Monday, May 11, 2015

Cyber Security News and Education for the Week of May 11, 2015

Securing the Village

ISSA-LA Seventh Annual Information Security Summit at the Los Angeles Convention Center.
The Summit on June 4, 2015.
  • Keynotes from Bruce Schneier and Dave Kennedy
  • Summit tracks include Security Management, AppSec, Digital Forensics, and Emerging Issues and Technology.
  • Special forums: the Executive Forum for Board, C-Suite and Trusted Advisors; the Healthcare Privacy and Security Forum; and the CISO Executive Forum.
Summit Training on June 5, 2015.
  • IT Security Management Bootcamp for IT Professionals with Ed Pagett and Mikhael Felker
  • Secure Coding Boot Camp with Jim Manico
  • Build Your Own Cyber Range with Kevin Cardwell

Cyber Crime

Are Sally Beauty, Harbortouch Breaches Linked?: It’s unlikely that the same hackers that hit Sally Beauty Supply in 2014 struck the retailer a second time this year, several threat intelligence experts now say. BankInfoSecurity, May 7, 2015
Deconstructing the 2014 Sally Beauty Breach: This week, nationwide beauty products chain Sally Beauty disclosed that, for the second time in a year, it was investigating reports that hackers had broken into its networks and stolen customer credit card data. That investigation is ongoing, but I recently had an opportunity to interview a former Sally Beauty IT technician who provided a first-hand look at how the first breach in 2014 went down. KrebsOnSecurity, May 7, 2015
Sally Beauty Card Breach, Part Deux?: For the second time in a year, nationwide beauty products chain Sally Beauty Holdings Inc. says it is investigating reports of unusual credit and debit card activity at some of its U.S. stores. KrebsOnSecurity, May 4, 2015

Cyber Privacy

White House Evaluating New Court Ruling Declaring NSA Data-Collection Program Illegal: Administration will continue to work with Congress to reform surveillance laws, NSC spokesman says. Dark Reading, May 7, 2015
The Implications of Court’s NSA Ruling: A federal appellate court decision that the National Security Agency’s bulk data collection program is illegal could have sweeping ramifications beyond derailing the initiative to amass the metadata of Americans’ telephone calls. BankInfoSecurity, May 7, 2015
US Appeals Court: NSA Phone Record Collection Is Illegal: NEW YORK — The unprecedented and unwarranted bulk collection of the entire U.S. population’s phone records by the government is illegal because it wasn’t authorized by Congress, a federal appeals court said Thursday as it asked legislators to balance national security and privacy interests. The New York Times, May 7, 2015
RadioShack Is A Reminder That Old Data Don’t Die, Or Fade Away: A Delaware judge just gave RadioShack approval to consider bids for its customer data as part of its bankruptcy proceedings. Texas leads a list of states opposing the auction, citing the retailer’s own privacy policies (which say that personally identifiable information, or “PII,” will never be sold or rented to anyone), just as it is trying to discover the details of the offer (which could involve as many as 117 million customers). The legal case is just a hint of the immense communications issue that haunts every customer relationship, regardless of the specific case’s outcome. Forbes, April 30, 2015

Financial Cyber Security

Wells Fargo customers: Here’s what to look for if you’re concerned: City officials and former Wells Fargo employees are asking consumers to scrutinize their bank statements and pay extra attention to online accounts after a lawsuit Monday accused bank employees of opening unauthorized accounts and moving clients’ money around to meet corporate sales quotas. The LA Times, May 5, 2015

Cyber Warning

Ex-NSA security bod fanboi: Apple Macs are wide open to malware: A former NSA staffer turned security researcher is warning that bypassing typical OS X security tools is trivial. TheRegister, May 7, 2015
This terrifying malware destroys your PC if detected: A new type of malware resorts to crippling a computer if it is detected during security checks, a particularly catastrophic blow to its victims. PCWorld, May 5, 2015
Dyre Malware Developers Add Code to Elude Detection by Analysis Tools: As more companies deploy sandbox technology to catch advanced malware, many attackers are adding code to their programs to detect if the attack is running in a virtual machine. eWeek, May 3, 2015

Cyber Security Management – Cyber Defense

Microsoft bangs the cybersecurity drum with Advanced Threat Analytics: Microsoft announced a raft of security and data protection software on the first day of its Ignite conference. The company said that attacks on companies were increasingly using legitimate tools: organizations are being compromised through access made with valid (albeit stolen or otherwise compromised) user credentials, rather than malware, with a Verizon report saying that more than 75 percent of breaches occur this way. ars technica, May 4, 2015

Cyber Security Management – HIPAA

Healthcare Data Breaches From Cyberattacks, Criminals Eclipse Employee Error For The First Time: New Ponemon Report reveals just how hot healthcare data is for hackers. The Ponemon Institute’s new Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, published today, found that close to 45% of all data breaches in healthcare are due to criminal activity such as cybercriminal and nation-state hacks, malicious insiders, and physical theft, a 125% increase in such activity over the past five years. DarkReading, May 7, 2015

National Cyber Security

Internal Revenue Service Joins Cybercrime Hunt With New Investigation Team: WASHINGTON—The Internal Revenue Service is getting in on the hunt for cybercrime. The Wall Street Journal, May 5, 2015
Greater Cooperation Among Public, Private Entities Urged to Fight Cybercrime: Attorney General Loretta Lynch urged greater cooperation between the government and private industry to combat computer hackers, a key component of a new cyberattack playbook released by the Justice Department. ClaimsJournal, May 4, 2015

Critical Infrastructure

Weak Homegrown Crypto Dooms Open Smart Grid Protocol: In the three years since its inception, the Open Smart Grid Protocol has found its way into more than four million smart meters and similar devices worldwide. ThreatPost, May 8, 2015

Cyber Underworld

PayIvy Sells Your Online Accounts Via PayPal: Normally, if one wishes to buy stolen account credentials for paid online services like Netflix, Hulu, XBox Live or Spotify, the buyer needs to visit a cybercrime forum or drop into a dark Web marketplace that only accepts Bitcoin as payment. Increasingly, however, these accounts are showing up for sale at Payivycom, an open Web marketplace that happily accepts PayPal in exchange for a variety of stolen accounts. KrebsOnSecurity, May 6, 2015

Cyber Law

Legal landscape for cybersecurity risk is changing as federal government and SEC take action: In 2014, many of the most recognizable companies in America fell prey to cyber attacks. The list of victims is a veritable who’s who of corporate America: Target, J.P. Morgan Chase, Home Depot, Staples, AT&T, Sony, eBay, Yahoo and Google. In the face of the clear threat posed by these attacks, the federal government has taken steps to respond. Inside Counsel, May 8, 2015
SEC: CCO Should Have Active Role in Cybersecurity: The chief compliance officer should have an “active role” in discussing a firm’s cybersecurity threats not only with technology personnel but also with management, outside vendors and even fund boards, David Joire, senior counsel in the Securities and Exchange Commission’s Division of Investment Management, said Thursday. ThinkAdvisor, May 7, 2015

Cyber Misc

A cybersecurity firm is being accused of extorting clients: A bombshell lawsuit is raising eyebrows in the cybersecurity industry. Business Insider, May 7, 2015

Cyber Sunshine

Foiling Pump Skimmers With GPS: Credit and debit card skimmers secretly attached to gas pumps are an increasingly common scourge throughout the United States. But the tables can be turned when these fraud devices are discovered, as evidenced by one California police department that has eschewed costly and time-consuming stakeouts in favor of affixing GPS tracking devices to the skimmers and then waiting for thieves to come collect their bounty. KrebsOnSecurity, May 4, 2015

Weekend Vulnerability and Patch Report

Important Security Updates

Apple Safari: Apple has released Safari 8.0.6 for OS X Yosemite v10.10.3, 7.1.6 for OS X Mavericks v10.9.5, and 6.2.6 for OS X Mountain Lion v10.8.5 to fix at least 5 highly critical vulnerabilities. Updates are available from Apple’s website.
Avira Free Antivirus: Avira has released version of its free Antivirus. Updates are available from Avira’s website.
Dropbox: Dropbox has released version 3.4.6 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]
WinZip: WinZip has released version 19.0.11475. Updates are available from within the program (look for “Check for Updates” on the Help menu) or from the WinZip website.
WordPress: WordPress has released version 4.2.2. Updates are available from within the application or from the WordPress website.

Current Software Versions

Adobe Flash [Windows 7: IE, Firefox, Mozilla]
Adobe Flash [Windows 8: IE]
Adobe Flash [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader DC 2015.007.20033
Dropbox 3.4.6 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 37.0.2
Google Chrome 42.0.2311.135
Internet Explorer 11.0.9600.17728
Java SE 8 Update 45 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
Safari 5.1.7
Safari 7.1.6 [Mac OS X]

Newly Announced Unpatched Vulnerabilities

For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: US-CERT and Secunia report Cisco has released updates and partial fixes for its UCS Central Software, Unity Connection, Unified Communications Manager, Finesse Server, and others. Apply updates.
Citrix NetScaler Application Delivery Controller: Secunia reports Citrix has released an update for NetScaler Application Delivery Controller (ADC) to fix a vulnerability reported in previous versions. Update to version 10.5 Build 56.15 or later or 10.5.e Build 54.9009.e or later.
Citrix VDI-in-a-Box: Secunia reports Citrix has released a partial fix for its VDI-in-a-Box to fix moderately critical vulnerabilities reported in versions 5.4.x and 5.3.x. Update to a fixed version if available.
McAfee Firewall Enterprise: Secunia reports McAfee has released an update to its Firewall Enterprise to fix a vulnerability reported in previous versions. Update to version 8.3.2P07.
SonicWALL SSL-VPN SRA: Secunia reports SonicWALL has released an update to its SSL-VPN SRA to fix a vulnerability reported in previous versions. Update to version
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2015 Citadel Information Group. All rights reserved.