Monday, February 02, 2015

Cyber Security News, Education and Vulnerability Patch Report for the Week of February 2, 2015





Cyber Crime

FBI: Businesses Lost $215M to Email Scams: It’s time once again to update my Value of a Hacked Email Account graphic: According to a recent alert from the FBI, cyber thieves stole nearly $215 million from businesses in the last 14 months using a scam that starts when business executives or employees have their email accounts hijacked. KrebsOnSecurity, January 15, 2015

Cyber Attack

The Internet of Dangerous Things: Distributed denial-of-service (DDoS) attacks designed to silence end users and sideline Web sites grew with alarming frequency and size last year, according to new data released this week. Those findings dovetail quite closely with the attack patterns seen against this Web site over the past year. KrebsOnSecurity, January 29, 2015

Cyber Privacy

Is Your Data Safe at If you’re concerned about online privacy, you’ve likely read a lot about what happens to the information you enter into sites like Facebook or Google. But now another website is generating privacy worries: The New York Times, January 23, 2015
Brit Proves Google’s Eric Schmidt Totally Wrong: Super Cookies Can Track Users Even When In Incognito Mode: It was either ignorance or disingenuousness. Or it could have just been a stupid mistake. In mid-December, Google chairman Eric Schmidt gave some unsound advice during an interview at the Cato Institute in Washington D.C., upon being quizzed about the potential for his employer to pass on information to intelligence agencies. “If you’re concerned, for whatever reason, you do not wish to be tracked by federal and state authorities, my strong recommendation is to use [Google Chrome’s] incognito mode, and that’s what people do,” he said. Many a facepalm was landed soon after his comments were transmitted to the wider world over Twitter. Forbes, January 5, 2015

Financial Cyber Security

Choice Escrow Fraud Case Settled: The long legal battle between Choice Escrow and Land Title LLC and Mississippi-based BancorpSouth over a $440,000 account takeover case dating back to 2010 is finally over. BankInfoSecurity, September 10, 2014
Account Takeover: Utility Sues Bank: A Tennessee utility has sued its bank after a $327,000 account takeover incident. This new case shows why institutions must go above and beyond when it comes to detecting and thwarting fraud losses. BankInfoSecurity, August 14, 2014
Fed Issues New Study of Payments Fraud: Congress, banking regulators and the payments industry have spent the past six months debating the strengths and weaknesses within the payments infrastructure (see Retail Breaches: Congress Wants Answers). BankInfoSecurity, August 11, 2014

Identity Theft

Medical identity theft: Why you should worry: A woman we’ll call “Jane” found herself listed as the mother of a baby whose drug-addicted birth mother abandoned the child at the hospital and stole Jane’s health insurance information. The ensuing nightmare scenario — in which Jane was threatened with the removal of her real children from her home and faced financial and legal hardships — is an extreme example of the danger of medical identity theft. Bankrate, January 30, 2015

Cyber Warning

Beware: Porn-Based Malware Is Sweeping Across Facebook: Don’t click any porn links on Facebook. Just don’t. It’s a good rule of thumb, but there’s an extra good reason right now. There’s a troubling type of porn-based malware that’s apparently infected over 110,000 Facebook users in two days. And you could get the same Click Transmitted Disease. Gizmodo, January 30, 2015
Cracking Dildos And Dollies: Hackers Expose Vulnerabilities In Connected Toys: For whatever reason, someone thought it wise to manufacture sex toys that connect to the internet. To Ken Munro, who heads up security firm Pen Test Partners, this has provided an opportunity to flex his own penetration prowess. Of the digital, not the physical, kind. Forbes, January 30, 2015
Scary ‘Ghost’ vulnerability leaves Linux systems vulnerable to possession: A fault in a widely used component of most Linux distributions could allow an attacker to take remote control of a system after merely sending a malicious email. PCWorld, January 28, 2015
Malware makers try to cash in with fake YouTube views: Programmers of malware software have found a new way of making their exploits pay: A newly-discovered scam downloads malware to unsuspecting users’ computers and then makes those machines watch YouTube videos to cash in on the video service’s partner program. The malware, dubbed Trojan.Tubrosa, was able to generate more than two million views for videos uploaded by the malware makers, according to security researchers at Symantec. GigaOm, January 26, 2015
Google leaves most Android users exposed to hackers: An executive confirms Google has no plans to fix a security hole in the default browser for older versions of Android, which around 60 percent of all Android users rely on. CNet, January 24, 2015
‘Masquerading’: New Wire Fraud Scheme: A new impersonation scheme is taking aim at business executives to perpetuate ACH and wire fraud, says Bank of the West’s David Pollino, who explains steps institutions should take now to protect their customers. BankInfoSecurity, July 28, 2014

Cyber Security Management

How The Skills Shortage Is Killing Defense in Depth: It used to be easy to sell specialized security gizmos but these days when a point product gets pitched to a CSO, the response is likely “looks nifty, but I don’t have the staff to deploy it.” DarkReading, January 30, 2015
CLBR #168: Stan Stahl Returns to Discuss the State of Cyber Security from Sony to DC to Sacto: Stan Stahl returns for the 7th Time to give us an update of the state of cyber security today from Sony to Washington and even Sacramento where he is part of the Cyber Security Task Force. CyberLawRadio, January 28, 2015

Cyber Security Management – Cyber Defense

Google Paid Over $1.5 Million In Bug Bounties In 2014: Google last year doled out more than $1.5 million to security researchers who rooted out vulnerabilities in its open-source software and web services. DarkReading, January 30, 2015

Cyber Security Management – Cyber Update

Yet Another Emergency Flash Player Patch: For the second time in a week, Adobe has issued an emergency update to fix a critical security flaw that crooks are actively exploiting in its Flash Player software. Updates are available for Flash Player on Windows and Mac OS X. KrebsOnSecurity, January 27, 2015

Securing the Village

Pointing the Finger: President Obama mentioned cybersecurity only briefly during last week’s State of the Union. The four vague sentences tucked in between discussions of Iran and Ebola touched on a variety of different issues and didn’t offer many clues as to how the president plans to ensure that no one can “shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids.” But in the buildup to the address, the White House made much of its new cybersecurity initiatives. Those proposals offer a glimpse into the administration’s perspective on one of the more divisive areas of computer security policy: defender liability. Slate, January 26, 2015
California must lead on cybersecurity: No state has more at stake on cybersecurity than California. From Hollywood’s intellectual property to the Central Valley’s water reserves to Silicon Valley’s cloud services, the Golden State is at singular risk. But, as the world’s innovation capital, California also has a unique opportunity to advance cybersecurity. Sacramento Bee, January 25, 2015
Cybersecurity Non-Profits Should Be America’s Secret Weapon in Obama’s Cyberwar Plan: It is inevitable that the United States government will fund a cyberwarfare capability, as discussed in President Obama’s State of the Union Address. Other nations have already begun preparing for cyberwarfare, and the United States is no exception. With the number of cyberattacks growing and their impact widening in the last three years, President Obama is wisely looking for ways to fortify cybersecurity in the United States. Forbes, January 25, 2015

Cyber Underworld

Spreading the Disease and Selling the Cure: When Karim Rattani isn’t manning the till at the local Subway franchise in his adopted hometown of Cartersville, Ga., he’s usually tinkering with code. The 21-year-old Pakistani native is the lead programmer for two very different yet complementary online services: One lets people launch powerful attacks that can knock Web sites, businesses and other targets offline for hours at a time; the other is a Web hosting service designed to help companies weather such assaults. KrebsOnSecurity, January 26, 2015

National Cyber Security

Steptoe Cyberlaw Podcast, Episode #51: A Debate with Thomas Rid and Jeffrey Carr: Episode 51 of the podcast features a debate on attributing cyberattacks. Our two guests, Thomas Rid and Jeffrey Carr, disagree sharply about how and how well recent cyberattacks can be attributed. Thomas Rid is a Professor of Security Studies at King’s College London and the author of Cyber War Will Not Take Place as well as a recent paper on how attribution should be done. Jeffrey Carr, the founder and CEO of Taia Global, remains profoundly skeptical about the accuracy of most attribution efforts in recent years. Lawfare, January 28, 2015
The Next Step in the Cybersecurity Plan: Speaking at the National Cybersecurity and Communications Integration Center in Arlington, Virginia, Obama said since much of the nation’s critical infrastructure – financial systems, power grids, pipelines, health care systems – runs on networks connected to the Internet, cybersecurity is a matter of public safety and of public health. US Defense Department, January 28, 2015
Source code reveals link between NSA and Regin cyberespionage malware: Keylogging malware that may have been used by the NSA shares significant portions of code with a component of Regin, a sophisticated platform that has been used to spy on businesses, government institutions and private individuals for years. PCWorld, January 27, 2015

Weekend Vulnerability and Patch Report

Important Security Updates

Adobe Flash Player: Adobe has released version to fix an extremely critical vulnerability reported in previous versions. Updates are available from Adobe’s website.
Apple iOS: Apple has released version 8.1.3 of its iOS to fix at least 23 highly critical vulnerabilities reported in previous versions. The update is available through the devices or through Apple’s website.
Apple iTunes: Apple has released version 12.1.0 (32-bit) of iTunes. Updates are available from Apple’s website.
Apple OS X: Apple has released updates for OS X to fix at least 45 highly critical vulnerabilities. Apply Security Update 2015-001 or update to version 10.10.2. Updates are available from Apple’s website.
Apple Safari: Apple has released updates for Safari to fix at least 4 highly critical vulnerabilities reported in previous versions. Update to version 6.2.3, 7.1.3, or 8.0.3. Updates are available from Apple’s website.
Apple TV: Apple has released version 7.0.3 for Apple TV to fix at least 20 highly critical vulnerabilities. Updates are available through the device or Apple’s website.
Google Chrome: Google has released Google Chrome version 40.0.2214.93. Updates are available from within the browser or from Google Chrome’s website.
Mozilla Firefox: Mozilla has released version 35.0.1. Updates are available within the browser or from Mozilla’s website.
Opera: Opera has released version 27 to fix multiple moderately critical unpatched vulnerabilities reported in previous versions. Updates are available from within the browser or from Opera’s website.
Piriform CCleaner: Piriform has released version 5.02.5101 for CCleaner. Updates are available from Piriform’s website.
Skype: Skype has released Skype Updates are available from the program or Skype’s website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.10
Dropbox 3.0.5 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 35.0.1
Google Chrome 40.0.2214.93
Internet Explorer 11.0.9600.17501
Java SE 8 Update 31 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
Safari 5.1.7 
Safari 7.1.3 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports Cisco has released updates for its Identity Services Engine (ISE), Unified Computing System (UCS), and others. Apply updates. Secunia reports unpatched vulnerabilities in Cisco’s Unified Communications Domain Manager (CUCDM) and ACNS (Application and Content Networking System). No official solution is available.
VMware Multiple Products: Secunia reports McAfee has released updates for its vCenter Server, Fusion, ESXi, Workstation and Player, vSphere Data Protection, and others. Apply updates.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2015 Citadel Information Group. All rights reserved.