-
See the Archives
- January 2012
- December 2011
- November 2011
- October 2011
- September 2011
- August 2011
- July 2011
- June 2011
- May 2011
- April 2011
- March 2011
- February 2011
- January 2011
- December 2010
- November 2010
- October 2010
- September 2010
- August 2010
- July 2010
- June 2010
- May 2010
- April 2010
- March 2010
- February 2010
- January 2010
- December 2009
- November 2009
- October 2009
- September 2009
- August 2009
- July 2009
- June 2009
- May 2009
- February 2009
-
Filter by Category
- Business at risk
- Citadel in the news
- Citadel Information Security Guides
- Citadel: Guide to Blog
- Citadel: Thinking about Security
- Cloud Security
- Combatting Cybercrime
- Consumers at risk
- Cost of Cybercrime
- Cost of Piracy
- Credit card fraud
- Culture Change
- cyber security learning community
- Cyber Security Management
- Cyber War
- events
- Financial systems security
- Future of Cyberspace
- Healthcare
- Identity theft
- Information at Risk
- Insurance
- Internet badlands
- ISSA-LA
- Law Firms
- Legal
- Miscellany
- mobile banking
- mobile internet
- Mobile Security
- national security
- Not-for-Profit
- Online Privacy
- OWASP
- Privacy Matters
- Ray of Sunshine
- School security
- Security Alert: Vulnerability Management
- Security management
- Security Research
- Security Surveys
- Social Engineering
- Social networks
- Virtual Currency
Weekend Patch and Vulnerability Report, January 22, 2012
Important Security Updates
Adobe Reader and Acrobat 10.1.2: Adobe has released an update to patch several highly critical vulnerabilities. For users who cannot upgrade to version X, Adobe has also released version 9.5. Updates are available through the program.
Apple iTunes 10.5.3: Apple has released an update to patch several minor issues, including security.
Current Software Versions
Adobe Flash 11.1.102.55 [Warning; see below]
Adobe Reader 10.1.2
Apple QuickTime 7.7.1
Apple Safari 5.1.2 [Warning; see below]
Google Chrome 16.0.912.75
Internet Explorer 9.0.8112.16421
Java SE 6 Update 30
Mozilla Firefox 9.0.1 [Warning; see below]
Newly Announced Unpatched Vulnerabilities
McAfee SaaS: Secunia reports a highly critical vulnerability in McAfee SaaS Endpoint Protection. No patch is available at this time.
For Your IT Department
McAfee GroupShield: Secunia reports a highly critical vulnerability in McAfee GroupShield. No patch is available at this time. The vulnerability is reported in version 7.0.716.101. Other versions may also be affected.
Oracle: US-CERT reports Oracle has released its Critical Patch Update for January 2012 to address 78 vulnerabilities across multiple products. Several of these are highly critical.
Sonicwall: Secunia reports a less-critical vulnerability in Sonicwall AntiSpam & EMail security. The vulnerability is reported in version 7.3.1 and 7.3.4.5725. Other versions may also be affected. No patch is available at this time.
Important Unpatched Vulnerabilities
ACDSee Photo: Several highly critical vulnerabilities have been identified in various ACDSee photo products. Vulnerabilities have been identified in FotoSlate, Photo Editor 2008, and Picture Frame Manager. No patches are available at this time. Readers should refrain from using ACDSee to open untrusted files. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 12. We alerted readers to a second vulnerability in FotoSlate in Weekend Vulnerability and Patch Report, September 18.
ACD Systems Canvas CorelDRAW: A highly critical vulnerability has been found in ACD Systems Canvas which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files. Readers should refrain from opening untrusted files in ACD Systems Canvas. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31.
Adobe Flash: The highly critical vulnerability we reported in Weekend Vulnerability and Patch Report, December 11 remains unpatched. We recommend users disable the Flash player in their browsers.
Android Browser: Secunia reports a vulnerability in the Android browser that can be exploited to trick a user into believing he is connected to a trusted site by including the trusted site in an iframe. The vulnerability is confirmed in Browser version 2.3.3 included in Android version 2.3.3 and Browser version 3.2 included in Android version 3.2. Other versions may also be affected. Users are cautioned to not rely on displayed certificate information. We first alerted readers to a this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.
Apple Safari: Secunia reports a non-critical unpatched vulnerability in Safari 5.1.2. Other versions may also be affected. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.
HTC Mobile Devices: The security vulnerability in the default Twitter application (Peep) in HTC products remain unpatched. Readers should refrain from using the default Twitter application (Peep). We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11.
HTC Touch2: The highly critical 0-day vulnerability in the HTC Touch2 VideoPlayer remains unpatched. Users are advised to not open files from untrusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 18, 2011.
Microsoft Windows: Secunia reports a highly critical unpatched vulnerability in Windows 7 Professional 64-bit. Other versions may also be affected. We first alerted readers to a this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.
Microsoft Windows XP: A less-critical security vulnerability has been found in Windows XP which can be exploited by malicious, local users to disclose potentially sensitive information or cause a DoS (Denial of Service). No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 7.
Microsoft Word: A highly critical vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. Readers should refrain from opening untrusted files in these earlier versions of Word. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19.
Microsoft Office for Mac: A highly critical vulnerability has been discovered in Microsoft Office for the Mac which can be exploited by cyber criminals to take control of a user’s computer. Security updates are currently unavailable. Readers should refrain from opening untrusted files in Office. We first alerted readers to this vulnerability in Weekend Vulnerability & Patch Report, May 13, 2011.
Microsoft Reader: The highly critical vulnerability in Microsoft Reader, versions 2.x, remains unpatched. Readers should refrain from opening untrusted files in Reader. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15.
Mozilla Firefox: Secunia reports a less critical vulnerability in Mozilla Firefox. The vulnerability is confirmed in Mozilla 9.0.1. Other versions may also be affected. No patch is available at this time. Users should exercise extra caution on untrusted websites.
PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. Readers should refrain from opening untrusted files in PDF-Pro. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4.
Photoshop Elements: Adobe versions 1 – 8 contain a highly critical unpatched vulnerability. The vulnerability is confirmed in version 8.0 20090905.r.605812 and Adobe reports that the vulnerability affects versions 8.0 and earlier. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, October 9, 2011.
Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31.
VLC Media Player: VLC has released an advisory regarding a highly critical unpatched vulnerability in versions 0.9.0 through 1.1.12. VLC has announced that media player 1.1.13 will address the issue. We first alerted readers to a this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.
If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.
If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Cyber Security News of the Week, January 22, 2012
News of the Week Summary – Cybergeddon?
Zappo’s reported that it had been hacked, exposing the personal information of 24 million customers. Anonymous brought down the Justice Department’s website and several websites associated with the entertainment industry in response to the Feds bringing down MegaUpload, a large pirate site. America’s critical infrastructure, including water and power, as well as our manufacturing base was put at greater risk with the public release of exploits that target vulnerabilities in industrial control systems. Cyber criminals are targeting our children by installing malicious software (malware) on popular child-focused sites. Israel, Palestine and hacktivists in Saudi Arabia seem locked in cyber war. Adding insult to injury, security vendor McAfee was caught with it’s pants down as a vulnerability in one of its products allowed cyber criminals to send spam from supposedly protected PCs.
The New York Times reports again on how difficult it is even for large companies to protect their sensitive information while PC World once again documents several challenges every organization faces in securing information outside the corporate perimeter, whether in the Cloud, in employee’s homes, on laptops, on iPads and other tablets, etc. Meanwhile bank regulators are pushing financial institutions to do more to protect their customers from online bank fraud.
Want to know how cyber crime might impact your organization? Want to better understand your exposure to cyber crime? We encourage you to contact us.
Threats and Warnings
Email, Personal Information on PlayBook Left Vulnerable to Hackers: Research in Motion may have improved its overall experience on the PlayBook with its recent update, but security researchers recently revealed that the device leaves corporate email and user information open to potential hackers. Researchers Zach Lenier and Ben Nell of Intrepidus Group uncovered a vulnerability in the PlayBook’s Bridge application that leaves the authentication token for the Bridge application somewhere anyone could dig it up. PCWorld, January 17, 2012
Cyber Crime
Hackers Steal $6.7 Million in Cyber Bank Robbery: The first major cybercrime of 2012 has taken place in South Africa, with hackers made off with about $6.7 million from Postbank, which is state-owned and part of the South African post office. PCWorld, January 18, 2012
Zappos hacked, 24 million accounts accessed: NEW YORK (CNNMoney) — Online shoe store Zappos has been hacked, exposing the names, e-mail addresses, addresses, phone numbers and partial credit card numbers of its 24 million customers, the company said late Sunday night. CNN, January 16, 2012
Internet Badlands
Megaupload Founder Kim Dotcom, By the Numbers: When news of the international raid on Megaupload broke Thursday in the U.S., Internet aficionados got a glimpse at the man behind of the largest file-sharing websites in the world. And it turns out the site’s founder, Kim Dotcom, was rich, large, and most certainly in charge. He currently sits in a New Zealand prison awaiting trial, while we attempt to dissect the man who (formerly) controlled the online media empire. Time, January 21, 2012
Megaupload Execs Had Thing For Bling, Indictment Shows: The Justice Department Thursday unsealed an indictment in Virginia charging seven executives at file-sharing site Megaupload.com with copyright violations, racketeering, and money laundering. Four of the people charged, including 37-year-old Megaupload CEO and founder Kim Dotcom (aka Kim Tim Jim Vestor, aka Kim Schmitz), were arrested by New Zealand authorities, while the others remain at large. InformationWeek, January 20, 2012
Anonymous tricked people into joining Web site attacks: If you clicked a link distributed by Anonymous yesterday, you may have unwittingly helped the online activists in their attacks against U.S. government and entertainment industry sites that were organized to protest proposed antipiracy legislation. Cnet, January 20, 2012
New Report Shows Malware ‘Sleeps’ on Computer for Average of 8 Months, Collecting Data: In a new investigative report from Daily Safety Check ™, the average time before ‘activation’ of malware before committing cyber crimes – such as bank transfers, fraud and information theft – is 8 months. SFGate, January 18, 2012
Facebook exposes hackers behind Koobface worm: As expected, Facebook today started to release information about the Koobface worm (its name is an anagram of “Facebook”) and those behind it. The update comes almost a year since Facebook’s last post about the infamous piece of malware. After more than three years and numerous hours of working closely with industry leaders, the security community, and law enforcement, Facebook has announced its social network has been free of the virus for over nine months. ZDNet, January 17, 2012
Web Gang Operating in the Open: Five men believed to be responsible for spreading a notorious computer worm on Facebook and other social networks — and pocketing several million dollars from online schemes — are hiding in plain sight in St. Petersburg, Russia, according to investigators at Facebook and several independent computer security researchers. The New York Times, January 16, 2012
Cyber Security Management
Clamor for Cloud Apps Increases Corporate Data Breach Risk: Employees bringing in their own devices and choosing their own application services is significantly increasing the risk to enterprise data. PC World, January 17, 2012
Regulators push banks to improve online security: According to a report in the New York Times , the Federal Deposit Insurance Corporation wants financial institutions to add a new security layer that detects unusual patterns of online activity — such as a volley of transfers to an account in Russia — in real time, starting this month. However, the Financial Times reported that a poll by a bank technology firm in November suggested that 40 percent of banks weren’t even aware that regulators want them to adopt new measures. Atm Marketplace, January 17, 2012
Even Big Companies Cannot Protect Their Data: Barbara Scott just hit the trifecta of computer security breaches. Since the New Year, Ms. Scott has been a victim of three separate cyberattacks. Two weeks ago, the online auction site eBay said in an e-mail to her that there had been suspicious activity on her account. On Monday, she received an e-mail from Zappos and another from 6PM, two online shoe retailers owned by Amazon. Both messages alerted her that — once again — her information had been compromised. The New York Times, January 17, 2012
Kids and Families Cyber Security
Hackers Target Children as Adults Wise Up to Spam: Hackers are targeting websites aimed at children, by embedding malicious software in free gaming sites, praying on the young as adults grow wise to their strategies. Forbes, January 19, 2012
Hackers spread malware via children’s gaming websites: Hackers are increasingly targeting child-focused gaming websites, according to a leading anti-virus firm. BBC, January 16, 2012
Hactivism
‘Anonymous’ hackers attack Brazilian websites: RIO DE JANEIRO — The computer hacker group Anonymous attacked websites of Brazil’s federal district Saturday as well as one belonging to a Brazilian singer to protest the forced closure of Megaupload.com. AFP, January 21, 2012
Hackers disrupt websites of Israel’s stock exchange, national air carrier: JERUSALEM — A hacker network that claims to be based in Saudi Arabia paralyzed the websites of Israel’s stock exchange and national airline on Monday, escalating an international cyber war that has jolted this security-obsessed country. The Washington Post, January 16, 2012
Critical Infrastructure Security
Hoping to Teach a Lesson, Researchers Release Exploits for Critical Infrastructure Software: MIAMI, Florida — A group of researchers has discovered serious security holes in six top industrial control systems used in critical infrastructure and manufacturing facilities and, thanks to exploit modules they released on Thursday, have also made it easy for hackers to attack the systems before they’re patched or taken offline. Wired, January 19, 2012
Cyber War – The Middle East
Israel in the frame after rapid rise in cybercrime: There has been a huge and sudden rise in online attacks in the region that seem to originate in Israel, a major anti-virus company warns. The National, January 22, 2012
Israeli and Palestinian hackers trade DDoS attacks in rising cyber-gang war: Pro-Palestinian and pro-Israeli hackers are waging a cyber street-fight in a tit-for-tat exchange of posturing, threats of mass credit card exposures, and denial-of-service attacks. As Hamas has egged on hackers in recent weeks, promoting more “hacktivist” attacks against Israeli targets, pro-Israel hackers have responded in kind, today taking down the websites of stock exchanges in Saudi Arabia and the United Arab Emirates. Both sites appear to be back online. ars technica, January 17, 2012
Cyber Irony
PSA: McAfee computer security patches flaw: are you fixed?: Earlier this week, the McAfee group began sending out a fix to stopper up a flaw which turned their protection service into a hijacked spam festival. The flaw, they say, was allowing hackers to attach themselves to your computer specifically and shoot spam throughout your machine – hijacking that which was supposed to be protected using a flaw in the system that was supposed to be doing the protecting. The exploit was reported earlier this week by two customers who were taken aback by the flaw earlier this week, McAfee responding with a fix now here at the end of it. SlashGear, January 20, 2012
Ray of Sunshine
Alleged Muscovite cybercrime daddy hauled in to face US court: A suspected Russian cyber-crook has arrived in the US to face charges of security fraud, computer hacking and ID theft following his deportation from Switzerland. The Register, January 18, 2012
Cybergeddon?
Three stories from today’s cyber security news.
“U.S. shuts Megaupload.com, hackers retaliate.”
“Anonymous Claims DOJ, RIAA, MPAA Sites Hit for Megaupload Bust.”
The “distributed denial of service” (ddos) attacks by hacktivists on FBI, Justice Department and entertainment industry websites suggests that the battle to protect intellectual property on the Internet has taken a new and ugly turn. Cybergeddon?
Left unnoticed may be the most ominous of headlines as it makes the tools of cyber terrorism available to anyone with a grudge against America: “Hoping to Teach a Lesson, Researchers Release Exploits for Critical Infrastructure Software.” Cybergeddon?
The world changed today and with it the need to prepare for a new and more dangerous round of cyber attacks. It’s more important than ever to follow the advice I learned years ago as a Boy Scout: “Be Prepared.”
Weekend Patch and Vulnerability Report, January 15, 2012
Important Security Updates
Microsoft Windows Media Player: Microsoft has released patches for several highly critical vulnerabilities. Updates are available through the update feature of the Windows control panel.
HP LaserJet P3015: HP has released version 07.080.3 to patch a less critical vulnerability. The update is available from HP’s website.
Yahoo Messenger: Yahoo has released version 11.5.0.155 to patch a moderately critical vulnerability. The update is available through the program.
Current Software Versions
Adobe Flash: The current version is 11.1.102.55 [Warning; see below]
Adobe Reader:The current version is 10.1.2 [Warning; see below]
Apple QuickTime: The current version is 7.7.1
Apple Safari: The current version is 5.1.2 (7534.52.7) [Warning; see below]
Google Chrome: The current version is 16.0.912.75
Internet Explorer: The current version is IE9.0.8112.16421
Java: The current version is SE 6 Update 30
Mozilla Firefox: The current version is 9.0.1 [Warning; see below]
Newly Announced Unpatched Vulnerabilities
Mozilla Firefox: Secunia reports a less critical vulnerability in Mozilla Firefox. The vulnerability is confirmed in Mozilla 9.0.1. Other versions may also be affected. No patch is available at this time. Users should exercise extra caution on untrusted websites.
For Your IT Department
None
Important Unpatched Vulnerabilities
ACDSee Photo: Several highly critical vulnerabilities have been identified in various ACDSee photo products. Vulnerabilities have been identified in FotoSlate, Photo Editor 2008, and Picture Frame Manager. No patches are available at this time. Readers should refrain from using ACDSee to open untrusted files. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 12. We alerted readers to a second vulnerability in FotoSlate in Weekend Vulnerability and Patch Report, September 18.
ACD Systems Canvas CorelDRAW: A highly critical vulnerability has been found in ACD Systems Canvas which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files. Readers should refrain from opening untrusted files in ACD Systems Canvas. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31.
Adobe Flash: The highly critical vulnerability we reported in Weekend Vulnerability and Patch Report, December 11 remains unpatched. We recommend users disable the Flash player in their browsers.
Adobe Reader and Acrobat: Adobe continues to be struggling with various vulnerabilities within Reader and Acrobat. Update to version 9.5 or 10.1.2 for the latest versions, Macintosh or Windows, respectively. Users may also want to consider alternative PDF readers such as Foxit, PDF-Xchange Viewer or Nitro PDF.
Android Browser: Secunia reports a vulnerability in the Android browser that can be exploited to trick a user into believing he is connected to a trusted site by including the trusted site in an iframe. The vulnerability is confirmed in Browser version 2.3.3 included in Android version 2.3.3 and Browser version 3.2 included in Android version 3.2. Other versions may also be affected. Users are cautioned to not rely on displayed certificate information. We first alerted readers to a this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.
Apple Safari: Secunia reports a non-critical unpatched vulnerability in Safari 5.1.2. Other versions may also be affected.
Firefox version 7 and Thunderbird version 7: As we reported in Weekend Vulnerability and Patch Report, November 13, 2011, multiple unpatched security vulnerabilities, several of them highly critical, have been reported in version 7 of Firefox and Mozilla. Mozilla recommends users upgrade to version 8.
HTC Mobile Devices: The security vulnerability in the default Twitter application (Peep) in HTC products remain unpatched. Readers should refrain from using the default Twitter application (Peep). We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, February 11.
HTC Touch2: The highly critical 0-day vulnerability in the HTC Touch2 VideoPlayer remains unpatched. Users are advised to not open files from untrusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, December 18, 2011.
Microsoft Windows: Secunia reports a highly critical unpatched vulnerability in Windows 7 Professional 64-bit. Other versions may also be affected. We first alerted readers to a this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.
Microsoft Office Publisher 2007: A moderately critical vulnerability has been reported in Microsoft Office Publisher. No patch is available at this time. Readers are advised to not use content from untrusted sources. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, October 23, 2011.
Microsoft Windows XP: A less-critical security vulnerability has been found in Windows XP which can be exploited by malicious, local users to disclose potentially sensitive information or cause a DoS (Denial of Service). No patch is available at this time. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, August 7.
Microsoft Word: A highly critical vulnerability has been found in Microsoft Word XP and 2002. No patch is available at this time. Readers should refrain from opening untrusted files in these earlier versions of Word. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, June 19.
Microsoft Office for Mac: A highly critical vulnerability has been discovered in Microsoft Office for the Mac which can be exploited by cyber criminals to take control of a user’s computer. Security updates are currently unavailable. Readers should refrain from opening untrusted files in Office. We first alerted readers to this vulnerability in Weekend Vulnerability & Patch Report, May 13, 2011.
Microsoft Reader: The highly critical vulnerability in Microsoft Reader, versions 2.x, remains unpatched. Readers should refrain from opening untrusted files in Reader. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, April 15.
Multiple Browser Vulnerabilities: The non-critical vulnerability we reported in Weekend Vulnerability and Patch Report, December 11 remains unpatched. Affected web browsers include Internet Explorer, Opera, Google Chrome and Firefox. We have no information at this time whether other browsers are affected. The vulnerability can be exploited by a malicious website to enumerate other sites visited by the user. Users may want to enable”Private Browsing” when visiting untrusted websites.
PDF-Pro: Several highly critical vulnerabilities in PDF-Pro, a popular alternative to Adobe Acrobat, remain unpatched. Readers should refrain from opening untrusted files in PDF-Pro. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, March 4.
Photoshop Elements: Adobe versions 1 – 8 contain a highly critical unpatched vulnerability. The vulnerability is confirmed in version 8.0 20090905.r.605812 and Adobe reports that the vulnerability affects versions 8.0 and earlier. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, October 9, 2011.
Quick View Plus CorelDRAW: A highly critical vulnerability has been found in Quick View Plus which can be exploited by malicious people to compromise a user’s system. Users should not view untrusted CDR files in Quick View Plus. We first alerted readers to this vulnerability in Weekend Vulnerability and Patch Report, July 31.
VLC Media Player: VLC has released an advisory regarding a highly critical unpatched vulnerability in versions 0.9.0 through 1.1.12. VLC has announced that media player 1.1.13 will address the issue. We first alerted readers to a this vulnerability in Weekend Vulnerability and Patch Report, December 25, 2011.
If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.
If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Cyber Security News of the Week, January 15, 2012
Cyber Security Story of the Week – When Will US Companies Learn?
Defenses Against Hackers Are Like the ‘Maginot Line,’ NSA Chief Says: U.S. companies still aren’t taking the threat of computer attacks seriously enough, despite a recent string of high-profile security failures, top government cybersecurity officials said this week. The Wall Street Journal, January 13, 2012
Information at Risk
Viruses stole City College of S.F. data for years: Personal banking information and other data from perhaps tens of thousands of students, faculty and administrators at City College of San Francisco have been stolen in what is being called “an infestation” of computer viruses with origins in criminal networks in Russia, China and other countries, The Chronicle has learned. SFGate, San Francisco Chronicle, January 13, 2012
Tax Department computer glitch inadvertently displayed Social Security numbers: The Vermont Department of Taxes (VDT) inadvertently displayed personal data from a weekly batch of Property Transfer Tax Returns for less than two hours on a vendor portion of its website on January 9th. A computer error began a process that resulted in an extra field added to a routine public report. The social security numbers of 1,332 individuals and the Federal Employee Identification Number of 245 businesses were involved. VTDigger, January 10, 2012
DuPont, Makhteshim, Kodak, News Corp: Intellectual Property: China-based hackers rifled the computers of DuPont Co. at least twice in 2009 and 2010, hunting for technological secrets that made the company one of the world’s most successful chemical makers. Bloomberg, January 11, 2012
Internet Badlands
FBI Warns of Malware Phishing Scam: So long as people click on unsolicited attachments in e-mail, scammers will invent new ways to take their money, identities and more. The FBI last week issued a warning on one such new Internet blight called “Gameover,” which, once ensconced on your PC, can steal usernames and passwords and defeat common methods of user authentication employed by financial institutions. PC World, January 8, 2012
Malicious Software Attacks Security Cards Used by Pentagon: Chinese hackers have deployed a new cyber weapon that is aimed at the Defense Department, the Department of Homeland Security, the State Department and potentially a number of other United States government agencies and businesses, security researchers say. The New York Times, January 12, 2012
Phishing Campaign Using Spoofed US-CERT Email Addresses: On January 10, 2012, US-CERT received reports of a phishing campaign that is spoofing US-CERT email to deliver a variant of the Zeus/Zbot Trojan known as Ice-IX. This campaign appears to be targeting a large number of private sector organizations as well as federal, state and local governments. US-CERT, January 12, 2012
Cyber Security Management
Lawsuit Claims Symantec “Scareware” Warns Of Fake Threats To Sell Upgrades: Security firms often warn users about “scareware”: malicious software that performs fake antivirus scans and then demands the user pay for a cleanup. Now a lawsuit claims that the world’s top antivirus firm, Symantec, is itself a scareware scammer. Forbes, January 11, 2012
Hack Attacks Now Leading Cause Of Data Breaches: The majority of data breaches stem from hack attacks, followed by data that’s lost while physically in transit. That’s according to a forthcoming study from the Identity Theft Resource Center (ITRC), which assessed all known information relating to the 419 breaches that were publicly disclosed in the United States in 2011. A copy of the report was provided to InformationWeek in advance of its release. InformationWeek, January 12, 2012
Hacking of DuPont computers won’t go unreported anymore: China-based hackers rifled the computers of DuPont Co. at least twice in 2009 and 2010, hunting the technological secrets that made the company one of the world’s most successful chemical makers. DelawareOnline, January 14, 2012
Cyber Security Management – Online Bank Fraud
Banks Unite to Battle Online Theft: Rising cybersecurity threats are pushing big banks to do something that doesn’t come naturally for these secrecy-steeped institutions: share information with one another. The Wall Street Journal, January 10, 2012
Legal Actions – PCI Dispute
Rare Legal Fight Takes On Credit Card Company Security Standards and Fines: A small celebrity-friendly restaurant in Utah is finally doing what many merchants have only dreamed of doing for a long time — taking on a part of the payment card industry’s powerful but flawed system for securing card data by fining merchants for failing to secure their data. Wired, January 11, 2012
Park City Eatery Balks at Credit Card Fines in Rare Court Fight: Stephen and Cissy McComb say they managed their Italian eatery in Park City, Utah, for more than two decades without running afoul of security rules of Visa Inc. and MasterCard Inc. — until they were accused of mishandling data and opening the door to $1.26 million in fraud. SFGate, San Francisco Chronicle, January 9, 2012
National Cyber Security
Israel warns against computer-hacker vigilantism: Israel Thursday called on computer hackers not to take the law into their own hands to avenge attacks on Israeli credit card companies, and said the authorities were capable of countering all cyber threats. Reuters, January 12, 2012
DISA OKs secure Android mobile system for DOD: The Defense Information Systems Agency has certified a secure Android-based mobile system for use by Defense Department agencies. The system allows DOD personnel to sign, encrypt and decrypt e-mail, and securely access data from a smart phone or tablet computer. GCN, January 5, 2012
Israeli, Saudi Hacker Battle Escalates: A war of words and website hacks is escalating in Israel over the purported hack of credit card data by a hacker from Saudi Arabia. InformationWeek, January 11, 2012
Cyber crime a major risk to stability, warns WEF: The survey, which points to a bleak outlook just two weeks before the start of the WEF’s annual meeting in Davos, warns that although the “impacts of crime, terrorism and war in the virtual world have yet to equal that of the physical world but there is a fear that this could change.” The Telegraph, January 11, 2012
Shifting Priorities: Investing in Cybersecurity: Cyber-based threats against information infrastructures in the United States have generated an increasing concern for national security. Understanding these real threats against our nation enforces the need for a shift in prioritization and funding to address any future cyber security threats in all capacities. Partnership in a Secure America, January 13, 2012
Ray of Sunshine
NJ ringleader of ID theft, fraud ploy admits guilt: The leader of an identity theft and fraud ring has pleaded guilty in a scheme that federal authorities said operated as a veritable “crime superstore” that reached from northern New Jersey to U.S. territories in the Pacific. Newsday, January 10, 2012