Sunday, April 12, 2015

Cyber Security News, Education and Vulnerability Patch Report for the Week of April 12, 2015





Securing the Village

ISSA-LA Seventh Annual Information Security Summit at the Los Angeles Convention Center.
The Summit on June 4, 2015.
  • Keynotes from Bruce Schneier and Dave Kennedy
  • Summit Tracks include Security Management, AppSec, Digital Forensics, and Emerging Issues and Technology.
  • Special Forums: The Executive Forum for Board, C-Suite and Trusted Advisors; Healthcare Privacy and Security Forum; CISO Executive Forum.
Summit Training on June 5, 2015.
  • IT Security Management Bootcamp for IT Professionals with Ed Pagett and Mikhael Felker
  • Secure Coding Boot Camp with Jim Manico
  • Build Your Own Cyber Range with Kevin Cardwell

Cyber Crime

Hackers break into Lufthansa customer database: Cyber-attackers have obtained info on a number of passengers using the Lufthansa website. The hackers used frequent-flyer miles to obtain vouchers and redeem rewards. DW, April 10, 2015

Cyber Attack

Hackers black out French TV5, hijack websites to back Islamic State: Hackers acting in support of Islamic State extremists knocked out the global broadcast network of France’s TV5 early Thursday, then hijacked its website and social media to post warnings against French participation in air strikes against the militants in Iraq and Syria. Los Angeles Times, April 9, 2015

Cyber Privacy

As encryption spreads, U.S. grapples with clash between privacy, security: For months, federal law enforcement agencies and industry have been deadlocked on a highly contentious issue: Should tech companies be obliged to guarantee government access to encrypted data on smartphones and other digital devices, and is that even possible without compromising the security of law-abiding customers? The Washington Post, April 10, 2015

Financial Cyber Security

Sneaky ‘Dyre’ Malware Bilks Corporate Bank Accounts: Fraudsters are using a clever piece of malicious software called Dyre to steal from corporate bank accounts, security experts say. American Banker, April 6, 2015
BOOM: Along the western coast of England, under a half-moon hidden by clouds, a dark Audi sports car with fabricated plates followed an empty road toward a Barclays bank. Inside were five men, dressed all in black, and their gear: crowbars, power tools, coils of flexible tubing, and two large tanks of explosive gas. It was 1:51 a.m. The job would take just under seven minutes. Bloomberg, January 27, 2015

Identity Theft

Why Identity Theft Victims Wait 9 Months for Their Tax Refund: Hundreds of thousands of taxpayers experience significantly delayed refunds every year because of tax-related identity theft. That delay lasted an average of 278 days — more than nine months — according to a new audit of tax accounts resolved in fiscal year 2013 (Oct. 1, 2012 through Sept. 30, 2013) by the Treasury Inspector General for Tax Administration. The audit was intended as a follow-up on a previous review to see if the IRS had improved its dealings with identity theft victims. April 10, 2015

Cyber Warning

Don’t Be Fodder for China’s ‘Great Cannon’: China has been actively diverting unencrypted Web traffic destined for its top online search service — — so that some visitors from outside of the country were unwittingly enlisted in a novel and unsettling series of denial-of-service attacks aimed at sidelining sites that distribute anti-censorship tools, according to research released this week. KrebsOnSecurity, April 10, 2015
FBI Warns of Fake Govt Sites, ISIS Defacements: The Federal Bureau of Investigation (FBI) is warning that individuals sympathetic to the Islamic State of Iraq and al-Shams (ISIS) are mass-defacing Websites using known vulnerabilities in WordPress. The FBI also issued an alert advising that criminals are hosting fraudulent government Web sites in a bid to collect personal and financial information from unwitting Web searchers. KrebsOnSecurity, April 7, 2015
Popular mobile security app uses worthless encryption method: New information has shown that one of the more popular security suites available for Android and iOS is so fundamentally compromised, its claims constitute false advertising. That software suite, NQ Vault, promises, “All files will be encrypted into a private place and can only be viewed in Vault after entering the correct password (iOS version).” The Android version, available in the Google Play Store, states, “Vault hides and encrypts all incoming message alerts and text messages from those contacts for maximum privacy.” ExtremeTech, April 6, 2015

Cyber Security Management

Insider Threats: Focus On The User, Not The Data: Global cybersecurity spending will hit almost $77 billion in 2015, so why are there more high-profile leaks than ever? DarkReading, April 10, 2015
Utilities And Education The Most Bot-Infested Sectors: The more bots in-house, the more a company is likely to have reported a data breach, BitSight report finds. DarkReading, April 9, 2015

Cyber Security Management – Cyber Defense

Another Reason For Ubiquitous Web Encryption: To Neuter China’s ‘Great Cannon’: China’s web censorship machine, the Great Firewall, has a more offensive brother, researchers have declared today. Called the Great Cannon by Citizen Lab, a research body based at the University of Toronto, it can intercept traffic and manipulate it to do evil things. Forbes, April 10, 2015
Podcast: Yahoo’s Alex Stamos on e-mail encryption and keeping 1 billion customers secure: Yahoo’s chief information security officer joins Passcode and New America for their monthly podcast about cybersecurity. Christian Science Monitor, April 10, 2015
Bad news everyone: Cybercrime is getting even easier: The volume of malware threats is actually on the decline despite the increase in breaches, according to a study from Websense Security Labs. The Register, April 9, 2015 

Cyber Security Management – Cyber Update

Apple Fixes Proxy Manipulating Phantom Attack in iOS 8.3: If left unpatched, one of the vulnerabilities fixed in this week’s iOS update could render an iPhone near useless. If triggered, it could cause networking apps to quit, the system to grind to a halt. In some cases, the device wouldn’t even be able to be rebooted. ThreatPost, April 10, 2015
Apple Patches ‘Darwin Nuke,’ Other Security Flaws With New OS Releases: Denial-of-service flaw discovered by researchers at Kaspersky Lab could affect Apple users’ corporate networks. DarkReading, April 10, 2015

National Cyber Security

How the U.S. thinks Russians hacked the White House: Washington (CNN) Russian hackers behind the damaging cyber intrusion of the State Department in recent months used that perch to penetrate sensitive parts of the White House computer system, according to U.S. officials briefed on the investigation. CNN, April 8, 2015
White House Email Hacked: A top aide to President Barack Obama says the White House’s classified computer systems are secure while acknowledging vulnerabilities in its unclassified system. The comments come in response to a CNN report that Russian hackers got access to sensitive White House information such as the president’s private schedule. The White House says suspicious activity was detected in October on its unclassified network. NBC4 News, April 7, 2015

Cyber Law

Data breach: The new normal – Mitigating risk and how government policy makers approach this critical issue: Featuring Citadel’s Stan Stahl and Kimberly Pease – Once a rarity and major news event, corporate data breaches are becoming a dime a dozen. Yet, the rules of the road governing data breaches and consumer notification are anything but clear. Join our highly regarded panel of experts for the latest on how to navigate the murky federal and state regulatory landscapes and listen to what the future holds with regards to potential new legislative reforms. Event Date: April 14, 2015

Cyber Misc

Hackers Leak Messages ‘Between Kremlin and France’s Front National’: French media site Mediapart has reported that hackers have leaked thousands of texts and emails sent between the Kremlin and the French far-right party, the National Front. NewsWeek, April 3, 2015

Cyber Sunshine

US, European Law Enforcement Carry Out Beebone Botnet Takedown: A relatively small yet troublesome botnet has been shut down in a joint operation between U.S. and European law enforcement and a number of private security companies, including Kaspersky Lab. ThreatPost, April 10, 2015

Weekend Vulnerability and Patch Report

Important Security Updates

Apple iOS: Apple has released version 8.3 of its iOS to fix at least 19 vulnerabilities, some of which are highly critical, reported in previous versions. Updates are available through the device or through Apple’s website.
Apple iTunes: Apple has released version 12.1.2 (64-bit and 32-bit) of iTunes. Updates are available from Apple’s website.
Apple OS X: Apple has released updates for OS X to fix at least 66 vulnerabilities, some of which are highly critical, reported in previous versions. Update to version 10.10.3 or Security Update 2015-004. Updates are available from Apple’s website.
Apple Safari: Apple has released updates for Safari 8.0.5 for OS X Yosemite v10.10.2, Safari 7.1.5 for OS X Mavericks v10.9.5, Safari 6.2.5 for OS X Mountain Lion v10.8.5. Updates are available from Apple’s website.
Apple TV: Apple has released version 7.2 for Apple TV to fix at least 24 vulnerabilities, some of which are highly critical, reported in previous versions. Updates are available through the device or Apple’s website.
Google Earth: Google has released version for Google Earth. Updates are available from Google’s website.
KeePass: KeePass has released version 1.29 of its open source password manager. Updates are available from the KeePass website.
Opera: Opera has released version 28.9.1750.51 to fix multiple vulnerabilities. Updates are available from within the browser or from Opera’s website.

Current Software Versions

Adobe Flash [Windows 7: IE, Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.10
Dropbox 3.4.3 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 37.0.1
Google Chrome 41.0.2272.118
Internet Explorer 11.0.9600.17633
Java SE 8 Update 40 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
Safari 5.1.7 
Safari 7.1.5 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports Cisco has released updates and partial fixes for its Intrusion Prevention System, IOS XR, MDS 9000 Series, Network Convergence System 6000 Series Routers, Nexus 7000 Series Switches, Prime Collaboration, Nexus 1000V, UCS Center Software, WebEx Meetings Server, Prime License Manager, Aggregation Services Router 9000, Adaptive Security Appliances, ASR 1000 and others. Apply updates.
McAfee Advanced Threat Defense: Secunia reports McAfee has released updates for its Advanced Threat Defense (ATD) to fix vulnerabilities. Update to version
Novell Open Enterprise Server: Secunia reports Novell has released an update to fix multiple vulnerabilities in its Open Enterprise Server. Apply patch oes11sp2-March-2015-Scheduled-Maintenance-10332.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2015 Citadel Information Group. All rights reserved.