Monday, September 08, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of September 8, 2014


Cyber Security News of the Week

From our friends at Citadel Information Group

Cyber Crime

Hackers Breach Security of Test Site: WASHINGTON — Hackers breached security at the website of the government’s health insurance marketplace, but did not steal any personal information on consumers, Obama administration officials said Thursday. The New York Times, September 4, 2014
Data: Nearly All U.S. Home Depot Stores Hit: New data gathered from the cybercrime underground suggests that the apparent credit and debit card breach at Home Depot involves nearly all of the company’s stores across the nation. KrebsOnSecurity, September 3, 2014

Financial Cyber Security

Fighting Cybercrime in Canada: Canada is considering adopting tougher data security and cybercrime legislation that could serve as a model for other nations, says Claudiu Popa, an information security expert who’ll be a panelist at Information Security Media Group’s Fraud Summit Toronto. BankInfoSecurity, August 27, 2014

Cyber Warning

Hackers exploit critical vulnerability in popular WordPress theme component: Attackers are actively exploiting a critical vulnerability in a WordPress plug-in that’s used by a large number of themes, researchers from two security companies warned Wednesday. PCWorld, September 4, 2014

Cyber Security Management

Growing security threats put focus on CISO role: This week Home Depot became the latest in the growing list of major organizations that are the apparent targets of cybercriminals. Indeed, cybercrime seems rampant and cyberdefenses appear woefully inadequate. Both of these place greater focus on the need for chief information security officers. While most companies still do not have such a professional on payroll, the ranks are growing. Jamey Cummings, principal and co-leader of Korn Ferry’s Cybersecurity Center of Expertise, spoke with FierceCIO about the need for CISOs, the skills they should have, and the value they can bring to an organization. FierceCIO, September 4, 2014
Cyber Crime Means Business – Potentially Yours: MacDonnell Ulsch is Managing Director of Cybercrime and Breach Response at PricewaterhouseCoopers LLP. He served on the United States Secrecy Commission and is the author of two books, Cyber Threat! How to Manage the Growing Risk of Cyber Attacks (Wiley, 2014) and THREAT! Managing Risk in a Hostile World (The IIA Research Foundation, 2008). Ulsch has advised a variety of private sector and federal agency clients and has led many complex breach investigations. Forbes, September 4, 2014
Cyber Risk Series: The Threat…The Response: Featuring Dr. Stahl – Stan Stahl, President of Citadel Information Group, Inc., sat down with Marc Maiffret, Chief Technology Officer at BeyondTrust, a leading security and compliance management company, to discuss the evolution of cyber crime and what companies should do to protect themselves. Mr. Maiffret, a security research pioneer, is credited with some of the first major vulnerability discoveries in Microsoft software. 8 minute video on WRIN.TV. World Risk and Insurance News, September, 2014
10 Ways To Strengthen Healthcare Security: As recent hacks show, keeping a healthcare organization safe from security threats takes planning, technical expertise, and business knowledge. Has your team taken these 10 steps? InformationWeek, August 26, 2014

Cyber Security Management – Cyber Defense

Apple Plans to Extend 2FA to iCloud: In the wake of the iCloud photo theft scandal, Apple’s CEO said the company plans to extend its two-factor authentication system to logins to the iCloud service from mobile devices. The change will come when iOS 8.0 comes out later this month. ThreatPost, September 5, 2014
Europol launches international cybercrime task force: Europol launched a cybercrime task force Monday to fight online crime in the EU and other countries. PCWorld, September 1, 2014
After alleged iCloud breach, here’s how to secure your personal cloud: A hacker may have been responsible for leaking explicit photos of celebrities due to a weak link in their Apple iCloud accounts. Here’s what you can do to keep your embarrassing selfies (and company secrets) out of the public eye. ZDNet, September 1, 2014
PCI SECURITY STANDARDS COUNCIL PUBLISHES GUIDANCE FOR MAINTAINING PCI: Today, the PCI Security Standards Council, an open global forum for the development of payment card security standards, published guidance on building PCI Data Security Standard (PCI DSS) practices into daily business processes. Developed by a PCI SSC Special Interest Group (SIG) including merchants, banks and security assessors, the Best Practices for Maintaining PCI DSS Compliance Information Supplement will help organizations ensure ongoing security for cardholder data. PCI Security Standards Council, August 28, 2014
Medical identity theft: How the health care industry is failing us: Unlike the financial services industry, health care companies lack measures to adequately prevent identity theft, even as they continue to digitize medical records and other sensitive information. Fortune, August 31, 2014

Cyber Awareness

Bank hack attack: What you should do: With the FBI investigating a cyberattack that hit at least five banks, including JPMorgan Chase, many consumers are wondering what they can do to protect themselves if their accounts have been compromised. USA Today, August 28, 2014

Cyber Underworld

Inside the strange and seedy world where hackers trade celebrity nudes: When nude photos of more than 100 prominent celebrities began appearing on the internet over Labor Day weekend, people assumed that the leak was intentional: there was a hacker, or hackers, who were posting these images for fun or profit, and they had used recently discovered security flaws in Apple’s iCloud system to break into accounts and make off with these pictures. The Verge, September 4, 2014
A Google Site Meant to Protect You Is Helping Hackers Attack You: Before companies like Microsoft and Apple release new software, the code is reviewed and tested to ensure it works as planned and to find any bugs. Wired, September 2, 2014

Weekend Vulnerability and Patch Report, September 7, 2014

Important Security Updates

Dropbox: Dropbox has released version 2.10.29 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel's warning below]
Google Chrome: Google has released Google Chrome version 37.0.2062.103 for Windows, Mac, and Linux to fix at least 10 highly critical vulnerabilities reported in previous versions. Updates are available from within the browser or from Google Chrome’s website.
Mozilla Firefox: Mozilla has released version 32 to fix at least 7 highly critical unpatched vulnerabilities reported in previous versions. Updates are available within the browser or from Mozilla’s website.
Opera: Opera has released version 24.0.1558.53 to fix multiple moderately critical unpatched vulnerabilities reported in previous versions. Updates are available from within the browser or from Opera’s website.
Skype: Skype has released an update for Skype. Updates are available from the program or Skype’s website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.08
Dropbox 2.10.29 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 32.0
Google Chrome 37.0.2062.103
Internet Explorer 11.0.9600.17126
Java SE 7 Update 67 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7
Safari 7.0.4 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports Cisco has released an update to fix an unpatched vulnerability in its IOS XR. Upgrade to version or later. Secunia reports an unpatched vulnerability in Cisco’s Transport Gateway for Smart Call Home reported in versions 3.6 and 4.0. Other versions may also be affected. No official solution is currently available.
McAfee Multiple Products: Secunia reports McAfee has released an update to fix multiple vulnerabilities reported in previous versions. Apply hotfixes HF988208 and HF983758 or update to version 5.1.2 when available (scheduled to be released Q1 2015). Secunia reports McAfee has released an update to fix multiple vulnerabilities reported in previous versions. Apply hotfix HF983759 or update to version 4.6.9 when available (scheduled to be released Q1 2015).
Novell Groupwise: Secunia reports Novell has released an update to Groupwise to fix a security bypass vulnerability reported in previous versions. Apply Support Pack 1 (SP1) or later.
WordPress: US-CERT reports WordPress has released an update to address multiple vulnerabilities. WordPress 3.7.3 or 3.8.3 users will be updated to 3.7.4 or 3.8.4. Users operating older, unsupported versions of WordPress are encouraged to upgrade to 3.9.2.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.