Monday, February 03, 2014

Cyber Security News and Education for the Week of February 2, 2014

Cyber Security News of the Week, February 2, 2014

Shared with permission. From our friends at Citadel Information Group

Cyber Crime

Point-Of-Sale System Attack Campaign Hits More Than 40 Retailers: Another day, another point-of-sale (POS) breach revelation: Dozens of retailers have been infected with a family of malware that stole payment card and personal information from some 50,000 customers. DarkReading, January 30, 2014
Target traces security breach to stolen vendor credentials: Target’s investigation of the massive security breach which allowed hackers to take millions of credit and debit card numbers has revealed a stolen vendor’s credentials as a source of access. ZDNet, January 30, 2014
New Clues in the Target Breach: An examination of the malware used in the Target breach suggests that the attackers may have had help from a poorly secured feature built into a widely-used IT management software product that was running on the retailer’s internal network. KrebsOnSecurity, January 29, 2014
Microsoft Says Law Enforcement Documents Likely Stolen By Hackers: Social media and email accounts of some Microsoft employees were hit by phishing attacks, the company said. CIO, January 26, 2014
Sources: Card Breach at Michaels Stores: Multiple sources in the banking industry say they are tracking a pattern of fraud on cards that were all recently used at Michaels Stores Inc., an Irving, Texas-based arts-and-crafts retailer that maintains more than 1,250 stores across the United States. KrebsOnSecurity, January 25, 2014

Cyber Attack

Hackers attack Yahoo Mail accounts: Yahoo Mail was recently the target of a cyber-attack, the company revealed in a blog post Thursday. CNN, January 30, 2014
Hackers break into Israeli defence computers, says security company: Palestinians are suspected of being behind email attack on civil administration machines that monitor Israeli-occupied territory. The Guardian, January 27, 2014
EFF ACTIVISTS, JOURNALISTS HIT BY TARGETED MALWARE ATTACK: Phishing and malware attacks are among the more democratic and populist threats on the Internet. You don’t have to stand in the crowd in order to be targeted; the attackers will get to you sooner or later. But while most malware campaigns are aimed at the masses, attackers often save their best stuff for high-value targets, as a recent campaign targeting American journalists and activists from the EFF shows. ThreatPost, January 20, 2014

Cyber Privacy

Businesses gather more information than they need from consumers: Moira Hahn, like many consumers, always took it for granted that businesses wanted as much of her personal information as they could get. LA Times, January 30, 2014
Flipping the Switches on Facebook’s Privacy Controls: FACEBOOK is all about sharing. But if you value your privacy, using the service means deciding not only what you want to share, but also who gets to see it. The New York Times, January 29, 2014
U.S. Relaxes Some Data Disclosure Rules: WASHINGTON — The Obama administration says it will allow Internet companies to give customers a better idea of how often the government demands their information, but will not allow companies to disclose what is being collected or how much. The New York Times, January 27, 2014
Spy Agencies Tap Data Streaming From Phone Apps: When a smartphone user opens Angry Birds, the popular game application, and starts slinging birds at chortling green pigs, spies could be lurking in the background to snatch data revealing the player’s location, age, sex and other personal information, according to secret British intelligence documents. The New York Times, January 27, 2014

Cyber Warning

DAILYMOTION STILL INFECTED, SERVING FAKE AV MALWARE: More than three weeks after notifying video-sharing site DailyMotion that it was compromised, security company Invincea reports the popular website is still infected. Threatpost, January 31, 2014
Careful! Malicious FileZilla FTP Client Circulating Steals FTP Login Credentials: Looking for a solid and feature rich FTP client? FileZilla is one of the better ones out there, but surfer beware, malware writers have taken notice of the popular program and have decided to prey on individuals who aren’t super diligent with their downloading habits. In other words, be real careful when downloading the FileZilla FTP client because there are fake copies making the rounds that are coded to steal your FTP login credentials. Hot HardWare, January 28, 2014
Sync’n’steal: Hackers brew Android-targeting Windows malware: Internet Igors have stitched together the first strain of Windows malware that can hop over and infect Android smartphones and tablets. The Register, January 27, 2014

Cyber Security Management

Lack of stronger cyber security may cost world economy $3 trillion: Failure to boost cyber security could cost the world economy a staggering $3 trillion as new regulations and approaches to deal with destructive attacks would stifle innovation, says a report. Economic Times, January 20, 2014

Cyber Security Management – Cyber Defense

Chip-and-PIN Security Push To Pit Retailers Against Banks: While the cost of breaches typically falls on the merchants, card issuers and banks would foot much of the bill for improving the security of the payment-card system. DarkReading, January 30, 2014
does more to protect your password, study of top 100 sites finds: Apple, Microsoft, Chegg, Newegg, and Target do the best job of safeguarding customer passwords, according to a comprehensive study of the top 100 e-commerce websites that also ranked Major League Baseball, Karmaloop, Dick’s Sporting Goods, Toys R Us, and Aeropostale as performing the worst. ars technica, January 24, 2014
The 25 worst passwords of 2013: “password” gets dethroned: “123456” is finally getting some time in the spotlight as the world’s worst password, after spending years in the shadow of “password.” CSO, January 20, 2014

National Cyber Security

N.S.A. Choice Is Navy Expert on Cyberwar: WASHINGTON — In nominating Vice Adm. Michael S. Rogers as the new director of the National Security Agency on Thursday, President Obama chose a recognized expert in the new art of designing cyberweapons, but someone with no public track record in addressing the kinds of privacy concerns that have put the agency under a harsh spotlight. The New York Times, January 30, 2014
Pentagon, GSA map out acquisition cybersecurity; tester finds issues remain: (Reuters) – The U.S. Defense Department and General Services Administration on Wednesday mapped out six broad reforms to improve the cybersecurity of more than $500 billion in goods and services acquired by the U.S. federal government each year. Reuters, January 29, 2014

Cyber Career

Information security salaries set to rise in 2014: Salaries for information security professionals are set to rise across the board in the coming year as demand for people with skills in this sector increases. ComputerWeekly, January 30, 2014

Cyber Survey

Microsoft Maps Out Malware Haves And Have-Nots: Some countries suffer disproportionately from malware infections and cybercrime, and Windows XP could exacerbate the problem. Dark Reading, January 22, 2014

Cyber Sunshine

Feds to Charge Alleged SpyEye Trojan Author: Federal authorities in Atlanta today are expected to announce the arrest and charging of a 24-year-old Russian man who allegedly created and maintained the SpyEye Trojan, a sophisticated botnet creation kit that has been implicated in a number of costly online banking thefts against businesses and consumers. KrebsOnSecurity, January 28, 2014
Suspected email hackers for hire charged in four countries: Eleven people were charged in the U.S., India, China and Romania for their suspected involvement with websites offering email hacking services. PC World, January 27, 2014
Revenge-porn king Hunter Moore indicted on 7 counts of aggravated identity theft: Hunter Moore, king of revenge porn, aka “the most hated man on the internet”, he who claims to have slept well in spite of posting nude or sexually explicit photos without victims’ permission, was indicted on Thursday by a federal grand jury. NakedSecurity, January 27, 2014

Cyber Calendar

“Lunch Meeting – It Takes the Village to Secure the Village”: Dr. Stan Stahl, President of the Los Angeles Chapter of the Information Systems Security Association and President of Citadel Information Group presents. SOCALAFP, Event Date: February 14, 2014
Cybersecurity Essentials for Business Professionals: Please join us in this free presentation where we will discuss essential issues that every entrepreneur and business professional must know about cybersecurity laws, guidelines, and protocols. This event will be moderated and conducted by Salar Atrizadeh, Esq., principal and founder of the Law Offices of Salar Atrizadeh. Also, Stan Stahl, Ph.D., President of Citadel Information Group and ISSA-LA, Brad Maryman, and Howard Miller will serve as panelists. Law Offices of Salar Atrizadeh, Event Date: February 21, 2014

Weekend Vulnerability and Patch Report, February 2, 2014

Important Security Updates

Google Chrome: Google has released version 32.0.1700.102 of Chrome for Windows, Mac, Linux and Chrome Frame to fix multiple highly critical vulnerabilities in previous versions. Updates are available through the program.
Opera: Opera has released version 19.00 to fix unpatched moderately critical vulnerabilities reported in a previously bundled version of Chromium. Updates are available from within the browser or from Opera’s website.
VLC Media Player: VLC has released version 2.1.2 (32-bit) of its Media Player to fix a highly critical vulnerability. Download from the VLC website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.06
Dropbox 2.6.2 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like AxCrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 26
Google Chrome 32.0.1700.102
Internet Explorer 11.0.9600.16476 [Windows 7: IE]
Internet Explorer 11.0.9600.16384 [Windows 8: IE]
Java SE 7 Update 51 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.4
Safari 5.1.7 
Safari 7.0.1 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports that Cisco has released many updates for multiple products, including Cisco TelePresence Systems (CTS), Secure Access Control System (ACS), NX-OS, Video Surveillance 5000 Series, Identity Services Engine (ISE), WebEx Meeting and others.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.