ReverbNation breach points to an old yet newly ‘known unknown’

Having worked in the IT security industry for even a few years is enough to make one cynical at times, skeptical usually, and shocked rarely. But one thing did surprise me this morning when I opened my Gmail inbox: an “Important Security Notice About Your Password” from online music and band-hosting platform ReverbNation.

The post ReverbNation breach points to an old yet newly ‘known unknown’ appeared first on Avira Blog.

‘InstaPolicing’: Police departments are monitoring social media

The golden rule of social media is ‘think before you post.’ In the age of Instagram and living in the moment online, people sometimes forget how that one digital moment can now and forever be captured.

It happens to the best of us – and it is also happening to the worst of us, sometimes with real consequences.

In terms of the latter, social media has become a tool for law enforcement to fight crime almost since its inception. Now, Instagram photos have become a popular mechanism for helping police to track criminals who, you might say, are ‘selfie-incriminating’ themselves on social media.

The San Francisco Police Department, for example, has dedicated resources for monitoring Instagrams to track individuals of interest, and the program has yielded results.  Officer Eduard Ochoa, who has been SFPD’s “Instagram Officer” for a number of years, has monitored and tracked individuals who were on probation and observed them doing things in violation of their probation. In one case, a minor on probation posted photos of himself in possession of a firearm. The Instagram spottings allowed officers to perform a probation search, and in the course of the investigation firearms were found.

Recently, an appeals court ruled that those Instagram photos of the incident were admissible even though no one who was present when the photographs were taken testified. (You can read the court ruling here.) The individuals involved were also wearing the same clothes as they were in the Instagram photos when police arrived, which no doubt helped seal the deal.

The SF Police Officers Association’s newsletter singled out Ochoa and other officers for performing “an extremely intensive investigation using the most modern techniques provided by our new electronic age” to locate the suspect in a shooting.

“If the criminals are getting smarter and more tech savvy, so should the police department,” SFPD spokesman Officer Albie Esparza told a reporter for Marketwatch.

The Instagram officer is only one example of police using social media to fight criminals. Many departments across the country now use Facebook, YouTube and Twitter in police work. According to a 2013 social media survey from the International Association of Chiefs of Police, 96% of police departments were using social media in their policing, and more than 80% said it was helping solve crimes. (Of course, it works both ways, and the defense can find evidence of alibis on social media as well.)

Indeed, while social media usage is now commonplace in law enforcement, one item of concern is that guidelines and procedures to govern it may be lagging. According to a November 2014 study by LexisNexis, “Social Media Used in Law Enforcement,” 52% of the law enforcement agencies surveyed lacked procedures governing social media use. Further, Government Technology research found there is little training when it comes to social media usage by law enforcement departments.

Policies and guidelines for law enforcement using social media seem critical. As Police Chief Magazine reported in 2013, “Written policies will ensure that agency executives know what their employees are doing and why they are doing it, as well as protect citizens’ privacy and civil rights and liberties…Many agencies already have policies to protect civil rights and civil liberties. Agencies should include references to agency privacy protections when drafting social media policies to collect intelligence and investigate crimes.”

In Minnesota, where police used Instagram photos to make indictments in a weapons-for-sale scheme, ACLU executive director Chuck Samuelson noted: “The law has not caught up with social media and other technology used to share and gather personal information and even law-abiding citizens should be aware that their personal information is being collected by all sorts of organizations and can be used against them.”

It would seem, as in many aspects of our digital lives, that vigilance and ongoing work are needed to keep pace with technology innovation, in order to protect us all – our rights, our privacy and our security.

(Note to Hollywood: There’s plenty of material here to create a new series, CSI InstaPolice.)

CVE-2015-4538

The XML parser in EMC Atmos before 2.2.3.426 and 2.3.x before 2.3.1.0 allows remote authenticated users to read arbitrary files or cause a denial of service (CPU and memory consumption) via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
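The advisory names two outcomes of one parser feature: file disclosure through an external entity, and CPU and memory exhaustion through entity expansion. The following is an added example, not EMC's fix or code from the advisory. It shows a generic pre-parse guard that refuses any document declaring an entity. The function names and sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """The document declares or references an entity."""


def reject_entities(data: bytes) -> None:
    """Scan with expat and raise before any entity can be expanded."""
    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # system_id is set for external entities (file read / SSRF class);
        # internal entities are the ones used for expansion-based DoS.
        kind = "external" if system_id is not None else "internal"
        raise ForbiddenXML(f"{kind} entity declaration '{name}'")

    def on_external_ref(context, base, system_id, public_id):
        raise ForbiddenXML(f"external entity reference to '{system_id}'")

    parser = expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)


def safe_parse(data: bytes) -> ET.Element:
    reject_entities(data)        # first pass: policy check only
    return ET.fromstring(data)   # second pass: build the tree


def verdict(data: bytes) -> str:
    try:
        return "accepted: <%s>" % safe_parse(data).tag
    except ForbiddenXML as exc:
        return f"rejected: {exc}"


# Constructed sample documents (the system identifier is a placeholder).
EXTERNAL = b'<!DOCTYPE r [<!ENTITY x SYSTEM "file:///placeholder">]><r>&x;</r>'
INTERNAL = b'<!DOCTYPE r [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;">]><r>&b;</r>'
PLAIN = b"<r><item>ok</item></r>"

if __name__ == "__main__":
    for doc in (EXTERNAL, INTERNAL, PLAIN):
        print(verdict(doc))
```
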

CVE-2015-4544

EMC Documentum Content Server before 7.1P20 and 7.2.x before 7.2P04 does not properly verify authorization for dm_job object access, which allows remote authenticated users to obtain superuser privileges via crafted object operations. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4626.

CVE-2015-6259

The JavaServer Pages (JSP) component in Cisco Integrated Management Controller (IMC) Supervisor before 1.0.0.1 and UCS Director (formerly Cloupia Unified Infrastructure Controller) before 5.2.0.1 allows remote attackers to write to arbitrary files via crafted HTTP requests, aka Bug IDs CSCus36435 and CSCus62625.

A London NHS clinic leaks 780 patients’ details.

The 56 Dean Street clinic in London accidentally released the names and email addresses of 780 patients who have attended HIV clinics.

In a statement released on their website, a spokesperson for Chelsea and Westminster Hospital NHS Foundation Trust stated:

“We can confirm that due to an administrative error, a newsletter about services at 56 Dean Street was sent to an email group rather than individual recipients.

“We have immediately contacted all the email recipients to inform them of the error and apologise. Any concerned patients can call 020 3315 9555 and 020 3315 9594.”

In an interview with the BBC, Dr. Alan McOwan said, “Not everybody on the list is HIV positive.”

This data breach comes on the heels of a similar incident that occurred earlier last month at UK-based holiday company Thomson. The 56 Dean Street clinic data breach, while unfortunate, again underscores the importance of having appropriate data security policies and procedures in place, as well as the need for employee training on the handling and protection of sensitive data.

The cost of a data breach can affect more than your bottom line; it can affect lives too. So if you’re in doubt about the security of your own IT infrastructure, download AVG’s Small Business IT Security Guide or take the AVG Small Business IT Security Health Check now to find out what you can do to help prevent security and data breaches.

If you need comprehensive protection against online threats for your business PCs, network and email, take a look at AVG Internet Security Business Edition.

Windows Registry Only Persistence

This Metasploit module will install a payload that is executed during boot. It will be executed either at user logon or system startup via the registry value in “CurrentVersion\Run” (depending on privilege and selected method). The payload will be installed completely in the registry.
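For defenders, the description above suggests a hunting heuristic, shown here as an added example that is not part of the module or of Metasploit. If nothing is written to disk, the value under “CurrentVersion\Run” has to start a program already on the system and point it back at the registry. That inference, the interpreter list, the length threshold and the sample `reg query` output are assumptions constructed for illustration.

```python
import re

# One value line of `reg query` output: 4 spaces, name, type, data.
RUN_VALUE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
# Assumed list of built-in programs that can run script content.
INTERPRETERS = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?\b", re.I)
# Tokens indicating the command line reads from the registry.
REGISTRY_READ = re.compile(
    r"(HK(CU|LM):|HKEY_(CURRENT_USER|LOCAL_MACHINE)|Get-ItemProperty|\breg(\.exe)?\s+query)",
    re.I)


def parse_reg_query(text):
    """Return (key, value_name, data) tuples from `reg query` text output."""
    key, entries = None, []
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        else:
            m = RUN_VALUE.match(line)
            if m and key:
                entries.append((key, m["name"], m["data"]))
    return entries


def suspicious_run_values(text, max_len=260):
    """Flag Run values that launch an interpreter pointed at the registry."""
    findings = []
    for key, name, data in parse_reg_query(text):
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        reasons = []
        if INTERPRETERS.search(data) and REGISTRY_READ.search(data):
            reasons.append("interpreter reads from registry")
        if len(data) > max_len:
            reasons.append("unusually long command line")
        if reasons:
            findings.append((key, name, reasons))
    return findings


# Constructed sample; the flagged entry is a non-functional placeholder.
SAMPLE = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    powershell.exe -w hidden -c "<loads value 'data' from HKCU:\Software\ExampleVendor>"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
'''
```

Matches are leads for review rather than verdicts, since legitimate software occasionally starts through a script host as well.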