Friday, October 29, 2010

Weekend Vulnerability and Patch Report, October 29, 2010

Adobe Shockwave Update: Adobe has released a critical update for its shockwave player. The shockwave patch plugs 11 different security holes affecting both Windows and Mac computers. Readers should update to the newest Adobe Shockwave Player.

Adobe Advisory for Flash Player, Acrobat Reader and Acrobat: Adobe has issued a security advisory that a new 0-day vulnerability has been found affecting all these products. The vulnerability affects these Adobe products on Windows, Mac and other operating systems. Readers are urged to be cautious until Adobe issues a patch for this vulnerability. We will alert readers to the patch when it is released.

Facebook Users Under Attack: According to KrebsOnSecurity.com, Facebook users running Mac OS X are being attacked by a new version of the Koobface worm. The attack uses a malicious Java applet. In order for the attack to succeed the user must OK a prompt to download and install the malicious software. Readers are urged to be cautious in allowing Facebook applets to run. Readers should also make sure they have the latest version of Java running on their Mac.

Firefox Update: Firefox has been updated to version 3.6.12. The program and its predecessor 3.6.11 (also released this week) fix 10 security vulnerabilities, many critical. Readers should update to the newest version.

If you are responsible for keeping your computer secure, this is for you. If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that "exploit" vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they will issue an update patch to fix the code running in their customers' computers.

The Weekend Vulnerability and Patch Report is intended to raise user awareness to cyber security challenges by alerting them to some of the week's important vulnerability news and updates.
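A reader who keeps more than one computer patched needs a quick way to compare what is installed against the minimum versions a report like this one names. The script below is an added example, not Citadel's code: it parses dotted version strings numerically (so 3.6.12 ranks above 3.6.9, which a plain string comparison gets wrong), treats pre-release builds of the fixed version as not yet patched, and audits a constructed sample inventory. Only Firefox 3.6.12 is given a number on this page, so the Shockwave minimum is a labelled placeholder.

```python
"""Check an inventory of installed program versions against the minimum
patched versions named in a patch report. Added example, not Citadel's code;
the inventory rows are constructed sample data."""
import re
from typing import List, Tuple

def parse_version(text: str) -> Tuple[List[int], str]:
    """Split '3.6.12' into ([3, 6, 12], '') and '3.6.12b1' into ([3, 6, 12], 'b1').
    Components are integers, so 3.6.12 correctly ranks above 3.6.9; a plain
    string comparison would put '3.6.12' before '3.6.9'."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)\s*(.*?)\s*$", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return [int(p) for p in m.group(1).split(".")], m.group(2)

def is_patched(installed: str, minimum: str) -> bool:
    """True when the installed version is at or above the minimum fixed version."""
    inst, inst_tag = parse_version(installed)
    need, need_tag = parse_version(minimum)
    width = max(len(inst), len(need))
    inst = inst + [0] * (width - len(inst))   # 3.6 compares as 3.6.0
    need = need + [0] * (width - len(need))
    if inst != need:
        return inst > need
    # Same numeric version: a pre-release tag on the installed copy (b1, rc2)
    # means the final fixed build is not yet in place.
    return not (inst_tag and not need_tag)

# Minimum versions from this report. Only Firefox is given a number on the page,
# so the Shockwave entry is a placeholder to be filled in from Adobe's bulletin.
MINIMUM = {
    "Firefox": "3.6.12",
    "Adobe Shockwave Player": "<version from Adobe bulletin>",
}

# Constructed sample inventory: (host, product, installed version)
INVENTORY = [
    ("front-desk", "Firefox", "3.6.9"),
    ("accounting", "Firefox", "3.6.12"),
    ("accounting", "Adobe Shockwave Player", "11.5.9.615"),
    ("front-desk", "Java", "1.6.0_21"),
]

def audit(inventory=INVENTORY, minimum=MINIMUM) -> List[Tuple[str, str, str]]:
    """Return (host, product, verdict) rows. The verdict is 'ok', 'UPDATE NEEDED'
    or 'no minimum known' (product absent from the report, or its minimum is a
    placeholder rather than a parseable version)."""
    results = []
    for host, product, version in inventory:
        floor = minimum.get(product)
        if floor is None:
            verdict = "no minimum known"
        else:
            try:
                verdict = "ok" if is_patched(version, floor) else "UPDATE NEEDED"
            except ValueError:   # placeholder or unparseable version string
                verdict = "no minimum known"
        results.append((host, product, verdict))
    return results

if __name__ == "__main__":
    for row in audit():
        print("%-12s %-24s %s" % row)
```

The "no minimum known" verdict is deliberate: a product the report does not cover, or a placeholder minimum, should show up as unknown rather than silently pass as "ok".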
© Copyright 2010. Citadel Information Group. All Rights Reserved.

Friday, October 22, 2010

Weekend Patch Report, Oct 22, 2010

RealPlayer: RealPlayer has released a product upgrade that fixes several critical vulnerabilities. The latest versions are available here. (October 20)

Microsoft Windows & Office: This month's Patch Tuesday fixed a record 49 security holes. Always install Microsoft patches. Home computers should have automatic updates turned on. All other things being equal so should business computers, except sometimes the IT department has to manage these updates differently. (October 12)

Java: This is a critical update. Microsoft has issued a warning that it is seeing a huge increase in attacks against security vulnerabilities in Java. When you are on the Internet, Java is running. Make sure to install this update. (October 12)

Adobe Reader & Acrobat: This critical update plugs at least 23 holes in the Adobe PDF Reader and Acrobat software, including two vulnerabilities that are being actively exploited by cyber criminals. Update your program while running it. "Check for Updates" is on the drop-down list under "Help." (Oct 5)

If you are responsible for keeping your computer secure, this is for you. If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Patch Report to them and following up to make sure your computer has been patched.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that "exploit" vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). Just like DNA, every program has hidden flaws, or vulnerabilities, in its code. When software companies find a vulnerability, they will issue an update patch to fix the code running in their customers' computers.

It is the user's responsibility to make sure update patches are installed. Home users usually have to do this themselves. Users working in offices may have IT staff to do this for them, but even here, Citadel recommends strongly that users take the initiative to check that updates are being installed on their computers.

The Weekend Patch report is intended to raise user awareness to the challenges of vulnerability management by alerting them to some of the week's important update patches. We do this to help users get the knowledge they need to take the necessary initiative in making sure the security of their computers is being effectively managed.

Wednesday, October 20, 2010

Internet Teleconferencing: A Security Concern?

A colleague asked me whether he should be concerned about the security of teleconferencing websites, like Webex and GoToMeeting. [We regularly use both Webex and GoToMeeting.]

My colleague is right to be concerned as there are several “vulnerability points” in Internet teleconferencing, particularly when video, voice and (potentially sensitive) data is being passed around the internet. [As a sidebar: I designed the security test plan in the mid-1980s on a White House project to provide highly secure emergency teleconferencing between the White House, several cabinet secretaries, and various DoD components.]

First, the good news: I asked my friend and technology expert, Jason Lidow, President of The DigiTrust Group, if they were seeing attacks coming through teleconferencing sites and he said no. Jason’s got a very sensitive pulse on cyber attacks so if he says he’s not seeing them, there’s a pretty good bet that they aren’t there in any meaningful amount. Far better to spend scarce cyber security dollars managing the stuff that’s here and now.

That said, there are a few basics that everyone should always pay attention to given the fact that all of the information being communicated is being sent out over the Internet. The Internet is like the roads in the early west; robbers might be found behind any rock. That’s why the basic foundational principle of cyber security is “Assume nothing is secure if you aren’t actively managing it or assessing it. And even then, be cautious.”

So starting from the perspective of never taking security for granted, here’s a few of the things I would pay attention to when considering a teleconferencing provider:

1. Is all teleconferencing encrypted in transmission? Does the URL begin with https://? This is what keeps communications private during the time the bits are traveling around the Internet. Encryption protects the communication from the cyber equivalent of wire tapping. If the answer to this question is “No,” then find another solution. If all you’re doing is videoconferencing, with no PowerPoints or QuickBooks reports or other data being transmitted, then a “yes” answer here is most likely good enough [unless you need to talk securely to the Fed].

2. What communications (data, video, voice) are being passed through the server? (The less the better.) Are communications being stored on teleconference servers? A “No” answer is better than a “Yes” answer. All other things being equal, I’d select the company that is able to meet your teleconferencing needs without getting its servers involved over the company whose servers process and, perhaps, store your sensitive information. I’d pay attention to this but I wouldn’t sweat it.

3. The third thing I’d pay attention to is more dangerous, more subtle, and more strategic, which also makes it more important. This, I sweat over. Here’s the situation: In order for you to show a PowerPoint from your computer to a person or persons at other computers (whether in the building next door or halfway around the world), a software program on your computer must take your PowerPoint, send it out of your computer over the Internet, directing that PowerPoint to the other participants in the teleconference.

For a few technical reasons, it’s not prudent to assume that the software program doing all this teleconferencing work is behaving properly; it’s far more prudent to assume that the software is capable of behaving maliciously, stealing your information or even taking over your PC.

This risk is a generic one affecting every program on your computer. [Sidebar: Every modern complex computer program has software vulnerabilities. This fact is a consequence of (i) the mathematical complexity of computer programming and (ii) the economics of software engineering.] Cybercriminals exploit these vulnerabilities to attack computers on which the program is running. Standard anti-virus and anti-malware solutions manage a piece of the problem. So does patching, keeping software up-to-date with updates that fix known vulnerabilities. An emerging class of solutions in this space—replacing increasingly ineffective anti-virus and anti-spyware software—are called “host intrusion prevention systems.” These systems are capable of actually recognizing a cyber attack and blocking it, something anti-virus/anti-spyware solutions can’t do. Several of our clients have installed professionally-managed host intrusion prevention systems as these have become increasingly affordable to small and medium-sized businesses.

The second piece of managing this risk is to prefer—again all other things being equal—software from well known reputable companies with a history of taking security seriously and a positive leadership position in the industry.

That’s why we use Cisco’s Webex for our teleconferencing. It is a little more expensive but I feel I know what I’m getting, I know the seriousness with which Cisco takes security and the security talent they possess, and I’m confident that they’ll be there should something go wrong. I’ve never heard of tukbox, the program my colleague asked about, so can render no opinion.

One more thing to wrap-up this perhaps overly-long post. It’s important not to neglect the “human side” of security. Everybody needs to think about what they say or put on a PowerPoint; even what’s visible over the camera over someone’s shoulder. Ask yourselves questions like “What can we do to minimize the amount of sensitive data being sent over the Internet?” One strategy, for example, would be for voice communications to take place over regular land lines or a totally separate secure digital line. With this strategy, participants all agree that the ‘really sensitive information’ is to be talked about but not shown on shared PowerPoints, etc.

This is the most important strategic recommendation: That everyone keep thinking about cyber security.
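Items 1 and 2 of the checklist above can be turned into a repeatable check before a provider is adopted. The script below is an added example, not part of the original post and not any provider's code; every hostname in it is a constructed placeholder. It classifies the meeting URL by scheme (the “does it begin with https://” test, made case-insensitive and aware that a bare hostname defaults to cleartext), scans the meeting page for http:// resources that would leak part of an otherwise encrypted session, and, when network access is available, completes a verified TLS handshake to report what was actually negotiated.

```python
"""Transport checks for a teleconferencing provider: is the session carried
over https, and does the hosting page avoid pulling cleartext http resources.
Added example, not Citadel's or any provider's code. Hostnames such as
meet.example and cdn.example are constructed placeholders."""
import re
import socket
import ssl
from typing import Dict, List
from urllib.parse import urlparse

def transport_status(url: str) -> str:
    """Classify a provider URL by scheme: 'encrypted', 'cleartext' or 'unknown'.
    A bare host with no scheme is 'unknown' because a browser would default it
    to http://, and any scheme other than http/https is left for a human."""
    parts = urlparse(url.strip())
    scheme = parts.scheme.lower()
    if not parts.netloc:
        return "unknown"
    if scheme == "https":
        return "encrypted"
    if scheme == "http":
        return "cleartext"
    return "unknown"

# http:// targets of src/href/action attributes; 'https://' does not match
# because the character after 'http' is 's', not ':'.
CLEARTEXT_REF = re.compile(
    r"""(?:src|href|action)\s*=\s*["']?(http://[^"'\s>]+)""", re.IGNORECASE)

def cleartext_references(html: str) -> List[str]:
    """Return http:// URLs a page loads or submits to. A meeting page reached
    over https that embeds such resources still exposes part of the session
    (the 'mixed content' case)."""
    return CLEARTEXT_REF.findall(html)

def verify_tls(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, object]:
    """Complete a TLS handshake with chain and hostname verification and report
    what was negotiated; raises ssl.SSLError on a bad certificate. Needs network
    access, so the offline checks below do not call it."""
    ctx = ssl.create_default_context()   # verifies chain and hostname by default
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(x[0] for x in cert.get("subject", ())),
                "expires": cert.get("notAfter"),
            }

def assess(url: str, page_html: str = "") -> Dict[str, object]:
    """Combine the offline checks into one verdict for a provider URL."""
    status = transport_status(url)
    mixed = cleartext_references(page_html) if status == "encrypted" else []
    return {"url": url, "transport": status, "cleartext_refs": mixed,
            "acceptable": status == "encrypted" and not mixed}

# Constructed sample meeting page: served over https, but it embeds an http
# player and posts a login form to an http address.
SAMPLE_PAGE = """
<html><body>
<script src="https://meet.example/static/client.js"></script>
<iframe src="http://cdn.example/player.swf"></iframe>
<form action='http://meet.example/login'>
<a href="https://meet.example/help">help</a>
</body></html>
"""

if __name__ == "__main__":
    for u in ("https://meet.example/join/123",
              "http://meet.example/join/123",
              "meet.example"):
        print(assess(u, SAMPLE_PAGE))
```

A “yes” from `transport_status` alone is the checklist's minimum bar; the mixed-content scan and the verified handshake are what distinguish “the address bar says https” from “everything in the session actually travels encrypted to the party named in the certificate”.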

Tuesday, October 5, 2010

Critical Security Updates Available for Adobe Acrobat/Reader

Adobe has announced that critical updates are now available for the Adobe Acrobat/Reader vulnerabilities we described in our blog post of September 8: Cybercriminals Exploit New 0-Day Adobe Acrobat/Reader Vulnerability.

We strongly recommend that users immediately update their Adobe Acrobat and Reader programs. To do so, open the Adobe Acrobat or Adobe Reader program, click on 'Help' and then 'Check for Updates.'

Monday, October 4, 2010

Hackers Steal $600,000 from Brigantine, NJ

KrebsOnSecurity.com reports that "organized cyber thieves took roughly $600,000 from the coastal city of Brigantine, New Jersey this week after stealing the city’s online banking credentials. ... Brigantine City officials said the incident began sometime before 6 p.m. on September 28th, when TD Bank notified city finance officers that multiple wire transfers had been made from its accounts. Brigantine Police’s Lt. James Bennett said in a written statement:
“Unknown person(s) had apparently obtained a user name and password for the city’s main TD Bank account when our finance personnel attempted to login (through either a fake Web page or an undetectable virus). Then several wire transfers were started with amounts ranging from a few thousand to over $300,000, for a total of about $600,000. The last update from TD Bank was that they were able to recall approximately $400,000 in transfers and were working on recalling the remainder. The investigation is being handled by the FBI, New Jersey State Police with the Brigantine Police Department and TD Bank security.”

"Go Blue" Ends D.C. Online Voting Trial

The Washington Post reports that—as part of a security test—a team of students from The University of Michigan hacked D.C.'s new Internet-based voting system. The "White Hat" hackers from Michigan compromised the system so that after a vote was cast the Web site played The University of Michigan fight song, "The Victors."

According to the Post, Jeremy Epstein, a computer scientist working with the Common Cause good-government nonprofit on online voting issues said "the fight song is a symptom of deeper vulnerabilities. ... In order to do that, they had to be able to change anything they wanted on the Web site."

Because of the hack, Paul Stenbjorn, the Board of Elections' chief technology officer said a portion of the Internet voting pilot—which was expected to be rolled out this month—is being temporarily scrapped.

The good news, of course, is that to ensure election integrity, D.C. took the opportunity to open its election web-site to community testing. That the vulnerability was found and exploited by a team of students from my Alma Mater is icing on the cake. That they rigged the system to play The Victors is the maraschino cherry on top. Go Blue!

The bad news—and one that every organization having a web site has to pay attention to—is that web sites, like software everywhere, are buggy. That's why this story is a good reminder to all organizations of the importance of effectively managing cybersecurity risk.

Friday, October 1, 2010

October is National Cybersecurity Awareness Month

October 2010 marks the seventh annual National Cybersecurity Awareness Month. This year's theme—Our Shared Responsibility—reflects two facts about cybersecurity:

1. The cybersecurity threat has become one of the most serious economic and national security challenges we face. America’s competitiveness and economic prosperity in the 21st century will depend on effective cybersecurity. Every business, not-for-profit, school, government organization and individual is at risk.

2. Every Internet user has a role to play in securing cyberspace and ensuring the safety of ourselves, our families, and our communities online.

Cybersecurity Awareness Month is sponsored by the National Cybersecurity Alliance (NCSA)—a nonprofit dedicated to fostering a culture of cybersecurity—along with the U.S. Department of Homeland Security and the Multi-State Information Sharing and Analysis Center, a cybersecurity prevention and protection collaboration for state and local governments.

As cybersecurity management consultants, Citadel Information Group is proud to join with the Los Angeles Chapter of the Information Systems Security Association, ISACA-LA, InfraGARD-Los Angeles, the LA Chapter of the Open Web Application Security Project (OWASP), and other Los Angeles information security organizations in working together to help keep our community safe from cybercrime.