Weekend Vulnerability & Patch Report, June 26, 2011

The following software updates were released last week. Citadel Information Group strongly recommends that readers upgrade these programs on their computers.

Apple Mac OS X 10.6.8 and Security Update 2011-004: These updates address upwards of 25 security vulnerabilities. Updates are available at Apple’s Download Site.

BlackBerry Tablet OS: Vulnerabilities have been identified in the Blackberry Tablet OS versions 1.0.5.2342 and prior. These vulnerabilities are part of the Adobe Flash Player bundled with the OS. Users should upgrade to version 1.0.6 or later.

Mozilla Firefox 5.0 and Firefox 3.6.18: Mozilla has released Firefox 5.0. This new version fixes several vulnerabilities including the one we alerted readers to last week. Mozilla also released Firefox 3.6.18 for users still on the Firefox 3 platform. Users can update from “Help > About Firefox.”

Nitro PDF 2.0.0.29: Nitro PDF released an update to its popular PDF reader. Users can update from “Help > Check for Updates.”

Other Warnings

WordPress Plugins: WordPress has announced that several compromised plugins were distributed containing a backdoor. The compromised files were distributed on or before June 21st. Readers having websites built in WordPress should refer their web developer to the announcement on WordPress’ Blog.

Newly Announced Unpatched Vulnerabilities (Zero-Days)

None

Important Unpatched Zero-Day Vulnerabilities.

ACDSee Photo: Several highly critical zero-day vulnerabilities have been identified in various ACDSee photo products. Zero-day vulnerabilities have been identified in FotoSlate, Photo Editor 2008, and Picture Frame Manager. No patches are available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 12.

Apple Safari 5.x: The critical zero-day vulnerability in Safari 5.x continues to be unpatched. We continue to consider Safari unsafe for browsing. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 18.

Google Chrome 11.x: A highly critical zero-day vulnerability has been identified in Google Chrome, version 11.x. No patch is available at this time. Readers are urged to upgrade to version 12.0.742.91 or later. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 12.

HTC Mobile Devices: The zero-day security vulnerability in the default Twitter application (Peep) in HTC products remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11.

Microsoft Word: A highly critical zero-day vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19.

Microsoft Office for Mac: A highly critical zero-day vulnerability has been discovered in Microsoft Office for the Mac which can be exploited by cyber criminals to take control of a user’s computer. Security updates are currently unavailable. We first alerted readers to this vulnerability in Weekend Vulnerability & Patch Report, May 13, 2011.

Microsoft Reader: The highly critical zero-day vulnerability in Microsoft Reader, versions 2.x, remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15.

PDF-Pro: Several highly critical zero-day vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4.

Symantec Mail Security: Multiple highly critical zero-day vulnerabilities have been reported in Symantec Mail Security. Systems affected include Symantec Mail Security for Microsoft Exchange 6.x, Domino 7.x and Domino 8.x. No patches are available at this time. Readers in corporate environments using Microsoft Exchange or Domino are urged to forward this notice to their IT personnel so they may take appropriate action. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 12.

If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.

If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they will issue an update patch to fix the code running in their customer’s computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Stan Stahl Ph.D., June 26, 2011. Filed in Security Alert: Vulnerability Management.

Cyber Security News of the Week, June 26, 2011

Cyber Security Management

Dropbox Left User Accounts Unlocked for 4 Hours Sunday: At a time when hackers are on a tear looting information willy-nilly from insecure sites on the Web, Dropbox did the unthinkable Sunday — it allowed anyone in the world to access any one of its 25 million customers’ online storage lockers — simply by typing in any password. Dropbox, one of the most popular ways to share and sync files online, says the accounts became unlocked at 1:54pm Pacific time Sunday when a programming change introduced a bug. The company closed the hole a little less than 4 hours later. Wired, June 20, 2011
One more reason we strongly recommend users encrypt all sensitive information transferred via Dropbox and similar services.

Online Privacy

Facebook Facial Recognition: Why It’s a Threat to Your Privacy: Facebook facial recognition is more than just creepy. It has enormous potential for dangerous misuse of facial recognition data, and Facebook has a long record of misusing all sorts of data. CIO, June 20, 2011

Securing the Future

Senator: New Cybersecurity Regulations Needed for Banks: Current regulations aren’t enough to warn customers and protect them against data breaches at financial institutions, one U.S. senator said during a hearing Tuesday. PC World, June 21, 2011

Rays of Sunshine

UK police make arrest in hacking attacks: A 19-year-old man has been arrested on suspicion of involvement with cyber attacks on Sony and the CIA website, British police said Tuesday. LA Times, June 21, 2011

FBI Scrubbed 19,000 PCs Snared By Coreflood Botnet: The FBI has scrubbed some 19,000 PCs that were infected with the Coreflood bot malware, the agency told a federal court last week. The effort is part of an ongoing and unprecedented legal campaign to destroy one of the longest-running and most menacing online crime machines ever built. KrebsOnSecurity, June 21, 2011

Suspected LulzSec player arrested, in custody in London: The day the authorities have been waiting for is finally here: A possible LulzSec leader has been arrested. He is 19-years-old and was arrested in Essex, England thanks to a cooperative effort between FBI and Scotland Yard. ZDNet, June 21, 2011

Feds bust ‘scareware’ ring accused of making $72 million by selling phony anti-virus software: There’s big money in scaring people into thinking they have a nasty computer virus. But you might also scare up a visit from international police. On Wednesday the U.S. Department of Justice, the FBI and cooperating overseas agencies said they had indicted two Latvians accused of running a “scareware” ring, infecting the computers of 960,000 users with phony anti-virus software. LA Times, June 22, 2011

Business at Risk

Ponemon Institute Survey Finds 90 Percent of Businesses Fell Victim to Cyber Security Breach at Least Once in the Past 12 Months: A survey of US IT and IT Security professionals, conducted independently by Ponemon Institute and sponsored by Juniper Networks found the threat from cyber attacks today is nearing statistical certainty and businesses of every type and size are vulnerable to attacks. The Wall Street Journal, June 22, 2011

Cyber Defense

Shortage of adequately trained cyber pros puts US at risk: In testimony this year before the Senate Judiciary Committee’s Crime and Terrorism Subcommittee, Gordon Snow, assistant director of the FBI’s Cyber Division, said the number and sophistication of cyberattacks have increased dramatically during the past five years and are expected to continue to grow. Although that paints a pretty bleak picture, what he said next caught the attention of cybersecurity professionals around the world. “The threat has reached the point that given enough time, motivation and funding, a determined adversary will likely be able to penetrate any system that is accessible directly from the Internet,” he said. Defense Systems, June 22, 2011

Information at Risk

LulzSec computer hackers release Arizona state files: WASHINGTON — Computer hackers who have hit the websites of the CIA, US Senate, Sony and others have released hundreds of documents from the Arizona Department of Public Safety (AZDPS) in their latest cyberattack. AFP, June 24, 2011

Cyberattacks Hit Brazil Government Websites; Data Secure: SAO PAULO -(Dow Jones)- Key Brazilian government websites have suffered a series of cyberattacks, with the worst occurring in the early morning hours Friday, but there is no evidence of any data loss, a government spokesman said. NASDAQ, June 24, 2011

Report: IRS databases with taxpayer data vulnerable to hackers: Thousands of Internal Revenue Service databases that hold sensitive taxpayer information use outdated security software, leaving them vulnerable to hackers, according to a government office that monitors the IRS. LA Times, June 23, 2011

EA confirms customer data stolen: Electronic Arts has confirmed that one of its server systems was breached and customer information was stolen and said this week that it’s continuing to investigate the intrusion. Cnet, June 24, 2011

Internet Badlands

$72M Scareware Ring Used Conficker Worm: Authorities seized computers and servers in the United States and seven other countries this week as part of an ongoing investigation of a hacking gang that stole $72 million by tricking people into buying fake anti-virus products. Police in Ukraine said the thieves fleeced unsuspecting consumers with the help of the infamous Conficker worm, although it remains unclear how big a role the fast-spreading worm played in this crime. KrebsOnSecurity, June 23, 2011

Inside LulzSec: Chatroom logs shine a light on the secretive hackers: It was a tight-knit and enigmatic group finding its feet in the febrile world of hacker collectives, where exposing and embarrassing your targets is just as important as protecting your own identity. But leaked logs from LulzSec’s private chatroom – seen, and published today, by the Guardian – provide for the first time a unique, fly-on-the-wall insight into a team of audacious young hackers whose inner workings have until now remained opaque. The Guardian, June 24, 2011

Sega hacked: LulzSec promise to destroy hackers responsible: After games industry titan Sega last week revealed that a recent cyber attack on its network left 1.29 million of its customers’ personal data compromised, the hacker collective LulzSec has promised to “destroy” those responsible for the hack. International Business Times, June 20, 2011

Hacking Group Lulz Security Says It Is Ending Spree: Lulz Security, a group of hackers who have tormented corporations and government agencies, said Saturday that it would stop its spree, 50 days after it first started attacks. The New York Times, June 25, 2011

LulzSec Strikes Brazil Again; Petrobras Denies Being Hacked: The Brazilian arm of the global computer hacker collective, LulzSec, struck again this weekend, this time invading and accessing data of government controlled oil major Petrobras, according to LulzSec. Forbes, June 25, 2011

Virtual Currency

Inside the Mega-Hack of Bitcoin: the Full Story: The storm had been building for over a week now. Last Monday at around 5 p.m. 25,000 Bitcoins were transferred from 478 accounts on the currency’s largest exchange — Mt. Gox. But that was just the beginning. Now Mt. Gox is admitting to a major breach and has shut down, in an unprecedented action. In all, approximately $8.75M USD worth of Bitcoins appear to have — at least temporarily — been stolen in the intrusion. Daily Tech, June 19, 2011

Bank Security

Banks, Finance Firms Targeted by Europe Union in Crackdown on Data Privacy: Banks will be among companies forced to notify authorities of “serious” leaks of customer data in a crackdown after hackers targeted Sony Corp. (6758) and Sega Sammy Holdings Inc. (6460), the European Union’s top privacy official said. Bloomberg, June 20, 2011

Can You Prevent Hackers from Taking Over Websites? Web-Site Security Basics.

I was recently asked if I had any methods to “prevent hackers” from taking over websites.

Alas. I don’t. No one does and it’s doubtful that we will ever have methods to “prevent hackers from taking over websites” any more than we could develop methods to “prevent car thieves from stealing cars.”

But, just like protecting our cars, we can protect our websites, we can make it harder for the hackers, we can improve the odds.

Here are four “basic rules” for protecting your website. They are every bit as fundamental as (i) turn off your engine, (ii) take the keys, (iii) lock the doors. They should be considered the minimum necessary for any website.

Rule 1. Follow security configuration guidelines for WordPress, Drupal or whatever content management system you’re using. Do the same for the plug-ins. And make sure the company hosting your web site has configured their server(s) following security configuration guidelines.

Rule 2. Keep your content management system updated. Install patches and new versions when they’re released. Make sure the company hosting your web site is doing the same for the server(s) on which your web site is located.

Rule 3. Always use very strong passwords for direct access to your website and the server(s) it’s located on. In today’s world, “strong” means at least 15 alpha-numeric characters, including lower case, upper case, numbers and special characters.

Rule 4. Always keep a back-up of your web site. Store this off-line, on a computer that you always have access to.

You’ll want to do more than this if your website is at all “sensitive”: if it is used for eCommerce, for example, or has a special section where you exchange information with customers or where employees can access their 401(k), or if your web site server connects with corporate servers where other sensitive information is present. In these circumstances the basics are definitely no longer adequate.

In these more sensitive situations you first need to make sure your web site conforms to whatever specific security requirements apply to it. For eCommerce, this means conforming with the Payment Card Industry’s Data Security Standard.

Second, you also want to make sure the web site is developed in accordance with a “Secure Systems Development Life-Cycle” methodology. A good starting point is the excellent work being done by the Open Web Application Security Project (OWASP), particularly their Top-10 Project. No sensitive web site should be put into production without, at the very least, testing it against the current OWASP Top-10 list.

Stan Stahl Ph.D., June 24, 2011. Filed in Citadel Information Security Guides, OWASP.

Dr. Stahl Interviewed on Bloomberg News

Stan Stahl, president of Citadel Information Group, talks about the use of virtual currency. Stahl also discusses measures the government and businesses should take to prevent hack attacks. He speaks with Emily Chang on Bloomberg Television’s “Bloomberg West.”

Stan Stahl Ph.D., June 22, 2011. Filed in Cyber Security Management.

Weekend Vulnerability & Patch Report, June 19, 2011

The following software updates were released last week. Citadel Information Group strongly recommends that readers upgrade these programs on their computers.

Adobe Acrobat & PDF Reader: Adobe issued more than a dozen security updates for Acrobat and PDF Reader programs, including a feature update that will install future updates automatically. Readers can update these programs from the program under “Help > Check for Updates.”

Adobe Flash 10.3.181.26: Adobe has issued another update for its Flash player. The update is available from Adobe’s Download Center. Users running Internet Explorer and other browsers have to install the update twice, once in IE and once in either Mozilla or Opera. If you run Google Chrome, make sure you have the latest version 12.0.742.100. This fixes the Flash vulnerability in Chrome.

Microsoft Update Fixes 34 Security Flaws: Microsoft rated more than half of these updates “critical.” Readers can check the Security section of the Windows Control Panel to make sure updates have been installed.

Newly Announced Unpatched Vulnerabilities (Zero-Days)

Microsoft Word: A highly critical zero-day vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time.

Mozilla Firefox: A non-critical zero-day vulnerability has been discovered in Firefox, version 4.0.1. Mozilla is scheduled to release an update on June 21.

Important Unpatched Zero-Day Vulnerabilities.

ACDSee Photo: Several highly critical zero-day vulnerabilities have been identified in various ACDSee photo products. Zero-day vulnerabilities have been identified in FotoSlate, Photo Editor 2008, and Picture Frame Manager. No patches are available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 12.

Apple Safari 5.x: The critical zero-day vulnerability in Safari 5.x continues to be unpatched. We continue to consider Safari unsafe for browsing. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 18.

Google Chrome 11.x: A highly critical zero-day vulnerability has been identified in Google Chrome, version 11.x. No patch is available at this time. Readers are urged to upgrade to version 12.0.742.91 or later. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 12.

HTC Mobile Devices: The zero-day security vulnerability in the default Twitter application (Peep) in HTC products remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11.

Microsoft Office for Mac: A highly critical zero-day vulnerability has been discovered in Microsoft Office for the Mac which can be exploited by cyber criminals to take control of a user’s computer. Security updates are currently unavailable. We first alerted readers to this vulnerability in Weekend Vulnerability & Patch Report, May 13, 2011.

Microsoft Reader: The highly critical zero-day vulnerability in Microsoft Reader, versions 2.x, remains unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15.

PDF-Pro: Several highly critical zero-day vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4.

Symantec Mail Security: Multiple highly critical zero-day vulnerabilities have been reported in Symantec Mail Security. Systems affected include Symantec Mail Security for Microsoft Exchange 6.x, Domino 7.x and Domino 8.x. No patches are available at this time. Readers in corporate environments using Microsoft Exchange or Domino are urged to forward this notice to their IT personnel so they may take appropriate action. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 12.

If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.

If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they will issue an update patch to fix the code running in their customer’s computers.

Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.

Stan Stahl Ph.D., June 19, 2011. Filed in Security Alert: Vulnerability Management.