Monday, June 02, 2014

Cyber Security News, Education, Vulnerability and Patch Report for the Week of June 2, 2014

Cyber Security News of the Week


From our friends at Citadel Information Group


Thieves Planted Malware to Hack ATMs: A recent ATM skimming attack in which thieves used a specialized device to physically insert malicious software into a cash machine may be a harbinger of more sophisticated scams to come. KrebsOnSecurity, May 30, 2014

Cyber Attack

Complexity as the Enemy of Security: Late last month, hackers allied with the Syrian Electronic Army (SEA) compromised the Web site for the RSA Conference, the world’s largest computer security gathering. The attack, while unremarkable in many ways, illustrates the continued success of phishing attacks that spoof top executives within targeted organizations. It’s also a textbook example of how third-party content providers can be leveraged to break into high-profile Web sites. KrebsOnSecurity, May 27, 2014

Cyber Privacy

AS SNOWDEN ANNIVERSARY NEARS, EFF URGES USERS TO RAMP UP PRIVACY AND SECURITY: Time flies when you’re having fun. But it apparently also flies when there’s a new story every other day about NSA surveillance. It’s been nearly one year since the first story sourced from the documents Edward Snowden stole from the agency appeared, and with that in mind, the EFF is encouraging people to commemorate the day by installing privacy and security tools to protect their communications. ThreatPost, May 30, 2014
Some Privacy, Please? Facebook, Under Pressure, Gets the Message: SAN FRANCISCO — Do you know who can see what you are posting on Facebook, including your photos, birthday and personal cellphone number? The New York Times, May 23, 2014

Cyber Threat

Researchers: Recent Zero-Day Attacks Linked Via Common Exploit Package: Elderwood Platform, a two-year-old package of exploits, has been used to create multiple zero-day threats, Symantec researchers said. DarkReading, May 19, 2014

Cyber Warning

Backdoor in Call Monitoring, Surveillance Gear: If your company’s core business is making software designed to help first responders and police record and intercept phone calls, it’s probably a good idea to ensure the product isn’t so full of security holes that it allows trivial access by unauthorized users. Unfortunately, even companies working in this sensitive space fall victim to the classic blunder that eventually turns most software into Swiss Cheese: Trying to bolt on security only after the product has shipped. KrebsOnSecurity, May 28, 2014
Hackers use ‘Find My iPhone’ to lockout, ransom Mac and iOS device owners in Australia: Owners of Macs and iOS devices in Australia woke up on Tuesday to find their machines locked by Find My iPhone, with the nefarious hackers responsible demanding payment via PayPal before they return control. AppInsider, May 26, 2014

Cyber Security Management

Keeping Up with Cybersecurity Framework: The folks at PricewaterhouseCoopers, after surveying 500 U.S. business, law enforcement and government executives, conclude that the vast majority of cybersecurity programs fall very short of the federal government’s cybersecurity framework goals. BankInfoSecurity, May 30, 2014
Why are Chief Information Security Officers Critical?: In some corporations, the role of the Chief Information Security Officer (CISO) is becoming as important or even more important than the functions of the once-revered Chief Information Officer (CIO). PaymentWeek, May 29, 2014

Cyber Security Management – Cyber Awareness

How to Avoid Cyberspies on Facebook, LinkedIn: The first line of defense against a social media-related attack recently perpetrated by a suspected Iranian hacker group is to teach employees how to spot cyberspies, experts say. CIO, May 30, 2014

Cyber Security Management – Cyber Defense

A beginner’s guide to BitLocker, Windows’ built-in encryption tool: The creators of TrueCrypt shocked the computer security world this week when they seemingly ended development of the popular open source encryption tool. Even more surprising, the creators said TrueCrypt could be insecure and that Windows users should migrate to Microsoft’s BitLocker. Conspiracy theories immediately began to swirl around the surprise announcement. PCWorld, May 30, 2014
The Mystery Of The TrueCrypt Encryption Software Shutdown: Developers of the open-source software call it quits, saying software “may contain unfixed security issues.” DarkReading, May 30, 2014
True Goodbye: ‘Using TrueCrypt Is Not Secure’: The anonymous developers responsible for building and maintaining the free whole-disk encryption suite TrueCrypt apparently threw in the towel this week, shuttering the TrueCrypt site and warning users that the product is no longer secure now that Microsoft has ended support for Windows XP. KrebsOnSecurity, May 29, 2014

Cyber Security Management – Cyber Update

APACHE PATCHES DOS, INFORMATION DISCLOSURE BUGS IN TOMCAT: Apache recently patched Tomcat, fixing a trio of information disclosure bugs and a denial of service bug in the open source web server and servlet container. ThreatPost, May 30, 2014

Securing the Village

Richard Clarke calls for Information Security Manifesto during Keynote Address at ISSA-LA Summit VI: Clarke is Chairman & CEO, Good Harbor and former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism for the United States. May 16, 2014.
RETAILERS FORM ISAC TO SHARE THREAT DATA: From the beginning of the cybercrime epidemic, retailers have been among the most frequent targets, and the last year has seen some of the larger compromises in history. The Target data breach is at the top of that list, involving more than 100 million customers, and after years of increasingly serious compromises the retail industry is finally getting together to share information about attacks, threats and vulnerabilities. ThreatPost, May 19, 2014

Financial Cyber Security

Banks Challenged By Cybersecurity Threats, State Regulators Acting: A new report concludes that while financial institutions have taken significant steps to bolster cyber security efforts, they will continue to be challenged by the speed of technological change and the increasingly sophisticated nature of threats. Forbes, May 26, 2014

National Cyber Security

Report: Hackers in Iran use social media to target senior U.S., Israeli officials: Hackers based in Iran used social networks to spy on high-ranking U.S. and Israeli officials, a new report by a cybersecurity firm claims. CNN, May 30, 2014
Daily Report: U.S. Indictments Shed Some Light on China’s Hacker Army: One man accused of being a hacker for the Chinese military, Wang Dong, better known as UglyGorilla, wrote in a social media profile that he did not “have much ambition” but wanted “to wander the world with a sword, an idiot,” Edward Wong reports. The New York Times, May 23, 2014

Critical Infrastructure

Large Electric Utilities Earn High Security Scores: Critical infrastructure is a big target for attack, but new data shows some operators in that industry suffer fewer security incidents than other industries. DarkReading, May 29, 2014

Cyber Law

House Panel Investigating FTC Data Breach Enforcement: IDG News Service (Washington, D.C., Bureau) — A U.S. House of Representatives committee has reportedly launched an investigation into the Federal Trade Commission’s use of information from a peer-to-peer security vendor to bring a data breach complaint against a medical testing laboratory. CIO, May 30, 2014

Cyber Sunshine

Hacker Helped Disrupt 300 Web Attacks, Prosecutors Say: A prominent hacker set to be sentenced in federal court this week for breaking into numerous computer systems worldwide has provided a trove of information to the authorities, allowing them to disrupt at least 300 cyberattacks on targets that included the United States military, Congress, the federal courts, NASA and private companies, according to a newly filed government court document. The New York Times, May 24, 2014

Cyber Misc

Investors Couldn’t Care Less About Data Breaches: On May 21, EBay (EBAY) revealed that it had suffered a cyber attack and data security breach, and users’ information—names, account passwords, e-mail addresses, physical addresses, phone numbers, and birth dates—was exposed to hackers. While security experts, the news media, and actual EBay users may have all been alarmed, the stock investors weren’t. EBay’s stock finished trading virtually unchanged that day, dropping all of 8 pennies to $51.88. Bloomberg, May 23, 2014

Weekend Vulnerability and Patch Report, June 1, 2014

Important Security Updates

Apple iTunes: Apple has released iTunes version 11.2.2 for Windows 8, 7, Vista, and XP SP3 or later. Updates are available through the program or from Apple’s website.
Apple OS X Java: Apple has released an update to Java for OS X 2014-001. Updates are available from Apple’s website. [See Citadel's warning below]
Dropbox: Dropbox has released version 2.8.3 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel's warning below]

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.07
Dropbox 2.8.3 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 29.0.1
Google Chrome 35.0.1916.114
Internet Explorer 11.0.9600.17105
Java SE 7 Update 60 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc. — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7 
Safari 7.0.4 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

D-Link N300 Wireless Router: Secunia reports an unpatched vulnerability in D-Link’s N300 Wireless Router, affecting version 1.14 (HW version Ax) and prior. No official solution is currently available.
Microsoft Windows 8: Secunia reports two unpatched vulnerabilities in Windows 8 and Windows 8.1. No official solution is currently available.
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports that Cisco has released updates for its Cisco Unified Communications Domain Manager (CUCDM), Wide Area Application Services (WAAS), IOS XE, Tidal Enterprise Scheduler, and others. Apply updates.
VMware Multiple Products: Secunia reports that Cisco has released updates for its VMware Workstation, VMware Player, VMware Fusion, and VMware ESXi. Apply updates.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.