Monday, November 03, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of November 3, 2014

Cyber Crime

Maker of Apple Pay Competitor Has Already Been Hacked: MCX, the retailer consortium behind Apple Pay competitor CurrentC, has already been hacked, according to an email sent out to those people who have signed up for, or downloaded, the CurrentC app. Recode, October 29, 2014
Data breaches jump in California and are expected to keep climbing: Data breaches soared last year in California as cybercriminals leaped over digital security gates to endanger the personal data of millions of consumers, California Atty. Gen. Kamala Harris said. The Los Angeles Times, October 28, 2014
Online Security Experts Link More Breaches to Russian Government: SAN FRANCISCO — For the second time in four months, researchers at a computer security company are connecting the Russian government to electronic espionage efforts around the world. The New York Times, October 28, 2014
Hacked: The escalating arms race against cybercrime: Martin Knuth is one of Home Depot’s most loyal customers. But after the home improvement giant revealed last month that hackers had accessed the confidential credit card information of 56 million North American customers, the Regina retiree became concerned enough to help launch a class action lawsuit against the retailer. The Globe and Mail, October 24, 2014

Cyber Privacy

You Are Responsible for Your Own Internet Privacy: Interview with Dr. Stahl. Stan Stahl knows about the shady world of high-tech security and false privacy. Dr. Stahl helped secure teleconferencing at the White House and the communications network controlling the country’s nuclear weapons arsenal. talks to Dr. Stahl about whether Internet privacy is even possible. CIO, October 23, 2014

Cyber Warning

Hackers Are Using Gmail Drafts to Update Their Malware and Steal Data: In his career-ending extramarital affair that came to light in 2012, General David Petraeus used a stealthy technique to communicate with his lover Paula Broadwell: the pair left messages for each other in the drafts folder of a shared Gmail account. Now hackers have learned the same trick. Only instead of a mistress, they’re sharing their love letters with data-stealing malware buried deep on a victim’s computer. Wired, October 29, 2014
Hackers can use the Samsung Find My Mobile feature to attack phones: Most smartphones now come with built-in tracking systems that allow users to remotely lock or wipe their phones if they’re misplaced or stolen. Mashable, October 28, 2014
Purchase Order Scam Leaves a Trail of Victims: What began as a scheme to defraud office supply stores has evolved into more ambitious crimes that have cost retailers around the country millions of dollars—and the Nigerian cyber criminals behind the fraud have also turned at-home Internet users into unsuspecting accomplices. FBI, October 27, 2014
Beware Microsoft Office! Software contains dangerous bug that could let hackers take over your computer: Many of us know not to click random links that are sent in emails or on Facebook, but now we’re being warned to be on our guard against dangerous files, too. DailyMail, October 27, 2014
CryptoWall ransom infections spike to 830,000 in matter of weeks: Dell SecureWorks has updated its figures on the number of PCs infected by the awful CryptoWall ransom malware and the news isn’t good – the number of systems has spiked suddenly to 830,000. TechWorld, October 23, 2014

Cyber Misc

How to Tell Data Leaks from Publicity Stunts: In an era when new consumer data breaches are disclosed daily, fake claims about data leaks are sadly becoming more common. These claims typically come from fame-seeking youngsters who enjoy trolling journalists and corporations, and otherwise wasting everyone’s time. Fortunately, a new analysis of recent bogus breach claims provides some simple tools that anyone can use to quickly identify fake data leak claims. KrebsOnSecurity, October 29, 2014

Weekend Vulnerability and Patch Report, November 2, 2014

Important Security Updates

Apple QuickTime: Apple has released version 7.7.6 of QuickTime for Windows 7, Vista, XP SP2 or later. Updates are available from within the program or Apple’s website.
Dropbox: Dropbox has released version 2.10.44 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel's warning below]
Google Chrome: Google has released Google Chrome version 38.0.2125.111. Updates are available from within the browser or from Google Chrome’s website.
Mozilla Firefox: Mozilla has released version 33.0.2 for Firefox. Updates are available within the browser or from Mozilla’s website.
Opera: Opera has released version 25.0.1614.63 to fix moderately critical unpatched vulnerabilities. Updates are available from within the browser or from Opera’s website.
Skype: Skype has released a new version of Skype. Updates are available from within the program or Skype’s website.
TechSmith Corporation SnagIt: TechSmith has released a new version of SnagIt. Updates are available from TechSmith’s website.
WinZip: WinZip has released version 19.0.11293. Updates are available from within the program (look for “Check for Updates” on the Help menu) or from the WinZip website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.09
Dropbox 2.10.44 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 33.0.2
Google Chrome 38.0.2125.111
Internet Explorer 11.0.9600.17280
Java SE 8 Update 25 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.6
Safari 5.1.7
Safari 7.1 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports that Cisco has released updates for the Aggregation Services Router ASR901, IOS / IOS XE, Expressway Series, Unified Communications Manager, and other products. Apply available updates.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2014 Citadel Information Group. All rights reserved.