The following software updates were released last week. Citadel strongly recommends that readers upgrade these programs on their computers.
Adobe Reader: Adobe has released Reader X. This follows repeated security problems with previous versions of Reader. The new Reader should be more secure than earlier versions as it has been built using advanced “sandbox” technology. You can download Reader X using the Adobe Download Manager from the Adobe Reader web site. To avoid the Download Manager with its attempt to get you to download other software as well, Windows users can download Windows Reader X here while Mac users can download Mac Reader X here.
Apple iOS: Apple has released iOS 4.2 for the iPhone, iPad and iTouch. In addition to improved performance, this update fixes several security vulnerabilities. These updates are available during synchronization.
Trend Micro: Trend Micro has released an update to OfficeScan 10.x. The update fixes a vulnerability that put users at risk of a cyber criminal taking full control of their computer.
News of Important Vulnerabilities.
Microsoft Internet Explorer: Microsoft has still not issued an update to fix a zero-day highly critical vulnerability in Internet Explorer that, according to KrebsOnSecurity.com, cyber criminals are exploiting to break into Windows computers. We suggest running the latest version of Firefox with the NoScript add-on as an alternative to IE.
If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure. If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they issue an update (a patch) to fix the code running on their customers’ computers.
The Weekend Vulnerability and Patch Report is intended to raise user awareness of cyber security challenges by alerting them to some of the week’s important vulnerability news and updates.
KrebsOnSecurity.com is reporting that Choice Escrow and Land Title, an escrow firm in Missouri, is suing its bank, BancorpSouth Inc., to recover $440,000 that organized cyber thieves stole in an online robbery earlier this year, claiming the bank’s reliance on passwords to secure high-dollar transactions failed to measure up to federal e-banking security guidelines.
The epidemic of on-line bank fraud by cyber criminals succeeds because
In our role of assisting clients with cyber security management, we have seen first-hand how too many companies (i) fail to provide effective awareness training to staff to meet the cyber crime challenge and (ii) fail to impose rigorous security requirements on the management of their IT infrastructures.
We have also had the opportunity to see first-hand how easy it is for a bank to fail to meet the standard of commercial reasonableness of its ACH security procedures.
We echo Krebs’ warning that “The attack is the latest reminder that small businesses should assume that they are completely responsible for the security of their online transactions: Businesses do not enjoy the same legal protections afforded to consumers, and thus are responsible for any losses due to cyber theft or fraud.”
The following software updates were released last week. Citadel strongly recommends that readers upgrade these programs on their computers.
Apple Safari: Apple has released Safari 5.0.3 and 4.1.3 to address multiple vulnerabilities in the Safari and WebKit packages. Because of these vulnerabilities, users are at risk of a cyber criminal taking full control of their computer. See Apple article HT4455 for more information.
Adobe Reader and Acrobat: Adobe has released security updates for Reader and Acrobat for Windows and Macintosh. These updates address multiple vulnerabilities that put users at risk of a cyber criminal taking full control of their computer. See Adobe Bulletin APSB10-28 for additional information.
Mac OS X: Apple has released Mac OS X v10.6.5 and Security Update 2010-007 to address multiple highly critical vulnerabilities in OS X. These updates are available on Apple’s Downloads page and we urge all Mac users to install them.
News of Important Vulnerabilities.
Microsoft Internet Explorer: Microsoft has still not issued an update to fix a zero-day highly critical vulnerability in Internet Explorer that, according to KrebsOnSecurity.com, cyber criminals are exploiting to break into Windows computers. We suggest running the latest version of Firefox with the NoScript add-on as an alternative to IE.
RealPlayer: RealPlayer users should make sure they are running version 14.0.1.609 or later as serious vulnerabilities have been found in some earlier versions.
WordPress: For those of you with web sites built on the popular WordPress platform, Secunia has announced that an extremely serious security vulnerability has been found in the WordPress Event Registration plug-in. (This follows the announcement last week of 6 serious WordPress vulnerabilities.) The vulnerability has the potential to allow a cyber criminal full access to any databases connected to a web site using the plug-in. Insist that your webmaster takes steps to protect any of your sensitive information that this vulnerability puts at risk. Direct your webmaster to Secunia Advisory SA42265 for more information.
If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure. If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.
US-CERT is receiving reports of an increased number of phishing scams and malicious software campaigns that take advantage of the winter holiday and holiday shopping season. We urge users to be on their guard, mindful that any email message could be part of a phishing scam or malware campaign.
Users are urged to be sensitive to:
We strongly urge users to protect themselves during the holiday season:
The New York Times Magazine: “One night in July 2003, a little before midnight, a plainclothes N.Y.P.D. detective, investigating a series of car thefts in upper Manhattan, followed a suspicious-looking young man with long, stringy hair and a nose ring into the A.T.M. lobby of a bank. Pretending to use one of the machines, the detective watched as the man pulled a debit card from his pocket and withdrew hundreds of dollars in cash. Then he pulled out another card and did the same thing. Then another, and another. The guy wasn’t stealing cars, but the detective figured he was stealing something.”
“Indeed, the young man was in the act of “cashing out,” as he would later admit. He had programmed a stack of blank debit cards with stolen card numbers and was withdrawing as much cash as he could from each account. He was doing this just before 12 a.m., because that’s when daily withdrawal limits end, and a “casher” can double his take with another withdrawal a few minutes later. To throw off anyone who might later look at surveillance footage, the young man was wearing a woman’s wig and a costume-jewelry nose ring. The detective asked his name, and though the man went by many aliases on the Internet — sometimes he was cumbajohny, sometimes segvec, but his favorite was soupnazi — he politely told the truth. “Albert Gonzalez,” he said.”
…
“Over the course of several years, during much of which he worked for the government, Gonzalez and his crew of hackers and other affiliates gained access to roughly 180 million payment-card accounts from the customer databases of some of the most well known corporations in America: OfficeMax, BJ’s Wholesale Club, Dave & Buster’s restaurants, the T. J. Maxx and Marshalls clothing chains. They hacked into Target, Barnes & Noble, JCPenney, Sports Authority, Boston Market and 7-Eleven’s bank-machine network. In the words of the chief prosecutor in Gonzalez’s case, ‘The sheer extent of the human victimization caused by Gonzalez and his organization is unparalleled.’”
Click here to read the fascinating story of master cyber-thief Albert Gonzalez.
Thanks to Dr. Andrea Belz for alerting us to this story.