Monday, April 21, 2014

Cyber Security News, Education and Cyber Vulnerability Report for the Week of April 21, 2014

Cyber Security News of the Week

 From our friends at Citadel Information Group

Cyber Crime

Heartbleed Internet Security Flaw Used in Attack: Within 24 hours of the Heartbleed bug’s disclosure last week, an attacker used it to break into a major corporation, security experts said Friday. The New York Times, April 18, 2014
Hardware Giant LaCie Acknowledges Year-Long Credit Card Breach: Computer hard drive maker LaCie has acknowledged that a hacker break-in at its online store exposed credit card numbers and contact information on customers for the better part of the past year. The disclosure comes almost a month after the breach was first disclosed by KrebsOnSecurity. KrebsOnSecurity, April 15, 2014

Cyber Privacy

Google Revises Terms of Its Scans of Gmail: Google updated its terms of service on Monday, informing users that their incoming and outgoing emails are automatically analyzed by software to create targeted ads. The New York Times, April 14, 2014

Identity Theft

1 in 5 Web users report personal info theft, study says: Nearly 1 in 5 Internet users say they’ve had their personal information stolen as a result of online activities, according to a Pew Research Center study. Detroit Free Press, April 15, 2014

Cyber Warning

Heartbleed Hackers Steal Encryption Keys in Threat Test: The crown jewel of secure websites is a single string of data – a very long jumble of letters and numbers and symbols that looks like gibberish. The Heartbleed bug allows hackers to crack it. Bloomberg, April 15, 2014
Fingerprint lock in Samsung Galaxy 5 easily defeated by whitehat hackers: The heavily marketed fingerprint sensor in Samsung’s new Galaxy 5 smartphone has been defeated by whitehat hackers who were able to gain unfettered access to a PayPal account linked to the handset. ars technica, April 15, 2014

Cyber Security Management

SEC to Launch Cybersecurity Exams of Investment Firms, Offers Sample Document Requests: On April 15, 2014, the SEC’s Office of Compliance Inspections and Examinations quietly disclosed its examination module pertaining to cybersecurity. The disclosure came in the form of a Risk Alert providing “additional information concerning [OCIE's] initiative to assess cybersecurity preparedness in the securities industry.” Compliance Week, April 18, 2014
The Board’s Role in Cybersecurity: The costs of cyber attack can be significant. To protect finances, liability, reputation, and future growth, corporate boards must ensure that their companies have appropriate processes in place to manage cyber risk in the context of their business. Richard Clarke and Jacob Olcott, The Conference Board. Good Harbor, March 2014

Cyber Security Management – Cyber Defense

Three Rules for Password Sanity: Let’s start with the obvious. We all hate passwords. Users hate passwords because they are hard to remember and they slow you down, getting in the way of the computing experience. IT staff hate passwords because they’re just one more critical thing that needs to be managed, taking valuable time away from keeping computer systems running and users happy. [We originally published this in April 2013. We are reprinting it to guide users as they change passwords in light of Heartbleed.] Citadel Information Group, April 11, 2013

Cyber Security Management – Cyber Update

Critical Java Update Plugs 37 Security Holes: Oracle has pushed a critical patch update for its Java SE platform that fixes at least 37 security vulnerabilities in the widely-installed program. Several of these flaws are so severe that they are likely to be exploited by malware or attackers in the days or weeks ahead. So — if you have Java installed — it is time to update (or to ditch the program once and for all). KrebsOnSecurity, April 16, 2014

Securing the Village

Public-private shield needed against hackers, Tom Ridge says: April 16–The threat cyberwarfare poses to the American economy demands a far more coordinated response from government and the private sector, former Homeland Security Secretary Tom Ridge said Tuesday. SecurityInfoWatch, April 16, 2014

National Cyber Security

Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say: WASHINGTON — Stepping into a heated debate within the nation’s intelligence agencies, President Obama has decided that when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks, senior administration officials said Saturday. The New York Times, April 12, 2014
US government denies being aware of Heartbleed internet bug: The White House and US intelligence agencies said on Friday that neither the National Security Agency nor any other part of the government were aware before this month of the “Heartbleed” bug, denying a report that the spy agency exploited the glitch in widely used web encryption technology to gather intelligence. The Guardian, April 12, 2014

Cyber Misc

OpenSSL and Linux: A Tale of Two Open-Source Projects: The Heartbleed bug has cast a bright and not entirely flattering light on the open-source movement’s incentive model. The New York Times, April 18, 2014
Heartbleed Highlights a Contradiction in the Web: SAN FRANCISCO — The Heartbleed bug that made news last week drew attention to one of the least understood elements of the Internet: Much of the invisible backbone of websites from Google to Amazon to the Federal Bureau of Investigation was built by volunteer programmers in what is known as the open-source community. The New York Times, April 18, 2014
GAO Scolds SEC for Ongoing Cyber-Security Deficiencies: The message is increasingly common: “Information security is a critical consideration.” But this time the cyber-security warning wasn’t handed down by a regulator – it was the Securities and Exchange Commission being scolded for its own security gaps and lapses. Compliance Week, April 17, 2014

Cyber Sunshine

U.S. Agent Lures Romanian Hackers in Subway Data Heist: U.S. Secret Service Agent Matt O’Neill was growing nervous. For three months, he’d been surreptitiously monitoring hackers’ communications and watching as they siphoned thousands of credit card numbers from scores of U.S. retailers. Bloomberg, April 17, 2014

Cyber Calendar

ISSA-LA Sixth Annual Information Security Summit, May 16, Universal City Hilton. Speakers include Richard Clarke, former Assistant to the President; Jackie Lacey, Los Angeles County District Attorney; Jeremiah Grossman, Founder & iCEO, WhiteHat Security; Marcus Ranum, CSO, Tenable; Marc Maiffret, CTO, Beyond Trust; Jim Manico, Secure Coding Instructor and Author, Global OWASP Board of Directors; Ira Winkler, ISSA International President; Andrea Hoy, ISSA International Vice-President. For more information and to register, visit ISSA-LA.


Weekend Vulnerability and Patch Report, April 20, 2014

Important Security Updates

Adobe Reader for Android: Adobe has released an update for Reader for Android to fix a highly critical vulnerability reported in prior versions. Update to version 11.2. Updates are available through the device.
Dropbox: Dropbox has released version 2.6.30 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel's warning below]
Google Chrome: Google has released version 34.0.1847.120 of Chrome for Windows and Mac. Updates are available through the program.
Oracle Java: Oracle has released Java SE 8 Update 5 to fix at least 37 vulnerabilities, some of which are highly critical. The update is available through Windows Control Panel or Java’s website. [See Citadel's recommendation below]

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.06
Dropbox 2.6.30 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 28.0
Google Chrome 34.0.1847.120
Internet Explorer 11.0.9600.17031 [Windows 7: IE]
Internet Explorer 11.0.9600.16384 [Windows 8: IE]
Java SE 8 Update 5 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7 
Safari 7.0.2 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Network Registrar: Secunia reports that Cisco has released updates for its Network Registrar. Upgrade to version 8.1(3.1) or 8.2(0.2).
Google Search Appliance: Secunia reports that Google has released updates for its Search Appliance to fix two vulnerabilities caused by a bundled vulnerable version of OpenSSL. Apply the patch. Please consult the Google Enterprise Support Portal for further details.
Heartbleed: Most of the attention surrounding the Heartbleed vulnerability (in OpenSSL’s TLS heartbeat extension) has focused on web servers that use OpenSSL. However, many other types of services use OpenSSL to encrypt sensitive communication, including mail, instant messaging, VPNs and voice-over-IP (VoIP), and any of them that expose TLS on a listening port are affected in the same way. See, e.g., this analysis from The University of Michigan. The analysis includes a list of popular mail servers that are vulnerable.
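Because Heartbleed lives in OpenSSL’s handling of the TLS heartbeat record rather than in HTTP, the malformed record looks the same on a mail port after STARTTLS as it does on port 443, so one detector covers every service the Michigan analysis lists. The following is an added example written for this report, not code from Citadel or from the Michigan analysis: it splits a captured byte stream into TLS records and applies the two checks a sensor can make on cleartext heartbeats, a request whose declared payload length exceeds what the record actually carries (the probe shape), and a response that echoes more payload than the request sent (a server leaking memory). The record builder and the sample records in the test are constructed here to exercise the detector; nothing connects to a network.

```python
"""Detect the Heartbleed (CVE-2014-0160) heartbeat pattern in captured TLS
bytes.  Added illustration, not code from the report or from the
University of Michigan analysis; all sample records are constructed.

TLS record (RFC 5246):   type(1) version(2) length(2) fragment(length)
Heartbeat (RFC 6520):    hb_type(1) payload_length(2) payload padding(>=16)
"""
import struct

CONTENT_HEARTBEAT = 24          # TLS ContentType assigned by RFC 6520
HB_REQUEST, HB_RESPONSE = 1, 2
TLS1_2 = 0x0303


def build_heartbeat(hb_type, payload, declared_length=None, version=TLS1_2):
    """Build one TLS heartbeat record (used here only to construct test data).
    declared_length defaults to the true payload length; a larger value
    reproduces the shape of the public Heartbleed probes."""
    if declared_length is None:
        declared_length = len(payload)
    padding = b"\x00" * 16                       # RFC 6520 minimum padding
    body = struct.pack("!BH", hb_type, declared_length) + payload + padding
    return struct.pack("!BHH", CONTENT_HEARTBEAT, version, len(body)) + body


def parse_tls_records(data):
    """Split a byte stream into (content_type, version, fragment) tuples.
    A truncated trailing record is dropped rather than guessed at."""
    records = []
    pos = 0
    while pos + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[pos:pos + 5])
        if pos + 5 + length > len(data):
            break
        records.append((ctype, version, data[pos + 5:pos + 5 + length]))
        pos += 5 + length
    return records


def heartbeat_fields(fragment):
    """Return (hb_type, declared_payload_length, bytes_actually_carried).
    bytes_actually_carried counts payload plus padding, i.e. everything
    that really crossed the wire after the 3-byte heartbeat header."""
    hb_type, declared = struct.unpack("!BH", fragment[:3])
    return hb_type, declared, len(fragment) - 3


def audit_exchange(client_bytes, server_bytes):
    """Audit one connection: client->server bytes and server->client bytes.
    Returns a list of finding strings (empty when nothing is wrong).
      * heartbleed-probe: a request declares more payload than it carries.
      * memory-leak: a response echoes more payload than the request
        actually sent, which a correct peer (RFC 6520, echo the payload)
        can never do."""
    findings = []
    request_carried = None
    for ctype, _, frag in parse_tls_records(client_bytes):
        if ctype != CONTENT_HEARTBEAT or len(frag) < 3:
            continue
        hb_type, declared, carried = heartbeat_fields(frag)
        if hb_type == HB_REQUEST:
            request_carried = carried
            if declared > carried:
                findings.append(f"heartbleed-probe: request declares "
                                f"{declared} bytes but carries {carried}")
    for ctype, _, frag in parse_tls_records(server_bytes):
        if ctype != CONTENT_HEARTBEAT or len(frag) < 3:
            continue
        hb_type, declared, _ = heartbeat_fields(frag)
        if (hb_type == HB_RESPONSE and request_carried is not None
                and declared > request_carried):
            findings.append(f"memory-leak: response echoes {declared} bytes "
                            f"for a request that sent {request_carried}")
    return findings


if __name__ == "__main__":
    # Constructed demo: a benign exchange, then a probe met by a leaking server.
    print(audit_exchange(build_heartbeat(HB_REQUEST, b"ping"),
                         build_heartbeat(HB_RESPONSE, b"ping")))
    print(audit_exchange(build_heartbeat(HB_REQUEST, b"ping", 0x4000),
                         build_heartbeat(HB_RESPONSE, b"A" * 0x4000)))
```

The check works only on heartbeats that travel in cleartext, which is exactly how the public probes operated: they sent the heartbeat during the handshake, before the ChangeCipherSpec, so the declared length was visible on the wire. Heartbeats sent after the handshake completes are encrypted and a passive sensor cannot read their length fields; for those services the only reliable answer is the OpenSSL version actually loaded by the daemon, which is why the report’s advice is to inventory and patch mail, VPN and VoIP hosts rather than rely on scanning alone.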
McAfee Email Gateway: Secunia reports that McAfee has released updates for its Email Gateway to fix multiple moderately critical vulnerabilities. Apply 7.5h960401 hotfix 2846.114 or MEG 7.6h960405 hotfix 2810.114.
Oracle Multiple Products: Secunia reports that Oracle has acknowledged a weakness, several security issues and some still-unpatched vulnerabilities, and has released updates for its Network Registrar, MySQL Connector/C, Connector/ODBC, Enterprise Backup, Workbench, Secure Global Desktop, Agile Product Lifecycle Management for Process, Agile PLM Framework, WebCenter Portal, Data Integrator, Hyperion Common Admin, Solaris FreeType, GnuTLS, XScreenSaver, Solaris, VM VirtualBox, Containers for J2EE, Endeca Server, Event Processing, Access Manager, WebLogic Server, JavaFX and others. Apply updates where available.
VMware Multiple Products: Secunia reports that VMware has released updates for its ESXi, NSX, vCloud Automation Center (vCAC), Fusion, Horizon Mirage, Horizon View, Horizon Workspace, OVF Tool, Player, vCenter Server and others to fix moderately critical vulnerabilities. Apply the update or patch where available. Patches are still pending for some products.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update (patch) to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.