#XMASPANDA contest winners!

Christmas contest

We finally can communicate our #XMASPANDA contest winners.

If you are one of our Twitter winners, send us a Direct Message. If you are one of our Facebook winners, you can send us a Private Message instead.

We need the following details:

  1. Name
  2. Address
  3. Mobile Phone
  4. Email Address

Panda Mobile Security License

  • Ramon Jarque Anton
  • Diana de Felipe Tenorio
  • Adrian Aguilera Quesada
  • Robert Mcdonald
  • Liz Schneider
  • Carol Foxx
  • Rob Diggle
  • Aleksey Apasov
  • Tomas Domingo Catalan
  • Francisco Dominguez Moreno
  • @javiermargarit
  • @nabil_freedom
  • @markes5d
  • @glenhilts
  • @p_sandhal
  • @_utdfan
  • @mnvikes40
  • @cathleen_ming
  • @avenue25
  • @hilbournetony

Panda Security Cup

  • Jesús Montes
  • Oscar Luis Maiso Pavia
  • David Escobar
  • Gayle L Johnson
  • Paulo Bispo
  • Iñaky Aion
  • Conceiçäo Carvalho
  • Victor Jiménez Rodríguez
  • Jamie RollerGirl Garland
  • Lisa Middleton
  • Joey Harden
  • @mariasedeo1
  • @travellermind1
  • @tannis91
  • @novairt
  • @ilorcisoft
  • @fabin_ferreira
  • @fer_cantillo
  • @iwantyourstuff
  • @dlrcorn

Panda Security Headphones

  • Ele Velasco Sastre
  • Carlos Martinez Rivero
  • Tina Loucks
  • Christine Gordon
  • Brad Belden
  • @carlosdefuentes
  • @elgrangeniofamy
  • @ybarralde
  • @aprilhaddock
  • @gasteiztarrabat

Thanks for taking part in our Christmas contest! :)

The post #XMASPANDA contest winners! appeared first on MediaCenter Panda Security.

SEC Consult SA-20150113-2 :: Cross-Site Request Forgery in XBMC / Kodi

Posted by SEC Consult Vulnerability Lab on Jan 13

SEC Consult Vulnerability Lab Security Advisory < 20150113-2 >
=======================================================================
title: Cross-Site Request Forgery
product: Kodi/XBMC
vulnerable version: XBMC/Kodi <=14
fixed version: no fixed version available
impact: medium
homepage: http://kodi.tv/
found: 2014-10-29
by: W. Ettlinger…

SEC Consult SA-20150113-1 :: Privilege Escalation & XSS & Missing Authentication in Ansible Tower

Posted by SEC Consult Vulnerability Lab on Jan 13

SEC Consult Vulnerability Lab Security Advisory < 20150113-1 >
=======================================================================
title: Privilege Escalation & XSS & Missing Authentication
product: Ansible Tower
vulnerable version: <=2.0.2
fixed version: >=2.0.5
impact: high
homepage: http://www.ansible.com/tower
found: 2014-10-15
by:…

The web gets ready for voice recognition

News broke earlier in January that Facebook has acquired Wit.ai, an 18-month-old startup that specializes in voice recognition technology. At first, this might seem like a strange move, but upon closer inspection the rationale is clear.

Millions of users are turning to mobile as their preferred platform, where typing long messages and interacting with friends is far more challenging than on a PC keyboard.

It’s clear that companies like Facebook face a challenge to make mobile interaction easier and more engaging.

Using Wit.ai’s expertise, Facebook can build a mobile-first platform; a voice-activated interface and text-to-speech messaging are some obvious first steps.

The Facebook acquisition highlights the excitement and potential behind voice recognition technology. We are potentially witnessing a fundamental shift in the way we interact with our technology forever.

As we start integrating voice activated functionality into new smart devices and services we use on a daily basis, my primary concern isn’t one of convenience but of security.

As I wrote in this blog in September 2014, there is much work to be done in securing our digital devices from voice commands.

Most voice recognition technologies scan commands for meaning and then execute them. I believe there is a need for an additional step, one of authentication.

Does the person issuing the command have the authority to do so? When I ask the device to execute a command, does it validate that it is really me and not someone else?

As I demonstrate in the video below, it is quite simple to have a device act upon a voice command issued by a synthetic voice or by a third party that has access to the device, even remotely:

[Video: Voice hacking a device]

As Facebook and other leading companies add more voice activation technologies to their roadmaps, it’s important to realize that we are also increasing the number of services and devices that are potentially vulnerable to voice attacks. So, considering this, let’s build it with safety in mind.

CVE-2014-100001 (seo_plugin_liveoptim)

Cross-site request forgery (CSRF) vulnerability in the SEO Plugin LiveOptim plugin before 1.1.4-free for WordPress allows remote attackers to hijack the authentication of administrators for requests that change plugin settings via unspecified vectors. NOTE: some of these details are obtained from third party information.

Software and Security Information