Sunday, March 08, 2015

Cyber Security News, Education and Vulnerability Patch Report for the Week of March 8, 2015

Cyber Crime

Credit Card Breach at Mandarin Oriental: In response to questions from KrebsOnSecurity, upscale hotel chain Mandarin Oriental Hotel Group today confirmed that its hotels have been affected by a credit card breach. KrebsOnSecurity, March 4, 2015
Hospital Sues Bank of America Over Million-Dollar Cyberheist: A public hospital in Washington state is suing Bank of America to recoup some of the losses from a $1.03 million cyberheist that the healthcare organization suffered in 2013. KrebsOnSecurity, March 3, 2015
Natural Grocers Investigating Card Breach: Sources in the financial industry tell KrebsOnSecurity they have traced a pattern of fraud on customer credit and debit cards suggesting that hackers have tapped into cash registers at Natural Grocers locations across the country. The grocery chain says it is investigating “a potential data security incident involving an unauthorized intrusion targeting limited customer payment card data.” KrebsOnSecurity, March 2, 2015

Financial Cyber Security

Apple Pay Sign-Ups Get Tougher as Banks Respond to Fraud: The Apple Pay service makes it easy for consumers to pay for purchases with an Apple iPhone 6. But some banks are now making it tougher for customers to set up an Apple Pay account. Wall Street Journal, March 6, 2015

Identity Theft

Intuit Failed at ‘Know Your Customer’ Basics: Intuit, the makers of TurboTax, recently introduced several changes to beef up the security of customer accounts following a spike in tax refund fraud at the state and federal level. Unfortunately, those changes don’t go far enough. Here’s a look at some of the missteps that precipitated this mess, and what the company can do differently going forward. KrebsOnSecurity, March 5, 2015

Cyber Warning

Microsoft Windows vulnerable to ‘FREAK’ encryption flaw too: Previously thought limited to Apple and Google browsers, the flaw leaves communications between affected users and websites open to interception. CNet, March 5, 2015
Apple and Google ‘FREAK attack’ leaves millions of users vulnerable to hackers: Technology giants hurrying to fix a longstanding security flaw caused by US companies being forced to sell weakened encryption software to overseas customers. TheGuardian, March 4, 2015
How a Blu-ray disc could install malware on your computer: A pair of vulnerabilities found in hardware and software for playing Blu-ray discs might come in handy for secret snooping by the U.S. National Security Agency. PCWorld, March 1, 2015

Cyber Security Management

Cyber crime: What every business needs to know: Ask anyone involved in fighting cyber crime on a daily basis about what businesses should know, and the first thing they will say is that no organisation is immune. ComputerWeekly, March 4, 2015

Cyber Security Management – Cyber Defense

Google reverses its promise to enable encryption by default in Android Lollipop: Phones and tablets running Android “Lollipop” will not have device encryption switched on by default, despite an earlier promise by the software maker. ZDNet, March 2, 2015
Tracking the FREAK Attack: On Tuesday, March 3, 2015, researchers announced a new SSL/TLS vulnerability called the FREAK attack. It allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data. This site is dedicated to tracking the impact of the attack and helping users test whether they’re vulnerable.
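The FREAK entries above (the CNet and Guardian items under Cyber Warning and the tracking site here) all describe the same mechanism: a man-in-the-middle rewrites the ClientHello so the server picks an RSA_EXPORT cipher suite, and a buggy client accepts the resulting 512-bit export key, which is cheap to factor. The first question for anyone running a server is therefore whether it will still negotiate an export suite at all. The script below is an added example, not the tracking site's own tester or any vendor code: it builds a TLS 1.0 ClientHello that offers only the three RSA_EXPORT suites, then classifies the server's first reply (a ServerHello choosing one of them means the server is exploitable; a handshake_failure alert means it refused). The `probe()` helper does a live connection and is an assumption about how you would use it; the sample responses are constructed inline, not captured traffic, so the classification logic runs offline.

```python
import os
import socket
import struct

# IANA code points for the RSA_EXPORT cipher suites FREAK downgrades to.
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE_FAILURE = 40  # TLS AlertDescription.handshake_failure


def build_client_hello(suites, client_random=None):
    """Build a TLS 1.0 record carrying a ClientHello that offers only `suites`.

    No extensions are sent, so the message is legal for a pre-SNI server.
    """
    rnd = os.urandom(32) if client_random is None else client_random
    if len(rnd) != 32:
        raise ValueError("client_random must be 32 bytes")
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        b"\x03\x01"                        # client_version = TLS 1.0
        + rnd                              # client random
        + b"\x00"                          # empty session_id
        + struct.pack("!H", len(cs)) + cs  # cipher_suites vector
        + b"\x01\x00"                      # compression_methods = [null]
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_first_record(data):
    """Return ("alert", description) or ("server_hello", cipher_suite)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype = data[0]
    rlen = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rlen]
    if ctype == 0x15 and len(rec) >= 2:        # Alert record: [level, description]
        return ("alert", rec[1])
    if ctype != 0x16 or not rec or rec[0] != 0x02:
        raise ValueError("expected ServerHello or Alert")
    hs_len = int.from_bytes(rec[1:4], "big")
    sh = rec[4:4 + hs_len]
    sid_len = sh[34]                            # after version(2) + random(32)
    off = 35 + sid_len
    return ("server_hello", struct.unpack("!H", sh[off:off + 2])[0])


def classify(response):
    """Map the server's first record to (vulnerable, explanation)."""
    kind, value = parse_first_record(response)
    if kind == "alert":
        return (False, f"server refused export suites (alert {value})")
    name = EXPORT_RSA_SUITES.get(value)
    if name is None:
        return (False, f"server chose non-export suite 0x{value:04x}")
    return (True, f"server negotiated {name}: export-grade RSA accepted")


def probe(host, port=443, timeout=5.0):
    """Live check (assumed usage): send the export-only ClientHello, classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(list(EXPORT_RSA_SUITES)))
        return classify(s.recv(4096))


# Constructed sample responses (not captured traffic) so the logic runs offline.
def sample_server_hello(suite):
    body = b"\x03\x01" + b"\x42" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body          # type = server_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


SAMPLE_VULNERABLE = sample_server_hello(0x0008)                 # picked DES40 export suite
SAMPLE_REFUSED = b"\x15\x03\x01\x00\x02\x02" + bytes([HANDSHAKE_FAILURE])  # fatal alert

if __name__ == "__main__":
    for label, resp in (("vulnerable", SAMPLE_VULNERABLE), ("refused", SAMPLE_REFUSED)):
        print(label, classify(resp))
```

A server that answers the export-only offer with a ServerHello is the server half of FREAK; the fix on that side is simply to drop every export suite from the cipher list (for OpenSSL-based servers, excluding the `EXPORT` cipher-string group). A refusal does not prove clients are safe, since the client bug is accepting an RSA_EXPORT key exchange it never asked for, which is what the browser and Windows patches in the items above address.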

Securing the Village

Could Costs Impede Info-Sharing Plan?: Small and mid-size businesses might not be able to afford participating in voluntary programs to share and receive cyberthreat information, as President Obama has proposed, industry representatives told Congress at a March 4 hearing. BankInfoSecurity, March 4, 2015
Why companies have little incentive to invest in cybersecurity: Another month, another data breach, and another set of proposals for what is seemingly an intensifying cyberattack problem. The Conversation, March 4, 2015
With Cybersecurity Summit Over, What’s Next?: The one-day White House Summit on Cybersecurity and Consumer Protection, held in California on Feb. 13, holds out the promise that government and business will collaborate on battling cyberthreats. Now, the hard part begins: getting it done. BankInfoSecurity, February 16, 2015

National Cyber Security

FAA computers vulnerable to hackers, GAO report says: The Federal Aviation Administration has fallen short in its efforts to protect the national air traffic control system from terrorists or others who might try to hack into the computers used to direct planes in flight, according to a government report released Monday. The Washington Post, March 2, 2015

Cyber Espionage

France fingered as source of Syria-spying Babar malware: France’s spy agency has been fingered as the likely author of complex reconnaissance malware, researchers say. The Register, March 6, 2015

Cyber Misc

A new breed of startups is helping hackers make millions — legally: Shashank Kumar was in seventh grade when he was introduced to computer hacking. At first he had fun breaking in and defacing web sites, something he says he now regrets, but then he learned that he can get paid for reporting the weaknesses he was exploiting. Under the handle @cyberboyIndia, he says he has earned around $30,000 in so called bug bounties, enough to pay for a good portion of his college education. TheVerge, March 4, 2015

Cyber Sunshine

Dozens arrested in cybercrime ‘strike week’: The UK’s National Crime Agency has arrested 56 suspected hackers as part of a “strike week” against cybercrime. BBC, March 6, 2015
Feds Indict Three in 2011 Epsilon Hack: U.S. federal prosecutors in Atlanta today unsealed indictments against two Vietnamese men and a Canadian citizen in connection with what’s being called “one of the largest reported data breaches in U.S. history.” The government isn’t naming the victims in this case, but all signs point to the 2011 hack of Texas-based email marketing giant Epsilon. KrebsOnSecurity, March 6, 2015

Weekend Vulnerability and Patch Report

Important Security Updates

Avast: Avast! Free Antivirus has released version 10.2.2214. Updates are available on Avast’s website.
Dropbox: Dropbox has released version 3.2.9 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]
Evernote: Evernote has released a new version of its note-taking program. Updates are available on Evernote’s website.
Google Chrome: Google has released Google Chrome version 41.0.2272.76 to fix at least 20 vulnerabilities, some of which are rated highly critical. Updates are available from within the browser or from Google Chrome’s website.
Mozilla Firefox: Mozilla has released version 36.0.1 to fix at least 11 highly critical vulnerabilities. Updates are available within the browser or from Mozilla’s website.
Oracle Java: Oracle has released Java SE 8 Update 40. The update is available through Windows Control Panel or Java’s website. [See Citadel’s recommendation below]
Skype: Skype has released a new version. Updates are available from the program or Skype’s website.
VLC Media Player: VLC has released version 2.2.0 (32-bit and 64-bit) of its Media Player. Download from the VLC website.

Current Software Versions

Adobe Flash [Windows 7: IE]
Adobe Flash [Windows 7: Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.10
Dropbox 3.2.9 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like AxCrypt before they are placed in Dropbox; encryption passphrases be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 36.0.1
Google Chrome 41.0.2272.76
Internet Explorer 11.0.9600.17633
Java SE 8 Update 40 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
Safari 5.1.7 
Safari 7.1.3 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports Cisco has released updates and partial fixes for its Cisco IOS and IOS XR, Unified Web Interaction Manager, Content Delivery Engine Series, Digital Media Manager, Edge 300 Digital Media Player, Nexus 9000 Series Switches, TelePresence Conductor, UCS Invicta Series Solid State Systems, Unified Communications System, Virtual Security Gateway (VSG), Mobility Services Engine, Nexus 1000V, Unified Communications Manager, Unified Contact Center Express, Application Control Engine (ACE) Appliance, and others. Apply updates.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2015 Citadel Information Group. All rights reserved.