Sunday, February 15, 2015

Cyber Security News, Education and Vulnerability Patch Report for the Week of February 16, 2015

Cyber Crime

Bank Hackers Steal Millions via Malware: In late 2013, an A.T.M. in Kiev started dispensing cash at seemingly random times of day. No one had put in a card or touched a button. Cameras showed that the piles of money had been swept up by customers who appeared lucky to be there at the right moment. New York Times, February 14, 2015
Defense Contract Management Agency Probes Hack: The Defense Contract Management Agency, the U.S. federal government entity responsible for performing contract administration services for the Department of Defense, is responding to a suspected cybersecurity breach and has pulled a number of its servers offline while the investigation continues, KrebsOnSecurity has learned. KrebsOnSecurity, February 10, 2015
Anthem Breach May Have Started in April 2014: Analysis of open source information on the cybercriminal infrastructure likely used to siphon 80 million Social Security numbers and other sensitive data from health insurance giant Anthem suggests the attackers may have first gained a foothold in April 2014, nine months before the company says it discovered the intrusion. KrebsOnSecurity, February 9, 2015

Cyber Attack

Operation Isis: Anonymous takes down Twitter and Facebook accounts associated with extremist group: Anonymous has vowed fresh attacks against social media accounts affiliated with Isis, warning its supporters: “We will hunt you down and expose you.” The Independent, February 10, 2015

Cyber Privacy

Report Sees Weak Security in Cars’ Wireless Systems: WASHINGTON — Serious gaps in security and customer privacy affect nearly every vehicle that uses wireless technology, according to a report set to be released on Monday by a senator’s office. The Washington Post, February 8, 2015
Uncovering Security Flaws in Digital Education Products for Schoolchildren: When Tony Porterfield’s two sons came home from elementary school with an assignment to use a reading assessment site called, he was curious, as a parent, to see how it worked. As a software engineer, he was also curious about the site’s data security practices. The New York Times, February 8, 2015
Ads can spoil your Valentine’s Day gift surprise: Featuring David Lam – (NBC) People will be spending more this year on Valentine’s Day and many will be buying gifts online, according to the National Retail Federation. WPTV, February 6, 2015
Banning Secure Apps Won’t Increase Information Security: Criminals aren’t the only ones who want to keep their information secure online. Lawmakers should consider that as they also consider banning encrypted communications apps. The Federalist, February 5, 2015
SECURE MESSAGING SCORECARD: In the face of widespread Internet surveillance, we need a secure and practical means of talking to each other from our phones and computers. Many companies offer “secure messaging” products—but are these systems actually secure? We decided to find out, in the first phase of a new EFF Campaign for Secure & Usable Crypto. Electronic Frontier Foundation, 2015

Identity Theft

Year of the hack? A billion records compromised in 2014: Over a billion personal data records were compromised by cyberattacks in 2014, a new report has revealed, driven by high-profile breaches on Home Depot, JPMorgan and eBay. CNBC, February 12, 2015
Anthem says hackers got customer data back to 2004: Insurance giant Anthem Inc. said Thursday that hackers had access to customer data going back to 2004 as investigations continue into the massive breach. SFGate, February 12, 2015

Cyber Warning

Pwned in 7 seconds: Hackers use Flash and IE to target Forbes visitors: Talk about determination. Hackers strung together zero-day vulnerabilities in Flash and Internet Explorer and then compromised so that the attacks would compromise financial services and defense contractor employees visiting the site, researchers said. ars technica, February 11, 2015
Phishers Pounce on Anthem Breach: Phishers and phone fraudsters are capitalizing on public concern over a massive data breach announced this week at health insurance provider Anthem in a bid to steal financial and personal data from consumers. KrebsOnSecurity, February 7, 2015

Cyber Security Management – Cyber Defense

Security survey shows Exchange as a sitting duck for attacks: Securing your Exchange setup is vital to keep your business up and running. However, recent security reviews show there’s room for improvement. SearchExchange, February 13, 2015
Hackers Don’t Need Sophisticated Attacks If You Leave Your Door Unlocked: Major security breaches have been a mainstay in the headlines over the last year and security is a topic making its way more and more to the worry list of top executives. However, with the flood of “Sorry, we’ve been compromised” announcements some interesting patterns have emerged. One of the staple phrases you can expect to read in the mea culpa ramblings of the afflicted is “this was a sophisticated attack” or “an APT, or Advanced Persistent Threat compromised us” (there are multiple things wrong with this statement, but I’ll come back to that another time). Indeed, a couple of the monster data breaches this week conform to this profile. In many cases this boilerplate language is an attempt to pass the blame but it certainly sounds better than “we got hacked, we had a file called passwords.txt. Oops”. Forbes, February 5, 2015

Securing the Village

Obama signs new executive order promoting cyberthreat information sharing: President Obama signed new executive actions Friday that usher in a new phase of private industry collaboration with government entities when it comes to cybersecurity responses. CBS News, February 13, 2015

National Cyber Security

New agency to sniff out threats in cyberspace: The Obama administration is establishing a new agency to combat the deepening threat from cyberattacks, and its mission will be to fuse intelligence from around the government when a crisis occurs. The Washington Post, February 10, 2015

Cyber Insurance

Report: Anthem may have up to $200M in cyber insurance: In the wake of its massive data breach, Anthem may have a substantial safety net in the form of cyber coverage from insurers. According to a recent report in Business Insurance, Anthem has $150 million to $200 million in cyber insurance, including excess layers of cyber coverage, insurance market sources told the publication. SC Magazine, February 10, 2015

Cyber Misc

Fuel Station Skimmers: Primed at the Pump: I recall the first time I encountered an armed security guard at a local store. I remember feeling a bit concerned about the safety of the place because I made a snap (and correct) assumption that it must have been robbed recently. I get a similar feeling each time I fuel up my car at a filling station and notice the pump and credit card reader festooned with security tape that conjures up images of police tape around a crime scene. KrebsOnSecurity, February 15, 2015

Cyber Sunshine

Private Eye Is Said to Face Prosecution in a Hacking: Private investigators may be the newest front for federal prosecutors in cracking down on the hacker-for-hire business. The New York Times, February 12, 2015

Weekend Vulnerability and Patch Report

Important Security Updates

Adobe Shockwave Player: Adobe has released version of Shockwave Player running on Windows and Macintosh. Updates are available through the program or from Adobe’s Shockwave Web Site.
Avira Free Antivirus: Avira has released version of its free Antivirus. Updates are available from Avira’s website.
Dropbox: Dropbox has released version 3.2.6 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]
Microsoft Patch Tuesday: Microsoft’s Patch Tuesday released 9 updates to address at least 55 vulnerabilities, some of which are highly critical within Windows operating systems, Windows Group Policy, Internet Explorer, Office, Word, Windows Flash Player, and other Microsoft products.
Opera: Opera has released version 27.0.1689.69 to fix multiple moderately critical unpatched vulnerabilities reported in previous versions. Updates are available from within the browser or from Opera’s website.
Skype: Skype has released Skype Updates are available from the program or Skype’s website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.10
Dropbox 3.2.6 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 35.0.1
Google Chrome 40.0.2214.111
Internet Explorer 11.0.9600.17633
Java SE 8 Update 31 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
Safari 5.1.7 
Safari 7.1.3 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

Adobe Reader: Secunia reports a highly critical unpatched vulnerability reported in version 11.0.10 of Adobe Reader running on OS X. Other versions may also be affected. No official solution is currently available. The vendor is planning to release a fix within the week of the 10th February, 2015.
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports Cisco has released updates for its Adaptive Security Appliance (ASA), Email Security Appliance, Secure Access Control System (ACS), Cisco Prime Infrastructure, Prime Security Manager (PRSM), IOS, and others. Apply updates.
Novell ZENworks: Secunia reports Novell has released updates for its ZENworks to fix at least 8 moderately critical vulnerabilities. Apply Security Patch 01.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2015 Citadel Information Group. All rights reserved.