Monday, February 24, 2014

Cyber Security News and Education for the Week of February 24, 2014

Cyber Security News of the Week

Shared with permission from our friends at Citadel Information Group

Cyber Crime

Fire Sale on Cards Stolen in Target Breach: Last year’s breach at Target Corp. flooded underground markets with millions of stolen credit and debit cards. In the days surrounding the breach disclosure, the cards carried unusually high price tags — in large part because few banks had gotten around to canceling any of them yet. Today, two months after the breach, the number of unsold stolen cards that haven’t been cancelled by issuing banks is rapidly shrinking, forcing the miscreants behind this historic heist to unload huge volumes of cards onto underground markets and at cut-rate prices. KrebsOnSecurity, February 19, 2014
Database Attack Exposes Personal Data At University of Maryland: IDG News Service — Personal records for more than 309,000 students and staff were exposed this week in a “sophisticated” database attack at the University of Maryland, the university said Wednesday. CIO, February 19, 2014
Kickstarter hacked, user data stolen:The crowd-funding site says hackers broke into its systems and made off with data. Apparently credit card numbers escaped the attack. Cnet, February 15, 2014

Cyber Privacy

Facebook Deal on Privacy Is Under Attack: SAN FRANCISCO — Despite a class-action settlement in August that was supposed to ensure that Facebook users clearly consent to their comments, images and “likes” being used in ads, it has been business as usual on the service. The New York Times, February 13, 2014

Cyber Warning

70 PERCENT OF ANDROID DEVICES EXPOSED FOR 93 WEEKS TO SIMPLE ATTACK: Android devices prior to version 4.2.1 of the operating system—70 percent of the phones and tablets in circulation—have been vulnerable to a serious and simple remote code execution vulnerability in the Android browser for more than 93 weeks. ThreatPost, February 18, 2014
TWO-FACTOR AUTHENTICATION VULNERABILITY IDENTIFIED IN WORDPRESS PLUGINS: Hosted two-factor authentication firm Duo Security acknowledged late last week that it discovered a vulnerability in its WordPress plugin (duo_wordpress plugin) that could allow a user to bypass two-factor authentication (2FA) on a multisite network. ThreatPost, February 19, 2014
Security message from FORBES: was targeted in a digital attack and our publishing platform was compromised. Forbes, February 2014
The New Normal: 200-400 Gbps DDoS Attacks: Over the past four years, KrebsOnSecurity has been targeted by countless denial-of-service attacks intended to knock it offline. Earlier this week, KrebsOnSecurity was hit by easily the most massive and intense such attack yet — a nearly 200 Gbps assault leveraging a simple attack method that industry experts say is becoming alarmingly common. KrebsOnSecurity, February 14, 2014

Cyber Security Management

How CFOs Can Face The Threat Of Cyber Crime: Cyber threats are a serious problem for businesses, and boards, investors and finance executives are sitting up and taking notice. Forbes, February 6, 2014

Cyber Security Management – Cyber Update

Adobe, Microsoft Push Fixes For 0-Day Threats: For the second time this month, Adobe has issued an emergency software update to fix a critical security flaw in its Flash Player software that attackers are already exploiting. Separately, Microsoft released a stopgap fix to address a critical bug in Internet Explorer versions 9 and 10 that is actively being exploited in the wild. KrebsOnSecurity, February 20, 2014

Cyber Security Management – Cyber Defense

Time to Harden Your Hardware?: Most Internet users are familiar with the concept of updating software that resides on their computers. But this past week has seen alerts about an unusual number of vulnerabilities and attacks against some important and ubiquitous hardware devices, from consumer-grade Internet routers, data storage and home automation products to enterprise-class security solutions. KrebsOnSecurity, February 18, 2014

Cyber Security Management – HIPAA

HEALTH CARE SYSTEMS POORLY PROTECTED, MANY ALREADY COMPROMISED: A new report from the SANS Institute warns that the push to digitize all health care records along with the emergence of and the general proliferation of electronic protected health information (ePHI) online will only exacerbate the security problems faced by those that store sensitive health care data. In other words, the report says, health care critical information assets are poorly protected and already compromised in many cases. ThreatPost, February 18, 2014

Securing the Village

Closing the cyber security threat intelligence gap: It’s no secret that one of the effects of the Edward Snowden revelations has been a slowdown in the effort to pass new cyber security legislation that facilitates information sharing between the government and the private sector. However, the need for cyber threat intelligence sharing is still vital, and with Congress sidelined, it’s going to take leadership from the nation’s corporate executives to make progress on this issue within the framework of our current laws. SC Magazine, February 18, 2014

National Cyber Security

Spy Chief Says Snowden Took Advantage of ‘Perfect Storm’ of Security Lapses: WASHINGTON — The director of national intelligence acknowledged Tuesday that nearly a year after the contractor Edward J. Snowden “scraped” highly classified documents from the National Security Agency’s networks, the technology was not yet fully in place to prevent another insider from stealing top-secret data on a similarly large scale. The New York Times, February 11, 2014

Cyber Law

The Year Ahead in Privacy and Data Security: 2014 promises to be another eventful year in the privacy and data security fields. Although predictions are necessarily risky, there is little sign that the revelations regarding government surveillance will cease, that cyber criminals and insiders will stop hacking into personal and proprietary data and that the FTC and other regulatory authorities will stop focusing on companies’ privacy and security policies and practices. [Author Tim Toohey is a member of ISSA-LA Community Outreach Advisory Board.] Morris, Pollich & Purdy, January 27, 2014

Cyber Misc

Reporting From the Web’s Underbelly: SAN FRANCISCO — In the last year, Eastern European cybercriminals have stolen Brian Krebs’ identity a half dozen times, brought down his website, included his name and some unpleasant epithets in their malware code, sent fecal matter and heroin to his doorstep, and called a SWAT team to his home just as his mother was arriving for dinner. The New York Times, February 17, 2014


ISSA-LA Sixth Annual Information Security Summit, May 16, Universal City Hilton. Speakers include Richard Clarke, former Assistant to the President; Jackie Lacey, Los Angeles County District Attorney; Roland Cloutier, CSO of ADP. For more information and to register, visit ISSA-LA.

Weekend Vulnerability and Patch Report, February 23, 2014

Important Security Updates

Adobe Flash Player: Adobe has released version for its Flash Player to fix an extremely critical vulnerability. Updates are available through the program or from Adobe’s Flash Web Site. Updates are also available for Adobe AIR.
Adobe Shockwave Player: Adobe has released version to fix two highly critical vulnerabilities reported in previous versions of Shockwave Player running on Windows and Macintosh. Updates are available through the program or from Adobe’s Shockwave Web Site.
Apple iOS Multiple Devices: Apple has released updates for its iOS to fix a critical vulnerability in the iPhone 3GS, iPod touch 4th generation, iPhone 4, iPod touch 5th generation, iPad 2 and later, Apple TV 2nd generation and later. Updates are available through the device or Apple’s website.
Dropbox: Dropbox has released version 2.6.13 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel's warning below]
Foxit Reader: Foxit has released version 6.1.4 to fix a moderately critical vulnerability. Updates are available through the program or from Foxit’s website.
Google Chrome: Google has released version 33.0.1750.117 of Chrome for Windows, Mac, Linux and Chrome Frame to fix highly critical unpatched vulnerabilities in previous versions. Updates are available through the program.
Microsoft Internet Explorer: Microsoft has released an update to versions 9 and 10 of Internet Explorer to fix an extremely critical vulnerability. Updates are available through Windows Updates in the Control Panel. US-CERT recommends upgrading to Internet Explorer 11.
Microsoft Windows: Microsoft has released an update to several versions of Windows, including Windows 8, 8.1 and Server 2012, to fix a highly critical vulnerability caused by the bundling of Adobe Flash Player within Internet Explorer. Updates are available through Windows Updates in the Control Panel.
Siber Systems RoboForm: Siber Systems has released version 7.9.2 of Roboform. Updates are available from within the program, look for the “Check New Version” button on the Options menu or download from the Roboform website.
Skype: Skype has released Skype Updates are available from the program.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.06
Dropbox 2.6.13 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 27.0.1
Google Chrome 33.0.1750.117
Internet Explorer 11.0.9600.16518 [Windows 7: IE]
Internet Explorer 11.0.9600.16384 [Windows 8: IE]
Java SE 7 Update 51 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.4
Safari 5.1.7 
Safari 7.0.1 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

Netgear D6300B: Secunia reports moderately critical security issues in firmware versions and Other versions may also be affected. No official solution is currently available.
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports that Cisco has released updates for its Unified Communications Manager, Intrusion Prevention Software (IPS), Adaptive Security Appliance (ASA), Unified SIP Phone 3905, Unified Computing System (UCS), Firewall Services Module (FWSM), Email Security Appliance, Videoscape Distribution Suite Transparent Caching (VDS-TC) and others. Apply updates.
Citrix ShareFile for Android: Secunia reports that Citrix has released an update to fix a security issue reported in previous versions of Citrix ShareFile Mobile Application for Android and Citrix ShareFile Mobile for Tablets Application for Android. Update to version 2.4.4.
Symantec Endpoint Protection Manager: Secunia reports that Symantec has released updates for its Endpoint Protection Manager to fix a vulnerability in versions prior to 11.0.7405.1424 and 12.1.4023.4080. Update to a fixed version.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.'s Security Recruiter Blog