Monday, April 06, 2015

Cyber Security News, Education and Vulnerability Patch Report for the Week of April 6, 2015



CYBER SECURITY NEWS

OF THE WEEK

 

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP


 Securing the Village

ISSA-LA Seventh Annual Information Security Summit at the Los Angeles Convention Center.
The Summit on June 4, 2015.
  • Keynotes from Bruce Schneier and Dave Kennedy
  • Summit Tracks include Security Management. AppSec. Digital Forensics. Emerging Issues and Technology.
  • Special Forums: The Executive Forum for Board, C-Suite and Trusted Advisors. Healthcare Privacy and Security Forum. CISO Executive Forum.
Summit Training on June 5, 2015.
  • IT Security Management Bootcamp for IT Professionals with Ed Pagett and Mikhael Felker
  • Secure Coding Boot Camp with Jim Manico
  • Build Your Own Cyber Range with Kevin Cardwell

Cyber Attack

GitHub may have been targeted by Chinese hackers in DDoS attack: Code management platform GitHub has been fending off a distributed denial of service (DDoS) attack since last Thursday. Security experts say the attack may have originated in China, reports The Wall Street Journal. TheNextWeb, March 30, 2015

Financial Cyber Security

‘Revolution’ Crimeware & EMV Replay Attacks: In October 2014, KrebsOnSecurity examined a novel “replay” attack that sought to exploit implementation weaknesses at U.S. financial institutions that were in the process of transitioning to more secure chip-based credit and debit cards. Today’s post looks at one service offered in the cybercrime underground to help thieves perpetrate this type of fraud. KrebsOnSecurity, April 1, 2015
2014 UK ONLINE BANKING FRAUD HIT $89M: Online banking fraud in the U.K. continues to be on the rise, and at a sharp rate, according to a new report from the Financial Fraud Action UK (FFA). PYMNTS.com, March 30, 2015

Identity Theft

Sign Up at irs.gov Before Crooks Do It For You: If you’re an American and haven’t yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process. KrebsOnSecurity, March 30, 2015

Cyber Warning

​Puush calls for password change after malware hit: Users of the Puush screenshot-sharing platform are being told to change any passwords stored on their PCs or browsers after the service was hit by malware. ZDNet, March 30, 2015

Cyber Security Management

Sustainable Cybersecurity: The environmental situation facing many nations in the mid-to-late 20th century was bleak. Industrial waste caused the Cuyahoga River in Cleveland to catch fire in 1969. The Rhine River was long one of the most polluted waterways in Europe, similarly catching fire in 1986. School children in Japan were dying from Mercury poisoning. Problems associated with drought and desertification were already underway in China; a process that has only quickened in the early 21st century. Into this world stepped seminal figures including the marine biologist Rachel Carson whose 1962 book, Silent Spring, documented the effects of widespread pesticide use in the United States and is credited with jumpstarting the modern environmental movement. Much like that time, the 21st century cybersecurity landscape is littered with failed attempts to manage the various facets of cyber attacks, from cybercrime and espionage, to nascent threats introduced below including cyber war and terrorism. But we are still waiting for our cyber Silent Spring. HuffingtonPost, April 2, 2015
Security crashes the boardroom party: Given the recent spate of headline-grabbing data breaches, CIOs need to be prepared to answer a lot of board questions about risk. CIO, March 30, 2015
Citigroup Report Chides Law Firms for Silence on Hackings: Every month it seems another American company reports being a victim of a hacking that results in the theft of internal or customer information. But the legal profession almost never publicly discloses a breach. The New York Times, March 26, 2015
Security Rises to a CEO-Level Priority: The State of the CIO research shows that cybersecurity and enterprise risk are zooming up the charts as high-profile topics on the CIO and CEO agendas, says CIO Publisher Adam Dennison. CIO, February 19, 2015

Cyber Security Management – Cyber Defense

Firefox 37 supports easier encryption option than HTTPS: The latest version of Firefox has a new security feature that aims to put a band-aid over unencrypted website connections. Firefox 37 rolled out earlier this week with support for opportunistic encryption, or OE. You can consider OE sort of halfway point between no encryption (known as clear text) and full HTTPS encryption that’s simpler to implement. PCWorld, April 2, 2015
Google says it cut Android malware in half in 2014: Google has been cracking down on Android malware, and according to a new Android State of the Union report, it’s starting to see real progress in the fight against harmful software. The new report says that the global rate of harmful software installs fell by 50 percent over the course of 2014. By Google’s accounting, only 1 percent of Android devices had a harmful application installed in 2014, and for when devices only installed applications from the Google Play store, that number fell to .15 percent. TheVerge, April 2, 2015

National Cyber Security

New Obama Order Allows Sanctions Against Foreign Hackers: IN AN EFFORT to deter and punish hackers and cyberspies who have until now been outside the reach of U.S. law enforcement, President Barack Obama signed an executive order today allowing the government to levy economic sanctions against individuals overseas who engage in destructive cyberattacks or commercial espionage. Wired, March 30, 2015

Critical Infrastructure

Hackers attack the energy industry with malware designed for snooping: A malware attack against oil and gas companies aims to get sensitive corporate information, according to software security firm Symantec. Fortune, March 31, 2015

Cyber Misc

Smart home hacking is easier than you think: Scary stories of hacking Internet of Things devices are emerging, but how realistic is the threat? NetworkWorld, April 2, 2015
Like Google, Mozilla set to punish Chinese agency for certificate debacle: The Mozilla Foundation plans to reject new digital certificates issued by the China Internet Network Information Center (CNNIC) in its products, but will continue to trust certificates that already exist. PCWorld, April 2, 2015
Google fixed a vulnerability that allowed any YouTube user to delete any video: Everybody makes mistakes. Google caught a big one before it was too late. The tech giant fixed a giant vulnerability in YouTube that allowed any user to delete any video from the site by making the right request to the right URL. And yes, that really means any clip on YouTube—from viral-pop music videos to internet legends like “Charlie bit my finger.” Quartz, April 2, 2015
Secrecy on the Set: Hollywood Embraces Digital Security: SAN FRANCISCO — For years, Lulu Zezza has played one of the toughest roles in Hollywood. Ms. Zezza, who has managed physical production on movies like “The Reader” and “Nine,” also oversees the digital security of everything that goes into the making of a film on set, including budgets, casting, shooting schedules and scripts. The New York Times, March 30, 2015
Inquiry of Silk Road Website Spurred Agents’ Own Illegal Acts, Officials Say: On the so-called dark web, drug dealing and other illicit sales have thrived in recent years, the authorities have said, through hidden websites like Silk Road and hard-to-trace digital currencies like Bitcoins. The New York Times, March 30, 2015

Weekend Vulnerability and Patch Report, April 5, 2015


Important Security Updates

Dropbox: Dropbox has released version 3.4.3 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]
Google Chrome: Google has released Google Chrome version 41.0.2272.118 to fix multiple highly critical vulnerabilities. Updates are available from within the browser or from Google Chrome’s website.
Mozilla Firefox: Mozilla has released version 37.0.1 to fix at least 14 unpatched vulnerabilities, some of which are highly critical. Updates are available within the browser or from Mozilla’s website.
Skype: Skype has released Skype 7.3.0.101. Updates are available from the program or Skype’s website.

Current Software Versions

Adobe Flash  17.0.0.134 [Windows 7: IE, Firefox, Mozilla]
Adobe Flash  17.0.0.134 [Windows 8: IE]
Adobe Flash  17.0.0.134 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.10
Dropbox 3.4.3 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 37.0.1
Google Chrome 41.0.2272.118
Internet Explorer 11.0.9600.17633
Java SE 8 Update 40 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.76.80.95
Safari 5.1.7 
Safari 7.1.3 [Mac OS X]
Skype 7.3.0.101

Newly Announced Unpatched Vulnerabilities

None
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports Cisco has released updates and partial fixes for its Unified Communications manager, Unified Communications Domain Manager (CUCDM), Catalyst 4500 Switches, Nexus 9000 Series Switches, Prime Data Center Network Manager, Unity Connection, ASR1000, VideoScape Delivery System for Internet Streamer (VDS-IS), NX-OS, and others. Apply updates.
McAfee Multiple Products: Secunia reports McAfee has released updates and partial fixes for its Data Loss Prevention Endpoint, Asset Manager, Email Gateway, Firewall Enterprise (formely Sidewinder Firewall), Firewall Enterprise, Next Generation Firewall (NGFW), SSL VPN (formerly Stonesoft SSL VPN), Web Gateway, Agent, Endpoint Intelligence Agent, ePO Deep Command, ePolicy Orchestrator, Firewall Enterprise Control Center, Quarantine Manager, Security Information and Event Management (SIEM), VirusScan Enterprise for Linux, Vulnerability Manager, and others. Apply updates.
Novell eDirectory: Secunia reports Novell has released an update to fix multiple vulnerabilities for its eDirectory. Update to version 8.8 SP8 Patch 5.
Novell iManager: Secunia reports Novell has released an update to fix multiple vulnerabilities for its iManager. Update to version 2.7 SP7 Patch 4.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2015 Citadel Information Group. All rights reserved.


SecurityRecruiter.com's Security Recruiter Blog