Monthly Archives: July 2015

AVG

AVG demonstrates robust anti-theft solution in partnership with Qualcomm

Losing a smartphone means so much more than the cost of the device itself – personal and business information, messages, emails, contacts and social networking profiles may all be potentially compromised. When you add banking and shopping apps, the financial costs and associated risks can also escalate significantly.

That’s why we’re pleased to announce that AVG is working with Qualcomm Technologies, Inc., a leading supplier of semiconductors to the mobile industry, to expand the functionality of our applications to include Qualcomm SafeSwitch kill switch technology on devices with select Snapdragon chipsets.

Unlike other anti-theft alternatives, SafeSwitch provides a robust yet reversible kill switch solution that locks the device at the chip level, rendering it unusable and extremely difficult to crack. SafeSwitch also helps protect user privacy by encrypting the device’s storage, making it very difficult for attackers to obtain any personal or privileged information from a stolen device.

Any attempt to replace the SIM card, perform a factory reset or brute force the passcode will lock down the device and render it temporarily unusable. After locking, the device owner can unlock the device and restore it to its pre-locked condition by entering the master passcode.

AVG and Qualcomm conducted a demonstration of the SafeSwitch solution on a device incorporating Qualcomm’s premium-tier Snapdragon 810 chip at the 5th Annual International Cybersecurity conference held in Tel Aviv, Israel, June 22nd -25th, 2015.

Following the conference, AVG and Qualcomm Technologies will continue working together to offer a joint end-to-end commercial solution later this year.

Avast

Shopping online just got a little more risky

One of the largest e-commerce platforms, Magento, has been plagued by hackers who inject malicious code in order to spy and steal credit card data or any other data a customer submits to the system. More than 100,000+ merchants all over the world use Magento platform, including eBay, Nike Running, Lenovo, and the Ford Accessories Online website.

The company that discovered the flaws, Securi Security, says in their blog, “The sad part is that you won’t know it’s affecting you until it’s too late, in the worst cases it won’t become apparent until they appear on your bank statements.”

Minimize your risk for identity theft when shopping online

Minimize your risk for identity theft when shopping online

Data breaches are nothing new. The Identity Theft Research Center said there were 761 breaches in 2014 affecting more than 83 million accounts. You probably recall the reports of Sony, Target, Home Depot, and Chic Fil A.

We have heard lots about what we as individual consumers can do to protect ourselves: Use strong passwords, update your antivirus protection and keep your software patched, learn to recognize phishing software, and be wary of fake websites asking for our personal information.

But this kind of hack occurs on trusted websites and show no outward signs that there has been a compromise. The hackers have thoroughly covered their tracks, and you won’t know anything is wrong until you check your credit card bill.

So how do you minimize the risk of online shopping?

  • Use a payment service or your credit card– Experts agree that payment services like PayPal are safe because of their security practices and the encryption technology they use. Just don’t link it to your checking account. Link it to a credit card so you get your credit card’s fraud protections in addition to PayPal’s. If you only use a credit card, designate one card for online purchases so if something unusual happens, you don’t have to track down all your other cards.
  • Keep a paper trail – Once you place your order, print or save records of the transaction. Check your credit card statement to make sure transactions match and there were no unauthorized charges.
  • Avoid shopping while using public Wi-Fi – Unsecure public Wi-Fi hotspots do not give you any protection from hackers who want to monitor what you are doing online. It’s not difficult for someone to intercept and modify communications between you and another site. If you have to do it, then use a Virtual Private Network (VPN) so your communications will be encrypted.

What to do if you are caught in a data breach

  1. Get a new card – Either get a replacement card from the company or close your account.
  2. Change your passwords – If you have an account or have done business with any company that falls victim to a breach, then change your password ASAP. It’s a good idea to change all your passwords because hackers sell them to other cybercrooks.
  3. Monitor your bank and credit card statements – Don’t wait for your monthly statement to arrive in the mail. By then, a cybercrook could have done major damage. Check your online statement until your new card arrives. If you see any suspicious charges, report it immediately.
  4. Freeze your credit – you can request that your credit report be frozen from the three main credit bureaus; Equifax, Experian and TransUnion. This way, no one can access your credit report without your approval.

Security

LifeLock Patches XSS That Could’ve Led to Phishing

Researchers identified a cross-site scripting vulnerability in a page on the LifeLock website that could allow an attacker to create an authentic-looking login page for the service and harvest usernames and passwords from customers. LifeLock patched the vulnerability quickly after researchers Blake Welsh and Eric Taylor from Cinder Cyber Research reported it. Welsh said via […]

Drupal

Views Bulk Operations – Moderately critical – Access Bypass – SA-CONTRIB-2015-131

Description

The Views Bulk Operations module enables you to add bulk operations to administration views, executing actions on multiple selected rows.

The module doesn’t sufficiently guard user entities against unauthorized modification. If a user has access to a user account listing view with VBO enabled (such as admin/people when the administration_views module is used), they will be able to edit their own account and give themselves a higher role (such as “administrator”) even if they don’t have the “‘administer users'” permission.

This vulnerability is mitigated by the fact that an attacker must have access to such a user listing page and that the bulk operation for changing Roles is enabled.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Views Bulk Operations 7.x-3.x versions prior to 7.x-3.3.
  • Views Bulk Operations 6.x-1.x versions.

Drupal core is not affected. If you do not use the contributed Views Bulk Operations (VBO) module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Views Bulk Operations module for Drupal 7.x, upgrade to Views Bulk Operations 7.x-3.3
  • If you use the Views Bulk Operations module for Drupal 6.x, uninstall the module.

Also see the Views Bulk Operations (VBO) project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 
Drupal 6.x
Drupal 7.x
Drupal

Migrate – Less critical – Cross Site Scripting (XSS) – SA-CONTRIB-2015-130

Description

This module enables you to manage migration processes through the administrative UI.

The module doesn’t sufficiently sanitize destination field labels thereby exposing a Cross Site Scripting vulnerability (XSS).

This vulnerability is mitigated by the fact that an attacker must have a role
with permission to create/edit fields (such as “administer taxonomy”), or be able to modify source data being imported by an administrator. Furthermore, the migrate_ui submodule must be enabled.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Migrate 7.x-2.x versions prior to 7.x-2.8.

Drupal core is not affected. If you do not use the contributed Migrate module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the migrate module’s migrate_ui submodule for Drupal 7.x, upgrade to Migrate 7.x-2.8

Also see the Migrate project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: 
Drupal 7.x
Avira

Avira’s Secure Browser

Now we are about to stretch even further and integrate a browser into our eco system. And in case you are wondering: There are very good reasons for that.

Nowadays the top use-case for a computer is to access the internet using a browser. The infrastructure of the internet is run by different entities (routers, DNS, servers). The homepages contain executable code that is run in the browser. Manifold data formats are used in the net (HTML, JS, CSS, PNG, SVG, video formats, …). All in all it’s a well connected and extremely complex system. And it is used to access valuable data (online banking, shopping, medical research, looking for a new job, …) – a disaster waiting to happen.

The browser developers (Mozilla and community, Google and community and Microsoft) are putting lots of resources into securing those browsers. And they are doing a very impressive job.

But the threats online are not getting less. There are a lot of them: Phising, insecure Wifis, malware drive-by, trackers, … you name them!

This needs fixing.

Basically there are three points to secure:

  • The client (your PC and browser): Detect attacks and block them
  • The Internet infrastructure (like Wifis): End-to-End encryption fixes that
  • The server (like the site that is trying to phish you): Identify and block

This is our opportunity to improve the situation.

  • For the first time ever we can go beyond add-on and have more of an add-in. This means: More options to secure the system
  • While the browser vendors have to produce a one-size-fits-all we can center on a more security aware customer base
  • We have lots of backend databases knowing the dangerous places in the internet
  • While high-end security extensions (Noscript) focus on the skilled user, we will build a system with an auto-pilot, basing the security decissions on our backend databases and our experience
  • This auto pilot will also automate repetitive tasks away
  • Before you ask: Skilled users can take over the wheel and override it
  • You can install additional extensions. It is your browser after all

The whole project is based on extensions and chromium. Both are Open Source. We will pay for our ride: We contribute to them to guarantee a perfect browsing experience. Of course we will also integrate our Avira technology.

If you want to test it, the just head for the Avira Beta Center !

  • There you can get the debian package that runs very well on my Ubuntu 15.4
  • Or the Mac packages that runs on my boss’s Mac
  • Or the Windows installation files requested by management – because some of you run Windows

We will also be happy to listen to your ideas and experience, so feel free to share yout thoughts with us. We would really appreciate it.

Upcoming will be a separate article describing our development process and tactics, so stay tuned.

The post Avira’s Secure Browser appeared first on Avira Blog.

AVG

Is the blockchain the next big thing in banking?

Late last year, it emerged  that that two major Dutch banks ABN Amro and ING were running trials of blockchain technology on their trading desks.  The move follows reports that international banking group Santander was testing the viability of moving their international payments infrastructure to the blockchain.

The move to the blockchain, which Santander estimated could save banks as much as $20 billion a year in infrastructural costs, would be a landmark endorsement of the technology behind cryptocurrencies such as Bitcoin.

While it seems that the move may now not go ahead, it is still a significant step for financial institutions that have gone largely unchanged in decades.  What we are witnessing is the first large scale reaction from a bank in the face of new technology that threatens their industry, Bitcoin has revealed how outdated the existing financial infrastructure is, and banks realize this.

What is the blockchain?

Many people confuse blockchain with Bitcoin. While Bitcoin is a cryptocurrency, blockchain is the ledger system that tracks and manages every transaction made. The blockchain is mostly known for being the ledger system used by Bitcoin.

The blockchain is essentially a record of all Bitcoin transactions in history. They are recorded live and stored chronologically in “blocks” so that if you followed the chain through to the end, it would return to the first ever Bitcoin transaction.

You can see the blockchain in action here, with a live scrolling list of all transactions made in Bitcoin shown in real time.

https://blockchain.info/new-transactions

 

Why move to the blockchain?

What’s interesting about the blockchain is that it is entirely transparent. The sender and recipient of every transaction is known. But the blockchain also grants pseudo anonymity, while the details of the transactions are shown, there is no way to trace the identity of the account holders.

As well as improved privacy, the blockchain allows end users to save money on international financial transactions, move money around instantly and securely.

Security is another important benefit of the blockchain. While a traditional bank has a small number of servers processing transactions, when using the blockchain, the legwork is split between thousands of computers around the world.

Naturally, having such a large bank of computers do the processing makes the blockchain incredibly secure. With each computer managing only a tiny fraction of the transactions, in order to successfully hack the ledger, hundreds, if not thousands, of computers would need to be successfully breached. On top of this, it means that banks no longer need to foot the bill for server maintenance and security.

 

What does this mean for Bitcoin?

With blockchain technology on the brink of mainstream adoption, where does that leave Bitcoin? Unfortunately for fans of the cryptocurrency, the traded volumes are still too small to really support its case as a viable alternative to traditional currency.

However, volumes are growing slowly over time and while early adopters such as Silkroad have brought negative press associations, they are also paving a way for legitimate business use – a proof of concept.

While we may have to wait some time to see either blockchain or Bitcoin adopted by mainstream industry and finance, the news that major corporations are investigating the applications of blockchain technology is a very positive sign.

I believe that in a few years’ time, blockchain will be the de-facto method for ledgering transactions and that businesses and banks will no longer ‘own’ how their clients move money but instead battle to be the platform of choice for blockchain transactions.

 

 

 

NVD

CVE-2014-1750 (nokia_maps_&_places)

Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as cross-site scripting (XSS) vulnerability, but this may be inaccurate.

NVD

CVE-2014-1836

Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.

NVD

CVE-2015-0848

Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image.