Monday, May 12, 2014

Cyber Security News, Education and Cyber Security Vulnerability and Patch Report for the Week of May 12, 2014

Cyber Security News of the Week

From our friends at Citadel Information Group

Cyber Crime

The Target Breach, By the Numbers: News that Target’s CEO Gregg Steinhafel is stepping down has prompted a flurry of reports from media outlets trying to recap events since the company announced a data breach on Dec. 19, 2013. Sprinkled throughout those reports were lots of numbers, which got me to thinking about synthesizing them with some of the less-reported numbers associated with this epic breach. KrebsOnSecurity, May 6, 2014
Target CEO Gregg Steinhafel Resigns In Data Breach Fallout: Target’s CEO is the latest casualty of the widespread data breach that saw hackers steal personal data and credit card information from millions of customers. Forbes, May 5, 2014

Cyber Privacy

My Experiment Opting Out of Big Data Made Me Look Like a Criminal: Here’s what happened when I tried to hide my pregnancy from the Internet and marketing companies. Time, May 1, 2014

Cyber Security Management

Are rogue employees the biggest threat to information security?: Rogue employees continue to be the biggest threat to information security, according to 37% of IT professionals polled by BSI at Infosecurity Europe 2014. Help Net Security, May 9, 2014
The rising strategic risks of cyberattacks: More and more business value and personal information worldwide are rapidly migrating into digital form on open and globally interconnected technology platforms. As that happens, the risks from cyberattacks become increasingly daunting. Criminals pursue financial gain through fraud and identity theft; competitors steal intellectual property or disrupt business to grab advantage; “hacktivists” pierce online firewalls to make political statements. McKinsey&Company, May 2014

Cyber Security Management – Cyber Defense

Accidental Heartbleed Vulnerabilities Undercut Recovery Effort: Scans find 300,000 affected servers, but a surprising number of newly vulnerable servers have surfaced since Heartbleed warning was first sounded. Dark Reading, May 9, 2014
Antivirus is Dead: Long Live Antivirus!: An article in The Wall Street Journal this week quoted executives from antivirus pioneer Symantec uttering words that would have been industry heresy a few years ago, declaring antivirus software “dead” and stating that the company is focusing on developing technologies that attack online threats from a different angle. KrebsOnSecurity, May 7, 2014

Cyber Warning

Google blocks filesharing website Demonoid over malware downloads: Google is warning users of its search engine that if they visit filesharing website Demonoid, they could find malicious software being downloaded and installed on their computers. The Guardian, May 9, 2014

Cyber Law

DOJ Asks for New Authority to Hack and Search Remote Computers: IDG News Service (Washington, D.C., Bureau) — The U.S. Department of Justice wants new authority to hack and search remote computers during investigations, saying the new rules are needed because of complex criminal schemes sometimes using millions of machines spread across the country. CIO, May 9, 2014
FTC Must Disclose Consumer Data Security Standards: A company accused by the FTC of failing to provide adequate data security has the right to know the required security standards, administrative judge rules. InformationWeek, May 8, 2014

Cyber Misc

When Hitting ‘Find My iPhone’ Takes You to a Thief’s Doorstep: WEST COVINA, Calif. — After a boozy Saturday night, Sarah Maguire awoke the next morning to find that her iPhone was gone. Her roommate’s phone was gone, too. Were they at the bar, she wondered, or in the cab? The New York Times, May 3, 2014
Can Hackers Really Manipulate Traffic Lights Like You’ve Seen in the Movies?: The hacker in The Italian Job did it spectacularly. So did the fire-sale team in Live Free or Die Hard. But can hackers really hijack traffic lights to cause gridlock and redirect cars? Yahoo, May 2, 2014
Bitcoin Vies with New Cryptocurrencies as Coin of the Cyber Realm: As hundreds of “altcoin” knockoffs are minted online, bitcoins no longer dominate as the principal form of digital currency. Scientific American, April 29, 2014

Cyber Calendar

ISSA-LA Sixth Annual Information Security Summit, May 16, Universal City Hilton. Speakers include Richard Clarke, former Assistant to the President; Jackie Lacey, Los Angeles County District Attorney; Jeremiah Grossman, Founder & iCEO, WhiteHat Security; Marcus Ranum, CSO, Tenable; Marc Maiffret, CTO, BeyondTrust; Jim Manico, Secure Coding Instructor and Author, Global OWASP Board of Directors; Ira Winkler, ISSA International President; Andrea Hoy, ISSA International Vice-President. For more information and to register, visit ISSA-LA.
EFF at ISSA-LA Information Security Summit: Join EFF at the 6th annual ISSA-LA Information Security Summit! The Los Angeles Chapter Information Systems Security Association presents this event to provide a unique opportunity to learn from leading cyber security experts like Former White House cyber security czar Richard A. Clarke and Los Angeles County District Attorney Jackie Lacey. Electronic Frontier Foundation at ISSA-LA Information Security Summit, Event Date: May 16, 2014
BeyondTrust Chief Technology Officer Marc Maiffret to Speak at ISSA-LA Sixth Annual Information Security Summit on Cybercrime Solutions: Marc Maiffret, Chief Technology Officer of BeyondTrust, is one of the outstanding speakers at the Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) Sixth Annual Information Security Summit on May 16, 2014, at Hilton Universal City Hotel in Los Angeles. The theme of the Summit, The Growing Cyber Threat: Protect Your Business, emphasizes the financial impact of cybercrime on all organizations, and it highlights finding solutions to protecting and securing private information on the Internet. MarketMen, April 4, 2014


Weekend Vulnerability and Patch Report, May 11, 2014

Important Security Updates

Dropbox: Dropbox has released version 2.6.33 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel's warning below]
Foxit Reader: Foxit has released version to fix a moderately critical vulnerability. Updates are available through the program or from Foxit’s website.
Mozilla Firefox: Mozilla has released version 29.0.1. Updates are available within the browser or from Mozilla’s website.
Opera: Opera has released version 21.0.1432.57. Updates are available from within the browser or from Opera’s website.
Siber Systems RoboForm: Siber Systems has released version 7.9.6 of RoboForm. Updates are available from within the program (look for the “Check New Version” button on the Options menu) or from the RoboForm website.
WinZip: WinZip has released version 18.5. Updates are available from within the program (look for “Check for Updates” on the Help menu) or from the WinZip website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.06
Dropbox 2.6.33 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like AxCrypt before they are placed in Dropbox; encryption passphrases be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 29.0.1
Google Chrome 34.0.1847.131
Internet Explorer 11.0.9600.17105
Java SE 8 Update 5 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7 
Safari 7.0.2 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports that Cisco has released updates for its WebEx Meetings Server, WebEx Recording Format Player, WebEx Advanced Recording Format Player, Adaptive Security Appliance (ASA), Broadband Access Center Telco Wireless (BAC-TW), Nexus 1000V Series Switches, and others. Apply updates.
Citrix Multiple Products: Secunia reports that Citrix has released updates for its CloudPlatform, Licensing, Usage Collector, XenClient Enterprise, XenClient XT, Desktop Player for Mac, Receiver, Worx Home for iOS, XenMobile MDX Toolkit & SDK, NetScaler and others. Apply updates.
Kaspersky Internet Security: Secunia reports that Kaspersky has released updates for its Internet Security to fix a moderately critical vulnerability in previous versions. Apply patch G.
Kaspersky PURE: Secunia reports that Kaspersky has released updates for its PURE RPC Server to fix a moderately critical vulnerability in previous versions. Apply patch E.
McAfee Firewall Enterprise: Secunia reports that McAfee has released updates for its Firewall Enterprise to fix a highly critical vulnerability reported in previous versions. Update to version,, 8.2.1P01, or 8.3.0.
Novell Open Enterprise Server: Secunia reports that Novell has released updates to fix a vulnerability in its Open Enterprise Server 11 (OES 11) Linux Support Pack 2, reported in versions prior to oes11sp2-March-2014-Scheduled-Maintenance-8934. Apply oes11sp2-March-2014-Scheduled-Maintenance-8934.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS X, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update, or patch, to fix the code running on their customers’ computers; until that patch is installed, the exploit keeps working.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
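The report above lists “current” version numbers but leaves the comparison to the reader. The following is an added example, not part of Citadel’s report, showing how to turn that list into an automated check: it parses dotted version strings into integer tuples (so that “11.0.06” and “11.0.6” compare equal and “29.0” is correctly older than “29.0.1”), then flags every installed product that is behind the report’s version. The installed-version inventory is constructed for illustration, not read from a real workstation; the current-version table copies the numeric entries from the report’s list (Java and Flash are omitted because their entries are not plain dotted versions).

```python
"""Flag installed software that is behind a published 'current version' list.

Added example, not Citadel's own tooling. SAMPLE_INVENTORY is constructed;
CURRENT_VERSIONS copies the numeric entries from the report's list.
"""
import re

# Numeric entries from the report's "Current Software Versions" list.
CURRENT_VERSIONS = {
    "Adobe Reader": "11.0.06",
    "Dropbox": "2.6.33",
    "Firefox": "29.0.1",
    "Google Chrome": "34.0.1847.131",
    "Internet Explorer": "11.0.9600.17105",
    "QuickTime": "7.7.5",
    "Safari": "7.0.2",
}

# Constructed sample inventory: what one workstation might report.
SAMPLE_INVENTORY = {
    "Adobe Reader": "11.0.04",           # behind
    "Dropbox": "2.6.33",                 # current
    "Firefox": "29.0",                   # behind (29.0 < 29.0.1)
    "Google Chrome": "34.0.1847.131",    # current
    "Internet Explorer": "11.0.9600.16521",  # behind
    "QuickTime": "7.7.5",                # current
    "Unlisted Tool": "1.0",              # not covered by the list
}


def parse_version(version):
    """Turn '34.0.1847.131' into (34, 0, 1847, 131); '11.0.06' into (11, 0, 6).

    Only the numeric components are used, so vendor decorations such as
    'v' prefixes or build suffixes are ignored rather than mis-ordered.
    """
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"no numeric components in version string {version!r}")
    return tuple(int(p) for p in parts)


def compare_versions(installed, current):
    """Return -1, 0 or 1 as installed is older than, equal to, or newer than current.

    Shorter tuples are right-padded with zeros so '7.7.5' equals '7.7.5.0'
    and '29.0' is recognised as older than '29.0.1'.
    """
    a, b = parse_version(installed), parse_version(current)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return (a > b) - (a < b)


def find_outdated(installed, current=CURRENT_VERSIONS):
    """Return {product: (installed, current)} for every product behind the list.

    Products the list does not mention are skipped rather than reported,
    so an unexpected entry in the inventory cannot hide a real gap.
    """
    outdated = {}
    for name, version in installed.items():
        if name not in current:
            continue
        if compare_versions(version, current[name]) < 0:
            outdated[name] = (version, current[name])
    return outdated


if __name__ == "__main__":
    for name, (have, want) in sorted(find_outdated(SAMPLE_INVENTORY).items()):
        print(f"{name}: installed {have}, current {want} -> UPDATE")
```

Run it as-is and it reports Adobe Reader, Firefox and Internet Explorer as needing updates while leaving the up-to-date entries quiet. To use it against a real machine, replace SAMPLE_INVENTORY with output from your own inventory source; the comparison only handles purely numeric dotted versions, so entries such as “Java SE 8 Update 5” need to be normalised to the vendor’s numeric form first.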
Copyright © 2014 Citadel Information Group. All rights reserved.