Monday, August 04, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of August 4, 2014

Cyber Security News of the Week

From our friends at Citadel Information Group

Cyber Crime

Sandwich Chain Jimmy John’s Investigating Breach Claims: Sources at a growing number of financial institutions in the United States say they are tracking a pattern of fraud that indicates nationwide sandwich chain Jimmy John’s may be the latest retailer dealing with a breach involving customer credit card data. The company says it is working with authorities on an investigation. KrebsOnSecurity, July 31, 2014
Hackers stealing more sexual photos for extortion: The e-mail terrified the young mother. “What if I told you I had pics of you?” the writer asked. “Like a lot. Would you send me more?” SFGate, July 27, 2014
‘The Expendables 3’ Pirated by Hackers Three Weeks Before its Release: The action movie The Expendables 3, which officially premieres on August 15, has been pirated by hackers three weeks before its release. The film somehow leaked online and it has been downloaded over 189,000 times in just 24 hours through piracy websites. The lead cast members of the film include Wesley Snipes, Mel Gibson, Sylvester Stallone, Kelsey Grammer, Ronda Rousey, Jet Li, Jason Statham, Arnold Schwarzenegger, Antonio Banderas, Dolph Lundgren and Harrison Ford. Liberty Voice, July 26, 2014

Cyber Privacy

How to Invent a Person Online: On April 8, 2013, I received an envelope in the mail from a nonexistent return address in Toledo, Ohio. Inside was a blank thank-you note and an Ohio state driver’s license. The ID belonged to a 28-year-old man called Aaron Brown—6 feet tall and 160 pounds with a round face, scruffy brown hair, a thin beard, and green eyes. His most defining feature, however, was that he didn’t exist. TheAtlantic, July 23, 2014
3 Projects Prove Privacy Is Not Dead: Web and mobile phone users willingly share personal data in exchange for free stuff, but not everyone is ready to throw in the towel on privacy. Scientific American, July 22, 2014

Financial Cyber Security

Source code for tiny ‘Tinba’ banking malware leaked: The source code for an impressively small but capable malware program that targets online bank accounts has been leaked, according to CSIS Security Group of Denmark. PC World, July 10, 2014

Cyber Warning

Every USB Device Under Threat. New Hack Is Undetectable And Unfixable: It is well known that USB drives can be dangerous. Companies run strict screening policies and it has long been known that running unknown ‘exe’ files is a bad idea. But what if the threat was undetectable, unfixable and could be planted into any USB device be it a USB drive, keyboard, mouse, web camera, printer, even smartphone or tablet? Well this nightmare scenario just became reality. Forbes, August 1, 2014
Checking In From Home Leaves Entry for Hackers: SAN FRANCISCO — The same tools that help millions of Americans work from home are being exploited by cybercriminals to break into the computer networks of retailers like Target and Neiman Marcus. The New York Times, July 31, 2014
Zero-day flaws found in Symantec’s Endpoint Protection: Symantec’s Endpoint Protection product has three zero-day flaws that could allow a logged-in user to move to a higher access level on a computer, according to a penetration testing and training company. PCWorld, July 29, 2014
Critical Android vulnerability lets malware compromise most devices and apps: The majority of Android devices currently in use contain a vulnerability that allows malware to completely hijack installed apps and their data or even the entire device. PCWorld, July 29, 2014
The Internet of Things Is the Hackers’ New Playground: Excited about the promise of the shiny new Internet of Things? Good. Because hackers are too. Or at least they should be, according to a study by computing giant Hewlett-Packard. Recode, July 29, 2014

Cyber Security Management

Board interest in information security principles growing: Corporate boards have increased their awareness of security issues, but experts say they still lack information security principles. SearchSecurity, July 29, 2014
Five Tips for Preventing Cyber-Security Breaches: Before looking at vendor solutions to protecting data, CFOs need to put some thought into which information to safeguard. CFO, July 28, 2014
Cyber-Risk Oversight Handbook: Leading companies view cyber risks in the same way they do other critical risks—in terms of a risk-reward trade-off. This is especially challenging in the cyber arena for two reasons. First, the complexity of cyber threats has grown dramatically. Corporations now face increasingly sophisticated events that outstrip traditional defenses. As the complexity of these attacks increases, so does the risk they pose to corporations. As noted above, the potential effects of a data breach are expanding well beyond information loss to include significant damage in other areas. Second, competitive pressures to deploy increasingly cost-effective business technologies often affect resource investment calculations. These two competing pressures on corporate staff and business leaders mean that conscientious and comprehensive oversight at the board level is essential. NACD, June 10, 2014
The Many Lives of PII: How many definitions could there be for one short phrase? I am not talking about Pi, the mathematical term and lead character in Yann Martel’s imaginative novel (which Ang Lee made into a movie), but “PII,” an acronym for the legal concept of “personally identifiable information.”, 2014

Cyber Security Management – Cyber Defense

‘Backoff’ Malware: Time To Step Up Remote Access Security: DHS issues advisory about remote desktop access tools associated with recent point-of-sale breaches. DarkReading, August 1, 2014

Cyber Espionage

Canada: Chinese Hackers Infiltrated Government Org: Chinese hackers infiltrated the computer systems of Canada’s top research and development organization, the Canadian government said Tuesday. ABC News, July 29, 2014

Cyber Law

Massachusetts Continues Aggressive Information Security Enforcement Agenda: On July 23, 2014, the Massachusetts Attorney General announced a consent judgment with Women & Infant’s Hospital of Rhode Island (“WIH”) to resolve allegations that it violated federal and state information security laws when it lost backup tapes. The backup tapes, allegedly containing sensitive personal information and protected health information of 12,127 Massachusetts residents, were not encrypted. As a result of the consent judgment, WIH will pay a civil penalty of $110,000, attorney fees of $25,000, and contribute $15,000 to funds organized by the Attorney General to support data security enforcement actions and education on the protection of sensitive personal information. Information Lawgroup, July 25, 2014
SECURITY BREACH NOTIFICATION CHART: Perkins Coie’s Privacy & Security practice maintains a comprehensive chart that summarizes state laws regarding security breach notification. The chart is for informational purposes only and is intended as an aid in understanding each state’s sometimes unique security breach notification requirements. Lawyers, compliance professionals, and business owners have told us that the chart has been helpful when preparing for and responding to data breaches. Perkins Coie, June 2014

Cyber Misc

Service Drains Competitors’ Online Ad Budget: The longer one lurks in the Internet underground, the more difficult it becomes to ignore the harsh reality that for nearly every legitimate online business there is a cybercrime-oriented anti-business. Case in point: Today’s post looks at a popular service that helps crooked online marketers exhaust the Google AdWords budgets of their competitors. KrebsOnSecurity, July 25, 2014


Weekend Vulnerability and Patch Report, August 3, 2014

Important Security Updates

Apple MacBook Air: Apple has released firmware update 2.9.1 for its MacBook Air. The update is available from Apple’s website.
Avira Antivirus: Avira has released version of its free Antivirus. Updates are available from Avira’s website.
Check Point Technologies Zone Alarm: Check Point has released version of the Free version of Zone Alarm. Updates are available from Check Point’s website.
Skype: Skype has released Skype Updates are available from the program or Skype’s website.
VLC Media Player: VLC has released version 2.1.5 (32-bit) of its Media Player. Download from the VLC website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.07
Dropbox 2.10.3 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 31.0
Google Chrome 36.0.1985.125
Internet Explorer 11.0.9600.17126
Java SE 7 Update 65 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7 
Safari 7.0.4 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

Apple QuickTime: Secunia reports an unpatched moderately critical vulnerability in version 7.7.4 of Apple’s QuickTime. No official solution is currently available.
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports that Cisco has released updates for its Unified Customer Voice Portal (CVP), Cisco Unified Communications Manager IM and Presence Service, and others. Apply updates. Secunia reports that Cisco has released a partial fix for its Prime Data Center Network Manager to fix a vulnerability reported in versions 6.3(0.9) and 6.2(1) running on Cisco MDS 9500 Series. Upgrade to a fixed version. Secunia reports unpatched vulnerabilities in WebEx Meetings Server versions 1.5,, and . No official solution is available.
Novell eDirectory: Secunia reports that Novell has released an update for its eDirectory to fix a security issue. Apply 8.8 SP8 Patch 2 Hotfix 1.

If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.

Jeff Snyder’s Security Recruiter Blog, 719.686.8810