Tuesday, September 02, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of September 1, 2014

Cyber Security News of the Week

From our friends at Citadel Information Group

Cyber Crime

JPMorgan Hackers Came In the Front Door — in June. Two Months of Mayhem: Hackers burrowed into the databanks of JPMorgan Chase & Co. and deftly dodged one of the world’s largest arrays of sophisticated detection systems for months. Bloomberg, August 29, 2014
JPMorgan and Other Banks Struck by Hackers: A number of United States banks, including JPMorgan Chase and at least four others, were struck by hackers in a series of coordinated attacks this month, according to four people briefed on a continuing investigation into the crimes. The New York Times, August 27, 2014
DQ Breach? HQ Says No, But Would it Know?: Sources in the financial industry say they’re seeing signs that Dairy Queen may be the latest retail chain to be victimized by cybercrooks bent on stealing credit and debit card data. Dairy Queen says it has no indication of a card breach at any of its thousands of locations, but the company also acknowledges that nearly all stores are franchises and that there is no established company process or requirement that franchisees communicate security issues or card breaches to Dairy Queen headquarters. KrebsOnSecurity, August 26, 2014

Cyber Attack

FBI-Hunted Hacking Group Continues Attacks, Targets Twitch: Despite tweeting out a bomb threat to ground a Sony executive’s flight this Sunday and landing themselves on the radar of the FBI, hacking group “Lizard Squad” remains unmolested and continues to orchestrate attacks on various gaming services. Forbes, August 27, 2014

Financial Cyber Security

The Cyber-Terror Bank Bailout: They’re Already Talking About It, and You May Be on the Hook: Bankers and U.S. officials have warned that cyber-terrorists will try to wreck the financial system’s computer networks. What they aren’t saying publicly is that taxpayers will probably have to cover much of the damage. Bloomberg, August 30, 2014

Cyber Threat

Backoff Sinkhole Reveals Sorry Point-of-Sale Security: Kaspersky Lab researchers say that a recent analysis of two Backoff malware command and control servers paints “a very bleak picture of the state of point-of-sale security.” ThreatPost, August 29, 2014

Cyber Security Management

People, Process, Technology: How Good Information Security Can Grow Your Business: Companies must strike a balance between being able to share information and protect it, in order to support business growth. BAE Systems’ Malcolm Carrie explains where the answer lies… InfoSecurity Magazine, August 29, 2014
From IT Security to Information Security — How Technology Is Not The Greatest Challenge in Protecting Your Information Online: Michael Rothery, First Assistant Secretary for National Security Resilience Policy at Department of the Attorney General, says that in order to deliver effective security and risk management the key question is “Who owns the risk?” CSO, August 27, 2014

Securing the Village

It Does Matter That The White House Cybersecurity Czar Lacks Technical Chops: Michael Daniel, the White House cybersecurity coordinator or “cyber czar”, made comments recently that being a coder or “being too down in the weeds at the technical level could actually be a little bit of a distraction.” This statement raised concerns in the cybersecurity community. A quick examination of his background elevated those concerns. Mr. Daniel has never been involved with cybersecurity before; he has a strong background in policy and budgeting but nothing in even the basics of cybersecurity. This seems to be a problem just for the government cybersecurity community, but it has farther reaching impacts. Forbes, August 25, 2014

Critical Infrastructure

Green Lights Forever: Analyzing the Security of Traffic Infrastructure: The safety critical nature of traffic infrastructure requires that it be secure against computer-based attacks, but this is not always the case. We investigate a networked traffic signal system currently deployed in the United States and discover a number of security flaws that exist due to systemic failures by the designers. USENIX Workshop on Offensive Technologies, August 2014

Weekend Vulnerability and Patch Report, August 31, 2014

Important Security Updates

AVG Free Edition: AVG has released version 2014.0.4765 of its 32 bit Free Edition. Updates are available on AVG’s website.
Evernote: Evernote has released version Updates are available on Evernote’s website.
Google Chrome: Google has released Google Chrome version 37.0.2062.102 for Windows, Mac, and Linux to fix at least 10 highly critical vulnerabilities reported in previous versions. Updates are available from within the browser or from Google Chrome’s website.
Lavasoft Ad_Aware Free Edition: Lavasoft has released version 11.3.6321.0 of its free Ad_Aware edition. Updates are available on Lavasoft’s website.
Mozy Free Edition: Mozy has released version 2.26.7. Updates are available on Mozy’s website.
Piriform CCleaner: Piriform has released version 4.17.4808 for CCleaner. Updates are available from Piriform’s website.
TechSmith Corporation SnagIt: TechSmith has released version for SnagIt. Updates are available from TechSmith’s website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.08
Dropbox 2.10.28 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like AxCrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 31.0
Google Chrome 36.0.1985.143
Internet Explorer 11.0.9600.17126
Java SE 7 Update 67 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7 
Safari 7.0.4 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports several unpatched vulnerabilities, some of which are moderately critical, for IOS XR, Quantum Policy Suite, Transport Gateway for Smart Call Home and others. No official solution is currently available.
Citrix CloudPlatform: Secunia reports Citrix has released updates for CloudPlatform to fix a moderately critical vulnerability reported in versions prior to and 3.0.7 Patch D. Update to a fixed version.
Novell File Reporter: Secunia reports Novell has released updates for File Reporter to fix 5 moderately critical vulnerabilities reported in previous versions. Update to version
Novell Kanaka for Mac: Secunia reports Novell has released updates for Kanaka for Mac to fix 5 moderately critical vulnerabilities reported in previous versions. Update to versions or
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.

SecurityRecruiter.com's Security Recruiter Blog