Monday, August 25, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of August 25, 2014

Cyber Security News of the Week

From our friends at Citadel Information Group

Cyber Crime

Hackers Compromise 51 UPS Stores Across the United States: A gang of cybercriminals from Eastern Europe, which is believed to be behind this year’s high-profile breaches of Target, P.F. Chang’s, Neiman Marcus and other retailers, has also compromised 51 UPS Stores across the United States. Mashable, August 21, 2014
Chinese Hackers Hit Community Health System: Hackers who broke into network hospital group Community Health Systems stole non-medical customer data including credit cards, says new report. InformationWeek, August 18, 2014
Community Health says data stolen in cyber attack from China: (Reuters) – Community Health Systems Inc (CYH.N), one of the biggest U.S. hospital groups, said on Monday it was the victim of a cyber attack from China, resulting in the theft of Social Security numbers and other personal data belonging to 4.5 million patients. Reuters, August 18, 2014
Hacked: Data breach in Star, Shaw and Jewel-Osco Stores: A massive data breach has been suffered by Jewel-Osco through which information of millions of customers may have been exposed. Wall Street OTC, August 17, 2014
Why So Many Card Breaches? A Q&A: The news wires today are buzzing with stories about another potentially major credit/debit card breach at yet another retail chain: This time, the apparent victim is AB Acquisition, which operates Albertsons stores under a number of brands, including ACME Markets, Jewel-Osco, Shaw’s and Star Markets. Today’s post includes no special insight into this particular retail breach, but rather seeks to offer answers to some common questions regarding why we keep hearing about them. KrebsOnSecurity, August 15, 2014

Cyber Privacy

As governments invade privacy, tools for encryption grow more popular: In the wake of Edward Snowden’s revelations about the NSA collecting massive amounts of user meta-data, many people went in search of safer, more secure ways to use the internet anonymously. Once thought to be something only used by the tech-savvy, increased interest in end-to-end e-mail encryption has prompted both Google and Yahoo to develop user-friendly versions of the protocol that would, in theory, make personal messages exceedingly difficult to intercept. PBS, August 22, 2014
New Search Engine Promises to Keep Your Data Private: Privacy-minded Internet users gained a new search option Tuesday with the debut of US News and World Report, August 19, 2014
The Internet’s Original Sin: It’s not too late to ditch the ad-based business model and build a better web. The Atlantic, August 14, 2014
Foursquare Now Tracks Users Even When the App Is Closed: Hiding in Foursquare’s revamped mobile app is a feature some users might find creepy: It tracks your every movement, even when the app is closed. The Wall Street Journal, August 6, 2014
The Internet With a Human Face: Marc emailed me a few weeks ago to ask if I thought my talk would be appropriate to close the conference. “Marc,” I told him, “my talk is perfect for closing the conference! The first half is this incredibly dark rant about how the Internet is alienating and inhuman, how it’s turning us all into lonely monsters.” Maciej Cegłowski Lecture, May 2014

Financial Cyber Security

CRIDEX MALWARE TAKES LESSON FROM GAMEOVER ZEUS: The GameOver Zeus malware had a nice run for itself, making untold millions of dollars for its creators. But it was a run that ended with a multi-continent operation from law enforcement and security researchers to disassemble the infrastructure. Now researchers have identified a new variant of the Cridex malware that has adopted some of the techniques that made GOZ so successful in its day. ThreatPost, August 22, 2014

Cyber Threat

How Hackers Could Mess With 911 Systems and Put You at Risk: The female caller was frantic. Why, she asked 911 dispatchers, hadn’t paramedics arrived to her home? She’d already called once to say her husband was writhing on the floor in pain. “Hurry up!,” she’d pleaded, as she gave the operator her address. And then she hung up and waited for help to arrive, but it never did. By the time she called back, her husband had turned blue. “He’s dying!” she cried helplessly into the phone. Wired, August 21, 2014

Cyber Warning

US warns ‘significant number’ of major businesses hit by Backoff malware: Over a thousand major enterprise networks and small and medium businesses in the U.S. have been compromised by a recently discovered malware package called “Backoff” and are probably unaware of it, the U.S. Department of Homeland Security (DHS) said in a cybersecurity alert on Friday. PCWorld, August 22, 2014
JPMorgan Chase customers targeted in massive phishing campaign: Customers of JPMorgan Chase are the target of a massive multifaceted phishing campaign impacting mostly people in the U.S., according to security firm Proofpoint. SC Magazine, August 22, 2014
FBI warns healthcare firms they are targeted by hackers: (Reuters) – The FBI has warned that healthcare industry companies are being targeted by hackers, publicizing the issue following an attack on U.S. hospital group Community Health Systems Inc that resulted in the theft of millions of patient records. Reuters, August 20, 2014

Cyber Security Management

BlackHat 2014: Businesses Look to NIST Risk Management Framework in Bid to Improve Security Posture: The recently released Risk Management Framework from the National Institute for Standards and Technology outlines what organizations need to do to improve their information security posture against serious attacks. The roundtable discussion at Black Hat last week focused on the Framework’s elements, what some of the issues are, and how organizations can apply these guidelines to protect their networks and data. InfoSecurity, August 13, 2014
5 Ways Boards Could Tackle Cybersecurity: A new handbook from National Association of Corporate Directors, titled Cyber-Risk Oversight, offers five principles to guide boards of directors in helping their organizations address IT security threats. HealthCare Info Security, July 29, 2014
The 5 Biggest Cybersecurity Myths, Debunked: “A domain for the nerds.” That is how the Internet used to be viewed back in the early 1990s, until all the rest of us began to use and depend on it. But this quote is from a White House official earlier this year describing how cybersecurity is too often viewed today. And therein lies the problem, and the needed solution. Wired, July 2, 2014

Securing the Village

How to Save the Net: A CDC for Cybercrime: The Internet may be made up of software and hardware, but it is an ecosystem that depends on a key human value: trust. The networks and systems must be able to trust the information we are sending, and in turn we have to be able to trust the information we receive. Wired, August 19, 2014

Critical Infrastructure

Infographic: 70 Percent of World’s Critical Utilities Breached: New research from Unisys and Ponemon Institute finds alarming security gaps in worldwide ICS and SCADA systems within the last 12 months. DarkReading, August 15, 2014

Cyber Research

Technology Can Make Lawful Surveillance Both Open and Effective: With cryptography, surveillance processes could be open and preserve privacy without undermining their investigative power. MIT Technology Review, August 18, 2014

Cyber Misc

Worldwide Spending On Information Security To Surpass $70B By End Of 2014: Report: Worldwide spending on information security is estimated to reach $71.1 billion in 2014, representing an increase of 7.9 percent over 2013, as organizations adapt to the growing threat of cyber crime, according to a new report from Gartner. International Business Times, August 22, 2014
If a Self-Driving Car Gets in an Accident, Who—or What—Is Liable?: On first contact with the idea that robots should be extended legal personhood, it sounds crazy. The Atlantic, August 13, 2014

Weekend Vulnerability and Patch Report, August 24, 2014

Important Security Updates

AVG Free Edition: AVG has released version 2014.0.4745 of its 32 bit Free Edition. Updates are available on AVG’s website.
Avira Antivirus: Avira has released version of its free Antivirus. Updates are available from Avira’s website.
Foxit Reader: Foxit has released version of its Reader. Updates are available through the program or from Foxit’s website.
Opera: Opera has released version 23.0.1522.77 to fix moderately critical vulnerabilities. Updates are available from within the browser or from Opera’s website.
Siber Systems RoboForm: Siber Systems has released version 7.9.9 of RoboForm. Updates are available from within the program (look for the “Check New Version” button on the Options menu) or as a download from the RoboForm website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.08
Dropbox 2.10.28 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 31.0
Google Chrome 36.0.1985.143
Internet Explorer 11.0.9600.17126
Java SE 7 Update 67 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7 
Safari 7.0.4 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Packet Data Network Gateway: Secunia reports that Cisco has released updates for its Packet Data Network Gateway (PGW). Apply updates.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.