Monday, November 24, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of November 24, 2014


CYBER SECURITY NEWS OF THE WEEK

 

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP


Cyber Crime

Detroit Mayor Duggan: Detroit database held for ransom: Detroit — Mayor Mike Duggan detailed Monday how Detroit has been victimized by cyber crimes, including how a city database was frozen in April and held for ransom. The Detroit News, November 17, 2014
Link Found in Staples, Michaels Breaches: The breach at office supply chain Staples impacted roughly 100 stores and was powered by some of the same criminal infrastructure seen in the intrusion disclosed earlier this year at Michaels craft stores, according to sources close to the investigation. KrebsOnSecurity, November 17, 2014
Phishing Attack Leads to Title Firm Breach: Title insurance and mortgage services provider Fidelity National Financial is notifying an unspecified number of customers that their personal information may have been accessed by hackers, after its employees were compromised by a phishing attack. BankInfoSecurity, October 30, 2014

Cyber Privacy

Privacy push means free encryption for websites: Secure network connections protect people against snooping and criminals, but it’s a hassle for websites. Mozilla, Cisco, the Electronic Frontier Foundation and others want to change that. CNet, November 18, 2014
Facebook: You post it, we can see it, and that’s that: Facebook lets its users control whether other people can see the information they post, but when it comes to controlling what Facebook itself gets to see, privacy-conscious users are out of luck. PCWorld, November 14, 2014

Cyber Warning

Now e-cigarettes can give you malware: E-cigarettes may be better for your health than normal ones, but spare a thought for your poor computer – electronic cigarettes have become the latest vector for malicious software, according to online reports. The Guardian, November 21, 2014
‘Sophisticated’ Android malware hits phones: Hundreds of thousands of Android phones have been infected with malware that uses handsets to send spam and buy event tickets in bulk. BBC, November 21, 2014
Hackers post webcam, security camera, baby monitor video online: A child playing in Bucheon, South Korea. An empty crib in Absecon, New Jersey. Cattle feeding in Behamberg, Austria. Footage from more than 100 countries is being streamed from bedrooms, office buildings, shops, laundromats, stables and barns. CBC News, November 20, 2014

Cyber Security Management

Mobile: How to Say ‘Yes’ Securely: When Amazon recently announced the pending release of its Android-based Kindle Fire, pre-sales hit 95,000 orders in a single day. How many of these new mobile devices will end up in the workplace when the Kindle Fire hits the streets on Nov. 15? BankInfoSecurity, October 4, 2011

Cyber Security Management – Cyber Defense

Privacy advocates release free ‘Detekt’ tool that finds surveillance malware: A free tool released Thursday allows users to scan their computers for surveillance malware that has been used in attacks against journalists, human rights defenders and political activists around the world. PCWorld, November 20, 2014
Why Cyber Security Starts At Home: Even the grandmas on Facebook need to know and practice basic security hygiene, because what happens anywhere on the Internet can eventually affect us all. DarkReading, November 17, 2014

Cyber Security Management – Cyber Update

Microsoft patches critical Windows Server vulnerability: Microsoft has released an out-of-band update, designated MS14-068, to address a critical vulnerability in server versions of Windows, including Server Core. ZDNet, November 18, 2014

National Cyber Security

Steptoe Cyberlaw Podcast, Episode #43: An Interview with Ambassador Daniel Sepulveda: Our guest this week is Amb. Daniel Sepulveda, the man charged with managing the U.S. relationship with the International Telecommunications Union. The ambassador helps us make sense of the recent ITU meeting in Busan, South Korea, where efforts to validate a greater government role in internet affairs seem to have been turned back for another four years. Markham Erickson, a Steptoe partner specializing in internet law, also joins regulars Jason Weinstein, Michael Vatis, and me. LawFare, November 21, 2014
State Department Targeted by Hackers in 4th Agency Computer Breach: The State Department on Sunday became the fourth government agency to announce a breach of its computer systems in recent weeks, after an infiltration forced the agency to temporarily shut down its unclassified email system and public websites. The New York Times, November 16, 2014

Critical Infrastructure

NSA chief admits China could cripple U.S. power grid, financial networks: China and “probably one or two” other countries could shut down critical computer networks that could force U.S. power and water grids, aviation systems, and financial services offline. ZDNet, November 20, 2014
Hackers attacked the U.S. energy grid 79 times this year: In fiscal year 2014, there were 79 hacking incidents at energy companies that were investigated by the Computer Emergency Readiness Team, a division of the Department of Homeland Security. There were 145 incidents the previous year. CNN, November 18, 2014

Cyber Misc

Anonymous hackers to Ferguson police: ‘We are the law now’: Hackers with the group, Anonymous, sent a stark message to police in Ferguson, as well as to Ku Klux Klan members assembled at the scene, to be on guard — that any injuries to protesters will be duly noted. The Washington Times, November 21, 2014


Weekend Vulnerability and Patch Report, November 23, 2014


Important Security Updates

Apple iOS: Apple has released version 8.1.1 of its iOS to fix at least 5 highly critical vulnerabilities, a weakness, and security issues reported in previous versions. The update is available through the devices or through Apple’s website.
Apple OS X: Apple has released updates for OS X to fix highly critical weaknesses and vulnerabilities. Update to version 10.10.1. Updates are available from Apple’s website.
Apple TV: Apple has released version 7.0.2 for Apple TV to fix at least 2 highly critical vulnerabilities. Updates are available through the device or Apple’s website.
AVG Free Edition: AVG has released version 2015.0.5577 of its 32-bit Free Edition. Updates are available on AVG’s website.
Google Chrome: Google has released Google Chrome version 39.0.2171.65 to fix at least 13 vulnerabilities, some of which are highly critical. Updates are available from within the browser or from Google Chrome’s website.
Opera: Opera has released version 25.0.1614.71 to fix moderately critical unpatched vulnerabilities. Updates are available from within the browser or from Opera’s website.
Skype: Skype has released Skype 6.22.0.106. Updates are available from the program or Skype’s website.

Current Software Versions

Adobe Flash  15.0.0.223 [Windows 7: IE]
Adobe Flash  15.0.0.223 [Windows 7: Firefox, Mozilla]
Adobe Flash  15.0.0.223 [Windows 8: IE]
Adobe Flash  15.0.0.223 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.09
Dropbox 2.10.50 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 33.1.1
Google Chrome 39.0.2171.65
Internet Explorer 11.0.9600.17420
Java SE 8 Update 25 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.6
Safari 5.1.7 
Safari 7.1 [Mac OS X]
Skype 6.22.0.106

Newly Announced Unpatched Vulnerabilities

None
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports Cisco has released updates for IOS, Unified Communications Manager, and others. Apply patches.
Microsoft Kerberos: KrebsOnSecurity.com reports that Microsoft has released an update for Kerberos to fix critical vulnerabilities in the Kerberos protocol. Additional details are available from Microsoft’s website.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.



Saturday, November 22, 2014

NSA Chief Warns Chinese Cyber Attacks Could Compromise U.S. Plans



China and “probably one or two” other countries have the ability to invade and possibly shut down computer systems of U.S. power utilities, aviation networks and financial companies, Admiral Mike Rogers, the director of the U.S. National Security Agency (NSA), said on Thursday.
Testifying to the House of Representatives Intelligence Committee on cyber threats, Rogers said digital attackers have been able to penetrate such systems and perform “reconnaissance” missions to determine how the networks are put together.
National Security Agency (NSA) Director Michael Rogers testifies before a House (Select) Intelligence Committee hearing on “Cybersecurity Threats: The Way Forward” on Capitol Hill in Washington November 20, 2014.
“What concerns us is that access, that capability can be used by nation-states, groups or individuals to take down that capability,” he said.

Read more at http://americanlivewire.com/2014-11-21-nsa-chief-warns-chinese-cyber-attacks-compromise-u-s-plans/

Monday, November 17, 2014

IT Risk Management Jobs: Information Security Risk Management Analyst, Southern Wisconsin, Great Relocation Package


Information Security Risk Management Analyst
WI-Southern
$100,000s, Profit Sharing
Relocation: Yes
Education: BA/BS, Masters Preferred
Certification: CISSP, CRISC, CISM, CISA, CISRCP

SecurityRecruiter.com has been engaged to add information security risk management talent to a growing information security / risk management team.  Our client’s story is one of global success.  This role will carry an internal Manager title but will not have management responsibility.  It is an individual contributor role.

The hiring authority and several of his peers have former CISO experience.  The CISO is an individual we have known for many years.

This position is responsible for managing enterprise information security risk on a global basis.  The team is responsible for Governance, Intelligence and Information Security Risk.  The Risk Analyst / Manager will roll out a formal approach to managing information security risk across technology platforms and business environments.

This role and the entire information security program has executive support from the top of this global company.  The risk management program is based on goals, principles and strategy of the company’s global enterprise security strategy. 

Our client is an equal opportunity employer that values diversity.

Responsibilities:

      Interact with all levels of business to align and to define and manage controls that reflect business and operational needs balanced with legal, regulatory requirements and risks.
      Develop and prepare general reporting and analysis of information security risk activities, including developing dashboards, trend analysis and alerts.
      Travel significantly as needed – up to 15%
      Participate in enterprise risk assessments and the development of risk management plans across the enterprise.
      Analyze information security and business data to gain deep business knowledge and insight on security risk posture.
      Manage the Information Security Risk program that defines how information security risk is measured, articulated and reported.
      Assess security control effectiveness and efficiency while facilitating governance within the Enterprise Information Security Management Framework.
      Implement tools and controls to measure and articulate current risk levels and ensure that results are understood by stakeholders.  Design communication programs to communicate business risks from cyber threat sources.
      Work across the enterprise with Directors of Information Technology, the Director Information Security Operations, Physical Security and others in the management of the Global Information Security Program.
      Ensure the ongoing integration of information security with business strategies and requirements.
      Drive remediation plans for audit / compliance related findings.
      Build strong relationships and partner closely with business partners.
      Perform data collection and statistical data analysis and understanding, ensure data quality, and develop tracking and reporting systems to determine the information security risk posture of the organization.
      Document action plans and report on issue status for Information Security Risk as needed.
      Identify and evaluate business and technology risks, internal controls which mitigate risks, and related opportunities for internal control improvement.
      Actively participate in decision making with engagement management and seek to understand the broader impact of current decisions.

Qualifications

Required

      BA/BS in information technology, business administration, or IT-related field.
      5+ years Information Security and IT Risk Management experience.
      3+ years of experience performing risk assessments, experience with internal controls, business process security audits and internal IT control testing or operational auditing.
      3+ years of experience interfacing with business leaders.
      3+ years of experience managing relationship across many lines of business.
      Relationship building, influence and communication skills are critical.
      Global experience is greatly appreciated.
      Must be able to pass a background screening process.

Preferred

      Desirable certifications include: CISSP, CISM, CISA, CRISC, CISRCP
      Familiarity with security industry standards (ISO 17799, COBIT, NIST 800 series, etc.)
      Demonstrated ability to write business and technical reports and to participate in delivering presentations.
      Experience in capturing business requirements and converting business requirements into functional and technical specifications.
      Requires excellent time management skills, ability to juggle multiple, competing priorities, with strength in identifying and implementing solutions to address the critical needs.  Ability to work in a fast-paced environment. 
      Ability to prioritize workload and meet deadlines
      Strong understanding and appreciation for the value and use of Information Security Intelligence programs and capabilities.
      Superior written, presentation, and verbal communication skills.
      Exceptional organizational, interpersonal and team skills.
      Ability to take a broad view of his/her position and take initiative to communicate, interact and cooperate with others to ensure that all aspects of a task are addressed.
      Project management experience, including business/process analysis, documenting gaps, and process improvement.

Apply for this position on SecurityRecruiter.com or call Jeff at 719.686.8810 

 https://www.securityrecruiter.com/submit_resume_and_profile.php


Jeff Snyder's, SecurityRecruiter.com, Security Recruiter Blog, 719.686.8810 


Cyber Security News, Education and Vulnerability Patch Report for the Week of November 17, 2014



CYBER SECURITY NEWS OF THE WEEK

 

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP


Cyber Crime

Sheriff’s department files held for ransom by malware: The “Cryptowall” malware demanded more than $500 from the Dickson County Sheriff’s Office to unlock its case files. UPI, November 13, 2014
Home Depot Breach Costs CUs $60M: The Home Depot data breach cost credit unions almost $60 million, nearly twice as much as the Target breach, according to survey results released by CUNA Thursday. CreditUnionTimes, October 30, 2014

Cyber Attack

How Cyber Crime Gang Targets Travelling Executives Through Hotel Wi-Fi: A stealth gang of cyber criminals have carefully targeted travelling executives through hotel Wi-Fi connections in Asia over the past four years and are still active today, according to a report from a leading security firm. ABC News, November 10, 2014

Cyber Privacy

Evidence implicates government-backed hackers in Tor malware attacks: A hacker who was surreptitiously injecting malicious code in downloads in to part of the Tor network has been linked to a series of government-sponsored cyber attacks. The Guardian, November 14, 2014
ISPs Removing Their Customers’ Email Encryption: Recently, Verizon was caught tampering with its customers’ web requests to inject a tracking super-cookie. Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers’ data to strip a security flag—called STARTTLS—from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client. Electronic Frontier Foundation, November 11, 2014

Financial Cyber Security

Default ATM passcodes still exploited by crooks: Once again, ATMs have been “hacked” by individuals taking advantage of default, factory-set passcodes. HelpNetSecurity, November 14, 2014

Cyber Warning

Homeland Security Warns iPod, iPhone Users To Watch Out For iOS 8 Masque Attack: Reiterating a software security firm’s warning to iOS users, the Department of Homeland Security’s U.S. Computer Emergency Readiness Team is asking PC and mobile device users to avoid downloading apps outside of Apple’s App Store. TechTimes, November 13, 2014
Hackers exploit NFC phone payment technology: Several bugs in Near Field Communication (NFC) payment systems have been found by security experts. BBC, November 13, 2014
POS Malware Continues To Evolve: With a little over two weeks until the holiday shopping season kicks off in earnest, a picture of the evolution of point of sale (POS) malware has come into focus with a number of recent pieces of research of late. A common theme recurring throughout is that POS malware is increasingly maturing with different packages and families refined for specific attack scenarios. DarkReading, November 11, 2014
GONE IN 30 MINUTES: THE RISE OF MANUALLY HACKED EMAIL ACCOUNTS: Email hackers have long since learned how to automate their attacks in order to compromise as many accounts as possible in the shortest time frame. But sometimes the old-fashioned ways of doing things are the best and that is exactly what a new report from Google has discovered. Security-FAQs, November 10, 2014

Cyber Security Management

What We Mean by Maturity Models for Security: The aim is to assess the current state of security against a backdrop of maturity and capability to translate actions into goals that even non-security people can grasp. DarkReading, November 12, 2014

Cyber Security Management – Cyber Defense

Google’s VirusTotal puts Linux malware under the spotlight: As Linux malware matures, Google’s malware checker will give samples the same treatment as those uploaded for Windows. ZDNet, November 12, 2014

Cyber Security Management – Cyber Update

Adobe, Microsoft Issue Critical Security Fixes: Adobe and Microsoft today each issued security updates to fix critical vulnerabilities in their software. Microsoft pushed 14 patches to address problems in Windows, Office, Internet Explorer and .NET, among other products. Separately, Adobe issued an update for its Flash Player software that corrects at least 18 security issues. KrebsOnSecurity, November 11, 2014

Cyber Underworld

Network Hijackers Exploit Technical Loophole: Spammers have been working methodically to hijack large chunks of Internet real estate by exploiting a technical and bureaucratic loophole in the way that various regions of the globe keep track of the world’s Internet address ranges. KrebsOnSecurity, November 13, 2014

National Cyber Security

Steptoe Cyberlaw Podcast, Episode #42: An Interview with Orin Kerr: We share the program this week with Orin Kerr, a regular guest who knows at least as much as we do about most of these topics and who jumps in on many of them. Orin, of course, is a professor of law at George Washington University and well-known scholar in computer crime law and Internet surveillance. Lawfare, November 13, 2014
NOAA Blames China In Hack, Breaks Disclosure Rules: The National Oceanic and Atmospheric Administration finally confirms that four websites were attacked and taken down in September, but details are sketchy and officials want answers. DarkReading, November 13, 2014

Cyber Sunshine

Identity theft conviction nets 9 years in prison for organized cybercrime member: Tony Soprano had nothing on the made men of Carder.su, an organized cybercrime ring that federal prosecutors say stole more than $50 million in an identity theft and credit card scam. Consumer Affairs, November 13, 2014



Weekend Vulnerability and Patch Report, November 17, 2014


Important Security Updates

Adobe Flash Player: Adobe has released version 15.0.0.223 to fix at least 18 highly critical vulnerabilities reported in previous versions. Updates are available from Adobe’s website. Updates are also available for AIR.
Dropbox: Dropbox has released version 2.10.50 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel's warning below]
Google Chrome: Google has released Google Chrome version 38.0.2125.122. Updates are available from within the browser or from Google Chrome’s website.
Microsoft Patch Tuesday: Microsoft’s Patch Tuesday released 9 updates to address at least 24 vulnerabilities, some of which are highly critical within Windows, Internet Explorer, Office, Word, .NET, Windows Flash Player, Sharepoint, and other Microsoft products.
Mozilla Firefox: Mozilla has released version 33.1.1 for Firefox. Updates are available within the browser or from Mozilla’s website.
Mozy Free Edition: Mozy has released version 2.28.0. Updates are available on Mozy’s website.
Siber Systems RoboForm: Siber Systems has released version 7.9.11 of RoboForm. Updates are available from within the program (look for the “Check New Version” button on the Options menu) or as a download from the RoboForm website.
Skype: Skype has released Skype 6.22.81.105. Updates are available from the program or Skype’s website.

Current Software Versions

Adobe Flash  15.0.0.223 [Windows 7: IE]
Adobe Flash  15.0.0.223 [Windows 7: Firefox, Mozilla]
Adobe Flash  15.0.0.223 [Windows 8: IE]
Adobe Flash  15.0.0.223 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.09
Dropbox 2.10.50 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 33.1.1
Google Chrome 38.0.2125.122
Internet Explorer 11.0.9600.17420
Java SE 8 Update 25 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.6
Safari 5.1.7 
Safari 7.1 [Mac OS X]
Skype 6.22.81.105

Newly Announced Unpatched Vulnerabilities

None
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports Cisco has released an update to fix 6 moderately critical vulnerabilities in Unified Intelligent Contact Management Enterprise. Please contact the vendor for details about an update: the bug report CSCup24074 indicates a fixed status; however, no dedicated fixed versions are mentioned. Secunia also reports a security issue and 2 unpatched moderately critical vulnerabilities in Cisco’s Unified IP Phones 7900 Series. No official solution is currently available.
Novell GroupWise: Secunia reports an unpatched security issue in Novell’s GroupWise reported in versions 8.x, 2012 and 2014. No official solution is available.
Novell Open Enterprise Server: Secunia reports an update to Novell’s Open Enterprise Server to fix 3 highly critical vulnerabilities. Apply patch oes11sp1-MozillaFirefox-9814.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.



