Security News

Cyber Security Vulnerability and Patch Report, December 3, 2017

Cyber Security Vulnerability and Patch Report

 

From our friends at Citadel Information Group

 

Important Security Updates

Apple macOS: Apple has released an update to macOS High Sierra. Apply the update. Details are available on Apple’s website. See also the special note regarding the Apple update on KrebsOnSecurity.

Comodo Free Firewall: Comodo has released version 10.0.2.6420 of its free firewall and antivirus. Updates are available from Comodo’s website.

Mozilla Firefox: Mozilla has released version 57.0.1. Updates are available within the browser or from Mozilla’s website.

Spotify: Spotify has released version 1.0.68.407. Updates are available on Spotify’s website.

Viber: Viber has released version 7.6.0.1 for Windows. Updates are available on Viber’s website.

WinZip: WinZip has released version 22.0.12684. Updates are available from within the program (look for “Check for Updates” on the Help menu) or as a download from the WinZip website.

Current Software Versions

Adobe Flash Player 27.0.0.187

Adobe Reader DC 2018.009.20044

Dropbox 39.4.49 [Citadel warns against relying on security of Dropbox or other cloud-based file exchange systems. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the master Dropbox [or other] password be at least 15 characters long and different from other passwords.]

Firefox 57.0.1 [Windows]

Google Chrome 62.0.3202.94

Internet Explorer 11.0.47

Java SE 8 Update 151 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

Microsoft Edge 41.16299.15.0

QuickTime 7.7.9 [Citadel recommends removing QuickTime. On April 14, 2016 US-CERT advised Microsoft Windows users to remove QuickTime. This followed a report in ars technica that Apple has no plans to update the Windows app despite at least two reliable QuickTime vulnerabilities that threaten Windows users who still have the program installed.]

Safari 11.0 [Mac OS X Mavericks, Yosemite, El Capitan]

Skype 7.40.0.104

For Your IT Department

Cisco Multiple Products: Cisco has released updates to address vulnerabilities in WebEx Recording Format and Advanced Recording Format Players, Data Center Network Manager, WebEx Meeting Center, WebEx Event Center, WebEx Meeting Server, UCS Central Software, Multilayer Director, Nexus 7000 Series, Nexus 7700 Series, Prime Service Catalog, NX-OS System Software, Jabber, IP Phone 8800, IOS XR Software, FXOS and NX-OS System Software, Email Security Appliance, Unified Communications Manager, Meeting Server, Application Policy Infrastructure Controller, Secure Access Control System, Wi-Fi Protected Access and Protected Access II, Unified Computing System Manager and Firepower 9000, and others. Apply updates. Additional details are available on Cisco’s website.

McAfee: McAfee has released updates to fix several vulnerabilities in its Web Gateway. Apply updates. Additional details are available on McAfee’s website.

WordPress: WordPress has released version 4.9.1. Apply updates. Additional details are available on WordPress’ website.

*******************

If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your system(s) patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Copyright © 2017 Citadel Information Group. All rights reserved.

The post Weekend Vulnerability and Patch Report, December 3, 2017 appeared first on Citadel Information Group.

Jeff Snyder's SecurityRecruiter.com Security Recruiter Blog, 719.686.8810

 

Cybersecurity News for the Week of December 3, 2017

Cyber Security News

 

from our friends at Citadel Information Group

 

Individuals at Risk

Cyber Update

MacOS High Sierra Users: Change Root Password Now: A newly-discovered critical flaw in macOS High Sierra — Apple’s latest iteration of its operating system — allows anyone with local (and, apparently in some cases, remote) access to the machine to log in as the all-powerful “root” user without supplying a password. Fortunately, there is a simple fix for this until Apple patches this inexplicable bug: Change the root account’s password now. KrebsOnSecurity, November 28, 2017

Cyber Defense

How secure are cryptocurrency mobile apps? 90 Android Apps analyzed by High-Tech Bridge: Are the mobile apps you’re using to store or handle your cryptocurrency stash, track the currencies’ price, or interact with cryptocurrency exchanges secure? Judging by the results of a recent audit by High-Tech Bridge, the chances are slim. HelpNetSecurity, December 1, 2017

Shopping Online Securely: The holiday season is nearing for many of us, and soon millions of people around the world will be looking to buy the perfect gifts. Many of us will choose to shop online in search of great deals and to avoid long lines and impatient crowds. Unfortunately, this is also the time of year many cyber criminals create fake shopping websites to scam and steal from others. Below, we explain the risks of shopping online and how to get that amazing deal safely. SANS, November 2017

Information Security Management in the Organization

Information Security Management and Governance

‘Blocking and Tackling’ in the New Age of Security: In a pep talk to CISOs, the chief security strategist at PSCU advises teams to prioritize resilience in addition to security. DarkReading, December 1, 2017

Defense Contractors Take Note: NIST’s Compliance Deadline is Almost Here!: The end of the year approaches and that means Department of Defense (DoD) contractors must make changes to their own unclassified information systems to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Steptoe Cyberblog, December 1, 2017

Cyber Awareness

How Can I Tell This is an Attack? – Amazon Support Phish: Quite a few folks have been asking how can they tell this Amazon email is a Phish. Below are the indicators. I like this example as it demonstrates how the bad guys are constantly evolving and adapting in their attacks. Notice in this email how there is no malicious link or infected attachment to click on, making it much more difficult for perimeter defenses to detect and stop it. Notice how all the domains used in the attack are legitimate and owned by Amazon, including any links you hover over. SANS, November 29, 2017

Cybersecurity Culture

How Facebook’s Annual “Hacktober” Campaign Promotes Cybersecurity to Employees: While the word “cybersecurity” may evoke thoughts of highly sophisticated attacks that require fancy computing equipment and skilled hackers, the reality is that most attacks — especially in a corporate environment — involve simpler strategies that depend upon one thing: exploiting human behavior. Harvard Business Review, November 29, 2017

Cyber Defense

What is SIEM software? How it works and how to choose the right tool: Evolving beyond its log-management roots, today’s security information and event management (SIEM) software vendors are introducing machine learning, advanced statistical analysis and other analytic methods to their products. CSO, November 28, 2017

Cyber Update

Cisco Patches Critical Playback Bugs in WebEx Players: Cisco Systems issued a Critical alert on Wednesday warning of multiple vulnerabilities in its popular WebEx player. Six bugs were listed in the security advisory, each of them relating to holes in Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) and WebEx Recording Format (WRF) files. ThreatPost, November 30, 2017

Cybersecurity in Society

Cyber Crime

Video shows cyberthieves stealing Mercedes with keys locked inside the house: Do you own a Mercedes or other fancy car that starts with a keyless fob – and which you’d rather not see thieves drive off in? Naked Security, December 1, 2017

Chicago: Uber’s claim that hackers fully deleted stolen data is “nonsensical”: Uber’s been sued at least 11 times in just 1 week, faces new scrutiny from Senate. ars technica, November 28, 2017

Driving Privacy Regulators Crazy: UK Probes Uber Breach: British regulators have launched a probe of the massive data breach suffered by taxi competitor Uber, which is scrambling to notify 57 million individuals in an unspecified number of countries that their details were exposed last year (see Uber Concealed Breach of 57 Million Accounts For A Year). BankInfoSecurity, November 22, 2017

Cyber Attack

Iraqi Hacking Group Posting Porn On ISIS Websites: Growing up Muslim, ideas around sexuality are often suppressed and forbidden. No one ever really talks about sex or tells you about it. When I saw that scene in Titanic when DiCaprio’s hand slides down the foggy window, I was told to look away from the screen—my imagination was forced to fill in the gaps. When I first saw porn, it pretty starkly opposed the innocent picture my mind had conjured up about romance. I felt a little sick and very ashamed, then a little pissed off that my parents had been doing that. And then I felt sick again. VICE, November 30, 2017

National Cybersecurity

UK National Cyber Security Centre issues Kaspersky Labs warning to government departments with national security systems: The British government has issued a fresh warning about the security risks of using Russian anti-virus software. BBC, December 2, 2017

Ex-NSA Hackers Worry China And Russia Will Try to Arrest Them: The US government has been indicting foreign government hackers, and American government hackers are worried China and Russia might start doing the same to them. Motherboard, December 1, 2017

Who Was the NSA Contractor Arrested for Leaking the ‘Shadow Brokers’ Hacking Tools?: In August 2016, a mysterious entity calling itself “The Shadow Brokers” began releasing the first of several troves of classified documents and hacking tools purportedly stolen from “The Equation Group,” a highly advanced threat actor that is suspected of having ties to the U.S. National Security Agency. According to media reports, at least some of the information was stolen from the computer of an unidentified software developer and NSA contractor who was arrested in 2015 after taking the hacking tools home. In this post, we’ll examine clues left behind in the leaked Equation Group documents that may point to the identity of the mysterious software developer. KrebsOnSecurity, November 27, 2017

Cyber Government

Cybersecurity reigns as top priority for city and county CIOs in 2017: New research from the Public Technology Institute shows that security is dominating local government investment in new projects and initiatives. State Scoop, December 1, 2017

Cyber Law

Lawsuits Pile Up on Uber: Washington AG files multimillion-dollar consumer protection lawsuit; multiple states also confirm they are investigating the Uber breach, which means more lawsuits may follow. DarkReading, November 30, 2017

How the Supreme Court Could Keep Police From Using Your Cellphone to Spy on You: The cellphones we carry with us constantly are the most perfect surveillance device ever invented, and our laws haven’t caught up to that reality. That might change soon. Schneier on Security, November 28, 2017

Uber’s security practices come under fire (again) after new evidence comes to light in the Alphabet lawsuit: A former Uber employee claims some of the company’s security officers worked to actively avoid creating a “paper trail.” recode, November 28, 2017

Cyber Sunshine

Russian involved in massive debit card hack sentenced in U.S. to 14 years in prison: A Russian cybercriminal who officials say helped hackers get fraudulent access to millions of debit card numbers and steal millions of dollars was sentenced this week in Atlanta to spend 14 years in prison — a sentence that will be served simultaneously with a 27-year term he was already serving. The Los Angeles Times, December 1, 2017

 The post Cybersecurity News of the Week, December 3, 2017 appeared first on Citadel Information Group.

 

Cyber Security Vulnerability and Patch Report, October 15, 2017

Cyber Security Vulnerability and Patch Report

 

 

From our friends at Citadel Information Group

 

Important Security Updates

Adobe Flash Player: Adobe has released version 27.0.0.159. Updates are available from Adobe’s website.

Avira Antivirus: Avira has released version 15.0.32.12 of its free Antivirus. Updates are available from Avira’s website.

Mozilla Firefox: Mozilla has released version 56.0.1. Updates are available within the browser or from Mozilla’s website. 

LastPass: LastPass has released version 4.2.0 for its Free Password Manager. Updates are available from LastPass’ website.

Microsoft Patch Tuesday: Microsoft’s Patch Tuesday released updates to address dozens of vulnerabilities, some of which are highly critical, in Windows operating systems, Microsoft Edge, Internet Explorer, Office, and other Microsoft products. Additional details are available at Microsoft’s website.

Opera: Opera has released version 48.0.2685.39. Updates are available from within the browser or from Opera’s website.

Spotify: Spotify has released version 1.0.65.320. Updates are available on Spotify’s website.

Current Software Versions

Adobe Flash 27.0.0.159

Adobe Reader DC 2017.012.20093

Dropbox 36.4.22 [Citadel warns against relying on security of Dropbox or other cloud-based file exchange systems. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the master Dropbox [or other] password be at least 15 characters long and different from other passwords.]

Firefox 56.0.1 [Windows]

Google Chrome 61.0.3163.100

Internet Explorer 11.0.9600.18763

Java SE 8 Update 144 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

Microsoft Edge 40.15063.0.0

QuickTime 7.7.9 [Citadel recommends removing QuickTime. On April 14, 2016 US-CERT advised Microsoft Windows users to remove QuickTime. This followed a report in ars technica that Apple has no plans to update the Windows app despite at least two reliable QuickTime vulnerabilities that threaten Windows users who still have the program installed.]

Safari 10.1.2 [Mac OS X Mavericks, Yosemite, El Capitan]

Skype 7.40.0.103

For Your IT Department

Cisco Multiple Products: Cisco has released updates to address vulnerabilities in Adaptive Security Appliance Software, and others. Apply updates. Additional details are available at Cisco’s website.

 

*******************

If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

The post Weekend Vulnerability and Patch Report, October 15, 2017 appeared first on Citadel Information Group.

 

Cybersecurity News of the Week, October 15, 2017

Cyber Security News

 

 

from our friends at Citadel Information Group

 

Individuals at Risk

Identity Theft

Equifax Hackers Stole Info on 693,665 UK Residents: Equifax Inc. said today an investigation into information stolen in the epic data breach the company disclosed on Sept. 7 revealed that intruders took a file containing 15.2 million UK records. The company says it is now working to inform 693,665 U.K. consumers whose data was stolen in the attack. KrebsOnSecurity, October 10, 2017

Cyber Privacy

Equifax Credit Assistance Site Served Spyware: Big-three consumer credit bureau Equifax says it has removed third-party code from its credit report assistance Web site that prompted visitors to download spyware disguised as an update for Adobe’s Flash Player software. KrebsOnSecurity, October 12, 2017

Accenture left a huge trove of highly sensitive data on exposed servers: Technology and cloud giant Accenture has confirmed it inadvertently left a massive store of private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys that could have inflicted considerable damage on the company and its customers. ZDNet, October 10, 2017

Equifax Breach Fallout: Your Salary History: In May, KrebsOnSecurity broke a story about lax security at a payroll division of big-three credit bureau Equifax that let identity thieves access personal and financial data on an unknown number of Americans. Incredibly, this same division makes it simple to access detailed salary and employment history on a large portion of Americans using little more than someone’s Social Security number and date of birth — both data elements that were stolen in the recent breach at Equifax. KrebsOnSecurity, October 8, 2017

Cyber Update

Microsoft’s October Patch Batch Fixes 62 Flaws: Microsoft on Tuesday released software updates to fix at least 62 security vulnerabilities in Windows, Office and other software. Two of those flaws were detailed publicly before yesterday’s patches were released, and one of them is already being exploited in active attacks, so attackers already have a head start. KrebsOnSecurity, October 11, 2017

Cyber Defense

Think Twice Before Logging on to Public Wi-Fi: At the airport, in a coffee shop or hotel lobby? Think twice before logging on to that free Wi-Fi. Robert Braun, JMBM Cybersecurity Lawyer Forum, October 11, 2017

Cyber Warning

The malware that won’t die: Is Locky reclaiming its title as king of ransomware?: Not so long ago it was thought to be dead, but now Locky ransomware is back as one of the most commonly distributed forms of malware. ZDNet, October 12, 2017

Information Security Management in the Organization

Cyber Defense

10 Major Cloud Storage Security Slip-Ups (So Far) this Year: Accenture is the latest in a string of major companies to expose sensitive cloud data this year, following Verizon, Deloitte, and Dow Jones. Dark Reading, October 13, 2017

Cybersecurity evolution brings shifts for network security: Bloggers explore cybersecurity evolution and its impact on network security, new network fabrics from Extreme and take a deep dive on routing protocols, such as BFD. TechTarget, October 13, 2017

Kaspersky Lab and the AV Security Hole: It’s unclear what happened in the reported theft of NSA data by Russian spies, but an attacker would need little help to steal if he or she had privileged access to an AV vendor’s network, security experts say. DarkReading, October 12, 2017

Cybersecurity in Society

Cyber Freedom

How Facebook’s Ad System Works: SAN FRANCISCO — In early September, Facebook revealed that it had identified about $100,000 in ads purchased on its social network by a Russian company linked to the Kremlin. Distributed between June 2015 and May of this year, the more than 3,000 ads added to evidence that Russia interfered with the 2016 presidential election. The New York Times, October 12, 2017

How Russia Harvested American Rage to Reshape U.S. Politics: YouTube videos of police beatings on American streets. A widely circulated internet hoax about Muslim men in Michigan collecting welfare for multiple wives. A local news story about two veterans brutally mugged on a freezing winter night. The New York Times, October 9, 2017

Google uncovers Russian-bought ads on YouTube, Gmail and other platforms: SAN FRANCISCO — Google for the first time has uncovered evidence that Russian operatives exploited the company’s platforms in an attempt to interfere in the 2016 election, according to people familiar with the company’s investigation. The Washington Post, October 9, 2017

The U.S. Election System Remains Deeply Vulnerable, But States Would Rather Celebrate Fake Success: When the Department of Homeland Security notified 21 states that Russian actors had targeted their elections systems in the months leading up to the 2016 presidential election, the impacted states rolled out a series of defiant statements. “Oregon’s security measures thwarted Russian government attempts to access the Secretary of State computer network during the 2016 general election,” chest-thumped Oregon Secretary of State Dennis Richardson. The Intercept, October 3, 2017

National Cybersecurity

How North Korean hackers stole 235 gigabytes of classified US and South Korean military plans: In September 2016, North Korean intelligence services stole a huge batch of classified US and South Korean military plans — including a plan to assassinate North Korea’s dictator Kim Jong Un and other top government officials. VOX, October 13, 2017

Hackers steal restricted information on F-35 fighter, JDAM, P-8 and C-130: Add the Australian defence industry to the already long list of those who’ve suffered at the hands of security weaknesses in third-party contractors. NakedSecurity, October 13, 2017

Germany: ‘No Evidence’ Kaspersky Software Used by Russians for Hacks: BERLIN — Germany’s BSI federal cyber agency said on Wednesday it had no evidence to back media reports that Russian hackers used Kaspersky Lab antivirus software to spy on U.S. authorities. The New York Times, October 11, 2017

Israeli Spies Found Russians Using Kaspersky Software for Hacks: Media: WASHINGTON — Israeli intelligence officials spying on Russian government hackers found they were using Kaspersky Lab antivirus software that is also used by 400 million people globally, including U.S. government agencies, according to media reports on Tuesday. The New York Times, October 11, 2017

Israel hacked Kaspersky, then tipped the NSA that its tools had been breached: In 2015, Israeli government hackers saw something suspicious in the computers of a Moscow-based cybersecurity firm: hacking tools that could only have come from the National Security Agency. The Washington Post, October 10, 2017

Cyber Crime

Hyatt Hotels hit by credit card data-stealing malware – again: Hotel group says guests who stayed at 41 of its properties between March and July this year could have had their details stolen by hackers. ZDNet, October 13, 2017

Cyber Attack

Hackers have turned Politifact’s website into a trap for your PC: PolitiFact has been an invaluable resource for debunking politicians’ misstatements and falsehoods. But now, it seems, some unknown actor is trying to profit off the website’s popularity — by hooking visitors’ computers into a virtual currency mining operation. The Washington Post, October 13, 2017

Know Your Enemy

Ransomware is now big business on the dark web and malware developers are cashing in: The total value of ransomware sales on dark web market places has rocketed from $250,000 to over $6m in just a year, as demand for the file-encrypting malware grows. ZDNet, October 11, 2017

Cyber Law

Supreme Court: Hacking conviction stands for man who didn’t hack computer: High court refuses to hear appeal of hacking conviction, one-year prison sentence. ars technica, October 10, 2017

Cyber Miscellany

IRS suspends contract with Equifax after malware discovered: The IRS said late Thursday that it has temporarily suspended the agency’s $7.1 million data security contract with Equifax (EFX) after malware found on the credit bureau’s website again called its security systems into question. CBS, October 12, 2017

SecureTheVillage Calendar

SecureTheVillage: Cybersecure Los Angeles 2017 — Get Cyber Prepared: SecureTheVillage joins UCLA Extension for its first cybersecurity conference. Learn from leading information security professionals and law enforcement, including: information security providers, cyber-insurance, financial services, law, the FBI, LA County District Attorney’s Office, and more. Leave with SecureTheVillage’s Information Security Management and Leadership ResourceKit: A practical guide for implementing an information security management and leadership program in your organization. October 19, 9:00 – 2:00, UCLA Extension, Figueroa Courtyard

The post Cybersecurity News of the Week, October 15, 2017 appeared first on Citadel Information Group.

 

Cybersecurity News of the Week, October 8, 2017

Cyber Security News

 

from our friends at Citadel Information Group

 

 

Individuals at Risk

Identity Theft

Fear Not: You, Too, Are a Cybercrime Victim!: Maybe you’ve been feeling left out because you weren’t among the lucky few hundred million or billion who had their personal information stolen in either the Equifax or Yahoo! breaches. Well buck up, camper: Both companies took steps to make you feel better today. KrebsOnSecurity, October 4, 2017

Former Equifax CEO says breach boiled down to one person not doing their job: In a continued effort to pass on any responsibility for the largest data breach in American history, Equifax’s recently departed CEO is blaming it all on a single person who failed to deploy a patch. Tech Crunch, October 3, 2017

The Equifax Hack Has the Hallmarks of State-Sponsored Pros: In the corridors and break rooms of Equifax Inc.’s giant Atlanta headquarters, employees used to joke that their enormously successful credit reporting company was just one hack away from bankruptcy. They weren’t being disparaging, just darkly honest: Founded in the 19th century as a retail credit company, Equifax had over the years morphed into one of the largest repositories of Americans’ most sensitive financial data, which the company sliced and diced and sold to banks and hedge funds. In short, the viability of Equifax and the security of its data were one and the same. Bloomberg, September 29, 2017

Cyber Privacy

USPS ‘Informed Delivery’ Is Stalker’s Dream: A free new service from the U.S. Postal Service that provides scanned images of incoming mail before it is slated to arrive at its destination address is raising eyebrows among security experts who worry about the service’s potential for misuse by private investigators, identity thieves, stalkers or abusive ex-partners. The USPS says it hopes to have changes in place by early next year that could help blunt some of those concerns. KrebsOnSecurity, October 2, 2017

Cyber Defense

Should Apple iPhone X Trust Facial Recognition for Security?: Your face is the future of smartphone security. Apple made that clear last week when it unveiled the pricey iPhone X, which trades in the familiar home button and TouchID fingerprint scanner for a new camera system that unlocks the device using facial recognition. Scientific American, October 2, 2017

Cyber Warning

4 ways you can get hacked through your smartphone: The relationship between smartphones and securing personal information can be complicated. Yahoo, October 6, 2017

Malware That Hijacks Your Computer to Mine Cryptocurrency Is Swarming Across the Internet: An increasing number of websites are turning the computers of unsuspecting visitors into cryptocurrency miners. Aside from slowing down CPU performance, these tools violate the privacy of users. Futurism, October 6, 2017

Hackers Are Using LinkedIn to Tailor their Phishing Attacks Just for You: Hackers have begun using LinkedIn, the popular social network for business professionals, to create better phishing attacks. Already, one breach – at Vevo – has been attributed to the practice. HashedOut, October 5, 2017

Information Security Management in the Organization

Security Leadership

Leadership’s evolving role in cybersecurity: As the volume and severity of computer crime has grown, one group has stayed somewhat quiet about the issue: CEOs. Cybersecurity is a difficult topic for many business executives to discuss. They aren’t comfortable with the technology and they worry that speaking out will betray their naïveté. They fear being breached but are reluctant to discuss their own vulnerability. They may even assign security a lower priority because it doesn’t have a clear ROI. Altogether, this creates the impression that they don’t care about an issue that may actually worry them a great deal. CSO, October 3, 2017

Information Security Management and Governance

8 Tough Questions Every CISO Should Be Ready to Answer: When a major security incident, such as the recent massive Equifax data breach, grabs headlines, CEOs start asking more questions about data security. BankInfoSecurity, October 5, 2017

Cyber Awareness

New Report: 7 in 10 employees lack the awareness needed to prevent common cyber incidents: Bothell, Wash., Oct. 3, 2017 /PRNewswire/ — Seven in 10 employees lack the awareness to stop preventable cybersecurity incidents, according to the second-annual State of Privacy and Security Awareness Report, released by MediaPro. Business Insider, October 3, 2017

Cyber Defense

81% of organizations fail to properly address cloud vulnerabilities, report says: RedLock’s recent Cloud Security Trends details the rise of data exposures, changes in cloud security, and what businesses need to do to address these issues. TechRepublic, October 6, 2017

The Five Tenets of Cyber Security: In the two day MGT433 Securing the Human course, we start the class by defining what risk is. Security awareness is nothing more than a control to manage human risk. To manage risk, you have to first define it. What stuns me is how often security professionals that have been in this field 5, 10 or even 15 years are so lost in the technical weeds they forget (or never truly learned) the fundamentals of what we do. So, just to recap for those of us who have forgotten (and those who are new to the field), here are the five key tenets of cyber security. SANS, October 5, 2017

Cybersecurity skills shortage leads more organizations to outsource CISO and other talent: Do you have confidence that your in-house security personnel has the knowledge, experience and technology to defend against cyberattacks? If so, there’s a chance that you may be fooling yourself. CSO, October 5, 2017

How Businesses Should Respond to the Ransomware Surge: Modern endpoint security tools and incident response plans will be key in the fight against ransomware. DarkReading, October 5, 2017

Cybersecurity in Society

Cyber Crime

FDIC hit by 50+ breaches in a two year period: A new report suggests that the FDIC could have been breached numerous times between 2015 and 2016, leading to the leak of PII data. TechRepublic, October 6, 2017

World’s Biggest Data Breaches – Interactive map of the world’s biggest data breaches, leaks and hacks. Information is Beautiful, September 10, 2017

Breaches up 27%, losses up 23% in 2017 Ponemon – Accenture Cost of Cyber Crime Study: Over the last two years, the accelerating cost of cyber crime means that it is now 23 percent more than last year and is costing organizations, on average, US$11.7 million. Whether managing incidents themselves or spending to recover from the disruption to the business and customers, organizations are investing on an unprecedented scale—but current spending priorities show that much of this is misdirected toward security capabilities that fail to deliver the greatest efficiency and effectiveness. Ponemon, 2017

Cyber Attack

EFF fights off phishing attack – Phish For the Future: This report describes “Phish For The Future,” an advanced persistent spearphishing campaign targeting digital civil liberties activists at Free Press and Fight For the Future. Between July 7th and August 8th of 2017 we observed almost 70 spearphishing attempts against employees of internet freedom NGOs Fight for the Future and Free Press, all coming from the same attackers. EFF, September 27, 2017

Cyber Defense

National Cyber Security Awareness Month 2017: As hacks, data breaches, and other cyber-enabled crime become increasingly commonplace, this year’s National Cyber Security Awareness Month is an important reminder of the need to take steps to protect yourself and your family when using the Internet. Launched in 2004 by the Department of Homeland Security and the National Cyber Security Alliance, the annual campaign held every October is designed to help the public stay safe online and to increase national resiliency in the event of a cyber incident. FBI, October 2, 2017

Cyber Freedom

US Top Law Enforcement Calls Strong Encryption a ‘Serious Problem’: BOSTON—Top U.S. law enforcement and policy makers touched the third-rail issue of encryption Wednesday with several high-ranking officials lamenting their inability to crack open phones, laptops and communications protected with strong encryption. ThreatPost, October 6, 2017

States work together to improve cybersecurity management: With protection from cyberthreats an ever-present concern for IT leaders at all levels, five states presented their approaches at NASCIO’s annual conference in Austin. GovernmentTechnology, October 4, 2017

National Cybersecurity

Russian Theft of NSA Secrets: Many Questions, Few Answers: Hackers working for Russia gained access to the home computer of an NSA employee in 2015, pilfering highly classified material and spying code that was apparently detected by Kaspersky Lab’s anti-virus software (see Report: NSA Secrets Stolen From Computer Using Kaspersky Software). BankInfoSecurity, October 5, 2017

Russian government hackers used antivirus software to steal U.S. cyber capabilities: Russian government hackers lifted details of U.S. cyber capabilities from a National Security Agency employee who was running Russian antivirus software on his computer, according to several individuals familiar with the matter. The Washington Post, October 5, 2017

Interview with Jeremy Rabkin, co-author, Striking Power. Evolving cyberwar rules: In a delightfully iconoclastic new book, Jeremy Rabkin and John Yoo take the air out of 75 years worth of inflated claims about the law of war. They do it, not for its own sake, though God knows that would be enough, but as prelude to discussing how to use the new weapons – robots, space, and cyber — that technology makes possible. Brian Egan and I interview Jeremy Rabkin about these and other aspects of “Striking Power: How Cyber, Robots, and Space Weapons Change the Rules for War.” Steptoe Cyberblog, September 25, 2017

Secure the Village

SecureTheVillage Leadership Council Member Michael Gold Nominated as a Leader in Cybersecurity Law by Los Angeles Business Journal: LOS ANGELES—Jeffer Mangels Butler & Mitchell LLP (JMBM) is pleased to announce that Michael A. Gold, co-chair of JMBM’s Cybersecurity & Privacy Group and co-author of the Cybersecurity Lawyer Forum, has been nominated by the Los Angeles Business Journal as a “Leader in Law” in the area of Cybersecurity. Michael is a member of the SecureTheVillage Leadership Council. Cybersecurity Lawyer Forum, October 5, 2017

Cyber Miscellany

The Coming Software Apocalypse & What Might Prevent It: There were six hours during the night of April 10, 2014, when the entire population of Washington State had no 911 service. People who called for help got a busy signal. One Seattle woman dialed 911 at least 37 times while a stranger was trying to break into her house. When he finally crawled into her living room through a window, she picked up a kitchen knife. The man fled. The Atlantic, September 26, 2017

SecureTheVillage Calendar

Glendale Tech Week: SecureTheVillage and Citadel President Stan Stahl will join Louie Sadd, Datastream Managing Partner and SecureTheVillage Leadership Council member, and other cybersecurity panelists. October 12, 10:00 – 11:00, Glendale Central Library.

Securing Our Village & Our Country’s Election Process. Stan Stahl to Speak at Impact Roundtable: Our freedoms and democratic way of life are under attack — and we must act now to create a cybersecurity-sensitive culture. Event Date: Friday October 13, 2017

SecureTheVillage: Cybersecure Los Angeles 2017 — Get Cyber Prepared: SecureTheVillage joins UCLA Extension for its first cybersecurity conference. Learn from leading information security professionals and law enforcement, including: information security providers, cyber-insurance, financial services, law, the FBI, LA County District Attorney’s Office, and more. Leave with SecureTheVillage’s Information Security Management and Leadership ResourceKit: A practical guide for implementing an information security management and leadership program in your organization. October 19, 9:00 – 2:00, UCLA Extension, Figueroa Courtyard

The post Cybersecurity News of the Week, October 8, 2017 appeared first on Citadel Information Group.

Jeff Snyder's, SecuirtyRecruiter.comSecurity Recruiter Blog, 719.686.8810

 

Cyber Security Vulnerability and Patch Report, October 1, 2017


 

From our friends at Citadel Information Group

 

Weekend Vulnerability and Patch Report, October 1, 2017

 

Important Security Updates

Apple Multiple Products: Apple has released updates in iOS, macOS Server, iCloud for Windows, macOS High Sierra, and others. Additional details are available on Apple’s website.

Mozilla Firefox: Mozilla has released version 56.0. Updates are available within the browser or from Mozilla’s website. 

Opera: Opera has released version 48.0.2685.32. Updates are available from within the browser or from Opera’s website.

Spotify: Spotify has released version 1.0.64.399. Updates are available on Spotify’s website.

Viber: Viber has released version 6.9.6.16 for Windows. Updates are available on Viber’s website.

Current Software Versions

Adobe Flash 27.0.0.130

Adobe Reader DC 2017.012.20093

Dropbox 34.4.20 [Citadel warns against relying on security of Dropbox or other cloud-based file exchange systems. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the master Dropbox [or other] password be at least 15 characters long and different from other passwords.]

Firefox 56.0 [Windows]

Google Chrome 61.0.3163.100

Internet Explorer 11.0.9600.18763

Java SE 8 Update 144 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

Microsoft Edge 40.15063.0.0

QuickTime 7.7.9 [Citadel recommends removing QuickTime. On April 14, 2016 US-CERT advised Microsoft Windows users to remove QuickTime. This followed a report in ars technica that Apple has no plans to update the Windows app despite at least two reliable QuickTime vulnerabilities that threaten Windows users who still have the program installed.]

Safari 10.1.2 [Mac OS X Mavericks, Yosemite, El Capitan]

Skype 7.40.0.103

For Your IT Department

Cisco Multiple Products: Cisco has released updates to address vulnerabilities in IOS and IOS XE Software, Apache Struts 2, Mobility Express 1800 Access Point Series, Unified Customer Voice Portal, and others. Apply updates. Additional details are available at Cisco’s website.

 

*******************

If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Copyright © 2017 Citadel Information Group. All rights reserved.

The post Weekend Vulnerability and Patch Report, October 1, 2017 appeared first on Citadel Information Group.


Cybersecurity News of the Week, October 1, 2017

Cyber Security News


from our friends at Citadel Information Group

 

Individuals at Risk

Identity Theft

Here’s What to Ask the Former Equifax CEO: Richard Smith — who resigned as chief executive of big-three credit bureau Equifax this week in the wake of a data breach that exposed 143 million Social Security numbers — is slated to testify in front of no fewer than four committees on Capitol Hill next week. If I were a lawmaker, here are some of the questions I’d ask when Mr. Smith goes to Washington. KrebsOnSecurity, September 29, 2017

Equifax or Equiphish?: More than a week after it said most people would be eligible to enroll in a free year of its TrustedID identity theft monitoring service, big three consumer credit bureau Equifax has begun sending out email notifications to people who were able to take the company up on its offer. But in yet another security stumble, the company appears to be training recipients to fall for phishing scams. KrebsOnSecurity, September 24, 2017

Identity Theft – How to Protect Yourself: List of Resources: As you might have heard by now, Equifax was hacked and it’s up to you to take steps to protect yourself against identity theft. However, we’re here to help! We’ve collated some information from SANS Security Awareness here to help you get answers quickly. The Economist recently wrote an article on identity theft, utilizing SANS Security Awareness Director, Lance Spitzner to weigh in on credit monitoring and how much work is involved in undoing the damage of identity theft. He says, “The best step is to establish a credit freeze at all of the Credit Bureaus…”. Of course, there are other actions you can be taking to protect yourself, your family and your organization. We’ve identified ways you can protect yourself and your company through this blog post. SANS, September 20, 2017

How to “Freeze” Your Credit Files: If you live in California, you have the right to put a “security freeze” on your credit file. A security freeze means that your file cannot be shared with potential creditors. A security freeze can help prevent identity theft. Most businesses will not open credit accounts without first checking a consumer’s credit history. If your credit files are frozen, even someone who has your name and Social Security number would probably not be able to get credit in your name. ca.gov

Stan Stahl discusses the Equifax mess with Larry Marino: Stan Stahl, President/CEO of Citadel Information Group and nonprofit SecureTheVillage, updates the Equifax hack that involves the stealing of approximately 143 million Americans’ personal information records. Sunday Morning Newsmakers, October 1, 2017

Cyber Privacy

What If We Told You About Your Digital Copies: This ‘digital copy’ is a very real and expanding entity that is both representing you as a proxy and revealing more and more detailed aspects about your personal and private life. Shocking as that may sound, you are the very one who is feeding that copy by providing information freely in large proportions. Every day, we trade our personal information (and our privacy) for things like ‘free’ email, faster product shipping, and social news feeds that connect us with friends and family. This very public copy is not going away anytime soon, so the question is “Is that something that is helping or hindering you?” ITSP, September 2017

Cyber Defense

Tips for protecting your #CryptoCurrency: Intrigued by the many possibilities of cryptocurrencies – not least by the prospect to “earn” serious money while doing nothing – you’ve decided to take the plunge and invest in some. HelpNetSecurity, September 29, 2017

How Credit Card Companies Spot Fraud … And Advice for Consumers: Credit card companies and banks, to protect your account and themselves, have gotten good at detecting credit fraud, such as when a purchase is made in an unlikely location or for an unusual amount, or when transactions occur at odd times. The Motley Fool, September 29, 2017

Answers to 5 Computer Security Questions Readers Keep Asking: After my contemporary thriller Kill Big Brother came out readers started asking how they can protect themselves online. Many more also called into radio shows I was a guest on. As I began answering, radio show hosts would often ask me to stay on for another segment because the phone lines were lighting up. Over time I found people were mostly asking the same five questions—and they are important and topical questions. Forbes, September 28, 2017

Email Do’s and Don’ts – SANS Awareness Newsletter: Email is still one of the primary ways we communicate, both in our personal and professional lives. However, we can quite often be our own worst enemy when using email. In this newsletter, we will explain the most common mistakes people make with email and how you can avoid them in your day-to-day lives. SANS, September 2016

Cyber Warning

Chaos and hackers stalk investors on cryptocurrency exchanges: LONDON, SHANGHAI, NEW YORK (Reuters) – Dan Wasyluk discovered the hard way that trading cryptocurrencies such as bitcoin happens in an online Wild West where sheriffs are largely absent. Reuters, September 29, 2017

Many Macs vulnerable to firmware attacks, despite OS and security updates: Several updated Mac models don’t receive EFI security fixes, putting machines at risk for targeted cyberattacks. DarkReading, September 29, 2017

Information Security Management in the Organization

Information Security Management and Governance

Cisco Chief Information Security Officer Shares Strategy for Fighting Cybercrime: Steve Martino, chief information security officer at Cisco, shares his advice for assisting a worried Board of Directors. Business Insider, Sep 30, 2017

Company directors are increasingly involved with cybersecurity: According to a new survey by BDO USA, 79% of public company directors report that their board is more involved with cybersecurity than it was 12 months ago and 78% say they have increased company investments during the past year to defend against cyber-attacks, with an average budget expansion of 19 percent. HelpNetSecurity, September 29, 2017

Six Key Traits of an Effective Cyber Risk Advisor: What makes a good cyber risk advisor? What skills do they need to help board directors address cybersecurity? According to a report by BayDynamics, board directors “may not be experts in security, but they do know how to steer a business away from risk and toward profit by listening to subject matter experts. However, they expect those experts to frame that advice around relevant business concerns.” SecurityIntelligence, September 28, 2017

Cyber Awareness

Getting an Earful: Convincing Employees to Care About Network Security: Employees remain the biggest source of corporate cyber risk. According to the “IBM X-Force 2016 Cyber Security Intelligence Index,” staff members are responsible for 60 percent of all digital attacks endured by enterprises. In most cases, there’s no malicious intent. Employees may subvert network security by opening infected email attachments, falling for well-crafted phishing attacks, accessing compromised third-party apps or accidentally posting confidential information on social media sites. SecurityIntelligence, September 29, 2017

What’s Your Tech-to-Human Security Ratio?: Ever wonder why some security awareness programs successfully change and secure human behavior while others fail? One of the most common reasons for failure is minimal investment. Many organizations are heavily investing in their cyber security programs. The problem is they are stuck in the 1990s focusing only on bits-n-bytes. While technology is where every organization should start, we have hit the point of diminishing returns. In today’s world organizations need to start investing in their human security also. To see where your organization stands, determine your Tech-to-Human security ratio. There are two ways to do this. SANS, September 25, 2017

Cyber Defense

Oregon Medicaid System Shut Down Allegedly by Ex-Staffer After Inadequate Adverse Termination: A federal criminal case alleges that a former Hewlett-Packard Enterprise Corp. employee shut down Oregon’s Medicaid information systems for several hours after the vendor laid him off. Security experts caution organizations to take steps to minimize risks from workers who are laid off or fired. “When an employee is suddenly fired, a few minutes of unfettered access to information systems can lead to a lot of damage,” says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. BankInfoSecurity, September 29, 2017

Cyber Insurance

Cyberinsurance is gaining steam for smaller businesses: Cyberinsurance used to be only for large corporations, but policies are becoming available for small and medium-sized businesses. Read advice about what to consider before purchasing a cyber policy. TechRepublic, September 18, 2017

Cybersecurity in Society

Cyber Crime

Malware attacks San Ysidro School District, demands $19K ransom: Malware infected computers at a local school district this month, deleting emails and forcing the district to temporarily shut down part of its systems. inewsource.org, September 29, 2017

Whole Foods taprooms and restaurants hit by hack, credit card information stolen: If you ate or drank at Whole Foods recently, you might want to keep a close eye on your credit card transactions. CNet, September 29, 2017

Source: Deloitte Breach Affected All Company Email, Admin Accounts: Deloitte, one of the world’s “big four” accounting firms, has acknowledged a breach of its internal email systems, British news outlet The Guardian revealed today. Deloitte has sought to downplay the incident, saying it impacted “very few” clients. But according to a source close to the investigation, the breach dates back to at least the fall of 2016, and involves the compromise of all administrator accounts at the company as well as Deloitte’s entire internal email system. KrebsOnSecurity, September 25, 2017

Cyber Privacy

DOJ demands Facebook information from ‘anti-administration activists’: Washington (CNN) Trump administration lawyers are demanding the private account information of potentially thousands of Facebook users in three separate search warrants served on the social media giant, according to court documents obtained by CNN. CNN, September 30, 2017

Cyber Defense

Google plans to stop trusting current Symantec certificates: Here’s what tech pros need to know: Validity concerns with existing Symantec SSL certificates are provoking some changes in upcoming Google Chrome releases. Learn the details involved. TechRepublic, September 29, 2017

Know Your Enemy

Cybercriminals increasingly focusing on credential theft: Criminal tactics used to access user credentials are growing in prevalence, and a record 47 percent of all malware is new or zero day, and thus able to evade signature-based antivirus solutions, according to WatchGuard. HelpNetSecurity, September 29, 2017

Cyber Freedom

Securing Our Village & Our Country’s Election Process. Stan Stahl to Speak at Impact Roundtable: Our freedoms and democratic way of life are under attack — and we must act now to create a cybersecurity-sensitive culture. Event Date: Friday October 13, 2017

Cyber Culture

Cybersecurity CEO Emphasizes Sharing & Collaboration as Critical Defense against Cybercrime: Want to protect what you’ve built? Then you’ll need to work differently, according to Melanie Rieback. Entrepreneur, September 29, 2017

Cyber Gov

Many federal agencies still weak on information security, GAO report finds: In a time of rampant cybersecurity concerns, a recently released Government Accountability Office report expresses frustration with the information security at federal agencies. fedscoop, September 29, 2017

Cyber Research

Scientists hold world’s first intercontinental video conference using quantum encryption: Two scientists in Austria and China have held the first intercontinental video conference to have been encrypted using quantum technology. Independent, September 29, 2017

SecureTheVillage Calendar

Glendale Tech Week: SecureTheVillage and Citadel President Stan Stahl will join Louie Sadd, Datastream Managing Partner and SecureTheVillage Leadership Council member, and other cybersecurity panelists. October 12, 10:00 – 11:00, Glendale Central Library.

Securing Our Village & Our Country’s Election Process. Stan Stahl to Speak at Impact Roundtable: Our freedoms and democratic way of life are under attack — and we must act now to create a cybersecurity-sensitive culture. Event Date: Friday October 13, 2017

SecureTheVillage: Cybersecure Los Angeles 2017 — Get Cyber Prepared: SecureTheVillage joins UCLA Extension for its first cybersecurity conference. Learn from leading information security professionals and law enforcement, including: information security providers, cyber-insurance, financial services, law, the FBI, LA County District Attorney’s Office, and more. Leave with SecureTheVillage’s Information Security Management and Leadership ResourceKit: A practical guide for implementing an information security management and leadership program in your organization. October 19, 9:00 – 2:00, UCLA Extension, Figueroa Courtyard

The post Cybersecurity News of the Week, October 1, 2017 appeared first on Citadel Information Group.


 

Cyber Security Vulnerability and Patch Report, September 24, 2017


 

From our friends at Citadel Information Group

 

Important Security Updates

Apple Multiple Products: Apple has released updates in Xcode 9 in macOS Sierra 10.1.6 or later, tvOS 11, watchOS 4, Safari 11, iOS 11, and others. Additional details are available on Apple’s website.

Avira Antivirus: Avira has released version 15.0.31.27 of its free Antivirus. Updates are available from Avira’s website.

Evernote: Evernote has released version 6.7.5.5825. Updates are available on Evernote’s website.

Google Chrome: Google has released Google Chrome version 61.0.3163.100. Updates are available from within the browser or from Google Chrome’s website.

Piriform CCleaner: Piriform has released version 5.35.6210 for CCleaner. Updates are available from Piriform’s website. Additional details about the recent security notification are available here on Piriform’s website.

Malwarebytes: Malwarebytes has released version 3.2.2.2029. Updates are available from Malwarebytes’ website.

TechSmith Corporation SnagIt: TechSmith has released version 13.1.4.8008 for SnagIt. Updates are available from TechSmith’s website.

Current Software Versions

Adobe Flash 27.0.0.130

Adobe Reader DC 2017.012.20093

Dropbox 34.4.20 [Citadel warns against relying on security of Dropbox or other cloud-based file exchange systems. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the master Dropbox [or other] password be at least 15 characters long and different from other passwords.]

Firefox 55.0.3 [Windows]

Google Chrome 61.0.3163.100

Internet Explorer 11.0.9600.18763

Java SE 8 Update 144 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

Microsoft Edge 40.15063.0.0

QuickTime 7.7.9 [Citadel recommends removing QuickTime. On April 14, 2016 US-CERT advised Microsoft Windows users to remove QuickTime. This followed a report in ars technica that Apple has no plans to update the Windows app despite at least two reliable QuickTime vulnerabilities that threaten Windows users who still have the program installed.]

Safari 10.1.2 [Mac OS X Mavericks, Yosemite, El Capitan]

Skype 7.40.0.103

For Your IT Department

Cisco Multiple Products: Cisco has released updates to address vulnerabilities in Unified Customer Voice Portal Operations Console, Aironet 1800, 2800, 3800, 1830 and 1850 Series Access Points, Mobility Express 1800 Access Points, Apache Struts 2, IOS and IOS XE, Small Business Managed Switches, Email Security Appliance, Wide Area Application Services, UCS Center Software, Small Business SPA300, SPA500, and SPA51x Series, FindIT DLL, Unified Intelligence Center, Email Security Appliance, and others. Apply updates. Additional details are available at Cisco’s website.

WordPress: WordPress has released version 4.8.2. Apply updates. Additional details are available on WordPress’ website.

 


The post Weekend Vulnerability and Patch Report, September 24, 2017 appeared first on Citadel Information Group.


Cybersecurity News of the Week, September 24, 2017

Cyber Security News

 


from our friends at Citadel Information Group

 

Individuals at Risk

Identity Theft

Why didn’t Equifax protect your data? Because corporations have all the power: When the credit-reporting agency Equifax announced this month that hackers had accessed the accounts of 143 million of its customers — over 40 percent of the population of the United States — it was another example of how little power consumers have over their own money and personal information. Indeed, it unfolded in a familiar way: Equifax isn’t communicating with its customers, and no one can make it. The Washington Post, September 21, 2017

Experian Site Can Give Anyone Your Credit Freeze PIN: An alert reader recently pointed my attention to a free online service offered by big-three credit bureau Experian that allows anyone to request the personal identification number (PIN) needed to unlock a consumer credit file that was previously frozen at Experian. KrebsOnSecurity, September 21, 2017

Equifax, the Credit Reporting Industry, and What Congress Should Do Next: Even for the experts, the recent data breach at Equifax was staggering. The data that undergirds the credit records of 143 million consumers was compromised. Social Security numbers, dates of birth, and drivers’ license records are used to authenticate identity. It is not difficult to change a credit card number, but changing Social Security numbers and birth dates is a whole different matter. Data breaches are on the rise in the United States. It’s time for Congress to act. Why does this require action by Congress? There are at least five major reasons that the private sector cannot handle this issue on its own. Harvard Business Review, September 20, 2017

Equifax Breach: Setting the Record Straight: Bloomberg published a story this week citing three unnamed sources who told the publication that Equifax experienced a breach earlier this year which predated the intrusion that the big-three credit bureau announced on Sept. 7. To be clear, this earlier breach at Equifax is not a new finding and has been a matter of public record for months. Furthermore, it was first reported on this Web site in May 2017. KrebsOnSecurity, September 20, 2017

Someone Made a Fake Equifax Site. Then Equifax Linked to It: People create fake versions of big companies’ websites all the time, usually for phishing purposes. But the companies do not usually link to them by mistake. The New York Times, September 20, 2017

Equifax Suffered a Hack Almost Five Months Earlier Than the Date It Disclosed: Equifax Inc. learned about a major breach of its computer systems in March — almost five months before the date it has publicly disclosed, according to three people familiar with the situation. Bloomberg, September 18, 2017

New evidence raises doubts about executives’ handling of the Equifax breach: New evidence calls into question Equifax’s handling of the breach reported last week, which compromised 143 million user details including Social Security numbers, birthdates, and addresses. The Verge, September 19, 2017

The learned helplessness of Equifax: Is there a formal name for the fallacy of assuming that the status quo is sane? Such a name would become more useful with each passing year. There are a shocking number of examples, but I give you, as a perfect, vivid, front-of-mind example, the credit rating system of the United States of America, as exemplified by that radioactive disaster of a company called Equifax. TechCrunch, September 17, 2017

Equifax Should Be a Public Utility: Credit bureaus have little incentive to take hackers seriously. Only government oversight can change that. Harvard Business Review, September 15, 2017

Cyber Privacy

Motel 6 to revamp privacy, data sharing policies after Phoenix locations send guest info to ICE: Motel 6 employees in the Phoenix area who voluntarily and routinely handed guest registers to ICE officials without the benefit of a warrant may not have run afoul of the company’s privacy policy, but the hotel chain said it would take steps to shut down or prevent similar operations at its other properties nationwide. SC Magazine, September 18, 2017

Cyber Update

iOS 11 Update includes Patches for Eight Vulnerabilities: iOS 11 is out today and along with a new look and feel on the iPad especially comes a handful of patches for the Apple mobile OS. ThreatPost, September 19, 2017

Cyber Warning

iOS 11’s Control Center may say Bluetooth, Wi-Fi are off, but that’s just not true: Apple has made changes in iOS 11 that push its devices towards Wi-Fi and Bluetooth being enabled by default, which may make users more vulnerable to attacks. ZDNet, September 21, 2017

Hackers are locking people out of their MacBooks – here’s how to stay safe: Hackers using stolen iCloud credentials have been able to use Apple’s Find My Device features to remotely lock down computers and demand Bitcoin ransoms from affected users. However, that doesn’t mean Apple’s iCloud was hacked. Instead, hackers are likely trying their luck with some of the many available username and password combinations that resulted from recently publicized hacks. BGR, September 21, 2017

This is why you shouldn’t use texts for two-factor authentication: For a long time, security experts have warned that text messages are vulnerable to hijacking — and this morning, they showed what it looks like in practice. A demonstration video posted by Positive Technologies (and first reported by Forbes) shows how easy it is to hack into a bitcoin wallet by intercepting text messages in transit. The Verge, September 18, 2017

Critical Bluetooth flaw could put nearly every connected device at risk of cyberattack: The vulnerability, discovered by Armis Labs, is an airborne attack targeting Android, iOS, Windows, and Linux devices. It would allow hackers to take complete control of the device. TechRepublic, September 13, 2017

Information Security Management in the Organization

Cyber Warning

Hackers hid malware in CCleaner software: Hackers have successfully breached CCleaner’s security to inject malware into the app and distribute it to millions of users. Security researchers at Cisco Talos discovered that download servers used by Avast (the company that owns CCleaner) were compromised to distribute malware inside CCleaner. “For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner,” says the Talos team. The Verge, September 18, 2017

CEOs beware: Your email address is spoofed most often for cyberattacks: A recent Trend Micro report identified that CEOs and managers are most likely to have their email spoofed, while CFOs are the biggest targets of these attacks. TechRepublic, September 12, 2017

Cyber Defense

Where Do Security Vulnerabilities Come From?: There are three major causes: code quality, complexity, and trusted data inputs. DarkReading, September 22, 2017

Cyber Law

Canada’s Tough New Breach Reporting Regulations: Canada had been lagging behind the U.S. and some other nations in terms of breach notification regulations, but now it’s catching up, says attorney Imran Ahmad, who explains new requirements that are coming into effect. BankInfoSecurity, September 21, 2017

Cybersecurity in Society

Cyber Crime

Report: SMBs paid $301M to ransomware hackers last year: About 5% of SMBs fell victim to ransomware attacks in the past year, leading to financial strain from downtime and data loss, according to a new survey from Datto. TechRepublic, September 21, 2017

Know Your Enemy

Low-cost tools making cybercrime more accessible: SecureWorks: A report from the security vendor has said the increasing affordability of cybercrime tools is providing budding criminals with a low barrier of entry into the game. ZDNet, September 19, 2017

Cyber Freedom

Feds Share More Details with States About Russian Election Hacking; Establish Coordinating Council: One of the public’s unanswered questions about Russia’s attempts to break into election systems last year was which states were targeted. On Friday, states found out. NPR, September 22, 2017

Facebook to Turn Over Russian-Linked Ads to Congress: WASHINGTON — Under growing pressure from Congress and the public to reveal more about the spread of covert Russian propaganda on Facebook, the company said on Thursday that it was turning over more than 3,000 Russia-linked ads to congressional committees investigating the Kremlin’s influence operation during the 2016 presidential campaign. The New York Times, September 21, 2017

Political campaigns prep for battle with hackers: Candidates are quizzing prospective campaign managers on anti-hacking plans. Democratic committees like the Democratic Congressional Campaign Committee, which was breached last year, have switched internally from email to encrypted messaging apps. And both parties are feverishly trying to spread advice and best practices to new campaigns before they become targets. Politico, September 19, 2017

Facebook hands over ads, account info to Mueller: After special counsel Robert Mueller produced a search warrant, Facebook handed over records associated with fake accounts that purchased and planted $100,000 worth of ads on behalf of Russian interests to influence the 2016 U.S. presidential election. SC Media, September 18, 2017

Financial Cyber Security

SEC Hack Threatens a Bedrock of U.S. Capitalism: Transparency: The U.S. Securities and Exchange Commission hails its database of company filings as an innovation that’s dramatically boosted corporate transparency. But a hack that led to the theft of market-moving secrets is the latest sign that technology also brings dangers the SEC is struggling to combat. Bloomberg, September 22, 2017

Cyber Research

Malware Steals Data From Air-Gapped Network via Security Cameras: Proof-of-concept malware called aIR-Jumper can be used to defeat air-gapped network protections and send data in and out of a targeted network. The technique uses security cameras and infrared LED lights that can blink back and forth to each other transmitting data that has been converted into data streams. ThreatPost, September 20, 2017

SecureTheVillage Calendar

SecureTheVillage: San Fernando Valley-East (Pasadena / Glendale) Cybersecurity Roundtable: The San Fernando Valley-East (Pasadena / Glendale) Cybersecurity Roundtable is designed to support communication and collaboration between C-Suite executives, IT managers, and cybersecurity experts. The San Fernando Valley-East Roundtable is intended for both for-profit and nonprofit organizations. The Roundtable functions as a cross-organizational “learning community” committed to working together to better protect our community from cybercrime. September 28, 7:30 -10AM. Datastream, Glendale.

Glendale Tech Week: SecureTheVillage and Citadel President Stan Stahl will join Louie Sadd, Datastream Managing Partner and SecureTheVillage Leadership Council member, and other cybersecurity panelists. October 12, 10:00 – 11:00, Glendale Central Library.

SecureTheVillage: Cybersecure Los Angeles 2017 — Get Cyber Prepared: SecureTheVillage joins UCLA Extension for its first cybersecurity conference. Learn from leading information security professionals and law enforcement, including: information security providers, cyber-insurance, financial services, law, the FBI, LA County District Attorney’s Office, and more. Leave with SecureTheVillage’s Information Security Management and Leadership ResourceKit: A practical guide for implementing an information security management and leadership program in your organization. October 19, 9:00 – 2:00, UCLA Extension, Figueroa Courtyard

The post Cybersecurity News of the Week, September 24, 2017 appeared first on Citadel Information Group.

Cyber Security Vulnerability and Patch Report, September 10, 2017

From our friends at Citadel Information Group

Important Security Updates

Avira Antivirus: Avira has released version 15.0.30.29 of its free Antivirus. Updates are available from Avira’s website.

Dropbox: Dropbox has released version 34.4.20 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]

Google Chrome: Google has released Google Chrome version 61.0.3163.79. Updates are available from within the browser or from Google Chrome’s website.

Microsoft: Microsoft has released updates for Office, Project and Visio. These are available from the Control Panel.

Opera: Opera has released version 47.0.2631.80. Updates are available from within the browser or from Opera’s website.

Viber: Viber has released version 6.9.1.77 for Windows. Updates are available on Viber’s website.

Current Software Versions

Adobe Flash 26.0.0.151

Adobe Reader DC 2017.012.20093

Dropbox 34.4.20 [Citadel warns against relying on security of Dropbox or other cloud-based file exchange systems. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the master Dropbox [or other] password be at least 15 characters long and different from other passwords.]

Firefox 55.0.3 [Windows]

Google Chrome 61.0.3163.79

Internet Explorer 11.0.9600.18763

Java SE 8 Update 144 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

Microsoft Edge 40.15063.0.0

QuickTime 7.7.9 [Citadel recommends removing QuickTime. On April 14, 2016 US-CERT advised Microsoft Windows users to remove QuickTime. This followed a report in ars technica that Apple has no plans to update the Windows app despite at least two reliable QuickTime vulnerabilities that threaten Windows users who still have the program installed.]

Safari 10.1.2 [Mac OS X Mavericks, Yosemite, El Capitan]

Skype 7.40.0.103

For Your IT Department

Cisco Multiple Products: Cisco has released updates to address vulnerabilities in Apache Struts 2, IOS, IOS XE, IoT Field Network Director, Unified Communication Manager, Yes Set-Top Box, SocialMiner XML, Prime LAN Management Solution, Prime Collaboration Provisioning Tool, IR800 Integrated Services Router, Firepower Management Center, Email Security Appliance, Unified Intelligence, Unity Connection, Cisco Meeting Server, Emergency Responder, Catalyst 4000 Series Switches, ASR 920 Series Routers, ASR 5500 System Architecture Evolution Gateway and others. Apply updates. Additional details are available at Cisco’s website.

McAfee: McAfee has released updates for its Threat Intelligence Exchange Server. Updates are available from McAfee’s website.

*******************

If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Copyright © 2017 Citadel Information Group. All rights reserved.

The post Weekend Vulnerability and Patch Report, September 10, 2017, appeared first on Citadel Information Group.

Cybersecurity News of the Week, September 10, 2017

CYBER SECURITY NEWS

from our friends at Citadel Information Group

Individuals at Risk

Identity Theft

Equifax Hack Exposes Regulatory Gaps, Leaving Consumers Vulnerable: Despite the wealth of sensitive information in their databases, credit bureaus don’t face the same kind of scrutiny and oversight that banks do. The New York Times, September 8, 2017

Here are all the ways the Equifax data breach is worse than you can imagine: Another day, another massive data breach. Except this one involves Equifax, one of the credit-monitoring companies you might expect to be ultrasensitive to the importance of safeguarding your personal information from hackers. LA Times, September 8, 2017

Equifax Breach Response Turns Dumpster Fire: I cannot recall a previous data breach in which the breached company’s public outreach and response has been so haphazard and ill-conceived as the one coming right now from big-three credit bureau Equifax, which rather clumsily announced Thursday that an intrusion jeopardized Social Security numbers and other information on 143 million Americans. KrebsOnSecurity, September 8, 2017

Equifax Breach: 8 Takeaways: After Equifax on Thursday warned that 143 million consumers’ personal details may have been stolen by hackers, criticism of the consumer credit reporting agency – and data broker – has been swift. BankInfoSecurity, September 8, 2017

Outrage builds after Equifax executives banked $2 million in stock sales following data breach: The sale of nearly $2 million in corporate stock by high-level Equifax executives shortly after the company learned of a major data breach has sparked public outrage that could turn into another hurdle for the credit rating agency. The Washington Post, September 8, 2017

Equifax Says Cyberattack May Have Affected 143 Million in the U.S.: Criminals gained access to certain files in the company’s system from mid-May to July, according to an investigation by Equifax. The New York Times, September 7, 2017

Cyber Defense

Password Managers: One of the most important steps you can take to protect yourself online is to use a unique, strong password for every one of your accounts and apps. Unfortunately, it is most likely impossible for you to remember all your different passwords for all your different accounts. This is why so many people reuse the same password. SANS, September 2016

Information Security Management in the Organization

Cyber Warning

New Dridex Phishing Campaign Delivers Fake Accounting Invoices: A new variant of the banking trojan Dridex is part of a sophisticated phishing attack targeting users of the cloud-based accounting firm Xero. ThreatPost, September 7, 2017

Cyber Defense

Are you an easy hacking target? Cybersecurity tips for small business: Small businesses and self-employed people are big targets for hackers, and the financial implications can be crippling. Gone are the days of thinking “It’ll never happen to us”. A total of 61% of all data breaches this year occurred in businesses with fewer than 1,000 employees, according to the Verizon Data Breach Investigations Report. Estimates vary on how much a breach truly costs, but it can often be millions of pounds. The Guardian, September 8, 2017

The 5 cyber attacks you’re most likely to face: As a consultant, one of the biggest security problems I see is perception: The threats companies think they face are often vastly different than the threats that pose the greatest risk. For example, they hire me to deploy state-of-the-art public key infrastructure (PKI) or an enterprise-wide intrusion detection system when really what they need is better patching. CSO, August 21, 2017

Cyber Talent

Meet the WISOs: 10 Women Information Security Officers to watch: As girls and young women become interested in cybersecurity, they can look to these Women Information Security Officers for inspiration. CSO, September 8, 2017

Cybersecurity in Society

Cyber Freedom

German hackers find security hole in software used for vote counts: Serious security flaws in the software used to register voting tallies in Germany and transmit them across the country have been found by a hackers’ collective, who have warned of the possibility of external attacks. The Guardian, September 8, 2017

Cash-strapped states brace for Russian hacking fight: The U.S. needs hundreds of millions of dollars to protect future elections from hackers — but neither the states nor Congress is rushing to fill the gap. Politico, September 3, 2017

Fake News

The Fake Americans Russia Created to Influence the Election: Posing as ordinary citizens on Facebook and building “warlists” of Twitter accounts, suspected Russian agents intervened last year in the American democratic process. The New York Times, September 7, 2017

The Fake-News Fallacy: Old fights about radio have lessons for new fights about the Internet: On the evening of October 30, 1938, a seventy-six-year-old millworker in Grover’s Mill, New Jersey, named Bill Dock heard something terrifying on the radio. Aliens had landed just down the road, a newscaster announced, and were rampaging through the countryside. Dock grabbed his double-barrelled shotgun and went out into the night, prepared to face down the invaders. But, after investigating, as a newspaper later reported, he “didn’t see anybody he thought needed shooting.” In fact, he’d been duped by Orson Welles’s radio adaptation of “The War of the Worlds.” Structured as a breaking-news report that detailed the invasion in real time, the broadcast adhered faithfully to the conventions of news radio, complete with elaborate sound effects and impersonations of government officials, with only a few brief warnings through the program that it was fiction. The New Yorker, September 4, 2017

National Cybersecurity

The Cyberlaw Podcast – Stewart Baker interviews Michael Mainelli: In Episode 177, fresh from hiatus, we try to summarize the most interesting cyber stories to break in August. Paul Rosenzweig kicks things off with the Shunning of Kaspersky. I argue that the most significant – though unsupported – claim about Kaspersky is Sen. Shaheen’s assertion that all of the company’s servers are in Russia. If true, that’s certainly an objective reason not to let Kaspersky install sensors in non-Russian computers. The question that remains is how much due process companies like Kaspersky should get. That’s a question unlikely to go away, as DOD is now comprehensively shunning DJI drones, issuing guidance that sounds a lot like Edward Snowden demanding that users uninstall all DJI apps and remove all batteries and storage media. Steptoe Cyberblog, September 5, 2017

The first quantum-cryptographic satellite network will be Chinese: IN THE never-ending arms race between encryptors and eavesdroppers, many of those on the side that is trying to keep messages secret are betting on quantum mechanics, a description of how subatomic particles behave, to come to their aid. In particular, they think a phenomenon called quantum entanglement may provide an unsubvertable way of determining whether or not a message has been intercepted by a third party. Such interception, quantum theory suggests, will necessarily alter the intercepted message in a recognisable way, meaning that the receiver will know it is insecure. This phenomenon depends on the fact, surprising but true, that particles with identical properties which are created simultaneously are entangled in a way that means one cannot have its properties altered without also altering the other, no matter how far apart they are. The Economist, August 31, 2017

Cyber Law

Could CareFirst Data Breach Case Be Headed to Supreme Court?: Could the class action lawsuit filed against CareFirst Blue Cross Blue Shield after a 2014 cyberattack impacting 1.1 million individuals be the first data breach case headed to the Supreme Court? A recent ruling by a federal court makes that a possibility. BankInfoSecurity, September 8, 2017

SEC Chief: Regulators must do more to help small investors better understand cyber crime and online fraud: NEW YORK (Reuters) – Regulators must do more to help mom-and-pop investors better understand the potential risks posed by cyber crime and new technologies used to commit fraud, U.S. Securities and Exchange Commission Chairman Jay Clayton said on Tuesday. Reuters, September 5, 2017

Cyber Medical

DHS Warns of 8 Cybersecurity Vulnerabilities in Smiths Medical Wireless Infusion Pumps: The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (DHS ICS-CERT) on Thursday issued an advisory detailing eight cybersecurity vulnerabilities found in Smiths Medical’s Medfusion 4000 wireless infusion pumps. RAPS, September 8, 2017

Critical Infrastructure

Symantec Report: Hackers found to gain direct operational access to US power grid controls: In an era of hacker attacks on critical infrastructure, even a run-of-the-mill malware infection on an electric utility’s network is enough to raise alarm bells. But the latest collection of power grid penetrations went far deeper: Security firm Symantec is warning that a series of recent hacker attacks not only compromised energy companies in the US and Europe but also resulted in the intruders gaining hands-on access to power grid operations—enough control that they could have induced blackouts on American soil at will. Wired, September 6, 2017

Internet of Things

IoT Security: What’s Plan B?: In August, four US Senators introduced a bill designed to improve Internet of Things (IoT) security. The IoT Cybersecurity Improvement Act of 2017 is a modest piece of legislation. It doesn’t regulate the IoT market. It doesn’t single out any industries for particular attention, or force any companies to do anything. It doesn’t even modify the liability laws for embedded software. Companies can continue to sell IoT devices with whatever lousy security they want. SchneierOnSecurity, September 2017

Cyber Miscellany

If Blockchain Is the Answer, What Is the Security Question?: Like any technology, blockchain has its strengths and weaknesses. But debunking three common myths can help you cut through the hype. DarkReading, September 8, 2017

Boston Red Sox Used Apple Watches to Steal Signs Against Yankees: When confronted by Major League Baseball, the Red Sox admitted they were using Apple Watches in a scheme to gain an edge at the plate. The New York Times, September 5, 2017

Cyber Research

Security researchers in China send silent commands to speech recognition systems with ultrasound: Security researchers in China have invented a clever way of activating voice recognition systems without speaking a word. By using high frequencies inaudible to humans but which register on electronic microphones, they were able to issue commands to every major “intelligent assistant” that were silent to every listener but the target device. TechCrunch, September 6, 2017

SecureTheVillage Calendar

PIHRA: Information Security Awareness: The Cyber Tsunami!: Citadel’s Kimberly Pease will facilitate a discussion of (i) steps to take to protect a company’s information from hackers and cyber criminals; (ii) tips to protect yourselves as consumers; (iii) understanding who the criminals are and why you are a target; (iv) real stories and scary examples that could happen to you. September 20, 7:30 – 9:30, The City Club

SecureTheVillage: Financial Services Cybersecurity Roundtable: The Financial Services Cybersecurity Roundtable is a cross-organizational, cross-functional “learning community” committed to working together to better protect our community from bank fraud, credit card theft, identity theft and other forms of cyber crime. September 22, 7:30 – 10:00, Grandpoint Bank

SecureTheVillage: San Fernando Valley-East (Pasadena / Glendale) Cybersecurity Roundtable: The San Fernando Valley-East (Pasadena / Glendale) Cybersecurity Roundtable is designed to support communication and collaboration between C-Suite executives, IT managers, and cybersecurity experts. The San Fernando Valley-East Roundtable is intended for both for-profit and nonprofit organizations. The Roundtable functions as a cross-organizational “learning community” committed to working together to better protect our community from cybercrime. September 28, 7:30 -10AM. Datastream, Glendale.

Glendale Tech Week: SecureTheVillage and Citadel President Stan Stahl will join Louie Sadd, Datastream Managing Partner and SecureTheVillage Leadership Council member, and other cybersecurity panelists. October 12, 10:00 – 11:00, Glendale Central Library.

SecureTheVillage: Cybersecure Los Angeles 2017 — Get Cyber Prepared: SecureTheVillage joins UCLA Extension for its first cybersecurity conference. Learn from leading information security professionals and law enforcement, including: information security providers, cyber-insurance, financial services, law, the FBI, LA County District Attorney’s Office, and more. Leave with SecureTheVillage’s Information Security Management and Leadership ResourceKit: A practical guide for implementing an information security management and leadership program in your organization. October 19, 9:00 – 2:00, UCLA Extension, Figueroa Courtyard

The post Cybersecurity News of the Week, September 10, 2017 appeared first on Citadel Information Group.

Cyber Security Vulnerability and Patch Report, September 3, 2017

From our friends at Citadel Information Group

Important Security Updates

Avast: Avast has released version 17.6.2310 for Free Antivirus. Updates are available on Avast’s website. Avast! has also released updates for Premier Antivirus, Pro Antivirus and Internet Security.

Comodo Free Firewall: Comodo has released version 10.0.1.6294 of its free firewall and antivirus. Updates are available from Comodo’s website.

Opera: Opera has released version 47.0.2631.71. Updates are available from within the browser or from Opera’s website.

Skype: Skype has released Skype 7.40.0.103. Updates are available from the program or Skype’s website.

Current Software Versions

Adobe Flash 26.0.0.151

Adobe Reader DC 2017.012.20093

Dropbox 33.4.23 [Citadel warns against relying on security of Dropbox or other cloud-based file exchange systems. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the master Dropbox [or other] password be at least 15 characters long and different from other passwords.]

Firefox 55.0.3 [Windows]

Google Chrome 60.0.3112.113

Internet Explorer 11.0.9600.18763

Java SE 8 Update 144 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

Microsoft Edge 40.15063.0.0

QuickTime 7.7.9 [Citadel recommends removing QuickTime. On April 14, 2016 US-CERT advised Microsoft Windows users to remove QuickTime. This followed a report in ars technica that Apple has no plans to update the Windows app despite at least two reliable QuickTime vulnerabilities that threaten Windows users who still have the program installed.]

Safari 10.1.2 [Mac OS X Mavericks, Yosemite, El Capitan]

Skype 7.40.0.103

For Your IT Department

None

*******************

If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Copyright © 2017 Citadel Information Group. All rights reserved.

The post Weekend Vulnerability and Patch Report, September 3, 2017 appeared first on Citadel Information Group.

Jeff Snyder's SecurityRecruiter.com, Security Recruiter Blog, 719.686.8810

Cyber Security News for the Week of September 3, 2017

from our friends at Citadel Information Group

Individuals at Risk

Identity Theft

700 Million-Plus Email Addresses Leaked by Spam Operation: A sloppy spamming operation has exposed on a server in the Netherlands gigabytes of files that include 711 million email addresses and some associated account passwords. BankInfoSecurity, August 31, 2017

Cyber Privacy

Hackers are selling millions of Instagram celeb accounts on web. Selena Gomez among victims: A group of hackers used a bug earlier this week to scrape the phone numbers and email addresses of six million Instagram accounts and are now selling that information on the web. TechCrunch, September 1, 2017

Cyber Danger

Is Your Mobile Carrier Your Weakest Link?: More online services than ever now offer two-step authentication — requiring customers to complete a login using their phone or other mobile device after supplying a username and password. But with so many services relying on your mobile for that second factor, there has never been more riding on the security of your mobile account. Below are some tips to ensure your mobile device (or, more specifically, your mobile carrier) isn’t the weakest link in your security chain. KrebsOnSecurity, August 27, 2017

Victim of crypto-currency theft describes how cybercriminals hacked his cellphone: At about 9pm on Tuesday, August 22 a hacker swapped his or her own SIM card with mine, presumably by calling T-Mobile. This, in turn, shut off network services to my phone and, moments later, allowed the hacker to change most of my Gmail passwords, my Facebook password, and text on my behalf. All of the two-factor notifications went, by default, to my phone number so I received none of them and in about two minutes I was locked out of my digital life. TechCrunch, August 23, 2017

Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency: Hackers have discovered that one of the most central elements of online security — the mobile phone number — is also one of the easiest to steal. The New York Times, August 23, 2017

Cyber Defense

On what basis are we to trust online file conversion services?: Let’s imagine that you just received an attachment on your phone, such as an image, a document or a spreadsheet. Naked Security, September 1, 2017

Cyber Warning

Beware of Hurricane Harvey Relief Scams: U.S. federal agencies are warning citizens anxious to donate money for those victimized by Hurricane Harvey to be especially wary of scam artists. In years past we’ve seen shameless fraudsters stand up fake charities and other bogus relief efforts in a bid to capitalize on public concern over an ongoing disaster. Here are some tips to help ensure your aid dollars go directly to those most in need. KrebsOnSecurity, August 29, 2017

Information Security Management in the Organization

Cyber Warning

Locky Ransomware Campaign Returns via Spam and Dropbox-Themed Phishing Attacks: In today’s digital world, boundaries are blurring. Driven by “need it now” business demands, cloud applications are surfacing in business environments everywhere, often with little or no IT involvement. We’re allowing access to a growing and dynamic user population that includes not only employees but partners, customers, channels and contractors. And, while the always-on mobile and BYOD landscape offers much-needed convenience for users, it further blurs personal and corporate access boundaries. Ultimately, we need to find a way to embrace today’s boundaryless business world, while maintaining security confidence, ensuring that we meet increasing compliance demands, and doing so in a way that’s completely seamless and easy for our users. BankInfoSecurity, Event on September 5, 2017

Cyber Talent

CISOs’ Salaries Expected to Edge Above $240,000 in 2018: Other IT security professionals may garner six-figure salaries as well, new report shows. DarkReading, September 1, 2017

The Haves And Have-Nots In Cybersecurity: How Your Company Can Level The Playing Field: We all know about the income-inequality debate in America, and the controversy about too much wealth being held by the “one percent”. But did you know there’s also an inequality issue when it comes to our country’s cybersecurity? Forbes, August 29, 2017

Cybersecurity in Society

Cyber Crime

Canadian university scammed out of $11.8 million: MacEwan University in Edmonton, Alberta, is the latest confirmed victim of scammers. HelpNetSecurity, September 1, 2017

A server hosting dozens of popular file converter sites has been hacked: The server hosting the sites had been “tampered with for months on end, without the server owner noticing it.” ZDNet, August 31, 2017

Know Your Enemy

Hackers Host Ransomware on US Government Site to Infect Site-Visitors: As recently as Wednesday afternoon, a U.S. government website was hosting a malicious JavaScript downloader that led victims to installations of Cerber ransomware. ThreatPost, September 1, 2017

Cyber Law

Judge Nixes Bid to Quash Suit Filed by Yahoo Breach Victims: A federal judge in California has ruled that a consolidated class-action lawsuit filed by those affected by three Yahoo data breaches can proceed. BankInfoSecurity, September 1, 2017

Cyber Freedom

Open source or proprietary: how should we secure voting systems?: The stakes are always high when it comes to software security, which is why the ongoing debate over open-source vs. proprietary tends to be passionate. NakedSecurity, September 1, 2017

Software Glitch or Russian Hackers? Election Problems Draw Little Scrutiny or Analysis: The calls started flooding in from hundreds of irate North Carolina voters just after 7 a.m. on Election Day last November. The New York Times, September 1, 2017

National Cybersecurity

WikiLeaks alleges CIA created bogus software upgrade to steal data from FBI, NSA: The CIA didn’t trust its security service partners to share biometric information with it, so it created a bogus software upgrade to steal the data. ZDNet, August 25, 2017

Cyber Government

Trump’s Cabinet Leaves Key Cybersecurity Reports Unfinished: Major cybersecurity reports looking at the American government’s ability to defend itself from hacking are unfinished months after the deadline set by President Donald Trump. Newsweek, September 1, 2017

Cyber Medical

Pacemaker recall due to cybersecurity vulnerability affects at Least 456,000 US patients: Around 465,000 Americans with pacemakers fitted are being advised to visit their doctor to get an important software upgrade – otherwise their life-saving inner gadget could be vulnerable to a hacking attempt. Science Alert, September 1, 2017

Internet of Things

Leak of more than 1,700 valid passwords could make the IoT mess much worse: Security researchers have unearthed a sprawling list of login credentials that allows anyone on the Internet to take over home routers and more than 1,700 “Internet of things” devices and make them part of a destructive botnet. ars technica, August 25, 2017

Cyber Sunshine

Mirai Malware Attacker Extradited From Germany to UK: Admitted Mirai malware mastermind Daniel Kaye, 29, has been extradited from Germany to the United Kingdom, where he faces charges that he launched cyberattacks against two of Britain’s biggest banks. BankInfoSecurity, August 31, 2017

Tech Firms Team Up to Take Down ‘WireX’ Android DDoS Botnet: A half dozen technology and security companies — some of them competitors — issued the exact same press release today. This unusual level of cross-industry collaboration caps a successful effort to dismantle ‘WireX,’ an extraordinary new crime machine comprising tens of thousands of hacked Android mobile devices that was used this month to launch a series of massive cyber attacks. KrebsOnSecurity, August 28, 2017

Fake News

The Intimidators: Twitter bots unleashed in a social media disruption tactic: Overnight from August 28 to August 29, a major Twitter botnet opened a new front in its ongoing attempts to intimidate @DFRLab, creating fake accounts to impersonate and attack our team members. DFR Lab, August 30, 2017

Fake Twitter bots w Russian fingerprints used to intimidate and disrupt social media: I awoke this morning to find my account on Twitter (@briankrebs) had attracted almost 12,000 new followers overnight. Then I noticed I’d gained almost as many followers as the number of re-tweets (RTs) earned for a tweet I published on Tuesday. The tweet stated how every time I tweet something related to Russian President Vladimir Putin I get a predictable stream of replies that are in support of President Trump — even in cases when neither Trump nor the 2016 U.S. presidential campaign were mentioned. KrebsOnSecurity, August 30, 2017

SecureTheVillage Calendar

National Assn of Corporate Directors — Southern California Chapter: Join SecureTheVillage and Citadel President Stan Stahl, the National Cyber Forensics Training Alliance (NCFTA) CEO and former secret service agent Matt Lavigna, Apria Healthcare’s CISO Jerry Sto. Thomas and former SaaS CEO and PwC Partner, Bob Zukis. Learn about Southern California’s unique risks and local efforts to fight cybercrime. September 6, Noon Luncheon, California Club.

PIHRA: Information Security Awareness: The Cyber Tsunami!: Citadel’s Kimberly Pease will facilitate a discussion of (i) steps to take to protect a company’s information from hackers and cyber criminals; (ii) tips to protect yourselves as consumers; (iii) understanding who the criminals are and why you are a target; (iv) real stories and scary examples that could happen to you. September 20, 7:30 – 9:30, The City Club

SecureTheVillage: Financial Services Cybersecurity Roundtable: The Financial Services Cybersecurity Roundtable is a cross-organizational, cross-functional “learning community” committed to working together to better protect our community from bank fraud, credit card theft, identity theft and other forms of cyber crime. September 22, 7:30 – 10:00, Grandpoint Bank

SecureTheVillage: San Fernando Valley-East (Pasadena / Glendale) Cybersecurity Roundtable: The San Fernando Valley-East (Pasadena / Glendale) Cybersecurity Roundtable is designed to support communication and collaboration between C-Suite executives, IT managers, and cybersecurity experts. The San Fernando Valley-East Roundtable is intended for both for-profit and nonprofit organizations. The Roundtable functions as a cross-organizational “learning community” committed to working together to better protect our community from cybercrime. September 28, 7:30 – 10AM. Datastream, Glendale.

Glendale Tech Week: SecureTheVillage and Citadel President Stan Stahl will join Louie Sadd, Datastream Managing Partner and SecureTheVillage Leadership Council member, and other cybersecurity panelists. October 12, 10:00 – 11:00, Glendale Central Library.

SecureTheVillage: Cybersecure Los Angeles 2017 — Get Cyber Prepared: SecureTheVillage joins UCLA Extension for its first cybersecurity conference. Learn from leading information security professionals and law enforcement, including: information security providers, cyber-insurance, financial services, law, the FBI, LA County District Attorney’s Office, and more. Leave with SecureTheVillage’s Information Security Management and Leadership ResourceKit: A practical guide for implementing an information security management and leadership program in your organization. October 19, 9:00 – 2:00, UCLA Extension, Figueroa Courtyard

 The post Cybersecurity News of the Week, September 3, 2017 appeared first on Citadel Information Group.


Cyber Security Vulnerability and Patch Report, August 27, 2017

From our friends at Citadel Information Group

Important Security Updates

AxCrypt: AxCrypt has released version 2.1.1534.0. Updates are available from AxCrypt’s website.

Dropbox: Dropbox has released version 33.4.23 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]

Foxit Reader: Foxit has released version 8.3.2.25013 of Foxit Reader, its popular PDF reader. Updates are available from within the program or from Foxit’s website.

Google Chrome: Google has released Google Chrome version 60.0.3112.113. Updates are available from within the browser or from Google Chrome’s website.

Google Earth Pro: Google has released version 7.3.0.3832 for Google Earth Pro. Updates are available from Google’s website.

LastPass: LastPass has released version 4.1.63 for its Free Password Manager. Updates are available from LastPass’ website.

Malwarebytes: Malwarebytes has released version 3.2.2.2018. Updates are available from Malwarebytes’ website.

Mozilla Firefox: Mozilla has released version 55.0.3. Updates are available within the browser or from Mozilla’s website. 

Current Software Versions

Adobe Flash 26.0.0.151

Adobe Reader DC 2017.012.20093

Dropbox 33.4.23 [Citadel warns against relying on the security of Dropbox or other cloud-based file exchange systems. We recommend that files containing sensitive information be independently encrypted with a program like AxCrypt; that encryption keys be at least 15 characters long; and that the master Dropbox (or other) password be at least 15 characters long and different from other passwords.]

Firefox 55.0.3 [Windows]

Google Chrome 60.0.3112.113

Internet Explorer 11.0.9600.18763

Java SE 8 Update 144 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

Microsoft Edge 40.15063.0.0

QuickTime 7.7.9 [Citadel recommends removing QuickTime. On April 14, 2016 US-CERT advised Microsoft Windows users to remove QuickTime. This followed a report in ars technica that Apple has no plans to update the Windows app despite at least two reliable QuickTime vulnerabilities that threaten Windows users who still have the program installed.]

Safari 10.1.2 [Mac OS X Mavericks, Yosemite, El Capitan]

Skype 7.39.0.102

For Your IT Department

Cisco Multiple Products: Cisco has released updates to address vulnerabilities in Smart Net Total Care, Meeting Server and others. Apply updates. Additional details are available at Cisco’s website.

TeamViewer: TeamViewer has released version 12.1.16680. Updates are available from TeamViewer’s website.

*******************

If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Copyright © 2017 Citadel Information Group. All rights reserved.


Cyber Security News for the Week of August 27, 2017

from our friends at Citadel Information Group

Individuals at Risk

Identity Theft

Why It’s Still A Bad Idea to Post or Trash Your Airline Boarding Pass: One reason may be that the advice remains timely and relevant: A talk recently given at a Czech security conference advances that research and offers several reminders of how being careless with your boarding pass could jeopardize your privacy or even cause trip disruptions down the road. KrebsOnSecurity, August 24, 2017

Cyber Danger

Bank-fraud malware not detected by any AV found in Chrome Web Store. Twice in 17 days: A researcher has uncovered an elaborate bank-fraud scam that’s using a malicious extension in Google’s Chrome Web Store to steal targets’ passwords. Ars Technica, August 16, 2017

Cyber Defense

Backup & Recovery: If you use a computer or mobile device long enough, sooner or later something will go wrong, resulting in you losing your personal files, documents, or photos. SANS Securing the Human, August 2017

10 browser extensions to help keep you safe on the web: These 10 browser extensions can help add more than just peace of mind; they can step in where the average web browser fails and protect you from common threats. Tech Republic, August 25, 2017

Cyber Warning

Adware Spreading Via Social Engineering, Facebook Messenger: Attackers have taken to Facebook Messenger with a combination of social engineering and malicious JavaScript to spread adware, something that’s likely earning them a small chunk of change in the process. ThreatPost, August 24, 2017

Secret chips in replacement parts can completely hijack your phone’s security: Booby-trapped touchscreens can log passwords, install malicious apps, and more. Ars Technica, August 18, 2017

Information Security Management in the Organization

Information Security Management and Governance

Board Directors Need to Get Involved With Cyber Risk Governance: They know that it’s only a matter of time before their organization suffers a cyber incident, and all eyes will naturally be on the directors themselves to see if they were properly exercising their risk oversight. SecurityIntelligence, August 24, 2017

Fallout From Cybersecurity Regulatory Crackdown Pushing Companies to Strengthen Security Management: The rise in cyberattacks has led to more regulations, which in turn has forced companies to look into cyberinsurance. Forbes, August 25, 2017

Security Culture

Charts Like This are Why Information Security is Failing: Out of the 57 controls listed, ONLY ONE is dedicated to the Human Operating System. SANS Securing the Human, August 22, 2017

New SANS survey identifies & addresses root cybersecurity cultural challenges: Working with hundreds of security awareness programs has taught me one thing, people are key. SANS Securing the Human, August 24, 2017

Cyber Warning

Ransomware Hiding in Word Files Seen Targeting Education, Healthcare Industry: Researchers observed a new, albeit small and selective ransomware campaign earlier this month targeting both education and healthcare verticals. ThreatPost, August 25, 2017

Cyber Law

Eighth Circuit Affirms Dismissal of Scottrade Data Breach Suit: The United States Court of Appeals for the Eighth Circuit recently affirmed the district court’s dismissal of a putative class action brought by customers of the brokerage firm Scottrade in the wake of an alleged data breach impacting Scottrade in 2013. Alston & Bird Privacy & DataBlog, August 25, 2017

Cyber Talent

7 Tips for Recruiting the Infosec Talent You Need Now: New ways to attract job candidates and keep them around. BankInfoSecurity, August 23, 2017

Cyber Security in Society

Cyber Crime

Cryptocurrency Ethereum Cyber Fraud Has Cost Victims $225 Million This Year, Says Report: Here’s another reason to be leery of the initial coin offerings being done at a staggering pace in the cryptocurrency world: there’s a one-in-10 chance you’ll end up a victim of theft. Bloomberg Technology, August 23, 2017

The HBO hackers just sent us the end of ‘Game of Thrones’ Season 7: The so-called Mr. Smith hacking group that’s responsible for stealing approximately 1.5 terabytes of data from HBO just released what they’re calling the sixth wave of leaks — and it just so happens this data dump contains what they claim is the end to Season 7 of Game of Thrones. Mashable Technology, August 25, 2017

Cyber Privacy

DoJ Subject to Strict Judicial Oversight in Anti-Trump Site Investigation: A US judge has ruled that the Department of Justice (DoJ) must operate under strict court oversight when searching data associated with an anti-Trump website to find a group of alleged rioters. InfoSecurityGroup, August 25, 2017

Know Your Enemy

Zero-Day Broker Zerodium Offers $500K for Encrypted Messaging Exploits: There’s another option for governments trying to overcome the end-to-end encryption barrier: buy a zero-day software exploit. BankInfoSecurity, August 24, 2017

How lower barriers and increased profits have led to a surge in cybercrime ... And what you need to do: Nowadays, nearly all crimes have an element of cyber to them and we’re seeing more ‘traditional’ criminals get into the cybercrime industry. CSO, August 25, 2017

No coding skills required: Android app allows wannabe cybercriminals to build custom ransomware: A free tool available on hacking forums allows budding hackers to build their own Android ransomware simply by filling out a few forms. ZDNet, August 25, 2017

Cyber Gov

Government ranks near bottom in cybersecurity review of 18 critical industries: Data breaches and hacks of US government networks, once novel and shocking, have become a problematic fact of life over the past few years. Wired, August 24, 2017

Critical Infrastructure

Is the Power Grid Getting More Vulnerable to Cyber Attacks?: Rising computerization opens doors for increasingly aggressive adversaries, but defenses are better than many might think. Scientific American, August 23, 2017

Internet of Things

Industrial Collaboration Robots (Cobots) Highly Vulnerable to Hacking, Says New Report: Researchers at IOActive have found nearly 50 vulnerabilities in industrial collaborative robots, machines that work side-by-side with people in manufacturing and other settings, that can be abused to possibly cause physical harm to workers, or even configured to spy on their surroundings. ThreatPost, August 22, 2017

Cyber Enforcement

The Imperfect Crime: How Blockchain Might Lead to the WannaCry Hackers: Even if they can exchange their ransom, the criminals will have a hard time accessing their money anonymously. Scientific American, August 16, 2017

Cyber Sunshine

Chinese national arrested for allegedly using malware linked to OPM hack: A Chinese national was arrested in Los Angeles this week on charges he used a rare type of computer malware that was also deployed to access millions of sensitive U.S. records from the Office of Personnel Management. The Washington Post, August 24, 2017

Accused ‘Hacker for Hire’ for Russia Pleads Not Guilty: Canadian allegedly aided Russians who perpetrated massive Yahoo data breach. BankInfoSecurity, August 24, 2017

Cyber Miscellany

Quantum Internet Is 13 Years Away. Wait, What’s Quantum Internet?: A year ago this week, Chinese physicists launched the world’s first quantum satellite. Wired, August 15, 2017

SecureTheVillage Calendar

National Assn of Corporate Directors — Southern California Chapter: Join SecureTheVillage and Citadel President Stan Stahl, the National Cyber Forensics Training Alliance (NCFTA) CEO and former secret service agent Matt Lavigna, Apria Healthcare’s CISO Jerry Sto. Thomas and former SaaS CEO and PwC Partner, Bob Zukis. Learn about Southern California’s unique risks and local efforts to fight cybercrime. September 6, Noon Luncheon, California Club.

PIHRA: Information Security Awareness: The Cyber Tsunami!: Citadel’s Kimberly Pease will facilitate a discussion of (i) steps to take to protect a company’s information from hackers and cyber criminals; (ii) tips to protect yourselves as consumers; (iii) understanding who the criminals are and why you are a target; (iv) real stories and scary examples that could happen to you. September 20, 7:30 – 9:30, The City Club

SecureTheVillage: Financial Services Cybersecurity Roundtable: The Financial Services Cybersecurity Roundtable is a cross-organizational, cross-functional “learning community” committed to working together to better protect our community from bank fraud, credit card theft, identity theft and other forms of cyber crime. September 22, 7:30 – 10:00, Grandpoint Bank

SecureTheVillage: San Fernando Valley-East (Pasadena / Glendale) Cybersecurity Roundtable: The San Fernando Valley-East (Pasadena / Glendale) Cybersecurity Roundtable is designed to support communication and collaboration between C-Suite executives, IT managers, and cybersecurity experts. The San Fernando Valley-East Roundtable is intended for both for-profit and nonprofit organizations. The Roundtable functions as a cross-organizational “learning community” committed to working together to better protect our community from cybercrime. September 28, 7:30 – 10AM. Datastream, Glendale.

Glendale Tech Week: SecureTheVillage and Citadel President Stan Stahl will join Louie Sadd, Datastream Managing Partner and SecureTheVillage Leadership Council member, and other cybersecurity panelists. October 12, 10:00 – 11:00, Glendale Central Library.

SecureTheVillage: Cybersecure Los Angeles 2017 — Get Cyber Prepared: SecureTheVillage joins UCLA Extension for its first cybersecurity conference. Learn from leading information security professionals and law enforcement, including: information security providers, cyber-insurance, financial services, law, the FBI, LA County District Attorney’s Office, and more. Leave with SecureTheVillage’s Information Security Management and Leadership ResourceKit: A practical guide for implementing an information security management and leadership program in your organization. October 19, 9:00 – 2:00, UCLA Extension, Figueroa Courtyard


Cyber Security Vulnerability and Patch Report, August 20, 2017

From our friends at Citadel Information Group

Important Security Updates

1Password: 1Password has released version 4.6.9.90. Updates are available from 1Password’s website.

Google Chrome: Google has released Google Chrome version 60.0.3112.101. Updates are available from within the browser or from Google Chrome’s website.

Mozilla Firefox: Mozilla has released version 55.0.2. Updates are available within the browser or from Mozilla’s website.

Piriform CCleaner: Piriform has released version 5.33.6162 for CCleaner. Updates are available from Piriform’s website.

Current Software Versions

Adobe Flash 26.0.0.151

Adobe Reader DC 2017.012.20093

Dropbox 32.4.23 [Citadel warns against relying on the security of Dropbox or other cloud-based file exchange systems. We recommend that files containing sensitive information be independently encrypted with a program like AxCrypt; that encryption keys be at least 15 characters long; and that the master Dropbox (or other) password be at least 15 characters long and different from other passwords.]

Firefox 55.0.2 [Windows]

Google Chrome 60.0.3112.101

Internet Explorer 11.0.9600.18763

Java SE 8 Update 144 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

Microsoft Edge 40.15063.0.0

QuickTime 7.7.9 [Citadel recommends removing QuickTime. On April 14, 2016 US-CERT advised Microsoft Windows users to remove QuickTime. This followed a report in ars technica that Apple has no plans to update the Windows app despite at least two reliable QuickTime vulnerabilities that threaten Windows users who still have the program installed.]

Safari 10.1.2 [Mac OS X Mavericks, Yosemite, El Capitan]

Skype 7.39.0.102

For Your IT Department

Cisco Multiple Products: Cisco has released updates to address vulnerabilities in Virtual Network Function Element Manager, Application Policy Infrastructure, TelePresence Video Communication, Ultra Services Platform, Ultra Services Framework, Unified Communications Manager, Star OS for ASR 5000 Series Routers, Elastic Services Controller, Security Appliances, RV340, RV345 and RV345P Dual WAN, Policy Suite, Prime Infrastructure, AnyConnect WebLaunch and others. Apply updates. Additional details are available at Cisco’s website.

*******************

If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customers’ computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Copyright © 2017 Citadel Information Group. All rights reserved.

The post Weekend Vulnerability and Patch Report, August 20, 2017 appeared first on Citadel Information Group.


Cyber Security Vulnerability and Patch Report, August 13, 2017

From our friends at Citadel Information Group

Important Security Updates

Adobe Flash Player: Adobe has released version 26.0.0.151. Updates are available from Adobe’s website. To see which version you have, go to Adobe’s web page.

Adobe Reader: Adobe has released version 2017.012.20093. Updates are available through the program’s Help menu/Check for Updates or from Adobe’s website. There is also an update for Acrobat.

Avira Antivirus: Avira has released version 15.0.29.32 of its free Antivirus and Pro. Updates are available from Avira’s website.

Dropbox: Dropbox has released version 32.4.23 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]

LastPass: LastPass has released version 4.1.61 for its Free Password Manager. Updates are available from LastPass’ website.

Microsoft Patch Tuesday: Microsoft’s Patch Tuesday release includes updates that address dozens of vulnerabilities, some of them highly critical, in Windows operating systems, Microsoft Edge, Internet Explorer, Office, and other Microsoft products. Additional details are available at Microsoft’s website.

Mozilla Firefox: Mozilla has released version 55.0.1. Updates are available within the browser or from Mozilla’s website.

Panda Free Antivirus: Panda Free Antivirus has released version 18.03.0. Updates are available on Panda Security’s website.

Spotify: Spotify has released version 1.0.60.492. Updates are available on Spotify’s website.

Current Software Versions

Adobe Flash 26.0.0.151

Adobe Reader DC 2017.012.20093

Dropbox 32.4.23 [Citadel warns against relying on security of Dropbox or other cloud-based file exchange systems. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the master Dropbox [or other] password be at least 15 characters long and different from other passwords.]

Firefox 55.0.1 [Windows]

Google Chrome 60.0.3112.90

Internet Explorer 11.0.9600.18763

Java SE 8 Update 144 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

Microsoft Edge 40.15063.0.0

QuickTime 7.7.9 [Citadel recommends removing QuickTime. On April 14, 2016 US-CERT advised Microsoft Windows users to remove QuickTime. This followed a report in ars technica that Apple has no plans to update the Windows app despite at least two reliable QuickTime vulnerabilities that threaten Windows users who still have the program installed.]

Safari 10.1.2 [Mac OS X Mavericks, Yosemite, El Capitan]

Skype 7.39.0.102

For Your IT Department

Cisco Multiple Products: Cisco has released updates to address vulnerabilities in WebEx, and others. Apply updates. Additional details are available at Cisco’s website.

VMware: Cisco has released updates to address vulnerabilities in VMware NSX-V Edge. Additional details are available at VMware’s website.

*******************

If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.

If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.


The post Weekend Vulnerability and Patch Report, August 13, 2017 appeared first on Citadel Information Group.


Cyber Security News for the Week, August 6, 2017

Cyber Security News

from our friends at Citadel Information Group

Individuals at Risk

Cyber Privacy

Google wants to track you in real life – privacy group says, ‘No way!’: There’s a long-term marketing bugaboo that Google has plans to fix: how to convince its clients that their ad dollars are turning into sweet payola. NakedSecurity, August 4, 2017

Cyber Defense

Mozilla sets up private, encrypted file sharing service for large files: Mozilla has launched an online service for private sharing of encrypted files between two users. It’s called Send, and it’s meant to ensure users’ shared files do not remain online forever. HelpNetSecurity, August 4, 2017

Flash Player is Dead, Long Live Flash Player!: Adobe last week detailed plans to retire its Flash Player software, a cross-platform browser plugin so powerful and so packed with security holes that it has become the favorite target of malware developers. To help eradicate this ubiquitous liability, Adobe is enlisting the help of Apple, Facebook, Google, Microsoft and Mozilla. But don’t break out the bubbly just yet: Adobe says Flash won’t be put down officially until 2020. KrebsOnSecurity, August 2, 2017

Backup and Recovery – Securing the Human: If you use a computer or mobile device long enough, sooner or later something will go wrong, resulting in you losing your personal files, documents, or photos. For example, you may accidentally delete the wrong files, have a hardware failure, lose a device, or become infected with malware, such as ransomware. At times like these, backups are often the only way you can rebuild your digital life. In this newsletter, we explain what backups are, how to back up your data, and how to develop a simple strategy that’s right for you. SANS, August 2017

Cyber Warning

iOS users beware: You’re the biggest target for mobile phishing attacks: Phishing continues to be a problem, and attacks are moving away from the email inbox. A new report found that iOS is the biggest target, with most attacks coming from game apps. TechRepublic, August 4, 2017

How Cyber Criminals Are Targeting You Through Text Messages: Cyber criminals are increasingly targeting victims through a text message scam called “smishing” that can infect your smartphone and let thieves steal your personal information. NBC, July 20, 2017

Information Security Management in the Organization

Information Security Management and Governance

How to Budget Cybersecurity Spending At Your Firm: Businesses understand today that poor cybersecurity protocols are not just a security risk, but a financial and reputational risk which can cost firms greatly whether through a data breach or ransomware. As a result, global cybersecurity spending is set to reach new highs in 2017, with global spending on informational security to reach $90 billion in 2017 and $113 billion by 2020. AccountingWeb, August 4, 2017

Separation of duties and IT security: Muddied responsibilities create unwanted risk and conflicts of interest. New regulations such as GDPR now require that you pay more attention to roles and duties on your security team. CSO, August 3, 2017

Cyber Warning

Business Email Compromise: The Cybercrime Scheme That Attacks Email Accounts And Your Bank Accounts: Cybercrime is ever present, and there is one particular fraud we all should be aware of—particularly anyone who sends or receives bank wiring instructions or the funds themselves. The fraud involves the hacking or impersonating of email accounts, it might be called business email compromise (BEC) fraud, CEO fraud, or CFO fraud, and it demonstrates that criminal participants are infinitely adaptable in pursuit of profitable schemes. Cybercrime is not always a technical attack, but often about social engineering—tricking a person into performing an action—which means we need to stay informed, be alert, and exercise sound judgment. Huffington Post, August 3, 2017

Cyber Defense

Amazon reaches out to AWS customers with bad security before the crooks do: We’ve read plenty of stories recently about the accidental exposure of data stored in the cloud because of users’ poor configuration choices. NakedSecurity, August 4, 2017

New Survey. Same Old Story. Poor Network Security Hygiene & Inadequate User Awareness Makes it Easy for Hackers: The level of security of Wi-Fi networks and user awareness regarding information security has fallen significantly; a Positive Technologies security audit says mostly due to common vulnerabilities not needing much skill to implement. SC Magazine, August 4, 2017

Cyber Talent

What Women in Cybersecurity Really Think About Their Careers: New survey conducted by a female security pro of other female security pros dispels a few myths. DarkReading, August 4, 2017

Cyber Security in Society

Cyber Crime

Someone has emptied the ransom accounts from the WannaCry attack: For months, the ransom money from the massive WannaCry cyberattack sat untouched in online accounts. Now, someone has moved it. CNN, August 3, 2017

Cyber Attack

Spoiler Alert: Hackers Are Gunning for Hollywood (Guest Column): The 2014 hack at Sony Pictures Entertainment was a watershed moment for the entertainment industry. This week, yet another targeted attack — this one against HBO — reminds us that cybercriminals continue to target Hollywood. Variety, August 4, 2017

HBO Hack: New Threat Promises Emails to Be Released Sunday: An email purported to be from the hacker or hackers behind the HBO breach is making a fresh wave of threats against the network. While the sender of the email, received by The Hollywood Reporter, appeared to use a pseudonym, the sender offered evidence of hacked materials to buttress the claim. Hollywood Reporter, August 3, 2017

HBO says full email system likely not compromised in data breach: HBO is the latest victim of a large-scale security breach, and the company is still investigating just how big it is. CNN, August 3, 2017

HBO Hack: Insiders Fear Leaked Emails as FBI Joins Investigation: The company is reeling from a sophisticated cyberattack that potentially compromised seven times the amount of data stolen in the Sony hack as the FBI investigates potential culprits. Hollywood Reporter, August 2, 2017

HBO hacked: Upcoming episodes, Game of Thrones data leaked online: HBO has joined the ranks of Hollywood entertainment companies to suffer a major cyber attack. Entertainment Weekly, July 31, 2017

Cyber Freedom

DEF CON Hackers Got Into Many Voting Machines and an E-Poll Book: How long will defenders of America’s electronic voting systems ignore the present danger hacking presents to U.S. elections? Alternet, August 2, 2017

“White Hat” Hackers easily break into voting machines at security conference: When the password for a voting machine is “abcde” and can’t be changed, the integrity of our democracy might be in trouble. CNet, July 30, 2017

National Cyber Security

States Take a Comprehensive Approach to Improving Cybersecurity: The National Governors Association has been focused on engaging states when it comes to cybersecurity, and now a multistate compact stands as another positive sign of progress. Government Technology, August 3, 2017

White House officials tricked by email prankster: (CNN) A self-described “email prankster” in the UK fooled a number of White House officials into thinking he was other officials, including an episode where he convinced the White House official tasked with cyber security that he was Jared Kushner and received that official’s private email address unsolicited. CNN, August 1, 2017

Internet of Things

New Bill Seeks Basic IoT Security Standards: Lawmakers in the U.S. Senate today introduced a bill that would set baseline security standards for the government’s purchase and use of a broad range of Internet-connected devices, including computers, routers and security cameras. The legislation, which also seeks to remedy some widely-perceived shortcomings in existing cybercrime law, was developed in direct response to a series of massive cyber attacks in 2016 that were fueled for the most part by poorly-secured “Internet of Things” (IoT) devices. KrebsOnSecurity, August 1, 2017

Cyber Research

Arrest of WannaCry researcher sends chill through security community: The Wednesday arrest of cybersecurity researcher Marcus Hutchins is sending chills through the cyber community. The Hill, August 4, 2017

SecureTheVillage Calendar

Cyber Security Awareness Presented by Marcum LLP, DiamondIT, LBW Insurance & Citadel Information Group: Speakers Include: David Rice, COO of DiamondIT; Stan Stahl, President of Citadel Information Group / President of SecureTheVillage; Howard Miller, Senior Vice President of LBW Insurance. Event Date: August 10, 2017, 4 – 7 PM.

SecureTheVillage Financial Services Cybersecurity Roundtable: The Financial Services Cybersecurity Roundtable is a cross-organizational, cross-functional “learning community” committed to working together to better protect our community from bank fraud, credit card theft, identity theft and other forms of cyber crime. Event Date: August 11, 2017, 7:30 – 10AM

SecureTheVillage: San Fernando Valley-East (Pasadena / Glendale) Cybersecurity Roundtable: The San Fernando Valley-East (Pasadena / Glendale) Cybersecurity Roundtable is designed to support communication and collaboration between C-Suite executives, IT managers, and cybersecurity experts. The San Fernando Valley-East Roundtable is intended for both for-profit and nonprofit organizations. The Roundtable functions as a cross-organizational “learning community” committed to working together to better protect our community from cybercrime. Event Date: August 17, 2017, 7:30 – 10AM

The post Cyber Security News of the Week, August 6, 2017 appeared first on Citadel Information Group.


Cyber Security News for the Week, July 30, 2017

Cyber Security News

from our friends at Citadel Information Group

Individuals at Risk

Cyber Privacy

Crossing the U.S. Border? Here’s How to Securely Wipe Your Computer: Many people crossing the U.S. border are concerned about the amount of power that the government has asserted to search and examine travelers’ possessions, including searching through or copying contents of digital devices, like photos, emails, and browsing history. The frequency of these intrusive practices has been increasing over time. Electronic Frontier Foundation, July 26, 2017

“Perverse” malware infecting hundreds of Macs remained undetected for years: A mysterious piece of malware that gives attackers surreptitious control over webcams, keyboards, and other sensitive resources has been infecting Macs for at least five years. The infections—known to number nearly 400 and possibly much higher—remained undetected until recently and may have been active for almost a decade. ars technica, July 24, 2017

Cyber Update

Bug in top smartphones could lead to unstoppable malware, researcher says: A recently patched bug found in the chips used to provide wifi in iPhones, Samsung Galaxies and Google Nexus devices could be used to build malware which jumps unstoppably from device to device, according to Nitay Artenstein, the researcher who discovered the flaw. The Guardian, July 27, 2017

Cyber Defense

Going on holiday? Here are our tips for a security-minded trip: With August looming, we at Naked Security won’t be the only ones getting ready to head off on holiday, so with the beach in mind, we’ve come up with some tips to help you plan a safer summer holiday (and with apologies to our readers in the southern hemisphere winter!) Naked Security, July 28, 2017

How to guard against identity theft and bank fraud: Reports of data breaches involving credit card networks at stores and hotels seem to be increasing. So maybe it’s not surprising that consumers are worrying more about it happening to them, and what it might mean. Consumer Affairs, July 27, 2017

NIST Has Spoken – Death to Entropy, Long Live the Passphrase!: NIST has spoken, and I could not be more excited. For years the security community has inflicted one of the most painful behaviors to date, the dreaded, complex password. I’ve watched many times in horror as security researchers made fun of ordinary computer users for using simple passwords, often calling out hacked databases of passwords and bemoaning what is wrong with the world. In reality, these very same people should have taken the time to look in the mirror and see what they were inflicting on others. SANS, July 27, 2017

Information Security Management in the Organization

Information Security Management and Governance

CSO survey: 61% of boards still see security as IT issue rather than corporate governance issue: The past year has been tough for enterprise security teams. Attacks like Petya and NotPetya suggest that the impact scale is increasing dramatically. The recent leak of government-developed malware and hoarded vulnerabilities has given cybercriminals greater capabilities. IT is struggling to keep pace with the flow of important security software patches and updates, and the continued adoption of new technologies like the internet of things (IoT) creates new vulnerabilities to contend with. CSO, July 28, 2017

Cyber Defense

How the DHS responds to cyberthreats, and what businesses can learn: Any organization can fall victim to cybercrime. Learn how the DHS deals with threats and how to apply their response plan to your business. TechRepublic, July 27, 2017

Facebook’s Stamos preaches defensive security research in Black Hat keynote: LAS VEGAS — Black Hat 2017 marks the 20th anniversary of the conference and during the show’s opening keynote, Facebook CSO Alex Stamos urged the community to take advantage of the voice it had and focus on bigger problems than just those that make good presentations and to expand that focus beyond traditional defensive security efforts. SearchSecurity, July 26, 2017

Cyber Career

How to Build a Path Toward Diversity in Information Security: Hiring women and minorities only addresses half the issue for the IT security industry — the next step is retaining these workers. DarkReading, July 27, 2017

Cyber Security in Society

Cyber Crime

Google Study Quantifies Ransomware Profits: LAS VEGAS—Over the past two years, 35 unique ransomware strains earned cybercriminals $25 million, with Locky and its many variants being the most profitable. ThreatPost, July 27, 2017

Cyber Defense

State Attorneys General Appear in Anti-Piracy PSA Campaign: WASHINGTON, D.C. — A group of 15 state attorneys general have launched a public service campaign to warn consumers about the risk of malware from visiting piracy sites. Variety, July 25, 2017

Cyber Espionage

Iranian hackers used female ‘honey pot’ on social media to lure targets, finds new research: Hackers believed to be working for the Iranian government have impersonated a young female photographer on social media for more than a year, luring men working in industries strategically important to Tehran’s regional adversaries, according to new research. The Independent, July 28, 2017

Know Your Enemy

North Korea hackers ‘want cash not secrets’: North Korean hackers are increasingly trying to steal cash rather than secrets, a South Korean government-backed report suggests. BBC, July 28, 2017

The rise and rise of Cybercrime as a Service: When cybercriminals wanted to launch cyberattacks, they once had to know how to code. No longer. Bad actors can now search among any number of underground online sites to buy or lease potent cyberweapons. CSO, July 27, 2017

The Lazy Habits of Phishing Attackers: Most hackers who phish accounts do little to hide their tracks or even mine all of the data they can from phished accounts, mostly because they can afford to be lazy. DarkReading, July 27, 2017

It’s a myth that most cyber-criminals are ‘sophisticated’: News reports and pop culture continually paint cyber-criminals as cunning and devious hackers, with almost magical computer skills. Is that actually true? BBC, July 26, 2017

Cyber Freedom

“White Hat” Hackers Scour Voting Machines for Election Bugs: LAS VEGAS — Hackers attending this weekend’s Def Con hacking convention in Las Vegas were invited to break into voting machines and voter databases in a bid to uncover vulnerabilities that could be exploited to sway election results. The New York Times, July 28, 2017

U.S. elections are an easier target for Russian hackers than once thought: When Chris Grayson pointed his Web browser in the direction of Georgia’s elections system earlier this year, what he found there shocked him. The LA Times, July 28, 2017

Over 100 cybersecurity and voting experts advise Congress on securing U.S. elections: More than 100 cybersecurity and voting experts are urging the government to make the U.S. voting system more secure. CNN, June 21, 2017

Cyber Government

IRS fails to resolve dozens of information security deficiencies, GAO says: The IRS’s ability to protect sensitive financial and taxpayer data is limited by its failure to resolve numerous information security deficiencies identified by the Government Accountability Office (GAO). The Hill, July 27, 2017

Financial Cyber Security

Hackers are making their online bank-fraud malware more powerful by copying WannaCry and Petya ransomware tricks: Hackers responsible for one of the most common forms of banking Trojans have learned lessons from the global WannaCry ransomware outbreak and the Petya cyberattack, and have equipped their malware with a worm propagation module to help it spread more efficiently. ZDNet, July 28, 2017

HIPAA

HIPAA “Wall of Shame” Gets Update from OCR: Yesterday, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced the launch of a newly revised HIPAA Breach Reporting Tool. The tool, commonly referred to as the “Wall of Shame,” is a publicly available listing of reported breaches of unsecured protected health information (“PHI”) affecting 500 or more individuals. National Law Review, July 27, 2017

Critical Infrastructure

Should you stay awake at night worrying about hackers on the grid?: Analysis The energy sector across multiple Western countries is under intensified assault by hackers. Security experts warn that industrial systems are wide open to potential exploit once hackers secure a foothold, the most difficult part of the hacking process, using targeted phishing or similar tactics. The Register, July 28, 2017

Researchers Release Free Tool to Analyze ICS Malware: CrashOverride/Industroyer malware used against Ukraine’s power grid the inspiration for the reverse-engineering tool. DarkReading, July 27, 2017

Internet of Things

Will Blockchain Improve Internet of Things (IoT) Security?: Because the Internet of Things (IoT) is creating its own ecosystem, the biggest challenge for the industry is how companies secure and manage the exponential growth of decentralized endpoint devices. Unfortunately, most security experts only know how to defend against attacks from a centralized perspective. Most Chief Information Security Officers (CISO) only understand centralized networks and depend on choke points or linear cyber kill chains that focus on traditional perimeter and inbound security protocols to defend against malware, viruses and other attacks that inevitably overwhelm networks and damage servers, devices and workstations. One of the potential solutions available to improve the distributed nature of IoT security is blockchain. Forbes, July 28, 2017

Cyber Warning

Researchers at Black Hat show how hackers ‘could make car wash attack’: Researchers say they have found a way to hack an internet-enabled carwash and make it “attack” users. BBC, July 28, 2017

Cyber Enforcement

Feds Indict Russian Over BTC-e Bitcoin Exchange: Police in Greece on Tuesday arrested Alexander Vinnik, 38, for allegedly running a massive money laundering operation that processed $4 billion in bitcoins, many of which may be tied to the largest bitcoin exchange heist in history. BankInfoSecurity, July 27, 2017

The post Cyber Security News of the Week, July 30, 2017 appeared first on Citadel Information Group.

Cyber Security Vulnerability and Patch Report, July 23, 2017

From our friends at Citadel Information Group

Important Security Updates

Apple iTunes: Apple has released version 12.6.2 (64-bit and 32-bit) of iTunes. Updates are available from Apple’s website.

Apple Multiple Products: Apple has released updates in tvOS 10.2.2, iCloud for Windows 6.2.2, Safari 10.1.2, macOS Sierra 10.12.6, OS X El Capitan 10.11.6, OS X Yosemite 10.10.5, iOS 10.3.3, watchOS 3.2.3 and others. Additional details are available on Apple’s website.

Avast: Avast! Free Antivirus has released version 17.5.2303. Updates are available on Avast’s website. Avast! has also released updates for Premier Antivirus, Pro Antivirus and Internet Security.

Opera: Opera has released version 46.0.2597.57. Updates are available from within the browser or from Opera’s website.

Oracle Java: Oracle has released Java SE 8 Update 141. The update is available through Windows Control Panel or Java’s website. [See Citadel’s recommendation below]

Current Software Versions

Adobe Flash 26.0.0.137

Adobe Reader DC 17.009.20044

Dropbox 30.4.22 [Citadel warns against relying on security of Dropbox or other cloud-based file exchange systems. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the master Dropbox [or other] password be at least 15 characters long and different from other passwords.]

Firefox 54.0.1 [Windows]

Google Chrome 59.0.3071.115

Internet Explorer 11.0.9600.18739

Java SE 8 Update 141 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]

Microsoft Edge 40.15063.0.0

QuickTime 7.7.9 [Citadel recommends removing QuickTime. On April 14, 2016 US-CERT advised Microsoft Windows users to remove QuickTime. This followed a report in ars technica that Apple has no plans to update the Windows app despite at least two reliable QuickTime vulnerabilities that threaten Windows users who still have the program installed.]

Safari 10.1.2 [Mac OS X Mavericks, Yosemite, El Capitan]

Skype 7.38.0.101

For Your IT Department

Cisco Multiple Products: Cisco has released updates to address vulnerabilities in SNMP, WebEx, Web Security Appliance, Prime, ASR 5000 Series and others. Apply updates. Additional details are available at Cisco’s website.
