Cyber Security Vulnerability and Patch Report, July 16, 2017


From our friends at Citadel Information Group


Important Security Updates

Adobe Flash Player: Adobe has released version 26.0.0.137. Updates are available from Adobe’s website. To see which version you have, go to Adobe’s web page.

Avira Antivirus: Avira has released version 15.0.28.28 of its free Antivirus and Pro. Updates are available from Avira’s website.

Dropbox: Dropbox has released version 30.4.22 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]

Google Drive: Google has released version 3.35.5978.2967 of its Google Drive. Updates are available from Google’s website.

LastPass: LastPass has released version 4.1.60 for its Free Password Manager. Updates are available from LastPass’ website.

Microsoft Patch Tuesday: Microsoft’s Patch Tuesday released updates to address almost a hundred vulnerabilities, some of which are highly critical within Windows operating systems, Microsoft Edge, Internet Explorer, Office, and other Microsoft products. Additional details are available at Microsoft’s website.

Opera: Opera has released version 46.0.2597.46. Updates are available from within the browser or from Opera’s website.

Piriform CCleaner: Piriform has released version 5.32.6129 for CCleaner. Updates are available from Piriform’s website.

Current Software Versions

Adobe Flash 26.0.0.137

Adobe Reader DC 17.009.20044

Dropbox 30.4.22 [Citadel warns against relying on security of Dropbox or other cloud-based file exchange systems. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the master Dropbox [or other] password be at least 15 characters long and different from other passwords.]

Firefox 54.0.1 [Windows]

Google Chrome 59.0.3071.115

Internet Explorer 11.0.9600.18739

Java SE 8 Update 131 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

Microsoft Edge 40.15063.0.0

QuickTime 7.7.9 [Citadel recommends removing QuickTime. On April 14, 2016 US-CERT advised Microsoft Windows users to remove QuickTime. This followed a report in ars technica that Apple has no plans to update the Windows app despite at least two reliable QuickTime vulnerabilities that threaten Windows users who still have the program installed.]

Safari 10.1.1 [Mac OS X Mavericks, Yosemite, El Capitan]

Skype 7.38.0.101

For Your IT Department

Cisco Multiple Products: Cisco has released updates to address vulnerabilities in SNMP, Samba Affecting Cisco Products and others. Apply updates. Additional details are available at Cisco’s website.

*******************

If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Copyright © 2017 Citadel Information Group. All rights reserved.

The post Weekend Vulnerability and Patch Report, July 16, 2017 appeared first on Citadel Information Group.

Jeff Snyder's SecurityRecruiter.com Security Recruiter Blog, 719.686.8810

Cyber Security News for the Week, July 16, 2017

from our friends at Citadel Information Group

Individuals at Risk

Cyber Privacy

White House releases sensitive personal information of voters worried about their sensitive personal information: The White House on Thursday made public a trove of emails it received from voters offering comment on its Election Integrity Commission. The commission drew widespread criticism when it emerged into public view by asking for personal information, including addresses, partial social security numbers and party affiliation, on every voter in the country. The Washington Post, July 14, 2017

Cyber Update

Adobe, Microsoft Push Critical Security Fixes: It’s Patch Tuesday, again. That is, if you run Microsoft Windows or Adobe products. Microsoft issued a dozen patch bundles to fix at least 54 security flaws in Windows and associated software. Separately, Adobe’s got a new version of its Flash Player available that addresses at least three vulnerabilities. KrebsOnSecurity, July 11, 2017

Cyber Defense

Keep security in mind on your summer vacation: When you travel, there probably are a few must-haves in your suitcase: your toothbrush, deodorant, socks, shoes – you get the idea. But one travel must-have we don’t always think about is security. While you’re away from home, you might be using public Wi-Fi, tagging your locations (whether or not you realize it), carrying around your passport, and using your credit card more often. Those things could put you at a higher risk of identity theft. Federal Trade Commission, Consumer Information, July 13, 2017

Cyber Warning

macOS users beware: A new and nearly undetectable malware is on the rise: Often thought of as impenetrable, macOS is falling prey to a sneaky malware that’s stealing bank credentials, bypassing Gatekeeper, and disabling attempts to remove it. Find out more here. TechRepublic, July 14, 2017

Watch out for this money stealing macOS malware which mimics your online bank: OSX Dok now attempts to steal money from Apple Mac users — and could be being prepared for use in further attacks. ZDNet, July 14, 2017

Information Security Management in the Organization

Information Security Management and Governance

Beyond Breach Notification: Ever since California adopted the nation’s first breach notification law in 2002, companies that have suffered a data breach have focused on whether and how to notify their customers, employees and others of the nature and extent of the breach. California’s law has been amended multiple times, and has been followed by breach notification laws in almost every state, as well as the notification requirements under the Health Insurance Portability and Accountability Act (“HIPAA”). As these laws developed, a tandem requirement has emerged: the obligation to take reasonable steps to protect data, and companies are increasingly focused on taking steps to ensure the security of their data. Robert Braun, SecureTheVillage Leadership Council, Jeffer Mangels Butler & Mitchell Cybersecurity Lawyer Forum, July 7, 2017

Cyber Awareness

How to Avoid Being the Weakest Link in Your Company’s Information Security: When you think of hackers, you probably think of some spy movie where they come down from the ceiling to steal a computer off of a desk and then whisk it away to their laboratory where they input lines of code to crack the encryption. In reality, hacking is often as simple as learning about a user and then guessing their password or even asking them for it: a process called social engineering. INC, July 13, 2017

Why your company needs clear security policies: A cautionary tale: An IT employee was recently almost fired for storing documents on Dropbox. Here’s how the employee and the company could have prevented that situation. TechRepublic, July 13, 2017

Using Feedback Loops to Enhance End User Security: The security world abounds with case studies demonstrating that end users are a weak point within the organization. End users are constantly bombarded by phishing attacks, are notorious for using weak account credentials and are preyed on by malware relying on the user to introduce malicious software into an environment. All of these examples may lead to significant damage to the organization and negative headlines. SecurityIntelligence, August 9, 2017

Cyber Warning

Darkweb Hackers Begin Offering Functional Mac Malware and Ransomware as a Service: With the popularity of both ransomware and the creation of macOS malware on the rise with hackers, Apple users face a growing number of threats. It now appears that others have turned their attention to the creation of new malware to spy on Mac users — but these programmers have gone a step further. Rather than developing a tool and deploying it personally, they have taken to the dark web to offer their products for sale. Known respectively as MacSpy and MacRansom, the hackers provide the malware to users while operating a centralized web portal. The authors’ continued involvement is why this threat is often called malware- or “ransomware-as-a-service.” SecureMac, June 29, 2017

Cyber Defense

To update or not to update: There is no question: Updating software has become one of the many keys to data security. Jack Wallen explains why the excuses for failing to update must become a thing of the past. TechRepublic, July 13, 2017

IT is NOT Cybersecurity: Having IT isn’t enough anymore; businesses also need a separate security team. Policemen and firefighters are good examples of this: both will help you in your time of need, but each has very specific training for specific functions. CSO, July 11, 2017

Cyber Security in Society

Cyber Crime

Half-Year Roundup: The Top Five Data Breaches of 2017 — So Far: Data breaches aren’t slowing down. If anything, they’re set to break last year’s record pace. As noted by 24/7 Wall Street, the 758 breaches reported this year mark nearly a 30 percent increase from 2016. If cybercriminals keep it up, the total number of attacks could break 1,500 by the end of 2017. SecurityIntelligence, July 13, 2017

Self-Service Food Kiosk Vendor Avanti Hacked: Avanti Markets, a company whose self-service payment kiosks sit beside shelves of snacks and drinks in thousands of corporate breakrooms across America, has suffered a breach of its internal networks in which hackers were able to push malicious software out to those payment devices, the company has acknowledged. The breach may have jeopardized customer credit card accounts as well as biometric data, Avanti warned. KrebsOnSecurity, July 8, 2017

Cyber Espionage

Vault 7 reports new WikiLeaks dump details CIA’s Android SMS snooping malware: Since launching its Vault 7 project in March, WikiLeaks has dumped documents outlining the CIA’s efforts to exploit Microsoft and Apple technology. In this week’s latest release, it focuses on malware called HighRise, which the agency used to target Android devices. Naked Security, July 14, 2017

Know Your Enemy

With this $7 malware, anyone can be a hacker for cheap: Proofpoint security researchers examined the Ovidiy Stealer malware, which steals credentials and operates primarily in Russian-speaking regions. TechRepublic, July 14, 2017

National Cyber Security

Private Email of Top U.S. Russia Intelligence Official Hacked: On Tuesday morning, a hacker going by the name Johnnie Walker sent a group email to an unknown number of recipients claiming to have a trove of emails from the private account of a U.S. intelligence official. Foreign Policy, July 14, 2017

Governors ask Congress to create cybersecurity committee: The leadership of the National Governors Association, including incoming chairman Gov. Brian Sandoval, repeated a plea to Congress on Friday to create a national committee to address cybersecurity threats. Las Vegas Review Journal, July 14, 2017

States Pledge to Meet Cyber Threats; Publish Resource Guide: National Governors Association (NGA) Chair Virginia Gov. Terry McAuliffe kicked off the 2017 NGA Summer Meeting with a discussion on how states continue to develop strategies to thwart cyber threats. Dark Reading, July 14, 2017

Stewart Baker interviews DSB’s Jim Miller re cyber conflict & deterrence: In this episode, we interview Jim Miller, co-chair of a Defense Science Board panel that reported on how the US is postured for cyberconflict and the importance of deterrence. The short answer: deterring cyberconflict is important because our strategic cyberconflict posture sucks. The DSB report is thoughtful, detailed, and troubling. Jim Miller manages to convey its message with grace, good humor, and clarity. Steptoe Cyberblog, July 10, 2017

Stewart Baker interviews ex-NSA Deputy Director Richard Ledgett: Today we deliver the second half of our bifurcated holiday podcast with an interview of Richard Ledgett, recently retired from his tour as NSA’s deputy director. We cover much recent history, from Putin’s election adventurism to questions about whether NSA can keep control of the cyberweapons it develops. Along the way, Rick talks about the difference between CIA and NSA approaches to hacking, the rise of NSA as an intelligence analysis force, the growing effort to keep Kaspersky products out of sensitive systems, and the divergence among intel agencies about whether Putin’s attack on the American election was intended mainly to hurt Hillary Clinton or to help Donald Trump. Steptoe Cyberblog, July 5, 2017

Financial Cyber Security

Thieves Used Infrared to Pull Data from ATM ‘Insert Skimmers’: A greater number of ATM skimming incidents now involve so-called “insert skimmers,” wafer-thin fraud devices made to fit snugly and invisibly inside a cash machine’s card acceptance slot. New evidence suggests that at least some of these insert skimmers — which record card data and store it on a tiny embedded flash drive — are equipped with technology allowing them to transmit stolen card data wirelessly via infrared, the same communications technology that powers a TV remote control. KrebsOnSecurity, July 13, 2017

HIPAA

HIPAA: Five Steps to Ensuring Your Risk Assessment Complies with OCR Guidelines: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and healthcare technology have changed significantly over the past 20 years. Covered entities and their business associates face an ever-evolving risk environment in which they must protect electronic protected health information (ePHI). Although healthcare security budgets may increase this year, the cost of implementing and maintaining adequate security controls to protect an entity’s ePHI far exceeds what is often budgeted. As a result, some ePHI may be under-protected and vulnerable to data breach. A long-term, consistent and cost-conscious approach to HIPAA compliance is needed. healthcare informatics, July 14, 2017

Critical Infrastructure

Your Guide to Russia’s Infrastructure Hacking Teams: Since reports first surfaced that hackers targeted more than a dozen American energy utilities, including a Kansas nuclear power plant, the cybersecurity community has dug into the surrounding evidence to determine the culprits. Without knowing the perpetrators, the campaign lends itself to a broad range of possibilities: a profit-seeking cybercriminal scheme, espionage, or the first steps of hacker-induced blackouts like the ones that have twice afflicted Ukraine in the last two years. WIRED, July 12, 2017

U.S. officials say Russian government hackers have penetrated energy and nuclear company business networks: Russian government hackers were behind recent cyber-intrusions into the business systems of U.S. nuclear power and other energy companies in what appears to be an effort to assess their networks, according to U.S. government officials. The Washington Post, July 8, 2017

Combating a Real Threat to Election Integrity: Russia’s meddling in the 2016 election may not have altered the outcome of any races, but it showed that America’s voting system is far more vulnerable to attack than most people realized. Whether the attackers are hostile nations like Russia (which could well try it again even though President Trump has raised the issue with President Vladimir Putin of Russia) or hostile groups like ISIS, the threat is very real. The New York Times, July 8, 2017

Internet of Things

The Threat From Weaponized IoT Devices: It’s Bigger Than You Think!: IoT devices, such as smart meters, smart watches and building automation systems, are prolific. You may think that compromised IoT devices pose a danger only to the devices’ owners — for example, it’s easy to understand the privacy violation of an attacker viewing a web camera feed without the owner’s permission. SecurityIntelligence, July 20, 2016

Cyber Sunshine

Darknet Marketplace AlphaBay Offline Following Raids: A joint law enforcement investigation involving the United States, Canada and Thailand appears to have resulted in the takedown of the world’s largest darknet marketplace, called AlphaBay. Meanwhile, one of its alleged operators has been found dead in a Bangkok jail cell. BankInfoSecurity, July 14, 2017

Cyber Miscellany

Pew Report: Whose job is it to keep us safe from online harassment?: A new report has found that 41% of Americans have personally experienced online harassment, 66% have seen it directed to others, and 62% consider it a major problem. Naked Security, July 14, 2017

The post Cyber Security News of the Week, July 16, 2017 appeared first on Citadel Information Group.


Cyber Security News for the Week, July 2, 2017

from our friends at Citadel Information Group

Individuals at Risk

Cyber Update

Make sure your Skype is up to date because there’s a nasty hole in it: Infosec researchers have discovered a nasty and exploitable security vulnerability in older versions of Skype on Windows. The Register, June 27, 2017

Information Security Management in the Organization

Information Security Management and Governance

Middle-Market Companies Require a Customized Approach for Successful Cybersecurity: Middle-market companies have cultures, goals and business needs that are distinct from larger firms, and nowhere is that more true than with cybersecurity. Michael Gold, Jeffer Mangels Butler & Mitchell and SecureTheVillage Leadership Council, Cybersecurity Lawyer Forum, June 26, 2017

Cyber Warning

A Cyberattack ‘the World Isn’t Ready For’: NEWARK — There have been times over the last two months when Golan Ben-Oni has felt like a voice in the wilderness. The New York Times, June 22, 2017

Cyber Defense

Wannacry Attack: Enterprise Security Focus Must Include Rapid Threat Detection & Culture Change: The WannaCry ransomware attack shows patching and perimeter defenses aren’t enough. Enterprises should combine preventative measures with threat detection tactics. DarkReading, June 29, 2017

10 Immutable Laws of Security Administration – Originally Published November 2000. Still Accurate: We recently published the 10 Immutable Laws of Security, a listing of ten facts of life regarding computer security. We realized that administrators have their own set of immutable laws, one that’s entirely separate from the list for users. So, we canvassed the network administrators, security gurus, and other folks here at Microsoft, and developed the list that follows, which encapsulates literally hundreds of years of hard-earned experience. Microsoft Technet, November 2000

Cyber Update

Microsoft Issues ‘Important’ Security Fix for Azure AD Connect: Microsoft is warning customers of a bug in its Azure Active Directory Connect product that could allow an adversary to escalate privileges and reset passwords and gain unauthorized access to user accounts. ThreatPost, June 28, 2017

Cyber Law

New Chinese Cybersecurity Law and Regulations Advisory: On Monday, June 26, 2017, Alston & Bird’s Kim Peretti, Justin Hemmings, and Emily Poole issued an advisory on recent changes in Chinese Cybersecurity Law. The new law asserts greater control over all data collection and generation in China, as well as the processing of data from Chinese data subjects. While the law entered into force on June 1, 2017, there is still uncertainty as to how the law will be interpreted and enforced, including which companies are subject to the law. Alston & Bird, June 26, 2017

$115 Million Settlement in Massive Anthem Breach Case: Health insurer Anthem has agreed to a proposed $115 million deal to settle a class action lawsuit over a 2015 cyberattack that resulted in a breach affecting nearly 78.9 million individuals. HealthcareInfo Security, June 23, 2017

Cyber Security in Society

Cyber Crime

How Hollywood Got Hacked: Studio at Center of Netflix Leak Breaks Silence: Larson Studios president Rick Larson and his wife and business partner, Jill Larson, didn’t recognize the number that sent them these two short text messages via their personal cell phones two days before Christmas last year, so they simply ignored them. “We didn’t really think much of them,” said Jill Larson. Variety, June 20, 2017

Cyber Privacy

Should Vault 7 and the Shadow Brokers End the Encryption Debate?: When law enforcement argues it needs a “backdoor” into encryption services, the counterargument has typically been that it would be impossible to limit such access to one person or organization. If you leave a key under the doormat, a seminal 2015 paper argues, a burglar eventually finds it. And now recent events suggest an even simpler rebuttal: Why entrust a key to someone who gets robbed frequently? Wired, June 30, 2017

Who’s watching? Face recognition means goodbye to hiding in crowds: Governments, retailers and social networks are driving multiple-use scenarios toward ubiquitous facial recognition capability, a technology that’s moved out of the realm of fiction and Hollywood (George Orwell’s novels, or Mission Impossible, Bourne Ultimatum, Minority Report or Matrix Reloaded) into the realm of everyday acceptance. NakedSecurity, June 29, 2017

Cyber Attack

Malware attack mangles Monticello operations: Thomas Jefferson’s Monticello was hit by a ransomware attack this week that hampered the historic home’s electronic systems. The Daily Progress, June 29, 2017

Law Firm DLA Piper Reels Under Cyber Attack, Fate of Files Unclear: A prominent global law firm, which has touted its expertise on cybersecurity, is still struggling to recover from vicious computer attacks unleashed on Tuesday by hackers. Fortune, June 29, 2017

Tuesday’s massive ransomware outbreak was, in fact, something much worse: Tuesday’s massive outbreak of malware that shut down computers around the world has been almost universally blamed on ransomware, which by definition seeks to make money by unlocking data held hostage only if victims pay a hefty fee. Now, some researchers are drawing an even bleaker assessment—that the malware was a wiper with the objective of permanently destroying data. ars technica, June 28, 2017

Massive cyberattack hits Europe with widespread ransom demands: MOSCOW — A new wave of powerful cyberattacks hit Europe and beyond on Tuesday in a possible reprise of a widespread ransomware assault in May. Affected were a Russian oil giant, a Danish shipping and energy conglomerate, and Ukrainian government ministries, which were brought to a standstill in a wave of ransom demands. The virus even downed systems at the site of the former Chernobyl nuclear power plant, forcing scientists to monitor radiation levels manually. The Washington Post, June 27, 2017

Several Ohio government websites hacked Sunday afternoon apparently by supporters of Islamic state: DAYTON, Ohio (WDTN) – An investigation is underway Sunday after seven Ohio government websites were hacked. Now, officials are trying to figure who exactly is behind it. WDTN, June 25, 2017

National Cyber Security

Questions re WSJ Story That GOP Operative Sought Clinton Emails From Hackers, Implying Flynn Connection: You’ve no doubt seen the Wall Street Journal article about the GOP operative and money man who assembled a team to get a hold of Russia-hacked Clinton emails and claimed he was working in concert with disgraced Trump advisor Mike Flynn. From my read, this is one of those articles which is as interesting for what it doesn’t say as what it does. It raises all sorts of questions, a number of which the Investigations Desk will be digging into today. TalkingPointsMemo, June 30, 2017

Despite Hacking Charges, U.S. Tech Industry Fought to Keep Ties to Russia Spy Service: WASHINGTON/MOSCOW — As U.S. officials investigated in January the FSB’s alleged role in election cyber attacks, U.S. technology firms were quietly lobbying the government to soften a ban on dealing with the Russian spy agency, people with direct knowledge of the effort told Reuters. The New York Times, June 30, 2017

Kaspersky Lab Faces More U.S. Scrutiny Over Potential Russian Govt. Influence: Lawmaker proposes ban on DoD use of Moscow-based security vendor’s products. DarkReading, June 29, 2017

Stewart Baker Discusses Russia Election Cyberattack w Washington Post’s Ellen Nakashima: Our guest, Ellen Nakashima, was coauthor of a Washington Post article that truly is a first draft of history, though not a chapter the Obama administration is likely to be proud of. She and Greg Miller and Adam Entous chronicle the story of Russia’s information operations attack on the 2016 presidential election. Steptoe Cyberblog, June 26, 2017

Cyber Liberty

‘Our Phones Are Being Monitored’: How a Hacking Story Unfurled: Azam Ahmed: One morning earlier this year, I got a call from Mario E. Patrón, a prominent human rights lawyer in Mexico. He wanted to talk in person. When he arrived at The New York Times’s Mexico bureau, he took a seat in the conference room and asked me for my phone. He then collected the phones of everyone else in the room, walked them outside and placed them in our lobby. Out of earshot. “Our phones are being monitored,” he told me. The New York Times, June 19, 2017

Using Texts as Lures, Government Spyware Targets Mexican Journalists and Their Families: MEXICO CITY — Mexico’s most prominent human rights lawyers, journalists and anti-corruption activists have been targeted by advanced spyware sold to the Mexican government on the condition that it be used only to investigate criminals and terrorists. The New York Times, June 19, 2017

Cyber Medical

Fears of hackers targeting US hospitals, medical devices for cyber attacks: Cybersecurity experts are rushing to analyze the new ransomware known by some as “Petya” that quickly spread to countries around the world Tuesday, including the United States, with hackers holding computers hostage for ransom payouts. ABC News, June 29, 2017


Cyber Security Vulnerability and Patch Report, July 2, 2017

From our friends at Citadel Information Group

Important Security Updates

Avast: Avast! Free Antivirus has released version 17.5.2302. Updates are available on Avast’s website. Avast! has also released updates for Premier Antivirus, Pro Antivirus and Internet Security.

AxCrypt: AxCrypt has released version 2.1.1513.0. Updates are available from AxCrypt’s website.

Dropbox: Dropbox has released version 29.4.20 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]

Google Chrome: Google has released Google Chrome version 59.0.3071.115. Updates are available from within the browser or from Google Chrome’s website.

Mozilla Firefox: Mozilla has released version 54.0.1. Updates are available within the browser or from Mozilla’s website.

Opera: Opera has released version 46.0.2597.32. Updates are available from within the browser or from Opera’s website.

Skype: Skype has released Skype 7.38.0.101. Updates are available from the program or Skype’s website.

Viber: Viber has released version 6.8.5.1318 for Windows. Updates are available on Viber’s website.

Current Software Versions

Adobe Flash 26.0.0.131

Adobe Reader DC 17.009.20044

Dropbox 29.4.20 [Citadel warns against relying on security of Dropbox or other cloud-based file exchange systems. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the master Dropbox [or other] password be at least 15 characters long and different from other passwords.]

Firefox 54.0.1 [Windows]

Google Chrome 59.0.3071.115

Internet Explorer 11.0.9600.18639

Java SE 8 Update 131 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

Microsoft Edge 40.15063.0.0

QuickTime 7.7.9 [Citadel recommends removing QuickTime. On April 14, 2016 US-CERT advised Microsoft Windows users to remove QuickTime. This followed a report in ars technica that Apple has no plans to update the Windows app despite at least two reliable QuickTime vulnerabilities that threaten Windows users who still have the program installed.]

Safari 10.1.1 [Mac OS X Mavericks, Yosemite, El Capitan]

Skype 7.38.0.101

For Your IT Department

Cisco Multiple Products: Cisco has released updates to address vulnerabilities in SNMP, Firepower Management Center, WebEx Network Recording Player, IOS XR Software and others. Apply updates. Additional details are available at Cisco’s website.

TeamViewer: TeamViewer has released version 12.1.13180.0. Updates are available from TeamViewer’s website.

*******************

If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Copyright © 2017 Citadel Information Group. All rights reserved.

Jeff Snyder's SecurityRecruiter.com Security Recruiter Blog, 719.686.8810

Cyber Security Vulnerability and Patch Report, June 25, 2017

Cybersecurity Vulnerability and Patch Report

From our friends at Citadel Information Group

Weekend Vulnerability and Patch Report, June 25, 2017

Important Security Updates

Apple Remote Desktop: Apple has released Apple Remote Desktop 3.9.3. Updates are available from within the browser or from Apple’s website.

Google Chrome: Google has released Google Chrome version 59.0.3071.100. Updates are available from within the browser or from Google Chrome’s website.

LastPass: LastPass has released version 4.1.55 for its Free Password Manager. Updates are available from LastPass’ website.

Opera: Opera has released version 46.0.2597.26. Updates are available from within the browser or from Opera’s website.

RoboForm: Siber Systems has released Version 8.3.7. Updates are available from within the program or from RoboForm’s website.

Current Software Versions

Adobe Flash 26.0.0.131

Adobe Reader DC 2017.009.20044

Dropbox 28.4.14 [Citadel warns against relying on security of Dropbox or other cloud-based file exchange systems. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the master Dropbox [or other] password be at least 15 characters long and different from other passwords.]

Firefox 54.0 [Windows]

Google Chrome 59.0.3071.109

Internet Explorer 11.0.9600.18639

Java SE 8 Update 131 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

Microsoft Edge 40.15063.0.0

QuickTime 7.7.9 [Citadel recommends removing QuickTime. On April 14, 2016 US-CERT advised Microsoft Windows users to remove QuickTime. This followed a report in ars technica that Apple has no plans to update the Windows app despite at least two reliable QuickTime vulnerabilities that threaten Windows users who still have the program installed.]

Safari 10.1.1 [Mac OS X Mavericks, Yosemite, El Capitan]

Skype 7.37.0.103

For Your IT Department

Cisco Multiple Products: Cisco has released updates to address vulnerabilities in Virtualized Packet Core-Distributed Instance (VPC-DI), WebEx Network Recording Player, Prime Infrastructure and Evolved Programmable Network Manager, Wide Area Application Services, Unified Contact Center Express, Prime Infrastructure Web Framework, Prime Collaboration Provisioning Tool, Identity Services Engine, IOS XR, Firepower Management Center, SocialMiner, StarOS for ASR 5000 Series Routers, OpenSSL Affecting Cisco Products and others. Apply updates. Additional details are available at Cisco’s website.

McAfee: McAfee has released updates to address vulnerabilities in Web Gateway, Data Loss Prevention and others. Additional details are available on McAfee’s website.


Cyber Security News of the Week, June 25, 2017

Cyber Security News

from our friends at Citadel Information Group

Individuals at Risk

Identity Theft

Employment-related identity theft much bigger than previously thought: The number of victims of employment-related identity theft is far larger than previously estimated and the Internal Revenue Service’s processes aren’t able to keep up, according to a new report. AccountingToday, June 22, 2017

Cyber Privacy

Republican Data Broker Exposes 198M Voter Records: Name, Address, Religion, TV Habits, Politics, etc: In what is the largest known data exposure of its kind, UpGuard’s Cyber Risk Team can now confirm that a misconfigured database containing the sensitive personal details of over 198 million American voters was left exposed to the internet by a firm working on behalf of the Republican National Committee (RNC) in their efforts to elect Donald Trump. The data, which was stored in a publicly accessible cloud server owned by Republican data firm Deep Root Analytics, included 1.1 terabytes of entirely unsecured personal information compiled by DRA and at least two other Republican contractors, TargetPoint Consulting, Inc. and Data Trust. In total, the personal information of potentially near all of America’s 200 million registered voters was exposed, including names, dates of birth, home addresses, phone numbers, and voter registration details, as well as data described as “modeled” voter ethnicities and religions. UpGuard, June 23, 2017

Cyber Warning

Beware this Android banking malware posing as a software update: Latest version of the mobile malware can steal login credentials from at least 40 banking, retail and social media apps. ZDNet, June 23, 2017

More Android apps from dangerous Ztorg family sneak into Google Play: For the second time this month, Google has removed Android apps from its Google Play marketplace. Google did so after a security researcher found the apps contained code that laid the groundwork for attackers to take administrative “root” control of infected devices. ars technica, June 20, 2017

Information Security Management in the Organization

Information Security Management and Governance

Talking Cyber-Risk with Executives: Explaining risk can be difficult since CISOs and execs don’t speak the same language. The key is to tailor your message for the audience. DarkReading, June 23, 2017

Wells Fargo CISO describes risk-managed approach to 4 types of cybersecurity threats: Banks have long been forced to the front lines of cybersecurity and at the 2017 Borderless Cyber event, the CISO of Wells Fargo explained how to pick your battles. TechRepublic, June 22, 2017

Cybersecurity: How Business Is Protecting Itself: Business is under assault from cybercriminals like never before, and the cost to companies is exploding. Here’s what you need to know about safeguarding your digital assets. Fortune, June 22, 2017

IBM’s Etay Maor: Information security strategies to keep up with Cybercrime: IBM’s Etay Maor believes businesses must rethink their approach to cybercrime and offers suggestions for how they can protect themselves. TechRepublic, June 21, 2017

The Chief Information Security Officer: Traditionally, CPAs have considered the chief financial officer (CFO) as the guardian of a business’s organizational data. It was and remains the CFO’s responsibility to maintain a system of internal controls that provides reliance for the accuracy and integrity needed to prepare and attest to the financial statements. These statements and the accompanying opinion continue to be relied on by stakeholders when making financial decisions. The increasing use of rapidly developing technology, software obsolescence, and the change in user preference from desktop to mobile computing platforms have created the need for a new type of data guardian responsible for protecting all types of information in a digital world. The chief information security officer (CISO) is the person performing this role in many organizations and has become an important consideration for CPAs, both in traditional auditing and advisory services. CPA Journal, June 2017

Cyber Defense

Defenders use bugs in Remote Admin Trojans to hack attackers: A small number of Remote Administration Tools have vulnerabilities which can enable attack targets to turn the tables on threat actors. DarkReading, June 23, 2017

Different sites need different passwords. Hackers still sell passwords from 2012 LinkedIn breach: Thousands of passwords belonging to British officials are being traded among Russian hackers, according to a report. CNet, June 22, 2017

Ready To Connect, But Is Your IP PBX Secure?: With the emergence of IP telephony in recent years, VoIP in the workplace is becoming something of the norm. Unified communications can be found in use throughout the business world, uniting branch offices across the globe, creating consolidated business platforms. ITSP Magazine, June 2017

Cyber Talent

Cybersecurity job market to suffer severe workforce shortage: The global cybercrime epidemic – predicted to cost the world $6 trillion annually by 2021 – is creating an unprecedented shortage of cybersecurity workers. CSO, June 22, 2017

Cyber Security in Society

Cyber Attack

Cyber-attack on parliament leaves MPs unable to access emails: Parliament has been hit by a “sustained and determined” cyber-attack by hackers attempting to gain access to MPs’ and their staffers’ email accounts. Both houses of parliament were targeted on Friday in an attack that sought to gain access to accounts protected by weak passwords. The Guardian, June 25, 2017

Cyber Crime

New FBI Online Crime Report Indicates Few Victims Report Ransomware Attacks to FBI: Ransomware may have been the most prevalent internet threat of 2016, and WannaCry certainly made it a mainstream conversation, but that doesn’t mean people are reporting incidents to law enforcement. Threatpost, June 23, 2017

FBI: Extortion, CEO Fraud Among Top Online Fraud Complaints in 2016: Online extortion, tech support scams and phishing attacks that spoof the boss were among the most costly cyber scams reported by consumers and businesses last year, according to new figures from the FBI’s Internet Crime Complaint Center (IC3). KrebsOnSecurity, June 23, 2017

Web host agrees to pay $1m after it’s hit by Linux-targeting ransomware: A Web-hosting service recently agreed to pay $1 million to a ransomware operation that encrypted data stored on 153 Linux servers and 3,400 customer websites, the company said recently. ars technica, June 19, 2017

Cyber Espionage

WikiLeaks: How the CIA infects air-gapped networks: Documents published Thursday purport to show how the Central Intelligence Agency has used USB drives to infiltrate computers so sensitive they are severed from the Internet to prevent them from being infected. ars technica, June 22, 2017

Know Your Enemy

Threat Intelligence Identifies Social Engineering, Malicious Spam, and Malvertising as Major Threats: Good news: Exploit kits remain in decline, thanks in large part to concerted efforts to disrupt their efficacy. Unfortunately, criminals are focusing instead on social engineering attacks – including tech-support scams – and malicious spam campaigns as malware distribution mechanisms, as noted by Brad Duncan, a threat intelligence analyst for the Unit 42 security research group at Palo Alto Networks, in a Wednesday blog post. BankInfoSecurity, June 22, 2017

Explainer: How malware gets inside your apps: Malicious software on popular mobile platforms such as iOS and Android is at best a nuisance and at worst a security threat to individuals and businesses. GCN, June 22, 2017

Why So Many Top Hackers Hail from Russia: Conventional wisdom says one reason so many hackers seem to hail from Russia and parts of the former Soviet Union is that these countries have traditionally placed a much greater emphasis than educational institutions in the West on teaching information technology in middle and high schools, and yet they lack a Silicon Valley-like pipeline to help talented IT experts channel their skills into high-paying jobs. This post explores the first part of that assumption by examining a breadth of open-source data. KrebsOnSecurity, June 22, 2017

National Cyber Security

Former Obama intelligence official: Russian hack ‘the political equivalent of 9/11’: Former President Barack Obama’s top intelligence official at the Pentagon said Saturday that the Russian interference in the 2016 elections was “the political equivalent of 9/11.”  Michael Vickers, who served as Obama’s undersecretary of defense, said in an interview with NBC News that there’s little evidence of a response from the Trump administration to protect the next election. The Hill, June 24, 2017

Homeland Security official: Russian government actors tried to hack election systems in 21 states: People connected to the Russian government tried to hack election-related computer systems in 21 states, a Department of Homeland Security official testified Wednesday. The Washington Post, June 21, 2017

Cyber Law

Appellate Court to Rule on FTC’s Case vs. LabMD: The long-running data security dispute between cancer testing laboratory LabMD and the Federal Trade Commission is now in the hands of a panel of three federal appellate court judges who heard oral arguments this week. They will make a ruling later this year in the case, which dates back to 2013. BankInfoSecurity, June 22, 2017

Critical Infrastructure

Senators Push Trump for Answers on Power Grid Malware Attack: In one of his first public statements on his priorities as president, Donald Trump promised to develop a “comprehensive plan to protect America’s vital infrastructure from cyberattacks.” That has not yet materialized. And as new evidence has emerged that a piece of sophisticated malware caused a blackout in the Ukrainian capital last December, one group of senators wants answers now about the threat of Russian grid-hacking. Wired, June 22, 2017

The post Cyber Security News of the Week, June 25, 2017 appeared first on Citadel Information Group.


Cyber Security Vulnerability and Patch Report, June 18, 2017

Weekend Vulnerability and Patch Report, June 11, 2017

From our friends at Citadel Information Group

Important Security Updates

Adobe Flash Player: Adobe has released version 26.0.0.131. Updates are available from Adobe’s website. To see which version you have, go to Adobe’s web page.

Adobe Shockwave Player: Adobe has released version 12.2.9.199 of Shockwave Player running on Windows and Macintosh. Updates are available through the program or from Adobe’s Shockwave Web Site.

Avira Free Antivirus: Avira has released version 15.0.27.34 of its free Antivirus. Updates are available from Avira’s website.

AxCrypt: AxCrypt has released version 2.1.1509.0. Updates are available from AxCrypt’s website.

Comodo Free Firewall: Comodo has released version 10.0.1.6246 of its free firewall and antivirus. Updates are available from Comodo’s website.

Dropbox: Dropbox has released version 28.4.14 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]

Google Chrome: Google has released Google Chrome version 59.0.3071.104. Updates are available from within the browser or from Google Chrome’s website.

Microsoft Patch Tuesday: Microsoft’s Patch Tuesday released updates to address almost a hundred vulnerabilities, some of which are highly critical within Windows operating systems, Microsoft Edge, Internet Explorer, Office, and other Microsoft products. Additional details are available at Microsoft’s website.

Mozilla Firefox: Mozilla has released version 54.0. Updates are available within the browser or from Mozilla’s website.

Opera: Opera has released version 45.0.2552.898. Updates are available from within the browser or from Opera’s website.

Piriform CCleaner: Piriform has released version 5.31.6105 for CCleaner. Updates are available from Piriform’s website.

Viber: Viber has released version 6.8.2.878 for Windows. Updates are available on Viber’s website.

Current Software Versions

Adobe Flash 26.0.0.131

Adobe Reader DC 2017.009.20044

Dropbox 28.4.14 [Citadel warns against relying on security of Dropbox or other cloud-based file exchange systems. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the master Dropbox [or other] password be at least 15 characters long and different from other passwords.]

Firefox 54.0 [Windows]

Google Chrome 59.0.3071.104

Internet Explorer 11.0.9600.18639

Java SE 8 Update 131 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

Microsoft Edge 40.15063.0.0

QuickTime 7.7.9 [Citadel recommends removing QuickTime. On April 14, 2016 US-CERT advised Microsoft Windows users to remove QuickTime. This followed a report in ars technica that Apple has no plans to update the Windows app despite at least two reliable QuickTime vulnerabilities that threaten Windows users who still have the program installed.]

Safari 10.1.1 [Mac OS X Mavericks, Yosemite, El Capitan]

Skype 7.37.0.103

For Your IT Department

Cisco Multiple Products: Cisco has released updates to address vulnerabilities in Samba which is affecting Cisco Products and others. Apply updates. Additional details are available at Cisco’s website.

WordPress: WordPress has released version 4.8. Apply updates. Additional details are available on WordPress’ website.


Cyber Security News of the Week, June 18, 2017

Cyber Security News

from our friends at Citadel Information Group

Individuals at Risk

Cyber Update

Microsoft, Adobe Ship Critical Fixes: Microsoft today released security updates to fix almost a hundred flaws in its various Windows operating systems and related software. One bug is so serious that Microsoft is issuing patches for it on Windows XP and other operating systems the company no longer officially supports. Separately, Adobe has pushed critical updates for its Flash and Shockwave players, two programs most users would probably be better off without. KrebsOnSecurity, June 13, 2017

Cyber Defense

Victims of Jaff and EncrypTile ransomware: New decryptors can get your files back: Ransomware victims can take advantage of two new tools released by security firms that can recover data for free. As a result, victims won’t even have to consider whether they should pay criminals a ransom in an attempt to recover their forcibly encrypted data. BankInfoSecurity, June 15, 2017

Cyber Warning

New Android malware Xavier quietly steals your data: Trend Micro has discovered a new Trojan malware that is pretty nasty. The security analysts identified the malware as “ANDROIDOS_XAVIER.AXM” or Xavier for short. It is an ad library that quietly sends user data to a remote server. What makes it so nasty is the methods it uses to cover its tracks and disguise its activities. Techspot, June 16, 2017

Login-stealing phishing sites targeting Android users conceal their evil with lots of hyphens in URL: Researchers at PhishLabs recently spotted a trend emerging in malicious websites presented to customers: mobile-focused phishing attacks that attempt to conceal the true domain they were served from by padding the subdomain address with enough hyphens to push the actual source of the page outside the address box on mobile browsers. ars technica, June 15, 2017

Information Security Management in the Organization

Cyber Warning

Fileless malware targeting US restaurants undetected by anti-virus programs: Researchers have detected a brazen attack on restaurants across the United States that uses a relatively new technique to keep its malware undetected by virtually all antivirus products on the market. ars technica, June 14, 2017

Cyber Defense

Three Key Factors in Building a Strong Application Security Program: Organizations need to put more time, resources, and care into building and implementing their application security programs. In a recent survey we conducted of 28 large, mostly North American financial institutions, 75% of respondents stated that they regarded application security as a high or critical priority. DarkReading, June 16, 2017

Cyber Career

Lack of Experience Biggest Obstacle for InfoSec Career: A majority of wanna-be infosec professionals find they need more experience to be a contender to enter this career, according to a recent Tripwire poll. DarkReading, June 16, 2017

Want a career in cybersecurity? Here are 10 jobs to explore: There are currently 1 million open cybersecurity jobs worldwide. Here are 10 different career options to investigate in the field. TechRepublic, June 15, 2017

Cyber Security in Society

Cyber Crime

Credit Card Breach at Buckle Stores: The Buckle Inc., a clothier that operates more than 450 stores in 44 U.S. states, disclosed Friday that its retail locations were hit by malicious software designed to steal customer credit card data. The disclosure came hours after KrebsOnSecurity contacted the company regarding reports from sources in the financial sector about a possible breach at the retailer. KrebsOnSecurity, June 17, 2017

Canadian Mining & Casino Industries Extortion Victims of Newly Identified Cybercrime Gang, FIN10: Previously unknown threat actor has extracted hundreds of thousands of dollars from Canadian companies in a vicious cyberattack campaign that dates back to 2013, FireEye says. DarkReading, June 16, 2017

Cyber Privacy

Backlash emerges against changed ISP privacy rules as states & some in Congress fight back: Since Congress voted to prevent the implementation of new ISP privacy protections there has been a committed and sometimes loud call for new rules. The fear is, without adequate safeguards in place, ISPs will be free to build detailed customer profiles that include names, addresses and online activities. That data can then be sold to, or used by, an advertiser without the user’s consent. ThreatPost, June 16, 2017

Cyber Attack

WannaCry severely flawed, made little money for hackers. Was it released prematurely?: Coding and implementation mistakes made by the WannaCry developers may have spared a good chunk of the world some grief on May 12, but they also lend credence to the theory that the ransomware wasn’t contained properly and spread before it was meant to be unleashed. ThreatPost, June 16, 2017

Cyber Defense

Essential Security Hygiene for a Technology Craving Society: For almost 30 years, I’ve had the privilege to defend some of the most important critical infrastructure organizations in the communications, critical manufacturing, information technology, and financial services sectors that touch people’s daily lives in some way. ITSP Magazine, June 2016

Raising Security Awareness Essential for a Technology Craving Society: Even if you’re not a big fan of government being too heavily involved, think about food safety. When you go to a restaurant, you know that the Department of Health has assessed it by their grading report, which is posted in the front window, and if you go to a restaurant that has failed, you’ll know it because they’ll be closed. If you look at public health and safety on a larger scale, there are global organizations like the Center of Disease Control that support worldwide health needs. ITSP Magazine, June 2016

Know Your Enemy

Inside a Porn-Pimping Spam Botnet: For several months I’ve been poking at a decent-sized spam botnet that appears to be used mainly for promoting adult dating sites. Having hit a wall in my research, I decided it might be good to publish what I’ve unearthed so far to see if this dovetails with any other research out there. KrebsOnSecurity, June 15, 2017

National Cyber Security

Wikileaks Alleges Years of CIA D-Link and Linksys Router Hacking Via ‘Cherry Blossom’ Program: Wikileaks released details of what it claims is a CIA-developed wireless router hacking program targeting home wireless routers and business wireless networks. The program is called Cherry Blossom and leverages custom router firmware called FlyTrap, according to the organization’s latest leak posted Thursday. ThreatPost, June 16, 2017

North Korea’s Sloppy, Chaotic Cyberattacks Also Make Perfect Sense: North Korea is arguably the least-understood nation on the planet. And that also applies to its state-sponsored hackers whose global cyberattacks have been almost as erratic and inscrutable as the government they work for. They hide behind strange front groups and fake extortion schemes. They steal tens of millions of dollars, a kind of digital profiteering more common among organized criminals than government cyberspies. And they’re now believed to have launched WannaCry, the ransomware that sparked an indiscriminate global crisis, with almost no apparent benefit to themselves. Wired, June 16, 2017

US Government issues detailed advisory, warns of North Korean Hacking: The U.S. government on Wednesday issued its most direct and technically detailed advisory about North Korea’s hacking activity to date, warning that the country continues to target U.S. media, aerospace, financial and critical infrastructure sectors. BankInfoSecurity, June 15, 2017

Georgia election system found rife with vulnerabilities weeks before crucial special election: To understand why many computer scientists and voting rights advocates don’t trust the security of many US election systems, consider the experience of Georgia-based researcher Logan Lamb. Last August, after the FBI reported hackers were probing voter registration systems in more than a dozen states, Lamb decided to assess the security of voting systems in his state. What he found should make you very concerned about the integrity of the Georgia election system. ars technica, June 14, 2017

US Cybersecurity in Need of Rapid Repair, Senators Told: Cybersecurity in the United States is in a severe state of disrepair, leaving the country vulnerable to attack from hacking groups backed by its opponents, two witnesses testified in a Senate subcommittee hearing Tuesday. Rollcall, June 14, 2017

Washington Post reports NSA has linked the WannaCry computer worm to North Korea: The National Security Agency has linked the North Korean government to the creation of the WannaCry computer worm that affected more than 300,000 people in some 150 countries last month, according to U.S. intelligence officials. The Washington Post, June 14, 2017

Russian Cyber Hacks on U.S. Electoral System Far Wider Than Previously Known: Russia’s cyberattack on the U.S. electoral system before Donald Trump’s election was far more widespread than has been publicly revealed, including incursions into voter databases and software systems in almost twice as many states as previously reported. Bloomberg, June 13, 2017

Trump-Comey Feud Eclipses a Warning on Russia: ‘They Will Be Back’: WASHINGTON — Lost in the showdown between President Trump and James B. Comey that played out this past week was a chilling threat to the United States. Mr. Comey, the former director of the F.B.I., testified that the Russians had not only intervened in last year’s election, but would try to do it again. The New York Times, June 10, 2017

Stewart Baker Discusses Online Censorship w NY Times David Sanger: Episode 168 features the Tinkers-to-Evers-to-Chance of global censorship, as Filipino contractors earning minimum wage delete posts in order to satisfy US tech companies who are trying to satisfy European governments. In addition to Maury Shenk, our panel of interlocutors includes David Sanger, Chief Washington Correspondent for the New York Times, and Karen Eltis, Professor of Law at the University of Ottawa. Even if you think that reducing Islamic extremist proselytizing on line is a good idea, I conclude, that’s not likely to be where the debate over online content ends up. Indeed, even today, controls on hate speech are aimed more at tweets that sound like President Trump than at extremist recruiting. Bottom line: no matter how you slice it, the first amendment is in deep trouble. Steptoe Cyberblog, June 5, 2017

Cyber Medical

Now doctors need to be hackers, too: As far as anyone knows, there hasn’t been a real-life hack attack on someone’s pacemaker. Which is surprising. Security researchers have shown us that it’s a very real possibility. Even the FTC has been urging connected-medical-device makers to adopt security best practices, with multiple 2017 reports stressing the issue. engadget, June 16, 2017

Cybersecurity for healthcare a “public health concern,” task force says: A federal task force called healthcare cybersecurity a “public health concern” that needs “immediate and aggressive attention,” and said increased digital connectivity places a greater responsibility on healthcare organizations to secure their equipment and patient data. HealthITPulse, June 16, 2017

Critical Infrastructure

Cyber crime: a ticking time bomb for municipalities & muni bond market: A rise in cyber attacks on U.S. public sector targets so far has had little impact in the $3.8 trillion municipal debt market, but interested parties are starting to take notice of the possible financial risks associated with an attack. Reuters, June 14, 2017

‘Crash Override’: The Malware That Took Down a Power Grid: At midnight, a week before last Christmas, hackers struck an electric transmission station north of the city of Kiev, blacking out a portion of the Ukrainian capital equivalent to a fifth of its total power capacity. The outage lasted about an hour—hardly a catastrophe. But now cybersecurity researchers have found disturbing evidence that the blackout may have only been a dry run. The hackers appear to have been testing the most evolved specimen of grid-sabotaging malware ever observed in the wild. Wired, June 12, 2017

Cyber Education

Girl Scouts to add a cybersecurity badge in partnership with Palo Alto Networks: Your favorite cookie sellers are in training to become white hat hackers. Fortune, June 16, 2017

Internet of Things

IoTs Pose A Threat To Anything And Everyone Connected: A primer on challenges & defenses: Loosely defined, the Internet of Things (IoT) refers to the general idea of things that are readable, recognizable, locatable, addressable, and/or controllable via the Internet. It encompasses devices, sensors, people, data, and machines. As broad as the definition of IoT are the cybersecurity challenges that pose a threat to anything and everyone connected. A well thought out risk-management security posture for the evolving cybersecurity threats to IoT is an imperative. ITSP Magazine, June 2017

Cyber Sunshine

Engineer Sentenced to Prison for Hacking Utility, Disabling Water Meter-Readers: A Pennsylvania man is sentenced to more than a year in prison after hacking into a remote water meter reading system run by his former employer. Dark Reading, June 16, 2017

Jeff Snyder’s, SecurityRecruiter.com, Security Recruiter Blog, 719.686.8810

 

They Didn't Teach You These Skills Through Your Math, Computer Science or Engineering Degree

EQ vs IQ

Psychological research suggests that ±60% of a person's career success is connected to their Emotional Intelligence or Emotional Quotient (EI or EQ). The same research suggests that ±10% of a person's career success is connected to their Cognitive Intelligence or IQ.

In order to progress in any career, what initially gets you going and what gets you to a certain level of success is frequently going to be a different skill set than the skill set you need to continue progressing.

The skill set required to progress in any career

Here are some specific examples. This is what the business is currently asking for from the Director to the “C” Suite in technology job descriptions. Every trait or skill mentioned below that can be measured can be improved upon if a person is naturally gifted with a specific trait.

For some skills or traits, you either have them or you don't. We're all wired differently and we all have potential to deliver a great performance. It's simply a matter of figuring out how a person is uniquely wired and then aligning them with the right work to maximize their performance.

Notice that most of the traits or skills mentioned below are people skills or soft skills.

  • Leadership Presence (can be developed)
  • Leadership that is both Visionary and Strategic (can be measured)
  • Leadership that inspires people (influencing skills can be measured)
  • Thought Leadership (can be measured)
  • Deep Problem Solving Skills (can be measured)
  • Complex Analysis Skills (can be measured)
  • Excellent Verbal Communication Skills (can be learned)
  • Excellent Written Communication Skills (can be learned)
  • Excellent Collaboration and Partnering Skills
  • Superior Presentation Delivery Skills
  • Integrator of People, Process and Technology
  • Change Management Skills
  • Consensus Building Skills
  • Budgeting Skills
  • Business Analysis Skills
  • Contract Negotiation Skills
  • Vendor Management Skills
  • There's more...this list just gets the discussion started!

It is a person’s cognitive skills that get them into an engineering degree program. It is their cognitive skill set that gets their technology career started. Cognitive skills are the skills the brain uses to think, read, learn, remember, reason, calculate and pay attention.

What you see in the list of employer requirements above requires some cognitive skills. Most of what is required to move beyond leaning almost purely on cognitive skills are emotional intelligence skills, soft skills or people skills.

These are the skills that when developed, enable us to lead, influence, persuade, mentor, manage, collaborate, build partnerships, negotiate contracts, manage vendor relationships and more.  Additionally, beyond what a person learns in engineering school, the further up the ladder one wishes to climb, roles require much more emphasis on business skills than on technical skills.

It's okay to not aspire to be in charge

At the Analyst, Engineer or Architect levels, development of the soft skills mentioned above will provide exponential return on investment to your career. Not everybody is built to lead, guide, mentor and grow other people and you shouldn't feel as if you have to move in a managerial direction in order to progress in your own career development.

In addition to people skills, there are also business skills mentioned above. Business skills in this case include the ability to read and interpret financial statements. The ability to present one’s case for technology in terms that a business audience can clearly understand without having to bring in an interpreter. The ability to speak to a CEO, COO, CFO, etc. in their language rather than your technology focused language.

When you invest in yourself to master skills that go above and beyond your IQ or cognitive skills alone, your career progression will go places.

Jeff Snyder’s, SecurityRecruiter.com, Security Recruiter Blog, 719.686.8810

 

The Art To Mastering An Interview

Interview Coaching

Interviewing is an art versus a science. There are no gimmicks. There are no tricks.

You have control over some of this communication but you’ll never have control over all the communication that occurs in an interview. Mastering an interview comes down to pure communication.

While you can prepare for an interviewer’s questions, you’ll never know exactly what will be asked of you in an interview. 

What you have 100% control over is what you choose to say during your interview.

  • You have complete control over knowing how to articulate what it is that you bring to the table in terms of skills.  Focus on skills that matter most to your interviewing audience.
  • You have control over the questions you ask in an interview. Ask questions about the company. Ask questions about the job itself. Ask the hiring manager to articulate his / her management style. Research shows that people leave bad manager relationships far more often than they leave because of larger company issues.
  • You have control over how you choose to articulate your past stories of accomplishment, contribution and value delivered to previous employers.
  • You have control over how you talk about past successes and past failures. You should use both successes and failures as opportunities for learning and growing. How you express what you’ve learned and how you’ve grown makes all the difference in an interview.
  • Those who strategically take interviewing to the next level invest in learning their unique personal strengths. They know how to articulate what they have potential to be great at and they know how to articulate what they should say “NO” to based on how they are wired.

Those who approach interviews with extreme Clarity, Confidence and Direction are the ones who get offers for the best jobs.

Jeff Snyder’s, SecurityRecruiter.com, Security Recruiter Blog, 719.686.8810

Cyber Security Vulnerability and Task Report, June 11, 2017

Cyber Security Vulnerability and Patch Report

Weekend Vulnerability and Patch Report, June 11, 2017

From our friends at Citadel Information Group

Important Security Updates

Google Chrome: Google has released Google Chrome version 59.0.3071.86. Updates are available from within the browser or from Google Chrome’s website.

KeePass: KeePass has released version 1.33 of its open source password manager. Updates are available from the KeePass website.

Apple Multiple Products: Apple has released updates to address vulnerabilities in macOS Sierra, MacBook Pro with Touch Bar Update, and others. Additional details are available on Apple’s website.

Skype: Skype has released Skype 7.37.0.103. Updates are available from the program or Skype’s website.

Current Software Versions

Adobe Flash 25.0.0.171

Adobe Reader DC 2017.009.20044

Dropbox 27.4.22 [Citadel warns against relying on security of Dropbox or other cloud-based file exchange systems. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the master Dropbox [or other] password be at least 15 characters long and different from other passwords.]

Firefox 53.0.3 [Windows]

Google Chrome 59.0.3071.86

Internet Explorer 11.0.9600.18639

Java SE 8 Update 131 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

Microsoft Edge 40.15063.0.0

QuickTime 7.7.9 [Citadel recommends removing QuickTime. On April 14, 2016 US-CERT advised Microsoft Windows users to remove QuickTime. This followed a report in ars technica that Apple has no plans to update the Windows app despite at least two reliable QuickTime vulnerabilities that threaten Windows users who still have the program installed.]

Safari 10.1.1 [Mac OS X Mavericks, Yosemite, El Capitan]

Skype 7.37.0.103

For Your IT Department

Cisco Multiple Products: Cisco has released updates to address vulnerabilities in FirePOWER System Software, NX-OS, Prime Data Center Network Manager, TelePresence Endpoint, AnyConnect, Ultra Services Platform, Ultra Services Framework, StarOS, IP Phone 8800 Series, Prime Collaboration Assurance, Network Convergence System 5500 Series Routers, Industrial Network Director, Firepower Management Center, Elastic Services Controller, Email Security Appliance, Email Security and Content Security Management Appliance, Unified Communications Domain Manager, Context Service and others. Apply updates. Additional details are available at Cisco’s website.

VMware: VMware has released updates for vSphere Data Protection (VDP). Updates are available from VMware’s website.

*******************

If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Copyright © 2017 Citadel Information Group. All rights reserved

The post Weekend Vulnerability and Patch Report, June 11, 2017 appeared first on Citadel Information Group.

Jeff Snyder’s, SecurityRecruiter.com, Security Recruiter Blog, 719.686.8810

Cyber Security News for the Week of June 11, 2017

Cyber Security News

 

from our friends at Citadel Information Group

Individuals at Risk

Cyber Defense

Google game teaches kids about online safety: Talking to kids about online safety is a difficult undertaking for many adults, and making the lessons stick is even harder. HelpNetSecurity, June 9, 2017

Cyber Warning

Say hello to Dvmap: The first Android malware with code injection: A powerful Android trojan with novel code injection features that posed as a game was distributed through the Google Play Store before its recent removal. The Register, June 9, 2017

Hackers exploit Intel chip management ‘feature’ to bypass security & install malware onto computers: Advanced attackers operating in Southeast Asia are abusing a feature in Intel chips to quietly load malware and exploits onto compromised machines. ThreatPost, June 9, 2017

Novel ‘mouse hovering’ malware delivery scheme in PowerPoint identified: Cybercriminals have started using a new technique to infect computers that only requires a victim place their cursor over a malicious hyperlink for the malware to be injected. SCMagazine, June 8, 2017

Information Security Management in the Organization

Information Security Management and Governance

Are Businesses Shortchanging Cybersecurity Or Shortchanging Change Itself?: At a recent private gathering of cybersecurity professionals, I watched how the conversation gravitated toward an analysis of two interesting facts: First, according to a survey commissioned by Gartner (paywall), businesses are increasing their cybersecurity budgets at a rate of 18%; second, data breaches increased at a rate of more than 40% from 2015 to 2016, based on a Bloomberg report. Forbes, June 9, 2017

Ponemon Study: While data breach has significant brand impact, 66% of IT says “not our responsibility”: Centrify, the leader in securing hybrid enterprises through the power of identity services, commissioned a new Ponemon research study that revealed data security breaches can negatively impact an entire organization — including sales, marketing and IT — and have a significant negative impact on company finances and shareholder value. Specifically, the study found that the stock value index of 113 companies declined an average of five percent the day the breach was disclosed and experienced up to a seven percent customer churn. What’s more, thirty-one percent of consumers impacted by a breach stated they discontinued their relationship with an organization that experienced a data breach. And while the study found a data breach has a significant impact on brand reputation, a surprising 66 percent of IT practitioners don’t believe their company’s brand is their responsibility. Centrify, May 15, 2017

Cyber Awareness

Successful Security? Stop Blaming Users: To encourage individuals to improve their security practices, begin by not blaming them. BankInfoSecurity, June 9, 2017

The Cybersecurity Brand: Nudging Towards Security (Touchpoints) – Part 5: What is a touchpoint? A touch point is a point of contact or interaction. Be it any organization, the Information Security team has a lot of user touch points. A few examples are classroom presentations, brown bag sessions, town halls, computer based training, awareness emails, newsletters, security forums and meetings, Intranet microsites, webinars, posters and screensavers. SANS, June 6, 2017

Cyber Defense

Your Information Isn’t Being Hacked, It’s Being Neglected: To stop customer information from being compromised, we must shore up the most vulnerable parts first, the day-to-day IT operations work that builds, configures, and changes systems. DarkReading, June 9, 2017

Don’t Wait for the Next WannaCry — IT Depts Need to Update SMB Protocol: Much has been written about WannaCry, and the security community has learned countless valuable lessons from the unprecedented ransomware attack. One thing that is seldom mentioned, however, is how to protect your infrastructure against future Server Message Block (SMB) exploits. SecurityIntelligence, June 9, 2017

BitSight Study: Outdated systems significantly increase likelihood of breach. Patch. Patch. Patch.: BitSight analyzed more than 35,000 companies from industries across the globe over the last year, to better understand the usage of outdated computer operating systems and Internet browsers, the time it took to update operating systems once a new release was made available, and how these practices correlate to data breaches. The data shows that there are large gaps in asset management programs across the globe. HelpNetSecurity, June 9, 2017

Cyber Update

VMware Patches Critical Vulnerabilities in vSphere Data Protection: VMware fixed two critical vulnerabilities in its vSphere Data Protection solution this week that could have allowed an attacker to execute commands on the virtual appliance, among other outcomes. ThreatPost, June 8, 2017

Cyber Insurance

How To Streamline The Cybersecurity Insurance Process: If you’ve ever suffered through the application process for cybersecurity insurance, you know that “suffered” is the right word because of a triple whammy. ITSP Magazine, June 2017

Cyber Career

Looking for a job in cybersecurity? Healthcare hiring is about to pick up: While the crisis in cybersecurity staffing grows, healthcare IT and HR executives could be in a good position to lure cybersecurity talent. HealthcareITNews, June 8, 2017

Cyber Security in Society

Know Your Enemy

Bitcoin Experts to Congress: Overseas Exchanges Are Enabling Cybercrime: Bitcoin and blockchain experts are urging US lawmakers to ramp up pressure on unlicensed offshore exchanges. CoinDesk, June 9, 2017

Move Over, Mirai: Persirai Now the Top IP Camera Botnet: The success of the massive Mirai botnet-enabled DDoS attacks of last year has spawned a lot of me-too malware designed to break into and exploit vulnerable Internet of Things devices. DarkReading, June 8, 2017

Russia is struggling to keep its cybercrime groups on a tight leash: Russia’s control of cybercrime groups that have come to play a part in its espionage activity is crumbling, according to Cybereason. The Register, June 6, 2017

You’ll never guess where Russian spies are hiding their control servers: A Russian-speaking hacking group that, for years, has targeted governments around the world is experimenting with a clever new method that uses social media sites to conceal espionage malware once it infects a network of interest. ars technica, June 6, 2017

Following the Money Hobbled vDOS Attack-for-Hire Service: A new report proves the value of following the money in the fight against dodgy cybercrime services known as “booters” or “stressers” — virtual hired muscle that can be rented to knock nearly any website offline. KrebsOnSecurity, June 6, 2017

National Cyber Security

Comey: Hundreds of Organizations Targeted by Russia: Former FBI Director James Comey’s testimony before the Senate Intelligence Committee on Thursday affirmed Russia’s cyber interference with the 2016 U.S. presidential election. While largely quiet about the ongoing investigation, Comey trickled a handful of new details that contribute to a broader picture of Russian hacking. BankInfoSecurity, June 9, 2017

Cyber Medical

Task force tells Congress health IT security is in critical condition: A congressionally mandated healthcare industry task force has published the findings of its investigation into the state of health information systems security, and the diagnosis is dire. ars technica, June 8, 2017

Critical Infrastructure

Infrastructure Software Vulnerabilities Raise Concern Among Cybersecurity Experts: (TNS) — Vulnerabilities in software that automates everything from factories to traffic lights have become the nation’s top cybersecurity threat, an agent on the FBI’s Denver Cyber Task Force said Thursday in Colorado Springs. Government Technology, June 9, 2017

Internet of Things

Why Car Companies Are Hiring Computer Security Experts: It started about seven years ago. Iran’s top nuclear scientists were being assassinated in a string of similar attacks: Assailants on motorcycles were pulling up to their moving cars, attaching magnetic bombs and detonating them after the motorcyclists had fled the scene. The New York Times, June 7, 2017

Fake News

Want Instagram likes? Now you can buy popularity from a vending machine: I was talking to an IT headhunter the other day who’s been slaving away on his YouTube channel, filling it with tutorials full of career tips that are really quite helpful, albeit woefully under-Liked. NakedSecurity, June 9, 2017

Al-Jazeera claims to be victim of cyber attack as Qatar crisis continues: Broadcaster targeted after hackers planted “fake news” on Qatar’s state news service. ars technica, June 8, 2017

Qatar investigation finds state news agency hacked: foreign ministry: A preliminary investigation has confirmed that Qatar’s state news agency was hacked, and false statements attributed to the country’s ruler were posted that helped ignite a rift with other Gulf states, the Qatari foreign ministry said on Wednesday. Reuters, June 7, 2017

The post Cyber Security News of the Week, June 11, 2017 appeared first on Citadel Information Group.

Jeff Snyder’s, SecurityRecruiter.com, Security Recruiter Blog, 719.686.8810

Security Recruiter Blog 2.0

A New Location For An Established Blog

The Security Recruiter Blog has been on-line since its inception in 2007.

In this blog I provide a weekly Cyber Security News report and a Cyber Security Vulnerability and Patch Report on Sunday afternoons or sometimes Monday mornings.

Additional blog articles focus on security jobs, security careers and career development topics for security, risk, compliance, threat and privacy professionals.

At times, this blog will focus on resume writing topics, LinkedIn topics and other topics that fit into the personal branding and personal marketing categories. 

What I'm most passionate about is helping security, risk, compliance, threat and privacy professionals to advance their careers. In order to provide this assistance, I have devoted time, energy and money to becoming a Strengths Coach. As a Strengths Coach, I leverage the power of the Clifton StrengthsFinder™. Additionally, as a Certified Emotional Intelligence Coach, I leverage the power of the EQi-2.0 Emotional Quotient Inventory from Multi-Health Systems, Inc.

Results from my Career Coaching and Executive Coaching work may be found at Jeff Snyder Coaching.  

SecurityRecruiter.com's Security Recruiter Blog, 719.686.8810

Cyber Security News of the Week, June 4, 2017

Cyber Security News

CYBERSECURITY NEWS

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP

 

Individuals at Risk

Cyber Privacy

Little users can do as thousands of enterprise apps found to be exposing data on back-end servers: Something is going badly wrong with the way the mountain of big data generated by enterprise mobile apps is being stored on back-end servers, a new analysis has shown. NakedSecurity, June 2, 2017

Cyber Defense

A reminder of good cyber-hygiene practices every user needs to implement: If you work without concern for security, your data will be breached. Jack Wallen offers up a few bits of advice that will help you to use your devices intelligently and avoid malware. TechRepublic, June 1, 2017

Cyber Warning

FIREBALL – The Chinese Malware of 250 Million Computers Infected: Check Point Threat Intelligence and research teams recently discovered a high volume Chinese threat operation which has infected over 250 million computers worldwide. The installed malware, Fireball, takes over target browsers and turns them into zombies. Fireball has two main functionalities: the ability of running any code on victim computers–downloading any file or malware, and hijacking and manipulating infected users’ web-traffic to generate ad-revenue. Currently, Fireball installs plug-ins and additional configurations to boost its advertisements, but just as easily it can turn into a prominent distributor for any additional malware. CheckPoint, June 1, 2017

Hackers Hide Cyberattacks in Social Media Posts: SAN FRANCISCO — It took only one attempt for Russian hackers to make their way into the computer of a Pentagon official. But the attack didn’t come through an email or a file buried within a seemingly innocuous document. The New York Times, May 28, 2017

Information Security Management in the Organization

Cyber Awareness

Teach employees to guard against malicious malware. Distrust & Caution: What strategies should organisations follow to block malware attachments which continue to account for two-thirds of malware infections that result in data breaches? ComputerWeekly, June 2017

Lessons From WannaCry | SANS Security Awareness Newsletter: Recently, you most likely watched widespread news coverage of a new cyber attack called WannaCry. It infected over 200,000 computers worldwide and locked numerous organizations out of their data, including hospitals in the United Kingdom. There are several reasons this attack gained so much attention. SANS, June 2017

Cyber Warning

OneLogin Breach Requires IT Department Action; Reignites Concerns over Password Managers: Entrusting all your passwords to a single organization creates a single point of failure, experts say in the wake of a new data breach at OneLogin. DarkReading, June 1, 2017

OneLogin Notifies Customers of Breach Exposing Customer Encrypted Information: OneLogin, an online service that lets users manage logins to sites and apps from a single platform, says it has suffered a security breach in which customer data was compromised, including the ability to decrypt encrypted data. KrebsOnSecurity, June 1, 2017

Cyber Defense

How to conduct a production outage post-mortem: Production outages can be stressful, but they can also result in valuable lessons. Here are some tips on conducting a post-mortem to prevent repeat occurrences. TechRepublic, June 2, 2017

Is Security weakened by too much technology packaged in too many solutions from too many vendors?: Businesses are suffering from an influx of too much security technology packaged into too many solutions offered by too many vendors, says former RSA Chairman Art Coviello, who’s now a partner at venture capital firm Rally Ventures. He claims the proliferation of products isn’t helping improve cybersecurity. BankInfoSecurity, May 30, 2017

Think your SaaS provider has your information security completely covered? Think again: As the first decade of cloud computing draws to a close, confidence in the way SaaS- and cloud service providers manage data protection and security is very high. Occasionally surveys will highlight concerns, but these are significantly diminished compared to past years. SC Magazine, May 30, 2017

Cyber Security in Society

Cyber Crime

Hackers publish private photos from cosmetic surgery clinic in cyber-extortion attempt: Hackers have published more than 25,000 private photos, including nude pictures, and other personal data from patients of a Lithuanian cosmetic surgery clinic, police say. The Guardian, May 31, 2017

Credit Card Breach at Kmart Stores. Again.: For the second time in less than three years, Kmart Stores is battling a malware-based security breach of its store credit card processing systems. KrebsOnSecurity, May 31, 2017

Chipotle says hackers stole customers’ data at vast majority of its 2,000+ restaurant locations: Restaurant chain Chipotle Mexican Grill says customers’ payment card data was stolen by hackers via malware installed at the vast majority of its more than 2,000 restaurant locations. BankInfoSecurity, May 29, 2017

Know Your Enemy

Cyber Criminals or State-Backed Hackers? It’s Getting Harder to Tell…: Veteran espionage researcher Jon DiMaggio was hot on the trail three months ago of what on the face of it looked like a menacing new industrial espionage attack by Russian cyber spies. Insurance Journal, June 2, 2017

National Cyber Security

Maybe Private Russian Hackers Meddled in Election, Putin Says: MOSCOW — Shifting from his previous blanket denials, President Vladimir V. Putin of Russia suggested on Thursday that “patriotically minded” private Russian hackers could have been involved in cyberattacks last year that meddled in the United States presidential election. The New York Times, June 1, 2017

WikiLeaks reveals CIA exploit for using compromised servers to infect other network devices: WikiLeaks just published details of a purported CIA operation that turns Windows file servers into covert attack machines that surreptitiously infect computers of interest inside a targeted network. ars technica, June 1, 2017

Cybersecurity leadership absence in full view as U.S. Rep blames others for her non-compliance: Florida Democratic Rep. Debbie Wasserman Schultz, whose office equipment U.S. Capitol Police seized in a criminal investigation into congressional network security violations, admitted she violates official information security policy and blamed the House’s chief administrative officer for not stopping her. The Daily Caller, May 31, 2017

Shadow Brokers Offers NSA 0-Days Subscription Service. Should Good Guys Buy from Cyber Thieves?: The mysterious group that over the past nine months has leaked millions of dollars’ worth of advanced hacking tools developed by the National Security Agency said Tuesday it will release a new batch of tools to individuals who pay a $21,000 subscription fee. The plans, announced in a cryptographically signed post published Tuesday morning, are generating an intense moral dilemma for security professionals around the world. ars technica, May 30, 2017

Why the NSA Makes Us More Vulnerable to Cyberattacks: There is plenty of blame to go around for the WannaCry ransomware that spread throughout the Internet earlier this month, disrupting work at hospitals, factories, businesses, and universities. First, there are the writers of the malicious software, which blocks victims’ access to their computers until they pay a fee. Then there are the users who didn’t install the Windows security patch that would have prevented an attack. A small portion of the blame falls on Microsoft, which wrote the insecure code in the first place. One could certainly condemn the Shadow Brokers, a group of hackers with links to Russia who stole and published the National Security Agency attack tools that included the exploit code used in the ransomware. But before all of this, there was the NSA, which found the vulnerability years ago and decided to exploit it rather than disclose it. Schneier on Security, May 30, 2017

Stewart Baker Interviews FireEye’s Kevin Mandia: Episode 166 is the interview that goes with episode 165’s news roundup, released separately to ensure the timeliness of the news. Steptoe Cyberblog, May 26, 2017

Stewart Baker – WannaCry Festivus celebration: Episode 165 is a WannaCry Festivus celebration, as The Airing of Grievances overtakes The Patching of Old Machines. Michael Vatis joins me in identifying all the entities who’ve been blamed for WannaCry, starting with Microsoft for not patching Windows XP until after the damage was done. (We exonerate Microsoft on that count.) Steptoe Cyberblog, May 22, 2017

Cyber Law

EFF sues FBI for records of alleged informants at Best Buy: The rights group worries that the warrantless searches of devices circumvents customers’ Fourth Amendment rights. CNet, May 31, 2017

China’s New Cybersecurity Law Leaves Foreign Firms Guessing: BEIJING — As China moves to start enforcing a new cybersecurity law, foreign companies face a major problem: They know very little about it. The New York Times, May 31, 2017

Financial Cyber Security

FDIC Needs to Improve Controls over Financial Systems and Information, Says New GAO Report: The Federal Deposit Insurance Corporation (FDIC) implemented numerous information security controls intended to protect its key financial systems. However, further actions are needed to address weaknesses in access controls—including boundary protection, identification and authentication, and authorization controls—and in configuration management controls. For example, the corporation did not sufficiently isolate financial systems from other parts of its network, ensure that users would be held accountable for the use of a key privileged account, or establish a single, accurate listing of all IT assets in its environment. GAO, May 31, 2017

Russian Cybersecurity Company Pins European Bank Attacks on North Korea: Russian threat intelligence firm Group-IB alleges that North Korea is behind recent attacks against financial institutions in Europe employing fraudulent SWIFT messages. But other experts caution that such conclusions shouldn’t be made solely based on technical data. BankInfoSecurity, May 30, 2017

Cyber Medical

HHS task force wants cybersecurity treated as a patient safety issue: The Health Care Industry Cybersecurity Task Force today released the final version of its cybersecurity report, calling on the government to write policies that would help healthcare organizations boost their defenses—a need made even more evident after last month’s WannaCry ransomware attacks. Modern Healthcare, June 2, 2017

Cyber Disinformation

Researchers Unravel Russian Cyber-Espionage Attacks Used to Spread Disinformation: A “single cyber espionage campaign” apparently linked to Russia has targeted more than 200 people in 39 countries with phishing attacks, according to privacy researchers at University of Toronto’s Citizen Lab. BankInfoSecurity, May 30, 2017

The post Cyber Security News of the Week, June 4, 2017 appeared first on Citadel Information Group.

Jeff Snyder’s, SecurityRecruiter.com, Jeff Snyder Coaching, Security Recruiter Blog, 719.686.8810

Cyber Security Vulnerability and Patch Report, June 4, 2017

Cybersecurity Vulnerability and Patch Report


FROM OUR FRIENDS AT CITADEL INFORMATION GROUP

Important Security Updates

Dropbox: Dropbox has released version 27.4.22 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]

Opera: Opera has released version 45.0.2552.888. Updates are available from within the browser or from Opera’s website.

RoboForm: Siber Systems has released Version 8.3.5. Updates are available from within the program or from RoboForm’s website.

Current Software Versions

Adobe Flash 25.0.0.171

Adobe Reader DC 2017.009.20044

Dropbox 27.4.22 [Citadel warns against relying on security of Dropbox or other cloud-based file exchange systems. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the master Dropbox [or other] password be at least 15 characters long and different from other passwords.]

Firefox 53.0.3 [Windows]

Google Chrome 58.0.3029.110

Internet Explorer 11.0.9600.18639

Java SE 8 Update 131 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

Microsoft Edge 40.15063.0.0

QuickTime 7.7.9 [Citadel recommends removing QuickTime. On April 14, 2016 US-CERT advised Microsoft Windows users to remove QuickTime. This followed a report in Ars Technica that Apple has no plans to update the Windows app despite at least two reliable QuickTime vulnerabilities that threaten Windows users who still have the program installed.]

Safari 10.1.1 [Mac OS X Mavericks, Yosemite, El Capitan]

Skype 7.36.0.101

For Your IT Department

Cisco Multiple Products: Cisco has released updates to address vulnerabilities in Samba, Integrated Management Controller, Aironet 1830 and 1850 Series Access Points, Linux Kernel Affecting Cisco Products and others. Apply updates. Additional details are available at Cisco’s website. Cisco has also released breach guidance for OneLogin at Cisco’s website.

TeamViewer: TeamViewer has released version 12.1.12777.0. Updates are available from TeamViewer’s website.

 

*******************

If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Copyright © 2017 Citadel Information Group. All rights reserved

The post Weekend Vulnerability and Patch Report, June 4, 2017 appeared first on Citadel Information Group.


Mikhael Felker, Candidate for ISSA International Director 2017

Mikhael Felker

I’m Mikhael, and I’m running for one of the open 2017 ISSA International Director positions. My candidate biography and statement of goals that appear on the ISSA Election site are noted below.

I’m also happy to speak with you about your ideas for improving ISSA. You can reach me via e-mail (mikhael at gmail.com), on Twitter (@mikhaelf), or on LinkedIn.

Mikhael Felker is Director of Information Security and Risk Management at Farmers Insurance. He started his relationship with the ISSA Pittsburgh Chapter as a graduate student member in 2006 and is currently an ISSA CISO executive member with the Los Angeles Chapter.

Mikhael served two years on the ISSA Los Angeles Chapter Board of Directors, contributed to the ISSA Journal, and taught bootcamp courses at the ISSA LA Summit for several years. He has worked in a number of industries including financial services/insurance, defense, health care, non-profit education, and technology/Internet, seeing first-hand the variance in information security culture and program maturity.

As an educator, Mr. Felker has taught courses at USC Engineering and UCLA Extension on information security and Internet technologies, respectively. He has shared his industry perspectives at numerous venues including RSAC, OWASP, PMI, CSA, YearUP, ISACA, LinuxLA, (ISC)2, and VC events.

Mikhael received his MS in Information Security Policy and Management from Carnegie Mellon University (as recipient of the NSF CyberCorps Scholarship for Service program) and BS in Computer Science from UCLA. His written work of 50+ publications has been featured in the ISSA Journal, Forbes, ACM, IEEE Security & Privacy, ISACA Journal, case studies, and a number of online magazines. He lives in Los Angeles with his wife, daughter, and dog and enjoys cycling. @mikhaelf

Statement of Goals

  • Develop, communicate, and enhance the value proposition for ISSA members.
  • Support the needs and solicit continuous feedback from the local chapter board of directors.
  • Improve partnership opportunities with other organizations (i.e., IAPP, PMI, OWASP, etc.).

Where to vote: issa.org

Voting for the ISSA International Board Election will begin on June 5, 2017. Members in good standing will be contacted with voting instructions and a secure unique login on the date of the election. All ballots must be received by June 19, 2017 at 11:59 Eastern Time.

Note: Voting instructions will be sent by e-mail to your e-mail address on file with ISSA International.