Monday, September 22, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of September 22, 2014

Cyber Security News of the Week

From our friends at Citadel Information Group

Cyber Crime

Breach at Goodwill Vendor Lasted 18 Months: C&K Systems Inc., a third-party payment vendor blamed for a credit and debit card breach at more than 330 Goodwill locations nationwide, disclosed this week that the intrusion lasted more than 18 months and has impacted at least two other organizations. KrebsOnSecurity, September 16, 2014
Decade-long cybercrime ring hacked European banks and labs: A 12-year-long European cybercrime operation targeting more than 300 banks, governments, research labs, critical infrastructure facilities and more has finally been discovered and scuppered. Wired, September 16, 2014
After Breach, JPMorgan Still Seeks to Determine Extent of Attack: The headache caused by the attack on JPMorgan Chase’s computer network this summer may not go away anytime soon. The New York Times, September 12, 2014

Cyber Privacy

New Apple encryption locks out police from iPhones, iPads: Apple said Wednesday night that it is making it impossible for the company to turn over data from most iPhones or iPads to police — even when they have a search warrant — taking a hard new line as tech companies attempt to blunt allegations that they have too readily participated in government efforts to collect user data. The Boston Globe, September 18, 2014
California Breaks New Ground in Education Privacy Law with K-12 Student Data Privacy Bill: A substantial rise in schools’ use of online educational technology products has caused educators to become increasingly reliant on these products to develop their curricula, deliver materials to students in real time, and monitor students’ progress and learning habits through the collection of data by third-party cloud computing service providers. Unfortunately, with these advances come the data security concerns that go hand-in-hand with cloud computing—such as data breaches, hacking, spyware, and the potential misappropriation or misuse of sensitive personal information. The National Law Review, September 17, 2014
Yelp pays $450,000 to settle FTC’s child privacy violation charges: Yelp has agreed to pay $450,000 to the U.S. Federal Trade Commission to settle charges that the company accepted registrations to its services from children under 13 through its apps. PCWorld, September 17, 2014

Cyber Warning

Kindle security vulnerability can ‘compromise’ Amazon accounts: A security vulnerability exists in Amazon’s Kindle Library, which can be used to “compromise” an entire account, according to the researcher who found the flaw. ZDNet, September 16, 2014
WikiLeaks releases FinFisher ‘weaponized malware’ to help people build defenses: WikiLeaks has today released copies of ‘weaponized malware’ used by various governments around the world to snoop on individuals. TheNextWeb, September 15, 2014
Your adviser could be an easy target for cyber crooks: At a time when security experts, regulators and law enforcement are warning of attacks on the financial sector, more than one-third of registered investment adviser firms don’t do risk assessments for cyber threats, vulnerabilities or potential consequences, new data finds. MarketWatch, September 15, 2014

Cyber Security Management

Did Home Depot’s Outdated Software Help Hackers?: Former staffers allege management’s aversion to spending money on state-of-the-art security could have been a factor in the recent breach. CFO, September 16, 2014
Here’s What Hackers Can Do With Your CRM Data: It is clear why malware writers target such retailers as Home Depot and Target. It is obvious, if not pathetic, why hackers break into the cloud to find and publish private nude photos of celebrities. … But a company’s customer relationship management data? Well, yes. … Even the CRM systems that don’t store end customer payment account information? Yes, again. Forbes, September 14, 2014
Former Home Depot Managers Depict ‘C-Level’ Security Before the Hack: Home Depot’s (HD) in-store payment system wasn’t set up to encrypt customers’ credit- and debit-card data, a gap in its defenses that gave potential hackers a wider window to exploit, according to interviews with former members of the retailer’s security team. Bloomberg, September 12, 2014

Cyber Security Management – Cyber Defense

8 Security Tips for a Safe iOS 8 Upgrade: Apple’s iOS 8 is here. If you’ve got an iPhone, you’re probably champing at the bit to download Apple’s latest and greatest OS. Or perhaps you’ve already pre-ordered an iPhone 6 or 6 Plus and are ready to party with a totally new handset. Either way, now is a great time to spruce up the security of your iOS device. PCMag, September 17, 2014
Apple Expands Two-Factor Authentication to iCloud Backups: Apple has extended two-factor authentication to iCloud, which – if activated – would make it much harder for scammers to gain unauthorized access to iOS data that has been backed up to the cloud. PCMag, September 17, 2014

Cyber Security Management – Cyber Update

Critical Update for Adobe Reader & Acrobat: Adobe has released a security update for its Acrobat and PDF Reader products that fixes at least eight critical vulnerabilities in Mac and Windows versions of the software. If you use either of these programs, please take a minute to update now. KrebsOnSecurity, September 17, 2014

Internationally Renowned Security Expert Bruce Schneier to Keynote the 2015 ISSA-LA Information Security Summit on Cybercrime Solutions: One of the world’s leading experts on computer security and privacy issues will deliver the keynote address on June 4, 2015, at the Hilton Universal City Hotel in Los Angeles. PRWeb, September 15, 2014

National Cyber Security

Chinese Hackers Infiltrated U.S. Defense Contractors, Senate Report Says: Hackers staged at least 20 attacks on private firms involved in the movement of U.S. troops and equipment. Time, September 17, 2014

Weekend Vulnerability and Patch Report

Important Security Updates

Adobe Reader: Adobe has released version 11.0.09 to fix at least 8 highly critical vulnerabilities reported in previous versions. Updates are available through the program’s Help menu/Check for Updates or from Adobe’s website. Updates are also available for Adobe Acrobat.
Apple iCloud: Apple has released an update for iCloud for Windows. The update is available through Apple’s website.
Apple iOS: Apple has released version 8 of its iOS for iPhone 4 and later, iPad and iPod touch to fix at least 19 unpatched vulnerabilities, some of which are highly critical, in previous versions. The update is available through the devices or through Apple’s website.
Apple OS X: Apple has released updates for its OS X to fix at least 37 vulnerabilities, some of which are highly critical, reported in previous versions. Update to version 10.9.5 or apply Security Update 2014-004.
Apple Safari: Apple has released updates for Safari to fix at least 8 vulnerabilities, some of which are highly critical, reported in previous versions. Update to version 6.2 or 7.1. Updates are available from Apple’s website.
Apple TV: Apple has released version 7 for Apple TV to fix at least 14 unpatched vulnerabilities, some of which are highly critical, in previous versions. Updates are available through the device or Apple’s website.
Dropbox: Dropbox has released version 2.10.30 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel's warning below]
Mozilla Firefox: Mozilla has released version 32.0.2. Updates are available within the browser or from Mozilla’s website.
Opera: Opera has released version 24.0.1558.61 to fix multiple moderately critical unpatched vulnerabilities reported in previous versions. Updates are available from within the browser or from Opera’s website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.09
Dropbox 2.10.30 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 32.0.2
Google Chrome 37.0.2062.120
Internet Explorer 11.0.9600.17280
Java SE 7 Update 67 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7
Safari 7.1 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports Cisco has released updates for IOS XR and other products. Apply available updates.
Apple OS X Server: Apple has released updates for its OS X Server to fix at least 7 moderately critical vulnerabilities reported in previous versions. Update to version 3.2.1.

If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.