Monday, February 17, 2014

Cyber Security News and Education for the Week of February 17, 2014

Cyber Security News of the Week

Shared with permission from our friends at Citadel Information Group

Cyber Crime

Hackers circulate thousands of FTP credentials, New York Times among those hit: Hackers are circulating credentials for thousands of FTP sites and appear to have compromised file transfer servers at The New York Times and other organizations, according to a security expert. PC World, February 13, 2014
Criminals Control, Cash Out Bank’s ATM Machines: In what could be a sign of what’s ahead in ATM fraud, a highly sophisticated and well-funded criminal gang targeted an overseas bank and commandeered at least four of its ATM machines with malware-rigged USB sticks in order to empty them of cash. DarkReading, February 13, 2014
Silk Road 2.0 ‘Hack’ Blamed On Bitcoin Bug, All Funds Stolen: The same bug that has plagued several of the biggest players in the Bitcoin economy may have just bitten the Silk Road. Forbes, February 13, 2014
Email Attack on Vendor Set Up Breach at Target: The breach at Target Corp. that exposed credit card and personal data on more than 110 million consumers appears to have begun with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer, according to sources close to the investigation. KrebsOnSecurity, February 12, 2014
Experts warn of coming wave of serious cybercrime: The rash of attacks against Target and other top retailers is likely to be the leading edge of a wave of serious cybercrime, as hackers become increasingly skilled at breaching the nation’s antiquated payment systems, experts say. Washington Post, February 9, 2014
Unveiling ‘The Mask’: Sophisticated malware ran rampant for 7 years: A cyberespionage operation that used highly sophisticated multi-platform malware went undetected for more than five years and compromised computers belonging to hundreds of government and private organizations in more than 30 countries. PC World, February 11, 2014

Cyber Attack

Attack on US Veterans Website May have Been Aimed At Military Members: IDG News Service — A cyberattack against the Veterans of Foreign Wars website, believed to have been initiated in China, may have sought to spy on U.S. military members, security company FireEye said Thursday. CIO, February 13, 2014

Cyber Privacy

Sidestepping the Risk of a Privacy Breach: This week, we reached the inevitable point in the controversy over the credit and debit card breaches where grim-faced retail executives from Target and Neiman Marcus, industry experts and consumer advocates turned up in Washington. They raised their hands and delivered well-rehearsed statements to our elected representatives. The New York Times, February 7, 2014

Identity Theft

Dogged by Data Theft: “What is stopping us from moving to this kind of technology?” asked a perplexed Senator Amy Klobuchar, Democrat from Minnesota. It was last Tuesday, and the Senate Judiciary Committee, on which Klobuchar sits, was holding a hearing about the recent breaches of Target and Neiman Marcus in which the data from tens of millions of credit and debit cards were stolen. The New York Times, February 10, 2014
Keeping Swindlers Out of Your Bank and Brokerage Accounts: Data breaches at Target and Neiman Marcus were certainly scary. Personal information from tens of millions of people fell into the hands of cybercriminals. The New York Times, February 8, 2014

Cyber Warning

Bizarre attack infects Linksys routers with self-replicating malware: Researchers say they have uncovered an ongoing attack that infects home and small-office wireless routers from Linksys with self-replicating malware, most likely by exploiting a code-execution vulnerability in the device firmware. ars technica, February 13, 2014
New zero-day bug in IE 10 exploited in active malware attack, MS warns (updated): Microsoft has confirmed reports of a recently active attack that surreptitiously installed malware on computers running a fully patched version 10 of the Internet Explorer browser. The attacks also work on IE 9, the company warned. ars technica, February 13, 2014
CERTIFICATES SPOOFING GOOGLE, FACEBOOK, GODADDY COULD TRICK MOBILE USERS: Dozens of phony SSL certificates were discovered this week mocking legitimate certs from banks, e-commerce sites, ISPs and social networks. If a user stumbled over one of the bogus certificates on a mobile device it could put them at risk for a man-in-the-middle attack. ThreatPost, February 13, 2014
Instagram Bug Would Have Let Hackers Peek At Private Photos For At Least Last Six Months: If at any point before last Tuesday you suddenly found your private Instagram pics embarrassingly exposed to public perusal, Christian Lopez might be able to offer an explanation. Forbes, February 10, 2014
New Mac OS X Malware Steals Your Bitcoins: There’s a new piece of Mac malware that can spy on your web browser to steal your bitcoins. ReadWrite, February 10, 2014

Cyber Security Management

REALISTIC RISK ASSESSMENT KEY TO SECURITY MANAGEMENT: PUNTA CANA – Although it may not be the most thrilling part of a security team’s job, the idea of operational risk assessment and management is perhaps the most important aspect of organizational security. ThreatPost, February 10, 2014
How To Get The Most Out Of Risk Management Spend: Even with most security budgets growing or at least staying flat for 2014, no organization ever has unlimited funds for protecting the business. That’s where a solid risk management plan can be a lifesaver. DarkReading, January 24, 2014
The 7 best habits of effective security pros: It’s easy for security professionals who are passionate about their careers to get caught up in the technology, but success today requires a lot more than technical savvy. Here are the traits successful security pros say are needed to succeed. CSO, January 8, 2014

Cyber Security Management – Cyber Update

Security Updates for Shockwave, Windows: Adobe and Microsoft today each issued patches to fix critical security flaws in their software. Microsoft’s February Patch Tuesday includes seven patch bundles addressing at least 31 vulnerabilities in Windows and related software. Adobe pushed out an update that fixes two critical bugs in its Shockwave Player. KrebsOnSecurity, February 11, 2014

Cyber Security Management – Cyber Defense

Microsoft Offers Multifactor Authentication to All Office 365 Users: IDG News Service (Bangalore Bureau) — Microsoft is offering multifactor authentication free as an option to all users of its Office 365 suite, a hosted set of Microsoft Office tools and applications. CIO, February 11, 2014

Cyber Security Management – HIPAA

Healthcare Information Security: Still No Respect: More than a decade after publication of HIPAA’s security rule, healthcare information security officers still struggle to be heard. Information Week, February 10, 2014

National Cyber Security

Feds Launch Cyber Security Guidelines For US Infrastructure Providers: The White House on Wednesday released the first version of its cyber security framework for protecting critical infrastructure. Critics say these voluntary guidelines enshrine the status quo. Information Week, February 12, 2014
NIST Framework Released to Widespread Praise, But What Happens Next?: Following a solid year of intensive work, the National Institute of Standards and Technology (NIST) released yesterday its “final” framework for improving critical infrastructure cybersecurity as mandated under a February 2013 executive order by President Obama. The 41-page document closely tracks, with some notable changes, the preliminary framework released by NIST in November. CIO, February 13, 2014
Launch of the Cybersecurity Framework: Today the Obama Administration is announcing the launch of the Cybersecurity Framework, which is the result of a year-long private-sector led effort to develop a voluntary how-to guide for organizations in the critical infrastructure community to enhance their cybersecurity. The Framework is a key deliverable from the Executive Order on “Improving Critical Infrastructure Cybersecurity” that President Obama announced in the 2013 State of the Union. The White House, February 12, 2014

Cyber Law

FFIEC issues risk management guidance on social media: FFIEC issues risk management guidance on social media. Lexology, January 31, 2014

Cyber Sunshine

Florida Targets High-Dollar Bitcoin Exchangers: State authorities in Florida on Thursday announced criminal charges targeting three men who allegedly ran illegal businesses moving large amounts of cash in and out of the Bitcoin virtual currency. Experts say this is likely the first case in which Bitcoin vendors have been prosecuted under state anti-money laundering laws, and that prosecutions like these could shut down one of the last remaining avenues for purchasing Bitcoins anonymously. KrebsOnSecurity, February 7, 2014

Cyber Calendar

ISSA-LA February Lunch Meeting: In March 2013, attackers launched an attack against Spamhaus that topped 300Gbps. Spamhaus gave us permission to talk about the details of the attack. While CloudFlare was able to fend off the attack, it exposed some vulnerabilities in the Internet’s infrastructure that attackers will inevitably exploit. If an Internet-crippling attack happens, this is what it will look like. And here’s what the network needs to do in order to protect itself. ISSA-LA, Event Date: February 19, 2014
Cybersecurity Essentials for Business Professionals: Please join us in this free presentation where we will discuss essential issues that every entrepreneur and business professional must know about cybersecurity laws, guidelines, and protocols. This event will be moderated and conducted by Salar Atrizadeh, Esq., principal and founder of the Law Offices of Salar Atrizadeh. Also, Stan Stahl, Ph.D., President of Citadel Information Group and ISSA-LA, Brad Maryman, and Howard Miller will serve as panelists. Law Offices of Salar Atrizadeh, Event Date: February 21, 2014


Weekend Vulnerability and Patch Report, February 16, 2014

Important Security Updates

Adobe Shockwave Player: Adobe has released version to fix two highly critical vulnerabilities reported in previous versions of Shockwave Player running on Windows and Macintosh. Updates are available through the program or from Adobe’s Shockwave Web Site.
Check Point Technologies Zone Alarm: Check Point has released version of the Free version of Zone Alarm. Updates are available from Check Point’s website.
Dropbox: Dropbox has released version 2.6.10 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel's warning below]
Microsoft Patch Tuesday: Microsoft released several updates addressing at least 31 security vulnerabilities, some of which are highly critical, in Microsoft Office, Internet Explorer, and more. Updates are available via Windows Update or from Automatic Update.
Mozilla Firefox: Mozilla has released version 27.0.1 of Firefox. Updates are available within the browser or from Mozilla’s website.
Opera: Opera has released version 19.0.1326.63. Updates are available from within the browser or from Opera’s website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.06
Dropbox 2.6.10 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 27.0.1
Google Chrome 32.0.1700.107
Internet Explorer 11.0.9600.16518 [Windows 7: IE]
Internet Explorer 11.0.9600.16384 [Windows 8: IE]
Java SE 7 Update 51 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.4
Safari 5.1.7 
Safari 7.0.1 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports that Cisco has released updates for its Unified Communications Manager. Apply updates.
McAfee Firewall Enterprise: McAfee has released version 8.2.1 of its Firewall Enterprise (formerly Sidewinder Firewall) to fix an unpatched vulnerability in previous versions.
SonicWALL UMA EM5000: SonicWALL has released updates for its UMA EM5000 to fix a vulnerability reported in previous versions. Apply 7.1 SP2 or update to version 7.2.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.