In an announcement eerily reminiscent of the early phases of the Heartbleed flaw that took internet security by storm earlier in the year, Google has uncovered an exploit that could allow attackers to decode the plaintext traffic of a secure connection.
The post POODLE Attack – Google uncovers major flaw in SSL 3.0 appeared first on We Live Security.
With details of the new POODLE attack on SSLv3 now public, browser vendors are in the process of planning how they’re going to address the issue in their products in a way that doesn’t break the Internet for millions of users but still provides protection. The attack, which was disclosed by a trio of Google […]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
As most of you already know, there is an important SSLv3 vulnerability
(CVE-2014-3566 - see https://access.redhat.com/articles/1232123) ,
known as Poodle.
While it's easy to disable SSLv3 in the allowed Protocols at the
server level (for example SSLProtocol All -SSLv2 -SSLv3 for apache),
some clients are still defaulting to SSLv3, and Koji does that.
We currently have disabled SSLv3 on our cbs.centos.org koji instance,
so if you're a cbs/koji user, please adapt your local koji package
(local fix !)
At the moment, there is no available upstream package, but the
following patch has been tested by Fedora people too (and credits go
to
https://lists.fedoraproject.org/pipermail/infrastructure/2014-October/014976.html)
=====================================================
- --- SSLCommon.py.orig2014-10-15 11:42:54.747082029 +0200
+++ SSLCommon.py2014-10-15 11:44:08.215257590 +0200
< at >< at > -37,7 +37,8 < at >< at >
if f and not os.access(f, os.R_OK):
raise StandardError, "%s does not exist or is not
readable" % f
- - ctx = SSL.Context(SSL.SSLv3_METHOD) # SSLv3 only
+ #ctx = SSL.Context(SSL.SSLv3_METHOD) # SSLv3 only
+ ctx = SSL.Context(SSL.TLSv1_METHOD) # TLSv1 only
ctx.use_certificate_file(key_and_cert)
ctx.use_privatekey_file(key_and_cert)
ctx.load_client_ca(ca_cert)
< at >< at > -45,7 +46,8 < at >< at >
verify = SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT
ctx.set_verify(verify, our_verify)
ctx.set_verify_depth(10)
- - ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1)
+ #ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1)
+ ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1 | SSL.OP_NO_SSLv3)
return ctx
=====================================================
We'll keep you informed about possible upstream koji packages that
would default to at least TLSv1
If you encounter a problem, feel free to drop into #centos-devel
channel on irc.freenode.net and have a chat with us
on behalf of the Infra team,
- --
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: < at >arrfab
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iEYEARECAAYFAlQ+TUUACgkQnVkHo1a+xU4JyQCfefp2h7yRdmljBqRc+M76jPTf
z7wAn3dOkaNPNfEnV0pxWDFX7BDDqKuY
=lxsg
-----END PGP SIGNATURE-----
Since October 2012, the European Cyber Security Month is going live as a pilot plan across Europe. Inspired by the concept of other similar projects that were successfully implemented around the globe. One of them is the Stop. Thinking. Connect campaign supported by the National Cyber Security Awareness Month in the United States.
The post October is the Cyber Security Month: stats, events and advice appeared first on We Live Security.
Indeed Job Search version 2.5 suffers from a cross site scripting vulnerability.
When Edward Snowden came forward in May 2013, accusing the world’s largest intelligence service of spying on US allies, people, and private companies, it became evident that electronic data is quite vulnerable. This major event even caused Russian and German government officials to consider cataloguing their data, using old-fashioned manual typewriters instead of computers. Should you do the same with your business’ data to protect it?
The only way to keep your data absolutely safe from hackers and spies is to keep it far away from computers and servers, but this approach isn’t realistic. So here are five steps that you can take to protect your small or medium size business’ data:
1)    Configure your computer network properly Regardless of the way your computers are connected in your company, via work group or server, make sure that you have implemented the right configuration. Make sure you haven’t left any gaps for hack attacks, such as software that has not been updated or free network accessibility to suppliers or all company employees.
2)    Install a business-grade antivirusThis one sounds obvious, however, it is important to point out that several SMBs still use personal antivirus to protect their business data. A company that opts to use consumer security products might not get into legal problems (although this is possible), but the major issue here is the security of the data itself. Business antivirus allows an entrepreneur to manage the company’s electronic security remotely instead of being obligated to check  each PC’s security manually. With a administration console, you can check on current problems, their solutions, and in the event of an infection or unauthorized action your console can get real-time alerts.
3)    Educate your employees about online security At AVAST we receive 50,000 samples of new viruses a day. Online security is evolving, which means you need to educate your employees about the dangers of online security and how they can best protect your company’s data on a regular basis. Try to focus on explaining the concept of social engineering to your employees, what the most recent methods of attacks are, and what the latest malware on the market is. The AVAST blog is a great place to find this information.
4)Â Â Â Â Keep in mind that humans can fail Remember that although a great part of online security can be automated, it continues to be dependable on human actions, which from time to time can fail. Minimize the risks by training your employees properly and sharing the responsibility for data security with everyone. If a mistake is made, take it as an experience to learn from as a company, rather than cracking down on one person.
5)Â Â Â Â Encrypt your most important data Currently, SMB owners have the option to encrypt data, so that in the case of an attack, their files will be protected. Encrypting files turns the information into unreadable code and only those who have the access to the encryption key are able to restore the files to their original state. This process is not simple, which is why it is recommended to encrypt your most important and sensitive files.
In addition to these five steps, make sure you stay up-to-date with the latest data security news. If a company in the same field as yours gets attacked, it can hit your SMB quicker than you may think! Remember, the digital world has neither frontiers nor barriers!
Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.
Oracle’s Critical Patch update addresses 154 vulnerabilities, many of which are remotely exploitable. Security Explorations of Poland, meanwhile, published details on a number of Java flaws in the Java Reflection API.
It’s no secret that Facebook collects a large amount of information to better target advertisements towards you, but exactly what information is being used has for the most part remained a mystery. The treasure chest of data Facebook stores on over 1 billion users ranges from what people like, to what pages they visit, and who they interact with online. So what pieces of information actually goes into each advertisement, and how does this data look to the average person?
Recently Facebook has been on a big push to improve privacy for their users. They have released everything from the “Privacy Dinosaur†to help with basic settings, changed the default privacy settings for new users, and even enabled a hidden page to allow users to see their ad preferences profile.
To access your Ad Preferences profile on Facebook, just follow the following steps.
Or alternatively you can skip right to your Ad Preferences, although you will miss other relevant privacy information about advertisements, by going directly to https://www.facebook.com/ads/preferences/edit/?ad_id=6015766102901.
Once on this page you can start expanding the different sections and seeing exactly what Facebook is using as targeting terms for you. If there are some items you would prefer not to be targeted ads based upon you can click the blue switch at the right side of the term and that item will be removed.
Some users may actually prefer to provide more terms as well, so that they can see better and more relevant ads on their pages. To do this simply click in the “Add Preference†textbox at the top of the page and begin to type. You should see a dropdown with suggestions as you type more letters and once you see your item just click on it and it will be added to your profile.
This page shows Facebook is making strides to become more open and transparent in regards to their data use and privacy practices. It may be beneficial to check back at this page a few times to see how your preferences are being changed from your natural use of Facebook.
To keep up to date with the latest Facebook tips and privacy settings follow us on Twitter @AVGFree or like the AVG Facebook page.
PayPal Inc iOS Mobile Application – Banking version 4.6.0 suffers from an authorization bypass vulnerability.
The PayPal Inc MultiOrderShipping API suffered from filter bypass and persistent XML vulnerabilities.
