Monday, October 20, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of October 20, 2014



Cyber Crime

Oregon Employment Department data breach: more than 851,000 people could be at risk: Hackers may have obtained the personal information of more than 851,300 people after tapping into an Oregon Employment Department database, agency officials announced Monday. OregonLive, October 13, 2014

Cyber Attack

Russian Hackers Used Bug in Microsoft Windows for Spying, Report Says: LONDON — Russian hackers used a bug in Microsoft Windows to spy on several Western governments, NATO and the Ukrainian government, according to a report released Tuesday by iSight Partners, a computer security firm in Dallas. The New York Times, October 14, 2014

Cyber Privacy

Apple defies FBI and offers encryption by default on new operating system: The latest version of Apple’s operating system for desktop and laptop computers, Mac OS X 10.10 “Yosemite”, encourages users to turn on the company’s FileVault disk encryption, as the company hardens its pro-security stance. The Guardian, October 17, 2014
App Behind The Snapchat Leak Admits It Was Hacked, Apologizes: A website that allowed Snapchat users to save images that were supposed to disappear said it was hacked and apologized for allowing thousands of private photos to be leaked online. HuffingtonPost, October 13, 2014

Cyber Warning

In Plain Sight: How Cyber Criminals Exfiltrate Data Via Video: Just like Fortune 500 companies, attackers are investing in sophisticated measures that let them fly beneath the radar of conventional security. DarkReading, October 17, 2014
New attack hides stealthy Android malware in images: A new technique that allows attackers to hide encrypted malicious Android applications inside images could be used to evade detection by antivirus products and possibly Google Play’s own malware scanner. PC World, October 17, 2014
Google reveals major flaw in outdated, but widely-used SSL protocol: Google’s Security Team revealed on Tuesday that the long obsolete, but still all too widely used, Secure Sockets Layer (SSL) 3.0 cryptographic protocol has a major security flaw. ZDNet, October 15, 2014
Hackers Have A Really Simple Way Of Getting Your Passwords To Sites Like Dropbox And Snapchat: Last night an anonymous hacker claimed to be in possession of 7 million passwords to Dropbox accounts. While that claim was probably false, it demonstrates the increasingly common way that hackers are using to gain access to your passwords. Business Insider, October 14, 2014
Who’s Watching Your WebEx?: KrebsOnSecurity spent a good part of the past week working with Cisco to alert more than four dozen companies — many of them household names — about regular corporate WebEx conference meetings that lack passwords and are thus open to anyone who wants to listen in. KrebsOnSecurity, October 13, 2014
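The SSL 3.0 item above is the one entry in this week’s warnings that a defender can check for mechanically. The following is an added example, not code from the report, from ZDNet or from Google: a small Python parser that pulls the offered protocol version and cipher suites out of a TLS ClientHello record and flags the two things a review of this flaw (POODLE) cares about, a client_version of SSL 3.0 or lower, and the TLS_FALLBACK_SCSV value 0x5600 that Google published alongside the disclosure so that a downgraded retry can be refused by servers that still speak a higher version. The records it scans are constructed inside the block as fixtures; in practice you would feed it handshake records extracted from a capture.

```python
"""Flag SSL 3.0 ClientHellos (and downgrade retries) in captured TLS records.

Added example; the sample records are built by build_client_hello() and are
not real captures.
"""
import struct

SSL30 = (3, 0)
TLS_FALLBACK_SCSV = 0x5600   # RFC 7507 signalling cipher suite value
VERSION_NAMES = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLS 1.0",
                 (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def build_client_hello(client_version, cipher_suites):
    """Build a minimal ClientHello handshake record (test fixture only).

    The record-layer version is set equal to client_version here; real clients
    often put 3.1 in the record header regardless, which is why assess() only
    looks at the handshake body's client_version.
    """
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (bytes(client_version)                      # client_version major, minor
            + bytes(32)                                # client random, all zero
            + b"\x00"                                  # empty session id
            + struct.pack("!H", len(suites)) + suites  # cipher_suites vector
            + b"\x01\x00")                             # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType 1
    return b"\x16" + bytes(client_version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Parse one handshake record containing a ClientHello; ValueError otherwise."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("record does not hold a complete ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:                       # version(2) + random(32) + session_id length(1)
        raise ValueError("truncated ClientHello")
    client_version = (body[0], body[1])
    pos = 35 + body[34]                      # skip the session id
    if len(body) < pos + 2:
        raise ValueError("truncated ClientHello")
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    suites = body[pos + 2:pos + 2 + suites_len]
    if len(suites) != suites_len or suites_len % 2:
        raise ValueError("bad cipher_suites length")
    return {
        "record_version": (record[1], record[2]),
        "client_version": client_version,
        "cipher_suites": [struct.unpack("!H", suites[i:i + 2])[0]
                          for i in range(0, suites_len, 2)],
    }


def assess(record):
    """Return (client_version, findings); an empty findings list means nothing
    relevant to the SSL 3.0 flaw was seen in this ClientHello."""
    info = parse_client_hello(record)
    v = info["client_version"]
    findings = []
    if v <= SSL30:
        findings.append("client_version %s: SSL 3.0 or older, CBC suites exposed to POODLE"
                        % VERSION_NAMES.get(v, str(v)))
    if TLS_FALLBACK_SCSV in info["cipher_suites"]:
        findings.append("TLS_FALLBACK_SCSV offered: downgrade retry; a server that "
                        "supports a higher version must refuse it")
    return v, findings


def scan(records):
    """Run assess() over a list of records and keep only those with findings."""
    out = []
    for i, rec in enumerate(records):
        try:
            v, findings = assess(rec)
        except ValueError as exc:
            v, findings = None, ["unparseable: %s" % exc]
        if findings:
            out.append((i, v, findings))
    return out


# Constructed fixtures: a modern client, an SSLv3-only client, a downgrade retry,
# and an application-data record that is not a handshake at all.
SAMPLE_RECORDS = [
    build_client_hello((3, 3), [0xC02F, 0x002F]),
    build_client_hello((3, 0), [0x002F]),
    build_client_hello((3, 1), [0x002F, TLS_FALLBACK_SCSV]),
    b"\x17\x03\x03\x00\x05hello",
]

if __name__ == "__main__":
    for index, version, findings in scan(SAMPLE_RECORDS):
        print(index, version, "; ".join(findings))
```

The check deliberately ignores the record-layer version: in a ClientHello that field carries no reliable information about what the client will accept, whereas the handshake body's client_version is the highest version the client offers, so anything at or below 3.0 there means the client cannot be moved off the broken protocol and the only fix is to stop offering it.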

Cyber Security Management

Cyber Risk Series: Board and C-Suite responsible for data breach preparedness: Stan Stahl, President of Citadel Information Group, welcomes Melissa Ventrone, chair of the Data Privacy & Security Practice at the law firm of Wilson Elser, and Worldwide Facilities VP Steve Vallone, to discuss the responsibility of the Board and senior management regarding company preparedness for cyber liability and data breaches. World Risk Insurance News, October 2014
Cybercrime Costs Have Doubled in Last Five Years, Ponemon Report Says: The average annual cost of cybercrime to companies has nearly doubled in the last five years, a new report from a cybersecurity research firm says. American Banker, October 16, 2014

Cyber Security Management – Cyber Defense

‘Silent’ Fix For Windows USB Bug?: Researchers say a newly patched Microsoft USB flaw in older versions of Windows had at some time previously been fixed in newer versions of the OS. DarkReading, October 16, 2014

Cyber Security Management – Cyber Update

Microsoft, Adobe Push Critical Security Fixes: Adobe, Microsoft and Oracle each released updates today to plug critical security holes in their products. Adobe released patches for its Flash Player and Adobe AIR software. A patch from Oracle fixes at least 25 flaws in Java. And Microsoft pushed patches to fix at least two-dozen vulnerabilities in a number of Windows components, including Office, Internet Explorer and .NET. One of the updates addresses a zero-day flaw that reportedly is already being exploited in active cyber espionage attacks. KrebsOnSecurity, October 14, 2014

Financial Cyber Security

Obama signs order to tighten security for federal credit cards: (Reuters) – U.S. President Barack Obama signed an executive order on Friday to beef up security measures for federal credit cards, and urged banks and retailers to follow suit in an effort to combat the growing threat of identity fraud. Reuters, October 17, 2014
N.Y.’s Lawsky Considering Strict Cybersecurity Regime for Banks: Banks chartered in New York could soon be required to appoint chief information security officers and submit to quarterly tests of their systems’ vulnerabilities under a cybersecurity regime being considered by state regulator Benjamin Lawsky. American Banker, October 17, 2014
Can Apple Pay Do to Your Wallet What iTunes Did for Music?: With added security, better design, and improved convenience, Apple Pay hopes to finally make mobile payments commonplace at the register. MIT Technology Review, October 15, 2014
Millions vulnerable to scams as banks launch Know Fraud, No Fraud campaign: Poll finds millions leave themselves open to scams as banks launch campaign. The BBA is launching a fraud awareness campaign as YouGov polling reveals that millions of people in Great Britain are unwittingly leaving themselves vulnerable to scams perpetrated by fraudsters posing as their bank. Banking Business Review, October 14, 2014

National Cyber Security

9/11 Commission Urges Senate to Pass Cybersecurity Bill: The 9/11 Commission is calling on Sen. Majority Leader Harry Reid (D-Nev.) to get cybersecurity legislation passed before the end of this Congress. MultiChannel News, October 17, 2014
Steptoe Cyberlaw Podcast, Episode #38: An Interview with Shaun Waterman: Our guest for the podcast is Shaun Waterman, editor of POLITICO Pro Cybersecurity. Shaun is an award-winning journalist who has worked for the BBC and United Press International; and an expert on counterterrorism and cybersecurity. LawFare, October 16, 2014
FBI Director Urges New Encryption Legislation: Encryption algorithms do not acknowledge “lawful access.” DarkReading, October 16, 2014

Cyber Insurance

5 Reasons You Should Have Cyber Liability Insurance: It’s not just for big companies. Cyber insurance can make the difference between staying in business or shutting your doors after an attack. March 18, 2013

Cyber Sunshine

Seleznev Arrest Explains ‘2Pac’ Downtime: The U.S. Justice Department has piled on more charges against alleged cybercrime kingpin Roman Seleznev, a Russian national who made headlines in July when it emerged that he’d been whisked away to Guam by U.S. federal agents while vacationing in the Maldives. The additional charges against Seleznev may help explain the extended downtime at an extremely popular credit card fraud shop in the cybercrime underground. KrebsOnSecurity, October 15, 2014

Weekend Vulnerability and Patch Report, October 20, 2014

Important Security Updates

Adobe Flash Player: Adobe has released an updated version of Flash Player to fix at least 3 highly critical vulnerabilities reported in previous versions. Updates are available from Adobe’s website. Updates are also available for AIR.
Apple iTunes: Apple has released version 12.0.1 of iTunes for Windows (64-bit) to fix at least 82 unpatched vulnerabilities, some of which are highly critical. Updates are available from Apple’s website.
Apple OS X: Apple has released updates for OS X to fix 32 vulnerabilities, some of which are highly critical. Update to version 10.10. Updates are available from Apple’s website.
D-Link Multiple Products: D-Link has released updates for its DSR-500, DSR-500N, DSR-1000, and DSR-1000N wireless routers to fix a security issue reported in previous firmware versions. Update to firmware version 1.09.b61. Updates are available from D-Link’s website.
Google Chrome: Google has released Google Chrome version 38.0.2125.104 for Windows, Mac, and Linux to fix at least 13 unpatched vulnerabilities, some of which are highly critical, reported in previous versions and versions bundled with Flash Player. Updates are available from within the browser or from Google Chrome’s website.
Malwarebytes Anti-Exploit: Malwarebytes has released version 2.0.3 of its free Malwarebytes Anti-Exploit. Updates are available from Malwarebytes’ website.
Microsoft Internet Explorer: Microsoft has released updates for all versions of Internet Explorer to fix at least 14 highly critical vulnerabilities. Updates are available through the program or from Microsoft’s website.
Microsoft Patch Tuesday: Microsoft’s Patch Tuesday released 9 updates to address at least 24 vulnerabilities, some of which are highly critical, in Windows, Internet Explorer, Office, Word, .NET and other Microsoft products.
Mozilla Firefox: Mozilla has released version 33.0 for Firefox to fix at least 9 highly critical unpatched vulnerabilities in previous versions. Updates are available within the browser or from Mozilla’s website. Updates are also available for Thunderbird and SeaMonkey.
Opera: Opera has released version 25 to fix moderately critical unpatched vulnerabilities. Updates are available from within the browser or from Opera’s website.
Oracle Java: Oracle has released versions Java SE 7 Update 72 and Java SE 8 Update 25 to fix at least 25 vulnerabilities, some of which are highly critical. The update is available through Windows Control Panel or Java’s website. [See Citadel's recommendation below]
TechSmith Corporation SnagIt: TechSmith has released an updated version of SnagIt. Updates are available from TechSmith’s website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.09
Dropbox 2.10.39 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 33.0
Google Chrome 38.0.2125.104
Internet Explorer 11.0.9600.17280
Java SE 8 Update 25 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7 
Safari 7.1 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Apple OS X Server: Secunia reports Apple has released version 4.0 of OS X Server to fix at least 7 unpatched moderately critical vulnerabilities, a weakness and a security issue. Apply update.
BlackBerry OS: Secunia reports Blackberry has released an update to fix a security issue. Apply update.
Cisco Multiple Products: Secunia reports Cisco has released updates for Intrusion Prevention System (IPS), Adaptive Security Appliance (ASA), 5500 Series, 5500-X Series, IOS XE, and others. Apply available updates.
Citrix XenServer: Secunia reports Citrix has released updates for its XenServer to address at least 6 moderately critical vulnerabilities in versions 6.2 Service Pack 1 and prior. Apply hotfix.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.