Monday, September 29, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of September 29, 2014

Cyber Security News of the Week

From our friends at Citadel Information Group

Cyber Crime

Jimmy John’s Confirms Breach at 216 Stores: More than seven weeks after this publication broke the news of a possible credit card breach at nationwide sandwich chain Jimmy John’s, the company now confirms that a break-in at one of its payment vendors jeopardized customer credit and debit card information at 216 stores. KrebsOnSecurity, September 24, 2014
Home Depot: 56M Cards Impacted, Malware Contained: Home Depot said today that cyber criminals armed with custom-built malware stole an estimated 56 million debit and credit card numbers from its customers between April and September 2014. That disclosure officially makes the incident the largest retail card breach on record. KrebsOnSecurity, September 18, 2014
In Home Depot Breach, Investigation Focuses on Self-Checkout Lanes: The malicious software that unknown thieves used to steal credit and debit card numbers in the data breach at Home Depot this year was installed mainly on payment systems in the self-checkout lanes at retail stores, according to sources close to the investigation. The finding could mean thieves stole far fewer cards during the almost five-month breach than they might have otherwise. KrebsOnSecurity, September 18, 2014

Cyber Privacy’s Dr. Stan Stahl Talks Secure Internet Browsing, Usage; Possible Tor Alternative And The Privacy Culture Shift: Tuesday I got a chance to interview Dr. Stan Stahl, Chief Information Security Officer of Right now it’s an anonymous internet search browser, similar to DuckDuckGo in most ways, except that it requires users to create an account. This seems counter-intuitive but says that it allows users to stay in control of their data by controlling settings and restricting access by search providers. encrypts the data, slices it up and stores it in multiple non-profits for added security. iDigitalTimes, September 24, 2014

Identity Theft

Your medical record is worth more to hackers than your credit card: (Reuters) – Your medical information is worth 10 times more than your credit card number on the black market. Reuters, September 24, 2014
Medical Records For Sale in Underground Stolen From Texas Life Insurance Firm: How much are your medical records worth in the cybercrime underground? This week, KrebsOnSecurity discovered medical records being sold in bulk for as little as $6.40 apiece. The digital documents, several of which were obtained by sources working with this publication, were apparently stolen from a Texas-based life insurance company that now says it is working with federal authorities on an investigation into a possible data breach. KrebsOnSecurity, September 18, 2014

Financial Cyber Security

$1.66M in Limbo After FBI Seizes Funds from Cyberheist: A Texas bank that’s suing a customer to recover $1.66 million spirited out of the country in a 2012 cyberheist says it now believes the missing funds are still here in the United States — in a bank account that’s been frozen by the federal government as part of an FBI cybercrime investigation. KrebsOnSecurity, September 25, 2014

Cyber Warning

Shellshock: ‘Deadly serious’ new vulnerability found: A “deadly serious” bug potentially affecting hundreds of millions of computers, servers and devices has been discovered. BBC, September 25, 2014

National Cyber Security

Steptoe Cyberlaw Podcast – Interview with Phyllis Schneck: Our guest this week is Dr. Phyllis Schneck, the Deputy Undersecretary for Cybersecurity for the Department of Homeland Security’s National Protection and Programs Directorate (NPPD). She and Marc Frey, Senior Director in Steptoe’s DC office and former Chief of Staff at DHS’s Office of Policy Development, discuss the status of cybersecurity legislation and DHS’s highest cybersecurity priorities. Steptoe Cyberblog, September 16, 2014

Cyber Underworld

Who’s Behind the Bogus $49.95 Charges?: Hardly a week goes by when I don’t hear from a reader wondering about the origins of a bogus credit card charge for $49.95 or some similar amount for a product they never ordered. As this post will explain, such charges appear to be the result of crooks trying to game various online affiliate programs by using stolen credit cards. KrebsOnSecurity, September 22, 2014

Cyber Misc

Home Depot’s Former Lead Security Engineer Had a Legacy of Sabotage: Information continues to trickle in on the Home Depot data breach, and it’s an ugly one. Last week, the company confirmed that its security lapse—the biggest ever for a retailer—had compromised the credit cards of 56 million customers from April to September. The data now being sold on black markets could contribute to an estimated $3 billion in illegal purchases. Slate, September 23, 2014

Weekend Vulnerability and Patch Report, September 28, 2014

Important Security Updates

Apple iOS: Apple has released version 8.0.2 of its iOS for iPhone 4 and later, iPad and iPod touch. The update is available through the devices or through Apple’s website.
Foxit Reader: Foxit has released version of its Reader. Updates are available through the program or from Foxit’s website.
Google Chrome: Google has released Google Chrome version 37.0.2062.124 for Windows, Mac, and Linux to fix a moderately critical vulnerability reported in previous versions. Updates are available from within the browser or from Google Chrome’s website.
Mozilla Firefox: Mozilla has released version 32.0.3 for Firefox to fix a moderately critical vulnerability. Updates are available within the browser or from Mozilla’s website. Updates are also available for Thunderbird and SeaMonkey.
Opera: Opera has released version 24.0.1558.64. Updates are available from within the browser or from Opera’s website.
Piriform CCleaner: Piriform has released version 4.18.4842 for CCleaner. Updates are available from Piriform’s website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.09
Dropbox 2.10.30 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 32.0.3
Google Chrome 37.0.2062.124
Internet Explorer 11.0.9600.17280
Java SE 7 Update 67 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7 
Safari 7.1 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Nexus 1000V: Secunia reports an unpatched vulnerability in Cisco’s Nexus 1000V InterCloud for VMware versions 5.2(1)IC1 (1.1) and (1.2), Nexus 1000V Switch versions 6.3(2) Base and 7.0(2) Base, Nexus 1000V Switch for VMware vSphere version 9.2(1)SP1(4.8). No official solution is currently available.

If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.