Monday, September 15, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of September 15, 2014



Cyber Security News of the Week


From our friends at Citadel Information Group

Cyber Crime

Home Depot Malware Hints at Different Hackers Than Target’s: Home Depot (HD) was hacked with a malicious software program that plunders store registers while disguising itself as antivirus software, according to two security researchers. Bloomberg BusinessWeek, September 11, 2014
Home Depot Data Breach Could Be the Largest Yet: Home Depot confirmed on Monday that hackers had broken into its in-store payments systems, in what could be the largest known breach of a retail company’s computer network. The New York Times, September 8, 2014
Home Depot Hit By Same Malware as Target: The apparent credit and debit card breach uncovered last week at Home Depot was aided in part by a new variant of the malicious software program that stole card account data from cash registers at Target last December, according to sources close to the investigation. KrebsOnSecurity, September 7, 2014
Hacked Is The New Black For Retailers. Here’s What You Need To Know: It has not been a pretty week for Home Depot. Last Tuesday security researcher Brian Krebs reported that there were signs of a massive breach at the retailer and then later, that the breach looked to be especially large, impacting just about all of the retailer’s stores across the country. Forbes, September 7, 2014

Cyber Privacy

Government’s Threat of Daily Fine for Yahoo Shows Aggressive Push for Data: The federal government was so determined to collect the Internet communications of foreign Yahoo customers in 2008 that it threatened the company with fines of $250,000 a day if it did not immediately comply with a secret court order to turn over the data. The New York Times, September 11, 2014
With Apple Pay and Smartwatch, a Privacy Challenge: No one has considered Apple a serious data company, until now. The New York Times, September 10, 2014
Facebook Generation Rekindles Expectation of Privacy Online: Mark Zuckerberg said in 2010 that privacy was no longer a “social norm.” But four years later, the pendulum might be ready to swing the other way. The New York Times, September 7, 2014

Financial Cyber Security

In Wake of Confirmed Breach at Home Depot, Banks See Spike in PIN Debit Card Fraud: Nearly a week after this blog first reported signs that Home Depot was battling a major security incident, the company has acknowledged that it suffered a credit and debit card breach involving its U.S. and Canadian stores dating back to April 2014. Home Depot was quick to assure customers and banks that no debit card PIN data was compromised in the break-in. Nevertheless, multiple financial institutions contacted by this publication are reporting a steep increase over the past few days in fraudulent ATM withdrawals on customer accounts. KrebsOnSecurity, September 8, 2014

Cyber Warning

Salesforce warns customers of malware attack: Salesforce.com users are being targeted by a new version of a computer Trojan that has typically attacked online banking customers until now. PCWorld, September 9, 2014
Hackers launch Apple ID phishing campaign playing on iCloud security worries: The hackers behind the Kelihos botnet are trying to capitalize on users’ increased awareness about the security of Apple online accounts through a new phishing campaign. PCWorld, September 8, 2014
New Mac Malware Used in Cyberespionage Campaign: A dangerous new type of Mac malware has been discovered, and the criminals behind it appear to be a group known for targeting United States industrial companies. Experts say the malware proves that cybercriminals are increasingly targeting Macs as well as PCs. Tom’s Guide, September 5, 2014
‘Your Money or Your Files’ as Threat of Online Stickups Grows: You’re an entrepreneur, managing the business from your PC. You’re a doting mother, with hundreds of photos of your children on your laptop. Now, if someone seized all those files, how much would you pay to get them back? Bloomberg BusinessWeek, August 29, 2014

Cyber Security Management

Cyber Risk Series: Wilson Elser attorney on crisis management, data privacy/security and (re)insurance coverage: Featuring Dr. Stahl. Stan Stahl, President of Citadel Information Group, Inc., sat down with attorney Melissa Ventrone, who is the chair of the law firm of Wilson Elser’s Data Privacy & Security practice, to discuss the legal aspects of cyber crime. Ms. Ventrone’s practice focuses on Crisis Management, Data Privacy and Security and Insurance and Reinsurance Coverage. World Risk and Insurance News, September 2014

Cyber Security Management – Cyber Defense

When It’s A Good Idea To Invite An Army Of Hackers To Attack You: Last month, Wired had a disturbing scoop for anyone who has posted an embarrassing revelation on the app Secret: a hacker named Benjamin Caudill had come up with a way to identify Secret’s anonymous users. The fear and thrill of learning about the hack was short-lived though. Readers couldn’t rush to their smartphones and start pulling the digital masks off those whose lips had been loosened by the promise of anonymity. The hole had already been patched. Before Rhino Security Lab’s Caudill went to the press, he had disclosed the vulnerability to Secret through its six-month old bug bounty program on HackerOne. It was resolved before the Wired story was published. Forbes, September 10, 2014
A List of 5 Million ‘Gmail Passwords’ Leaked, But There’s No Need to Panic: It might be time to change some of your passwords — again. But if you’ve used a Gmail password that’s unique from other accounts, you might not have to worry. Mashable, September 10, 2014

Cyber Security Management – Cyber Update

US-CERT Warns of Vulnerability in Cisco Baseboard Controller: US-CERT today released an advisory warning of a vulnerability in Cisco’s Integrated Management Controller (IMC). Cisco released an update that patches the security hole. ThreatPost, September 11, 2014
Critical Fixes for Adobe, Microsoft Software: Adobe today released updates to fix at least a dozen critical security problems in its Flash Player and AIR software. Separately, Microsoft pushed four update bundles to address at least 42 vulnerabilities in Windows, Internet Explorer, Lync and .NET Framework. If you use any of these, it’s time to update! KrebsOnSecurity, September 9, 2014

Cyber Awareness

Best Practices for Employees to Protect the Company From Hackers: In today’s online world, technology users are essentially in a state of near-constant attack. Almost every day there’s a new data breach in the news involving a well-known company and quite often fresh rules for protecting personal information are circulated. Because of malware in email, phishing messages and malicious websites with URLs that are one letter different from popular sites, employees need to maintain a high level of awareness and diligence to protect themselves and their organizations. Entrepreneur, September 8, 2014

Securing the Village

Developers, Academia Team Up on Manual for Secure Software Design: Google, Twitter and Harvard University are cooperating with other businesses and schools to create a manual to help developers design more secure software. eWeek, August 27, 2014
Government launches information sharing partnership on cyber security: New cyber partnership launched to help government and industry share information and intelligence on cyber security threats. Gov.uk, March 27, 2013

National Cyber Security

The Unlikely Alliance of Hackers Fighting the Islamic State: A motley crew of unlikely allies are taking on the Islamic State online, taunting them, taking down Twitter accounts and allegedly jamming the group’s communications, among other things. Mashable, September 9, 2014

Cyber Underworld

5 gangs in Nigeria are behind most Craigslist buyer scams: Five Nigerian criminal gangs are behind most scams targeting sellers on Craigslist, and they’ve taken new measures to make their swindles appear legitimate, according to a new study. ComputerWorld, September 8, 2014

Dread Pirate Sunk By Leaky CAPTCHA: Ever since October 2013, when the FBI took down the online black market and drug bazaar known as the Silk Road, privacy activists and security experts have traded conspiracy theories about how the U.S. government managed to discover the geographic location of the Silk Road Web servers. Those systems were supposed to be obscured behind the anonymity service Tor, but as court documents released Friday explain, that wasn’t entirely true: Turns out, the login page for the Silk Road employed an anti-abuse CAPTCHA service that pulled content from the open Internet, thus leaking the site’s true location. KrebsOnSecurity, September 6, 2014

Profits, falling crimeware prices driving Chinese cybercrime: Trend Micro report finds that the economic and technical barriers to becoming a cybercriminal are much lower today than in the past. CSO, September 5, 2014





Weekend Vulnerability and Patch Report, September 14, 2014


Important Security Updates

Adobe Flash Player: Adobe has released version 15.0.0.152 to fix at least 12 unpatched vulnerabilities, some of which are highly critical, in its Flash Player for the Windows and Mac versions. Updates are available from Adobe’s website. Updates are also available for AIR.

Apple iTunes: Apple has released version 11.4 of iTunes for Windows (64-bit). Updates are available from Apple’s website.

AVG Free Edition: AVG has released version 2015.0.5315 of its 32 bit Free Edition. Updates are available on AVG’s website.

D-Link DIR-626L/DIR-836L/826L: D-Link has released updates for its DIR-626L, DIR-826L and DIR-836L wireless cloud routers to fix moderately critical vulnerabilities reported in previous firmware versions. Update to a fixed version. Updates are available from D-Link’s website.

Google Chrome: Google has released Google Chrome version 37.0.2062.120 for Windows, Mac, and Linux to fix at least 14 vulnerabilities, some of which are highly critical, reported in previous versions. Updates are available from within the browser or from Google Chrome’s website.

Malwarebytes Anti-Exploit: Malwarebytes has released version 1.04.1.1012 of its free Malwarebytes Anti-Exploit. Updates are available from Malwarebytes’ website.

Microsoft Internet Explorer: Microsoft has released updates for all versions of Internet Explorer to fix at least 37 vulnerabilities, some of which are highly critical. Updates are available from within Windows Control Panel or from Microsoft’s website.

Microsoft Patch Tuesday: Microsoft’s Patch Tuesday released 9 updates to address at least 37 vulnerabilities, some of which are highly critical within Windows, Internet Explorer, Office, Windows Media Center, One Note, SQL Server, SharePoint and other Microsoft products.

Mozilla Firefox: Mozilla has released version 32.0.1. Updates are available within the browser or from Mozilla’s website.

Current Software Versions

Adobe Flash  15.0.0.152 [Windows 7: IE]
Adobe Flash  15.0.0.152 [Windows 7: Firefox, Mozilla]
Adobe Flash  15.0.0.152 [Windows 8: IE]
Adobe Flash  15.0.0.152 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.08
Dropbox 2.10.29 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 32.0.1
Google Chrome 37.0.2062.120
Internet Explorer 11.0.9600.17280
Java SE 7 Update 67 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7 
Safari 7.0.4 [Mac OS X]
Skype 6.20.0.104

Newly Announced Unpatched Vulnerabilities

Adobe Reader/Acrobat: Secunia reports moderately critical unpatched vulnerabilities in Adobe Reader XI and Acrobat XI versions 11.0.08 and prior for Windows, Adobe Reader XI and Acrobat XI versions 11.0.07 and prior for Macintosh, Adobe Reader X and Acrobat X versions 10.1.11 and prior for Windows, Adobe Reader X and Acrobat X versions 10.1.10 and prior for Macintosh. Other versions may also be affected. No solution is currently available. The vendor is planning to release an update within the week of September 15th, 2014.
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports Cisco has released updates for IOSXR and Unified Computing System (UCS). Apply available updates. Secunia reports unpatched vulnerabilities in Unified Communications Manager, Intelligent Automation for Cloud, UCS Director, Cloud Portal, TelePresence System MXP Series, Unified Computing System (UCS), Unified Communications Manager and others. No official solution is currently available.

VMware ESXi: Secunia reports VMware has released a partial fix for ESXi to address 2 vulnerabilities reported in versions 5.0, 5.1 and 5.5. Apply update if available.

VMware NSX/vCloud Networking and Security: Secunia reports VMware has released an update for NSX / vCloud Networking and Security to fix a vulnerability reported in VMware NSX Edge versions prior to 6.0.6 and VMware vCloud Networking and Security (vCNS) Edge versions prior to 5.5.3 and prior to 5.1.4.2. Update to a fixed version.

VMware vCenter Server: Secunia reports VMware has released updates for its vCenter Server to fix at least 41 unpatched vulnerabilities, some of which are moderately critical, reported in previous versions. Update to version 5.5 Update 2.

VMware vSphere Update Manager: Secunia reports VMware has released updates for its vSphere Update Manager to fix at least 36 vulnerabilities, some of which are moderately critical, reported in previous versions. Update to version 5.5 Update 2.

If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Copyright © 2014 Citadel Information Group. All rights reserved.
