Monday, May 05, 2014

Cyber Security News, Education and Cyber Vulnerability Patch Report for the Week of May 5, 2014

Cyber Security News of the Week

From our friends at Citadel Information Group

Cyber Crime
Tax Fraud Gang Targeted Healthcare Firms: Earlier this month, I wrote about an organized cybercrime gang that has been hacking into HR departments at organizations across the country and filing fraudulent tax refund requests with the IRS on employees of those victim firms. Today, we’ll look a bit closer at the activities of this crime gang, which appears to have targeted a large number of healthcare and senior living organizations that were all using the same third-party payroll and HR services provider. KrebsOnSecurity, April 30, 2014

Identity Theft
California Bills Would Address Consumer Financial Information Security: Two bills dealing with credit card security will be taken up over the next week in California legislative committees. Recent data security breaches at Target and other big retailers prompted the legislation. Capital Public Radio, May 2, 2014

Do Identity Theft Protection Services Work?: With more and more major retailers being hit by hackers and major security flaws on the Internet like Heartbleed, identity theft is becoming more and more of a threat. Huffington Post, May 1, 2014

Susan Tompor: Time to get a ‘little paranoid’ after credit, debit card breaches: Mike Rosinski, 51, doesn’t really know how a string of fraudulent charges ranging from as little as $3.19 for some odd outfit in Missouri to $434.10 at a Fry’s Electronics in another state ended up hitting his Visa credit card in mid-April. Detroit Free Press, May 1, 2014

AOL asking users to change passwords after discovering breach: AOL is asking potentially millions of its email users to change their passwords and security questions after discovering a cyber attack that potentially compromised the accounts of a small portion of its user base. ZDNet, April 28, 2014

Cyber Threat
Europol Cybercrime Chief Believes Cyber Threat Will ‘Change the World’: According to the man tasked with tackling online crime across the European Union, the continent’s reliance on the internet to do business makes it the perfect target for cybercriminals, who don’t even have to leave their armchairs to commit crimes. IBTimes, April 29, 2014

Cyber Warning
Homeland Security: Don’t use IE due to bug: SAN FRANCISCO — The U.S. Department of Homeland security is advising Americans not to use the Internet Explorer Web browser until a fix is found for a serious security flaw that came to light over the weekend. USA Today, April 29, 2014

Officials Say Russian Hackers May Retaliate for Sanctions: U.S. officials and security specialists are warning that Russian hackers may respond to new sanctions by attacking the computer networks of U.S. banks and other companies. Bloomberg, April 27, 2014

Cyber Security Management
Microsoft sharpens encryption management tools: Microsoft is giving the IT admin crowd an updated toolset for managing encryption with the latest release of its Desktop Optimization Pack, better known as MDOP. PCWorld, May 2, 2014

How to protect your supply chain from cybercrime: As companies start to work with more clients, they run the risk of cybercrime through a whole network of collaborating businesses. Here are tips on how to protect yourself from an online attack. The Guardian, April 28, 2014

Applying ‘big data’ principles reveals three main types of cyber crime per industry – Verizon report: The overwhelming majority of data breaches tracked by security researchers last year fell into one of nine categories, while three of those categories dominated recorded attacks in any given industry, according to a new report. April 24, 2014

Cyber Security Management – Cyber Defense
John Pescatore: BYOIT, IoT among top information security trends: BOSTON — There’s no board game that can help enterprise information security managers win in their jobs, but one of the industry’s most respected security analysts believes identifying key changes in IT and getting the resources to secure them can often seem like a game of “Chutes and Ladders.” SearchSecurity, May 2, 2014

Cyber Security Management – Cyber Update
Microsoft Issues Fix for IE Zero-Day, Includes XP Users: Microsoft has issued an emergency security update to fix a zero-day vulnerability that is present in all versions of its Internet Explorer Web browser and that is actively being exploited. In an unexpected twist, the company says Windows XP users also will get the update, even though Microsoft officially ceased supporting XP last month. KrebsOnSecurity, May 1, 2014

Adobe Update Nixes Flash Player Zero Day: Adobe Systems Inc. has shipped an emergency security update to fix a critical flaw in its Flash Player software that is currently being exploited in active attacks. The exploits so far appear to target Microsoft Windows users, but updates also are available for Mac and Linux versions of Flash. KrebsOnSecurity, April 28, 2014

Securing the Village
Good information security leadership demands focus on shared knowledge: BOSTON — One of information security’s most venerable thought leaders believes the evolution of leadership in the industry has reached a turning point and without a disciplined, holistic approach emphasizing shared knowledge, enterprise security programs will never achieve their desired results. SearchSecurity, May 1, 2014

Today on CLBR: The State of Cyber Security with Stan Stahl: Dr. Stan Stahl, President of Citadel Information Group, returns to discuss the latest Cyber Security issues and the upcoming ISSA-LA Information Security Summit VI which is the premier information security event in Los Angeles. CyberLawRadio, April 23, 2014

National Cyber Security
White House Details Thinking on Cybersecurity Flaws: WASHINGTON — In a rare insight into the government’s thinking on the use of cyberweapons, the White House on Monday published a series of questions it asks in deciding when to make public the discovery of major flaws in computer security or whether to keep them secret so that American intelligence agencies can use them to enable surveillance or an attack. The New York Times, April 28, 2014

Cyber Underworld
EU Cybercrime Officials Blame TOR for Difficulty in Catching Criminals: CoinReport, April 20, 2014

Cyber Espionage
F.B.I. Informant Is Tied to Cyberattacks Abroad: WASHINGTON — An informant working for the F.B.I. coordinated a 2012 campaign of hundreds of cyberattacks on foreign websites, including some operated by the governments of Iran, Syria, Brazil and Pakistan, according to documents and interviews with people involved in the attacks. The New York Times, April 23, 2014

Cyber Calendar
ISSA-LA Sixth Annual Information Security Summit, May 16, Universal City Hilton. Speakers include Richard Clarke, former Assistant to the President; Jackie Lacey, Los Angeles County District Attorney; Jeremiah Grossman, Founder & iCEO, WhiteHat Security; Marcus Ranum, CSO, Tenable; Marc Maiffret, CTO, Beyond Trust; Jim Manico, Secure Coding Instructor and Author, Global OWASP Board of Directors; Ira Winkler, ISSA International President; Andrea Hoy, ISSA International Vice-President. For more information and to register, visit ISSA-LA.

Weekend Vulnerability and Patch Report, May 4, 2014

Important Security Updates

Adobe Flash Player: Adobe has released version for its Flash Player to fix an extremely critical vulnerability. Updates are available through the program or from Adobe’s Flash Web Site.

Check Point Technologies Zone Alarm: Check Point has released version of the Free version of Zone Alarm. Updates are available from Check Point’s website.

Dropbox: Dropbox has released version 2.6.31 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel's warning below]

Google Chrome: Google has released version 34.0.1847.131 of Chrome for Windows and Mac to fix 8 highly critical vulnerabilities. Updates are available through the program.

Microsoft Internet Explorer: Microsoft has released an emergency security update to fix a zero-day vulnerability that is present in all versions of its Internet Explorer Web browser and that is actively being exploited. The company says Windows XP users also will get the update, even though Microsoft officially ceased supporting XP last month. Updates are available from the Windows Control Panel.

Mozilla Firefox: Mozilla has released version 29.0 of Firefox to fix at least 13 highly critical vulnerabilities. Updates are available within the browser or from Mozilla’s website. There are also updates for Thunderbird and SeaMonkey.

Mozilla Firefox for Android: Mozilla has released version 29.0 of Firefox for Android to fix an unpatched vulnerability in previous versions. Updates are available through the device.

TechSmith Corporation SnagIt: TechSmith has released updates for SnagIt. Updates are available from TechSmith’s website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.06
Dropbox 2.6.31 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 29.0
Google Chrome 34.0.1847.131
Internet Explorer 11.0.9600.17105
Java SE 8 Update 5 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7 
Safari 7.0.2 [Mac OS X]

Newly Announced Unpatched Vulnerabilities


For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports that Cisco has released updates for its TelePresence System MXP Series, Unified Communications Manager, IOS XE, Adaptive Security Appliance (ASA), and others. Apply updates. 

Cisco TelePresence TC and TE: Secunia reports that Cisco has released a partial fix for its TelePresence TC and TE to address at least 11 moderately critical vulnerabilities. Update or upgrade to a fixed version.

Microsoft Windows Flash Player: Secunia reports that Microsoft has released updates to fix a highly critical vulnerability in Windows Flash Player for Windows 8 and 8.1, Windows RT 8.1, and Server 2012. Apply updates.

Novell Open Enterprise Server (OES): Secunia reports that Novell has released updates to fix a security issue in its Open Enterprise Server (OES) reported in Novell Client for Linux shipped within the Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 2. Apply “April 2014 OES11SP2 Hot Patch for NCL”.

Novell Storage Manager: Secunia reports that Novell has released updates to fix two vulnerabilities in previous versions of its Storage Manager caused by a bundled vulnerable version of OpenSSL. Update to version

If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated. If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Copyright © 2014 Citadel Information Group. All rights reserved.