Sunday, March 15, 2015

Cyber Security News, Education and Vulnerability Patch Report for the Week of March 15, 2015

Cyber Crime

Verizon PCI DSS report a wake-up call, says PCI Security Standards Council: The latest Verizon report on compliance with the payment card industry data security standard (PCI DSS) should be a wake-up call for businesses, said the body that administers the standard. ComputerWeekly, March 13, 2015
Verizon: Breaches Under-Reported Globally: Although breaches of U.S. retailers are widely reported, a new study shows that increases in the theft of payment card data and other personal information span numerous industries in all international markets. BankInfoSecurity, March 12, 2015
Point-of-Sale Vendor NEXTEP Probes Breach: NEXTEP Systems, a Troy, Mich.-based vendor of point-of-sale solutions for restaurants, corporate cafeterias, casinos, airports and other food service venues, was recently notified by law enforcement that some of its customer locations have been compromised in a potentially wide-ranging credit card breach, KrebsOnSecurity has learned. KrebsOnSecurity, March 9, 2015

Cyber Privacy

Stop Spying on Wikipedia Users: SAN FRANCISCO — TODAY, we’re filing a lawsuit against the National Security Agency to protect the rights of the 500 million people who use Wikipedia every month. We’re doing so because a fundamental pillar of democracy is at stake: the free exchange of knowledge and ideas. The New York Times, March 10, 2015
Push Back at Government and Corporate Personal Privacy Incursions: [Excerpt from Bruce Schneier’s new book Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World.] If you need to be convinced that you’re living in a science-fiction world, look at your cell phone. This cute, sleek, incredibly powerful tool has become so central to our lives that we take it for granted. It seems perfectly normal to pull this device out of your pocket, no matter where you are on the planet, and use it to talk to someone else, no matter where they are on the planet. Scientific American, March 2, 2015. Hear Bruce Schneier Keynote at ISSA-LA 7th Annual Information Security Summit, June 4, Los Angeles Convention Center.

Cyber Warning

Fake IRS Agent Scam Targets Public, Even Feds, While Identity Theft Tax Fraud Is Rampant: Senate testimony shows just how serious fraudsters are at tax time, and just how easy it is for them to get your tax refund. The plan is frighteningly simple. Steal Social Security numbers, file tax returns showing false refund claims, and have the refunds electronically deposited. Alternatively, send the refund check to an address the fraudster can access. In many cases, the taxpayer whose Social Security number has been compromised will face difficulties when filing a real tax return. Forbes, March 13, 2015
Malware targets gamers, holds high scores hostage: A new type of malware is playing with gamers. The ransomware, described by a researcher at cybersecurity company Bromium, affects at least two dozen popular games, locking players out until they pay to open up their saved games, add-ons and scores. CBS, March 13, 2015
Hackers Breaking New Ground With Ransomware: The tools and tactics being used to go after victims reveal growing sophistication, and gamers need to look out, security researchers say. DarkReading, March 13, 2015
Spoofing the Boss Turns Thieves a Tidy Profit: Judy came within a whisker of losing $315,000 in cash belonging to her employer, a mid-sized manufacturing company in northeast Ohio. Judy’s boss had emailed her, asking her to wire the money to China to pay for some raw materials. The boss, who was traveling abroad at the time, had requested such transfers before — at even higher amounts to manufacturers in China and elsewhere — so the request didn’t seem unusual or suspicious. KrebsOnSecurity, March 10, 2015

Cyber Security Management

Hackers trigger panic, missteps when advisers fail to plan: (Reuters) – Financial advisory firms are so busy trying to prevent computer hacking that they sometimes neglect an equally vital issue: what to do when hackers succeed. Reuters, March 13, 2015
Business demand for information security set to grow in 2015: Businesses expect the pressure to secure their organisations to increase even further, according to the 2015 Security Pressures Report from security firm Trustwave. ComputerWeekly, March 11, 2015
What does the collaborative economy mean for information security?: Most employers allow their staff reasonable use of office products such as telephones, copy machines, coffee and the like. For the most part, employees won’t be using the copy machines to compete with Kinko’s or a company car to compete with black car limousine services. Well, at least not until now. CSO, March 9, 2015

Cyber Security Management – Cyber Defense

D’oh! Panda Security mistakes itself for malware, quarantines crucial files: Antivirus provider Panda Security was left scrambling for a solution on Wednesday after it mistakenly flagged itself as malware. PCWorld, March 13, 2015

Cyber Security Management – Cyber Update

IBM uncovers severe vulnerability in Dropbox SDK for Android: IBM’s X-Force Application Security Research Team revealed the existence of a severe vulnerability in the Dropbox SDK for Android. ZDNet, March 11, 2015
Apple patches FREAK vulnerability on Mountain Lion, Mavericks, Yosemite: Apple has published its second major security roll-up package of the year, Security Update 2015-002, which contains fixes for multiple versions of OS X stretching from Mountain Lion 10.8.5 to Yosemite 10.10.2. These updates mitigate threats from several different vulnerabilities, but the most notable is a fix that will inoculate Safari users against the so-called “FREAK” SSL/TLS exploit (CVE-2015-0204, although at publication time the Apple page shows CVE-2015-0167 as the CVE ID for FREAK). ars technica, March 10, 2015
Microsoft Fixes Stuxnet Bug, Again: Microsoft today shipped a bundle of security updates to address more than three dozen vulnerabilities in Windows and associated software. Included in the batch is a fix for a flaw first patched in 2010 — the very same vulnerability that led to the discovery of the infamous cyberweapon known as Stuxnet. Turns out, the patch that Microsoft shipped to fix that flaw in 2010 didn’t quite do the trick, leaving Windows users dangerously exposed all this time. KrebsOnSecurity, March 10, 2015

Securing the Village

CISA Cybersecurity Bill Advances Despite Privacy Concerns: For months, privacy advocates have been pointing to flaws in CISA, the new reincarnation of the cybersecurity bill known as CISPA that Congress has been kicking around since 2013. But today that zombie bill lurched one step closer to becoming law. Wired, March 12, 2015
New model of cybercrime factors in perishability of stolen data: A new model examining cybercrimes adds an important way of examining the perishable value of stolen data so policy makers can plan against future hacks like the recent Anthem data breach, according to a study in the Articles in Advance section of Service Science, a journal published by the Institute for Operations Research and the Management Sciences (INFORMS). March 10, 2015

National Cyber Security

State Department Finally Cleans Malware From Emails Four Months After Hack: The move is an effort to sweep out the last traces of malware left over from a hack last fall with suspected Russian ties. BuzzFeed, March 13, 2015
Report says strong authentication use lagging in federal agencies: An annual government report shows that nearly a third of 70,000 reported information security incidents reported by U.S. federal agencies were related to or could potentially have been prevented by the use of strong authentication. ZDNet, March 13, 2015
For 3 months Hillary Clinton’s email access was unencrypted, vulnerable to spies: Security firm Venafi has found that Clinton’s email server may have been open to foreign intelligence snoops when traveling abroad. Fortune, March 11, 2015
Security of Hillary Clinton’s private e-mail server comes under scrutiny: The private e-mail server used by Hillary Rodham Clinton all but certainly lacked the level of security employed by the government and could have been breached fairly easily by determined foreign intelligence services, national security and cyber experts said. The Washington Post, March 10, 2015
Cybersecurity And The Future Digital Economy: Director of National Intelligence James Clapper recently testified before Congress that his fundamental concern focuses on the “moderate, iterative and constant barrage of cyber attacks on U.S. infrastructure” that will “impose cumulative costs on U.S. economic competitiveness and national security.” Whether one agrees or not, Clapper’s comment led me to consider what an economy-threatening cyber attack really means. TechCrunch, March 10, 2015

Cyber Research

MIT launches a trio of new cybersecurity initiatives: To prepare for a future in which the watches on our wrists and the locks on our doors are all trading electronic information, MIT has launched a 200-person cybersecurity research initiative that will tackle tech security problems both big and small. The initiative has three parts, each approaching the problem from a different angle. BetaBoston, March 12, 2015

Cyber Misc

Politics intrude as cybersecurity firms hunt foreign spies: (Reuters) – The $71 billion cybersecurity industry is fragmenting along geopolitical lines as firms chase after government contracts, share information with spy agencies, and market themselves as protectors against attacks by other nations. Reuters, March 12, 2015

Weekend Vulnerability and Patch Report

Important Security Updates

Adobe Flash Player: Adobe has released version to fix at least 11 unpatched vulnerabilities, some of which are highly critical, reported in previous versions. Updates are available from Adobe’s website.
Apple iOS: Apple has released version 8.2 of its iOS to fix multiple moderately critical vulnerabilities reported in previous versions. The update is available through the devices or through Apple’s website.
Apple OS X: Apple has released updates for OS X to fix at least 5 moderately critical vulnerabilities. Apply Security Update 2015-002. Updates are available from Apple’s website.
Apple TV: Apple has released version 7.1 for Apple TV to fix a vulnerability. Updates are available through the device or Apple’s website.
AVG Free Edition: AVG has released version 2015.0.5856 of its 64 and 32 bit Free Edition. Updates are available on AVG’s website.
Avira Free Antivirus: Avira has released version of its free Antivirus. Updates are available from Avira’s website.
Foxit Reader: Foxit has released version of its Reader. Updates are available through the program or from Foxit’s website.
Google Chrome: Google has released Google Chrome version 41.0.2272.89 to fix at least 20 unpatched vulnerabilities, some of which are highly critical. Updates are available from within the browser or from Google Chrome’s website.
Microsoft Patch Tuesday: Microsoft’s Patch Tuesday released 14 updates to address at least 43 vulnerabilities, some of which are highly critical, within Windows operating systems, Internet Explorer, Exchange, Office, and other Microsoft products. Windows 7 users are already reporting problems with a specific patch.
Opera: Opera has released version 28 to fix multiple moderately critical unpatched vulnerabilities. Updates are available from within the browser or from Opera’s website.

Current Software Versions

Adobe Flash [Windows 7: IE, Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.10
Dropbox 3.2.9 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like AxCrypt before they are placed in the synced folder; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 36.0.1
Google Chrome 41.0.2272.89
Internet Explorer 11.0.9600.17633
Java SE 8 Update 40 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
Safari 5.1.7 
Safari 7.1.3 [Mac OS X]
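The Dropbox advice above (encrypt sensitive files yourself before they reach the synced folder, with a passphrase of at least 15 characters) can be followed without a dedicated product. The script below is an added example, not code from the Citadel report or from AxCrypt; it uses the openssl command-line tool that ships with OS X and most Linux systems. The passphrase is read from an environment variable named FILE_KEY (an assumption of this example, chosen so the secret does not appear in the process list), and the 200000-iteration PBKDF2 count is likewise this example's choice, not a figure from the page.

```shell
#!/bin/sh
# Added example (not from the Citadel report): encrypt a file locally before
# it is copied into a Dropbox folder, so the provider only ever stores
# ciphertext. The passphrase is taken from the FILE_KEY environment variable
# (assumption of this example) rather than a command-line argument, because
# arguments are visible to other users via `ps`.

# passphrase_ok <passphrase>: enforce the report's 15-character minimum.
passphrase_ok() {
    [ "${#1}" -ge 15 ]
}

# encrypt_file <plaintext> <ciphertext>
# AES-256-CBC with a fresh random salt; the key is derived from FILE_KEY
# with PBKDF2-SHA256 (200000 iterations, chosen here). openssl writes the
# salt into the output header, so the same passphrase decrypts it later.
encrypt_file() {
    passphrase_ok "$FILE_KEY" || { echo "FILE_KEY shorter than 15 characters" >&2; return 1; }
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 -md sha256 \
        -in "$1" -out "$2" -pass env:FILE_KEY
}

# decrypt_file <ciphertext> <plaintext>
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -md sha256 \
        -in "$1" -out "$2" -pass env:FILE_KEY
}

# encrypt_for_sync <plaintext> <ciphertext>
# Encrypt, then prove the result decrypts back to the original before
# reporting success, so the caller can safely delete the plaintext copy.
# Returns 1 (and removes the ciphertext) if the round trip does not match.
encrypt_for_sync() {
    check=$(mktemp) || return 1
    if encrypt_file "$1" "$2" && decrypt_file "$2" "$check" && cmp -s "$1" "$check"; then
        rm -f "$check"
        return 0
    fi
    rm -f "$check" "$2"
    return 1
}
```

Usage: `FILE_KEY='a long passphrase of fifteen or more characters' sh -c '. ./encfile.sh; encrypt_for_sync taxes.pdf ~/Dropbox/taxes.pdf.enc'` (script name assumed), then delete the plaintext once the function returns 0. One caveat a practitioner should know: `openssl enc` offers no authenticated mode, so AES-CBC output detects a wrong passphrase only by chance (bad padding) and does not detect deliberate tampering with the stored ciphertext; a tool that adds a MAC or uses an AEAD cipher, such as the AxCrypt product the report names, is preferable where integrity of the synced copy matters.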

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports Cisco has released updates and partial fixes for its 5500 Series Wireless Controllers, ACE Application Control Engine Appliance, ACE Application Control Engine Module, Adaptive Security Appliance (ASA), AnyRes Live, ASA 5500-X Series Adaptive Security Appliances, ATA 180 Series Analog Telephone Adaptors, ATA 190 Series Analog Telephone Adapters, Content Delivery Engine Series, Edge 300 Digital Media Player, Edge 340 Digital Media Player, Email Security Appliance, Enterprise Content Delivery System (ECDS), Expressway Series, Identity Services Engine (ISE), Intrusion Prevention System (IPS), IOS, IOS XE 3.6.x, IPS 4200 Series Sensor, MediaSense, MPEG-4 Encoders, NAC Appliance, NAC Guest Server, Nexus 3000 Series Switches, Nexus 9000 Series Switches, PowerVu Network Centre Management, Prime Collaboration, Prime Performance Manager for SPs, Secure Access Control System (ACS), Secure ACS Solution Engine, TelePresence Advanced Media Gateway Series, TelePresence Conductor, TelePresence EX Series, Telepresence Integrator C Series, TelePresence ISDN Gateway, TelePresence MCU 4500 Series, TelePresence MCU MSE 8510, TelePresence MX Series, TelePresence Profile Series, TelePresence Serial Gateway Series, TelePresence Server, TelePresence Supervisor MSE 8050, TelePresence SX Series, Unified Communications System, Unified IP Phones 6900 Series, Video Surveillance 3000 Series, 4000 Series, 6000 Series, 7000 Series IP Cameras, Video Surveillance PTZ IP Cameras, Videoscape Distribution Suite Service Broker (VDS-SB), Web Security Appliance, Sourcefire Defense Center, Agent Desktop, AnyConnect for Android, AnyConnect for iOS, AnyConnect Secure Mobility Client, Hosted Collaboration Solution (HCS), Intelligent Automation for Cloud, Jabber IM for Android, Jabber Software Development Kit, Jabber Video for TelePresence (Movi), Jabber Voice for Android, Mobile Wireless Transport Manager (MWTM), NAC Appliance (formerly Clean Access (CCA)), Network Registrar, Prime LAN Management Solution (LMS), Secure Access Control System (ACS), Security Manager (CSM), SocialMiner, Support Tools, TelePresence TC and TE, TelePresence Video Communication Server (VCS), UCS Central Software, Unified Communications Domain Manager (CUCDM), Unified Communications, Unified Communications Manager IM and Presence Service, Unified MeetingPlace, Video Surveillance Manager (VSM), WAAS (Wide Area Application Services), WebEx Meetings Server, Wireless LAN Controller (WLC), and others. Apply updates.
Citrix CloudPlatform: Secunia reports Citrix has released updates for its CloudPlatform. Update the system and router virtual machine templates.
Citrix XenServer: Secunia reports Citrix has released updates for its XenServer to fix vulnerabilities reported in versions 6.2 Service Pack 1 and prior. Apply hotfix.
RSA Certificate Manager: Secunia reports RSA has released an update for its Certificate Manager and Registration Manager. Update to version 6.9 Build 558.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS X, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2015 Citadel Information Group. All rights reserved.