Monday, December 15, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of December 15, 2014



CYBER SECURITY NEWS OF THE WEEK

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP


Cyber Crime

Online Ad Fraud Exposed: Advertisers Losing $6.3 Billion To $10 Billion Per Year: A new study conducted by the Association of National Advertisers (ANA) and the security firm White Ops tracked online ad traffic patterns for 36 major companies and discovered epic levels of abuse. DarkReading, December 9, 2014
Unencrypted Data Lets Thieves ‘Charge Anywhere’: Charge Anywhere LLC, a mobile payments provider, today disclosed that malicious software planted on its networks may have jeopardized credit card data from transactions the company handled between November 2009 and September 2014. KrebsOnSecurity, December 9, 2014
Sony Under Siege: Cyber Crisis Leaves Hollywood Reeling: Hollywood is reeling from the entertainment industry equivalent of WikiLeaks — leaving the entire town on high alert. Variety, December 9, 2014
Donors’ Data Breached But On Smaller Scales: The first thing that might come to mind when you hear the words data breach is the recent hacks of large corporations such as Home Depot, Chase and Target that possibly exposed millions of usernames, passwords and other records. Hacking a nonprofit isn’t likely to breach 76 million records as is estimated with Chase or yield a bounty of credit card information, but who knows the motivation of some people? TheNonProfitTimes, December 9, 2014
Hackers tell Sony to halt the release of The Interview: A new message has been posted on GitHub, purporting to be from the Sony hackers and offering a fresh batch of sensitive corporate data. The message threatens further consequences if the studio continues with its release of “the movie of terrorism,” believed to refer to The Interview, an upcoming comedy starring Seth Rogen and James Franco, which depicts the assassination of North Korean leader Kim Jong-un. It’s the most explicit reference to the film that the attackers have made so far, although many had previously linked the attacks to North Korean retaliation for the film’s release. TheVerge, December 8, 2014
Sony’s Breach Stretched From Thai Hotel to Hollywood: The computer hackers drilled into the network at the elegant St. Regis Bangkok that night and, with a keystroke, laid bare the secrets of Sony Pictures Entertainment. Bloomberg, December 7, 2014

Cyber Privacy

Sony Hackers Flash Disturbing New Warning on Staffers’ Computers (Exclusive): A group claiming to be the #GOP displayed the scary image on Thursday, an insider tells TheWrap. The Wrap, December 11, 2014
As More Documents Appear, Sony Seeks to Calm Nervous Employees: LOS ANGELES – As hackers made public more Sony Pictures Entertainment documents on Monday, Sony sought to calm its jittery employees, announcing in an internal memo that the F.B.I. would visit its Culver City, Calif., lot on Wednesday for security briefings. The New York Times, December 8, 2014
FBI confirms Sony Pictures employees threatened by hackers: Hackers threaten Sony Pictures employees and their families via email while the attack is linked to a hotel in Bangkok, Thailand. The Guardian, December 8, 2014

Financial Cyber Security

‘Poodle’ Bug Returns, Bites Big Bank Sites: Many of the nation’s top banks, investment firms and credit providers are vulnerable to a newly-discovered twist on a known security flaw that exposes Web site traffic to eavesdropping. The discovery has prompted renewed warnings from the U.S. Department of Homeland Security advising vulnerable Web site owners to address the flaw as quickly as possible. KrebsOnSecurity, December 11, 2014
Senate to Hold Hearing on Cyberattacks Against Finance: The Senate Banking Committee plans to hold a hearing next week on ways to “protect the financial sector” from cyberattacks, but for now there are no plans to have anyone from the financial services industry testify. The New York Times, December 5, 2014

Identity Theft

Toward a Breach Canary for Data Brokers: When a retailer’s credit card systems get breached by hackers, banks usually can tell which merchant got hacked soon after those card accounts become available for purchase at underground cybercrime shops. But when companies that collect and sell sensitive consumer data get hacked or are tricked into giving that information to identity thieves, there is no easy way to tell who leaked the data when it ends up for sale in the black market. In this post, we’ll examine one idea to hold consumer data brokers more accountable. KrebsOnSecurity, December 8, 2014

Cyber Warning

Android Malware Installs Pirated Assassin’s Creed App: A pirated version of the Assassin’s Creed application for Android is bundled with malware, according to security-as-a-service provider Zscaler. ThreatPost, December 12, 2014
Turla Trojan Unearthed on Linux: Turla, a hard-to-spot Trojan that has for years bedeviled Windows systems, has been discovered to have at least two Linux variants. Linux Turla maintains stealth without requiring elevated privileges while running arbitrary remote commands. The malware cannot be discovered using netstat, a command-line administrative tool, Kaspersky Lab said, and it uses techniques that don’t require root access. LinuxInsider, December 12, 2014
Two stealthy Linux malware samples uncovered, following in Windows variants’ tracks: Security researchers have uncovered two Linux variants of a complex piece of Windows malware, which is known to have previously targeted embassies, the military, and pharmaceutical companies. ZDNet, December 9, 2014

Cyber Security Management – Cyber Defense

The human factor a key challenge to information security, say experts: The lack of awareness and understanding of risks is one of the biggest challenges to information security, according to a panel of experts. ComputerWeekly, December 12, 2014
Sony Is Launching A Counterattack Against Its Hackers: Sony has launched a counterattack against people trying to download leaked files stolen from its servers after a massive hack. Business Insider, December 11, 2014
The Four Horsemen of Cyber Security in 2014: What too many of the year’s high-profile data breaches had in common. DarkReading, December 8, 2014

Cyber Security Management – Cyber Update

Microsoft, Adobe Push Critical Security Fixes: If you use Microsoft or Adobe software products, chances are that software is now dangerously out of date. Microsoft today released seven update bundles to fix two dozen security vulnerabilities in Windows and supported software. Adobe pushed patches to correct critical flaws in Acrobat, Reader and Flash Player, including a bug in Flash that already is being exploited. KrebsOnSecurity, December 9, 2014

Cyber Underworld

Here Are The FBI’s Most Wanted Cyber Criminals: As cybercrime becomes increasingly damaging, the FBI has kept a list of “Cyber’s Most Wanted.” Business Insider, December 8, 2014

Cyber Espionage

Digital Spies Target Diplomats’ iPhones, Androids And PCs With ‘Inception’ Malware: A range of politicians and diplomats have been targeted by stealthy hackers, who have been trying to thrust malware onto dignitaries’ iPhone and Android devices as well as PCs with varying degrees of success since this summer, according to security researchers. Forbes, December 10, 2014

National Cyber Security

Steptoe Cyberlaw Podcast, Episode #46: An Interview with Shane Harris: Our interview focuses on Shane Harris and his new book, @War: The Rise of the Military-Internet Complex. It’s a good read and a good book, marred by the occasional deployment of easy lefty tropes – government contractors are mercenaries, the military sees war as an opportunity to expand turf, cybersecurity is a threat to privacy, anonymity is all about rights, etc. But Harris is first and foremost a storyteller, and his zeal for the story is far more important to him than ideology. When he tells the story of the guys who used cybertactics to break al Qaeda in Iraq during the surge, or of the banks’ cyberbattle with Iran, he lets the reader decide who to root for. Lawfare, December 10, 2014

Critical Infrastructure

Exclusive: Iran hackers may target US energy, defense firms, FBI warns: (Reuters) – The Federal Bureau of Investigation has warned U.S. businesses to be on the alert for a sophisticated Iranian hacking operation whose targets include defense contractors, energy firms and educational institutions, according to a confidential agency document. AOL, December 12, 2014

Cyber Law

Rockefeller, Thune Statement on Passage of Commerce Cybersecurity Bill: WASHINGTON, D.C. – Senate Commerce, Science, and Transportation Committee Chairman John D. (Jay) Rockefeller IV (D-WV) and Ranking Member John Thune (R-SD) today applauded the passage of their bipartisan cyber legislation that will help strengthen and protect the nation’s economic and national security. The passage of the Rockefeller-Thune bill last night follows years of work to reach a bipartisan consensus on cybersecurity legislation. National Journal, December 12, 2014

Cyber Insurance

Cyber Security Practices Insurance Underwriters Demand: Insurance underwriters aren’t looking for companies impervious to risk. They want clients that understand the threat landscape and have demonstrated abilities to mitigate attacks. DarkReading, December 11, 2014

Cyber Misc

‘Security by Antiquity’ Bricks Payment Terminals: Last week, several thousand credit card payment terminals at various retailers across the country suddenly stopped working, their LCD displays showing blank screens instead of numbers and letters. Puzzled merchants began to worry that this was perhaps part of some sophisticated hacker attack on their cash registers. It turns out that the incident was indeed security-related, but for once it had nothing to do with cyber thieves. KrebsOnSecurity, December 12, 2014
Pirate Bay Has Been Raided and Taken Down: Here’s What We Know: The popular file-sharing service Pirate Bay was taken down today following a raid in Sweden by police who seized servers and computers. Wired, December 9, 2014


Weekend Vulnerability and Patch Report, December 15, 2014


Important Security Updates

Adobe Flash Player: Adobe has released version 16.0.0.235 to fix at least 6 extremely critical unpatched vulnerabilities reported in previous versions. Updates are available from Adobe’s website. Updates are also available for Acrobat.
Adobe Reader: Adobe has released version 11.0.10 to fix at least 8 highly critical vulnerabilities reported in previous versions. Updates are available through the program’s Help menu/Check for Updates or from Adobe’s website. Updates are also available for Adobe Acrobat.
Adobe Shockwave Player: Adobe has released version 12.1.5.155 of Shockwave Player running on Windows and Macintosh. Updates are available through the program or from Adobe’s Shockwave Web Site.
Dropbox: Dropbox has released version 3.0.3 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]
Google Chrome: Google has released Google Chrome version 39.0.2171.95. Updates are available from within the browser or from Google Chrome’s website.
Microsoft Internet Explorer: Microsoft has released updates for all versions of Internet Explorer to fix at least 14 highly critical vulnerabilities. Updates are available through the program or from Microsoft’s website.
Microsoft Office Excel: Microsoft has released updates for Excel to fix at least 2 highly critical vulnerabilities in most versions of Office Excel. Updates are available through the program or from Microsoft’s website.
Microsoft Patch Tuesday: Microsoft’s Patch Tuesday released 7 updates to address at least 24 vulnerabilities, some of which are highly critical, within Windows, Internet Explorer, Office, Word, .NET, Windows Flash Player, and other Microsoft products.

Current Software Versions

Adobe Flash  16.0.0.235 [Windows 7: IE]
Adobe Flash  16.0.0.235 [Windows 7: Firefox, Mozilla]
Adobe Flash  16.0.0.235 [Windows 8: IE]
Adobe Flash  16.0.0.235 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.10
Dropbox 3.0.3 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 34.0
Google Chrome 39.0.2171.95
Internet Explorer 11.0.9600.17501
Java SE 8 Update 25 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.76
Safari 5.1.7 
Safari 7.1.1 [Mac OS X]
Skype 7.0.0.100

Newly Announced Unpatched Vulnerabilities

None
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Microsoft Exchange Server: Secunia reports Microsoft has released a partial fix for Exchange Server 2007, 2010, 2013. Apply update.
VMware vCloud: US-CERT reports VMware has released updates to fix a critical vulnerability in its vCloud Automation Center (vCAC). Apply updates.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.


Friday, December 12, 2014

"The first few minutes were worth the price of your coaching"




A career Law Enforcement Division Commander recently came to me for what he thought was just going to be an hour of resume coaching.  What I really like about my 1 Hour Resume Coaching service is that I get to customize it to the unique needs of any given client.

This is what the Law Enforcement Division Commander shared with me following his coaching experience:

"Thank you very much for your wisdom in the corporate world transiting from my law enforcement career. Your paradigm gave me a new way of thinking and a better way to make myself more marketable. The first few minutes were worth the price of your coaching. Thanks again for the beginning of my next career."


In recent weeks, I have delivered this 1 Hour Resume Coaching service to:

  • Chief Information Security Officer
  • Director Information Security
  • Law Enforcement Division Commander
  • Information Security Consultant
  • Special Agent, FBI
  • Special Agent, Secret Service
  • Agent, CIA
  • Executive Director, Operational Risk Management 
  • Chief Operating Officer
  • Department of Defense Program Manager
  • U.S. Air Force Captain
  • U.S. Army Officer
  • Director, Global Corporate Security
  • IT Risk Management Analyst
  • Security Engineer
  • Security Analyst

Every one of these clients and every one of my past coaching clients had the option of getting a full refund after 15 minutes of our 1 hour call had expired if they didn't feel like they were receiving the value I promised.

Some of these clients have already accepted new positions. Others are deep in multiple interview processes that began when their new resumes opened interview doors.

Some of these clients are just getting started with their resume projects because I delivered their coaching this week or last week.

One of my clients who landed on his feet in a new position before the end of the year shared this in a recent email:
"I may need to get a new cell phone number because I can't get through the day without 5-6 calls lately about new opportunities--something about a well-crafted resume, I guess.  :)" 
When I deliver my 1 Hour Resume Coaching service, I truly am working out of my passion and my strengths. This particular coaching service taps into one of my top strengths, called "Maximizer". Simply defined, the Maximizer strength means that I have a built-in passion for taking "Good to Great". Taking "Good to Great" is in my DNA, and I'm delivering at my best when I engage in this kind of work.

I can help you to discover your strengths so you too can determine how to align your strengths with your chosen work to achieve top-shelf results. 

What's your plan for improvement in 2015?

I'm currently working with several coaching clients on Resumes, LinkedIn Profile Optimization, Personal Branding, Career Coaching, Emotional Intelligence Improvement and more.  

How can I help you to improve your personal and professional performance in the coming year?

Jeff Snyder, Security Job Coach, Security Career Coach, Security Leadership Coach, Security Recruiter Blog, 719.686.8810


Wednesday, December 10, 2014

Hot Cyber-Security Skills for 2015 and Beyond



Cyber Breaches You Don’t Yet Know About
Late last week, I shared a conversation with a CISO who informed me of two breaches in his industry that have not yet been made public.
One breach is a very large POS (Point of Sale) breach. In this case, millions of credit card numbers have been compromised.
The other incident is the breach of a very large company’s PBX telephone system. Long distance calls have been made for quite some time around the globe resulting in significant telephone bills for the company that owns the PBX system.
In both cases, the CISO suggested that the companies involved have Boards of Directors who are not taking cyber threats as seriously as they should. The CISO suggested that these Boards of Directors have a mindset that what’s happening to other companies won’t happen to them.
What’s The Hot Cyber-Security Skill I’m Thinking About?
Over the weekend, I gave a significant amount of thought to the implications of these breaches and other breaches that have already occurred. My thought process traveled beyond the obvious: exposed credit cards and fraud that either the banks or the breached merchant will have to absorb.
My thought processes frequently go to what will benefit a security professional’s career growth and “Personal Stock Value”. This is the value an employer will pay a security professional for the value a company perceives the security professional will bring to their organization.
Complicated Issues
On one hand, it would be great for a CISO candidate to go to an interview where he/she talks about having never been breached during their tenure as a CISO.
On the other hand, since breaches are inevitable, it’s not a matter of if but a matter of when a breach will occur in any given company. A hot skill set a CISO can bring to a new employer’s table is that of Incident Response and Handling Breaches.
What’s involved in Incident Response and Handling Breaches?
While there is a significant technical component to handling a cyber-security incident, there is a significant amount of this skill set that has to do with communication skills and behavior.
Beyond one’s technical skill, another skill one needs to master to be great at incident response and handling breaches is this skill set that I came up with many years ago while working on a very complex Chief Security Officer search in the entertainment industry:
Knowing what to say, when to say, how to say, to whom to say and when to say nothing
This skill set involves many of the skills that make up one’s Emotional Intelligence. Beyond IQ alone, it is improved Emotional Intelligence that will move a person’s personal performance from good to great.
It is high Emotional Intelligence that will give a CISO or CSO the interpersonal skills they need to handle the interpersonal communication complexities that come with a cyber breach.
Improved Emotional Intelligence will give a CISO or CSO the skills they need to master the non-technical side of their profession.
What Can You Do?
In 2015, you can make a commitment to find out where your personal Emotional Intelligence scores are relative to other leaders.
If necessary, you can engage in coaching to improve your Emotional Intelligence which in turn can increase your personal performance, your career growth prospects and your “Personal Stock Value”.
Jeff Snyder, @SecurityRecruit, SecurityRecruiter.com, SecurityJobCoach.com, SecurityCareerCoach.com, SecurityLeadershipCoach.com, Certified MasterMind Executive Coach, Certified Stakeholder Centered Coach, Certified Emotional Intelligence Coach, Public Speaker.

Monday, December 08, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of December 8, 2014



CYBER SECURITY NEWS OF THE WEEK


FROM OUR FRIENDS AT CITADEL INFORMATION GROUP


Cyber Crime – Sony Attack

Sony Pictures and F.B.I. Widen Hack Inquiry: LOS ANGELES — Sony Pictures Entertainment and the F.B.I. on Wednesday were seeking more information about an attack that crippled Sony’s computer systems — including whether North Korea, or perhaps a former employee, was responsible. The New York Times, December 4, 2014
Sony Films Are Pirated, and Hackers Leak Studio Salaries: LOS ANGELES — Just as Sony Pictures Entertainment appeared to be recovering from a crippling online attack last month, the studio found itself confronting new perils on Tuesday. The Federal Bureau of Investigation warned United States businesses of a similar threat, and additional Sony secrets were leaked online. The New York Times, December 3, 2014
Sony Pictures hackers release list of stolen corporate files: On Monday, employees at Sony Pictures Entertainment—the television and movie subsidiary of Sony Corp.—discovered that their internal corporate network had been hijacked. A message from an individual or group claiming responsibility appeared on corporate systems, pledging to release sensitive corporate data taken from the network by 11pm GMT on Monday. ars technica, November 26, 2014

Cyber Crime

Banks: Credit Card Breach at Bebe Stores: Data gathered from several financial institutions and at least one underground cybercrime shop suggest that thieves have stolen credit and debit card data from Bebe Stores Inc., a nationwide chain of some 200 women’s clothing stores. KrebsOnSecurity, December 4, 2014
Payroll company for SAG-AFTRA members discloses security breach: Employees at Sony Pictures Entertainment aren’t the only ones dealing with a hack attack. The LA Times, December 3, 2014
Hackers With Wall Street Savvy Stealing M&A Data: Hackers with Wall Street expertise have stolen merger-and-acquisition information from more than 80 companies for more than a year, according to security consultants who shared their findings with law enforcement. Bloomberg, December 1, 2014
Hackers Using Lingo of Wall St. Breach Health Care Companies’ Email: SAN FRANCISCO — For more than a year, a group of cybercriminals has been pilfering email correspondence from more than 100 organizations — most of them publicly traded health care or pharmaceutical companies — apparently in pursuit of information significant enough to affect global financial markets. The New York Times, December 1, 2014
Hackers Infiltrate Payment Systems of Major Parking Garage Operator: After the number of major breaches affecting some of the largest retailers this year, some may feel uneasy as they approach the cashier to pay for their purchases. Now consumers have another place to worry about–parking garages. SecurityWeek, November 28, 2014

Financial Cyber Security

Treasury Dept: Tor a Big Source of Bank Fraud: A new report from the U.S. Treasury Department found that a majority of bank account takeovers by cyberthieves over the past decade might have been thwarted had affected institutions known to look for and block transactions coming through Tor, a global communications network that helps users maintain anonymity by obfuscating their true location online. KrebsOnSecurity, December 5, 2014
What happens when you swipe your card?: As the hacking of top retailers makes headlines, Bill Whitaker discovers how insecure your credit card information is this holiday season. 60 Minutes, CBS News, November 30, 2014
States, U.S. Beef Up Cybersecurity Training for Bank Examiners: Federal and state regulators are ramping up plans to train bank examiners about cybersecurity risks at a time when the financial institutions they oversee face growing threats from hackers. The Wall Street Journal, November 30, 2014

Cyber Privacy

Hackers Send Emails to Sony Employees: LOS ANGELES — As Hollywood snooped through yet another round of leaked Sony Pictures Entertainment documents on Friday, the studio and the F.B.I. publicly responded to a new threat from the hackers who attacked the company. The New York Times, December 5, 2014

Identity Theft

Sony Pictures hackers stole 47,000 social security numbers, including Sly Stallone’s: A week after it was brought to a standstill by a hacker group that may or may not have hailed from North Korea, things are getting even worse for Sony Pictures. The hackers that crippled the company’s computer systems have now released a vast hoard of Sony Pictures’ private documents onto the internet. An analysis of more than 33,000 documents showed that they displayed passwords to internal computers, credit cards, and social media accounts, as well as the Social Security numbers of 47,000 current and former Sony Pictures workers. TheVerge, December 4, 2014
Sony Execs Confirm Authenticity of Leaked Documents in Staff Memo: Reeling from a massive hack attack, Sony Pictures Entertainment chiefs Michael Lynton and Amy Pascal have told studio staff that they are “deeply saddened” that confidential data may be exposed. Variety, December 2, 2014
Black Friday, Cyber Monday for Crooks, Too!: Underground cybercrime shops that sell credit and debit card accounts stolen from retailers are slashing prices and promoting their own Black Friday and Cyber Monday sales as fraudsters gear up for the busy holiday shopping season. KrebsOnSecurity, November 29, 2014

Cyber Warning

Be Wary of ‘Order Confirmation’ Emails: If you receive an email this holiday season asking you to “confirm” an online e-commerce order or package shipment, please resist the urge to click the included link or attachment: Malware purveyors and spammers are blasting these missives by the millions each day in a bid to trick people into giving up control over their computers and identities. KrebsOnSecurity, December 3, 2014
Exclusive: FBI warns of ‘destructive’ malware in wake of Sony attack: (Reuters) – The Federal Bureau of Investigation warned U.S. businesses that hackers have used malicious software to launch a destructive cyberattack in the United States, following a devastating breach last week at Sony Pictures Entertainment. Reuters, December 2, 2014

Cyber Security Management

The Cybersecurity Myths That Small Companies Still Believe: High-profile breaches at Target (TGT), Home Depot (HD), and JPMorgan Chase (JPM) have put cybersecurity on the agenda for companies large and small. But despite the ongoing media commentary and “best practices” memos, consultant Adam Epstein of Third Creek Advisors notes that board members of small-cap companies and those considering or preparing initial public offerings are still befuddled by persistent myths on this topic. BusinessWeek, November 24, 2014

Cyber Law

Judge rules that banks can sue Target for 2013 credit card hack: The development paves the way for more banks to sue merchants with poor POS security. ars technica, December 4, 2014



Weekend Vulnerability and Patch Report, December 7, 2014


Important Security Updates

Apple Safari: Apple has released updates for Safari to fix at least 13 vulnerabilities, some of which are highly critical, reported in previous versions. Update to version 8.0.1, 7.1.1, or 6.2.1. Updates are available from Apple’s website.
Avira Free Antivirus: Avira has released version 14.0.7.468 of its free Antivirus. Updates are available from Avira’s website.
Foxit Reader: Foxit has released version 7.0.6.1126 of its Reader. Updates are available through the program or from Foxit’s website.
Malwarebytes Anti-Exploit: Malwarebytes has released version 1.05.1.1014 of its free Malwarebytes Anti-Exploit. Updates are available from Malwarebytes’ website.
Malwarebytes Anti-Malware: Malwarebytes has released version 2.0.4 of its free Malwarebytes Anti-Malware. Updates are available from Malwarebytes’ website.
Mozilla Firefox: Mozilla has released version 34.0 to fix at least 10 unpatched highly critical vulnerabilities reported in previous versions. Upgrade to version 34 and remove certain files on OS X 10.10 (Yosemite) within the /tmp folder. Updates are available within the browser or from Mozilla’s website.
Opera: Opera has released version 26 to fix multiple moderately critical unpatched vulnerabilities reported in previous versions. Updates are available from within the browser or from Opera’s website.
Siber Systems RoboForm: Siber Systems has released version 7.9.11.5 of RoboForm. Updates are available from within the program (look for the “Check New Version” button on the Options menu) or by download from the RoboForm website.
Skype: Skype has released Skype 7.0.0.100. Updates are available from the program or Skype’s website.

Current Software Versions

Adobe Flash  15.0.0.239 [Windows 7: IE]
Adobe Flash  15.0.0.239 [Windows 7: Firefox, Mozilla]
Adobe Flash  15.0.0.239 [Windows 8: IE]
Adobe Flash  15.0.0.239 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.09
Dropbox 2.10.52 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 34.0
Google Chrome 39.0.2171.71
Internet Explorer 11.0.9600.17420
Java SE 8 Update 25 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.76
Safari 5.1.7 
Safari 7.1.1 [Mac OS X]
Skype 7.0.0.100

Newly Announced Unpatched Vulnerabilities

None
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports Cisco has released updates for Unified Computing System (UCS), and others. Apply patches.
Citrix XenServer: Secunia reports Citrix has released updates for XenServer. Apply hotfix.
VMware Multiple Products: Secunia reports VMware has released an update for ESX Server, ESXi, vCenter Server Appliance, vSphere and others. Apply patches.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.


SecurityRecruiter.com's Security Recruiter Blog