devices made by D-Link, Micronet, Tenda, TP-Link, and others. ars technica, March 3, 2014

FireEye names malware’s favorite targets, sources: Malware activity has become so pervasive globally that attack servers communicating with Malware are now hosted in 206 countries and territories. PC World, March 2, 2014

Mobile Malware Evolution: Three Infection Attempts Per User In 2013: Nearly 145,000 new malicious programs for mobile devices were detected in 2013. DarkReading, February 28, 2014

New Scam Tricks Caller ID to Show Real Tech Support Phone Numbers: Tech bloggers are warning about a scam that tricks a phone’s caller ID to display a real Verizon Wireless tech support number, duping people into providing personal information to fraudsters. Yahoo News, February 28, 2014

Cyber Security Management

Target CIO resigns following breach: The retailer announces the resignation after data breaches affecting up to 110 million people. CSO, March 5, 2014

Top Tech Internships Pay Big Bucks: How much were you paid when you were an intern? If your college internships were anything like mine, you were paid in experience, not dollars. Enterprise Efficiency, March 3, 2014

Daily Report: Lax Data Security a Problem for Many Start-Ups: While signing up users and raising money are big priorities for young technology companies, data security is often much further down the to-do list, Jenna Wortham and Nicole Perlroth report. The New York Times, March 3, 2014

Cyber Security Management – Cyber Update

CISCO PATCHES AUTHENTICATION FLAW IN WIRELESS ROUTERS: There’s a serious security flaw in some of Cisco’s wireless routers that could allow a remote attacker to take complete control of the router. The bug is in a number of the Cisco small business routers, as well as a wireless VPN firewall. ThreatPost, March 6, 2014

Users Refuse to Chuck XP As Windows 8 Uptake Flattens: For the second month in a row, Windows XP and Windows 8 defied their maker’s wishes, as XP, which Microsoft just wants to go away, gained user share, and Windows 8, the OS Microsoft hopes will fuel sales of new devices, flatlined in February, an analytics firm reported. CIO, March 3, 2014

ISSA-LA

Cybersecurity Expert Richard A. Clarke and LA County District Attorney Jackie Lacey to Speak at ISSA-LA Sixth Annual Information Security Summit on Cybercrime: Former White House cybersecurity czar Richard A. Clarke and Los Angeles County District Attorney Jackie Lacey are among a roster of prominent speakers at the Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) Sixth Annual Information Security Summit on May 16, 2014 at Hilton Universal City Hotel in Los Angeles. The theme of the Summit—The Growing Cyber Threat: Protect Your Business—reflects the reality that cybercrime impacts the financial health of all our organizations: businesses, not-for-profits, government agencies, schools and others. PRWeb, March 5, 2014

National Cyber Security

N.S.A. Director Says Snowden Leaks Hamper Efforts Against Cyberattacks: WASHINGTON — Gen. Keith B. Alexander, the director of the National Security Agency, said Tuesday that the leaks by the former agency contractor Edward J. Snowden had slowed the effort to protect the country against cyberattacks on Wall Street and other civilian targets. The New York Times, March 4, 2014

Cyber Law

California Court Rules it is Okay for Drivers to Check Mobile Maps: IDG News Service (Bangalore Bureau) — An appeals court in California ruled that it is legal for a person to hold his phone to look at a map application while driving, though he is prohibited from “listening and talking” on the phone unless it is used in a hands-free mode. CIO, February 28, 2014

Cyber Misc

Nearly 150 Breeds Of Bitcoin-Stealing Malware In The Wild, Researchers Say: With a potentially massive hack of the Mt. Gox exchange still unfolding, it’s no secret that cybercriminals see a gold mine in cryptocurrencies. But a new study by security researchers shows just how quickly the cottage industry in Bitcoin theft is evolving: Nearly 150 types of malware are actively stealing bitcoins, more than a hundred of which were created in just the last year. Forbes, February 26, 2014

Cyber Calander

Business and Personal Guide to Staying Safe in Cyber-Space: Join me, Toni Patillo, along with Dr. Stan Stahl, president of the Information Systems Security Association, Los Angeles Chapter, as he speak about cyber security – arguably the greatest challenges of the Internet age. Lunch N Learn, Event Date: March 12, 2014

ISSA-LA Sixth Annual Information Security Summit, May 16, Universal City Hilton. Speakers include Richard Clarke, former Assistant to the President; Jackie Lacey, Los Angeles County District Attorney; Roland Cloutier, CSO of ADP. For more information and to register, visit ISSA-LA.


Copyright © 2014 Citadel Information Group. All rights reserved.

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.  The post Cyber Security News of the Week, March 9, 2014 appeared first on Citadel Information Group.

Read More | No Comments »

by Fred F. Farkel, Wednesday, March 5th, 2014

 

Guest column by Citadel Information Group

Weekend Vulnerability and Patch Report

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Important Security Updates

Apple iOS Multiple Devices: Apple has released updates for its iOS to fix a vulnerability in the iPhone 3GS and later, iPod touch, iPhone 4 and later,  and iPad. Updates are available through the device or Apple’s website.

Apple iTunes: Apple has released version 11.1.5 for iTunes. Updates are available through the program or from Apple’s website.

Apple Safari: Apple has released updates to Safari to fix at least 4 highly critical vulnerabilities reported in versions prior to 6.1.2 and 7.0.2. Updates are available through the program or from Apple’s website.

Apple OS X: Apple has released updates for OS X to fix at least 22 vulnerabilities, some of which are highly critical. Update to version 10.9.2 or apply Security Update 2014-001. Updates are available through Apple’s website.

Apple QuickTime: Apple has released version 7.7.5 of QuickTime to fix vulnerabilities.  Updates are available from within the program or Apple’s website.

Apple TV: Apple has released version 6.0.2 for Apple TV to fix a vulnerability. Updates are available from within the program or Apple’s website.

Google Chrome: Google has released version 33.0.1750.124 of Chrome for Windows, Mac, Linux and Chrome Frame to fix highly critical unpatched vulnerabilities in previous versions. Updates are available through the program.

Piriform CCleaner: Piriform has released version 4.11.4619 for CCleaner. Download is available from Piriform’s website.

Siber Systems RoboForm: Siber Systems has released version 7.9.5 of Roboform. Updates are available from within the program, look for the “Check New Version” button on the Options menu or download from the Roboform website.

Current Software Versions

Adobe Flash  12.0.0.70 [Windows 7: IE]

Adobe Flash  12.0.0.70 [Windows 7: Firefox, Mozilla]

Adobe Flash  12.0.0.70 [Windows 8: IE]

Adobe Flash  12.0.0.70 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.06

Dropbox 2.6.13 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 27.0.1

Google Chrome 33.0.1750.124

Internet Explorer 11.0.9600.16518 [Windows 7: IE]

Internet Explorer 11.0.9600.16384 [Windows 8: IE]

Java SE 7 Update 51 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

QuickTime 7.7.5

Safari 5.1.7

Safari 7.0.2 [Mac OS X]

Skype 6.14.0.104

Newly Announced Unpatched Vulnerabilities

Linksys E-Series Wireless Router: Secunia reports unpatched highly critical vulnerabilities in  Linksys’ E-Series Routers including E4200, EA3500, EA2700, and EA4500. Other versions may also be affected. No official solution is currently available.

Linksys WRT120N Wireless Router: Secunia reports a moderately critical unpatched vulnerability in  Linksys’ WRT120N Wireless Router reported in firmware version 1.0.07. Other versions may also be affected. No official solution is currently available.

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.


If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.

 

Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community


Copyright © 2014 Citadel Information Group. All rights reserved.

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you. The post Weekend Vulnerability and Patch Report, March 2, 2014 appeared first on Citadel Information Group.

Read More | No Comments »

by Fred F. Farkel, Wednesday, March 5th, 2014

 

Guest column by Citadel Information Group

Cyber Crime

360 million newly stolen credentials on black market: cybersecurity firm: (Reuters) – A cybersecurity firm said on Tuesday that it uncovered stolen credentials from some 360 million accounts that are available for sale on cyber black markets, though it is unsure where they came from or what they can be used to access. Reuters, February 25, 2014

Bitcoin Exchange Mt. Gox Goes Offline Amid Allegations of $350 Million Hack: Bitcoin Exchange Mt. Gox Goes Offline Amid Allegations of $350 Million Hack. Wired, February 24, 2014

Embassy Suites Acknowledges Data Breach: Credit card information was illegally obtained ‘with a manual device,’ according to the hotel. eSecurity Planet, February 12, 2014

Bank of the West has data breach in online job-application system: Bank of the West job applicants are scrambling for answers regarding a recent data breach that may have involved stolen personal information such as Social Security and driver’s-license numbers. The Denver Post, February 11, 2014

Cyber Privacy

British Spies Said to Intercept Yahoo Webcam Images: SAN FRANCISCO — A British intelligence agency collected video webcam images — many of them sexually explicit — from millions of Yahoo users, regardless of whether they were suspected of illegal activity, according to accounts of documents leaked by Edward J. Snowden. The New York Times, February 27, 2014

Bush cyberczar: NSA created ‘the potential for a police state’: Richard Clarke, the former cyber advisor under President George W. Bush had some harsh words for the United States National Security Agency during an address in California on Monday: “get out of the business of fucking with encryption standards.” RT, February 25, 2014

Identity Theft – HIPAA

The Rise of Medical Identity Theft: If modern technology has ushered in a plague of identity theft, one particular strain of the disease has emerged as most virulent: medical identity theft. Government Technology, February 10, 2014

Cyber Warning

Apple retires Snow Leopard from support, leaves 1 in 5 Macs vulnerable to attacks: Apple on Tuesday made it clear that it will no longer patch OS X 10.6, aka Snow Leopard, when it again declined to offer a security update for the four-and-a-half-year-old operating system. ComputerWorld, February 26, 2014

iOS 7: Even if you don’t jailbreak your iPhone, bugs STILL CREEP IN: The comforting notion that unmodified iOS phones are more or less immune to security threats has been shaken to the core with the release of new research that shows mobile monitoring applications can bypass Apple’s app review process and successfully exploit non-jailbroken iOS 7 kit. The Register, February 25, 2014

IRS Releases the “Dirty Dozen” Tax Scams for 2014; Identity Theft, Phone Scams Lead List: The Internal Revenue Service today issued its annual “Dirty Dozen” list of tax scams, reminding taxpayers to use caution during tax season to protect themselves against a wide range of schemes ranging from identity theft to return preparer fraud. IRS, February 19, 2014

Cyber Security Management

How Well Do We Really Understand Information Security?: Information security is very important, but most people think they know it and that’s half the problem. Wall Street & Technology, February 21, 2014

Cyber Security Management – Cyber Update

OS X 10.9.2 arrives to fix SSL vulnerability, Mail problems, and more: What do fixes for critical security vulnerabilities, improvements to mail delivery, and new FaceTime features have in common? Well, they’re all in OS X 10.9.2, which arrived on Tuesday. It’s available in the Updates tab of the Mac App Store, and even if you’re among those who usually take a wait-and-see approach to system updates, this particular release is worth an expedient installation. MacWorld, February 25, 2014

iOS Update Quashes Dangerous SSL Bug: Apple on Friday released a software update to fix a serious security weakness in its iOS mobile operating system that allows attackers to read and modify encrypted communications on iPhones, iPads and other iOS devices. The company says it is working to produce a patch for the same flaw in desktop and laptop computers powered by its OS X operating system. KrebsOnSecurity, February 23, 2014

Cyber Security Management – Cyber Defense

Apple’s SSL iPhone vulnerability: how did it happen, and what next?: SSL vulnerability in iPhone, iPad and on Mac OS X appeared in September 2012 – but cause remains mysterious as former staffer calls lack of testing ‘shameful’. The Guardian, February 25, 2014

Neiman Marcus Hackers Set Off 60,000 Alerts While Bagging Credit Card Data: The hackers who raided the credit-card payment system of Neiman Marcus Group set off alerts on the company’s security systems about 60,000 times as they slunk through the network, according to an internal company investigation. BusinessWeek, February 21, 2014

National Cyber Security

Syria War Stirs New U.S. Debate on Cyberattacks: WASHINGTON — Not long after the uprising in Syria turned bloody, late in the spring of 2011, the Pentagon and the National Security Agency developed a battle plan that featured a sophisticated cyberattack on the Syrian military and President Bashar al-Assad’s command structure. The New York Times, February 24, 2014

Cyber Misc

Card Backlog Extends Pain from Target Breach: Last week’s story about steeply falling prices on credit and debit card data stolen from Target mentioned several reasons why many banks may not have already reissued all of their cards impacted by the breach. But it left out one other key reason: A huge backlog of orders at companies that manufacture credit and debit cards on behalf of financial institutions. KrebsOnSecurity, February 25, 2014

Comment: RSA Conference 2014 – Information Security’s Civil War Takes Center Stage: Brian Honan, security consultant and RSA Conference presenter, explains why he has chosen to remain on the event’s speaking roster despite the withdrawal of some peers. InfoSecurity, February 24, 2014

The anti-RSA conference: More security, less NSA: TrustyCon sets up shop across from the RSA Conference, with hopes of opening a debate on the state of security. InfoWorld, February 21, 2014

Cyber-Calendar

ISSA-LA Sixth Annual Information Security Summit, May 16, Universal City Hilton. Speakers include Richard Clarke, former Assistant to the President; Jackie Lacey, Los Angeles County District Attorney; Roland Cloutier, CSO of ADP. For more information and to register, visit ISSA-LA.


Copyright © 2014 Citadel Information Group. All rights reserved.

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you. The post Cyber Security News of the Week, March 2, 2014 appeared first on Citadel Information Group.

Read More | No Comments »

by Fred F. Farkel, Tuesday, February 25th, 2014

 

Guest column by Citadel Information Group

Weekend Vulnerability and Patch Report

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Important Security Updates

Adobe Flash Player: Adobe has released version 12.0.0.70 for its Flash Player to fix an extremely critical vulnerability. Updates are available through the program or from Adobe’s Flash Web Site. Updates are also available for Adobe AIR.

Adobe Shockwave Player: Adobe has released version 12.0.9.149 to fix two highly critical vulnerabilities reported in previous versions of Shockwave Player running on Windows and Macintosh. Updates are available through the program or from Adobe’s Shockwave Web Site.

Apple iOS Multiple Devices: Apple has released updates for its iOS to fix a critical vulnerability in the iPhone 3GS, iPod touch 4th generation, iPhone 4, iPod touch 5th generation, iPad 2 and later, Apple TV 2nd generation and later. Updates are available through the device or Apple’s website.

Dropbox: Dropbox has released version 2.6.13 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel's warning below]

Foxit Reader: Foxit has released version 6.1.4 to fix a moderately critical vulnerability. Updates are available through the program or from Foxit’s website.

Google Chrome: Google has released version 33.0.1750.117 of Chrome for Windows, Mac, Linux and Chrome Frame to fix highly critical unpatched vulnerabilities in previous versions. Updates are available through the program.

Microsoft Internet Explorer: Microsoft has released an update to versions 9 and 10 of Internet Explorer to fix an extremely critical vulnerability. Updates are available through Windows Updates in the Control Panel. US-CERT recommends upgrading to Internet Explorer 11.

Microsoft Windows: Microsoft has released an update to several versions of Windows, including Windows 8, 8.1 and Server 2012, to fix a highly critical vulnerability caused by the bundling of Adobe Flash Player within Internet Explorer. Updates are available through Windows Updates in the Control Panel.

Siber Systems RoboForm: Siber Systems has released version 7.9.2 of Roboform. Updates are available from within the program, look for the “Check New Version” button on the Options menu or download from the Roboform website.

Skype: Skype has released Skype 6.14.0.104. Updates are available from the program.

Current Software Versions

Adobe Flash  12.0.0.70 [Windows 7: IE]

Adobe Flash  12.0.0.70 [Windows 7: Firefox, Mozilla]

Adobe Flash  12.0.0.70 [Windows 8: IE]

Adobe Flash  12.0.0.70 [Macintosh OS X: Firefox, Opera, Safari]

Adobe Reader 11.0.06

Dropbox 2.6.13 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]

Firefox 27.0.1

Google Chrome 33.0.1750.117

Internet Explorer 11.0.9600.16518 [Windows 7: IE]

Internet Explorer 11.0.9600.16384 [Windows 8: IE]

Java SE 7 Update 51 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

QuickTime 7.7.4

Safari 5.1.7

Safari 7.0.1 [Mac OS X]

Skype 6.14.0.104

Newly Announced Unpatched Vulnerabilities

Netgear D6300B: Secunia reports moderately critical security issues in firmware versions 1.0.0.06 and 1.0.0.14. Other versions may also be affected. No official solution is currently available.

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports that Cisco has released updates for its Unified Communications Manager, Intrusion Prevention Software (IPS), Adaptive Security Appliance (ASA), Unified SIP Phone 3905, Unified Computing System (UCS), Firewall Services Module (FWSM), Email Security Appliance, Videoscape Distribution Suite Transparent Caching (VDS-TC) and others. Apply updates.

Citrix ShareFile for Android: Secunia reports that Citrix has released an update to fix a security issue reported in previous versions of Citrix ShareFile Mobile Application for Android and Citrix ShareFile Mobile for Tablets Application for Android. Update to version 2.4.4.

Symantec Endpoint Protection Manager: Secunia reports that Symantec has released updates for its Endpoint Protection Manager to fix a vulnerability in versions prior to 11.0.7405.1424 and 12.1.4023.4080. Update to a fixed version.


If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.

 

Citadel Information Group publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community


Copyright © 2014 Citadel Information Group. All rights reserved.

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you. The post Weekend Vulnerability and Patch Report, February 23, 2014 appeared first on Citadel Information Group.

Read More | No Comments »