Tuesday, September 02, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of September 1, 2014



Cyber Security News of the Week

From our friends at Citadel Information Group


Cyber Crime

JPMorgan Hackers Came In the Front Door — in June. Two Months of Mayhem: Hackers burrowed into the databanks of JPMorgan Chase & Co. and deftly dodged one of the world’s largest arrays of sophisticated detection systems for months. Bloomberg, August 29, 2014
JPMorgan and Other Banks Struck by Hackers: A number of United States banks, including JPMorgan Chase and at least four others, were struck by hackers in a series of coordinated attacks this month, according to four people briefed on a continuing investigation into the crimes. The New York Times, August 27, 2014
DQ Breach? HQ Says No, But Would it Know?: Sources in the financial industry say they’re seeing signs that Dairy Queen may be the latest retail chain to be victimized by cybercrooks bent on stealing credit and debit card data. Dairy Queen says it has no indication of a card breach at any of its thousands of locations, but the company also acknowledges that nearly all stores are franchises and that there is no established company process or requirement that franchisees communicate security issues or card breaches to Dairy Queen headquarters. KrebsOnSecurity, August 26, 2014

Cyber Attack

FBI-Hunted Hacking Group Continues Attacks, Targets Twitch: Despite tweeting out a bomb threat to ground a Sony executive’s flight this Sunday and landing themselves on the radar of the FBI, hacking group “Lizard Squad” remains unmolested and continues to orchestrate attacks on various gaming services. Forbes, August 27, 2014

Financial Cyber Security

The Cyber-Terror Bank Bailout: They’re Already Talking About It, and You May Be on the Hook: Bankers and U.S. officials have warned that cyber-terrorists will try to wreck the financial system’s computer networks. What they aren’t saying publicly is that taxpayers will probably have to cover much of the damage. Bloomberg, August 30, 2014

Cyber Threat

BACKOFF SINKHOLE REVEALS SORRY POINT-OF-SALE SECURITY: Kaspersky Lab researchers say that a recent analysis of two Backoff malware command and control servers paints “a very bleak picture of the state of point-of-sale security.” ThreatPost, August 29, 2014

Cyber Security Management

People, Process, Technology: How Good Information Security Can Grow Your Business: Companies must strike a balance between being able to share information and protect it, in order to support business growth. BAE Systems’ Malcolm Carrie explains where the answer lies… InfoSecurity Magazine, August 29, 2014
From IT Security to Information Security — How Technology Is Not The Greatest Challenge in Protecting Your Information Online: Michael Rothery, First Assistant Secretary for National Security Resilience Policy at the Attorney-General’s Department, says that in order to deliver effective security and risk management the key question is “Who owns the risk?”. CSO, August 27, 2014

Securing the Village

It Does Matter That The White House Cybersecurity Czar Lacks Technical Chops: Michael Daniel, the White House cybersecurity coordinator or “cyber czar”, recently commented that being a coder or “being too down in the weeds at the technical level could actually be a little bit of a distraction.” This statement raised concerns in the cybersecurity community, and a quick examination of his background elevated those concerns. Mr. Daniel has never been involved with cybersecurity before; he has a strong background in policy and budgeting but nothing in even the basics of cybersecurity. This may seem to be a problem only for the government cybersecurity community, but it has farther-reaching impacts. Forbes, August 25, 2014

Critical Infrastructure

Green Lights Forever: Analyzing the Security of Traffic Infrastructure: The safety critical nature of traffic infrastructure requires that it be secure against computer-based attacks, but this is not always the case. We investigate a networked traffic signal system currently deployed in the United States and discover a number of security flaws that exist due to systemic failures by the designers. USENIX Workshop on Offensive Technologies, August 2014



Weekend Vulnerability and Patch Report, August 31, 2014


Important Security Updates

AVG Free Edition: AVG has released version 2014.0.4765 of its 32 bit Free Edition. Updates are available on AVG’s website.
Evernote: Evernote has released version 5.6.4.4632. Updates are available on Evernote’s website.
Google Chrome: Google has released Google Chrome version 37.0.2062.102 for Windows, Mac, and Linux to fix at least 10 highly critical vulnerabilities reported in previous versions. Updates are available from within the browser or from Google Chrome’s website.
Lavasoft Ad_Aware Free Edition: Lavasoft has released version 11.3.6321.0 of its free Ad_Aware edition. Updates are available on Lavasoft’s website.
Mozy Free Edition: Mozy has released version 2.26.7. Updates are available on Mozy’s website.
Piriform CCleaner: Piriform has released version 4.17.4808 for CCleaner. Updates are available from Piriform’s website.
TechSmith Corporation SnagIt: TechSmith has released version 12.2.0.1656 for SnagIt. Updates are available from TechSmith’s website.

Current Software Versions

Adobe Flash  14.0.0.176 [Windows 7: IE]
Adobe Flash  14.0.0.179 [Windows 7: Firefox, Mozilla]
Adobe Flash  14.0.0.176 [Windows 8: IE]
Adobe Flash  14.0.0.176 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.08
Dropbox 2.10.28 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 31.0
Google Chrome 36.0.1985.143
Internet Explorer 11.0.9600.17126
Java SE 7 Update 67 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7 
Safari 7.0.4 [Mac OS X]
Skype 6.18.0.106

Newly Announced Unpatched Vulnerabilities

None
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports several unpatched vulnerabilities, some of which are moderately critical, for IOS XR, Quantum Policy Suite, Transport Gateway for Smart Call Home and others. No official solution is currently available.
Citrix CloudPlatform: Secunia reports Citrix has released updates for CloudPlatform to fix a moderately critical vulnerability reported in versions prior to 4.2.1.3 and 3.0.7 Patch D. Update to a fixed version.
Novell File Reporter: Secunia reports Novell has released updates for File Reporter to fix 5 moderately critical vulnerabilities reported in previous versions. Update to version 2.0.2.3.
Novell Kanaka for Mac: Secunia reports Novell has released updates for Kanaka for Mac to fix 5 moderately critical vulnerabilities reported in previous versions. Update to versions 2.7.1.3 or 2.8.0.2.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.

Thursday, August 28, 2014

My Personal ALS Challenge


It is awesome to see the outpouring of gifts to back ALS research.  This topic is near and dear to me as my mother and her brothers died from this horrible disease.  There has never been a time when this topic hasn't been on my mind.

Not enough is known about this disease but here’s some information my wife came up with that I’d like to share for anyone who wants to be more informed.

Forms of ALS

Three classifications of ALS have been described:
· Sporadic - the most common form of ALS in the United States - 90 to 95% of all cases.
· Familial - occurring more than once in a family lineage (genetic dominant inheritance) accounts for a very small number of cases in the United States - 5 to 10% of all cases.
· Guamanian - an extremely high incidence of ALS was observed in Guam and the Trust Territories of the Pacific in the 1950's.
The most common form of ALS in the United States is "sporadic" ALS. It may affect anyone, anywhere. "Familial" ALS (FALS) means the disease is inherited. Only about 5 to 10% of all ALS patients appear to have a genetic or inherited form of ALS. In those families, there is a 50% chance each offspring will inherit the gene mutation and may develop the disease.
There are several inheritance patterns, but the most common inheritance pattern for FALS is called autosomal dominant. Autosomal means that a female and a male are equally likely to inherit the gene mutation for FALS, because the gene is located on an autosome – a chromosome that both males and females share in common. Dominant means that a person needs only one copy of the gene to carry a mutation for FALS to have an increased risk for ALS. Someone who has FALS would have one copy of the gene with a mutation and one copy without. Therefore, a child born to someone who has FALS has a 50% chance to inherit the FALS gene mutation and, conversely, a 50% chance not to inherit it. This 1 in 2, or 50%, chance comes from the fact that parents randomly pass on only one member of their gene pair, so either the gene with the mutation or the gene without the mutation will be passed on. Even though parents often feel responsible for their children's health, they have no control over which gene they pass on, just as their own parents had no control over which gene they passed on to them. It is also important to remember that inheriting the gene for FALS in no way guarantees that a person will develop symptoms of ALS. Also, if a child does not inherit the gene mutation for ALS, they cannot pass it on to their children.

I’ve watched lots of water being dumped over people’s heads.  If this action brought ALS to a higher level of awareness, I’m all for it.  If this action caused people to donate to ALS research, I’m all for that too.

Although we’re in our rainy season in Colorado at the moment, we’ve experienced a decade or so of drought conditions across most of this state.  Seeing reservoirs in California and Oregon that were once full of water and are now not, I’m inclined to save my water.

I’ll just donate to the cause. 






Wednesday, August 27, 2014

Leadership or Technical Skills…Make a Choice


An Inbound Sales Lead!

A while back, my phone rang. On the other end was an IT Executive in a company that provides alarm services and remote video surveillance services.  It sounded as if the business was growing despite a significant challenge.  I was initially intrigued.

A Strategic Leader

The request from the IT Executive to me was for me to find a strategic leader for his company. At first, the words strategic and leader got me excited.  That’s precisely the kind of person I love to recruit.

As the conversation progressed, the IT Executive told me that the strategic leader he was seeking would oversee an operation in which employees watch multiple camera feeds on multiple monitors at their desks. 

So far, this conversation was going well and there was nothing about the conversation that I couldn't comprehend.  Then, the IT Executive told me that the strategic leader he wanted would have to possess deep experience with a particular video surveillance software package. 

Past Hires

My gut feeling about this conversation was beginning to change but I hung with it.  I asked for some information on the history of the open position.  The IT Executive explained that they’d hired the wrong person two times in a row.  This would be their third try.

They Couldn't Lead

I probed more deeply and found out that in both cases, they’d hired someone who had the right technical skills but where both incumbents came up short was in the realm of their strategic leadership skills.  They simply didn't have the ability to lead, the IT Executive told me.

The Wind Left My Sail

It was at this point that my interest level hit rock bottom.  I knew how to fix this problem but I was clearly communicating with someone who wanted to make the same mistake for the third time.  In baseball, three strikes equate to an out and the batter gets to take a seat on the bench.

Someone once said that repeating the same behavior over and over but expecting different results was the definition of insanity. Taking on an assignment that was built to fail wasn't and still isn't of any interest to me. 

Technical Subject Matter Expertise Does Not = Leadership

While people who have specific technology subject matter expertise can possess leadership abilities, it is highly unlikely that a search focused on specific technical skills will produce someone who has both the skills and the leadership abilities.

Management Does Not = Leadership. Both skills are important

What this IT Executive was really asking me for was a manager who possessed deep experience with a particular technical software package.  What I couldn't get past was this IT Executive’s inability to separate management from leadership.  If he hired a manager in the first place and set expectations for this person to be a great manager with his or her sleeves rolled up, the IT Executive might not have had two failed hires before he called on me.


Tuesday, August 26, 2014

Open Heart Surgery Update and a Few Personal Goals Crushed Along the Way


Anticipation

It’s just the end of August to most people.  A time when summer is winding down and kids return to school.  High in the Rocky Mountains in Colorado, we’re letting go of summer and embracing fall before it soon begins to snow. No, I’m not complaining...stay with me.

Open Heart Surgery

I have plenty of business, security recruiting, career coaching, resume writing and career development topics to share before this year ends but this particular August is significant for me. This August has been and continues to be part of my open heart surgery recovery timetable.  

If you’ve followed my Security Recruiter Blog or you’ve followed SecurityRecruiter.com on LinkedIn for any length of time, you’ll know that I recently went through an open heart surgery to repair a genetic problem in my heart.

Whether a person is in great shape or lousy shape, open heart surgery is similar to being run over by a fully loaded mile-long train.  That’s the only way I can describe the pain connected to the experience and I still have pain to this day.

I approached my surgery having skated over 200 hockey games in the past 4 years.  I’d just finished a 225,000 vertical foot, 500 mile ski season as well.  I asked for help from friends and colleagues to help me get through my recovery (still working on this). 

Setting Goals

A couple of weeks prior to my surgery, I met with my heart surgeon.  From that meeting, I picked up enough information to set goals.  

I set goals for walking, skating, playing hockey and mountain biking.  Rather than facing my goals alone given that I had no idea what to expect after having my chest cut open and separated, I enlisted hiking, biking, skiing and hockey friends to help me with various parts of my recovery.  

I owe thanks to a number of people.

Accomplishments

I’m excited to say that prior to July 1, I got back on the ice to skate.  To my shock, after speaking with the heart surgeon’s office on Monday July 14, I was released to play hockey on Tuesday July 15.  This accomplishment came a full 1.5 months before I had planned to be back on the ice. I shocked my entire hockey team when I showed up in the locker room on 7.15.14.

In early August, I rolled the dice again and rode my mountain bike down the mountain at Park City Mountain Resort.  This accomplishment happened a full 1.5 months prior to when I had originally planned to be back on the mountain bike based on the plans on my white board.

Public Speaking

In June and again in August, I flew to Dallas and Las Vegas to participate in conferences as a Keynote Public Speaker.  I won’t tell you that either trip was easy but I got through both and I’ve been invited back by both organizations.  

The reward for this work is that as of last week, I’m scheduled to speak at least 8 more times in 2014 in September, October and November in Austin, Colorado Springs, San Antonio, Houston, Orlando, Phoenix, Northern New Jersey and Toronto.  If you live in any of these areas, please let me know so we can meet in person.  I'll share updates as each speaking opportunity gets closer.

Setbacks

Just so you know that I'm 100% human, I have had and continue to have setbacks.  It hasn't just been a forward-moving progression based on my goals and plans.  I just prefer not to focus on the setbacks because I've either overcome them or I'm currently working on overcoming them.

Crushed This One!

Over the weekend, one of my walking, skating, skiing, hiking, biking buddies talked me into getting on my mountain bike for a 12.11 mile ride at 9,000’.  This is a different ride than having your bike carried up a mountain on a ski lift and then just having to navigate the downhill portion on the bike.

For this kind of ride, you are powering the bike up and down hills for the full 12.11 miles. While the lake might be flat, the trail around the lake is anything but flat.  I won't lie to you.  This event hurt and this was the greatest physical challenge I've taken on since my surgery.

I made it through this entire loop around the reservoir after donating a little bit of blood to a slab of granite, having to fix a flat tire and having to borrow Eric’s last Power Bar to give me enough energy to complete the ride.

I didn't plan to be able to take on and complete this kind of ride until at least mid-September. 

Check that Accomplishment box! 

Persistence

As much as I didn't feel like doing it, my wife joined me this morning for a 2.1 mile walk before I got my business day started.  

There is truth to the statement: 

“No Pain, No Gain”

There is also truth to the statement that is engraved on my mountain bike handlebar stem:  

“All Work and No Play Is No Fun At All”

Coming Soon

It’s almost ski season in Colorado.  My next written goal is to get through my first ski day of the 2014-2015 season to include 12,000+ vertical feet of skiing and to still feel like I could do one more run when the day is done.  Stay tuned!

How Can I Help You?

I share this story with you to let you know that I'm human, I'm a goal setter, I know how to deal with adversity and I'm passionate about helping others to win.  I'm an executive recruiter, job coach, career coach and executive coach and I can help you get from wherever you are to where you want to be.  

 I'm ready to share my qualifications and experiences with you!


Monday, August 25, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of August 25, 2014


Cyber Security News of the Week

From our friends at Citadel Information Group


Cyber Crime

Hackers Compromise 51 UPS Stores Across the United States: A gang of cybercriminals from Eastern Europe, which is believed to be behind this year’s high profile breaches of Target, P.F. Chang’s, Neiman Marcus and other retailers has also compromised 51 UPS Stores across the United States. Mashable, August 21, 2014
Chinese Hackers Hit Community Health System: Hackers who broke into network hospital group Community Health Systems stole non-medical customer data including credit cards, says new report. InformationWeek, August 18, 2014
Community Health says data stolen in cyber attack from China: (Reuters) – Community Health Systems Inc (CYH.N), one of the biggest U.S. hospital groups, said on Monday it was the victim of a cyber attack from China, resulting in the theft of Social Security numbers and other personal data belonging to 4.5 million patients. Reuters, August 18, 2014
Hacked: Data breach in Star, Shaw and Jewel-Osco Stores: A massive data breach has been suffered by Jewel-Osco through which information of millions of customers may have been exposed. Wall Street OTC, August 17, 2014
Why So Many Card Breaches? A Q&A: The news wires today are buzzing with stories about another potentially major credit/debit card breach at yet another retail chain: This time, the apparent victim is AB Acquisition, which operates Albertsons stores under a number of brands, including ACME Markets, Jewel-Osco, Shaw’s and Star Markets. Today’s post includes no special insight into this particular retail breach, but rather seeks to offer answers to some common questions regarding why we keep hearing about them. KrebsOnSecurity, August 15, 2014

Cyber Privacy

As governments invade privacy, tools for encryption grow more popular: In the wake of Edward Snowden’s revelations about the NSA collecting massive amounts of user meta-data, many people went in search of safer, more secure ways to use the internet anonymously. Once thought to be something only used by the tech-savvy, increased interest in end-to-end e-mail encryption has prompted both Google and Yahoo to develop user-friendly versions of the protocol that would, in theory, make personal messages exceedingly difficult to intercept. PBS, August 22, 2014
New Search Engine Promises to Keep Your Data Private: Privacy-minded Internet users gained a new search option Tuesday with the debut of Private.me. US News and World Report, August 19, 2014
The Internet’s Original Sin: It’s not too late to ditch the ad-based business model and build a better web. The Atlantic, August 14, 2014
Foursquare Now Tracks Users Even When the App Is Closed: Hiding in Foursquare’s revamped mobile app is a feature some users might find creepy: It tracks your every movement, even when the app is closed. The Wall Street Journal, August 6, 2014
The Internet With a Human Face: Marc emailed me a few weeks ago to ask if I thought my talk would be appropriate to close the conference. “Marc,” I told him, “my talk is perfect for closing the conference! The first half is this incredibly dark rant about how the Internet is alienating and inhuman, how it’s turning us all into lonely monsters.” Maciej Cegłowski Lecture, May 2014

Financial Cyber Security

CRIDEX MALWARE TAKES LESSON FROM GAMEOVER ZEUS: The GameOver Zeus malware had a nice run for itself, making untold millions of dollars for its creators. But it was a run that ended with a multi-continent operation from law enforcement and security researchers to disassemble the infrastructure. Now researchers have identified a new variant of the Cridex malware that has adopted some of the techniques that made GOZ so successful in its day. ThreatPost, August 22, 2014

Cyber Threat

How Hackers Could Mess With 911 Systems and Put You at Risk: The female caller was frantic. Why, she asked 911 dispatchers, hadn’t paramedics arrived to her home? She’d already called once to say her husband was writhing on the floor in pain. “Hurry up!,” she’d pleaded, as she gave the operator her address. And then she hung up and waited for help to arrive, but it never did. By the time she called back, her husband had turned blue. “He’s dying!” she cried helplessly into the phone. Wired, August 21, 2014

Cyber Warning

US warns ‘significant number’ of major businesses hit by Backoff malware: Over a thousand major enterprise networks and small and medium businesses in the U.S. have been compromised by a recently discovered malware package called “Backoff” and are probably unaware of it, the U.S. Department of Homeland Security (DHS) said in a cybersecurity alert on Friday. PCWorld, August 22, 2014
JPMorgan Chase customers targeted in massive phishing campaign: Customers of JPMorgan Chase are the target of a massive multifaceted phishing campaign impacting mostly people in the U.S., according to security firm Proofpoint. SC Magazine, August 22, 2014
FBI warns healthcare firms they are targeted by hackers: (Reuters) – The FBI has warned that healthcare industry companies are being targeted by hackers, publicizing the issue following an attack on U.S. hospital group Community Health Systems Inc that resulted in the theft of millions of patient records. Reuters, August 20, 2014

Cyber Security Management

BlackHat 2014: Businesses Look to NIST Risk Management Framework in Bid to Improve Security Posture: The recently released Risk Management Framework from the National Institute of Standards and Technology outlines what organizations need to do to improve their information security posture against serious attacks. The roundtable discussion at Black Hat last week focused on the Framework’s elements, what some of the issues are, and how organizations can apply these guidelines to protect their networks and data. InfoSecurity, August 13, 2014
5 Ways Boards Could Tackle Cybersecurity: A new handbook from National Association of Corporate Directors, titled Cyber-Risk Oversight, offers five principles to guide boards of directors in helping their organizations address IT security threats. HealthCare Info Security, July 29, 2014
The 5 Biggest Cybersecurity Myths, Debunked: “A domain for the nerds.” That is how the Internet used to be viewed back in the early 1990s, until all the rest of us began to use and depend on it. But this quote is from a White House official earlier this year describing how cybersecurity is too often viewed today. And therein lies the problem, and the needed solution. Wired, July 2, 2014

Securing the Village

How to Save the Net: A CDC for Cybercrime: The Internet may be made up of software and hardware, but it is an ecosystem that depends on a key human value: trust. The networks and systems must be able to trust the information we are sending, and in turn we have to be able to trust the information we receive. Wired, August 19, 2014

Critical Infrastructure

Infographic: 70 Percent of World’s Critical Utilities Breached: New research from Unisys and Ponemon Institute finds alarming security gaps in worldwide ICS and SCADA systems within the last 12 months. DarkReading, August 15, 2014

Cyber Research

Technology Can Make Lawful Surveillance Both Open and Effective: With cryptography, surveillance processes could be open and preserve privacy without undermining their investigative power. MIT Technology Review, August 18, 2014

Cyber Misc

Worldwide Spending On Information Security To Surpass $70B By End Of 2014: Report: Worldwide spending on information security is estimated to reach $71.1 billion in 2014, representing an increase of 7.9 percent over 2013, as organizations adapt to the growing threat of cyber crime, according to a new report from Gartner. International Business Times, August 22, 2014
If a Self-Driving Car Gets in an Accident, Who—or What—Is Liable?: On first contact with the idea that robots should be extended legal personhood, it sounds crazy. The Atlantic, August 13, 2014


Weekend Vulnerability and Patch Report, August 24, 2014


Important Security Updates

AVG Free Edition: AVG has released version 2014.0.4745 of its 32 bit Free Edition. Updates are available on AVG’s website.
Avira Antivirus: Avira has released version 1.1.19.30000 of its free Antivirus. Updates are available from Avira’s website.
Foxit Reader: Foxit has released version 6.2.3.815 of its Reader. Updates are available through the program or from Foxit’s website.
Opera: Opera has released version 23.0.1522.77 to fix moderately critical vulnerabilities. Updates are available from within the browser or from Opera’s website.
Siber Systems RoboForm: Siber Systems has released version 7.9.9 of Roboform. Updates are available from within the program, look for the “Check New Version” button on the Options menu or download from the Roboform website.

Current Software Versions

Adobe Flash  14.0.0.176 [Windows 7: IE]
Adobe Flash  14.0.0.179 [Windows 7: Firefox, Mozilla]
Adobe Flash  14.0.0.176 [Windows 8: IE]
Adobe Flash  14.0.0.176 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.08
Dropbox 2.10.28 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 31.0
Google Chrome 36.0.1985.143
Internet Explorer 11.0.9600.17126
Java SE 7 Update 67 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7 
Safari 7.0.4 [Mac OS X]
Skype 6.18.0.106

Newly Announced Unpatched Vulnerabilities

None
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Packet Data Network Gateway: Secunia reports that Cisco has released updates for its Packet Data Network Gateway (PGW). Apply updates.
Copyright © 2014 Citadel Information Group. All rights reserved.


SecurityRecruiter.com's Security Recruiter Blog