Monday, January 26, 2015

Cyber Security News, Education and Vulnerability Patch Report for the Week of January 26, 2015

Identity Theft

How Was Your Credit Card Stolen?: Almost once a week, I receive an email from a reader who has suffered credit card fraud and is seeking help figuring out which hacked merchant was responsible. I generally reply that this is a fruitless pursuit, and instead encourage readers to keep a close eye on their card statements and report any fraud. But it occurred to me recently that I’ve never published a primer on the types of card fraud and the likelihood with each of the cardholder ever learning how their account was compromised. This post is an effort to remedy that. KrebsOnSecurity, January 19, 2015

Cyber Warning

Password Re-use Fuels Starwood Fraud Spike: Two different readers have written in this past week to complain about having their Starwood Preferred Guest loyalty accounts hijacked by scammers. The spike in fraud appears to be tied to a combination of password re-use and the release of a tool that automates the checking of account credentials at the Web site for the popular travel rewards program. KrebsOnSecurity, January 22, 2015
How to avoid the Android Jellybean Webview vulnerability: Android 4.3 and earlier suffers from a vulnerability Google doesn’t plan on patching itself. Jack Wallen tells you what you can do to avoid possible exploits on your aging Android device. TechRepublic, January 19, 2015

Cyber Security Management

OAIC updates information security guide: The Office of the Australian Information Commissioner (OAIC) has released an updated information security guide with tips on stopping rogue employees and advice on using cloud storage offerings. ComputerWorld, January 20, 2015

Cyber Security Management – Cyber Update

Flash Patch Targets Zero-Day Exploit: Adobe today released an important security update for its Flash Player software that fixes a vulnerability which is already being exploited in active attacks. Compounding the threat, the company said it is investigating reports that crooks may have developed a separate exploit that gets around the protections in this latest update. KrebsOnSecurity, January 22, 2015
Java Patch Plugs 19 Security Holes: Oracle this week released its quarterly patch update for Java, a widely-installed program that for most casual users has probably introduced more vulnerability than utility. If you have Java installed and require it for some application or Web site, it’s time to update it. If you’re not sure you have Java on your computer or are unsure why you still have it, read on for advice that could save you some security headaches down the road. KrebsOnSecurity, January 21, 2015

Securing the Village

Seventh Annual ISSA-LA Information Security Summit Special Early Bird Registration Starts January 15: Starting January 15 the Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) is offering a special early bird price to its Seventh Annual Information Security Summit on June 4, 2015, at the Los Angeles Convention Center. This special offer will be available through February 15, 2015. The Summit’s theme is The Growing Cyber Threat: Protect Your Business, reflecting the growing need organizations have for information systems security solutions in the battle against cybercrime. Virtual-Strategy, January 16, 2015

National Cyber Security

The Flaws in Obama’s Cybersecurity Initiative: President Obama’s new raft of proposals aim to address the growing concern that America is not taking tough-enough action against the increasing cybersecurity problem of nation-states and criminals (usually criminal gangs) attacking U.S. consumers and organizations. The evildoers’ motivation for doing so is most often money, but intellectual property is also being filched, and the internet is also being used for anything from identity theft to illicit political objectives. HBR, January 20, 2015
Report: NSA not only creates, but also hijacks, malware: In addition to having its own arsenal of digital weapons, the U.S. National Security Agency reportedly hijacks and repurposes third-party malware. PCWorld, January 19, 2015
OBAMA’S CYBER PROPOSALS SOUND GOOD, BUT ERODE INFORMATION SECURITY: The State of the Union address President Obama delivers tonight will include a slate of cyber proposals crafted to sound like timely government protections in an era beset by villainous hackers. The Intercept, January 19, 2015
N.S.A. Breached North Korean Networks Before Sony Attack, Officials Say: WASHINGTON — The trail that led American officials to blame North Korea for the destructive cyberattack on Sony Pictures Entertainment in November winds back to 2010, when the National Security Agency scrambled to break into the computer systems of a country considered one of the most impenetrable targets on earth. The New York Times, January 18, 2015
Securing Our Cyberspace: President Obama’s New Steps to Strengthen America’s Cybersecurity: We live in a digitally connected world. Almost all business transactions, public utilities, or security measures rely on networks that are connected to the Internet. That is why cyber threats pose an enormous challenge to our country. Whether it’s rogue hackers, organized criminals, or state actors, our public and private networks are facing an unprecedented level of cybersecurity threats. The White House, January 20, 2015

Cyber Survey

Rule of law on internet cracks down on cybercrime: Cisco: The Cisco 2015 annual security report has revealed that as attackers have become more proficient in taking advantage of security gaps and concealing malicious activity, governments worldwide are getting better at enforcing the rule of law on the internet. ZDNet, January 20, 2015

Cyber Misc

Marriott removes ban on personal Wi-Fi networks in hotels: The “Windows Phone” OS will be no more, as the version of Windows 10 tailored for smaller devices will be called simply Windows 10. Will that help improve Microsoft’s lot in the smartphone market? CNet, January 22, 2015

Weekend Vulnerability and Patch Report

Important Security Updates

Adobe Flash Player: Adobe has released version to fix a highly critical vulnerability reported in previous versions. Updates are available from Adobe’s website. [See Newly Announced Unpatched Vulnerabilities]
Google Chrome: Google has released Google Chrome version 40.0.2214.91 to fix at least 26 vulnerabilities, some of which are highly critical, reported in previous versions. Updates are available from within the browser or from Google Chrome’s website.
Oracle Java: Oracle has released Java SE 8 Update 31 to fix at least 19 vulnerabilities, some of which are highly critical. The update is available through the Windows Control Panel or Java’s website. [See Citadel’s recommendation below]
Siber Systems RoboForm: Siber Systems has released version of Roboform. Updates are available from within the program, look for the “Check New Version” button on the Options menu or download from the Roboform website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.10
Dropbox 3.0.5 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 35.0
Google Chrome 40.0.2214.91
Internet Explorer 11.0.9600.17501
Java SE 8 Update 31 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
Safari 5.1.7 
Safari 7.1.1 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

Adobe Flash: Secunia reports an extremely critical unpatched vulnerability in the most recent version of Adobe Flash Player, the version referenced above. No official solution is currently available; Adobe plans to release an update on January 26, 2015.
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports Cisco has released updates for its Adaptive Security Appliance (ASA), TelePresence VCS and Cisco Expressway Series, IronPort AsyncOS, WebEx Meetings Server, MDS 9000 Series and others. Apply updates. Secunia reports unpatched vulnerabilities in Cisco’s Unified Communications Domain Manager (CUCDM) and ACNS (Application and Content Networking System). No official solution is available.
HP Systems Insight Manager: Secunia reports HP has released updates for its Systems Insight Manager. Apply hot fix.
McAfee Multiple Products: Secunia reports McAfee has released updates for its Data Loss Prevention Endpoint, Email Gateway and others. Apply updates.
Oracle Multiple Products: US-CERT reports Oracle has released updates to fix hundreds of vulnerabilities in its Database Server, Fusion Middleware, Enterprise Manager Grid Control, E-Business Suite, Supply Chain Products Suite, PeopleSoft Products, JD Edwards Products, Siebel CRM, iLearning, Communications Applications, Retail Applications, Health Sciences Applications, Sun Systems Products Suite, Linux and Virtualization, and MySQL, among others.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2015 Citadel Information Group. All rights reserved.