USN-2919-1: JasPer vulnerabilities

Ubuntu Security Notice USN-2919-1

3rd March, 2016

jasper vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in JasPer.

Software description

  • jasper
    – Library for manipulating JPEG-2000 files

Details

Jacob Baines discovered that JasPer incorrectly handled ICC color profiles
in JPEG-2000 image files. If a user were tricked into opening a specially
crafted JPEG-2000 image file, a remote attacker could cause JasPer to
crash or possibly execute arbitrary code with user privileges.
(CVE-2016-1577)

Tyler Hicks discovered that JasPer incorrectly handled memory when
processing JPEG-2000 image files. If a user were tricked into opening a
specially crafted JPEG-2000 image file, a remote attacker could cause
JasPer to consume memory, resulting in a denial of service.
(CVE-2016-2116)

Update instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 15.10:
  libjasper1    1.900.1-debian1-2.4ubuntu0.15.10.1

Ubuntu 14.04 LTS:
  libjasper1    1.900.1-14ubuntu3.3

Ubuntu 12.04 LTS:
  libjasper1    1.900.1-13ubuntu0.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.
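As an added example, not part of the advisory or of Ubuntu's own tooling, the following POSIX shell script compares an installed libjasper1 version against the fixed versions listed above, so an administrator can confirm on a host whether USN-2919-1 is already applied. Function names and the script name are assumptions of mine; the live host check assumes dpkg-query and /etc/os-release are present, and the comparison uses dpkg's own version comparator when available, falling back to GNU sort -V otherwise.

```shell
#!/bin/sh
# Added example (not from the advisory): is the installed libjasper1 at or
# above the version USN-2919-1 names for this Ubuntu release?

# Fixed versions, copied from the advisory's update table.
fixed_version_for() {
    case "$1" in
        15.10) echo "1.900.1-debian1-2.4ubuntu0.15.10.1" ;;
        14.04) echo "1.900.1-14ubuntu3.3" ;;
        12.04) echo "1.900.1-13ubuntu0.3" ;;
        *)     return 1 ;;
    esac
}

# version_lt A B: succeed when Debian version A sorts strictly before B.
# dpkg's comparator is authoritative; the fallback (assumed GNU sort -V)
# orders the strings in this table the same way.
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# is_fixed RELEASE INSTALLED: 0 if INSTALLED carries the fix, 1 if it is
# older than the fixed version, 2 if the release is not covered by the USN.
is_fixed() {
    fixed=$(fixed_version_for "$1") || return 2
    if version_lt "$2" "$fixed"; then
        return 1
    fi
    return 0
}

# Live check on the current host: release from /etc/os-release, installed
# version from dpkg-query, then a one-line verdict.
check_host() {
    release=$(. /etc/os-release 2>/dev/null && printf '%s' "$VERSION_ID") \
        || release=unknown
    installed=$(dpkg-query -W -f='${Version}' libjasper1 2>/dev/null) || {
        echo "libjasper1 is not installed; nothing to do"
        return 0
    }
    status=0
    is_fixed "$release" "$installed" || status=$?
    case $status in
        0) echo "libjasper1 $installed on Ubuntu $release: patched for USN-2919-1" ;;
        1) echo "libjasper1 $installed on Ubuntu $release is older than" \
                "$(fixed_version_for "$release"); apply the update" ;;
        *) echo "Ubuntu $release is not covered by USN-2919-1; check a newer notice" ;;
    esac
}

# Run the live check only when executed as a script under the assumed name,
# so the functions can also be sourced and used individually.
if [ "${0##*/}" = "check_usn_2919.sh" ]; then
    check_host
fi
```

Saved as check_usn_2919.sh and run on a 14.04 host, it prints either the "patched" line or the "apply the update" line; sourced into another script, is_fixed can be called directly with a release and a version string.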

References

  • CVE-2016-1577
  • CVE-2016-2116

Subgraph OS — Secure Linux Operating System for Non-Technical Users

Information security and privacy have been consistently hot topics since Edward Snowden's revelations of the NSA's global surveillance brought the world's attention to data protection and encryption as never before.

Moreover, just days after Windows 10's successful launch last summer, we saw various default settings in Microsoft's newest OS that compromise users' privacy, making a large

10 things we learnt from viruses of the past

A very special museum has just opened its doors, albeit virtual ones. The gallery is online and its works aren’t paintings, nor sculptures, nor antiques: they are pieces of malware that during the 80s and 90s attacked the now defunct operating system MS-DOS (remember that?!).

The collection is hosted on the pages of the Internet Archive, the largest online library, and allows us to travel back in time to an era in which viruses were a new thing. As always, looking back on the past can help us learn in the present, even when it comes to IT security, as it helps us to see errors, solutions, and even tricks that we can apply to our present work.

Before stepping foot back in time, let’s reassure ourselves – the malware in this museum has been disabled by experts and can’t cause any harm now! Enjoy the journey without any fears over adverse effects.

So, here are things that we have learnt from the Malware Museum:

Viruses have existed for a long time…

It seems obvious, but younger people often forget how long different technologies, and their associated risks and threats, have been around. Malware has been infecting personal computers for the past 30 years, ever since the pioneering Brain for MS-DOS was developed by two Pakistani brothers. Of course, back then the objective of the malware was quite different.

… but shady business is a lot more recent.

Cybercrime mafias who today reap the benefits of data theft and computer kidnapping didn’t exist back then. The creators of viruses were introverted types who did it as a hobby or for fun, without the aim of a financial gain.

Malware wasn’t always so bad…

This is because money wasn’t at stake. By not looking for a profit with their creations, but rather personal satisfaction or infamy, the viruses were a lot less damaging for their victims. This, of course, doesn’t mean that they weren’t an annoyance all the same!

… but they were still pretty destructive

In fact, a lot of the malicious programs from the 80s and 90s that we can see in the Malware Museum left the infected computer unusable. They deleted the hard drive, placed a screen that was impossible to exit from, made working a nightmare… every annoyance possible. They may have had more innocent intentions, but they were still malware all the same.

It was easier to know if you were infected

Now the main objective for attackers is to go unnoticed by the victim; cyber-attackers count it a success if you don't realize that there is malware on your computer. In the past, however, the goal was to be as obvious as possible. Alarming sounds, bright colors, crazy animations… if you were a victim, it was impossible not to know about it. Nowadays it's a totally different story.

Hackers were very creative…

In the effort to be noticed, many malware developers went full-on arty with their creations. In fact, many of the viruses that we can find in the museum could easily be used as screensavers.

… they also had a sense of humor

Overall, it seemed to be a game for them, and sometimes it literally was. One of the most unusual programs turned the victims’ computers into casinos. The victim had five chances to recover the information on the hard drive by playing a slot machine – if luck wasn’t on your side, you had a visit to a service technician waiting for you.

Viruses were a form of activism

Some malware developers used their works to defend causes in what we could consider a form of “hacktivism”. In this museum we can see, among other things, calls for a more equal world (praiseworthy, were it not a virus) or for the legalization of marijuana. There are even examples of fervent patriotism.

Famous films were a goldmine

If there is one thing which hasn’t changed over the years it has to be the old trick of taking advantage of big events (such as the release of a famous film) to make a larger number of victims download malware without knowing it. Recently, cybercriminals have used the release of Star Wars: The Force Awakens, but in the past there was already a virus that referenced the famous intergalactic saga. In the museum we can also find a malicious program that paid homage to The Lord of the Rings.

The most important lesson: an antivirus has always been necessary

And it always will be. While there are viruses, users can only be safe if a good antivirus is there to protect them. Paradoxically, one of the malware samples that we can see in the Internet Archive collection reminds us of this. So, there you have it – nearly all of the lessons that we must apply to the present have come from the past; you just need to know how to look for them.

The post 10 things we learnt from viruses of the past appeared first on MediaCenter Panda Security.

Hacking Magento eCommerce For Fun And 17.000 USD

Posted by Egidio Romano on Mar 03

Hello list,

Tonight I’d like to share with you my latest blog post. Seeing my personal experience with the
Magento bug bounty program (and even experiences from other security researchers), it looks like
they truly believe in a “security through obscurity” methodology. I’m quite disappointed by the
fact they tried to downplay the severity of my vulnerabilities, silently patching them after
several months, without letting me…

Why Can’t Apple Just Give the FBI What it Wants?

Recently the FBI obtained a court order that compels Apple to create and install a backdoor into its iPhone software to intentionally disable certain security measures. Although benign on the surface, this raises serious and pressing questions about the relationship between the government and technology companies, public safety, and user security. These concerns are so pressing that the tech industry, device manufacturers, and civil rights groups have nearly unanimously registered their opposition to the FBI’s actions to force Apple to weaken and alter its software for the FBI’s criminal investigation.

Given the importance of this issue and the high stakes, we, like others, have articulated our opposition in publications and through media channels. Today, we took the extraordinary step of filing an amicus brief, prepared by Andrew Bridges and Tyler Newby, leading tech attorneys at the firm of Fenwick & West. The brief is intended to further educate the court on the adverse consequences of the order and the proper application of the relevant laws to the facts in this specific case.

At issue is how much authority we, as citizens, are truly willing to cede to the government in the name of national security and public safety. We think this order goes too far. Strong technical security fosters strong public safety. In a world where everyone’s digital footprint is a potential point of physical vulnerability, strong public safety in fact isn’t even possible without strong technical security.

This case won’t change that, regardless of who wins. A secure product, digital network, and device ecosystem improves safety by making it harder for criminals and those with malicious intent to compromise users’ security and privacy. We understand this may make it harder for law enforcement at times, but we made that decision when we signed the Bill of Rights 225 years ago this December.

The Vice Chairman of the United States Joint Chiefs of Staff Admiral James A. Winnefeld, agrees, having recently remarked, “I think we would all win if our networks are more secure. And I think I would rather live on the side of secure networks and a harder problem … on the intelligence side than very vulnerable networks and an easy problem [for our intelligence agencies].” The benefits of strong security outweigh the costs.

This debate is not new; it has been going on with the tech industry since at least the 70s, in various forms. The tech industry has also largely cooperated with law enforcement in the past, as did Apple in this case. But to cooperate here asks too much. To do so would be to take an action most companies would never willingly take—one that is antithetical to their very business.

Regardless of what happens in this case, we foresee that the tech industry response will be to adopt even more rigorous security measures, including ones they themselves cannot even exploit, balanced only by the business need to provide users data-based services. We are committed to continuing these vital conversations with fellow tech companies, legal experts, consumer advocates, and anyone else affected by this issue, one whose importance we cannot overstate and whose ramifications we likely cannot even yet conceive.

By Harvey Anderson, Chief Legal Officer and Justin Olsson, Product Counsel