Sunday, December 26, 2010

Weekend Vulnerability and Patch Report, December 24, 2010

The following software updates were released last week. Citadel strongly recommends that readers upgrade these programs on their computers.

Java Update: Sun has published an update to Java, its ubiquitous browser plug-in. The new version is Java 6, Update 23. Readers can identify their version of Java and get installation help here. Readers will want to pay attention in upgrading Java to make sure that the install does not also install other software, such as the Yahoo Toolbar. 

Important Vulnerabilities.

Microsoft Internet Explorer Vulnerability: Microsoft has warned in a security advisory that an exploit now exists for the critical security vulnerability in Internet Explorer that we wrote about last week. The exploit runs remotely over the Internet, compromising a user's system and stealing sensitive information. The vulnerability has been confirmed in all versions of Internet Explorer, including IE 7 and 8. The exploit for this vulnerability gets around two of the key security defenses built into Windows Vista and Windows 7. We suggest running the latest version of Firefox with the NoScript add-on as an alternative to IE. 

IBM Lotus Notes: Several security vulnerabilities have been identified in IBM Lotus Notes Traveler. Readers should update to version 8.5.1.3 or later. More information is available here.

Adobe Flash: Adobe Flash is a favorite of cyber criminals who seem able to regularly find critical security vulnerabilities in the program. Readers should make sure they are running the latest version of Flash. You can check your version of Adobe Flash here. 

Adobe Reader: Adobe Reader is another favorite of cyber criminals who seem able to regularly find critical security vulnerabilities in the program. Readers should make sure they are running the latest version of Reader. Readers can check for updates under "Help" in the file menu. The latest version is 10.0.0.

If you are responsible for keeping your computer secure, our weekly report is for you. We strongly urge you to take action to keep your workstation secure.
 
If someone else is responsible for keeping your computer secure, protect it by forwarding our Weekend Vulnerability and Patch Report to them and following up to make sure your computer has been patched.

Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that "exploit" vulnerabilities in operating systems (Windows, Apple OS, etc.) and application programs (Adobe Acrobat, Office, Flash, Java, etc.). When software companies find a vulnerability, they will issue an update patch to fix the code running in their customers' computers.

The Weekend Vulnerability and Patch Report is intended to raise user awareness of cyber security challenges by alerting users to some of the week's important vulnerability news and updates.
 
© Copyright 2010. Citadel Information Group. All Rights Reserved.

Sunday, December 19, 2010

Weekend Vulnerability and Patch Report, December 17, 2010

The following software updates were released last week. Citadel strongly recommends that readers upgrade these programs on their computers.

Microsoft Security Update: This month's Patch Tuesday from Microsoft contains 17 software updates plugging a total of 40 security holes. According to Microsoft, the updates include fixes for at least 7 vulnerabilities in Internet Explorer versions 6, 7 & 8, including the 0-day vulnerability we've had on our vulnerability list for the last month. Patches are available through Microsoft Update (using IE) or Automatic Update.


Google Chrome Update: Google has released Chrome 8.0.552.224 to address multiple vulnerabilities. These vulnerabilities allow a cyber criminal to take control of a user's system and steal sensitive information or cause a denial-of-service condition. Users can get the Google Chrome update here.

F-Secure Anti-Virus Products: A vulnerability has been reported in various F-Secure products which can be exploited to compromise a user's system and steal sensitive information. Updates are distributed automatically by the update system. Users should make sure they are running the latest version.

Adobe PhotoShop Update: A critical vulnerability has been discovered in Adobe PhotoShop. A cyber criminal can exploit the vulnerability to take control of a user's system and steal sensitive information. The vulnerability has been confirmed in CS4 and CS5 for Windows. Other versions may also be affected. Users should apply the Adobe Photoshop 12.0.3 update for Adobe Photoshop CS5.

Apple AirPort Updates: Apple has released AirPort Utility 5.5.2 for Mac and Windows to fix security vulnerabilities. Apple has also fixed security vulnerabilities in its newly released AirPort Base Station and Time Capsule firmware update 7.5.2. Users can download these updates from Apple's Downloads page.
 
iTunes Update: Apple has released iTunes 10.1.1 which fixes several performance and security vulnerabilities.

Important Vulnerabilities.

Symantec Antivirus Alert Management System Vulnerability:  A vulnerability has been reported in Symantec Antivirus, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is reported in Symantec Antivirus Corporate Edition 10.1.4.4010. Other versions may also be affected. No patch is available at this time.   

Opera: Multiple vulnerabilities have been reported in Opera, some of which can be exploited by malicious people to disclose potentially sensitive information and manipulate data. The vulnerabilities are reported in versions prior to 11.00. Users should upgrade to version 11.00, which can be found here.

Microsoft Internet Explorer Vulnerability: On the same day that Microsoft finally fixed the security vulnerabilities that we had listed on our blog for a month, a new critical vulnerability has been discovered in Internet Explorer, which can be exploited by malicious people to compromise a user's system and steal sensitive information. The vulnerability is confirmed in Internet Explorer 7 and 8 on a fully patched Windows XP SP3 system. We suggest running the latest version of Firefox with the NoScript add-on as an alternative to IE. 

RealPlayer Vulnerabilities: Twenty-eight critical security vulnerabilities have been found in earlier versions of RealPlayer. Windows users want to make sure they are running RealPlayer 14.0.0 or later. Mac users should make sure they are running version 12.0.0.1548 or later.

BlackBerry Vulnerabilities: RIM has released a security advisory to address a vulnerability that allows a cyber criminal to take control of a user's BlackBerry and steal sensitive information or cause a denial-of-service condition. Users should alert their IT staff to BlackBerry server security advisory KB24761 so that they may apply necessary updates to help mitigate these risks. Vulnerabilities in BlackBerry Desktop Software have been discovered. Windows users should make sure they are running BlackBerry Desktop Software version 6.0.1 or later. Macintosh users should make sure they are running BlackBerry Desktop Software version 2.0 or later.


Saturday, December 11, 2010

Weekend Vulnerability and Patch Report, December 10, 2010

The following software updates were released last week. Citadel strongly recommends that readers upgrade these programs on their computers.

Apple QuickTime Update: Apple has released QuickTime version 7.6.9. This update fixes 15 highly critical security vulnerabilities that a cyber criminal can use to take control of a user's system and steal sensitive information. Updates for both the Mac and Windows versions of the program are available through Apple Downloads. Windows users can also download and install the update through their iTunes or QuickTime Software Update feature. Mac users can update through the Mac's Software Update feature.

Firefox Update: Firefox has released version 3.6.13 fixing several highly critical security vulnerabilities that a cyber criminal can use to take control of a user's system and steal sensitive information. Users can update by going to "Help/Check for Updates" on the Taskbar.

WordPress Update: A week after releasing 3.0.2, WordPress has released version 3.0.3 to address a highly critical vulnerability that allows a cyber criminal to change or delete a web site built in WordPress. A cyber criminal could also exploit the vulnerability to attack the computers of visitors to the web site. Users will want to notify their webmaster to upgrade to version 3.0.3. Users whose website has been built using Joomla will also want to notify their webmaster of two newly discovered vulnerabilities in that popular content management system.
 
Apple MacBook Firmware Update: Apple has released a firmware update to its 11-inch and 13-inch MacBook Air models. According to Apple, the "update resolves a rare issue where MacBook Air boots or wakes to a black screen or becomes unresponsive." While not a security update, users will want to update. Users can download the update here.
 
Important Vulnerabilities.

Microsoft Patch Tuesday: Microsoft is scheduled to release its monthly updates this coming Tuesday. Let's hope the IE Vulnerability we've been writing about is on the list. Make sure your PC gets updated.

Google Earth: A vulnerability has been discovered in Google Earth, which can be exploited by malicious people to take control of a user's system. The vulnerability is confirmed in version 5.1.3533.1731. Users want to make sure they are running version 6.0.

Citrix Web Interface Vulnerability: A vulnerability has been found affecting versions 5.0, 5.1, and 5.3. The vulnerability does not affect version 5.4. You most likely want to update but check with IT staff before doing so.

Sunday, December 5, 2010

Weekend Vulnerability and Patch Report, December 3, 2010

The following software updates were released last week. Citadel strongly recommends that readers upgrade these programs on their computers.

McAfee VirusScan Enterprise: A highly critical vulnerability has been found in McAfee VirusScan Enterprise, which can be exploited by malicious people to compromise a user's system. The vulnerability is confirmed in version 8.5.0i. Other versions may also be affected. The vulnerability has been fixed in McAfee VirusScan version 8.7i and later.

Google Chrome: Google has released version 8.0.552.215 to fix multiple vulnerabilities in Google Chrome 7.x. The latest version of Chrome is available here.

WordPress 3.0.2: WordPress has released WordPress 3.0.2 to address multiple security vulnerabilities. The new version is available here.

D-Link DIR-615: Moderately critical vulnerabilities have been found in this popular wireless router. The vulnerabilities have been found in firmware versions prior to revision D.4-13B01. Users should update their routers to the latest firmware version. Information from D-Link on how to upgrade the firmware on the DIR-615 line of routers can be found here.  

News of Important Vulnerabilities.

CA Internet Security Suite Plus 2010: A vulnerability has been discovered in CA Internet Security Suite Plus which can be exploited by malicious, local users to gain escalated privileges. No patch is available at this time.

Palm Pre WebOS: Dark Reading reports a moderately critical vulnerability has been found in WebOS 1.4.x versions. According to Secunia, this vulnerability has reportedly been fixed in WebOS 2.0 beta. We have no more information at this time. Palm's web-site is here.

Kindle for PC: A vulnerability has been discovered in the Kindle for PC program 1.x. According to Secunia, no patch is available at this time. Users are cautioned to only open files from trusted sources. 

Adobe Reader: If you have not yet updated to Adobe Reader X (as we recommended last week), you should do so now. You can download Reader X using the Adobe Download Manager from the Adobe Reader web site. To avoid the Download Manager with its attempt to get you to download other software as well, Windows users can download Windows Reader X here while Mac users can download Mac Reader X here. 

Microsoft Internet Explorer: Microsoft has still not issued an update to fix a zero-day highly critical vulnerability in Internet Explorer that, according to KrebsOnSecurity.com, cyber criminals are exploiting to break into Windows computers. We suggest running the latest version of Firefox with the NoScript add-on as an alternative to IE.


Saturday, December 4, 2010

WikiLeaks Exposes "Vast Hacking by a China Fearful of the Web"

We began covering the Chinese hack into Google and other western companies on our blog last March. An article in the New York Times based on an analysis of cables released by WikiLeaks provides a fascinating look at Chinese cyber espionage as seen through the eyes of the American government.

Wednesday, December 1, 2010

Personal Guide to Staying Safe Online

Cyber criminals want your bank account and credit card numbers so they can take your money and use your credit while stiffing you with the bill. They want your social security number so they can apply for credit in your name, stealing your identity. They have even begun selling stolen medical insurance information.

Cybercriminals steal your sensitive personal information by taking control of your computer. This control also lets them install rogue programs on your computer, turning your computer into a zombie under their control—the cyber-equivalent of Night of the Living Dead. Even reasonably well-protected computers can be turned into computer-zombies if users unwittingly click on Internet links, visit sabotaged web-sites or open attachments on emails.

The consequences of having your computer turned into a zombie under the control of a cyber criminal can be devastating. Just ask the owner of the escrow company  in Redondo Beach after cyber criminals withdrew $400,000 from her bank account using the firm’s on-line bank id and password which they stole after turning her computer into a zombie. You can read about her and other victims of on-line bank fraud indexed under Financial Systems Security on our blog:  http://blog.citadel-information.com.

Online bank fraud is just one of the ways cyber criminals can make money from turning your computer into a computer-zombie. Besides stealing your credit card numbers and the login credentials to your online bank and brokerage accounts, these cyber criminals also display annoying pop-up ads on your computer, send spam from your computer and use your computer to commit a wide variety of sophisticated computer crimes.

Cybercriminals take control of your computer by exploiting four weaknesses:
  1. Every computer program running on your computer has subtle programming errors (vulnerabilities) that cybercriminals exploit to take control of your computer.
  2. Legitimate internet web sites often fail to prevent cybercriminals from installing malicious programs on their web sites. When you visit these sites, these malicious programs silently install Trojan horses and other malware on your computer.
  3. Default settings for many computer programs make it easy for cyber criminals to take control of your computer.
  4. Users often don’t know what they need to do to minimize the dangers and risks of cybercrime, particularly the need for defense-in-depth.

Defense Strategy 1: Keep Cybercriminals Off Your Computer
  • Keep Systems Patched: Software manufacturers issue program updates containing patches to fix known vulnerabilities. Set Microsoft Windows and Office to automatically update. Manually update other programs like Adobe Acrobat, iTunes, Flash and Java. We list available updates for some of the more common programs in our Weekly Patch and Vulnerability Report, available on our blog:  http://blog.citadel-information.com.
  • Limit Exposure: Create separate accounts for all family members. This is done in the Control Panel. Set account type to “Limited” unless the account needs to run programs as “Administrator.” This will make it harder for cybercriminals to install malware on your computer.
  • Protect Your Desktop: Install a reputable antivirus / antispyware product & keep it up-to-date. If you’re technical, run Firefox with the NoScript add-on inside of Sandboxie and install a host intrusion prevention system. Sophisticated cybercriminals can get past basic antivirus/antispyware software. Antivirus is necessary. It is not sufficient.
  • Secure Your WiFi: If you have a wireless network, encrypt it with WPA2 encryption. Otherwise anyone near you can eavesdrop on your communications and piggy-back on your connection.
  • Stay Away from P2P Networks: Don’t run Peer-to-Peer or other file sharing programs, such as Kazaa, Limewire or BitTorrent. These networks provide strangers access to your computer.
  • Beware of Scams, 1: Don’t click on web-site ads or pop-ups offering to scan your computer for free. Cybercriminals love to take advantage of people’s fear of getting a virus. Instead of scanning your computer, these programs will infect it. Always be wary.
  • Beware of Scams, 2: Don’t open unusual or unexpected attachments, not even from people you know. It’s easy to send an email so it looks like it came from someone else. Also, how do you know your friend’s computer hasn’t been taken over? Always be wary.
  • Beware of Scams, 3: Don’t follow links in unfamiliar or unusual emails, especially those requesting your user names, passwords, or financial information. A SPAM filter can help you avoid these e-mails but you must be on guard for emails that get past your SPAM filter. Always be wary.

Defense Strategy 2: Be Careful With Your Financial Information On-Line
  1. Don’t send your Social Security Number, bank account numbers or credit card numbers in unencrypted email.
  2. Use different strong passwords [8+ characters, upper & lower case, numbers, characters] for all eCommerce websites. Use Password Safe or RoboForm to securely manage online passwords.
  3. Only buy on-line from merchants using SSL, which means the website address begins with https://. Look for the “lock” on the title bar of Internet Explorer or Firefox’s lower right corner.
  4. Use a credit card rather than a debit card when shopping on-line. Link PayPal to your credit card, not your bank account. Federal law limits your credit card exposure to $50. There is no corresponding limit if you use a debit card (even though many banks cover debit card fraud).

Defense Strategy 3: Protect Your Information Away from Home
  1. Keep your laptop with you at all times. Never leave it unattended in your car.
  2. Keep WiFi and Bluetooth turned off except when you are using them.
  3. Encrypt the hard drive of your laptop, protecting it with a strong 15+ character passphrase. If you lose the laptop, the information is still safe. You can get free encryption software at http://www.truecrypt.org/.
  4. Never use a public computer, kiosk, or public WiFi for online banking, shopping or to access sensitive information. Since you don’t know how secure these are, prudence requires you to assume they are insecure.

Defense Strategy 4: Watch Your Credit
  1. Subscribe to a basic credit monitoring service (AAA California offers members a free service).
  2. Regularly review your bank, credit card and investment accounts for fraudulent activity.

Defense Strategy 5: Better Safe Than Sorry
  1. Always think about the information you are giving out.
  2. When in doubt, don’t.
  3. Stay up-to-date by reading our blog:  http://blog.citadel-information.com.