Monday, March 24, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of March 24, 2014

Cyber Security News of the Week

From our friends at Citadel Information Group


Cyber Crime

California Leads The Nation In Cybercrime: The same high-profile assets that make California an engine for America’s creativity and economy – think Silicon Valley and Hollywood – have made it a magnet for international criminal enterprises. If that sounds like a cover story for “Duh Magazine,” the first comprehensive report about it was released here Thursday, and it backs up the assertions with data and investigative evidence – and recommends what to do next. Business Insider, March 20, 2014
Citroen becomes the latest victim of Adobe ColdFusion hackers: One of the carmaker’s German websites hacked to include a backdoor last year, following similar cases elsewhere. The Guardian, March 17, 2014
The Long Tail of ColdFusion Fail: Earlier this month, I published a story about a criminal hacking gang using Adobe ColdFusion vulnerabilities to build a botnet of hacked e-commerce sites that were milked for customer credit card data. Today’s post examines the impact that this botnet has had on several businesses, as well as the important and costly lessons these companies learned from the intrusions. KrebsOnSecurity, March 17, 2014
Sally Beauty Confirms Card Data Breach: Nationwide cosmetics and beauty retailer Sally Beauty today confirmed that hackers had broken into its networks and stolen credit card data from stores. The admission comes nearly two weeks after KrebsOnSecurity first reported that the company had likely been compromised by the same criminal hacking gang that stole 40 million credit and debit cards from Target. KrebsOnSecurity, March 17, 2014
Bitcoin-stealing malware hidden in Mt. Gox data dump, researcher says: An archive containing transaction records from Mt. Gox that was released on the Internet last week by the hackers who compromised the blog of Mt. Gox CEO Mark Karpeles also contains bitcoin-stealing malware for Windows and Mac. PCWorld, March 17, 2014

Cyber Attack

NATO websites attacked by hackers: (CNN) — Hackers apparently attacked several NATO websites Saturday, but they did not interrupt operations nor was the integrity of NATO’s systems affected, NATO spokeswoman Oana Lungescu said on Twitter. CNN, March 16, 2014

Cyber Privacy

Microsoft Software Leak Inquiry Raises Privacy Issues: SEATTLE — Technology companies have spent months denying they know anything about broad government spying on people who use their Internet services. The New York Times, March 20, 2014
FORMER CHURCH COMMITTEE MEMBERS SEE NEED FOR NEW GROUP TO INVESTIGATE NSA: In a letter sent to President Obama and members of Congress, former members and staff of the Church Committee on intelligence said that the revelations of the NSA activities have caused “a crisis of public confidence” and encouraged the formation of a new committee to undertake “significant and public reexamination of intelligence community practices”. ThreatPost, March 20, 2014

Identity Theft

Are Credit Monitoring Services Worth It?: In the wake of one data breach after another, millions of Americans each year are offered credit monitoring services that promise to shield them from identity thieves. Although these services can help true victims step out from beneath the shadow of ID theft, the sad truth is that most services offer little in the way of real preventative protection against the fastest-growing crime in America. KrebsOnSecurity, March 19, 2014
Consumers Union’s Guide to Security Freeze Protection: There are more than eight million new victims of identity theft each year in the U.S. Many of these victims find that crooks have used stolen personal information like Social Security numbers to open new accounts in their victim’s name. A security freeze gives consumers the choice to “freeze” or lock access to their credit file against anyone trying to open up a new account or to get new credit in their name. When a security freeze is in place at all three major credit bureaus, an identity thief cannot open a new account because the potential creditor or seller of services will not be able to check the credit file. When the consumer is applying for credit, he or she can lift the freeze temporarily using a PIN so legitimate applications for credit or services can be processed. DefendYourDollars, February 5, 2014

Cyber Warning

EA Games hackers get Apple ID, Origin passwords and payment info: If you’ve been prompted to enter your Apple ID login, payment and security credentials via an EA Games subdomain recently, change your passwords immediately. ZDNet, March 20, 2014
Android Upgrades Open A Backdoor To Malware, Researchers Show: Updating software is to malware as flossing is to gingivitis: a basic practice meant to minimize the risk of infection. But a team of researchers has found that for Google’s Android platform, operating system upgrades can also serve as a stealthy new method for malware to sneak its tricks past Android’s security measures. Forbes, March 19, 2014
Botnet of thousands of Linux servers pumps Windows desktop malware onto web: As many as 25,000 web servers infected with Linux malware have been used in the past two years to hit website visitors with two variants of Windows malware. ZDNet, March 19, 2014
Hackers Use Missing Malaysia Airlines Flight to Bait Users: Cyber scammers are exploiting intense interest in missing Malaysia Airlines Flight 370 to spread malicious malware aimed at attacking users, according to a new warning from security software company Trend Micro. FoxBusiness, March 19, 2014

Cyber Security Management

6 greatest cybersecurity myths and why you should not trust them: Cybersecurity is, without a doubt, becoming one of the dominant security topics (and concerns), not only for security professionals, but also for any executives or managers who want to protect their organizations. Defense Systems, March 17, 2014

Cyber Security Management – Cyber Update

Windows XP Holdouts: 6 Top Excuses: Microsoft cuts support for Windows XP in less than a month, but millions still use the OS. Are these rationales worth the risk? InformationWeek, March 17, 2014
GOOGLE PATCHES FOUR PWN2OWN BUGS IN CHROME 33: Now that the dust has settled after the Pwn2Own contest, the browser manufacturers are beginning to roll out patches for the vulnerabilities exploited by contestants. Google on Monday released fixes for a number of bugs in Chrome discovered and exploited during Pwn2Own, releasing new versions of the browser for Windows, Mac and Linux. ThreatPost, March 17, 2014
Government computers running Windows XP will be vulnerable to hackers after April 8: The deadline for installing secure operating systems on federal government computers will pass next month with the job incomplete, leaving hundreds of thousands of machines running outdated software and unusually vulnerable to hackers. The Washington Post, March 16, 2014

Cyber Security Management – Cyber Defense

FULL DISCLOSURE SECURITY MAILING LIST SHUTS DOWN: The Full Disclosure security mailing list, which has been one of the main discussion forums for vulnerability and exploit information for 12 years, is shutting down because “‘one of our own’ would undermine the efforts of the last 12 years”, one of the creators said. ThreatPost, March 20, 2014
The Year of Encryption: Government spying gives a giant push to data scrambling on the Web. MIT Technology Review, March 18, 2014

Cyber Underworld

Cyber Criminals Using Online Attack Kits to Steal Data: Cyber criminals are now using online attack kits to steal data. The cyber criminal does not need to have advanced hacking skills today to steal someone’s personal banking information. In a few simple steps, they can download a so-called “attack kit” and online theft is just a matter of a few clicks away. LibertyVoice, March 16, 2014


ISSA-LA Donates $25,000 for Nonprofits to Attend the Sixth Annual Information Security Summit on Cybercrime Solutions: The Los Angeles Chapter of the Information Systems Security Association has created a donation fund of up to $25,000 for 100 free registrations to Executives and IT personnel of nonprofits to attend the Sixth Annual Information Security Summit. PRWeb, March 19, 2014

Cyber Sunshine

Men from Ukraine and New York indicted in U.S. cybercrime case: (Reuters) – Federal prosecutors on Monday announced the indictment of three men they accuse of being members of an international cybercrime ring that tried to steal at least $15 million by hacking into U.S. customer accounts at 14 financial institutions and the Department of Defense’s payroll service. Reuters, March 18, 2014

Cyber Calendar

ISSA-LA Sixth Annual Information Security Summit, May 16, Universal City Hilton. Speakers include Richard Clarke, former Assistant to the President; Jackie Lacey, Los Angeles County District Attorney; Roland Cloutier, CSO of ADP. For more information and to register, visit ISSA-LA.

Weekend Vulnerability and Patch Report, March 23, 2014

Important Security Updates

D-Link DIR-615: D-Link has released version 8.05b06 to fix a vulnerability in its DIR-615 wireless router. Updates are available from D-Link’s website.
Google Chrome: Google has released version 33.0.1750.154 of Chrome for Windows and Mac to fix 7 highly critical vulnerabilities. Updates are available through the program.
Google Chrome for Android: Google has released version 33.0.1750.166 of Chrome for Android to fix at least 3 highly critical vulnerabilities. Updates are available through the program or device.
Mozilla Firefox: Mozilla has released version 28.0 of Firefox to fix at least 11 highly critical vulnerabilities. Updates are available within the browser or from Mozilla’s website. There are also updates for Thunderbird and SeaMonkey.
Opera: Opera has released version 20.0.1387.82. Updates are available from within the browser or from Opera’s website.
Oracle Java: Oracle has released Java SE 8. The update is available through Windows Control Panel or Java’s website. [See Citadel's recommendation below]

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.06
Dropbox 2.6.2 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 28.0
Google Chrome 33.0.1750.154
Internet Explorer 11.0.9600.16518 [Windows 7: IE]
Internet Explorer 11.0.9600.16384 [Windows 8: IE]
Java SE 8 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7 
Safari 7.0.2 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

D-Link DIR-615 Wireless Router: Secunia reports an unpatched vulnerability in D-Link’s DIR-615 Wireless Router, affecting revision Ex, firmware version 5.10 and prior. No official solution is currently available.
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports that Cisco has released updates for its Adaptive Security Appliance (ASA), IOS and others. Apply updates.
IBM OS/400 Java: Secunia reports that IBM has released updates for its OS/400 to fix at least 25 vulnerabilities, some of them highly critical, in a bundled version of IBM Java. Apply PTF or APARs.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.