Monday, March 03, 2014

Cyber Security News and Education for the Week of March 3, 2014

Cyber Security News and Vulnerability Patch Report

From our friends at Citadel Information Group

Cyber Crime

360 million newly stolen credentials on black market: cybersecurity firm: (Reuters) – A cybersecurity firm said on Tuesday that it uncovered stolen credentials from some 360 million accounts that are available for sale on cyber black markets, though it is unsure where they came from or what they can be used to access. Reuters, February 25, 2014
Bitcoin Exchange Mt. Gox Goes Offline Amid Allegations of $350 Million Hack. Wired, February 24, 2014
Embassy Suites Acknowledges Data Breach: Credit card information was illegally obtained ‘with a manual device,’ according to the hotel. eSecurity Planet, February 12, 2014
Bank of the West has data breach in online job-application system: Bank of the West job applicants are scrambling for answers regarding a recent data breach that may have involved stolen personal information such as Social Security and driver’s-license numbers. The Denver Post, February 11, 2014

Cyber Privacy

British Spies Said to Intercept Yahoo Webcam Images: SAN FRANCISCO — A British intelligence agency collected video webcam images — many of them sexually explicit — from millions of Yahoo users, regardless of whether they were suspected of illegal activity, according to accounts of documents leaked by Edward J. Snowden. The New York Times, February 27, 2014
Bush cyberczar: NSA created ‘the potential for a police state’: Richard Clarke, the former cyber advisor under President George W. Bush had some harsh words for the United States National Security Agency during an address in California on Monday: “get out of the business of fucking with encryption standards.” RT, February 25, 2014

Identity Theft – HIPAA

The Rise of Medical Identity Theft: If modern technology has ushered in a plague of identity theft, one particular strain of the disease has emerged as most virulent: medical identity theft. Government Technology, February 10, 2014

Cyber Warning

Apple retires Snow Leopard from support, leaves 1 in 5 Macs vulnerable to attacks: Apple on Tuesday made it clear that it will no longer patch OS X 10.6, aka Snow Leopard, when it again declined to offer a security update for the four-and-a-half-year-old operating system. ComputerWorld, February 26, 2014
iOS 7: Even if you don’t jailbreak your iPhone, bugs STILL CREEP IN: The comforting notion that unmodified iOS phones are more or less immune to security threats has been shaken to the core with the release of new research that shows mobile monitoring applications can bypass Apple’s app review process and successfully exploit non-jailbroken iOS 7 kit. The Register, February 25, 2014
IRS Releases the “Dirty Dozen” Tax Scams for 2014; Identity Theft, Phone Scams Lead List: The Internal Revenue Service today issued its annual “Dirty Dozen” list of tax scams, reminding taxpayers to use caution during tax season to protect themselves against a wide range of schemes ranging from identity theft to return preparer fraud. IRS, February 19, 2014

Cyber Security Management

How Well Do We Really Understand Information Security?: Information security is very important, but most people think they know it and that’s half the problem. Wall Street & Technology, February 21, 2014

Cyber Security Management – Cyber Update

OS X 10.9.2 arrives to fix SSL vulnerability, Mail problems, and more: What do fixes for critical security vulnerabilities, improvements to mail delivery, and new FaceTime features have in common? Well, they’re all in OS X 10.9.2, which arrived on Tuesday. It’s available in the Updates tab of the Mac App Store, and even if you’re among those who usually take a wait-and-see approach to system updates, this particular release is worth an expedient installation. MacWorld, February 25, 2014
iOS Update Quashes Dangerous SSL Bug: Apple on Friday released a software update to fix a serious security weakness in its iOS mobile operating system that allows attackers to read and modify encrypted communications on iPhones, iPads and other iOS devices. The company says it is working to produce a patch for the same flaw in desktop and laptop computers powered by its OS X operating system. KrebsOnSecurity, February 23, 2014

Cyber Security Management – Cyber Defense

Apple’s SSL iPhone vulnerability: how did it happen, and what next?: SSL vulnerability in iPhone, iPad and on Mac OS X appeared in September 2012 – but cause remains mysterious as former staffer calls lack of testing ‘shameful’. The Guardian, February 25, 2014
Neiman Marcus Hackers Set Off 60,000 Alerts While Bagging Credit Card Data: The hackers who raided the credit-card payment system of Neiman Marcus Group set off alerts on the company’s security systems about 60,000 times as they slunk through the network, according to an internal company investigation. BusinessWeek, February 21, 2014

National Cyber Security

Syria War Stirs New U.S. Debate on Cyberattacks: WASHINGTON — Not long after the uprising in Syria turned bloody, late in the spring of 2011, the Pentagon and the National Security Agency developed a battle plan that featured a sophisticated cyberattack on the Syrian military and President Bashar al-Assad’s command structure. The New York Times, February 24, 2014

Cyber Misc

Card Backlog Extends Pain from Target Breach: Last week’s story about steeply falling prices on credit and debit card data stolen from Target mentioned several reasons why many banks may not have already reissued all of their cards impacted by the breach. But it left out one other key reason: A huge backlog of orders at companies that manufacture credit and debit cards on behalf of financial institutions. KrebsOnSecurity, February 25, 2014
Comment: RSA Conference 2014 – Information Security’s Civil War Takes Center Stage: Brian Honan, security consultant and RSA Conference presenter, explains why he has chosen to remain on the event’s speaking roster despite the withdrawal of some peers. InfoSecurity, February 24, 2014
The anti-RSA conference: More security, less NSA: TrustyCon sets up shop across from the RSA Conference, with hopes of opening a debate on the state of security. InfoWorld, February 21, 2014


ISSA-LA Sixth Annual Information Security Summit, May 16, Universal City Hilton. Speakers include Richard Clarke, former Assistant to the President; Jackie Lacey, Los Angeles County District Attorney; Roland Cloutier, CSO of ADP. For more information and to register, visit ISSA-LA.


Weekend Vulnerability and Patch Report, March 2, 2014

Important Security Updates

Apple iOS Multiple Devices: Apple has released updates for its iOS to fix a vulnerability in the iPhone 3GS and later, iPod touch, iPhone 4 and later, and iPad. Updates are available through the device or Apple’s website.
Apple iTunes: Apple has released version 11.1.5 for iTunes. Updates are available through the program or from Apple’s website.
Apple Safari: Apple has released updates to Safari to fix at least 4 highly critical vulnerabilities reported in versions prior to 6.1.2 and 7.0.2. Updates are available through the program or from Apple’s website.
Apple OS X: Apple has released updates for OS X to fix at least 22 vulnerabilities, some of which are highly critical. Update to version 10.9.2 or apply Security Update 2014-001. Updates are available through Apple’s website.
Apple QuickTime: Apple has released version 7.7.5 of QuickTime to fix vulnerabilities. Updates are available from within the program or Apple’s website.
Apple TV: Apple has released version 6.0.2 for Apple TV to fix a vulnerability. Updates are available from within the program or Apple’s website.
Google Chrome: Google has released version 33.0.1750.124 of Chrome for Windows, Mac, Linux and Chrome Frame to fix highly critical unpatched vulnerabilities in previous versions. Updates are available through the program.
Piriform CCleaner: Piriform has released version 4.11.4619 for CCleaner. Download is available from Piriform’s website.
Siber Systems RoboForm: Siber Systems has released version 7.9.5 of Roboform. Updates are available from within the program (look for the “Check New Version” button on the Options menu) or by download from the Roboform website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.06
Dropbox 2.6.13 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 27.0.1
Google Chrome 33.0.1750.124
Internet Explorer 11.0.9600.16518 [Windows 7: IE]
Internet Explorer 11.0.9600.16384 [Windows 8: IE]
Java SE 7 Update 51 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7
Safari 7.0.2 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

Linksys E-Series Wireless Router: Secunia reports unpatched highly critical vulnerabilities in Linksys’ E-Series Routers including E4200, EA3500, EA2700, and EA4500. Other versions may also be affected. No official solution is currently available.
Linksys WRT120N Wireless Router: Secunia reports a moderately critical unpatched vulnerability in Linksys’ WRT120N Wireless Router reported in firmware version 1.0.07. Other versions may also be affected. No official solution is currently available.
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports that Cisco has released updates for its Intrusion Prevention Software (IPS), Unified Communications Domain Manager (CUCDM), Prime Infrastructure, Unified Communications Manager, Unified Contact Center Express and others. Apply updates.
McAfee ePolicy Orchestrator: Secunia reports that McAfee has released a hotfix for its ePolicy Orchestrator to fix a vulnerability reported in versions 4.6.7 and prior. Apply Hotfix 940148.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.