Monday, January 19, 2015

Cyber Security News, Education and Vulnerability Patch Report for the Week of January 19, 2015

Cyber Crime

Park ‘N Fly, OneStopParking Confirm Breaches: Late last year, KrebsOnSecurity wrote that two huge swaths of credit card numbers put up for sale in the cybercrime underground had likely been stolen from Park ‘N Fly and from OneStopParking, competing airport parking services that let customers reserve spots in advance of travel via Internet reservation systems. This week, both companies confirmed that they had indeed suffered a breach. KrebsOnSecurity, January 14, 2015

Cyber Attack

In Wake Of Violence, France Reports Spike In Cyberattacks: Since the deadly shootings in Paris on Jan. 7, cyber attackers have hit 19,000 French websites, mostly with denial-of-service attacks. Admiral Arnaud Coustilliere, head of cyberdefense for France’s military, said today “that’s never been seen before. This is the first time that a country has been faced with such a large wave.” DarkReading, January 15, 2015
Pro-ISIS Hackers Hit U.S. Military Twitter, YouTube: Video segment featuring Dr. Stahl – Federal agents are investigating a hack attack on the Twitter and YouTube accounts for the US Central Command. The hackers claim they’re working on behalf of the terrorist group ISIS. Mekahlo Medina reports for the NBC4 News at 5 Monday, Jan. 12, 2015. NBC4, January 12, 2015

Cyber Underworld

Need Some Espionage Done? Hackers Are for Hire Online: A man in Sweden says he will pay up to $2,000 to anyone who can break into his landlord’s website. A woman in California says she will pay $500 for someone to hack into her boyfriend’s Facebook and Gmail accounts to see if he is cheating on her. … The business of hacking is no longer just the domain of intelligence agencies, international criminal gangs, shadowy political operatives and disgruntled “hacktivists” taking aim at big targets. Rather, it is an increasingly personal enterprise. New York Times, January 15, 2015

Cyber Privacy

David Cameron’s plan to ban end-to-end encryption is catastrophic for Internet freedom: Earlier today, British Prime Minister David Cameron announced his plan to revive legislation that would allow the UK government to ban applications that use end-to-end encryption to ensure user security. TheNextWeb, January 13, 2015

Financial Cyber Security

Bank Fraud Toolkit Circumvents 2FA & Device Identification: Another user-friendly attack toolkit is on the market, and it’s perfect for the budding Brazilian banking fraudster. It’s got an attractive, user-friendly interface that includes a “start phishing” button. And it effectively circumvents both two-factor authentication and device identification protections. Dark Reading, January 14, 2015

Cyber Warning

How Hackers Are Using #JeSuisCharlie To Spread Malware: In the wake of the tragic shootings at the Charlie Hebdo offices in Paris last week, #JeSuisCharlie soon became a trending message of solidarity. But journalists aren’t the only ones following these viral news events with interest. Malware organizations are quick to latch onto tragedy to spread malware, and they’re getting better at it with each new disaster, according to research from the security firm Blue Coat. Forbes, January 15, 2015
‘Skeleton Key’ malware unlocks corporate networks: The newly discovered “Skeleton Key” malware is able to circumvent authentication on Active Directory systems, according to Dell researchers. ZDNet, January 13, 2015

Cyber Security Management

Cyber-crime and business: Think of a number and double it: Chick-fil-A, a fast-food chain, and Morgan Stanley, a bank, have in recent days joined a long list of big American companies to admit that their systems have been hacked into, putting customers’ financial information at risk. But how many businesses suffer from cyber-crime, and how much it ultimately costs them, are huge unknowns. In part this is because much hacking goes undetected, and partly it is because businesses sometimes try to cover up breaches of data security, to avoid embarrassment. The Economist, January 17, 2015
New report: DHS is a mess of cybersecurity incompetence: A large, embarrassing, and alarming Federal oversight report finds major problems and grave shortcomings with Department of Homeland Security cybersecurity programs and practices which are “unlikely to protect us”. ZDNet, January 14, 2015

Cyber Security Management – Cyber Update

Adobe, Microsoft Push Critical Security Fixes: Microsoft on Tuesday posted eight security updates to fix serious security vulnerabilities in computers powered by its Windows operating system. Separately, Adobe pushed out a patch to plug at least nine holes in its Flash Player software. KrebsOnSecurity, January 14, 2015
OpenSSL release patches 8 vulnerabilities: The OpenSSL Project has released updates for the popular eponymous open-source library that implements the SSL and TLS protocols. Help Net Security, January 9, 2015

Securing the Village

Early Bird Registration for Summit7 is open: Take advantage of special Early Bird savings of 40% off the standard fee when you register by February 15. And if you are an ISSA-LA member, we are proud to offer you an additional 30%. Check your e-mail for details soon! Not a member yet? Join today and receive this additional Summit discount, as well as the many other benefits of ISSA-LA membership. ISSA-LA, January 15, 2015
ISSA-LA Donates to ISSA Educational Foundation For Its Information Security Scholarship Programs: Dr. Stan Stahl, president of the Los Angeles Chapter of the Information Systems Security Association (ISSA-LA), presented a check for $3,000 to the ISSA Education Foundation (ISSAEF) in support of its scholarship program. Foundation Board Chair Sandra Lambert accepted the donation on behalf of the Foundation. PRLog, January 7, 2015

National Cyber Security

Secret US cybersecurity report: encryption vital to protect private data: Newly uncovered Snowden document contrasts with British PM’s vow to crack down on encrypted messaging after Paris attacks. The Guardian, January 15, 2015

Cyber Law

Obama: Fighting cybercrime is ‘shared mission’: President Obama renewed long-standing efforts Tuesday for legislation to improve the sharing of cyber information between the government and the private sector, and to shield businesses from lawsuits over revealing cybercrimes. USA Today, January 13, 2015
Toward Better Privacy, Data Breach Laws: President Obama on Monday outlined a proposal that would require companies to inform their customers of a data breach within 30 days of discovering their information has been hacked. But depending on what is put in and left out of any implementing legislation, the effort could well lead to more voluminous but less useful disclosure. Here are a few thoughts about how a federal breach law could produce fewer yet more meaningful notices that may actually help prevent future breaches. KrebsOnSecurity, January 13, 2015
Why tort liability for data breaches won’t improve cybersecurity: Government policymakers have been hoping for twenty years that companies will be driven to good cybersecurity by the threat of tort liability. That hope is understandable. Tort liability would allow government to get the benefit of regulating cybersecurity without taking heat for imposing restrictions directly on the digital economy. The Washington Post, January 11, 2015

Cyber Sunshine

Another Lizard Arrested, Lizard Lair Hacked: Several media outlets are reporting that authorities in the United Kingdom early this morning arrested an 18-year-old in connection with the denial-of-service attacks on Sony PlayStation and Microsoft Xbox systems over Christmas. The arrest is one of several tied to a joint U.K. and U.S. law enforcement investigation into a group calling itself the “Lizard Squad,” and comes as the group’s attack-for-hire online service was completely compromised and leaked to investigators. KrebsOnSecurity, January 16, 2015

Weekend Vulnerability and Patch Report

Important Security Updates

Adobe Flash Player: Adobe has released version to fix at least 9 highly critical vulnerabilities reported in previous versions. Updates are available from Adobe’s website.
Adobe Shockwave Player: Adobe has released version of Shockwave Player running on Windows and Macintosh. Updates are available through the program or from Adobe’s Shockwave Web Site.
Google Chrome: Google has released Google Chrome version 39.0.2171.99 to fix at least 9 highly critical vulnerabilities reported in previous versions. Updates are available from within the browser or from Google Chrome’s website.
Microsoft Patch Tuesday: Microsoft’s Patch Tuesday released 8 updates to address at least 24 vulnerabilities, some of which are highly critical within Windows, Internet Explorer, Office, Word, Windows Flash Player, and other Microsoft products.
Mozilla Firefox: Mozilla has released version 35 to fix at least 9 highly critical vulnerabilities reported in previous versions. Updates are available within the browser or from Mozilla’s website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.10
Dropbox 3.0.5 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 35
Google Chrome 39.0.2171.99
Internet Explorer 11.0.9600.17501
Java SE 8 Update 25 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
Safari 5.1.7 
Safari 7.1.1 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports Cisco has released updates for its Adaptive Security Appliance (ASA), TelePresence VCS and Cisco Expressway Series, IronPort AsyncOS, WebEx Meetings Server, MDS 9000 Series and others. Apply updates. Secunia reports unpatched vulnerabilities in Cisco’s Unified Communications Domain Manager (CUCDM) and ACNS (Application and Content Networking System). No official solution is available.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
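The practical step behind the two paragraphs above is comparing what is installed against the report’s “Current Software Versions” list. The following script is an added example of that check, not a Citadel tool: it transcribes the report’s version list into a table, normalizes vendor version strings (including Oracle’s “8 Update 25” wording, which is the same build that `java -version` reports as 1.8.0_25), and flags each product as current, outdated, absent from the report, or uncheckable because the report gives no version number (the Adobe Flash lines above). The inventory it runs against is constructed for illustration and is not real data.

```python
"""Check an installed-software inventory against a patch report's version list.

Added example for this report, not Citadel's own code. The inventory below is
constructed for illustration; on a real machine it would come from the package
manager, the Windows registry, or each program's about box.
"""
import re

# "Current Software Versions" transcribed from the report above. Entries whose
# version the report leaves blank (the Adobe Flash lines) are recorded as None
# so the script reports them as uncheckable instead of guessing a number.
REPORT_VERSIONS = {
    "Adobe Flash": None,
    "Adobe Reader": "11.0.10",
    "Dropbox": "3.0.5",
    "Firefox": "35",
    "Google Chrome": "39.0.2171.99",
    "Internet Explorer": "11.0.9600.17501",
    "Java SE": "8 Update 25",
    "Safari": "7.1.1",
}


def parse_version(text):
    """Turn a vendor version string into a tuple of ints for comparison.

    Handles plain dotted versions ("39.0.2171.99", "35"), Oracle's marketing
    form ("8 Update 25"), and the "1.8.0_25" form that `java -version` prints
    for the same build, so both Java spellings compare equal.
    """
    t = text.strip()
    m = re.fullmatch(r"(\d+)\s+Update\s+(\d+)", t, re.IGNORECASE)
    if m:
        return (int(m.group(1)), int(m.group(2)))
    m = re.fullmatch(r"1\.(\d+)\.0_(\d+)", t)  # legacy Java naming, e.g. 1.8.0_25
    if m:
        return (int(m.group(1)), int(m.group(2)))
    parts = tuple(int(p) for p in re.findall(r"\d+", t))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return parts


def is_outdated(installed, required):
    """True if installed < required.

    Shorter tuples are zero-padded so that "35" and "35.0" compare equal
    instead of the shorter one sorting first.
    """
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def check_inventory(installed, report=REPORT_VERSIONS):
    """Map each installed product to one of four statuses so every line of
    output is actionable: 'ok', 'OUTDATED', 'not in report', or
    'report gives no version'."""
    result = {}
    for name, version in installed.items():
        if name not in report:
            result[name] = "not in report"
        elif report[name] is None:
            result[name] = "report gives no version"
        elif is_outdated(version, report[name]):
            result[name] = "OUTDATED"
        else:
            result[name] = "ok"
    return result


# Constructed inventory for a hypothetical Windows 7 workstation (not real data).
SAMPLE_INVENTORY = {
    "Adobe Flash": "16.0.0.235",
    "Adobe Reader": "11.0.9",
    "Firefox": "35.0",
    "Google Chrome": "39.0.2171.95",
    "Java SE": "1.8.0_25",
    "Notepad++": "6.7.4",
}

if __name__ == "__main__":
    for name, status in sorted(check_inventory(SAMPLE_INVENTORY).items()):
        print(f"{name:20} {SAMPLE_INVENTORY[name]:16} {status}")
```

Products the report does not cover come back as “not in report” rather than silently passing, which matters because the report itself says it is not a thorough listing; anything in that bucket still needs its own update source.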
Copyright © 2015 Citadel Information Group. All rights reserved.

Get in touch
323 428 0441
info@citadel-information.com
Citadel Information Group


About Us

Citadel Information Group is a full-service integrated cyber security management firm. We work either consultatively or as part of a client’s senior management team, helping our clients cost-effectively manage the confidentiality, privacy, integrity and availability of their information.
The post Weekend Vulnerability and Patch Report, January 18, 2015 appeared first on Citadel Information Group.