Monthly Archives: September 2015
Keeping tabs on your employees in a multi-device environment
The traditional desktop computer is no longer the only device we use to get work done. For the past few years workers have increasingly begun to use their own smartphones and tablets for work. According to a study carried out by Tech Pro Research, 74% of businesses allow, or are planning to allow, their employees to bring their own devices to the office.
Despite the benefits to companies, such as being able to communicate more easily with employees when they aren’t at their workstation, security remains a priority, and with the culture of BYOD (Bring Your Own Device) it’s important to keep on top of it.
The variety of devices used in the workplace, and the resulting loss of control held by the business, means that cybercriminals are able to take advantage of the many vulnerabilities in mobile devices to access the company’s network.
The National Cybersecurity Institute of Spain, the INCIBE, has advised businesses of the dangers they face when adopting a BYOD culture and has therefore suggested some measures to avoid such threats.
So, instead of asking your employees to remove their work email from their mobile devices, the best thing you can do is follow the tips given by the INCIBE which will better protect your employees’ devices and guarantee the confidentiality of your company’s information.
- Assign someone to be in charge of managing the devices
You need to give the responsibility to a member of the IT department to make it easier to control. If your company is small, you can contract an external service or one in the cloud.
- Give support to all platforms possible
The IT department of the business has to guarantee technical support for all devices used by employees so that they can work in a safe and effective manner.
- Educate about security
The first people who need to be aware of the vulnerabilities of their devices are the workers. Therefore, INCIBE recommends training them so that they know not to visit certain websites and that they are conscious of the risks involved with installing applications.
- Keep on top of updates and avoid location tracking
Updating all of the applications and operating systems on the devices is a basic necessity – old versions of Android are exposed to a whole host of vulnerabilities. Deactivating the GPS is another tip that you should pass on to your employees, so as to avoid someone being able to locate them.
- Keep your information secure
If an employee accesses relevant documents from their mobile device, it’s possible to add an extra password or encrypt the device so as to stop cybercriminals from getting their hands on the information.
- Control access to highly confidential information
Give out ID cards (PIVs) and restrict access to confidential information to only those who need it for their daily work.
- BYOD isn’t suitable for all businesses
In some networks, such as industrial control systems, it isn’t advisable for employees to use their own devices.
- Be careful with external devices
Our mobiles leave traces, and tools such as Find My iPhone or Android’s device administrator options help us to find them easily. We can also use these tools to control which devices are accessing our network and stop our information from being spied on by outside parties.
The post Keeping tabs on your employees in a multi-device environment appeared first on MediaCenter Panda Security.
Virtual skyscraper Cyphinx hopes to find cyber talent
A 3D skyscraper has been developed to help the Cyber Security Challenge find the next generation of cyber talent.
The post Virtual skyscraper Cyphinx hopes to find cyber talent appeared first on We Live Security.
[Infra] dev.centos.org redirection
The CentOS Infra team would like you to know that the old node hosting the dev.centos.org vhost has been replaced. As all actual testing artifacts (RPM packages, iso images, cloud images, arm images, etc) are now pushed to buildlogs.centos.org, we've decided to just redirect dev.centos.org to buildlogs nodes.
Should you encounter an issue, feel free to either report it on https://bugs.centos.org, or in #centos-devel on irc.freenode.net.
on behalf of the Infra team,
--
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
Arbitrary Code Execution in extension "MK Forms" (mkforms)
Release Date: September 30, 2015
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: version 1.0.23 and below
Vulnerability Type: Arbitrary Code Execution
Severity: High
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:O/RC:C
CVE: not assigned yet
Problem Description: The extension fails to delete uploaded files that are rejected as invalid; anyone who knows the upload folder can then request and execute them.
Solution: An updated version 1.0.24 is available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/mkforms/1.0.24/t3x/. Users of the extension are advised to update the extension as soon as possible.
Credits: Credits go to Hannes Bochmann who discovered and reported the issue.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
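As an added illustration of the flaw class in this bulletin (this is not mkforms code; the folder paths, the allow-list and the function names are assumptions), the first handler shows the pattern where a rejected upload is left behind in a web-reachable folder, while the second deletes the file on every failure path and stores accepted files outside the web root under a random, non-executable name:

```php
<?php
// Added example, not taken from the mkforms extension. Paths and the
// extension allow-list are assumptions for illustration.

const PRIVATE_UPLOAD_DIR = __DIR__ . '/private_uploads'; // assumed: outside the web root
const ALLOWED_EXT = ['pdf', 'png', 'jpg'];
const ALLOWED_MIME = ['application/pdf', 'image/png', 'image/jpeg'];

// Vulnerable pattern: the file is moved into a web-reachable folder first
// and validated afterwards; on rejection it is left behind, so a request
// for <publicDir>/<name> can execute it if the server runs e.g. .php files.
function handleUploadVulnerable(array $file, string $publicDir): ?string
{
    $target = $publicDir . '/' . basename($file['name']);
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null; // rejected, but $target stays on disk: the bug class above
    }
    return $target;
}

// Hardened pattern: validate name and content before anything reaches the
// destination, remove the file on every failure, and store it under a
// random name outside the web root without execute permission.
function handleUploadHardened(array $file): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($ext, ALLOWED_EXT, true) || !in_array($mime, ALLOWED_MIME, true)) {
        @unlink($file['tmp_name']); // drop the rejected file immediately
        return null;
    }
    $target = PRIVATE_UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        @unlink($file['tmp_name']);
        return null;
    }
    chmod($target, 0640); // readable by the application only, never executable
    return $target;
}
```

Serving accepted files through a script that checks the TYPO3 session, rather than by direct URL, keeps the upload location out of reach even if a name is guessed.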
SQL Injection in extension "http:BL Blocking" (mh_httpbl)
Release Date: September 30, 2015
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: version 1.1.7 and below
Vulnerability Type: SQL Injection
Severity: High
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:C/A:N/E:F/RL:U/RC:C
Problem Description: Failing to properly sanitize user-supplied input, the extension is vulnerable to SQL Injection. A valid backend login with permission to access the backend module is required to exploit this vulnerability.
Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author failed to provide a security fix for the reported vulnerability in a reasonable amount of time. Please uninstall and delete the extension from your installation.
Credits: Credits go to Wouter van Dongen who discovered and reported the issue.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
Cross-Site Request Forgery in extension "Typo3 Quixplorer" (t3quixplorer)
Release Date: September 30, 2015
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: version 1.7.2 and below
Vulnerability Type: Cross-Site Request Forgery
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:U/RC:C
Problem Description: The extension fails to provide CSRF protection.
Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author failed to provide a security fix for the reported vulnerability in a reasonable amount of time. Please uninstall and delete the extension from your installation.
Note: In general the TYPO3 Security Team recommends not using any extensions that bundle database or file management tools on production TYPO3 websites.
Credits: Credits go to Wouter van Dongen who discovered and reported the issue.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
File Disclosure in extension "Zend Framework Integration" (zend_framework)
Release Date: September 30, 2015
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: version 1.7.6 and below
Vulnerability Type: File Disclosure
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:O/RC:C
Problem Description: The extension includes a Zend Framework component which fails to sanitize user input properly. Further information can be found in the Security Advisory ZF2012-01.
Solution: An updated version 2.0.1 is available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/zend_framework/2.0.1/t3x/. Users of the extension are advised to update the extension as soon as possible.
Credits: Credits go to security team member Helmut Hummel who discovered and reported the issue.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
Information Disclosure in extension "Adminer" (t3adminer)
Release Date: September 30, 2015
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: version 7.0.1 and below
Vulnerability Type: Information Disclosure
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:O/RC:C
Problem Description: The extension fails to ensure TYPO3 user authentication and will output the user name of the PHP process. In certain server setups, where the user of the PHP process can also access the database without a password, it is possible to perform database operations with the permissions of this user. The extension t3adminer only needs to be present in the TYPO3 installation, not activated, for this vulnerability to be exploitable.
Solution: Updated versions 1.4.1 and 7.0.2 are available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/t3adminer/1.4.1/t3x/ and http://typo3.org/extensions/repository/download/t3adminer/7.0.2/t3x/. Users of the extension are advised to update the extension as soon as possible.
Note: In general the TYPO3 Security Team recommends not using any extensions that bundle database or file management tools on production TYPO3 websites.
Credits: Credits go to Harald Amelung who discovered and reported the issue.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
Cross-Site Scripting in extension "News system" (news)
Release Date: September 30, 2015
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: version 3.2.1 and below
Vulnerability Type: Cross-Site Scripting
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:O/RC:C
CVE: not assigned yet
Problem Description: The extension fails to properly encode user input in the paginate widget. This is only exploitable when extension cooluri is used or if realurl is used and the configuration option doNotRawUrlEncodeParameterNames is enabled.
Solution: An updated version 3.2.2 is available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/news/3.2.2/t3x/. Users of the extension are advised to update the extension as soon as possible.
Credits: Credits go to Marc Willmann who reported the issue.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.