Monday, July 28, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of July 28, 2014


Cyber Security News of the Week

 From our friends at Citadel Information Group

Cyber Crime

Hackers steal user data from the European Central Bank website, ask for money: Hackers have stolen user contact information, including email addresses and phone numbers, from the website of the European Central Bank and attempted to extort money from the institution. PCWorld, July 24, 2014
Feds: Hackers Ran Concert Ticket Racket: A Russian man detained in Spain is facing extradition to the United States on charges of running an international cyber crime ring that allegedly stole more than $10 million in electronic tickets from e-tickets vendor StubHub. KrebsOnSecurity, July 23, 2014
Banks: Card Breach at Goodwill Industries: Heads up, bargain shoppers: Financial institutions across the country report that they are tracking what appears to be a series of credit card breaches involving Goodwill locations nationwide. For its part, Goodwill Industries International Inc. says it is working with the U.S. Secret Service on an investigation into these reports. KrebsOnSecurity, July 21, 2014

Financial Cyber Security

Hackers Find Way to Outwit Tough Security at Banking Sites: Researchers at the computer security company Trend Micro have named a new attack on online banking Emmental. Why? Like the Swiss cheese, the researchers said, online banking protections may be “full of holes.” The New York Times, July 22, 2014

Cyber Warning

50,000 sites hacked through WordPress plug-in vulnerability: A critical vulnerability found recently in a popular newsletter plug-in for WordPress is actively being targeted by hackers and was used to compromise an estimated 50,000 sites so far. PCWorld, July 24, 2014
Nigerian 419 Scammers Evolving Into Malware Pushers (But Not Very Good Ones): “Silver Spaniel” attacks use commodity malware to damage others’ security, but they aren’t very good at protecting their own. DarkReading, July 22, 2014
Forensic scientist identifies suspicious ‘back doors’ running on every iOS device: Forensic scientist and author Jonathan Zdziarski has posted the slides (PDF) from his talk at the Hackers On Planet Earth (HOPE/X) conference in New York called Identifying Backdoors, Attack Points, and Surveillance Mechanisms in iOS Devices. ZDNet, July 21, 2014

Cyber Security Management – Cyber Update

FIREFOX 31 PATCHES 11 SECURITY FLAWS: Mozilla has released a new version of Firefox, which includes patches for 11 security vulnerabilities. Three of the bugs fixed in Firefox 31 are critical, including a use-after-free vulnerability and a handful of memory safety issues. ThreatPost, July 23, 2014

Cyber Underworld

Even Script Kids Have a Right to Be Forgotten: Indexeus, a new search engine that indexes user account information acquired from more than 100 recent data breaches, has caught many in the hacker underground off-guard. That’s because the breached databases crawled by this search engine are mostly sites frequented by young ne’er-do-wells who are just getting their feet wet in the cybercrime business. KrebsOnSecuriy, July 18, 2014

Cyber Research

How Hackers Hid a Money-Mining Botnet in the Clouds of Amazon and Others: Hackers have long used malware to enslave armies of unwitting PCs, but security researchers Rob Ragan and Oscar Salazar had a different thought: Why steal computing resources from innocent victims when there’s so much free processing power out there for the taking? Wired, July 24, 2014
7 Black Hat Sessions Sure To Cause A Stir: At Black Hat, researchers will point out the weaknesses in everything from the satellites in outer space to the thermostat in your home. DarkReading, July 22, 2014

share on TwitterLike Weekend Vulnerability and Patch Report, July 27, 2014 on Facebook

Weekend Vulnerability and Patch Report, July 27, 2014

Important Security Updates

Dropbox: Dropbox has released version 2.10.3 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel's warning below]
Mozilla Firefox: Mozilla has released version 31 to fix at least 11 highly critical unpatched vulnerabilities. Updates are available within the browser or from Mozilla’s website.
Opera: Opera has released version 23.0.1522.60 to fix moderately critical vulnerabilities. Updates are available from within the browser or from Opera’s website.
Piriform CCleaner: Piriform has released version 4.16.4736 for CCleaner. Updates are available from Piriform’s website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.07
Dropbox 2.10.3 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 31.0
Google Chrome 36.0.1985.125
Internet Explorer 11.0.9600.17126
Java SE 7 Update 65 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7 
Safari 7.0.4 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports that Cisco has released updates for its Unified Attendant Console, Unified Attendant Console Advanced, Unified Communications Manager, Desktop Collaboration Experience DX650, Expressway Series and TelePresence Video Communication Server, Prime Data Center Network Manager, and others. Apply updates.

If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.'s Security Recruiter Blog