The future of work-life balance and tech

Many of us question the impact of technology on work-life balance, as our lives play out in the always on, always connected 24×7 workplace.

Now, in the heat of the late summer, the topic has become a hot one in the tech industry itself – from a controversial new New York Times exposé that examines Amazon’s purported workplace culture to the highly reported news of increased parental leave programs by key companies and, finally, a release of some annual “top” ranked company lists.

First, a look at the expanded parental leave offerings unveiled this summer:

  • Netflix announced it is offering a year’s paid maternity or paternity leave to its employees.  Specifically, Netflix has put in place “an unlimited leave policy for new moms and dads that allow them to take off as much time as they want during the first year after a child’s birth or adoption.”
  • Microsoft said it would offer 20 weeks of paid leave to new mothers, up from its current 12 weeks paid and eight weeks of unpaid leave. New fathers will get 12 paid weeks, instead of four paid and eight unpaid.
  • Adobe said it would offer parents who are the primary caregivers 16 weeks of paid leave after the birth or adoption of a child – in addition to 10 weeks of paid medical leave following childbirth. That means a new mother could take a total of 26 weeks off — up from the current nine weeks.

Among offerings of other tech giants already in place: Google raised its paid maternity leave from 12 to 18 weeks in 2007. Facebook’s new parents receive four months of paid leave, as well as $4,000 in “baby cash.”

Analysts say the underlying goal of the newly updated parental leave programs is not totally altruistic, but an effort by the companies to stay competitive in the super competitive Silicon Valley tech job market. They also expect that outside of the tech sector, little will change… particularly for startups and smaller businesses that cannot afford to provide equally rich programs.

While the new parental-leave policies of tech powerhouses are innovative, the U.S. is still playing catch-up when it comes to other nations. For example, the U.S. is the only developed country that does not mandate any paid leave for new mothers. (See Pew research on the topic from 2013 here.)  BTW, in most countries that offer paid time for mothers (a median of 5-6 months), their government picks up the tab and paternity leave is more limited (offered by only 25 of the 38 nations).

U.S. Sen. Kirsten Gillibrand of New York and U.S. Congresswoman Rosa DeLauro of Connecticut are pushing for a new law that would provide 12 weeks, but not unlimited leave, in the U.S. Under their bill, employees and employers would make small contributions and pool them so that workers can draw a significant portion of their pay while caring for a newborn or for other serious personal or family illness.

To be sure, advances that are taking place toward work/life balance in the U.S. aren’t only in the domain of Silicon Valley. In its examination of the 25 companies that have “the best” work/life balance in the U.S., Forbes Magazine cited more exemplary non-tech companies than tech examples. Forbes’ criteria went beyond time-off to other considerations.

According to the Forbes list, the best company for work/life balance, for the third year in a row, is non-tech giant Colgate/Palmolive. Among tech companies to rank on the list were Google, Nokia, Philips, Motorola, and Intel… You can access the list here. (The Forbes survey, conducted in concert with the job search engine Indeed, ranked companies with at least 100 employees which hire primarily full-time workers. The list does not include government or military organizations, colleges and universities, nonprofits, or staffing agencies.)

The Forbes survey also notes that in 2015 work/life balance, flexibility is fast rising up the ranks in importance. Though the number one consideration for people is still pay, number two is location and number three is flexibility – even ahead of benefits.

In the end, though it may be a culprit when it comes to taking away from our work/life balance, technology is also a driving factor in helping make the balance possible…

And there lies a conundrum that we in the tech industry and all companies must all continue to work on.

Luis Corrons (Panda): “Companies should act as if they’ve already been attacked, if they really want to remain safe”

The director of Pandalabs, the laboratory which Panda Security set up to fight against malware, shares with us the main tips that businesses should follow to be safe in the digital, multi-device, and mobile era.

Panda Security: There are more and more security hurdles for businesses these days. The volume of malware is increasing and the threats are getting more sophisticated. Ransomware such as Cryptolocker, direct threats and persistent advanced threats are the main risks but there are more. How do you see this complex panorama?

Luis Corrons: It’s true. Businesses are facing ever greater security risks. The advancement of technology is ever faster and this means that risks no longer affect us as they did previously – instead of focusing on PCs, we need to keep an eye on mobile devices and tablets, not to mention any other device that employees use to access corporate applications that the company may not be aware of. There are new ways for attacks to enter the business and there will be even more in the future. Wearables, without saying more, could be another entrance point for attacks. If companies aren’t aware of this and don’t take the correct precautions, this could end up being a nightmare from a security perspective.

P.S.: Are they aware of this reality?

L.C.: They are well aware of it, in fact, they have quickly jumped on the bandwagon. However, they aren’t fully aware of the risks nor how to correctly react to it.

P.S.: In your opinion, how should they behave?

L.C.: The first thing that they have to do is identify all of the devices which can access the corporate applications. It could be convenient if they introduce a policy such as BYOD (Bring Your Own Device). Many employees would prefer to use their own device but, in this case, the company will need to inform them that in order to access the corporate systems, there needs to be some controls in place. The business needs to always know which devices are connected and what security measures each one has.

Another key tip is to act as if they’ve already been attacked and that the “baddies” have already gotten in. You should never think that you are completely safe, as there is always the possibility of an attack, this is why it is vital to know what is running on your network at all times.

The problem is that many businesses think “why would they attack us? We’re small and of little interest”. This way of thinking is a mistake and it’s common for a cybercriminal to attack a small business with the intention of accessing the systems of a larger one. Small businesses can be customers of providers for large multinationals and if their systems aren’t secure then this can represent an easy entry point for attackers. This is what happened with Target, the large American supermarket chain, which was attacked in 2013 thanks to a hole in the security system of its air-conditioning provider, which also happened to be a small business. Thanks to this small hole, the cybercriminals were able to infect the POS and steal credit card details of the customers. A small business could put the largest multinational in the world at risk.

P.S.: Suppose that, owing to the lack of resources that they have available, this is why small businesses are the most vulnerable…

L.C.: In reality, every business is at risk of an infection or attack. Obviously the larger the business, the more attractive it is to criminals – they have more computers and distribution points, which means more possibilities to attack. However, they are also the ones which have better protected their systems. Smaller companies, although they have fewer points of attack, usually leave a lot to be desired when it comes to security as they lack resources or the cost is too high.

P.S.: Lots of small businesses (and large ones, too) have antiviruses, however, these solutions aren’t enough in the face of new attacks…

L.C.: An antivirus can detect lots of malware but it can’t detect them all, especially new attacks which are more sophisticated and are based on social engineering which tricks the users. So, what is the solution? What can a small business do to ensure its security? The first thing is to have an antivirus and software updated (obviously Windows, which updates itself automatically, but also other software, extensions of Flash, etc.). Not having updated software is one of the biggest holes in security that there is. The other is lack of knowledge and awareness. It’s important to explain to employees the social engineering techniques that are being produced, that they don’t open suspicious files or ones from unknown senders, etc. There’s a lot of information available and courses to learn about Cryptolocker and other types of attacks. If both these holes are sealed up then businesses will be much better off.

 

P.S.: Panda has created Adaptive Defense to cover the areas where a traditional antivirus can’t reach. Can you tell us more on this solution?

L.C.: It is a solution that controls everything that happens on your network.  It allows the administrators to have total control of all files and applications that are running on the company’s computers or servers, and in the near future it will expand its abilities to mobile devices.

Adaptive Defense monitors everything and if it sees that what is being downloaded is good, it leaves it be (it continues to monitor it, just in case). However, if it spots something unusual it will block the download and, in the case of it being something which we have never seen before, or unknown, it will block it temporarily until it can be classified. The user can also personalize the management of the tool via different parameters, meaning they can see everything clearly with this platform. It also informs you if you are running an up-to-date version of an application or if, for example, an employee is using Dropbox to copy confidential information. Finally, the most important part, it analyzes everything and can be used alongside the antivirus that the company already has, be it a Panda one or not.

 

P.S.: PC, servers, mobiles… the next area to protect will be the Internet of Things? What with the increase in wearables and the huge number of sensors….

L.C.: Without a doubt, in fact, at Panda we are already working on covering the Internet of Things, it’s our next, big step.


Non-Persistent Cross-Site Scripting

Component Type: TYPO3 CMS

Release Date: September 8, 2015

 

Vulnerable subcomponent: Backend

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.14, 7.0.0 to 7.3.0

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C

CVE: CVE-2015-5956

Problem Description: It has been discovered that it is possible to forge a link, containing a JavaScript payload, to a backend module. The JavaScript is executed if an authenticated editor with access to the module follows the link and is then tricked into clicking on a certain HTML target. Because TYPO3 versions 7.4.0 and above include in every URL a secret token unknown to an attacker, an exploit would not be feasible for these versions.

Solution: Update to TYPO3 version 6.2.15 or 7.4.0, which fix the problem described.

Credits: Thanks to Julien Ahrens (secunet Security Networks AG) who discovered and reported the issue.

 

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.
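
How a per-session secret token in backend URLs defeats a forged link of the kind the Problem Description above describes, as an added example that is not TYPO3's own code. The parameter names `module` and `token`, the backend path and the module names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

BACKEND_PATH = "/backend/index.php"  # hypothetical path, not TYPO3's


def new_session_secret() -> bytes:
    """Random secret kept server-side with the editor's session."""
    return secrets.token_bytes(32)


def module_token(session_secret: bytes, module: str) -> str:
    """Token bound to one session and one backend module."""
    return hmac.new(session_secret, module.encode(), hashlib.sha256).hexdigest()


def build_module_url(session_secret: bytes, module: str, params=None) -> str:
    """Links rendered by the backend itself carry the token."""
    query = {**(params or {}), "module": module,
             "token": module_token(session_secret, module)}
    return BACKEND_PATH + "?" + urlencode(query)


def dispatch(session_secret: bytes, url: str) -> str:
    """Check the token before any parameter reaches the module's output code."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    module = query.get("module", [""])[0]
    supplied = query.get("token", [""])[0]
    expected = module_token(session_secret, module)
    # Constant-time comparison; a missing token compares as the empty string.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return "rejected"
    # The token proves where the link came from; it does not sanitise the
    # other parameters, so output encoding is still required in the module.
    return "dispatched"


if __name__ == "__main__":
    editor = new_session_secret()
    print(dispatch(editor, build_module_url(editor, "web_list", {"id": "42"})))
    # Constructed forged link: payload in a parameter, no valid token.
    print(dispatch(editor, BACKEND_PATH + "?module=web_list&id=%3Cscript%3E"))
```

A link built outside the editor's session cannot carry a valid token, so it is rejected before the module processes the payload parameter.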

Unauthenticated Path Disclosure

Component Type: TYPO3 CMS

Release Date: September 8, 2015

 

Vulnerable subcomponent: Frontend

Vulnerability Type: Information Disclosure

Affected Versions: Versions 6.2.0 to 6.2.14, 7.0.0 to 7.3.1

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C

CVE: not assigned yet

Problem Description: It has been discovered that calling a PHP script, which is delivered with TYPO3 for testing purposes, discloses the absolute server path to the TYPO3 installation.

Solution: Update to TYPO3 version 6.2.15 or 7.4.0, which fix the problem described.

Credits: Thanks to Heiko Kromm who discovered and reported the issue.

 


3083992 – Update to Improve AppLocker Publisher Rule Enforcement – Version: 1.0

Revision Note: V1.0 (September 8, 2015):
Summary: Microsoft is announcing the availability of a defense-in-depth update that improves the enforcement of publisher rules by Windows AppLocker in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. The improvement is part of ongoing efforts to bolster the effectiveness of security controls in Windows.