EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 does not properly check authorization and does not properly restrict object types, which allows remote authenticated users to run save RPC commands with super-user privileges, and consequently execute arbitrary code, via unspecified vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2514.
Monthly Archives: August 2015
CVE-2015-4533 (documentum_content_server)
EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 does not properly check authorization after creation of an object, which allows remote authenticated users to execute arbitrary code with super-user privileges via a custom script. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2513.
CVE-2015-4534 (documentum_content_server)
Java Method Server (JMS) in EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 allows remote authenticated users to execute arbitrary code by forging a signature for a query string that lacks the method_verb parameter.
CVE-2015-4535 (documentum_content_server)
Java Method Server (JMS) in EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02, when __debug_trace__ is configured, allows remote authenticated users to gain super-user privileges by leveraging the ability to read a log file containing a login ticket.
CVE-2015-4536 (documentum_content_server)
EMC Documentum Content Server before 7.0 P20, 7.1 before P18, and 7.2 before P02, when RPC tracing is configured, stores certain obfuscated password data in a log file, which allows remote authenticated users to obtain sensitive information by reading this file.
Ashley Madison. Should your company invest in cyber insurance?
What started out as a dating site – albeit a controversial one at that – has turned into a nightmare. Ashley Madison, a dating site for married people who are looking to have an affair on the side, suffered a devastating cyberattack this week as hackers published private details relating to nearly 40 million users.
The information released contained names, phone numbers, email addresses and even sexual preferences. The fallout of the attack, which took the form of a 10GB database on the “dark web” that could be accessed through a specialized web browser called Tor, was felt around the world. One radio show in Australia had listeners calling in to see if their partners had had accounts on the website, resulting in some unsavory moments.
This has resulted in the company’s reputation – like that of its users – lying in tatters and calls into the question the credibility of similar websites. How can a person be expected to sign up to a confidential website if their private information is so easily at risk of being exposed?
This is an example, recent and extreme, of what a cyberattack can mean for your company. The average cost of data theft is around $3.8 million (€3.4 million), according to the latest report by the Ponemon Institute. This is an increase of 23% compared to what a company would have lost to a hacker in the previous year.
Cyber insurances for companies
The damage done to a company’s credibility may not be repairable but there is at least a way of preventing the economic fallout from being too harsh. Large corporations are away of the risk that is posed and are looking for solutions. This has resulted in an increase in cyber insurance, which has seen an increase from 10% to 26% in the last year in the United State alone. It is estimated that up to 60 different insurance firms are offering this service.
Information theft is also a worry for European businesses and they are heading for a more rigorous legal framework for data protection, with a new law on the way. Protection against possible regulatory fines and penalties is something that every potential cyber-insurer must cover in Europe.
In general terms, you could say that there are two distinct risks that these policies cover: direct risks, which affect the company itself, and indirect risks which affect third parties (clients and users). In a typical information leak, the direct cover would help to defray the costs of notifying about an attack and the following analysis, the repair and restoration of the data, and the victims’ verification service. The indirect cover would take care of the costs of fines, legal fees, judges, and complaints on behalf of users.
So, is it worthwhile for your company to contract a cyber-insurer or is this just another way for insurance companies to increase their revenue by exploiting unchartered territory? It depends and the first thing to consider is rather obvious; prevention is always better than the cure. A good antivirus for businesses y and following recommended security steps is the best defense against a cyberattack.
That said, the main advantage of these insurance policies is that the company can continue operating if it suffers an attack. It doesn’t prevent or decrease the chances of being targeted, but it allows you to relax knowing that the future won’t be so grim.
However, no matter what insurance the company has, it will never recover its reputation after an attack and this can be devastating. According to a report by Ponemon, a cyberattack can cause a company to lose up to 4% of its clients and customers in some sectors.
So, if your company finally decides to contract a cyber-insurer there are a few things to consider. The insurer should offer retroactive cover (which pays for breaches that take place before the policy is activated), cover for unencrypted documents (text documents, spreadsheets, etc.), third party information, information stored on the cloud and mobile devices, and that it is clear what the company considers to be negligence – so they don’t leave you high and dry at the worst moment.
The post Ashley Madison. Should your company invest in cyber insurance? appeared first on MediaCenter Panda Security.
Infected ad networks hit popular websites
It is frustrating when your antivirus protection stops you from visiting a website that you know and trust, but these days even the most popular websites can fall prey to attacks.
This week security researchers discovered booby-trapped advertisements on popular websites including eBay, The Drudge Report, weather.com, and AOL. The ads, some of which can be initiated by a drive-by attack without the user’s knowledge or even any action, infected computers with adware or locked them down with ransomware.
Computer users running older browsers or unpatched software are more likely to get infected with malware just by visiting a website. Avast blocks these infected ads, but to be safe, please use the most updated version. To update your Avast, right-click the Avast Antivirus icon in the systems tray at the bottom-right corner of your desktop. From the menu, select Update.
“This kind of malvertising is a fairly easy way for cybercriminals to deliver adware or another malicious payload. Many websites sell advertising space to ad networks then deliver the targeted ads to your screen,” said Avast Virus Lab researcher Honza Zika. “All Avast users with current virus databases are fully protected against this attack, but those without protection or up-to-date security patches run the risk of being infected with ransomware.”
Malicious ads have appeared on legitimate websites for years now. In 2010, Jiri Sejtko, the director of Avast Virus Labs reported on ads poisoning and predicted that “The ad infiltration method is growing in popularity alongside with the web site infections. Now we are facing probably the biggest ad poisoning ever made.” In the years following, many legitimate sites have suffered this attack notably Reuters, Yahoo, and Youtube.
For a more technical explanation of how infected ad networks work, read the study done by Avast Virus Lab analysts, Malvertising and OpenX servers.
How to protect yourself from infected ad networks
Since infected ads can appear on legitimate sites that you normally visit with no problem, you have to trust your antivirus protection to do it’s job. Here are some steps you can take to protect yourself’
- 1. Make sure your antivirus protection is up-to-date and that you have applied security patches to software.
- 2. Disable Adobe Flash and Java. Cybercrooks often exploit the vulnerabilities in these services.
- 3. It may seem drastic, but you can even get an Ad-blocker browser plug-in to stop all ads from showing. The downside is that you miss something that could actually be useful.
Follow Avast on Facebook, Twitter, YouTube, and Google+ where we keep you updated on cybersecurity news every day.
Ashley Madison Hack – what has been leaked?
As with all privacy breaches there are multiple victims here. The customers whose personal data has been leaked, as well as the company trusted to keep it secure; a trust that may never be regained.
However, what makes this case highly significant is the collateral damage that will likely spread beyond just the direct privacy breach. Family ‘secrets’ are revealed and victims are ‘ousted’ – seemingly at the hands of anonymous hackers with a point to prove.
Another oddity in this case is that AshleyMadison.com charges only men for their subscriptions and message credits, while female users are able to use the site free of charge. This has resulted in the victims consisting mostly of men, connected by way of their credit card transaction histories, causing an asymmetry rarely seen in data breaches made public.
While the hackers have released the data in what could best be described as a harsh and judgmental way, they do offer some clues about how trustworthy the data may or may not be, “Find someone you know in here? Keep in mind the site is a scam with thousands of fake female profiles.”
On that note, remember that the information obtained and released by hackers in data breaches by their very definition is never verified by the companies who are breached, and so this brings into question the integrity of all the data, regardless of how authentic it might seem. For example, there may be deliberately false information inserted by the hackers designed to damage reputations or serve another agenda.
Accordingly, as already reported the hackers also provided this disclaimer of sorts, “Chances are your man signed up on the world’s biggest affair site, but never had one.” In short, make sure you have all the facts before a potentially dangerous and damaging real-life Internet hoax unfolds in your own backyard.
Here’s a summary of the exact data that was breached:
- Full names and addresses
- Birthdates
- Email addresses
- Credit card transactions
- GPS Coordinates
- User Names & Passwords
- Sexual Preference
- Height, Weight, physical characteristics
- Smoking and drinking habits
Lastly, while it may be easy to fall into the trap of victim-blaming and judging based on your own set of moral or ethical standards in this case – as social media opinions begin to rush forth in the coming days and beyond, it’s important to keep sight of the broader picture of what is transpiring.
Today’s breach may well affect nearly 30 million victims, and maybe you don’t know any of them… this time. Next time, in another context, it could be you.
In the meantime, let’s hope that the active investigation into the perpetrators behind this hack are brought to justice, because as the statement from Avid Life Media rightly asserts, this is an act of criminality.
Until next time, stay safe out there.
Back to School Press Kit
Press Release:
AVG Nielsen Survey Press Release
Blog Posts:
Back to school: are you prepared?
Videos:
Infographic:
Drupal Releases Security Updates
Original release date: August 19, 2015
Drupal has released updates to address multiple vulnerabilities, one of which could allow an attacker with elevated permissions to inject malicious code.
Available updates include:
- Drupal core 6.37 for 6.x users
- Drupal core 7.39 for 7.x users
US-CERT encourages users and administrators to review Drupal’s Security Advisory and apply the necessary updates.
This product is provided subject to this Notification and this Privacy & Use policy.