Monday, March 20, 2017

Cyber Security Vulnerability and Patch Report, March 19, 2017


CYBERSECURITY VULNERABILITY AND PATCH REPORT

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP


Important Security Updates

Adobe Flash Player: Adobe has released version 25.0.0.127. Updates are available from Adobe’s website. To see which version you have, go to Adobe’s web page. Adobe AIR was also updated.
Adobe Shockwave Player: Adobe has released version 12.2.8.198 of Shockwave Player running on Windows and Macintosh. Updates are available through the program or from Adobe’s Shockwave Web Site.
Google Drive: Google has released version 1.32.4889.9221 of Google Drive. Updates are available from Google’s website.
Google Chrome: Google has released Google Chrome version 57.0.2987.110. Updates are available from within the browser or from Google Chrome’s website.
LastPass: LastPass has released version 4.1.42 for its Free Password Manager. Updates are available from LastPass’ website.
Microsoft Patch Tuesday: Microsoft’s March Patch Tuesday, which also covers the February release Microsoft had postponed, delivered 18 update bundles fixing dozens of vulnerabilities, several of them rated critical, in Windows, Microsoft Edge, Internet Explorer, Office, and other Microsoft products. Additional details are available at Microsoft’s website.
Mozilla Firefox: Mozilla has released version 52.0.1. Updates are available within the browser or from Mozilla’s website.
Piriform CCleaner: Piriform has released version 5.28.6005 for CCleaner. Updates are available from Piriform’s website.
Skype: Skype has released Skype 7.33.0.105. Updates are available from the program or Skype’s website.

Current Software Versions

Adobe Flash 25.0.0.127
Adobe Reader DC 2015.023.20070
Dropbox 21.4.25 [Citadel warns against relying on the security of Dropbox or other cloud-based file exchange systems. We recommend that files containing sensitive information be independently encrypted with a program like AxCrypt before they are placed in the shared folder; that the encryption passphrase be at least 15 characters long; and that the master Dropbox (or other service) password be at least 15 characters long and different from other passwords.]
Firefox 52.0.1 [Windows]
Google Chrome 57.0.2987.110
Internet Explorer 11.0.9600.18538
Java SE 8 Update 121 [Citadel recommends removing or disabling Java in your browser. Java is a major source of cyber criminal exploits and is not needed for most internet browsing. If a particular web site requires Java, Citadel recommends a two-browser approach to minimize risk: if you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser with Java enabled only for the sites that require it. Note that Chrome (since version 45) and Firefox 52 no longer load the Java plugin at all and Edge has never supported plugins, so on Windows that alternative browser is, in practice, Internet Explorer 11.]
Microsoft Edge 40.15042.0
QuickTime 7.7.9 [Citadel recommends removing QuickTime. On April 14, 2016, US-CERT advised Microsoft Windows users to remove QuickTime. This followed a report in ars technica that Apple has no plans to update the Windows app despite at least two known QuickTime vulnerabilities that threaten Windows users who still have the program installed.]
Safari 10.0.3 [Mac OS X Mavericks, Yosemite, El Capitan]
Skype 7.33.0.105
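A practical way to act on a table like the one above is to compare it against what is actually installed. The script below is an added example and is not part of Citadel’s report: the report’s own version list is copied in as REPORT_VERSIONS, while the installed inventory (INSTALLED_SAMPLE) and the advisory labels are constructed for the demonstration. The one point worth seeing in code is that version strings must be compared field by field as numbers, not as text; a string comparison ranks last week’s Chrome 57.0.2987.98 above this week’s 57.0.2987.110.

```python
"""Audit an installed-software inventory against a patch report's
"Current Software Versions" table.

Added example; not part of Citadel's report.  REPORT_VERSIONS is copied
from the March 19, 2017 table.  INSTALLED_SAMPLE is a constructed
inventory for demonstration; in practice it would come from the package
manager, the Windows registry, or an inventory tool.

Versions are compared numerically, field by field.  A plain string
comparison gets Chrome wrong: as text, "57.0.2987.98" sorts after
"57.0.2987.110" even though it is the older build.
"""
import re
from typing import Dict, List, Tuple

# Current versions as published in the report (product -> version).
REPORT_VERSIONS: Dict[str, str] = {
    "Adobe Flash": "25.0.0.127",
    "Adobe Reader DC": "2015.023.20070",
    "Dropbox": "21.4.25",
    "Firefox": "52.0.1",
    "Google Chrome": "57.0.2987.110",
    "Internet Explorer": "11.0.9600.18538",
    "Java SE 8": "8 Update 121",
    "Microsoft Edge": "40.15042.0",
    "QuickTime": "7.7.9",
    "Safari": "10.0.3",
    "Skype": "7.33.0.105",
}

# The report's standing advice that applies regardless of version
# (labels are this example's own, not the report's wording).
ADVISORIES: Dict[str, str] = {
    "QuickTime": "REMOVE",               # Apple no longer patches the Windows app
    "Java SE 8": "DISABLE_IN_BROWSER",
    "Dropbox": "ENCRYPT_SENSITIVE_FILES",
}

# Constructed sample inventory for one workstation.
INSTALLED_SAMPLE: Dict[str, str] = {
    "Google Chrome": "57.0.2987.98",     # one build behind the report
    "Firefox": "52.0.1",
    "Skype": "7.32.0.104",               # last week's version
    "QuickTime": "7.7.9",                # current, but should be removed
    "Adobe Flash": "25.0.0.127",
    "7-Zip": "16.04",                    # not covered by the report
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '57.0.2987.110' or '8 Update 121' into a tuple of ints.

    Every run of digits becomes one field: '8 Update 121' -> (8, 121),
    '2015.023.20070' -> (2015, 23, 20070).  Tuples compare element by
    element, which is the ordering a version number needs.
    """
    fields = tuple(int(n) for n in re.findall(r"\d+", text))
    if not fields:
        raise ValueError(f"no numeric fields in version {text!r}")
    return fields


def compare_versions(a: str, b: str) -> int:
    """Return -1 if a < b, 0 if equal, 1 if a > b.

    Shorter versions are padded with zeros, so '52.0' equals '52.0.0'.
    """
    fa, fb = parse_version(a), parse_version(b)
    width = max(len(fa), len(fb))
    fa += (0,) * (width - len(fa))
    fb += (0,) * (width - len(fb))
    return (fa > fb) - (fa < fb)


def audit(installed: Dict[str, str],
          report: Dict[str, str] = REPORT_VERSIONS,
          advisories: Dict[str, str] = ADVISORIES) -> List[Tuple[str, str, str]]:
    """Return one (product, status, note) finding per installed product.

    status is OUTDATED, OK, AHEAD (newer than the report, e.g. a beta
    channel) or UNKNOWN (the report does not cover it).  note carries the
    version comparison plus any standing advisory.
    """
    findings: List[Tuple[str, str, str]] = []
    for product, have in installed.items():
        want = report.get(product)
        if want is None:
            status, note = "UNKNOWN", "not covered by the report"
        else:
            order = compare_versions(have, want)
            status = {-1: "OUTDATED", 0: "OK", 1: "AHEAD"}[order]
            note = f"installed {have}, report lists {want}"
        if product in advisories:
            note += f"; advisory: {advisories[product]}"
        findings.append((product, status, note))
    return findings


if __name__ == "__main__":
    for product, status, note in audit(INSTALLED_SAMPLE):
        print(f"{status:8} {product}: {note}")
```

Run against the sample inventory, the audit flags Chrome and Skype as OUTDATED, reports 7-Zip as UNKNOWN, and attaches the REMOVE advisory to QuickTime even though its version matches the table.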

For Your IT Department

Cisco Multiple Products: Cisco has released updates to address vulnerabilities in Apache Struts 2, IOS and IOS XE, Mobility Express 1800, Meshed Wireless LAN Controller, Workload Automation and Tidal Enterprise Scheduler, StarOS SSH, Web Security Appliance, WebEx Meetings Server, UCS Director, Unified Communications Manager, TelePresence, Prime Service, Nexus 9000 Series Switches, Prime Optical, Prime Infrastructure, Nexus 7000 Switches, Adaptive Security Appliance, and others. Apply updates. Additional details are available at Cisco’s website.
VMware Multiple Products: VMware has released updates to address vulnerabilities in Apache Struts 2, Workstation and Fusion, and others. Apply updates. Additional details are available at VMware’s website.

 *******************
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2017 Citadel Information Group. All rights reserved.

 

Jeff Snyder, SecurityRecruiter.com, Jeff Snyder Coaching, Security Recruiter Blog, 719.686.8810



Cyber Security News of the Week, March 19, 2017

CYBERSECURITY NEWS

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP



Secure The Village

Secure The Village — Events

SecureTheVillage & LA Networks team up for Cybersecurity Roundtable. C-Suite. IT Dirs. Brkfst. Glendale: LA Networks and SecureTheVillage are hosting a cybersecurity seminar that will feature experts in law enforcement, information security, and insurance. Join us for an informative SecureTheVillage Cybersecurity Roundtable and Q&A as we dive into the multi-billion dollar world of cybercrime and learn how to protect your company against a cybersecurity chess match. Secure the Village, Date: March 21, 2017
Financial Services Cybersecurity Roundtable, Speaker: National Cyber-Forensics and Training Alliance. The Financial Services Cybersecurity Roundtable is a cross-organizational “learning community” committed to working together to better protect our community from bank fraud, credit card theft, identity theft and other forms of cyber crime. City National Bank, April 7, 2017, 7:30 – 10:00AM
Pasadena / Glendale Cybersecurity Roundtable. Speaker: Warren Kato, LA County DA Office, “Cyber-Crime: The Anatomy of a Breach.” The Pasadena Cybersecurity Roundtable is designed to support communication and collaboration between C-Suite executives and cybersecurity experts. This roundtable is intended for both for-profits and not-for-profits and functions as a cross-organizational “learning community” committed to working together to better protect our community from cybercrime. April 13, 7:30 – 10:00AM
SecureTheVillage Board Member Howard Miller to speak at College of Canyons Cybersecurity Breakfast Briefing. 4/21: Be instructed in the latest on Cybersecurity from a panel of industry experts. College of the Canyons, Date: April 21, 2017

SecureTheVillage — Other

Los Angeles Business Journal honors three SecureTheVillage Leadership Council members as finalists for this year’s CTO of the Year awards. Hersel Shoumer, President of LA Networks. Dave Watts, President of NetFusion. Stan Stahl, President of SecureTheVillage and Citadel Information Group. Also honored are Citadel co-founder, Kimberly Pease and Shawn Aminian, Vice President, Information Technology and CIO at Children’s Institute, one of LA’s important nonprofits serving the at-risk community, and a Citadel client. Awards Ceremony: Wednesday, March 22, 6:00PM – 8:30 PM, Casa Del Mar
Leadership Council Member, Louie Sadd, Pres of Datastream IT, Honored as Glendale CofC Man of Year: Congratulations to all of our honorees and our sincere appreciation for their contributions to the Glendale business community. Please join us as we celebrate their accomplishments and look forward to this year’s State of the City Address presented by Mayor Paula Devine! Glendale Chamber of Commerce, Date: March 22, 2017

Individuals at Risk

Identity Theft

Govt. Cybersecurity Contractor Hit in W-2 Phishing Scam: Just a friendly reminder that phishing scams which spoof the boss and request W-2 tax data on employees are intensifying as tax time nears. The latest victim shows that even cybersecurity experts can fall prey to these increasingly sophisticated attacks. KrebsOnSecurity, March 17, 2017

Cyber Privacy

FCC says your cybersecurity and privacy isn’t our problem: The new FCC chairman hasn’t wasted any time getting down to business. That is, the business of burning consumer privacy and security to the ground. engadget, March 17, 2017

Cyber Update

Adobe, Microsoft Push Critical Security Fixes: Adobe and Microsoft each pushed out security updates for their products today. Adobe plugged at least seven security holes in its Flash Player software. Microsoft, which delayed last month’s Patch Tuesday until today, issued an unusually large number of update bundles (18) to fix dozens of flaws in Windows and associated software. KrebsOnSecurity, March 14, 2017

Cyber Warning

Newly Discovered WhatsApp Security Flaw Allows Hackers to Access User Account Details & Information: Maintaining a high level of security while being online is no easy task. There are various ways of protecting oneself from all the bad elements on the Internet. Some use virtual private networks while others use encryption. As for WhatsApp, encryption has been chosen as a means of securing messages sent between users. MobiPicker, March 17, 2017

Cyber Defense

Basic password security tips to help you foil hackers: NEW YORK — Details from this week’s federal indictment of Russian hackers charged with compromising hundreds of millions of Yahoo accounts reveal that many people are still not taking routine precautions to safeguard their email accounts — and hackers are exploiting that. CBS, March 17, 2017
Ask.com toolbar being used again to deliver malware. Users should remove it: Businesses that allow the Ask.com toolbar in their environments might want to rethink that after endpoints equipped with the browser add-on were compromised last November and then again the very next month using pretty much the same attack methods. NetworkWorld, March 17, 2017
Cyber crime prevention class to be offered by Police in Simi Valley on April 13: Simi Valley police and the FBI will be offering a cyber-crime prevention class on April 13. Ventura County Star, March 16, 2017

Information Security Management in the Organization

Information Security Management and Governance

HR data security: 5 questions to ask IT today: It can be comforting to think that the people safeguarding your company’s network have it all under control, but before you add even one more sensitive file, find out just how secure your systems are by asking IT these questions…Business Insider, March 17, 2017
Hackers’ delight: Businesses put selves at risk for invasion: NEW YORK — Randell Heath isn’t sure how hackers got into his company’s website — all he knows is a supplier called, saying the site had become an online store selling Viagra and Cialis. USA TODAY, March 17, 2017
A cybersecurity risk assessment is a critical part of M&A due diligence: As of mid-February, the plan for Verizon Communications to acquire a majority of Yahoo’s web assets is still on, despite the announcement of Yahoo having suffered two massive breaches of customer data in 2013 and 2014. The sale price, however, has been discounted by $350 million, and Verizon and Altaba Inc. have agreed to share any ongoing legal responsibilities related to the breaches. Altaba is the entity that will own the portion of Yahoo that Verizon is not acquiring. NetworkWorld, March 17, 2017
Cybersecurity & M&A Due Diligence Process – A 2016 NYSE Governance Services / Veracode Survey Report: 2015 was a phenomenal year for mergers and acquisitions around the globe: Shell, AT&T, Kraft Heinz, Kinder Morgan, Charter Communications, Albertsons, Anthem, Dell, and Aetna, to name a few. NYSE Governance Services, 2016

Cyber Awareness

How did Yahoo get breached? Employee got spear phished, FBI suggests: SAN FRANCISCO—The indictment unsealed Wednesday by US authorities against two agents of the Russian Federal Security Service, or FSB, (Dmitry Dokuchaev and Igor Sushchin) and two hackers (Alexsey Belan and Karim Baratov) provides some details of how Yahoo was pillaged of user data and its own technology over a period of over two years. But at a follow-up briefing at the FBI office here today, officials gave fresh insight into how they think the hack began—with a “spear phishing” e-mail to a Yahoo employee early in 2014. ars technica, March 15, 2017
Nudging Towards Security – Part 4, Sahil Bansal: Traditional Approach of Security Communications – Employees behave in a particular way because there is something that motivates them to do so. Traditionally, the information security teams of organizations have relied on fear as a motivator to drive the right behavior. Highlighting the consequences of not following the right process, citing cases where extreme actions were taken on employees, exaggerating situations to scare employees into believing terrible outcomes could occur, information security has always been about locking down things and scaring the hell out of people. Clearly, it hasn’t worked. SANS, March 9, 2017

Cyber Warning

Unpatched flaw opens Ubiquiti Networks devices to compromise: A critical vulnerability in many of Ubiquiti Networks’ networking devices can be exploited by attackers to take over control of the device and, if that device acts as a router or firewall, to take over the whole network. HelpNetSecurity, March 17, 2017

Cyber Defense

Five Make-It-Happen Defense Strategies Based Upon Improved Use of Automation: Here are five ways we can become more effective for our organizations. Dark Reading, March 17, 2017

Cyber Talent

A New Study Suggests the Serious Gender Gap in Cybersecurity Jobs Isn’t Getting Better: Johanna Vazzana knew the job she’d applied for was a stretch. Vazzana, now a cybersecurity strategist working at Mitre, was interviewing early in her career for a technical cybersecurity position with a Fortune 500 company. Though she lacked a computer science degree, she’d taught herself relevant skills and racked up certifications that she hoped would fill in the educational and experiential gaps. Slate, March 17, 2017

Cyber Security in Society

Cyber Crime

Krebs’ analysis of restaurant cyber-breach exposes POS vendor weaknesses: For the second time in the past nine months, Google has inadvertently but nonetheless correctly helped to identify the source of a large credit card breach — by assigning a “This site may be hacked” warning beneath the search results for the Web site of a victimized merchant. KrebsOnSecurity, March 16, 2017

Cyber Privacy

D.C. Circuit Court Issues Dangerous Decision for Cybersecurity: Ethiopia is Free to Spy on Americans in Their Own Homes: The United States Court of Appeals for the District of Columbia Circuit today held that foreign governments are free to spy on, injure, or even kill Americans in their own homes–so long as they do so by remote control. The decision comes in a case called Kidane v. Ethiopia, which we filed in February 2014. EFF, March 14, 2017

Cyber Attack

Attackers take control of popular Twitter app. Use it to tweet Swastikas & Turkish spam: Thousands of high-profile Twitter accounts have been spewing swastikas and spam following the hack of a popular third-party Twitter service. BankInfoSecurity, March 15, 2017

National Cyber Security

Senior British EU Official warns of significant cyber dangers. Says cooperation vital: The most senior British EU official has spoken out to warn of the need for strong security cooperation in Europe, just days before Theresa May triggers Brexit. Independent, March 17, 2017
Trump budget includes big money for cybersecurity: President Donald Trump’s proposed fiscal year 2018 budget introduced Thursday would boost cybersecurity efforts at several federal agencies, including the Pentagon, the Treasury Department and NASA. Though less of a cross-department priority, the budget also calls for more investment in IT to help improve the management and effectiveness of government. CIO Dive, March 17, 2017
Russian Bank Says Trump Link Work of False Flag Hackers: A leading Russian bank says it was targeted by hackers who created a fake cyber trail to suggest extensive links with businesses owned by U.S. President Donald Trump. Voice Of America, March 17, 2017
Cyber War I has already begun: To each American administration, its war. Which will be Donald Trump’s? There is good reason to fear it could be the Second Korean War, with craziness in North Korea and chaos in the South. Or it could be yet another quagmire in the Middle East. Trump’s most excitable critics keep warning that World War III will happen on his watch. But I am more worried about Cyber War I – especially as it has already begun. Harvard Kennedy School Belfer Center, March 15, 2017
Deterrence and Dissuasion in Cyberspace: Can states deter adversaries in cyberspace? Analogies drawn from nuclear deterrence mislead; nuclear deterrence aims for total prevention, whereas states do not expect to prevent every cyberattack. Additionally, cyber deterrence is possible even though it can be hard to identify the source of a cyberattack. Attribution problems do not hinder three of the major forms of cyber deterrence: denial, entanglement, and normative taboos. Harvard Kennedy School Belfer Center, Winter 2016/17
Stewart Baker asks NSA cyberexperts what they tell mom about cybersecurity: In this week’s episode, we ask two acknowledged NSA cybersecurity experts, Curtis Dukes and Tony Sager, both from the Center for Internet Security, what they tell their family members about how to keep their computers, phones, and doorbells safe from hackers. Steptoe Cyberblog, March 13, 2017
America must defend itself against the real national security menace: This week, we have watched the perfect example of a country fighting the last war. The Trump administration has devoted weeks of energy and political capital to rolling out its temporary travel ban against citizens of six Muslim-majority countries, none of whom, according to the libertarian Cato Institute, have committed a single deadly terrorist attack in the United States over the past four decades. Meanwhile, the White House’s response to a devastating barrage of WikiLeaks disclosures that will compromise U.S. security for years was a general vow to prosecute leakers. The Washington Post, March 9, 2017
Russian bank found communicating with server registered to Trump Organization: This spring, a group of computer scientists set out to determine whether hackers were interfering with the Trump campaign. They found something they weren’t expecting. Slate, October 31, 2016

Know Your Enemy

Churn Under the Surface of Global Cybercrime: Global cybercrime actors generally adhere to the same principle as a handyman: If it’s not broken, don’t fix it. But that’s not so easy when malware works in one area and attackers want to use it to target a new audience or geography. SecurityIntelligence, March 17, 2017
String of fileless malware attacks possibly tied to single hacker group: Several attacks observed over the past few months that rely heavily on PowerShell, open-source tools, and fileless malware techniques might be the work of a single group of hackers. PCWorld, March 17, 2017
Financial Cybercriminals Looking More Like Nation-States, says Mandiant Report: The cybercriminal-cyber espionage connection in the Yahoo breach demonstrates the security challenges facing organizations today. DarkReading, March 16, 2017
Meet the FBI’s top 5 Most Wanted for cyber crimes: Three of the four people who have been indicted in connection to a massive hack of Yahoo accounts are now on top of the FBI’s Most Wanted list for cyber crimes. CNN, March 16, 2017
Four Men Charged With Hacking 500M Yahoo Accounts: The U.S. Justice Department today unsealed indictments against four men accused of hacking into a half-billion Yahoo email accounts. Two of the men named in the indictments worked for a unit of the Russian Federal Security Service (FSB) that serves as the FBI’s point of contact in Moscow on cybercrime cases. Here’s a look at the accused, starting with a 22-year-old who apparently did not try to hide his tracks. KrebsOnSecurity, March 15, 2017

Cyber Sunshine

Russian charged with computer fraud extradited to Atlanta to stand trial: Federal authorities said a Russian hacker who allegedly hijacked victims’ computers to get banking and other financial information was brought to an Atlanta court this week to face charges. AJC, March 17, 2017
Russian Spies, Two Others, Indicted in Yahoo Hack: Two of the four individuals indicted for hacking Yahoo in 2014, exposing 500 million user accounts, work for a Russian intelligence service unit that the FBI collaborates with on international cybercrime investigations. BankInfoSecurity, March 15, 2017

Cyber Miscellany

Despite Breaches, Yahoo CEO Gets Golden Parachute: Search giant Yahoo suffered two massive data breaches during the tenure of CEO Marissa Mayer. But when the company wraps up the sale of its primary businesses to Verizon for $4.48 billion in cash, Mayer is set to exit with an extra $23 million in compensation, minus her title as head of Yahoo or CEO of the investment company Altaba being formed by what’s left. BankInfoSecurity, March 14, 2017

Sunday, March 12, 2017

Cyber Security Vulnerability and Patch Report, March 12, 2017


Important Security Updates

Dropbox: Dropbox has released version 21.4.25 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]
Google Chrome: Google has released Google Chrome version 57.0.2987.98. Updates are available from within the browser or from Google Chrome’s website.
Kaspersky Password Manager: Kaspersky has released version 8.0.6.538. Updates are available from within the program or from Kaspersky’s website.
Mozilla Firefox: Mozilla has released version 52.0. Updates are available within the browser or from Mozilla’s website.
Panda Free Antivirus: Panda Free Antivirus has released version 18.01.0. Updates are available on Panda Security’s website.
RoboForm: Siber Systems has released Version 8.3.0. Updates are available from within the program or from RoboForm’s website.
Viber: Viber has released version 6.6.1 for Windows. Updates are available on Viber’s website.

Current Software Versions

Adobe Flash 24.0.0.221
Adobe Reader DC 2015.023.20070
Dropbox 21.4.25 [See Citadel’s Dropbox warning in the March 19 report above.]
Firefox 52.0 [Windows]
Google Chrome 57.0.2987.98
Internet Explorer 11.0.9600.18538
Java SE 8 Update 121 [See Citadel’s Java recommendation in the March 19 report above.]
Microsoft Edge 40.15042.0
QuickTime 7.7.9 [See Citadel’s QuickTime recommendation in the March 19 report above.]
Safari 10.0.3 [Mac OS X Mavericks, Yosemite, El Capitan]
Skype 7.32.0.104

For Your IT Department

Cisco Multiple Products: Cisco has released updates to address the Apache Struts 2 vulnerability and multiple OpenSSL vulnerabilities affecting Cisco products, among others. Apply updates. Additional details are available at Cisco’s website.
WordPress: WordPress has released version 4.7.3 to address multiple vulnerabilities in previous versions. Update through the application.