Monday, July 14, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of July 14, 2014

Cyber Security News of the Week


From our friends at Citadel Information Group

Cyber Crime

BitBeat: Phishing Scam Tries to Lure In Bitcoin Bidders: A scam artist tried to swindle a group of potential bidders in the June auction of 30,000 bitcoins by the U.S. Marshals Service, and appears to have scored a small win with at least one of them. The Wall Street Journal, July 3, 2014

Cyber Privacy

Controversial Cybersecurity Bill Known As CISA Advances Out Of Senate Committee: The Senate Select Committee on Intelligence voted Tuesday to approve a controversial cybersecurity bill known as the Cyber Information Sharing Act (CISA). The bill is intended to help companies and the government thwart hackers and other cyber-intrusions. The bill passed by a 12-3 vote, moving it one step closer to a floor debate. Forbes, July 9, 2014

Financial Cyber Security

Why Information Sharing Isn’t Working: Tim Pawlenty, CEO of the Financial Services Roundtable, says the only way to ensure adequate cyberthreat information sharing is through federal legislation that would furnish liability protection and other incentives. BankInfoSecurity, June 25, 2014
FFIEC Launches Cybersecurity Web Page, Promotes Awareness of Cybersecurity Activities: WASHINGTON – The Federal Financial Institutions Examination Council (FFIEC) today launched a Web page on cybersecurity. The Web page is a central repository for current and future FFIEC-related materials on cybersecurity. FFIEC, June 24, 2014

Cyber Warning

Crooks Seek Revival of ‘Gameover Zeus’ Botnet: Cybercrooks today began taking steps to resurrect the Gameover ZeuS botnet, a complex crime machine that has been blamed for the theft of more than $100 million from banks, businesses and consumers worldwide. The revival attempt comes roughly five weeks after the FBI joined several nations, researchers and security firms in a global and thus far successful effort to eradicate it. KrebsOnSecurity, July 10, 2014
Hard-Coded Password Vulnerability Plagues Some Netgear Switches: A vulnerability in Netgear-branded ethernet switches could give an attacker full access to the hardware, including the ability to log into the device and execute arbitrary code. ThreatPost, July 7, 2014
The Rise of Thin, Mini and Insert Skimmers: Like most electronic gadgets these days, ATM skimmers are getting smaller and thinner, with extended battery life. Here’s a look at several miniaturized fraud devices that were pulled from compromised cash machines at various ATMs in Europe so far this year. KrebsOnSecurity, July 7, 2014
Funeral Announcement: Origins: In January 2014, Internet users began receiving e-mails from various funeral homes with attention-getting subject lines such as “Passing of your friend,” messages that informed recipients a “dear friend” had passed away and invited them to attend that person’s upcoming funeral or memorial service. The messages provided a hyperlink (on the word “here”) for readers to click in order to obtain detailed information about the date and location of the service. Snopes, January 24, 2014

Cyber Security Management

Strategic Security: Begin With The End In Mind: The trouble with traditional infosec methodology is that it doesn’t show us how to implement a strategic security plan in the real world. DarkReading, July 11, 2014
The CISO-centric Information Security Triad: What is the information security triad? Just about everyone knows the answer to this question is CIA – Confidentiality, Integrity, and Availability. Security professionals, service providers, and technology vendors are responsible for these three infosec pillars in one way or another. NetworkWorld, July 10, 2014
Managing Cyber Risk: Job #1 for Directors and General Counsel: Each year, FTI Consulting and NYSE Governance Services survey public company directors and general counsel about the legal and governance issues that concern them the most. FTI Journal, July 2014
Rogers: Cybersecurity is the ‘ultimate team sport’: Thank you very much for taking the time from your very busy days to focus on a topic that I think is of critical importance to us as a nation: this idea of how do we maintain security in a cyber arena in a world where cyber continues to grow in importance and, at the same time, the level of vulnerability that is present within our cyber systems has probably never been greater. So that’s quite a challenge for anybody. Federal Times, July 8, 2014
Ponemon: Data Breach Costs Rising: On the day Target’s CEO resigned in the aftermath of a massive data breach, the Ponemon Institute issued its 2014 Cost of Data Breach Study, which Chairman Larry Ponemon says helps explain why CEOs should be more involved in breach preparedness and response. BankInfoSecurity, May 5, 2014

Cyber Security Management – Cyber Defense

Black Hat USA 2014: Third-Party Vulns Spread Like Diseases: Understanding the impact of vulnerabilities in libraries and other components. DarkReading, July 7, 2014

Cyber Security Management – Cyber Update

Apple Updates OSX Blacklist Following Flash Vulnerability: Apple acknowledged on Thursday that it has updated its OSX plugin blacklist to reflect a critical vulnerability in Adobe Flash made public earlier this week. ThreatPost, July 11, 2014
Microsoft, Adobe Push Critical Fixes: If you use Microsoft products or Adobe Flash Player, please take a moment to read this post and update your software. Adobe today issued a critical update that plugs at least three security holes in the program. Separately, Microsoft released six security updates that address 29 vulnerabilities in Windows and Internet Explorer. KrebsOnSecurity, July 8, 2014

Cyber Underworld

The Hazards Of Probing The Internet’s Dark Side: Late last year, hackers breached Target’s data security and stole information from millions of credit cards. Brian Krebs, who writes about cybercrime and computer security for his blog, Krebs on Security, broke the story. A few days later, he broke the story of a credit card breach at Neiman Marcus. NPR, July 8, 2014

Cyber Espionage

Chinese Hackers Pursue Key Data on U.S. Workers: WASHINGTON — Chinese hackers in March broke into the computer networks of the United States government agency that houses the personal information of all federal employees, according to senior American officials. They appeared to be targeting the files on tens of thousands of employees who have applied for top-secret security clearances. The New York Times, July 9, 2014
Chinese Attackers Targeting U.S. Think Tanks, Researchers Say: Government-backed group “Deep Panda” compromised “several” nonprofit national security policy research organizations, CrowdStrike says. DarkReading, July 7, 2014

Critical Infrastructure

Study: Most Critical Infrastructure Firms Have Been Breached: A new Ponemon Institute study finds 70% of critical infrastructure companies have been hit by security breaches in the last year, but cyber security programs are still a low priority. DarkReading, July 10, 2014

Cyber Misc

Scammers, hackers and spies hit campaign trail: Political campaigns are hotbeds of criminal activity and mischief — just not in the way you think. Politico, July 7, 2014

Cyber Sunshine

Global Law Enforcement, Security Firms Team Up, Take Down Shylock: A la GOZeuS, an international, public-private collaboration seizes a banking Trojan’s command and control servers. DarkReading, July 10, 2014
Feds Charge Carding Kingpin in Retail Hacks: The U.S. Justice Department on Monday announced the arrest of a Russian hacker accused of running a network of online crime shops that sold credit and debit card data stolen in breaches at restaurants and retailers throughout the United States. KrebsOnSecurity, July 8, 2014

Cyber Calendar

ISSA-LA July Lunch Meeting: Attack Trends, the Need for Intelligence Integration and a Prevent-Based Security Posture: This presentation will review recent trends associated with malware, advanced threats and risky applications. It will also highlight security administrator views toward their ability to identify, analyze and prevent security breaches. The data points associated with these findings identify a clear need for information security intelligence that is rich in content and also actionable. Security administrators must be able to integrate intelligence into their security controls in near real-time to prevent evolving attacks. The session will also raise the need for security practitioners to consider switching their security postures from detect to prevent. ISSA-LA, Event Date: July 16, 2014

Weekend Vulnerability and Patch Report, July 13, 2014

Important Security Updates

Adobe Flash Player: Adobe has released version to fix at least 3 moderately critical vulnerabilities in its Flash Player for the Windows and Mac versions. Updates are available from Adobe’s website. Updates are also available for Adobe AIR.
Apple iTunes: Apple has released version 11.3 of iTunes for Windows (32-bit). Updates are available from Apple’s website.
Avira Antivirus: Avira has released version of its free Antivirus. Updates are available from Avira’s website.
Malwarebytes Anti-Exploit: Malwarebytes has released version of its free Malwarebytes Anti-Exploit. Updates are available from Malwarebytes’ website.
Microsoft Patch Tuesday: Microsoft released several updates addressing at least 29 security vulnerabilities, some of which are highly critical, in Windows, Office, Internet Explorer, and more. This release of updates specifically fixes at least 24 highly critical vulnerabilities in Internet Explorer. Updates are available via Windows Update or from Automatic Update.
Skype: Skype has released Skype Updates are available from the program or Skype’s website.
TechSmith Corporation SnagIt: TechSmith has released version for SnagIt. Updates are available from TechSmith’s website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.07
Dropbox 2.8.4 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 30
Google Chrome 35.0.1916.153
Internet Explorer 11.0.9600.17126
Java SE 7 Update 60 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7 
Safari 7.0.4 [Mac OS X]
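The version list above is only useful if you actually compare it against what is installed, and a common mistake is to compare version strings lexically, which ranks Internet Explorer build "11.0.9600.9" above "11.0.9600.17126". The following is an added example, not part of Citadel's report: it takes the versions the report lists as a baseline, compares them numerically against a constructed sample inventory (not real data), and flags anything behind the baseline. Products listed above without a version number are left out of the baseline.

```python
"""Check an endpoint's installed software against a patch-report baseline.

Added example. BASELINE is copied from the "Current Software Versions" list
above; INSTALLED is a constructed sample inventory, not data from any real host.
"""
from typing import Dict, List, Tuple

# Versions the report lists as current (entries without a version are omitted).
BASELINE: Dict[str, str] = {
    "Adobe Reader": "11.0.07",
    "Dropbox": "2.8.4",
    "Firefox": "30",
    "Google Chrome": "35.0.1916.153",
    "Internet Explorer": "11.0.9600.17126",
    "QuickTime": "7.7.5",
    "Safari": "7.0.4",
}

# Constructed sample inventory: what an endpoint might report about itself.
INSTALLED: Dict[str, str] = {
    "Adobe Reader": "11.0.07",
    "Dropbox": "2.8.2",
    "Firefox": "29.0.1",
    "Google Chrome": "35.0.1916.153",
    "Internet Explorer": "11.0.9600.9",  # lexically "greater" than the baseline, numerically older
    "QuickTime": "7.7.5",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints.

    Each component keeps only its leading digits ("07" -> 7); parsing stops at
    the first component with no digits. Trailing zeros are dropped so that
    "30" and "30.0" compare equal.
    """
    parts: List[int] = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b."""
    ta, tb = parse_version(a), parse_version(b)
    return (ta > tb) - (ta < tb)


def patch_status(installed: Dict[str, str], baseline: Dict[str, str]) -> Dict[str, str]:
    """Classify every baseline product as current, outdated, newer or not installed."""
    status: Dict[str, str] = {}
    for product, current in baseline.items():
        have = installed.get(product)
        if have is None:
            status[product] = "not installed"
            continue
        cmp = compare_versions(have, current)
        status[product] = "current" if cmp == 0 else ("outdated" if cmp < 0 else "newer")
    return status


def outdated_products(installed: Dict[str, str], baseline: Dict[str, str]) -> List[str]:
    """Names of installed products that are behind the baseline, sorted."""
    return sorted(p for p, s in patch_status(installed, baseline).items() if s == "outdated")


if __name__ == "__main__":
    for product, state in sorted(patch_status(INSTALLED, BASELINE).items()):
        print(f"{product:20} {INSTALLED.get(product, '-'):18} {state}")
```

Feeding the script a real inventory (for example, the output of a software-inventory tool exported as name/version pairs) is the only change needed to use it as a weekly check; the point of the example is that the comparison must be numeric per component, or the build-number case above silently passes.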

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco IOS XR: Secunia reports that Cisco has released updates for its IOS XR to fix a vulnerability. Update to version or
Novell iManager: Secunia reports that Novell has released updates for its iManager to fix reported vulnerabilities in previous versions.

If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.