Monday, October 27, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of October 27, 2014




Cyber Crime

‘Spam Nation’ Publisher Discloses Card Breach: In the interests of full disclosure: Sourcebooks – the company that on Nov. 18 is publishing my upcoming book about organized cybercrime — disclosed last week that a breach of its Web site shopping cart software may have exposed customer credit card and personal information. KrebsOnSecurity, October 23, 2014
Hackers Ran Loose Inside JPMorgan For 2 Months Before Getting Caught: It’s as if a robber were to break into a bank today and stay there until Christmas before someone noticed. HuffingtonPost, October 23, 2014
Banks: Credit Card Breach at Staples Stores: Multiple banks say they have identified a pattern of credit and debit card fraud suggesting that several Staples Inc. office supply locations in the Northeastern United States are currently dealing with a data breach. Staples says it is investigating “a potential issue” and has contacted law enforcement. KrebsOnSecurity, October 20, 2014

Cyber Privacy

China-backed hackers target Apple’s iCloud users: blog: (Reuters) – Apple Inc’s (AAPL.O) iCloud storage service in China was attacked by hackers trying to steal user credentials, a Chinese web monitoring group said, adding that it believes the Beijing government is behind the campaign. Reuters, October 21, 2014

Financial Cyber Security

DTCC urges greater collaboration on cyber-crime threats: A white paper published by the Depository Trust & Clearing Corporation (DTCC) has urged regulators and financial institutions to collaborate more on the increasing threats posed by cyber-crime. COO Connect, October 23, 2014
Financial Services Ranks Cyberattacks Top Industry Worry: Depository Trust & Clearing Corporation (DTCC) survey says cyberrisk is one of the top five concerns for financial services firms. DarkReading, October 23, 2014
How to Combat Online Fraud: How Consumers and Banks Can Work Together: Last month, industry watchdog, Financial Fraud Action UK released some worrying figures about how online banking fraud has increased by 71% over the past year. IBTimes, October 20, 2014
Spike in Malware Attacks on Aging ATMs: This author has long been fascinated with ATM skimmers, custom-made fraud devices designed to steal card data and PINs from unsuspecting users of compromised cash machines. But a recent spike in malicious software capable of infecting and jackpotting ATMs is shifting the focus away from innovative, high-tech skimming devices toward the rapidly aging ATM infrastructure in the United States and abroad. KrebsOnSecurity, October 20, 2014
Wall Street Urges U.S. Regulators’ Joint Cybersecurity Approach: Wall Street’s top trade group is calling for the creation of a new inter-agency working group of regulators and the White House that would be tasked with developing consistent cybersecurity rules for the financial industry. FoxBusiness, October 20, 2014

Identity Theft

What’s behind the dramatic rise in medical identity theft?: A decentralized U.S. health system, increasing digitization of records, and demand in the black market are fueling a surge in thefts. Fortune, October 19, 2014
We’re Getting Too Blase About Identity Theft, Data Breaches: The world is a risky place, and it’s getting riskier. According to a poll by The Travelers Cos. (TRV), 63 percent of American consumers (801 of them, age 18 to 69, were surveyed in July for this annual survey) say they believe the world is getting riskier. DailyFinance, October 15, 2014
Keeping Credit Cards and Bank Account Data from Hackers: JPMorgan Chase has disclosed that the accounts of 83 million households and businesses were compromised this summer in a cyberattack. Nine other financial institutions were also infiltrated by the same group of overseas hackers. The New York Times, October 4, 2014

Cyber Warning

Hackers Are Exploiting Microsoft PowerPoint to Hijack Computers: Hackers are exploiting a security flaw in Microsoft Office by using PowerPoint to attack Windows users and gain control of computer systems. Mashable, October 24, 2014
The ‘Backoff’ malware used in retail data breaches is spreading: The number of computers in North America infected by the Backoff malware, which is blamed for a string of payment card breaches, has risen sharply, according to research from network security company Damballa. PCWorld, October 24, 2014
Malvertising Campaign on Yahoo, AOL, Triggers CryptoWall Infections: Attackers have been leveraging the FlashPack Exploit Kit to peddle the CryptoWall 2.0 ransomware on unsuspecting visitors to sites such as Yahoo, The Atlantic and AOL. Researchers believe that for about a month the malvertising campaign hit up to 3 million visitors and netted the attackers $25,000 daily. ThreatPost, October 23, 2014
Attacks On Patched Sandworm Flaw Force Microsoft To Issue Fix It: More than a week after Microsoft fixed a flaw affecting almost all Windows versions, attackers are continuing to exploit it. DarkReading, October 23, 2014
Terrible People Prey On Ebola Fears In New Email Scam: If you get an email from a seemingly trustworthy organization about the Ebola virus in the coming days, beware. It could very well be a scam to obtain your personal info. HuffingtonPost, October 22, 2014
Phone Hackers Dial and Redial to Steal Billions: SAN FRANCISCO — Bob Foreman’s architecture firm ran up a $166,000 phone bill in a single weekend last March. But neither Mr. Foreman nor anyone else at his seven-person company was in the office at the time. The New York Times, October 19, 2014

Cyber Security Management

Cybersecurity help coming for franchises: Two industry groups are teaming up to help franchise businesses learn about cybersecurity. The Hill, October 23, 2014
Your business can’t afford the cost of cyber crime: It’s not a surprise that cyber crime is costly for organizations. The cost of any lost productivity, combined with the fallout of any compromised data, the impact to the organization’s reputation, and the cost to clean up and recover from an attack all add up. CSO, October 23, 2014

Cyber Security Management – Cyber Defense

Google Accounts Now Support Security Keys: People who use Gmail and other Google services now have an extra layer of security available when logging into Google accounts. The company today incorporated into these services the open Universal 2nd Factor (U2F) standard, a physical USB-based second factor sign-in component that only works after verifying the login site is truly a Google site. KrebsOnSecurity, October 22, 2014

National Cyber Security

Report: Russia, China near cybersecurity deal: Russian President Vladimir Putin is close to finalizing a cybersecurity cooperation agreement with China, according to Russian media reports. The Hill, October 23, 2014
Steptoe Cyberlaw Podcast, Episode #39: An Interview with Tom Finan: Our guest today is Tom Finan, Senior Cybersecurity Strategist and Counsel at DHS’s National Protection and Programs Directorate (NPPD), where he is currently working on policy issues related to cybersecurity insurance and cybersecurity legislation. Marc Frey asks him why DHS, specifically NPPD, is interested in cybersecurity insurance, what trends they are seeing in this space for carriers and other stakeholders, and what is next for their role in this space. He is incredibly forthcoming in his responses and even asks listeners to email him with their feedback. LawFare, October 23, 2014

Weekend Vulnerability and Patch Report, October 26, 2014

Important Security Updates

Apple iOS: Apple has released version 8.1 of its iOS. The update is available through the devices or through Apple’s website.
Apple TV: Apple has released version 7.0.1 for Apple TV to fix a security issues in previous versions. Updates are available through the device or Apple’s website.
Avast: Avast! Free Antivirus has released version 10.0.2206. Updates are available on Avast’s website.
AVG Free Edition: AVG has released version 2015.0.5557 of its 32 bit Free Edition. Updates are available on AVG’s website.
Mozilla Firefox: Mozilla has released version 33.0.1 for Firefox. Updates are available within the browser or from Mozilla’s website.
Piriform CCleaner: Piriform has released version 4.19.4867 for CCleaner. Updates are available from Piriform’s website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.09
Dropbox 2.10.39 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 33.0.1
Google Chrome 38.0.2125.104
Internet Explorer 11.0.9600.17280
Java SE 8 Update 25 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7 
Safari 7.1 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports Cisco has released updates for Email Security Appliance, TelePresence MCU 4200 Series versions prior to 4.3(2.30), TelePresence MCU 4500 Series versions prior to 4.3(2.30), TelePresence MCU MSE 8420 versions prior to 4.3(2.30), Adaptive Security Security Appliance (ASA), and others. Apply available updates.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.'s Security Recruiter Blog