Monday, February 13, 2017

Cyber Security Vulnerability and Patch Report, February 12, 2017







Important Security Updates

Avast: Avast! Free Antivirus has released version 17.1.2286. Updates are available on Avast’s website. Avast! has also released updates for Premier Antivirus and Internet Security.
Dropbox: Dropbox has released version 19.4.13 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]
Google Chrome: Google has released Google Chrome version 56.0.2924.87. Updates are available from within the browser or from Google Chrome’s website.
Opera: Opera has released version 43.0.2442.806. Updates are available from within the browser or from Opera’s website.
PeaZip: PeaZip has released version 6.3.1. Updates are available from Peazip’s website.
Siber Systems RoboForm: Siber Systems has released version 8.2.9 of Roboform. Updates are available from within the program, look for the “Check New Version” button on the Options menu or download from the Roboform website.
Skype: Skype has released Skype Updates are available from the program or Skype’s website.

Current Software Versions

Adobe Flash
Adobe Reader DC 2015.023.20053
Dropbox 19.4.13 [Citadel warns against relying on security of Dropbox or other cloud-based file exchange systems. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the master Dropbox [or other] password be at least 15 characters long and different from other passwords.]
Firefox 51.0.1 [Windows]
Google Chrome 56.0.2924.87
Internet Explorer 11.0.9600.18538
Java SE 8 Update 121 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
Microsoft Edge 39.14986.0.0
QuickTime 7.7.9 [Citadel recommends removing QuickTime. On April 14, US-CERT advised Microsoft Windows users to remove QuickTime. This followed a report in ars technica that Apple has no plans to update the Windows app despite at least two reliable QuickTime vulnerabilities that threaten Windows users who still have the program installed.]
Safari 10.0.3 [Mac OS X Mavericks, Yosemite, El Capitan]

For Your IT Department

Cisco Multiple Products: Cisco has released updates to address vulnerabilities in ASA Clientless SSL VPN, AnyConnect Secure Mobility Client for Windows and others. Apply updates. Additional details are available at Cisco’s website.

If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2017 Citadel Information Group. All rights reserved.


Jeff Snyder’s,, Jeff Snyder CoachingSecurity Recruiter Blog, 719.686.8810

Cyber Security News of the Week, February 12, 2017




Individuals at Risk

Cyber Privacy

‘Give Us Your Passwords’: What happens if border agents are allowed to demand access to your phone and online accounts—and turn you away if you don’t comply? The Atlantic, February 10, 2017

Cyber Warning

Macro Malware Hits Mac Users: After hounding Windows users for well over two decades, macro malware has taken its first steps towards affecting the other operating system on which the Microsoft Office suite is available, and that’s Apple’s macOS. BleepingComputer, February 10, 2017
Reminder to Beware of Fake Ads as Scammers slip fake Amazon ad under Google’s nose: Last year, Google says it took down 1.7bn bad ads. Well, it missed a whopper on Wednesday: a bad ad perfectly spoofed to look like a legit Amazon ad. Anybody who clicked on it was whisked to a Windows support scam, according to ZDNet. Naked Security, February 10, 2017

Information Security Management in the Organization

Information Security Management and Governance

IANS Research Identifies Stakeholder Collaboration as Key to Improving Information Security Posture: A new study based on two years of work by IANS Research looks at the work of chief information security officers (CISOs) and their role in enterprises. BetaNews, February 9, 2017

Cyber Awareness

SANS Security Awareness Blog | 2017 Planning Ideas and 2016 Lessons Learned: At the end of December I led a webcast reviewing some of the key lessons learned in 2016 and what we can do in 2017 to keep improving the practice, and impact, of security awareness programs. After working with hundreds of clients and awareness officers from around the world throughout last year, here are some specific lessons learned from 2016 and tips to make your program more effective in 2017. SANS, February 7, 2017

Cyber Warning

Newly discovered ‘Ticketbleed’ flaw undermines HTTPS connections for almost 1,000 sites: Encrypted connections established by at least 949 of the top 1 million websites are leaking potentially sensitive data because of a recently discovered software vulnerability in appliances that stabilize and secure Internet traffic, a security researcher said Thursday. ars technica, February 9, 2017

Cyber Defense

Microsoft unveils a bonanza of security capabilities: Companies concerned about cybersecurity have a fleet of new Microsoft tools coming their way. The company announced a host of new security capabilities Friday morning as part of the run-up to the massive RSA security conference next week in San Francisco. PCWorld, February 10, 2017
Keep Employees Secure, Wherever They Are: Nearly 80% of professionals work remotely at least one day a week, and 1.55 billion others are expected to work outside the boundaries of the corporate office by 2020, according to Frost & Sullivan research. This shift to a mobile workforce is causing technology disruption because remote workers require different solutions and infrastructure, which can increase vulnerabilities. DarkReading, February 10, 2017

Cyber Update

Update WordPress to 4.7.2 as 1.5M Unpatched Sites Hacked Following Vulnerability Disclosure: Attackers have taken a liking to a content-injection vulnerability disclosed last week and patched in WordPress 4.7.2 that experts has been exploited to deface 1.5M sites so far. ThreatPost, February 10, 2017

Cyber Talent

To Be, or Not To Be— Certified? That Is the Question. Or, Is It?> I’m lucky. I get to fly all over the world and talk to security teams of all sizes. Regardless of the technology discussion at hand, the one question I seem to get asked the most is, “What certifications should I go get?” A close second is, “Are they worth it?” ITSP, January 31, 2017

Cyber Security in Society

Cyber Crime

Fast Food Chain Arby’s Acknowledges Breach: Sources at nearly a half-dozen banks and credit unions independently reached out over the past 48 hours to inquire if I’d heard anything about a data breach at Arby’s fast-food restaurants. Asked about the rumors, Arby’s told KrebsOnSecurity that it recently remediated a breach involving malicious software installed on payment card systems at hundreds of its restaurant locations nationwide. KrebsOnSecurity, February 9, 2017
InterContinental Confirms Breach at 12 Hotels: InterContinental Hotels Group (IHG), the parent company for thousands of hotels worldwide including Holiday Inn, acknowledged Friday that a credit card breach impacted at least a dozen properties. News of the breach was first reported by KrebsOnSecurity more than a month ago. KrebsOnSecurity, February 6, 2017

Know Your Enemy

Spies, hackers & cybersecurity firms compete to find & exploit software flaws: Spies, hackers, and cybersecurity firms compete to find and exploit software flaws, often to infiltrate criminal networks or track terrorists. A look into this complex ecosystem. CS Monitor, February 10, 2017

National Cyber Security

State-sponsored hackers targeting prominent journalists, Google warns: Google has warned a number of prominent journalists that state-sponsored hackers are attempting to steal their passwords and break into their inboxes, the journalists tell POLITICO. Politico, February 10, 2017
Talinn 2.0 – There’s Cyberwar and Then There’s the Big Legal Gray Area: The Russian government-backed hacks of Democratic political organizations that upended the 2016 presidential contest represent the sort of legal gray area U.S. adversaries will continue to exploit if nations don’t create rules of the road in cyberspace, the director of an updated manual on international cyber law said Wednesday. Nextgov, February 9, 2017
Tallinn 2.0 – International Law Applicable to Cyber Operation – Analyzes Legality of Russian DNC Hack: Legally speaking, what can a nation do when its election system is hacked by another country? That’s just one of the many kinds of cases the new Tallinn Manual on the International Law Applicable to Cyber Operations attempts to address. FCW, February 9, 2017
White House CISO Out in Apparent Cybersecurity Staff Shakeup: The Obama-appointed chief information security officer was charged with keeping the president and his staff safe from cyber-threats posed by hackers and nation-state attackers. ZDNet, February 9, 2017
Former government contractor charged with stealing top-secret documents: A former government contractor accused in a massive theft of top secret information has been indicted on charges of mishandling classified materials. LA Times, February 9, 2017
Rep. Jim Langevin – Open Letter to Trump “Important lessons on cybersecurity”:Dear President Trump, In my eight terms in Congress, I have seen cybersecurity explode onto the national stage as an issue of paramount importance to our national security. As you begin to craft your legacy in this emerging domain, I encourage you to use the successes and failures of your predecessor to guide your efforts. The Hill, February 7, 2017
Stewart Baker & Corin Stone, Exec Director of the National Security Agency – Steptoe Cyberlaw: Our guest for episode 149 of the podcast is Jason Healey, whose Atlantic Council paper, “A Nonstate Strategy for Saving Cyberspace,” advocates for an explicit bias toward cyber defense and the private sector. He responds well to my skeptical questioning, and even my suggestion that his vision of “defense dominance” would be more marketable if paired with thigh-high leather boots and a bull whip. #50ShadesofCyber. Steptoe Cyberblog, February 6, 2017

Cyber Law

New Zealand Privacy Chief Backs $1 Million Fines for Breaches: New Zealand’s privacy commissioner is recommending new civil penalties against companies of up to NZ$1 million (US$718,000) for a “serious” data breach to keep up with sterner penalties adopted by Australia and the European Union. BankInfoSecurity, February 10, 2017
House Passes Long-Sought Email Privacy Bill: The U.S. House of Representatives on Monday approved a bill that would update the nation’s email surveillance laws so that federal investigators are required to obtain a court-ordered warrant for access to older stored emails. Under the current law, U.S. authorities can legally obtain stored emails older than 180 days using only a subpoena issued by a prosecutor or FBI agent without the approval of a judge. KrebsOnSecurity, February 7, 2017
Judge Breaks Precedent, Orders Google to Give Foreign Emails to FBI: A potentially major blow for privacy advocates occurred on Friday when a U.S. magistrate ruled against Google and ordered it to cooperate with FBI search warrants demanding access to user emails that are stored on servers outside of the United States. The case is certain to spark a fight, because an appeals court ruled in favor of Microsoft in a similar case recently. Gizmodo, February 5, 2017

Financial Cyber Security

A rash of invisible, fileless malware is infecting banks around the globe: Two years ago, researchers at Moscow-based Kaspersky Lab discovered their corporate network was infected with malware that was unlike anything they had ever seen. Virtually all of the malware resided solely in the memory of the compromised computers, a feat that had allowed the infection to remain undetected for six months or more. Kaspersky eventually unearthed evidence that Duqu 2.0, as the never-before-seen malware was dubbed, was derived from Stuxnet, the highly sophisticated computer worm reportedly created by the US and Israel to sabotage Iran’s nuclear program. ars technica, February 8, 2017

Critical Infrastructure

Security of Power Grid at Risk from Smart Devices says Research from Mich Tech: Reliability measures of electrical grid has risen to a new norm as it involves physical security and cybersecurity. Threats to either can trigger instability, leading to blackouts and economic losses. PHYS.ORG, February 10, 2017
Cybersecurity Is a Missing Piece of the Smart City Puzzle: While the concern over smart city security is broadly distributed, a survey of government IT professionals reveals that actions to address these concerns are few and far between. GovernmentTechnology, February 10, 2017

Internet of Things

How IoT hackers turned a university’s network against itself: A university found its own network turned against it – as refrigerators and lights overwhelmed it with searches for seafood. ZDNet, February 10, 2017

Cyber Sunshine

Alleged Russian Hacker With Ties To ‘Notorious Cybercriminals’ Arrested In LA: Alexander Tverdokhlebov is being held on charges of conspiring with another hacker to steal money from online bank accounts. DarkReading, February 10, 2017
‘Top 10 Spammer’ Indicted for Wire Fraud: Michael A. Persaud, a California man profiled in a Nov. 2014 KrebsOnSecurity story about a junk email purveyor tagged as one of the World’s Top 10 Worst Spammers, was indicted this week on federal wire fraud charges tied to an alleged spamming operation. KrebsOnSecurity, February 8, 2017

Jeff Snyder’s,, Jeff Snyder CoachingSecurity Recruiter Blog, 719.686.8810

Thursday, February 09, 2017

DDoS Protection: 14 Unique Ways to Protect Yourself from DDoS Attacks

DDoS Protection: 14 Unique Ways to Protect Yourself from DDoS Attacks

If your website goes down due to an overload of website traffic, you’re probably a victim of the notorious distributed denial of service (DDoS) attack. DDoS attacks have become a nightmare for companies with an active online presence. From BBC to Twitter and from Donald Trump’s website to Netflix, 2016 saw some of the most unprecedented cyber attacks in the history of the internet.
DDoS attacks have become a nightmare for companies with an active online presence. From BBC to Twitter and from Donald Trump’s website to Netflix, 2016 saw some of the most unprecedented cyber attacks in the history of the internet.
In the ever-changing world of high-tech gadgets and rising popularity of Internet of Things, DDoS attacks have increased 2.5 times over the last 3 years, and are believed to become increasingly frequent in the coming years.
Furthermore, according to a report by Cisco in 2016, the average size of DDoS is accelerating and approaching 1Gbps, which is enough to bring large business offline. Globally, the DDoS attacks grew by 25% in 2015 and are likely to increase by 260% by 2020.
From monetary to brand value, DDoS attacks drastically affect every part of the business. The cost a business can incur from a DDoS attack range up to $20,000 and for airline Virgin Blue lost $20 million in an IT outage that lasted for 11 days in 2010.
Today, businesses need to tighten their seat belts to work and land safely in the highly advanced internet world. Here are 15 unique ways to protect yourself from DDoS attacks.

1. Create an Action Plan in Advance

Why wait for a DDoS attack to ruin your business? Intelligence is in responding to the potential attacks before they happen.
Focus on creating a system that absorbs a potential DDoS attack. Though creating an action plan in advance is not 100% foolproof way of DDoS protection, it does help in mitigating the risk to a great extent.
An action plan might consist of the following items:
  • Use sensors that send an alert whenever the website is down.
  • In case of any malicious activity, dump the logs quickly.
  • Consider contacting your ISP to understand about the free and paid DDoS protection plans.
  • Confirm the DNS TTL (time-to-live) for systems that can be attacked in the future.
  • Document your IT infrastructure and create a network topology diagram with an asset inventory.
  • Purchase DDoS protection products to mitigate the monetary loss due to the attacks.
An action plan comes in handy when your website is under attack because it would reduce the extent of damage caused by the hackers.
2. Monitor Traffic Levels
A DDoS attack brings an unprecedented amount of traffic to your server, which spikes the traffic beyond your imagination.
In fact, an ideal time for any hacker to strike is when your website is likely to witness huge amount of traffic such as Thanksgiving or Christmas. They mix with the genuine traffic and overloads the server with unprecedented traffic, which eventually crashes the server.
Therefore, the best way to quickly notice a DDoS attack is to look out for abnormal traffic increase to your website. If you expect 500 visitors per 10 minutes, an influx of 4000 visitors per minute should trigger an alert.
Staying alert, monitoring the traffic and setting threshold limits when traffic goes beyond a certain level will help you in DDoS protection.

3. Pay Attention to Connected Devices

Internet of things is the latest buzz and a growing topic of conversation both in the workplace and outside. From wearables to retail, healthcare to agriculture, IoT is making an impact in every sector, but even this burgeoning technology is not spared by attackers. Hackers find their way through these connected devices to disrupt the services of a brand.
Paying special attention of the connected devices will help you wade through the DDoS attack. For stronger DDoS protection, change the passwords of the devices regularly, switch off the devices when not in use and verify every device before connecting it.
Until the procession begins, focus on mitigating the threats to protect the connected device and your server.

4. Ensure You Have Extra Bandwidth

It makes sense to have more bandwidth than you would plausibly need because overprovisioning your bandwidth provides extra time to identify and deal with the attack. It also enables the server to accommodate unprecedented spikes in traffic and to some extent lowers the intensity of the attack.
If you overprovision the bandwidth by 200 percent or 600 percent, it will not stop the DDoS attack, but it will buy you crucial time before your resources are overwhelmed.
Therefore, when determining the requirement of bandwidth give your business a healthy margin of error to mitigate the risk of cyberattacks.

5. Train Your Customers On Security

An informed and a trained customer is an asset to your business as they walk with you hand-in-hand for higher DDoS protection.
Explain to the customers the necessity and dire need of safeguarding their systems because hackers target computers with weak passwords.
Gone are those days when birthdate or family name was considered as a strong password for a computer. Urge your customers to keep difficult passwords to protect their privacy. Furthermore, educate the clients to skip any attachments received from email addresses they don’t recognize.
Today, customer education is an essential component of any company’s strategy for DDoS protection. To proactively guard the customers against such cyber bullies, encourage them to review and follow best practices to secure their device.

6. Set up Secured VPS Hosting

In order to save a few dollars, many businesses opt for the lowest price hosting plans available in the market. While the initial cost is low, the threat of DDoS is attack is outrageous. Setting up a secured VPS hosting provides DDoS protection and reduces the probability of an attack.
With a secured VPS, your website has its own portioned space, unique IP address and operating system, thereby isolating the site from cyberattacks. Furthermore, secured VPS hosting provides full access to console, which helps in eliminating the potential malware.
In short, DDoS secured VPS hosting takes away the headache and makes use of the latest technology to put your website in the driving seat.

7. Drop Packets from Obvious Sources of Attack

DDoS attacks have the potential to create a havoc on your business and you need to stop traffic from false sources at any cost. Focus on using the access list at the perimeter of network to prevent malicious activities. Furthermore, instruct the router to drop packets from IPs that are obvious sources of attack. You can also rate limit your router to add another layer of protection.
Again, with the increasing size of online attack, this strategy will only buy time and delay the ramping up of the threat.

8. Purchase a Dedicated Server

Purchasing a dedicated hosting server will provide you with more bandwidth, control over security, and countless resources. With a dedicated server as your first layer of defense, you can successfully run your online site with thousands of legitimate customers without worrying about anything. Undoubtedly, dedicated servers are expensive, but the benefits clearly outweigh any monetary issue you face due to lack of DDoS protection.
Our DDoS protected dedicated servers provide DDoS protection of 20 Gbps with a bandwidth of 10 terabytes. We manage 100% of the server operation, giving you room to focus on other important business aspects.

9. Block Spoofed IP Addresses

“Things are not always what they seem; the first appearance deceives many”.
These words hold true, especially for IP address spoofing. For those of you who are new to the word ‘spoofing’ – in simple English, it means ‘presenting the wrong facts in a decorated manner’. Prevention of IP address forgery leads to harmful DDoS attack and you need to focus on the following tips to stop IP address spoofing.
  • Create an access control list (ACL) to deny all inbound traffic with a particular source IP.
  • Focus on using reverse path forwarding (RPF) or IP verify. It works similar to an anti-spam solution.
  • Filter both outbound and inbound traffic to enhance DDoS protection.
  • Change the configuration of your switches and routers such that they automatically reject packets coming from outside your network.
  • Focus on encrypting different sessions on your router to allow trusted hosts who are outside your network.

10. Install Patches and Updates Frequently

Installing updates on open source platforms like WordPress as soon as possible mitigates the risk of attack because the potential security loophole is filled with an update. Therefore, deploy an update within your network as soon as possible. The longer the lag time between the update and the application, the more vulnerable your system becomes.
This is often neglected by many businesses, mainly because of the frequency of updates and they consider it irrelevant to update the application.

11. Aggressively Monitor Half-Open Connections

In a usually three-way handshake:
  • The client request connection by sending SYN (synchronize) packet to the server,
  • The server returns the SYN-ACK (synchronize-acknowledge) packet to the client,
  • The client answers with an ACK (Acknowledge) that the package is received and communication begins.
In half-open connections, the packets are not sent to the hostile client. However, the client sends multiple requests to the server ports using fake IP addresses. Such a connection is not closed and remains open making it vulnerable to attack.
Detection of such half-open connections is done by:
  • Adding an empty keepalive message to the application protocol framing
  • Adding a null keepalive message to the actual application protocol framing
  • Using an explicit timer
  • Altering the TCP keepalive settings

12. Use Proxy Protection

Proxy protection provides an extra layer of DDoS protection for any website and keeps your website safe from complex cyber threats. Our remote DDoS proxy protection hides your real IP from hackers and sends proxy traffic through their mitigation network. The best part is that the entire process occurs without the visitors realizing it. Furthermore, remote proxy protection increases the security and performance of HTTP applications. It’s a must for any business looking to create an impact in the online world.

13. Set up RST Cookies

RST cookies are a strong defense against the DDoS because the server sends incorrect ACK + SYN to the client and then the client forwards a packet telling the server about the potential error. Therefore, it prevents the business from potential attack.

14. Filter UDP Traffic With Remote Black Holing

Filtering the UDP traffic with remote black holing can effectively stop undesirable traffic to enter a protected network. These remote black holes are areas where the traffic is forwarded and then dropped. And, when an attack is detected it drops all the traffic based on the IP address and the destination. Here are the three steps to set it up:
  • Prepare a null route
  • Prepare a route map
  • Generate a victim route on the management router
Learn more about the various types of DDoS attacks and contact us to see which type of hosting is right for you.

Tuesday, January 31, 2017

How Does Information Leak From Companies?

Frequently, data breaches are extremely complicated and they are carried out by some of the most intellectually gifted people in the world.

Other times though, data leakage can be as simple as a situation I just ran across.  Yesterday, someone from a company I have done business with in another part of the world, pushed a button. 

An email arrived in my Inbox that looked very similar to emails I’d received from my client in the past when they had something to share through their secure system.  Because the email was familiar to me, I proceeded to log into the system I’d logged into in the past.

The log-in only required my email address.  The password was already there. By simply adding my email address and logging into the system, I was in.  In to what you might ask?  Information that I didn’t need to or want to see.

I immediately contacted the person who had initiated the original email that came to me from my client. She recognized the mistake she had made and asked me to disregard what I had been sent.

Yes, this was a simple mistake and we all make simple mistakes from time-to-time.  Because of the work I do working with highly intelligent cyber security professionals, I started wondering how many times simple mistakes like this happen around the world in the course of a day.

Had the email that was sent to me been sent to someone else, they might not have been watching out for my client’s best interests as I was.  If another recipient of the email I received had bad intentions, they could have opened Pandora’s Box. 

There’s one for you Cyber Security folks to ponder.'s Security Recruiter Blog