Monday, May 19, 2014

Cyber Security News, Education and Cyber Vulnerability Patch Report for the Week of May 19, 2014


Cyber Security News of the Week

From our friends at Citadel Information Group


Cyber Crime

Breach At Bit.ly Blamed On Offsite Backup Storage Provider: URL shortening service says user database may have been compromised through backup data. DarkReading, May 13, 2014

Cyber Attack

Iranian Hackers Targeted Defense Workers and Political Dissidents: There’s a new politically motivated hacker gang to keep track of, one that started out defacing websites but which has progressed more recently into conducting full-blown campaigns of cyber espionage abroad and political oppression at home. And it is based in Iran. Re/code, May 13, 2014

Cyber Privacy

NSA reform: lawmakers aim to bar agency from weakening encryption: Concerned about weaknesses in USA Freedom Act, Zoe Lofgren and colleagues pushing to prevent NSA from weakening online encryption with new amendment. The Guardian, May 13, 2014
Is the EU compelling Google to become about.me?: Today the EU’s highest court interpreted the EU’s 1995 Data Protection Directive to mean that individuals should have a shot at insisting that Google and other search engines remove certain search results found upon a search for their names, not because they are false, or infringe copyright, but because they violate a “respect for private life” or a “right to protection of personal data.” What does that mean specifically? Not easy to say. Neither the opinion nor the Court’s press release is clear on that. Among the many cases pending about it, the one that the Court heard involved a Spanish citizen who did not like that people could find the public records of a foreclosure sale of one of his properties. So that’s not personal, secret information that was somehow uncovered; it’s a public record or fact made more searchable. And it’s not in the narrow category of things like social security numbers that might be in public documents, but for which Google and other search engines have taken some steps to make them not work as search terms. (Same with credit card numbers.) Jonathan Zittrain, May 13, 2014
Europe’s Top Court Orders Google to Forget: Google and other search engine providers can be ordered to delete links to outdated information about a person published on the Internet, the Court of Justice of the European Union ruled Tuesday. CIO, May 13, 2014

Identity Theft

Here’s How You Protect Your Kids From Identity Theft: Child identity theft cases sometimes continue for years before they’re discovered. Adam Levin, of Identity Theft 911, explains how this happens, and what to do about it. NPR, May 13, 2014

Cyber Warning

Windows users warned over spammed-out gadget malware attack: Windows users are at risk of having their computers infected, after a malware attack posing as an “important company update” was spammed out. Graham Cluley, May 16, 2014
Hackers ramp up computer attacks, demand ‘ransom’: On a bitter cold Friday in January, an ominous warning popped up on a computer screen at the Chamber of Commerce in Bennington, Vt. Detroit Free Press, May 15, 2014
Postal Service: Beware Stamp Kiosk Skimmers: The United States Postal Inspection Service is investigating reports that fraudsters are installing skimming devices on automated stamp vending machines at Post Office locations across the United States, KrebsOnSecurity has learned. KrebsOnSecurity, May 13, 2014

Cyber Security Management

Infographic: The Story Of A Phish: Are your employees like Troy, blissfully unaware of the dangers of spear phishing? DarkReading, May 13, 2014
Cybersecurity options lag behind hackers’ abilities: A computer hacker once told a congressional committee that he could take out the entire Internet in a half-hour. That was back when the World Wide Web was in its infancy and Google didn’t even exist yet. Stars and Stripes, May 13, 2014
Your Cybersecurity: Don’t Count On The Government: Last week I attended the United States Cybercrime conference outside of Washington, D.C. For the past eleven of twelve years, the Department of Defense organized this gathering, but this year it was privately funded due to budget constraints. This was a five-day event with six hundred cybersecurity experts, government agents, intelligence officers, and private sector IT professionals. There were more than 170 speakers, sixty exhibitors, and in-depth hands-on training courses in digital forensic investigations, decryption techniques, malware smartphone analysis, and covert exploration of digital services. Forbes, May 12, 2014

Cyber Security Management – Cyber Update

Adobe, Microsoft Issue Critical Security Fixes: Adobe and Microsoft today each released software updates to plug dangerous security holes in their products. Adobe pushed patches to fix holes in Adobe Acrobat/Reader as well as Flash Player. Microsoft issued eight update bundles to nix at least 13 security vulnerabilities in Windows and software that runs on top of the operating system. KrebsOnSecurity, May 13, 2014

Cyber Security Management – Cyber Defense

Rush to defend against Heartbleed leads to mistakes with certificates, patches: Despite taking prompt action to defend against the Heartbleed attack, some sites are no better off than before — and in some cases, they are much worse off. NetworkWorld, May 9, 2014


Weekend Vulnerability and Patch Report, May 18, 2014


Important Security Updates

Adobe Flash Player: Adobe has released version 13.0.0.214 to fix at least 6 highly critical vulnerabilities in its Flash Player for the Windows, Mac, Linux and versions. Updates are available from Adobe’s website.
Adobe Reader: Adobe has released version 11.0.07 to fix at least 11 highly critical vulnerabilities reported in previous versions. Updates are available from Adobe’s website. Updates are also available for Acrobat and Illustrator.
Apple iTunes: Apple has released version 11.2 for iTunes versions in Windows 8, 7, Vista, and XP SP3 or later. Updates are available through the program or from Apple’s website.
Apple OS X: Apple has released updates for OS X to fix at least 22 vulnerabilities, some of which are highly critical. Update to version 10.9.3 or apply Security Update 2014-001. Updates are available through Apple’s website.
Foxit Reader: Foxit has released version 6.2.0.0429 to fix a moderately critical vulnerability. Updates are available through the program or from Foxit’s website.
Google Chrome: Google has released Google Chrome 34.0.1847.137 for Windows, Mac, Linux, and Chrome Frame to fix at least 9 highly critical vulnerabilities. Updates are available from within the browser or from Google Chrome’s website.
Microsoft Internet Explorer: Microsoft released updates to fix two extremely critical vulnerabilities in all versions of Internet Explorer. Apply updates.
Microsoft Patch Tuesday: Microsoft released several updates addressing at least 13 security vulnerabilities, some of which are highly critical, in Windows, Office, Internet Explorer, and more. Updates are available via Windows Update or from Automatic Update.
Opera: Opera has released version 21.0.1432.67. Updates are available from within the browser or from Opera’s website.
Skype: Skype has released Skype 6.16.0.105. Updates are available from the program or Skype’s website.
TechSmith Corporation SnagIt: TechSmith has released updates for SnagIt. Updates are available from TechSmith’s website.

Current Software Versions

Adobe Flash  13.0.0.214 [Windows 7: IE]
Adobe Flash  13.0.0.214 [Windows 7: Firefox, Mozilla]
Adobe Flash  13.0.0.214 [Windows 8: IE]
Adobe Flash  13.0.0.214 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.07
Dropbox 2.6.33 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 29.0.1
Google Chrome 34.0.1847.137
Internet Explorer 11.0.9600.17105
Java SE 8 Update 5 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7 
Safari 7.0.2 [Mac OS X]
Skype 6.16.0.105

Newly Announced Unpatched Vulnerabilities

None
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

BlackBerry OS: Secunia reports that BlackBerry has released updates for its OS to fix 17 vulnerabilities, some of which are highly critical, due to a bundled version of Adobe Flash Player. Update to version 10.2.0.1443. 
Cisco Multiple Products: Secunia reports that Cisco has released updates for its IOS and IOS XE, , and others. Apply updates.
RSA NetWitness / Security Analytics: Secunia reports that RSA has released an update to fix a security issue in its NetWitness and Security Analytics. Update to a fixed version.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.


SecurityRecruiter.com's Security Recruiter Blog