Monday, April 25, 2016

Cybersecurity Vulnerability and Patch Report for April 24, 2016



CYBERSECURITY VULNERABILITY AND PATCH REPORT

 

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP


Important Security Updates

Apple QuickTime for Windows: On April 14, US-CERT advised Microsoft Windows users to remove QuickTime. This followed a report in ars technica that Apple has no plans to update the Windows app despite at least two reliable QuickTime vulnerabilities that threaten Windows users who still have the program installed.
Avira Free Antivirus: Avira has released version 15.0.17.273 of its free Antivirus. Updates are available from Avira’s website.
Evernote: Evernote has released version 6.0.4.1688. Updates are available on Evernote’s website.
Google Chrome: Google has released Google Chrome version 50.0.2661.87. Updates are available from within the browser or from Google Chrome’s website.
Oracle Java: Oracle has released Java SE 8 Update 91 to fix at least 9 highly critical vulnerabilities. The update is available through Windows Control Panel or Java’s website. [See Citadel’s recommendation below]
SuperAntiSpyware: SuperAntiSpyware has released version 6.0.1218. Updates are available on SuperAntiSpyware’s website.

Current Software Versions

Adobe Flash 21.0.0.213 [Windows 7: IE, Firefox, Mozilla]
Adobe Flash 21.0.0.213 [Windows 8: IE]
Adobe Flash 21.0.0.213 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader DC 2015.010.20060
Dropbox 3.18.1 [Citadel warns against relying on security of Dropbox or other cloud-based file exchange systems. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the master Dropbox [or other] password be at least 15 characters long and different from other passwords.]
Firefox 45.0.1 [Windows]
Google Chrome 50.0.2661.87
Internet Explorer 11.0.9600.18161
Java SE 8 Update 77 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.9 [Citadel recommends removing QuickTime. On April 14, US-CERT advised Microsoft Windows users to remove QuickTime. This followed a report in ars technica that Apple has no plans to update the Windows app despite at least two reliable QuickTime vulnerabilities that threaten Windows users who still have the program installed.]
Safari 9.1 [Mac OS X Mavericks, Yosemite, El Capitan]
Skype 7.22.0.109

For Your IT Department

Cisco Multiple Products: Cisco reports patched vulnerabilities in its Cisco IOS 15.5(3)M01 and prior, IOS XE 3.2.0 to 3.18.0S, Secure Real-Time Transport Protocol (SRTP) library (libSRTP) version 1.5.3, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Catalyst 6500 Series Switches and 7600 Series Routers, Adaptive Security Virtual Appliance (ASAv), WLC Software, and WLC devices running Cisco AireOS Software. Additional details are available at Cisco’s website.
Oracle Multiple Products: US-CERT reports Oracle has released updates to fix hundreds of vulnerabilities in its Database Server, Fusion Middleware and Applications, Enterprise Manager, E-Business Suite, Supply Chain Products Suite, PeopleSoft Products, JD Edwards Products, Siebel Products, Communications Applications, Retail Applications, Health Sciences Applications, Financial Services Software, Java SE, Sun Systems Products Suite, Linux and Virtualization, MySQL, Berkeley DB and others. Additional details are available at Oracle’s website.
Symantec Messaging Gateway: Symantec has released an update for its Messaging Gateway to fix at least four vulnerabilities. Additional details are available at Symantec’s website.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2016 Citadel Information Group. All rights reserved.

Jeff Snyder’s SecurityRecruiter.com, Jeff Snyder Coaching, Security Recruiter Blog, 719.686.8810

Cybersecurity News for the Week of April 24, 2016

CYBERSECURITY NEWS

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP


Individuals at Risk

Cyber Privacy

700 Million People Just Got Encryption That Congress Can’t Touch: Last month, WhatsApp, the hugely popular messaging service that Facebook owns, made end-to-end encryption the default for its 1 billion users. On Tuesday, Viber said it will do the same for the 700 million people who use it. Wired, April 20, 2016
Hackers only need your phone number to eavesdrop on calls, read texts, track you: 60 Minutes showed how hackers only needed a congressman’s phone number to record his calls and track his location. The congressman said people at intelligence agencies, who are aware of the SS7 flaw and abuse it, should be fired. Computerworld, April 18, 2016
How hackers eavesdropped on a US Congressman using only his phone number: A US Congressman has learned first-hand just how vulnerable cellphones are to eavesdropping and geographic tracking after hackers were able to record his calls and monitor his movements using nothing more than the public ten-digit phone number associated with the handset he used. ars technica, April 18, 2016

Cyber Danger

US-CERT to Windows Users: Dump Apple Quicktime: Microsoft Windows users who still have Apple Quicktime installed should ditch the program now that Apple has stopped shipping security updates for it, warns the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT). The advice came just as researchers are reporting two new critical security holes in Quicktime that likely won’t be patched. KrebsOnSecurity, April 18, 2016

Cyber Defense

Report Says PlayStation Network to Get Two-Factor Authentication: Sony plans to add two-factor authentication to its PlayStation Network. PC Magazine, April 21, 2016

Information Security Management in the Organization

Cyber Security Management – C Suite

Information Security Culture: It’s Time to Upgrade to 2.0: Information security requires an approach that involves people, process and technology. But, while we have made great strides in technological advancements in information security, security culture for many organizations remains in a state of stasis. InfoSecurity, April 22, 2016
Collaboration & Inclusiveness Keys to Success, Part 1 – IBM Inst for Business Value: A 2016 report from the IBM Institute for Business Value, “Securing the C-Suite: Cybersecurity Perspectives from the Boardroom and C-Suite” provides valuable insights about the dynamics within the C-suite — insight that anyone in the role of chief information officer (CIO) or chief information security officer (CISO) cannot afford to miss. IBM surveyed more than 700 executives from 28 countries across 18 different industries that occupied nine different roles in the C-suite. SecurityIntelligence, April 5, 2016
Collaboration & Inclusiveness Keys to Success, Part 2 – IBM Inst for Business Value: A 2013 IBM report titled “Exploring the Inner Circle: Insights From the Global C-Suite Study” found that the top-performing organizations all had one quality that set them apart from their peers: collaboration. Top leadership’s view is that “the ability to collaborate is the most important factor” and that “how the members of the C-suite collaborate is as significant as the extent to which they collaborate.” SecurityIntelligence, April 12, 2016
Collaboration & Inclusiveness Keys to Success, Part 3 – IBM Inst for Business Value: Chief executive officers (CEOs) are under intense pressure from all sides. From an economic perspective, areas that were once the domain of a few favored organizations are now ripe for disruption by newcomers. Indeed, according to IBM’s “Redefining Competition: Insights From the Global C-suite Study – The CEO Perspective,” CEOs believe technology is the chief external influence on their enterprises. More specifically, cybersecurity issues have crashed into the C-suite and the boardroom, and top leadership is under the spotlight when it comes to achieving an acceptable cyber posture. SecurityIntelligence, April 19, 2016

Cyber Awareness

Staff Awareness Vital as Law Enforcement, Government Agencies See Phishing as Main Cyber Risk: In a meeting held in New York, representatives of law enforcement and governments from the US and the UK met to agree on a joint plan to tackle cyber threats, and their top priority for the foreseeable future will be phishing attacks. Softpedia, April 21, 2016
Staff Weak Link as Malware Attacks More Frequent, Harder To Fight: The newest Ponemon State of the Endpoint Report found enterprises struggling to enforce endpoint security and to manage their biggest threat: Employees. InformationWeek, April 21, 2016
Staff spoofed to wire money as whaling emerges as major cybersecurity threat: Fraudsters are using legitimate executive names and email addresses to dupe unsuspecting employees to wire money or sensitive documents to their accounts. The CTO of the Boston Celtics, for one, is fighting back. CIO, April 21, 2016

Cyber Defense

The Problem With Patching: 7 Top Complaints: Is your security team suffering from patching fatigue? Check out these tips and eliminate critical vulnerabilities in your IT environment. DarkReading, April 22, 2016
Bypass the Windows AppLocker bouncer with a tweet-size command: If you’re relying on Microsoft’s AppLocker to lock down your office or school Windows PCs, then you should check this out. A security researcher says he’s found a way to potentially bypass the operating system’s software whitelist and launch arbitrary scripts. TheRegister, April 22, 2016
DDoS Attacks: Know Your Enemy: Distributed-denial-of-service (DDoS) attacks are more frequent today than they’ve ever been, according to the latest report by Verisign. In the final quarter of 2015, DDoS attacks globally rose by 85% compared with the previous year – and 15% on the previous quarter alone. Not only that – they’re also getting more dangerous, deploying higher volumes of packets than ever before. InformationSecurity, April 20, 2016

Cyber Security in Society

National Cyber Security

U.S. Ratchets Up Cyber Attacks on ISIS: Military hackers are disrupting ISIS’s encrypted chats, implanting viruses in terrorists’ computers, and mining the machines to launch real-world strikes. TheDailyBeast, April 17, 2016

Cyber Law Enforcement

FBI paid at least $1.3M for zero-day to get into San Bernardino iPhone: FBI Director James Comey suggested to a conference in London that his agency paid more than $1.3 million to gray-hat hackers who were able to unlock the iPhone 5C that was used by Syed Farook Rizwan, the dead terrorist who masterminded the attack in San Bernardino, California, in December 2015. ars technica, April 21, 2016

Cyber Lawsuit

Attorney sued after BEC fraud costs couple $1.9m: A Manhattan couple wired a $1.9 million deposit for their new co-op but learned that the messages from an AOL e-mail account hid a crucial detail: They got conned. The Real Deal, April 19, 2016

Financial Cyber Security

ATM skimming increased five-fold from 2014 to 2015 while ‘Black Box’ ATM Attacks Loom as Growing Threat: Although skimming attacks remain the No. 1 ATM fraud concern in the United States, so-called “black box” attacks loom as a growing threat. BankInfoSecurity, April 20, 2016
Giant Food Requires Cash for Gift Cards, Reloadables & Prepaid Debit Cards: Citing a recent and large increase in credit card fraud, Washington, DC-area grocer Giant Food says it will no longer allow customers to use credit cards when purchasing gift cards and reloadable or prepaid debit cards. KrebsOnSecurity, April 20, 2016

Cyber Security in Healthcare

NY Presbyterian Hospital Slapped With Second HIPAA Fine: For the second time in two years, federal regulators have slapped New York Presbyterian Hospital with a multi-million dollar penalty as part of a HIPAA settlement. HealthInfoSecurity, April 21, 2016
Lack of Business Associate Agreement Costs Clinic $750,000: A North Carolina orthopedic clinic will pay a $750,000 penalty as part of a breach-related settlement involving the release of 17,300 X-ray films containing protected health information to a vendor without having a business associate agreement in place, as required under HIPAA. HealthInfoSecurity, April 20, 2016

Critical Infrastructure

Upgrade Coming to Grid Cybersecurity in U.S.: The hackers who unplugged 225,000 people from the Ukrainian electricity grid in December—the first confirmed cyber-takedown of a power system—have lent credence to calls by cybersecurity experts for greater vigilance by utilities. “It’s really brought the whole thing to a head and made people aware that this isn’t just chatter about the sky falling,” says Eric Byres, a security consultant who commercialized one of the first firewalls for industrial control systems. IEEE Spectrum, April 20, 2016

Cyber Underworld

Cybercrime Gang Tied to 20 Million Stolen Cards: A previously unknown cybercrime group has hacked into numerous organizations in the retail and hospitality sectors to steal an estimated 20 million payment cards, collectively worth an estimated $400 million via underground cybercrime forum sales, according to the cybersecurity firm FireEye. BankInfoSecurity, April 21, 2016
Criminals in the cloud: How malware-as-a-service is becoming the tool of choice for crooks: Rather than selling their malware as a one-off, virus writers are offering access to the latest exploit kits via on-demand services. ZDNet, April 21, 2016
How One Cybercrime Gang Is Ratcheting Up PoS Attacks: With magnetic-stripe payment card transactions gradually starting to disappear in the US, cybercriminals have been on a tear with PoS attacks against retail and hospitality targets that haven’t yet adopted EMV card payment, FireEye researchers say. DarkReading, April 20, 2016

Cyber Sunshine

SpyEye Makers Get 24 Years in Prison: Two hackers convicted of making and selling the infamous SpyEye botnet creation kit were sentenced in Georgia today to a combined 24 years in prison for helping to infect hundreds of thousands of computers with malware and stealing millions from unsuspecting victims. KrebsOnSecurity, April 20, 2016




Friday, April 22, 2016

Self-Improvement


Monday, April 18, 2016

Cybersecurity Vulnerability and Patch Report for the Week of April 17, 2016

 

CYBERSECURITY VULNERABILITY AND PATCH REPORT

 

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP


Important Security Updates

AVG Free Edition: AVG has released version 2016.0.7539 of its 64 and 32 bit Free Edition. Updates are available on AVG’s website.

Comodo Free Firewall: Comodo has released version 8.2.0.5005 of its free firewall. Updates are available from Comodo’s website.

Comodo Internet Security: Comodo has released version 8.2.0.5005 of its free security suite. Updates are available from Comodo’s website.

Mozilla Firefox: Mozilla has released version 45.0.2. Updates are available within the browser or from Mozilla’s website.

Google Chrome: Google has released Google Chrome version 50.0.2661.75. Updates are available from within the browser or from Google Chrome’s website.

LastPass for Windows: LastPass has released version 4.1.6 of LastPass for Windows. Updates are available from the LastPass website.

Microsoft Patch Tuesday: Microsoft’s Patch Tuesday released 13 updates to address at least 29 vulnerabilities, some of which are highly critical within Windows operating systems, Internet Explorer, Office, and other Microsoft products. Additional details are available at Microsoft’s website.

Opera: Opera has released version 36.0.2130.65. Updates are available from within the browser or from Opera’s website.

Skype: Skype has released Skype 7.22.0.109. Updates are available from the program or Skype’s website.

WordPress: WordPress has released version 4.5. Updates are available from within the application or from the WordPress website.

Current Software Versions

Adobe Flash 21.0.0.213 [Windows 7: IE, Firefox, Mozilla]
Adobe Flash 21.0.0.213 [Windows 8: IE]
Adobe Flash 21.0.0.213 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader DC 2015.010.20060
Dropbox 3.18.1 [Citadel warns against relying on security of Dropbox or other cloud-based file exchange systems. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the master Dropbox [or other] password be at least 15 characters long and different from other passwords.]
Firefox 45.0.1 [Windows]
Google Chrome 50.0.2661.75
Internet Explorer 11.0.9600.18161
Java SE 8 Update 77 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.9 [Citadel recommends removing QuickTime. On April 14, ars technica reported that Apple has no plans to update the Windows app despite at least two reliable QuickTime vulnerabilities that threaten Windows users who still have the program installed.]
Safari 9.1 [Mac OS X Mavericks, Yosemite, El Capitan]
Skype 7.22.0.109

For Your IT Department

Cisco Multiple Products: Cisco reports patched vulnerabilities in its Cisco Unified Computing System Platform Emulator, Catalyst Switches running Cisco IOS Software releases prior to 15.2(2)E1, UCS Central Software releases 1.3(1b) and prior, Unity Connection versions 11.0 and prior, and IOS XR Software Releases 4.2.3, 4.3.0, 4.3.4, and 5.3.1 running on Cisco ASR 9000 Series Aggregation Services Routers. Apply updates. Additional details are available at Cisco’s website.

McAfee Web Gateway: McAfee has released an update for its Web Gateway to fix at least five vulnerabilities. Additional details are available at McAfee’s website.

Novell Open Enterprise Server: Novell has released an update to fix multiple vulnerabilities in its Open Enterprise Server versions 11.2 and 2015 (OES 11 SP2 and OES 2015). For version 11.2 apply patch oes11sp2-samba-10894. For version 2015 apply patch oes2015-samba-10895. Additional details are available at Novell’s website.

VMware Client Integration Plugin: VMware has released updates for its Client Integration Plugin that affects vCenter Server, vCloud Director (vCD), and vRealize Automation (vRA). Apply update. Additional details are available at VMware’s website.

If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2016 Citadel Information Group. All rights reserved.




SecurityRecruiter.com's Security Recruiter Blog