Tag Archives: Security

Making technology simpler: Thanks to my mother

Some days ago we wrote about scams targeting senior citizens. This group is at risk because, generally speaking, they have less computer education than younger people who have grown up in the digital world. I recommended the article to my mother, thinking she would benefit from it. She thanked me, but said that there were “some things” she did not understand.


Friends and family can help senior citizens enjoy a safe online experience

In the Avast blog we do our best to write in simple terms. However, we know much more about security and, quite frequently, explain things in technical language. So, I’ve taken some time to write what will be useful for your mother (and mine). What about recommending that she read this?

Computer and mobile security essentials for senior citizens

  • Ask for help from someone you trust. Don’t be ashamed to ask for help. Remember there are a lot of people who love to help and share knowledge. Start with your family and friends. If you and your friend both have Avast installed, it’s possible for them to remotely access your computer. If they don’t have spare time or knowledge, then try the Avast Community Forum. With sections in several languages, you’ll find friendly people who can guide you with security technology. Find us there!
  • Install and keep your security software updated. Avast makes everything simple for you. All the “difficult tasks” have been automated: Protection against viruses and malware, blocking spam, preventing fraud and hacker intrusions, automatic updates of your software.
  • Scan and protect your network. That “complex” device with blinking lights that gets you on the internet is called a “router”. Did you know that it could be the weakest part of your network? Avast can scan your home network and make sure it’s secure. Our next Avast version will give you much more control of an online pain: Passwords. Keep them updated and strong!
  • On your Android mobile devices, use an easy and comprehensive security app. Avast apps bring a lot of protective features that give peace of mind, like analyzing malicious apps (maybe the ones with intrusive ads, right?). With our family of apps, you can clean temporary files, keep your battery in good shape, and stay safe when using free Wi-Fi connections. Also, to stay safe, use only known app stores like Google Play and Amazon.
  • Common sense! Do not open unsolicited emails, ever! Don’t trust strange messages promising a better computer, prizes, or special offers. Keep your attention always on: Do not install unknown software, and do not accept extra offers during installation of trusted programs. If you have any suspicions, ask others or ask in the Avast Community Forum.

What do you think? Did I write enough for your mother to understand? If so, I accomplished my goal.

Special thanks to my mother (for the inspiration and love). And a special thanks to the guys who share all their time and effort to make the internet a better place and for teaching me to write with such pleasure: The volunteers on the Avast Community Forum.



Important security notice regarding signing key and distribution of Red Hat Ceph Storage on Ubuntu and CentOS

Last week, Red Hat investigated an intrusion on the sites of both the Ceph community project (ceph.com) and Inktank (download.inktank.com), which were hosted on a computer system outside of Red Hat infrastructure.

download.inktank.com provided releases of the Red Hat Ceph product for Ubuntu and CentOS operating systems. Those product versions were signed with an Inktank signing key (id 5438C7019DCEEEAD). ceph.com provided the upstream packages for the Ceph community versions signed with a Ceph signing key (id 7EBFDD5D17ED316D). While the investigation into the intrusion is ongoing, our initial focus was on the integrity of the software and distribution channel for both sites.

To date, our investigation has not discovered any compromised code available for download on these sites. We cannot fully rule out the possibility that some compromised code was available for download at some point in the past.

For download.inktank.com, all builds were verified as matching known good builds from a clean system. However, we can no longer trust the integrity of the Inktank signing key, and therefore have re-signed these versions of the Red Hat Ceph Storage products with the standard Red Hat release key. Customers of Red Hat Ceph Storage products should only use versions signed by the Red Hat release key.

For ceph.com, the Ceph community has created a new signing key (id E84AC2C0460F3994) for verifying their downloads.  See ceph.com for more details.

Customer data was not stored on the compromised system. The system did have usernames and hashes of the fixed passwords we supplied to customers to authenticate downloads.

To reiterate, based on our investigation to date, the customers of the CentOS and Ubuntu versions of Red Hat Ceph Storage should take action as a precautionary measure to download the rebuilt and newly-signed product versions. We have identified and notified those customers directly.

Customers using Red Hat Ceph Storage products for Red Hat Enterprise Linux are not affected by this issue. Other Red Hat products are also not affected.

Customers who have any questions or need help moving to the new builds should contact Red Hat support or their Technical Account Manager.
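As an added example (not part of the Red Hat notice), the script below checks a key listing for the three key ids named above, so an administrator can see whether a host still trusts the retired Inktank or old Ceph key and whether the new Ceph key is present. The function name, the output labels and the sample listing are assumptions made for illustration.

```shell
#!/bin/sh
# Key ids as given in the notice above.
INKTANK_OLD=5438C7019DCEEEAD   # Inktank key, no longer trusted
CEPH_OLD=7EBFDD5D17ED316D      # previous ceph.com key, replaced
CEPH_NEW=E84AC2C0460F3994      # new ceph.com key

# Read a key listing on stdin; print one line per known key it contains.
# Understands two formats:
#   gpg --with-colons output: "pub" records carry the 16-digit key id in field 5
#   rpm -q gpg-pubkey output: gpg-pubkey-<last 8 hex digits of key id>-<date>
# An rpm hit matches only the short id, so confirm it with `rpm -qi <package>`.
audit_ceph_keys() {
    awk -F: -v ink="$INKTANK_OLD" -v old="$CEPH_OLD" -v new="$CEPH_NEW" '
        function hit(id, k) { return id == k || id == substr(k, 9) }
        function report(id) {
            id = toupper(id)
            if (hit(id, ink)) print "RETIRED inktank " ink
            if (hit(id, old)) print "RETIRED ceph " old
            if (hit(id, new)) print "CURRENT ceph " new
        }
        $1 == "pub"                       { report($5); next }
        /^gpg-pubkey-[0-9a-f]+-[0-9a-f]+/ { split($0, p, "-"); report(p[3]) }
    ' | sort -u
}

# Constructed sample: two apt-style records and one rpm-style package name.
# The timestamps and the rpm date suffix are made up.
SAMPLE='pub:-:4096:1:7EBFDD5D17ED316D:1400000000:::-:::scESC:
pub:-:4096:1:E84AC2C0460F3994:1400000000:::-:::scESC:
gpg-pubkey-9dceeead-00000000'

printf '%s\n' "$SAMPLE" | audit_ceph_keys

# On a real host (default locations, adjust as needed):
#   gpg --no-default-keyring --keyring /etc/apt/trusted.gpg \
#       --list-keys --with-colons | audit_ceph_keys
#   rpm -q gpg-pubkey | audit_ceph_keys
```

Any `RETIRED` line means the host would still accept packages signed with a key the notice says should no longer be trusted.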

WordPress 4.3.1 Security and Maintenance Release

WordPress 4.3.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

This release addresses three issues, including two cross-site scripting vulnerabilities and a potential privilege escalation.

  • WordPress versions 4.3 and earlier are vulnerable to a cross-site scripting vulnerability when processing shortcode tags (CVE-2015-5714). Reported by Shahar Tal and Netanel Rubin of Check Point.
  • A separate cross-site scripting vulnerability was found in the user list table. Reported by Ben Bidner of the WordPress security team.
  • Finally, in certain cases, users without proper permissions could publish private posts and make them sticky (CVE-2015-5715). Reported by Shahar Tal and Netanel Rubin of Check Point.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.3.1 also fixes twenty-six bugs. For more information, see the release notes or consult the list of changes.

Download WordPress 4.3.1 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.3.1.

Thanks to everyone who contributed to 4.3.1:

Adam Silverstein, Andrea Fercia, Andrew Ozz, Boone Gorges, Brandon Kraft, chriscct7, Daisuke Takahashi, Dion Hulse, Dominik Schilling, Drew Jaynes, dustinbolton, Gary Pendergast, hauvong, James Huff, Jeremy Felt, jobst, Marin Atanasov, Nick Halsey, nikeo, Nikolay Bachiyski, Pascal Birchler, Paul Ryan, Peter Wilson, Robert Chapin, Samuel Wood, Scott Taylor, Sergey Biryukov, tmatsuur, Tracy Levesque, Umesh Nevase, vortfu, welcher, Weston Ruter

Why Every Company Should Have a One-Page Privacy Policy

Most companies know you won’t read their 45-page privacy policy before downloading their app. I suspect they also know that their privacy policy needs to change. The problem is, when you gloss over a privacy policy, you could be giving software makers access to your personal information. Once you click the “I accept” button, your data could be theirs.

When my daughter was 10 years old, she asked to download a single-player, non-web connected game on her mobile device. Aimed at 8-12 year old children, the game required the user to accept an agreement that was illegible on a mobile phone. Looking more closely, I discovered that the app claimed the right to collect information including but not limited to my daughter’s name, profile, photos, telephone numbers, email address, contacts, GPS location, browser history and chat or messaging activity, without clearly explaining what the company did with that information or who it might share it with.

As you can imagine, I said “no” to downloading the game. However, that experience was my motivation to launch a campaign to simplify these privacy policies. At Mobile World Congress in March, I announced that AVG would produce a one-page privacy policy that is simple and transparent, and I challenged other companies to do the same. This week, out of our commitment to make the Internet safer for everyone, AVG has fulfilled this promise with our latest privacy policy.

What’s a one-page privacy policy?

AVG’s one-page privacy policy is an at-a-glance summary of which data our company will collect or won’t collect and an explanation of how and why the data may be shared. We believe our users have the right to understand how and where their information will be used.

AVG’s users are important to us, and we want to earn and keep their trust. A simple and transparent privacy policy helps strengthen this relationship with our customers. A recent study shows that almost half of respondents (49 percent) report that lack of trust prevented them from downloading apps or using them once installed. Over a third (34 percent) said lack of trust stopped them from buying any mobile apps and services. I believe that the more consumers are clearly told the full extent to which companies collect their personal information, the less likely they will be to download new apps or software.

We see the world around us beginning to change: devices now capture new kinds of sensitive information, including health data through wearables and biometric devices and information from smart-home devices. Users must understand what companies will do with their personal information before they hit the “I agree” button.  And, they should understand this clearly and at a glance, not having to read pages and pages of a privacy policy. Users have a right to control their own information, and companies have the obligation to be transparent about their company’s use of this information. Here at AVG, we’ve created a simple, one-page, graphical summary for our users of what we will and won’t do with data.  I continue to challenge other companies to do the same. Let us know what you think.

 


‘InstaPolicing’: Police departments are monitoring social media

The golden rule of social media is ‘think before you post.’ In the age of Instagram and living in the moment online, people sometimes forget how that one digital moment can now and forever be captured.

It happens to the best of us – and it is also happening to the worst of us, sometimes with real consequences.

In terms of the latter, social media has become a tool for law enforcement to fight crime almost since its inception. Now, Instagram photos have become a popular mechanism for helping police to track criminals who, you might say, are ‘selfie-incriminating’ themselves on social media.

The San Francisco Police Department, for example, has dedicated resources for monitoring Instagrams to track individuals of interest, and the program has yielded results.  Officer Eduard Ochoa, who has been SFPD’s “Instagram Officer” for a number of years, has monitored and tracked individuals who were on probation and observed them doing things in violation of their probation. In one case, a minor on probation posted photos of himself in possession of a firearm. The Instagram spottings allowed officers to perform a probation search, and in the course of the investigation firearms were found.

Recently, an appeals court ruled that those Instagram photos of the incident were admissible even though no one who was present when the photographs were taken testified. (You can read the court ruling here.) The individuals involved were also wearing the same clothes as they were in the Instagram photos when police arrived, which no doubt helped seal the deal.

The SF Police Officers Association’s newsletter singled out Ochoa and other officers for performing “an extremely intensive investigation using the most modern techniques provided by our new electronic age” to locate the suspect in a shooting.

“If the criminals are getting smarter and more tech savvy, so should the police department,” SFPD spokesman Officer Albie Esparza told a reporter for Marketwatch.

The Instagram officer is only one example of police using social media to fight criminals. Many departments across the country now use Facebook, YouTube and Twitter in police work. According to a 2013 social media survey from the International Association of Chiefs of Police, 96% of police departments were using social media in their policing, and more than 80% said it was helping solve crimes. (Of course, it works both ways, and the defense can find evidence of alibis on social media as well.)

Indeed, while social media usage is now commonplace in law enforcement, one item of concern is that guidelines and procedures to govern it may be lagging. According to a November 2014 study by LexisNexis, “Social Media Used in Law Enforcement,” 52% of the law enforcement agencies surveyed lacked procedures governing social media use. Further, Government Technology research found there is little training when it comes to social media usage by law enforcement departments.

Policies and guidelines for law enforcement using social media seem critical. As Police Chief Magazine reported in 2013, “Written policies will ensure that agency executives know what their employees are doing and why they are doing it, as well as protect citizens’ privacy and civil rights and liberties…Many agencies already have policies to protect civil rights and civil liberties. Agencies should include references to agency privacy protections when drafting social media policies to collect intelligence and investigate crimes.”

In Minnesota, where police used Instagram photos to make indictments in a weapons-for-sale scheme, ACLU executive director Chuck Samuelson noted: “The law has not caught up with social media and other technology used to share and gather personal information and even law-abiding citizens should be aware that their personal information is being collected by all sorts of organizations and can be used against them.”

It would seem, as in many aspects of our digital lives, that vigilance and ongoing work are needed to keep pace with technological innovation, in order to protect us all – our rights, our privacy and our security.

(Note to Hollywood: There’s plenty of material here to create a new series, CSI InstaPolice.)

A London NHS clinic leaks 780 patients’ details.

The 56 Dean Street clinic in London accidentally released the names and email addresses of 780 patients who have attended HIV clinics.

In a statement released on their website, a spokesperson for Chelsea and Westminster Hospital NHS Foundation Trust stated:

“We can confirm that due to an administrative error, a newsletter about services at 56 Dean Street was sent to an email group rather than individual recipients.

“We have immediately contacted all the email recipients to inform them of the error and apologise. Any concerned patients can call  020 3315 9555 and 020 3315 9594.”

In an interview with the BBC, Dr. Alan McOwan said, “Not everybody on the list is HIV positive.”

This data breach comes on the heels of a similar incident that occurred earlier last month at UK-based holiday company Thomson. The 56 Dean Street clinic data breach, while unfortunate, again underscores the importance of having appropriate data security policies and procedures in place, as well as the need for employee training on the handling and protection of sensitive data.

The cost of a data breach can affect more than your bottom line; it can affect lives too. So if you’re in doubt about the security of your own IT infrastructure, download AVG’s Small Business IT Security Guide or take the AVG Small Business IT Security Health Check now to find out what you can do to help prevent security and data breaches.

If you need comprehensive protection against online threats for your business PCs, network and email, take a look at AVG Internet Security Business Edition.