Tuesday, May 27, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of May 25, 2014

Cyber Security News of the Week

From our friends at Citadel Information Group

Cyber Crime

U.S. states probe eBay cyber attack as customers complain: (Reuters) – EBay Inc came under pressure on Thursday over a massive hacking of customer data as three U.S. states began investigating the e-commerce company’s security practices. Reuters, May 22, 2014
Experian Breach Tied to NY-NJ ID Theft Ring: Last year, a top official from big-three credit bureau Experian told Congress that the firm was not aware of any consumers that had been harmed by an incident in which a business unit of Experian sold consumer records directly to an online identity theft service for nearly 10 months. Today’s post presents evidence that among the ID theft service’s clients was an identity theft and credit card fraud ring of at least 32 people who were arrested last year for allegedly using the information to steal millions from more than 1,000 victims across the country. KrebsOnSecurity, May 19, 2014

Cyber Attack

Hackers attack games-for-troops charity drive: Less than half an hour after beginning, the third annual 8-Bit Salute of Operation Supply Drop — a fund drive to send video games to U.S. troops serving abroad — was beset by hackers. Polygon, May 17, 2014

Identity Theft

3 Ways to Protect Your Child From Identity Theft: Identity theft is becoming a bigger problem in the United States. As technology becomes more sophisticated, hackers are finding more and better ways to steal our identities. And the theft isn’t limited to adults. CNN, May 19, 2014

Cyber Warning

Expert: Fake eBay Customer List is Bitcoin Bait: In the wake of eBay’s disclosure that a breach may have exposed the personal data on tens of millions of users, several readers have written in to point out an advertisement that is offering to sell the full leaked user database for 1.4 bitcoins (roughly USD $772 at today’s exchange rates). The ad has even prompted some media outlets to pile on that the stolen eBay data is now for sale. But a cursory examination of the information suggests that it is almost certainly little more than a bid to separate the unwary from their funds. KrebsOnSecurity, May 22, 2014
Why You Should Ditch Adobe Shockwave: This author has long advised computer users who have Adobe’s Shockwave Player installed to junk the product, mainly on the basis that few sites actually require the browser plugin, and because it’s yet another plugin that requires constant updating. But I was positively shocked this week to learn that this software introduces a far more pernicious problem: Turns out, it bundles a component of Adobe Flash that is more than 15 months behind on security updates, and which can be used to backdoor virtually any computer running it. KrebsOnSecurity, May 21, 2014
Embedded Devices Leak Authentication Data via SNMP Community String: Researchers have discovered previously unreported problems in SNMP on embedded devices where devices such as secondary market home routers and a popular enterprise-grade load balancer are leaking authentication details in plain text. ThreatPost, May 16, 2014

Cyber Security Management

When a CEO Takes the Fall (Over Information Security): What’s the biggest perk a Fortune 500 CEO gets? Sure, it’s typically a high-profile position and good compensation, but how about job security? Could it all go away? InnovationInsights, May 21, 2014

Cyber Security Management – Cyber Defense

eBay Urges Password Changes After Breach: eBay is asking users to pick new passwords following a data breach earlier this year that exposed the personal information of an untold number of the auction giant’s 145 million customers. KrebsOnSecurity, May 21, 2014
PayPal Fixes Serious Account Hijacking Bug in Manager: PayPal patched a hole in its Manager portal this week that could have made it easy for an attacker to hijack an admin’s account, change their password and steal their personal information — not to mention their savings. ThreatPost, May 16, 2014

National Cyber Security

Indictment of PLA hackers is part of broad U.S. strategy to curb Chinese cyberspying: Two years ago, a senior official from the State Department and one from the Pentagon held an extraordinary four-hour meeting with their counterparts in Beijing. For the first time, the U.S. government confronted the Chinese government with proof that American companies were being hacked by the People’s Liberation Army to benefit Chinese firms. Washington Post, May 22, 2014
U.S. Case Offers Glimpse Into China’s Hacker Army: BEIJING — One man accused of being a hacker for the Chinese military, Wang Dong, better known as UglyGorilla, wrote in a social media profile that he did not “have much ambition” but wanted “to wander the world with a sword, an idiot.” The New York Times, May 22, 2014
5 in China Army Face U.S. Charges of Cyberattacks: WASHINGTON — In the Obama administration’s most direct confrontation with China over its theft of corporate secrets, the Justice Department on Monday unsealed an indictment of five members of the Chinese People’s Liberation Army and charged them with hacking into the networks of Westinghouse Electric, the United States Steel Corporation and other companies. The New York Times, May 19, 2014

Cyber Misc

Hackers can ‘un-brick’ stolen iPhones: Two hackers have figured out a way to unlock lost Apple devices — a boon for criminals with stolen iPhones and iPads. CNN, May 21, 2014

Cyber Sunshine

‘Blackshades’ Trojan Users Had It Coming: The U.S. Justice Department today announced a series of actions against more than 100 people accused of purchasing and using “Blackshades,” a password-stealing Trojan horse program designed to infect computers throughout the world to spy on victims through their web cameras, steal files and account information, and log victims’ key strokes. While any effort that discourages the use of point-and-click tools for ill-gotten gains is a welcome development, the most remarkable aspect of this crackdown is that those who were targeted in this operation lacked any clue that it was forthcoming. KrebsOnSecurity, May 19, 2014
Europe leads global raids on BlackShades malware: AMSTERDAM — Acting on an FBI tipoff, police worldwide have arrested 97 people in 16 countries suspected of developing, distributing or using malicious software called BlackShades that allows criminals to gain surreptitious control of personal computers, European law enforcement officials announced Monday. The Washington Post, May 19, 2014

Weekend Vulnerability and Patch Report, May 25, 2014

Important Security Updates

Apple OS X: Apple has released updates for its OS X Mavericks to fix a highly critical vulnerability in previous versions. Update to version 3.1.2 for Apple OS X Mavericks versions 10.9.3 or later.
Apple Safari: Apple has released updates for Safari to fix at least 22 vulnerabilities, some of which are highly critical, reported in previous versions. Update to Safari 7.0.4 for OS X Mavericks and Safari 6.1.4 for OS X Mountain Lion and Lion. Updates are available from Apple’s website.
AVG Antivirus Free Edition: AVG has released version 2014.0.4592 (32-bit) of its Free Edition Antivirus. Updates are available through the program or from AVG’s website.
D-Link DSP-W215: D-Link has released updates for its DSP-W215 to fix a moderately critical vulnerability in previous versions. Update to version 1.02b05. Updates are available from D-Link’s website.
Dropbox: Dropbox has released version 2.8.0 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel's warning below]
Google Chrome: Google has released Google Chrome 35.0.1916.114 for Windows, Mac, Linux, and Chrome Frame to fix at least 8 highly critical vulnerabilities. Updates are available from within the browser or from Google Chrome’s website.
Malwarebytes: Malwarebytes has released version 2.02. Updates are available from Malwarebytes’ website.
Piriform CCleaner: Piriform has released version 4.14.4707 for CCleaner. Updates are available from Piriform’s website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.07
Dropbox 2.6.33 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 29.0.1
Google Chrome 35.0.1916.114
Internet Explorer 11.0.9600.17105
Java SE 8 Update 5 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7 
Safari 7.0.4 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

Microsoft Internet Explorer: Secunia reports an unpatched highly critical vulnerability in Internet Explorer version 8. No official solution is currently available.
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports that Cisco has released updates for its Cisco Security Manager (CSM), Wide Area Application Services (WAAS), Cisco TelePresence Systems (CTS), Identity Services Engine (ISE), NX-OS, IOS, IOS XE, Email Security Appliance and Content Security Management Appliance, IOS XR, Unified Web and E-Mail Interaction Manager and others. Apply updates.
McAfee ePolicy Orchestrator: Secunia reports that McAfee has released updates to fix at least 6 moderately critical vulnerabilities for its ePolicy Orchestrator due to a bundled version of Java. Apply hotfix or update to version 4.6.8 or 5.1.1 when available.
Moodle: Secunia reports that Moodle has released updates to address at least 5 security issues and vulnerabilities reported in versions 2.6 through 2.6.2, 2.5 through 2.5.5, and 2.4 through 2.4.9. Update to version 2.7, 2.6.3, 2.5.6, or 2.4.10.

If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.

SecurityRecruiter.com's Security Recruiter Blog