Monthly Archives: May 2015

Ubuntu

USN-2594-1: ClamAV vulnerabilities

Ubuntu Security Notice USN-2594-1

5th May, 2015

clamav vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu (vivid)
  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

ClamAV could be made to crash or run programs if it processed a specially
crafted file.

Software description

  • clamav
    – Anti-virus utility for Unix

Details

It was discovered that ClamAV incorrectly handled certain malformed files.
A remote attacker could use this issue to cause ClamAV to crash, resulting
in a denial of service, or possibly execute arbitrary code.

In the default installation, attackers would be isolated by the ClamAV
AppArmor profile.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu (vivid):
clamav

0.98.7+dfsg-0ubuntu0.15.04.1
Ubuntu 14.10:
clamav

0.98.7+dfsg-0ubuntu0.14.10.1
Ubuntu 14.04 LTS:
clamav

0.98.7+dfsg-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
clamav

0.98.7+dfsg-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References

CVE-2015-2170,

CVE-2015-2221,

CVE-2015-2222,

CVE-2015-2305,

CVE-2015-2668

Ubuntu

USN-2595-1: ppp vulnerability

Ubuntu Security Notice USN-2595-1

5th May, 2015

ppp vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

ppp could be made to crash if it received specially crafted network
traffic.

Software description

  • ppp
    – Point-to-Point Protocol (PPP)

Details

It was discovered that ppp incorrectly handled large PIDs. When pppd is
used with a RADIUS server, a remote attacker could use this issue to cause
it to crash, resulting in a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
ppp

2.4.5-5.1ubuntu3.2
Ubuntu 14.04 LTS:
ppp

2.4.5-5.1ubuntu2.2
Ubuntu 12.04 LTS:
ppp

2.4.5-5ubuntu1.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-3310

AVG

Commercial Use for Drones Gets a Boost from FAA

This past weekend Drones, Data X Conference took place in Santa Cruz, CA where between 550 and 1,000 inventors, investors, regulators and the general public got to see what the future of drones may look like.

The big news from the conference came on Friday when Jim Williams, who is in charge of the FAA’s Unmanned Aircraft Systems (UAS) Integration Office, (UAS are drones for the rest of us) told a rapt audience that the FAA is re-considering its “line of sight” mandate. Basically, the line of sight rule means just that — that drones must be in the sight of their operators at all times.

Specifically, the FAA last summer announced a list of ‘do’s and don’ts’ regarding model aircraft, mostly focused on keeping them away from airports and within sight line of the user. The FAA followed this up with proposed regulations this February that would limit flights to daylight and visual-line-of-sight operations. The rule also addresses height restrictions, operator certification, optional use of a visual observer, aircraft registration and marking, and operational limits. (You can read more about it here.)

The line-of-sight rule has been key for businesses. You can imagine the chilling effect this proposed rule had on companies that were viewing drones as a key technology delivery method to add to their services, or, really for a hundred other commercial uses, from real estate to agriculture and more. So, this apparent change of view on the part of the FAA is huge.

“We understand there’s a lot of value in flying out of line of sight and that’s one of the areas we’re looking to get ahead rapidly in the next few years,” Williams said, in his presentation on Friday. (You can see a video from Mashable here.)

This has to be welcome news for those in the commercial food chain, from giant companies like Amazon to small start-ups dreaming up ways to use drones commercially. (Of note, Amazon Prime Air was a sponsor of the event).

If drones can be used safely, there are millions of great commercial and humanitarian uses ahead: from product delivery (including pizzas!) to autonomous personal air transportation via drones (hello Jetsons!), to rescuing lost hikers and delivering life-saving supplies in emergency situations, among those discussed at last week’s conference.

What also strikes me is that many of the same technologies that are coming to self-driving cars will be a way to ensure drone safety as well. Sensors, radar, lasers, cameras, and mapping technology all come into play.

“Every home is going to have a drone pretty soon,” predicted Parimal Keparekar, who works for NASA in air traffic management research, and is quoted in the Santa Cruz Sentinel describing efforts to build a highway in the sky for them. “Right now there is no congestion management problem, but eventually there will be.”

There’s still a lot to be figured out before that day arrives, including more focus on associated privacy and data concerns.

While the FAA works on getting the rules down, NASA Unmanned Aerial Systems announced it will host a UAS Traffic Management Convention, July 28-30 at NASA Ames Research Center, Moffett Field in Mountain View, CA. The focus will be on “low altitude traffic management with reference to policy issues such as privacy, safety and security, emerging markets and international perspectives.” To learn more and register: SVC-AUVSI.org.

AVG

Secure your business this Small Business Week

Small businesses don’t typically make the headlines when it comes to cyber security. Fortunately for small businesses, those stories remain the domain of large enterprises. However, cyber security for small businesses has the attention of hackers, insurers and the government.

While large enterprises may be the ultimate treasure, small businesses often represent easier targets, and compromising enough small business can add up quickly.

A recent Business Journals article citing a National Small Business Association survey reported that half of small business report that they’ve been a victim of a cyber-attack and that the average amount of money stolen through those attacks rose to $19,948 by the end of 2014.

The tools that have become so critical to small business success also create multiple points of vulnerability. Laptops, tablets, and smartphones continue to proliferate and with BYOD becoming a reality, the ability to control and manage access to data and applications has become overwhelming for many small and medium sized businesses.

Clearly, a comprehensive security review is essential for all companies and in many cases a good starting point is evaluating and addressing the risk of attack through the range of devices connected to a company’s systems.

Whether your business has its own IT department or works with a Managed Service Provider, be sure to spend time during Small Business Week 2015 to address the following vulnerabilities:

Mobile devices:

The ability to easily authorize and de-authorize mobile devices for specific applications and data sources, even BYOD, is critical. Your mobile device management system should allow for complete reporting of all connected devices, who they belong to and what they can access. This not only saves time as new employees come on board, it allows instant removal of access when an employee leaves. In the event a device is lost or stolen, locking and/or wiping of the device can be managed quickly and effectively.

Identity and password management:

Employees simply have too many passwords to remember and resort to repeatedly using the same password or writing them down on post-it notes. To make matters worse, when passwords are forgotten, employees call support which reduces their efficiency and increases costs to a small business. Single sign on with multi factor authentication and easy integration with Office 365 is an essential security component and will help protect systems, reduce costs and improve employee efficiency.

Not all attacks simply take information

They may also delete or remove critical business data. It’s essential that a comprehensive backup and disaster recovery system is implemented to ensure that your operations can continue even in the event of a natural…or un-natural disaster.

Small business cyber security doesn’t require huge budgets or even a dedicated IT department. MSPs like those that work with AVG Business can help evaluate your systems and recommend a set of security measures that will help your company to operate effectively and efficiently, even in the face of uncertain attackers.

For more information on keeping your business secure check out our AVG Small Business Digital Policy Guide