Monday, August 18, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of August 18, 2014

Cyber Security News of the Week

From our friends at Citadel Information Group

Cyber Crime

Albertson’s stores hacked for credit card data: Hackers have broken into the credit and debit card payment networks at two of the nation’s most popular supermarket store chains: Albertson’s and SuperValu. CNN, August 15, 2014
THE LIE BEHIND 1.2 BILLION STOLEN PASSWORDS: Or: How Alex Holden Spends Most of the Day Chillaxing on TOR and Lurking Russian Hack Boards. You Are Not Paying Attention, August 8, 2014
Five unanswered questions about massive Russian hacker database: Lots of questions follow Tuesday’s revelation of the amassing of 1.2 billion credentials by Russian hackers. ComputerWorld, August 6, 2014

Cyber Attack

Malware Traffic Spikes Preceded Russian and Israeli Conflicts: Government hackers apparently went to work as Israel and Russia ramped up military action this year. MIT Technology Review, August 8, 2014

Cyber Warning

How Secure is Your Security Badge?: Security conferences are a great place to learn about the latest hacking tricks, tools and exploits, but they also remind us of important stuff that was shown to be hackable in previous years yet never really got fixed. Perhaps the best example of this at last week’s annual DefCon security conference in Las Vegas came from hackers who built on research first released in 2010 to show just how trivial it still is to read, modify and clone most HID cards — the rectangular white plastic “smart” cards that organizations worldwide distribute to employees for security badges. KrebsOnSecurity, August 15, 2014
Stuxnet Exploits Still Alive & Well: Exploits continue abusing a four-year-old bug used in the Stuxnet attack, Kaspersky Lab says. Dark Reading, August 14, 2014
Malware no longer avoiding virtual machines: Symantec finds most malware these days doesn’t quit on VMs, which used to be a tactic to avoid security checks. InfoWorld, August 13, 2014

Financial Cyber Security

Tenn. Firm Sues Bank Over $327K Cyberheist: An industrial maintenance and construction firm in Tennessee that was hit by a $327,000 cyberheist is suing its financial institution to recover the stolen funds, charging the bank with negligence and breach of contract. Court-watchers say the lawsuit — if it proceeds to trial — could make it easier and cheaper for cyberheist victims to recover losses. KrebsOnSecurity, August 13, 2014
Fed Issues New Study of Payments Fraud: Congress, banking regulators and the payments industry have spent the past six months debating the strengths and weaknesses within the payments infrastructure (see Retail Breaches: Congress Wants Answers). BankInfoSecurity, August 11, 2014

Cyber Security Management

Study: CISO leadership capacity undervalued by most C-level execs: A recent poll of C-level executives revealed that most doubt CISOs’ organizational leadership abilities. SCMagazine, August 1, 2014

Cyber Security Management – Cyber Defense

Facebook Malware: Protect Your Profile: Malicious “Color Change” app has resurfaced on Facebook, compromising thousands of profiles. Here’s what to do if you’re infected. Information Week, August 8, 2014
A Two-Step Plan to Stop Hackers: There are a number of ways that consumers could react to the news this week that Russian hackers got their hands on 1.2 billion username and password combinations. The New York Times, August 8, 2014
Citadel Guide: Three Rules for Password Sanity: Let’s start with the obvious. We all hate passwords. Users hate passwords because they are hard to remember and they slow you down, getting in the way of the computing experience. IT staff hate passwords because they’re just one more critical thing that needs to be managed, taking valuable time away from keeping computer systems running and users happy. Citadel Information Group, April 11, 2013

Cyber Security Management – Cyber Update

GOOGLE FIXES 12 VULNERABILITIES IN CHROME 36: Google patched its Chrome browser this week, fixing 12 vulnerabilities, including both a serious information disclosure bug and a use-after-free vulnerability that could let attackers obtain potentially sensitive information and execute arbitrary code. ThreatPost, August 15, 2014
Adobe, Microsoft Push Critical Security Fixes: Adobe and Microsoft today each independently released security updates to fix critical problems with their products. Adobe issued patches for Adobe Reader/Acrobat, Flash Player and AIR, while Microsoft pushed nine security updates to address at least 37 security holes in Windows and related software. KrebsOnSecurity, August 12, 2014

National Cyber Security

Report: NSA eyed preset strikes in cyberattacks: WASHINGTON (AP) — The National Security Agency secretly planned a cyberwarfare program that could automatically fire back at cyberattacks from foreign countries without any human involvement, creating the risk of accidentally starting a war, according to a new report based on interviews with former NSA contractor Edward Snowden. SFGate, August 14, 2014

Critical Infrastructure

Cybersecurity Among Top Energy Industry Concerns: Attacks on an electric facility and increased attention from regulators have fueled concern about safeguarding facilities. US News and World Report, August 12, 2014

Cyber Law

Need Data Breach Statute Compliance? There’s an App for That: Data breaches are the top concern for C-level executives today, and one of the most costly reputational issues their company could face. Recent news of Russian hacker crime rings, and attacks on a variety of organizations (Target, eBay, Michaels, P.F. Changs, etc.) have cyber-thieves targeting more than financial and banking information. Keeping up with the threats is now a priority for many businesses, but doing so is easier said than done. However, there’s an app for that. InfoSecurity Magazine, August 11, 2014


Weekend Vulnerability and Patch Report, August 17, 2014

Important Security Updates

Adobe Flash Player: Adobe has released an update to fix at least 3 highly critical vulnerabilities in Flash Player for Windows and Mac. Updates are available from Adobe’s website.
Adobe Reader: Adobe has released version 11.0.08 to fix at least 11 highly critical vulnerabilities reported in previous versions. Updates are available from Adobe’s website. Updates are also available for Acrobat and AIR.
Apple Safari: Apple has released updates for Safari to fix at least 11 vulnerabilities, some of which are highly critical, reported in previous versions. Update to Safari 6.1.6 and Safari 7.0.6 for OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5 and OS X Mavericks v10.9.4. Updates are available from Apple’s website.
Dropbox: Dropbox has released version 2.10.28 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel's warning below]
Google Chrome: Google has released Google Chrome version 36.0.1985.143 for Windows, Mac, and Linux to fix at least 5 highly critical vulnerabilities reported in previous versions. Updates are available from within the browser or from Google Chrome’s website.
Google Chrome for Android: Google has released Google Chrome for Android version 36.0.1985.135 to fix a moderately critical vulnerability reported in previous versions. Updates are available through the device.
Google Chrome for iOS: Google has released Google Chrome for iOS version 36.0.1985.57 to fix a moderately critical vulnerability reported in previous versions. Updates are available from the Apple App Store or from the device.
Google Picasa: Google has released version 3.9 Build 138.151. Updates are available at the Picasa website.
Microsoft Patch Tuesday: Microsoft’s Patch Tuesday released 9 updates to address at least 37 vulnerabilities, some of which are highly critical, within Windows, Internet Explorer, Office, Windows Media Center, OneNote, SQL Server, SharePoint and other Microsoft products.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.08
Dropbox 2.10.28 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt before they are placed in Dropbox; the encryption passphrase be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords, including the encryption passphrase.]
Firefox 31.0
Google Chrome 36.0.1985.143
Internet Explorer 11.0.9600.17126
Java SE 7 Update 67 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7 [Windows]
Safari 7.0.6 [Mac OS X]
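
The version list above is only useful if it is actually compared against what is installed on a workstation, and that comparison has a common pitfall: version strings must be compared numerically, component by component, not as plain text. The Python below is an added example and not part of Citadel’s report; it takes the report’s Current Software Versions as reference data, compares a constructed sample inventory against them (the inventory values and the product names used as dictionary keys are assumptions for illustration), and reports what is outdated.

```python
import re
from typing import Dict, List, Tuple

# Reference data: "Current Software Versions" from the report above.
CURRENT_VERSIONS: Dict[str, str] = {
    "Adobe Reader": "11.0.08",
    "Dropbox": "2.10.28",
    "Firefox": "31.0",
    "Google Chrome": "36.0.1985.143",
    "Java SE": "7 Update 67",
    "QuickTime": "7.7.5",
}

# Constructed sample inventory of one workstation (an assumption for the
# example, not data from the report).
INSTALLED_SAMPLE: Dict[str, str] = {
    "Adobe Reader": "11.0.08",
    "Dropbox": "2.8.4",
    "Firefox": "30.0",
    "Google Chrome": "36.0.1985.125",
    "Java SE": "7 Update 65",
    "QuickTime": "7.7.5",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a vendor version string into a tuple of integers.

    Every run of digits becomes one component: "11.0.08" -> (11, 0, 8),
    "2.10b02" -> (2, 10, 2), "7 Update 67" -> (7, 67). Trailing zero
    components are dropped so that "31.0" equals "31". Tuples compare
    component by component as numbers; a plain string comparison would
    rank "36.0.1985.57" above "36.0.1985.143" because "5" sorts after "1".
    """
    parts = [int(n) for n in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_outdated(installed: str, current: str) -> bool:
    """True when the installed build is older than the report's current one."""
    return parse_version(installed) < parse_version(current)


def check_inventory(installed: Dict[str, str],
                    current: Dict[str, str] = CURRENT_VERSIONS
                    ) -> List[Tuple[str, str, str]]:
    """Return (product, installed, current) for each installed product
    that is behind the report. Products absent from the inventory are
    treated as not installed and skipped."""
    findings = []
    for product, current_version in current.items():
        have = installed.get(product)
        if have is not None and is_outdated(have, current_version):
            findings.append((product, have, current_version))
    return findings


if __name__ == "__main__":
    for product, have, want in check_inventory(INSTALLED_SAMPLE):
        print(f"{product}: installed {have}, current {want} -> UPDATE")
```

Run against the sample inventory it flags Dropbox, Firefox, Google Chrome and Java SE as outdated and leaves Adobe Reader and QuickTime alone. The digit-run parser is deliberately forgiving so that strings like the D-Link firmware "2.10b02" or Java’s "7 Update 67" compare sensibly; for vendors whose suffixes carry meaning (beta or release-candidate tags), extend the parser rather than trusting a plain string comparison.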

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Apple Safari WebKit: Secunia reports that Apple has released updates for its Safari WebKit to fix at least 7 highly critical vulnerabilities reported in previous versions. Update to version 6.1.6 or 7.0.6.
BlackBerry Multiple Products: Secunia reports that BlackBerry has released updates for its BlackBerry OS, Enterprise Server and Enterprise Service, and others. Apply updates.
Cisco Multiple Products: Secunia reports that Cisco has released updates for its Unified Communications Manager and others. Apply updates.
D-Link Multiple Products: Secunia reports that D-Link has released firmware updates for its DNR-322L and DNR-326 to fix 2 moderately critical vulnerabilities. Update to versions 2.00b07 or 2.10b02.
Novell Open Enterprise Server: Secunia reports that Novell has released updates to fix a moderately critical vulnerability in its Open Enterprise Server. Apply oes11sp2-August-2014-Scheduled-Maintenance-9413.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS X, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update, or patch, to fix the code running on their customers’ computers; the vulnerability stays exploitable on every computer where that patch has not yet been applied.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.