-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:221
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : clamav
Date : May 4, 2015
Affected: Business Server 1.0, Business Server 2.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been found and corrected in clamav:

Fix infinite loop condition on crafted y0da cryptor file. Identified and patch suggested by Sebastian Andrzej Siewior (CVE-2015-2221).

Fix crash on crafted petite packed file. Reported and patch supplied by Sebastian Andrzej Siewior (CVE-2015-2222).

Fix an infinite loop condition on a crafted xz archive file. This was reported by Dimitri Kirchner and Goulven Guiheux (CVE-2015-2668).

Apply upstream patch for possible heap overflow in H
Monthly Archives: May 2015
Heartbleed. Why do the vast majority of companies remain vulnerable?
When you visit a webpage, your computer actually accesses the server where the files displayed on your screen are located. If you enter a password on this site, it will also go to the server, where it will be stored. Companies use secure protocols, like the popular OpenSSL, which encrypt communications of computers connected to the network.
So when a serious vulnerability in the OpenSSL software package was published in April 2014, companies all around the world held their breath. Since 2012, this open source version of the SSL protocol had not been doing its job of protecting communications.
The person ultimately responsible for the finding was Google engineer Neel Mehta, who found it after thoroughly reviewing the tool’s open source code. Mehta, along with team members of Codenomicon, gave CVE-2014-0160 a simpler name: Heartbleed, with a logo of a bleeding heart to convey the severity of the fault.
The vulnerability allowed cybercriminals to access users’ information (passwords, bank accounts, and other sensitive information) stored on Internet servers using OpenSSL.
The news kept thousands of companies on edge, as they used this system to encrypt communications in their webpages or between internal servers. Even routers use the SSL system. One of the affected organizations was the Community Health System (CHS) in the United States, where the data of 4.5 million patients was compromised until the authorities fixed the error.

Fortunately, as with any other security breach, a fix was found. The OpenSSL team developed a software update which made it disappear. Professionals had only to follow a few steps to safeguard their communications again.
However, a recent report carried out by a group of security experts revealed that 74% of the largest companies in the world are still at risk. The reason is that those companies have not yet gotten rid of the vulnerability. In addition to installing the new version (1.0.1g or higher), they had to revoke and replace the encryption keys and the certificates. This process requires some computer skills and, in many cases, contact with the digital certificates’ suppliers, and many of them left it half done.
Although some experts doubted the test results, the fact is that Heartbleed is not a regular bug. When vulnerabilities affect only one program they can be quickly fixed, but during its two years of life the OpenSSL flaw affected 66% of the active pages on the Internet, according to Netcraft. Even Yahoo! and Flickr were affected and had to fix the problem.
The cryptographic library is among the software that companies use most, in everything from an online shop to a simple user identification on a corporate platform. OpenSSL is often used to protect mail servers, chats and virtual private networks.
Internet users couldn’t do anything about it other than trust that the people responsible for their most visited websites had solved the security breach. Companies did have homework to do in order to solve the problem. We just hope that, at least, the report results make the stragglers get down to work.
The post Heartbleed. Why do the vast majority of companies remain vulnerable? appeared first on MediaCenter Panda Security.
White House data breach: what are the risks?
The news of a security incident involving public institutions is always treated with high importance, taking into consideration the volume of sensitive information stored by these entities. The recent White House data breach didn’t involve any classified information but hacking into the West Wing computer network might have been just enough to provide the attackers with important data: correspondence with certain diplomats or details about White House visitors.
Although it has not been officially confirmed whether the authorities are up against professional cyber thieves or foreign spies, the attackers can now use the personal information of American citizens in whatever way serves their purposes.
An urgent letter signed by the U.S. Senate Commerce Committee was addressed to President Barack Obama raising several concerns about the White House data breach.
Committee chairman John Thune released a statement last night expressing his concern over the hacking episode.
‘Just like any entity that handles personally-identifiable information, the White House has a responsibility to notify Americans if the recent, or any future breach, results in a compromise. If such information has been lost, the White House still has a responsibility to victims even if it believes the hack was perpetrated by foreign spies and not cyber thieves,’ said Committee chairman John Thune.
The letter mentions that the White House computer system contained not only personal data of the White House visitors but also sensitive information such as schedules, policy discussions and emails, including exchanges with diplomats. Do you think this type of information ending up in the hands of the attackers can do more harm than everybody initially thought?
Read more on the topic: http://www.dailymail.co.uk/news/article-3066787/U-S-Senate-panel-raises-privacy-concerns-White-House-hacking-incident.html#ixzz3ZBDTuy8h
The post White House data breach: what are the risks? appeared first on Avira Blog.
Researchers, FBI Warn of Nepal Earthquake Scams
The earthquake that hit Nepal late last month has caused untold damage in the region and kicked off a massive relief and aid effort. Attackers are loath to let a chance like that go by, and they have concocted a number of schemes to deprive victims of their money and hope for relief funds. Aid organizations […]
David Harley on the evolution of scams and social engineering
Harley says that scams and social engineering have been a constant in cybercrime – but in the past few years, some scams have got markedly more sophisticated, and more difficult even for a trained eye to spot.
The post David Harley on the evolution of scams and social engineering appeared first on We Live Security.
National Small Business Week: a cybersecurity survival guide
It’s National Small Business Week in the U.S. and, because properly protecting the digital assets of your small business could be vital to its success, here’s a cybersecurity survival guide.
The post National Small Business Week: a cybersecurity survival guide appeared first on We Live Security.
AVG’s Marco La Vecchia named among CRN Channel Chiefs
AVG is delighted that our own Marco LaVecchia has been recognised by CRN as a top channel chief. The nomination, which came earlier in April, underlines AVG’s commitment to excellence and expertise in the channel.
This isn’t the first time that Marco has been recognised by CRN, as he was named among their “100 People You Don’t Know, But Should” in 2012.
With more than 10 years’ experience in the channel industry, Marco has made a big impact since joining AVG a little over a year ago. He now leads a team that handles over 4,500 managed service providers (MSP) to help them get the most out of their technology.
As part of his nomination, Marco interviewed with CRN where they asked him to talk about his highlights since joining AVG.
The Power of Partnerships
Marco is a firm believer in the power of partnerships and has overseen more than 1,000 new partners join AVG since he arrived.
This is in no small part due to AVG’s Partner Enablement Program, which helps MSPs evolve from a reactive business model, where they respond to incidents as and when they occur, to an aware, proactive and preventative one.
The best tools for the job
Marco also highlighted the arrival of AVG Managed Workplace 9.0 which shows that innovation and technology are at the heart of AVG Business.
AVG Business’s insistence on providing powerful, cutting-edge and easy-to-use remote management tools means that our partners can focus on what matters to them – running their business.
Rewarding excellence
2014 was a busy year for Marco, attending over 50 industry events. These included the inaugural AVG Business Partner Summit in Phoenix, Arizona which was attended by more than 200 partners from around the world.
They also included the first ever AVG Awards given to outstanding partners across the globe.
Building for the future
Looking into 2015, Marco hopes to champion partner satisfaction by making it one of his key priorities for the year.
The world’s most wanted hackers
The FBI is taking cybercrime seriously. Here are some of the most wanted hackers in the world, and what they’re wanted for…
The post The world’s most wanted hackers appeared first on We Live Security.