Sunday, March 22, 2015

Cyber Security News, Education and Vulnerability Patch Report for the Week of March 23, 2015

Cyber Crime

Authorities Closing In on Hackers Who Stole Data From JPMorgan Chase: It has become a familiar pattern: The computer system of a big American company is breached, the personal information of tens of millions of customers is stolen and a public outcry ensues. Rarely are the thieves caught. The New York Times, March 16, 2015

Cyber Privacy

How Two Obscure Court Verdicts In Europe Could Impact Americans’ Privacy, Cybersecurity, and Taxes: Two recent court verdicts in Europe, barely covered by American media, could have serious – if not outright scary – consequences for Americans and American businesses. Forbes, March 15, 2015
A Police Gadget Tracks Phones? Shhh! It’s Secret: A powerful new surveillance tool being adopted by police departments across the country comes with an unusual requirement: To buy it, law enforcement officials must sign a nondisclosure agreement preventing them from saying almost anything about the technology. The New York Times, March 15, 2015

Financial Cyber Security

Pointing Fingers in Apple Pay Fraud: When Apple was planning its Apple Pay electronic payment system last summer for its iPhones, the nation’s banks raced to be included among the first credit card issuers associated with the new technology. The New York Times, March 17, 2015
Mobile Threat Monday: Android Malware Breaks Banking Security: If you use the Internet, you have probably had to prove your identity by jumping through an extra hoop. Perhaps it was entering the code from a special app, or copying the code from a text message. But if that information were intercepted, an attacker could gain access to your account. That’s exactly the scenario we look at this week. SecurityWatch, March 16, 2015

Identity Theft

Premera Blue Cross Breach Exposes Financial, Medical Records: Premera Blue Cross, a major provider of health care services, disclosed today that an intrusion into its network may have resulted in the breach of financial and medical records of 11 million customers. Although Premera isn’t saying so just yet, there are indicators that this intrusion is once again the work of state-sponsored espionage groups based in China. KrebsOnSecurity, March 17, 2015

Cyber Warning

Why Yahoo’s new on-demand password system is no two-factor authentication killer: In an effort to simplify authentication for its services, Yahoo has introduced a new mechanism that allows users to log in with temporary passwords that are sent to their mobile phones. PCWorld, March 16, 2015

Cyber Security Management

IT Professionals Think Information Security And Disaster Recovery Should Be Last To Get Budget Cuts: This year, we can expect presidential campaign promotion to slowly kick into gear. Early next year, advertising will pick up, and by summer there will be so much media hype that we will be colossally sick of it long before the actual November 8 election. Then, in 2017, all will be silent. Why? Because, for obvious reasons, spending on presidential campaigns runs on a four-year cycle. Information security and disaster recovery budgets run on cycles too, but IT professionals may be surprised at how budget cuts and other factors drive them. CIO, March 19, 2015

Cyber Security Management – Cyber Defense

OpenSSL Patch to Plug Severe Security Holes: The world is about to get another reminder about just how much of the Internet runs on technology maintained by a handful of coders working on a shoestring budget. OpenSSL — the software used by thousands of companies to encrypt online communications — is set to get a security makeover this week: The OpenSSL project said it plans to release new versions of its code to fix a number of security weaknesses, including some classified as “high” severity. KrebsOnSecurity, March 18, 2015
Google adds evil-code scanning to Play Store: Google is cleaning up its app store to limit the amount of malware and age-inappropriate content. The Register, March 17, 2015
OpenSSL team warns of major vulnerability: The team behind the popular OpenSSL cryptographic library has warned of an impending patch, due for release this Thursday, which fixes an as-yet unreleased serious security vulnerability. Bit Tech, March 17, 2015
Patch Tuesday: KB3002657 Causing Authentication Problems with Exchange, Other Apps: For the first couple of days after March’s Patch Tuesday, things were pretty quiet. For some this tends to indicate that Microsoft could have been moderately successful in delivering updates without problems for the first time in years. But the first couple of days have now become test and patch for companies with policies and procedures in place, and patch and pray for the others. WindowsITPro, March 16, 2015

Securing the Village

FICO: Industry Needs More Data to Stop Cybercrime: As lawmakers consider measures for fighting payment data breaches, they need to consult with the people who are already in the fraud-fighting loop — and make sure they get the data they need, according to FICO VP of product management Doug Clare in a post on the credit-scoring company’s blog. PYMNTS, March 18, 2015

National Cyber Security

Steptoe Cyberlaw Podcast, Episode #58: An Interview with Andy Ozment: In episode 58 of the Cyberlaw Podcast, our guest is Andy Ozment, who heads the DHS cybersecurity unit charged with helping improve cybersecurity in the private sector and the civilian agencies of the federal government. We ask how his agency’s responsibilities differ from NSA’s and FBI’s, quote scripture to question his pronunciation of ISAO, dig into the question whether sharing countermeasures is a prelude to cybervigilantism, and address the crucial question of how lawyers should organize cybersecurity information sharing organizations (hint: the fewer lawyers and the more clients the better). In the news roundup, we revisit the cybersecurity implications of net neutrality, and Stephanie Roy finds evidence that leads me to conclude that the FCC has stolen the FTC’s playbook (and, for all we know, deflated the FTC’s football). This ought to at least help AT&T in its fight with the FTC over throttling, but that’s no sure bet. Lawfare, March 18, 2015

Cyber Underground

Dark Web’s ‘Evolution Market’ Vanishes: The Evolution Market, an online black market that sells everything contraband — from marijuana, heroin and ecstasy to stolen identities and malicious hacking services — appears to have vanished in the last 24 hours with little warning. Much to the chagrin of countless merchants hawking their wares in the underground market, the curators of the project have reportedly absconded with the community’s bitcoins — a stash that some Evolution merchants reckon is worth more than USD $12 million. KrebsOnSecurity, March 18, 2015
‘AntiDetect’ Helps Thieves Hide Digital Fingerprints: As a greater number of banks in the United States shift to issuing more secure credit and debit cards with embedded chip technology, fraudsters are going to direct more of their attacks against online merchants. No surprise, then, that thieves increasingly are turning to an emerging set of software tools to help them evade fraud detection schemes employed by many e-commerce companies. KrebsOnSecurity, March 16, 2015

Cyber Law

Few Target victims to benefit from settlement: Few Target data breach victims will likely get anything, and even fewer will get the maximum $10,000 they’re eligible for as part of a $10 million settlement granted preliminary approval on Thursday. USA Today, March 20, 2015

Cyber Misc

QR Codes Engineered into Cybersecurity Protection: QR, or Quick Response, codes – those commonly black and white boxes that people scan with a smartphone to learn more about something – have been used to convey information about everything from cereals to cars and new homes. UCONN Today, February 26, 2015
Anonymous hackers list 9,200 ISIS Twitter accounts, enlist other hackers in cyberwar: The hacker group Anonymous released the biggest list of social media accounts affiliated with the Islamic State, in an unprecedented collaborative effort with two other hacking groups, GhostSec and Ctrlsec. Washington Times, March 17, 2015

Cyber Sunshine

Convicted Tax Fraudster & Fugitive Caught: Lance Ealy, an Ohio man who fled home confinement last year just prior to his conviction on charges of filing phony tax refund requests on more than 150 Americans, was apprehended in a pre-dawn raid by federal marshals in Atlanta on Wednesday. KrebsOnSecurity, March 19, 2015

Weekend Vulnerability and Patch Report

Important Security Updates

Apple OS X: Apple has released updates for OS X Yosemite v10.10.2 to fix at least 2 moderately critical vulnerabilities. Apply Security Update 2015-03. Updates are available from Apple’s website.
Apple Safari: Apple has released updates for Safari 8.0.4 for OS X Yosemite v10.10.2, Safari 7.1.4 for OS X Mavericks v10.9.5, Safari 6.2.4 for OS X Mountain Lion v10.8.5. Updates are available from Apple’s website.
Avira Free Antivirus: Avira has released a new version of its free Antivirus. Updates are available from Avira’s website.
Google Chrome: Google has released Google Chrome version 41.0.2272.101. Updates are available from within the browser or from Google Chrome’s website.
Malwarebytes Anti-Malware: Malwarebytes has released version 2.1.4 of its free Malwarebytes Anti-Malware. Updates are available from Malwarebytes’ website.
Mozilla Firefox: Mozilla has released version 36.0.4 to fix 2 highly critical vulnerabilities. Updates are available within the browser or from Mozilla’s website.
TechSmith Corporation SnagIt: TechSmith has released a new version of SnagIt. Updates are available from TechSmith’s website.

Current Software Versions

Adobe Flash [Windows 7: IE, Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.10
Dropbox 3.2.9 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 36.0.4
Google Chrome 41.0.2272.101
Internet Explorer 11.0.9600.17633
Java SE 8 Update 40 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
Safari 5.1.7 
Safari 7.1.4 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Moodle: Secunia reports that Moodle has released updates to address at least 4 vulnerabilities reported in versions 2.8 through 2.8.3, 2.7 through 2.7.5, and 2.6 through 2.6.8. Update to version 2.8.4, 2.7.6, or 2.6.9.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS X, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update (a patch) to fix the code running on their customers’ computers; the computer stays exposed until that update is actually installed.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
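The practical step behind this report is comparing what is installed against the versions listed under Current Software Versions. The script below is an added example and is not Citadel's code or part of the original report. The CURRENT_VERSIONS table is transcribed from this week's list; the INSTALLED table is constructed sample data standing in for what an inventory tool would collect from a SOHO machine. It also shows why versions must be compared component by component rather than as strings: a lexical comparison decides that Chrome build 41.0.999.0 is newer than 41.0.2272.101 because "9" sorts after "2".

```python
"""Check installed software versions against a weekly patch report list.

Added example, not part of the Citadel report. CURRENT_VERSIONS is
transcribed from the report's Current Software Versions list; INSTALLED
is constructed sample data, not a real inventory.
"""
import re
from typing import Dict, Tuple

# Transcribed from the report's Current Software Versions list.
CURRENT_VERSIONS: Dict[str, str] = {
    "Adobe Reader": "11.0.10",
    "Dropbox": "3.2.9",
    "Firefox": "36.0.4",
    "Google Chrome": "41.0.2272.101",
    "Internet Explorer": "11.0.9600.17633",
    "Java SE": "8 Update 40",
    "Safari": "7.1.4",
}

# Constructed sample inventory (what an asset tool might report).
INSTALLED: Dict[str, str] = {
    "Adobe Reader": "11.0.10",         # current
    "Dropbox": "3.2.9",                # current
    "Firefox": "36.0.1",               # behind the report
    "Google Chrome": "41.0.999.0",     # behind, but a string compare says otherwise
    "Internet Explorer": "11.0.9600.17633",
    "Java SE": "8 Update 31",          # behind the report
    "Safari": "7.1.4",                 # current
    "Some Other Tool": "1.0",          # not tracked by the report; skipped
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a vendor version string into a tuple of integers.

    "41.0.2272.101" -> (41, 0, 2272, 101); "8 Update 40" -> (8, 40).
    Trailing zeros are dropped so "36.0.0" and "36.0" compare equal.
    Both sides of a comparison must use the same vendor format.
    """
    parts = [int(tok) for tok in re.findall(r"\d+", version)]
    if not parts:
        raise ValueError(f"no numeric components in version {version!r}")
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_outdated(installed: str, current: str) -> bool:
    """True when the installed version is older than the report's version."""
    return parse_version(installed) < parse_version(current)


def is_outdated_naive(installed: str, current: str) -> bool:
    """The tempting shortcut: compare version strings lexically.

    Wrong whenever corresponding components have different digit counts,
    e.g. "41.0.999.0" sorts after "41.0.2272.101". Kept only to show the bug.
    """
    return installed < current


def find_outdated(installed: Dict[str, str],
                  current: Dict[str, str] = CURRENT_VERSIONS
                  ) -> Dict[str, Tuple[str, str]]:
    """Return {product: (installed, current)} for every tracked product
    whose installed version is older than the report's. Products the
    report does not list are skipped rather than flagged."""
    outdated: Dict[str, Tuple[str, str]] = {}
    for name, have in installed.items():
        want = current.get(name)
        if want is not None and is_outdated(have, want):
            outdated[name] = (have, want)
    return outdated


if __name__ == "__main__":
    for name, (have, want) in sorted(find_outdated(INSTALLED).items()):
        print(f"UPDATE NEEDED: {name}: installed {have}, report lists {want}")
```

Feed `find_outdated` the output of whatever inventory you already have (for example, the version strings each browser reports in its About dialog) and treat every product it returns as an open item until the update is confirmed installed.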
Copyright © 2015 Citadel Information Group. All rights reserved.