Sunday, February 22, 2015

Cyber Security News, Education and Vulnerability Patch Report for the Week of February 22, 2015






Cyber Crime

The Rise in State Tax Refund Fraud: Scam artists stole billions of dollars last year from the U.S. Treasury by filing phony federal tax refund requests on millions of Americans. But as Uncle Sam has made this type of fraud harder for thieves to profit from, the crooks have massively shifted their focus to conducting refund fraud at the state level. Or at least according to Intuit Inc., the makers of TurboTax: The company says it believes that shift is responsible for a whopping 3700 percent increase in fraudulent state tax refund filings this year in some states. KrebsOnSecurity, February 17, 2015
The Great Bank Heist, or Death by 1,000 Cuts?: I received a number of media requests and emails from readers over the weekend to comment on a front-page New York Times story about an organized gang of cybercriminals pulling off “one of the largest bank heists ever.” Turns out, I reported on this gang’s activities in December 2014, although my story ran minus many of the superlatives in the Times piece. KrebsOnSecurity, February 16, 2015

Cyber Privacy

The NSA Reportedly Stole Millions Of SIM Encryption Keys To Gather Private Data: The American National Security Agency (NSA), and the British Government Communications Headquarters (GCHQ), similar clandestine intelligence agencies, stole SIM card encryption keys from a manufacturer, allowing the groups to decrypt global cellular communications data. TechCrunch, February 19, 2015
Russian Researchers Uncover Sophisticated NSA Malware: Over the weekend Russian IT security vendor Kaspersky Lab released a report about a new family of malware dubbed “The Equation Family”. The software appears, from Kaspersky’s description, to be some of the most advanced malware ever seen. It is composed of several different pieces of software, which Kaspersky Lab reports work together and have been infecting computer users around the world for over a decade. It appears that specific techniques and exploits developed by the Equation Group were later used by the authors of Stuxnet, Flame, and Regin. The report alleges that the malware has significant commonalities with other programs that have been attributed to Western intelligence agencies; Reuters subsequently released an article about the report in which an anonymous former NSA employee claims that the malware was directly developed by the NSA. EFF, February 19, 2015

Cyber Warning

Until Superfish fix, Lenovo devices can’t be trusted for secure work: Millions of Lenovo owners are being warned to not use their desktops and laptops for “any kind of secure transaction,” amid concerns that the company installed adware on their machines. ZDNet, February 19, 2015
Cybercrime moving to the cloud in a big way: Report: About 16 million mobile devices have been infected by malicious software globally in 2014, according to the latest report by Alcatel-Lucent’s security arm Motive Security Labs. Such malware is used by “cybercriminals for corporate and personal espionage, information theft, denial of service attacks on business and governments, and banking and advertising scams,” the report said. FirstPost, February 16, 2015

Cyber Security Management

How corporate America can fight cybersecurity threats: Last week, President Obama, business leaders, consumer and privacy advocates, and law enforcement officials gathered for a summit at Stanford University to talk about cybersecurity. This conversation is long overdue. By any measure, cybersecurity is the biggest common threat organizations face. It is also the one where we see the largest gap between threat and preparedness. While companies are devoting significant resources to the problem, they must recognize that playing catch-up is inherent to tackling the problem. Fortune, February 17, 2015

Cyber Security Management – Cyber Update

Microsoft Updates Windows Defender to Fry Superfish: If you’re a Lenovo laptop owner, then you’ve probably heard about the Superfish adware the company added to its consumer PCs last fall. PC Magazine, February 20, 2015

Cyber Security Management – HIPAA

HIPAA and “Meaningful Use” Audits: Issues to Consider and How to Prepare: As more and more providers adopt electronic health records (“EHRs”) systems (and with new regulations concerning their required use for purposes of Medicare billing for chronic care management, their popularity can only continue to grow), a myriad of compliance issues continue to surround them. To that end, the federal government has stepped up auditing programs to ensure compliance with HIPAA/HITECH as well as making sure taxpayer money has been invested wisely through the Meaningful Use program. The bent of these audit programs is clearly along the lines that applicable covered entities and business associates should be preparing with a “when” mindset, rather than “if,” as these audits are going to happen. JDSupra, February 20, 2015

Securing the Village

Why Everyone’s to Blame for Identity Theft: The other day a reporter asked me who’s to blame for the growing epidemic of identity-related tax fraud. I almost replied, “the government and the bad guys,” but I caught myself before committing to that inaccuracy. “We’re all to blame,” I said. ABC News, February 15, 2015
2 North Hollywood High teams compete for national cyber security title: Defense will be the game next month when two teams from North Hollywood High School travel to Washington, D.C., to compete in a prestigious national championship. DailyNews, February 15, 2015

National Cyber Security

Hackers Said to Remain Active in U.S. State Department E-Mails: (Bloomberg) — U.S. and private security specialists are trying to expel unidentified hackers from the unclassified portion of the U.S. State Department’s e-mail system, two officials familiar with the investigation said Thursday. Bloomberg, February 19, 2015
U.S. Embedded Spyware Overseas, Report Claims: SAN FRANCISCO — The United States has found a way to permanently embed surveillance and sabotage tools in computers and networks it has targeted in Iran, Russia, Pakistan, China, Afghanistan and other countries closely watched by American intelligence agencies, according to a Russian cybersecurity firm. The New York Times, February 16, 2015
Obama Calls for Public Debate Over Encryption: SAN FRANCISCO — President Barack Obama said Friday that he probably leans more toward strong computer data encryption than many in law enforcement, but added that he understands investigators’ concerns over the matter because of their need to protect people from attacks. The New York Times, February 13, 2015

Cyber Misc

Cellphone Start-Ups Use Wi-Fi First to Handle Calls and Take On Rivals: SAN FRANCISCO — It would not be an insult to say Republic Wireless and FreedomPop are obscure little companies. But they dream big. The two companies are at the forefront of a tantalizing wireless communications concept that has proved hard to produce on a big scale: Reduce cellphone costs by relying on strategically placed Wi-Fi routers. And when there are no routers available, fall back on the traditional cellular network. The New York Times, February 16, 2015

Weekend Vulnerability and Patch Report, February 22, 2015

Important Security Updates

Apple iTunes: Apple has released version 12.1.1 (64-bit and 32-bit) of iTunes. Updates are available from Apple’s website.
Google Chrome: Google has released Google Chrome version 40.0.2214.115. Updates are available from within the browser or from Google Chrome’s website.
Google Picasa: Google has released version 3.9 Build 139.161. Updates are available at the Picasa website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.10
Dropbox 3.2.6 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 35.0.1
Google Chrome 40.0.2214.115
Internet Explorer 11.0.9600.17633
Java SE 8 Update 31 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc. — with Java enabled to browse only the sites that require it.]
Safari 5.1.7 
Safari 7.1.3 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports Cisco has released updates and partial fixes for its Adaptive Security Appliance (ASA), Aggregation Services Routers (ASR), TelePresence Management Suite, TelePresence MCU 4500 Series, Wireless LAN Controller and others. Apply updates. Secunia reports unpatched vulnerabilities in Cisco’s Web Security Appliance, Hosted Collaboration Solution (HCS), and others. No official solutions are available.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2015 Citadel Information Group. All rights reserved.