CVE-2014-8765

Multiple cross-site scripting (XSS) vulnerabilities in the Project Issue File Review (PIFR) module 6.x-2.x before 6.x-2.17 for Drupal allow (1) remote attackers to inject arbitrary web script or HTML via a crafted patch, which triggers a PIFR client to test the patch and return the results to the PIFR_Server test results page, or (2) remote authenticated users with the “manage PIFR environments” permission to inject arbitrary web script or HTML via vectors involving a PIFR_Server administrative page.

CVE-2014-8766

Multiple SQL injection vulnerabilities in Allomani Weblinks 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) cat parameter in a browse action to index.php or (2) unspecified parameters to admin.php.
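Added example, not code from the Allomani project: a constructed Python stand-in for a weblinks "browse by category" handler, showing the defect class behind CVE-2014-8766 (a request value such as cat concatenated into SQL) beside a hardened version that validates the id and binds it as a query parameter. The table, rows and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for a weblinks table; not Allomani's real schema."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE links (id INTEGER PRIMARY KEY, cat INTEGER, url TEXT);
        INSERT INTO links VALUES (1, 1, 'https://example.com/a');
        INSERT INTO links VALUES (2, 2, 'https://example.com/b');
        INSERT INTO links VALUES (3, 2, 'https://example.com/c');
    """)
    return db

def browse_vulnerable(db, cat):
    """The defect class: the raw request value is pasted into the SQL text,
    so anything in it that parses as SQL changes the query."""
    sql = "SELECT url FROM links WHERE cat = " + cat
    return [row[0] for row in db.execute(sql)]

def browse_hardened(db, cat):
    """Type-check the id first, then bind it as a parameter; the value is
    passed to the engine as data and can no longer alter the statement."""
    if not cat.isdigit():
        raise ValueError("cat must be a numeric category id")
    rows = db.execute("SELECT url FROM links WHERE cat = ?", (int(cat),))
    return [row[0] for row in rows]

def hardened_rejects(db, cat):
    """True when the hardened handler refuses the value; a rejected cat is a
    useful signal to log or alert on, since legitimate links never send one."""
    try:
        browse_hardened(db, cat)
    except ValueError:
        return True
    return False
```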

Dropbox Denies Hack, Says ‘Your Stuff is Safe’

Dropbox officials on Monday said that a large cache of usernames and passwords posted online and alleged to have come from the company’s users is not related to Dropbox customer accounts. A spate of media reports yesterday said that attackers had stolen several million sets of credentials from Dropbox and posted them online. The claim of […]

What can Bitcoin teach us about privacy?

By now you’ve probably heard a little about Bitcoin or one of the other virtual currencies. You’ve probably heard about the price fluctuations, maybe about the connections with illegal activities, or maybe even new companies starting to accept them as payments. These are all great ways to start learning about Bitcoin, but what interests me the most is the potential positive impact on privacy.

Bitcoin has been around for over five years now and many are still trying to get a good grasp on what it is. The best way to describe Bitcoin is that it is a protocol, similar to the protocols behind your email address or phone number, which uses a public ledger to record every transaction. So when I purchase a new computer with Bitcoin, or even just give some to a friend, anybody in the world who is looking at the ledger can see it happen in near real time. This makes the world a much more public place, but it still affords us more privacy through pseudo-anonymous addresses and a decentralized system.


Pseudo-Anonymity

The biggest case for privacy in Bitcoin is the pseudo-anonymous transactions. When looking at the public ledger we can see transactions occurring every second, the exact amount in each address, any notes attached to transactions, and what address each transaction is going to. While everything is very public in the ledger, the addresses themselves are all random strings of letters and numbers to allow the owner of each address to remain private.

The way these random strings let us stay anonymous, if we wish, is that nobody needs to know which address is yours. You can generate these addresses yourself without ever connecting them to an email address or real name, and then make payments or send Bitcoin to other people without handing over personal information.

Some people may wish to publicize one of their Bitcoin addresses to allow others to send Bitcoin their way. This might be posted on a website, in an email, or even on social media so that others can see it. For this reason it’s easy to generate multiple addresses that don’t need to be tied together in any manner, so that you can remain pseudo-anonymous while still providing some public information.


Decentralized System

One of the most common themes in today’s technology news is breaches or hacks involving credit cards. Most of the time there is a central company or website that holds a collection of credit card numbers, the names and addresses associated with them, and sometimes even the PINs for the cards. This presents hackers with a treasure chest of information to try to get their hands on. Using Bitcoin, all of the information remains in your hands, and any attempt to alter the transaction records and forge payments is instantly broadcast and seen by everybody.

There are many online “wallets” for Bitcoin, which let users quickly set up addresses and start using Bitcoin, but it’s important to make use of all of Bitcoin’s security and privacy features by keeping things in your own hands. With any meaningful amount of Bitcoin it would be smart to send it to an “offline wallet”: addresses whose private key only you hold, similar to the PIN on a debit card. With an offline wallet it’s important to keep a backup of the private key and, if it is stored on a computer, to encrypt it so that not just anybody can access it. The recommendation, however, is to print it and keep it offline in a secure location like a bank or a safe.


Bitcoin may be interesting to watch because of the investment opportunity and the stories of those who have become rich off of it, but the protocol itself opens up a lot of doors for privacy and security in the payment industry. By being able to anonymously send Bitcoin to anybody in the world, audit the entire system at any time, and keep the keys in your own hands, people should be able to feel more trust in a world full of breaches and hacks.

Seniors are going mobile

More than three quarters (77%) of Americans aged 65 and older are now using cellphones. While they lag the general population (91%+), it is a significant increase over two years ago, according to recently released studies conducted by the Pew Research Center. But a much smaller group (only 18%) of this demographic has made the leap to a smartphone. The older the person, the research suggests, the less likely they have been to make the move to a smartphone.

In support of the findings, many of the seniors that I know tend to own older model cellphones that are either a) turned off, or b) not carried at all or used only under special circumstances (for travel, and at the insistence of family on special occasions), and c) not used for anything more than actual phone calls.

But this is changing fast.

Seniors are showing a larger appetite for and are finding more value in larger format devices like tablets and e-readers. The Pew survey found 27% of seniors now own a tablet, e-reader or both (and that’s more than the public average).

Smartphone adoption should continue among seniors as new devices like the new Samsung Galaxy, Amazon Fire and Apple iPhone 6 continue to get larger and become easier to read and manipulate. In fact, the researchers at Deloitte predict that people 55+ (that would include Boomers through seniors) will experience the fastest growth in smartphone adoption in 2014, with 45-50% predicted to own a smartphone by the end of 2014.

Financial considerations for many seniors (especially those on fixed incomes) and confusion about carrier plans have no doubt led to a lag in smartphone adoption. But needing assistance to learn how to use the new devices and associated apps is one of the largest concerns by seniors (77%) in adopting smartphone technology, according to Pew.

This should be a concern to us in the technology industry. Shouldn’t we be making technology that is inherently simple to adopt? Shouldn’t we be designing apps for that, and, more specifically, with seniors in mind?

AARP thinks so. The organization just introduced a new tablet, the RealPad, aimed at this market. (I’ll cover this in more detail in my next column.)

During the recent national AARP event in San Diego, where AVG participated, we were concerned to learn that about one-third of the seniors we spoke to admitted that they use no security software on their smartphone or tablet devices. That suggests there is a lot of work to be done to help educate this audience on how to stay safe online.

Security of data is a primary issue when dealing with a smartphone or any smart connected device, whether it involves sharing photos on social media, emailing or banking. Once online, Pew and others have found that the senior demographic is rapidly embracing social media (46%). In our brief survey of technology usage among those who stopped by our booth (we’ll share more details on this later), email was the most popular online application for the group, followed by banking.

Here are some simple tips for smartphone users to make their data safer, applicable to everyone:

  • Screen lock the phone. Setting your smartphone to require a PIN code or password for access after a period of inactivity is a relatively easy way to keep your data safe.
  • Apply operating system updates. When our device prompts us to install an update, many of us simply ignore it. We shouldn’t. Many updates carry security-related improvements, so update whenever you can.
  • Think twice before connecting your smartphone to a public Wi-Fi hotspot, because just as with a PC, this kind of shared, unsecured connection can leave your activity and data vulnerable to eavesdropping and theft.
  • Beware of text message spam. Just like a web page or an email, text messages can be used for mischief. Especially if your device doesn’t have security software, links hidden in text messages can lead to malicious sites, unwanted apps and sometimes even expensive phone bills.
  • Which brings us back to security software! Use it! Malware writers see the vast mobile market as a great opportunity to make some quick profit. In a world where your smartphone probably carries more of your sensitive personal information than your home PC, it’s a good idea to use some basic protection.

I am very excited that more seniors are embracing smartphones and tablets. They are great tools for keeping connected with family and friends and for staying active and engaged. Now, we in the tech industry must catch up with them and provide the tools to make these devices more useful and enjoyable!

2977292 – Update for Microsoft EAP Implementation that Enables the Use of TLS – Version: 1.0

Revision Note: V1.0 (October 14, 2014): Advisory published.
Summary: Microsoft is announcing the availability of an update for supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012, and Windows RT for the Microsoft Extensible Authentication Protocol (EAP) implementation that enables the use of Transport Layer Security (TLS) 1.1 or 1.2 through the modification of the system registry. For more information, see Microsoft Knowledge Base Article 2977292.

2949927 – Availability of SHA-2 Hashing Algorithm for Windows 7 and Windows Server 2008 R2 – Version: 1.0

Revision Note: V1.0 (October 14, 2014): Advisory published.
Summary: Microsoft is announcing the availability of an update for all supported editions of Windows 7 and Windows Server 2008 R2 to add support for SHA-2 signing and verification functionality. Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT, and Windows RT 8.1 do not require this update, as SHA-2 signing and verification functionality is already included in these operating systems. This update is not available for Windows Server 2003, Windows Vista, or Windows Server 2008.

3009008 – Vulnerability in SSL 3.0 Could Allow Information Disclosure – Version: 1.0

Revision Note: V1.0 (October 14, 2014): Advisory published.
Summary: Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0, affecting the Windows operating system. This vulnerability affects the protocol itself and is not specific to the Windows operating system. This is an information disclosure vulnerability that allows the decryption of encrypted SSL 3.0 traffic. This vulnerability impacts HTTPS traffic, since the browser is the primary attack vector, and all web traffic served via HTTPS or mixed content HTTP/HTTPS is affected. We are not aware of a way to exploit this vulnerability in other protocols or components and we are not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers.