Monday, March 31, 2014

Cyber Security News, Education and Cyber Security Vulnerability Report for the Week of March 31, 2014

Cyber Security News of the Week

From Dr. Stan Stahl and our friends at Citadel Information Group

Cyber Crime

Target Had Chance to Stop Breach, Senators Say: WASHINGTON — Two Democratic senators on Wednesday criticized Target’s management for not stopping a huge data breach of its systems, citing several missed opportunities to thwart the attack and protect customer data. The New York Times, March 26, 2014
ZIP Codes Show Extent of Sally Beauty Breach: Earlier this month, beauty products chain Sally Beauty acknowledged that a hacker break-in compromised fewer than 25,000 customer credit and debit cards. My previous reporting indicated that the true size of the breach was at least ten times larger. The analysis published in this post suggests that the Sally Beauty breach may have impacted virtually all 2,600+ Sally Beauty locations nationwide. KrebsOnSecurity, March 25, 2014

Cyber Attack

Basecamp falls to blackmail-fueled denial of service attack: Users of the popular web-based project management app Basecamp may have a hard time logging on the service Monday morning. The company behind the app, also named Basecamp (formerly 37Signals), says it is under a distributed denial of service (DDoS) attack from extortionists hoping to make a quick buck. PCWorld, March 24, 2014
HOOTSUITE BACK ONLINE FOLLOWING DENIAL OF SERVICE ATTACK: Social media management system Hootsuite recovered rapidly from a denial of service (DoS) attack late last week, bouncing back after being offline for a few hours Thursday morning. ThreatPost, March 24, 2014

Cyber Privacy

Microsoft to Stop Inspecting Private Emails in Investigations: SEATTLE — Microsoft will no longer snoop on customers’ private communications during investigations of stolen property, the company’s general counsel said on Friday. The New York Times, March 28, 2014
Obama to Call for End to N.S.A.’s Bulk Data Collection: WASHINGTON — The Obama administration is preparing to unveil a legislative proposal for a far-reaching overhaul of the National Security Agency’s once-secret bulk phone records program in a way that — if approved by Congress — would end the aspect that has most alarmed privacy advocates since its existence was leaked last year, according to senior administration officials. The New York Times, March 24, 2014

Cyber Warning

Forget Stealing Credit Cards, Now Hackers Just Straight-Up Blackmail You: While hackers tried to get rich by stealing millions of credit cards from Target, other cybercriminals have quietly tried another method to make a quick buck: Asking companies to pay them to go away. Huffington Post, March 29, 2014
Watch out, journalists: Hackers are after you: Google security experts say that many of the world’s largest news organizations are being targeted by hackers that are likely state-sponsored. CNet, March 28, 2014
IRS Warns of Email Scam Impersonating Taxpayer Advocate Service: The Internal Revenue Service is warning consumers to beware of a new email phishing scam in which fraudulent emails purport to come from the IRS Taxpayer Advocate Service, complete with a bogus case number. AccountingToday, March 28, 2014
Law Firms Are Pressed on Security for Data: A growing number of big corporate clients are demanding that their law firms take more steps to guard against online intrusions that could compromise sensitive information as global concerns about hacker threats mount. The New York Times, March 26, 2014
Microsoft: 0Day Exploit Targeting Word, Outlook: Microsoft warned today that attackers are exploiting a previously unknown security hole in Microsoft Word that can be used to foist malicious code if users open a specially crafted text file, or merely preview the message in Microsoft Outlook. KrebsOnSecurity, March 24, 2014
TARGETED ATTACKS EXPLOIT MICROSOFT WORD ZERO DAY: Targeted attacks have been spotted against a zero-day vulnerability in Microsoft Word 2010, leading Microsoft to issue a special security advisory and produce a Fix-it solution for users until a patch is ready. ThreatPost, March 24, 2014

Cyber Security Management – Cyber Update

CISCO PATCHES DENIAL-OF-SERVICE VULNERABILITIES IN IOS: Cisco this week patched a handful of denial-of-service vulnerabilities in its IOS software. The security updates are part of a biannual release from Cisco; the next one is due in September. ThreatPost, March 28, 2014

Cyber Security Management – Cyber Defense

The new security perimeter: Human Sensors: Security Manager George Grachis discusses the current cyber threat landscape and why Human Sensors, our users, are our most underutilized resource that can make all the difference. CSO, March 13, 2014

Cyber Underworld

Who Built the ID Theft Service?: Previous stories on this blog have highlighted the damage wrought by an identity theft service marketed in the underground called ssndob[dot]ru, which sold Social Security numbers, credit reports, drivers licenses and other sensitive information on more than four million Americans. Today’s post looks at a real-life identity behind the man likely responsible for building this service. KrebsOnSecurity, March 27, 2014

National Cyber Security

Cybercrime could be ‘next black swan event’: ASIC chief: Australian Securities and Investment Commission chairperson Greg Medcraft has used the ASIC Annual Forum to issue a warning about the potential for poor information security to destabilise financial markets. ComputerWorld, March 24, 2014

Cyber Lawsuit

FTC SETTLES WITH FANDANGO, CREDIT KARMA OVER SSL ISSUES IN MOBILE APPS: The makers of two major mobile apps, Fandango and Credit Karma, have settled with the Federal Trade Commission after the commission charged that they deliberately misrepresented the security of their apps and failed to validate SSL certificates. The apps promised users that their data was being sent over secure SSL connections, but the apps had disabled the validation process. ThreatPost, March 28, 2014
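The defect the FTC cited is easy to reproduce. The following Go program is an added example (not code from Fandango, Credit Karma or the FTC complaint, which concerned mobile apps) that stands up a throwaway TLS server with a self-signed certificate generated by the standard library's httptest package; that certificate plays the role of a man-in-the-middle's certificate. It then connects three ways: with validation switched off (the pattern the apps shipped), with default validation against the system trust store, and with validation against an explicitly pinned root. The server URL, the "account data" body and the Result type are constructed for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Result records how each client configuration fared against a server
// presenting a certificate that no trusted CA has signed.
type Result struct {
	InsecureAccepted bool   // validation disabled: the MitM is accepted
	StrictRejected   bool   // default validation: the MitM is refused
	StrictErr        string // the verification error the strict client saw
	PinnedAccepted   bool   // validation against an explicitly pinned root
}

// newUntrustedServer starts a TLS server whose self-signed certificate
// (generated by httptest) stands in for an attacker's certificate.
func newUntrustedServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "account data") // constructed sample response
	}))
}

// fetch issues one GET using cfg and returns the body, or the TLS error.
func fetch(url string, cfg *tls.Config) (string, error) {
	tr := &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// insecureConfig is the defect the FTC complaint describes: chain and
// hostname validation are switched off, so any certificate is accepted.
func insecureConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true} // never ship this
}

// strictConfig keeps validation on. roots == nil means the system trust
// store; passing a pool pins the client to those roots only.
func strictConfig(roots *x509.CertPool) *tls.Config {
	return &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}
}

// runDemo exercises all three configurations against the untrusted server.
func runDemo() Result {
	srv := newUntrustedServer()
	defer srv.Close()
	var r Result

	body, err := fetch(srv.URL, insecureConfig())
	r.InsecureAccepted = err == nil && body == "account data"

	_, err = fetch(srv.URL, strictConfig(nil))
	if err != nil {
		r.StrictRejected = true
		r.StrictErr = err.Error()
	}

	// Pinning: trust exactly the certificate we expect and nothing else.
	pinned := x509.NewCertPool()
	pinned.AddCert(srv.Certificate())
	body, err = fetch(srv.URL, strictConfig(pinned))
	r.PinnedAccepted = err == nil && body == "account data"
	return r
}

func main() {
	r := runDemo()
	fmt.Printf("validation disabled, MitM accepted: %v\n", r.InsecureAccepted)
	fmt.Printf("default validation, MitM rejected:  %v (%s)\n", r.StrictRejected, r.StrictErr)
	fmt.Printf("pinned root, expected server OK:    %v\n", r.PinnedAccepted)
}
```

The point to check in any client, mobile or otherwise, is that the "strict" path is the one that ships: a connection that succeeds against a self-signed certificate means validation is off, however much the app's marketing says about SSL.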

Cyber Misc

How does the FBI Know Your Network has been Breached before You Do?: Many of the massive data breaches in the news these days are first revealed to the victims by law enforcement, the Secret Service and Federal Bureau of Investigation. [Dr. Stahl is quoted.] ComputerWorld, March 27, 2014
Markets for Cybercrime Tools and Stolen Data: Criminal activities in cyberspace are increasingly facilitated by burgeoning black markets for both tools (e.g., exploit kits) and take (e.g., credit card information). This report, part of a multiphase study on the future security environment, describes the fundamental characteristics of these markets and how they have grown into their current state to explain how their existence can harm the information security environment. Rand Corporation, 2014

Cyber Calendar

ISSA-LA Sixth Annual Information Security Summit, May 16, Universal City Hilton. Speakers include Richard Clarke, former Assistant to the President; Jackie Lacey, Los Angeles County District Attorney; Jeremiah Grossman, Founder & iCEO, WhiteHat Security; Marcus Ranum, CSO, Tenable; Marc Maiffret, CTO, BeyondTrust; Jim Manico, Secure Coding Instructor and Author, Global OWASP Board of Directors; Ira Winkler, ISSA International President; Andrea Hoy, ISSA International Vice-President. For more information and to register, visit ISSA-LA.


Weekend Vulnerability and Patch Report, March 30, 2014

Important Security Updates

AVG Antivirus Free Edition: AVG has released version 2014.0.4354 (32-bit) of its Free Edition Antivirus. Updates are available through the program or from AVG’s website.
Check Point Technologies ZoneAlarm: Check Point has released a new version of the free edition of ZoneAlarm. Updates are available from Check Point’s website.
Piriform CCleaner: Piriform has released version 4.12.4657 for CCleaner. Download is available from Piriform’s website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.06
Dropbox 2.6.2 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 28.0
Google Chrome 33.0.1750.154
Internet Explorer 11.0.9600.16518 [Windows 7: IE]
Internet Explorer 11.0.9600.16384 [Windows 8: IE]
Java SE 8 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7 
Safari 7.0.2 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

D-Link DIR-600L Wireless Router: Secunia reports an unpatched vulnerability in D-Link’s DIR-600L Wireless Router reported in revision A1 firmware version 1.0 and revision B1 firmware version 2.0. No official solution is currently available.
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports that Cisco has released updates for its IOS 7600 Series Route Switch, Prime Security Manager (PRSM), IOS SSL VPN, IOS and IOS XE, IOS Network Address Translation, SocialMiner, Unified Contact Center Express, Video Surveillance Manager (VSM), Unified Intelligence Center, Finesse and others. Apply updates.
IBM OS/400: Secunia reports that IBM has released updates for its OS/400 to fix a moderately critical vulnerability reported in version 6.1. Apply APAR SE58604.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
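Checking a workstation against the "Current Software Versions" list above is a matter of comparing version strings, and that is where ad hoc scripts go wrong: a plain string comparison says "9.0.1" is newer than "11.0" and "11.0.6" differs from "11.0.06". The Go program below is an added example, not a Citadel tool; it carries the numeric versions from this week's list (Windows 7 Internet Explorer, Mac Safari) as the baseline, compares segment by segment as integers, and flags installed products that fall behind. The sample inventory is constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// baseline is the "Current Software Versions" list from the report above,
// restricted to entries the report gives a version number for.
var baseline = map[string]string{
	"Adobe Reader":      "11.0.06",
	"Dropbox":           "2.6.2",
	"Firefox":           "28.0",
	"Google Chrome":     "33.0.1750.154",
	"Internet Explorer": "11.0.9600.16518", // Windows 7 entry
	"QuickTime":         "7.7.5",
	"Safari":            "7.0.2", // Mac OS X entry
}

// sampleInventory is a constructed workstation inventory (not real data):
// one product behind, two current, one not covered by the baseline.
var sampleInventory = map[string]string{
	"Adobe Reader":  "11.0.04",
	"Firefox":       "28.0",
	"Google Chrome": "33.0.1750.154",
	"Java SE":       "7u51",
}

// segment returns the i-th dot-separated component of a version as an
// integer. A missing trailing component counts as 0, a trailing
// non-numeric suffix such as "16518a" is stripped, and anything else
// non-numeric counts as 0.
func segment(parts []string, i int) int {
	if i >= len(parts) {
		return 0
	}
	digits := strings.TrimRightFunc(parts[i], func(r rune) bool { return r < '0' || r > '9' })
	n, err := strconv.Atoi(digits)
	if err != nil {
		return 0
	}
	return n
}

// compareVersions returns -1, 0 or 1 as a is older than, equal to or newer
// than b, comparing numerically so "11.0.6" == "11.0.06" and "9.0.1" < "11.0".
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	n := len(as)
	if len(bs) > n {
		n = len(bs)
	}
	for i := 0; i < n; i++ {
		x, y := segment(as, i), segment(bs, i)
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// outdated lists every installed product older than the baseline. Products
// the baseline does not mention are skipped rather than flagged, and the
// result is sorted so the report is stable across runs.
func outdated(installed map[string]string) []string {
	var out []string
	for name, have := range installed {
		want, ok := baseline[name]
		if !ok {
			continue
		}
		if compareVersions(have, want) < 0 {
			out = append(out, fmt.Sprintf("%s %s (current: %s)", name, have, want))
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	for _, line := range outdated(sampleInventory) {
		fmt.Println("UPDATE NEEDED:", line)
	}
}
```

Entries with a vendor-specific scheme such as Java's "7u51" need their own parser; the example deliberately skips products the baseline does not list rather than guessing.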
Copyright © 2014 Citadel Information Group. All rights reserved.