AVG Technologies Announces Intention to Acquire Location Labs

Today, we announced our intention to acquire Location Labs, which is best known for its “mobile security for humans”.

AVG has been talking for some time about the need for a more holistic approach to security; one that protects not only devices, but also data and, ultimately, the people using those devices and data. Products that encompass all these elements must be easy to understand and easy to use.

AVG’s security for Android smartphones is one of the top security apps on the Google Play store. Location Labs products, sold by major mobile operators and running on both the Android and iOS platforms, provide exceptional security and safety for people – you and those you care for.

Additionally, Location Labs’ mobile products and services draw on the value of the mobile operator network to provide features and functionality that are not possible otherwise. Having multiple distribution channels delivers good choices for customers. They may want to download our apps directly from App stores, or they may prefer to choose a service that has been validated and integrated with their network provider, including their billing and customer support services. Currently, AVG’s mobile offerings use the first method; Location Labs’, the second.

At AVG and Location Labs, we understand that for our customers, safety and security for connected devices is first and foremost about ensuring that their families, or those they care deeply about, are protected. This is where the combination of AVG Zen and the Location Labs’ products will really shine. With AVG Zen, customers can connect to, and manage the device and data security of their own, and others’, phones, laptops, and PCs.

With Location Labs offerings, they can also manage the content, applications, and permissions available on each of those devices, and see the location and status of the users. As massive numbers of mobile devices are adopted worldwide, and as we all connect more and more items to our own personal networks, this promises to be an important and growing market.

We are particularly pleased that the leadership and the team at Location Labs will be joining AVG. They have built a compelling business within the mobile industry – not an easy thing to do – and helped grow the company to over 1.3 million paying subscribers. We are looking forward to working with them to grow the business further to improve safety and security for all mobile users.

Today’s announcement is the first step in a longer journey and we believe it marks the start of a new approach to mobile security for consumers. We understand that to really enjoy the rich experience of today’s connected world, we all need to feel comfortable and safe, and to have confidence and trust in the smart devices that enable us to monitor and secure the people we care about. As we move forward, we’ll be working hard to make this vision a reality for our customers.

Is your software fixed?

A common query seen at Red Hat is “our auditor says our Red Hat machines are vulnerable to CVE-2015-1234, is this true?” or “Why hasn’t Red Hat updated software package foo to version 1.2.3?” In other words, our customers (and their auditors) are not sure whether or not we have fixed a security vulnerability, or if a given package is up to date with respect to security issues. In an effort to help our security-conscious customers, Red Hat makes this information available in an easy-to-consume format.

What’s the deal with CVEs?

Red Hat is committed to the CVE process. To quote our CVE compatibility page:

We believe that giving our users accurate and complete information about security issues is extremely important. By including CVE names when we discuss security issues in our services and products, we can help users cross-reference vulnerabilities so they spend less time investigating and categorizing security events.

Red Hat has a representative on the CVE Editorial Board and declared CVE compatibility in April 2002.

To put it simply: if it’s a security issue and we fix it in an RHSA, it gets a CVE. In fact we usually assign CVEs as soon as we determine a security issue exists (additional information on determining what constitutes a security issue can be found on our blog).

How to tell if your software is fixed?

A CVE can be queried at our public CVE page.  Details concerning the vulnerability, the CVSS v2 metrics, and security errata are easily accessible from here.

To verify your system is secure, simply check which version of the package you have installed. If the NVR of your installed package is equal to or higher than the NVR of the package in the RHSA, then you’re safe.

What’s an NVR?

The NVR is the Name-Version-Release of the package. The Heartbleed RHSA lists packages such as: openssl-1.0.1e-16.el6_5.7.x86_64.rpm. So from this we see a package name of “openssl” (a hyphen), a version of 1.0.1e (a hyphen) and the release is 16.el6_5.7. Assuming you are running RHEL 6, x86_64, if you have openssl version 1.0.1e release 16.el6_5.7 or later you’re protected from the Heartbleed issue.

Please note that there is an additional field called “epoch”, which supersedes the version number (and release). Most packages do not have an epoch number; however, a larger epoch number means that a package can override a package with a lower epoch. This can be useful, for example, if you need a custom modified version of a package that also exists in RPM repos you are already using.  By assigning an epoch number to your package RPM you can override the same version package RPMs from another repo even if they have a higher version number. So be aware: if you use packages that have the same name and a higher epoch number, you will not get security updates unless you specifically create new RPMs with the epoch number and the security update.
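The NVR and epoch comparison described above, as an added example (not Red Hat's code): a simplified Python version of RPM's segment ordering that omits the `~` and `^` rules. The installed-package values and the `check-manually` policy for differing epochs are assumptions made for the illustration.

```python
import re

def parse_nvr(filename):
    """Split 'name-version-release.arch.rpm' into (name, version, release)."""
    base = filename[:-4] if filename.endswith(".rpm") else filename
    nvr, _arch = base.rsplit(".", 1)          # drop the architecture suffix
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def rpmvercmp(a, b):
    """Order two version or release strings segment by segment.
    Simplified: separators are ignored and '~' / '^' are not handled."""
    ta = re.findall(r"[0-9]+|[A-Za-z]+", a)
    tb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(ta, tb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)             # 14 > 7, not a string compare
        if x != y:
            return 1 if x > y else -1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))

def evr_cmp(a, b):
    """Order two (epoch, version, release) tuples: epoch is compared first."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])

def fix_status(installed, fixed):
    """Compare an installed package against the fixed package in the RHSA.
    Assumed policy: a differing epoch means a different package lineage
    (for example a custom rebuild), so ordering alone proves nothing."""
    if installed[0] != fixed[0]:
        return "check-manually"
    return "fixed" if evr_cmp(installed, fixed) >= 0 else "vulnerable"

# Fixed package taken from the Heartbleed RHSA file name quoted above.
_, ver, rel = parse_nvr("openssl-1.0.1e-16.el6_5.7.x86_64.rpm")
FIXED = (0, ver, rel)

# Constructed sample inputs (epoch, version, release), not real inventory.
SAMPLES = {
    "older release":  (0, "1.0.1e", "16.el6_5.4"),
    "errata release": (0, "1.0.1e", "16.el6_5.7"),
    "later release":  (0, "1.0.1e", "16.el6_5.14"),
    "custom epoch 1": (1, "1.0.0", "1"),
}

if __name__ == "__main__":
    for label, evr in SAMPLES.items():
        print(f"{label:15} rpm-order={evr_cmp(evr, FIXED):+d} "
              f"status={fix_status(evr, FIXED)}")
```

The last sample sorts as newer than the errata package purely because of its epoch, which is why it is reported for manual review rather than as fixed.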

But what if there is no CVE page?

As part of our process the CVE pages are automatically created if public entries exist in Bugzilla.  CVE information may not be available if the details of the vulnerability have not been released or the issue is still embargoed.  We do encourage responsible handling of vulnerabilities and sometimes delay CVE information from being made public.

Also, CVE information will not be created if the software we shipped wasn’t vulnerable.

How to tell if your system is vulnerable?

If you have a specific CVE or set of CVEs that you are worried about you can use the yum command to see if your system is vulnerable. Start by installing yum-plugin-security:

sudo yum install yum-plugin-security

Then query the CVE you are interested in, for example on a RHEL 7 system without the OpenSSL update:

[root@localhost ~]# yum updateinfo info --cve CVE-2014-0224
===============================================
 Important: openssl security update
===============================================
 Update ID : RHSA-2014:0679
 Release : 
 Type : security
 Status : final
 Issued : 2014-06-10 00:00:00
 Bugs : 1087195 - CVE-2010-5298 openssl: freelist misuse causing 
        a possible use-after-free
 : 1093837 - CVE-2014-0198 openssl: SSL_MODE_RELEASE_BUFFERS NULL
   pointer dereference in do_ssl3_write()
 : 1103586 - CVE-2014-0224 openssl: SSL/TLS MITM vulnerability
 : 1103593 - CVE-2014-0221 openssl: DoS when sending invalid DTLS
   handshake
 : 1103598 - CVE-2014-0195 openssl: Buffer overflow via DTLS 
   invalid fragment
 : 1103600 - CVE-2014-3470 openssl: client-side denial of service 
   when using anonymous ECDH
 CVEs : CVE-2014-0224
 : CVE-2014-0221
 : CVE-2014-0198
 : CVE-2014-0195
 : CVE-2010-5298
 : CVE-2014-3470
Description : OpenSSL is a toolkit that implements the Secure 
Sockets Layer

If your system is up to date or the CVE doesn’t affect the platform you’re on then no information will be returned.

Conclusion

Red Hat Product Security makes available as much information as we can regarding vulnerabilities affecting our customers.  This information is available on our customer portal as well as within the software repositories. As you can see it is both easy and quick to determine if your system is up to date on security patches with the provided information and tools.

The following checklist can be used to check if systems or packages are affected by specific security issues:

1) Check if the issue you’re concerned about has a CVE and check the Red Hat CVE page:

https://access.redhat.com/security/cve/CVE-2014-0224

2) Check to see if your system is up to date for that issue:

sudo yum install yum-plugin-security 
yum updateinfo info --cve CVE-2014-0224

3) Alternatively you can check the package NVR in the RHSA errata listed in the CVE page (in #1) and compare it to the packages on your system to see if they are the same or greater.
4) If you still have questions please contact Red Hat Support!

AVG to lead innovation sessions at The Pitch, London

This Thursday 4th September in London, AVG will be attending the first of two small business boot-camps as part of The Pitch, UK. Now in its seventh year The Pitch is one of the UK’s longest running small business competitions and awards thousands of pounds worth of prizes to innovative startups.

The boot camps will be attended by 100 small businesses that made it through the first stage of the competition. These are split into two regional groups, North and South, who will attend boot camps in Manchester (on 18th September) and this week in London where after an intense day of mentoring their pitching prowess will be assessed.

As a main sponsor for The Pitch, AVG is delighted to attend these boot camp sessions and will be working directly with the competitors in one of the hands-on sessions. The boot camps will focus on the four key pillars of pitching:

  • Marketing
  • Finance
  • Business model innovation
  • Pitching

AVG’s Director of Partner Enablement Mike Byrne will be leading the Business Model Innovation session, which aims to provide candidates with some useful ideas about how to optimise their business models and sharpen their sales techniques using technology. Whether it’s managing relationships, assessing the competition, reducing sales cycle time/costs or simply making life easier, technology has a lot to offer business sales activities.

AVG’s philosophy is all about empowering small businesses to manage their technology simply and reliably so they can stop worrying about their data and concentrate on growth in today’s fast changing, increasingly mobile workplace.

After the boot camps, the competitors will be narrowed down from 100 to 30 applicants to proceed to the final where a winner will be chosen by a panel of judges including AVG’s own Judith Bitterli.

 

The overall winner of The Pitch will win a priceless prize package that includes expert mentoring from business leaders and free access to world leading products and services including free AVG CloudCare services for two years.

What can actually happen #IfMyPhoneGotHacked

Everybody will know what you did last summer

The danger of getting your data stolen might seem rather abstract to you as the word “data” usually makes you think of valuable information you would not have on your phone. With “data” we mean everything on your phone: photos, videos, documents and browsing information, regardless of their economic “value”. Remember the selfies you took with your phone this summer but never had the courage to share with your friends? How about the Justin Bieber playlist you secretly stored in a hidden music folder? Well, if your phone gets hacked, it will all become public. And do trust us when we tell you that the “I don’t know how they got there” argument doesn’t stand a chance.

PS: don’t even make us open up the Browsing History subject; once it’s compromised, no superpower can save you from what’s coming next. Moving to a different country might be the only option left.

I just called to say…who are you?

If only the thought of some strangers having your phone number scares you, imagine how it would be if those strangers could also access all of your contacts and your recent dials? Not only would they be able to store and even sell all this private information about your family, friends and colleagues but they might also bother them with all sorts of pranks. And no, texts are not protected either so make sure you don’t ruin the flirt you’ve got going on because of some disturbing replies coming from people controlling your phone. Some of them can have a pretty twisted sense of humor.

Peekaboo I see you

We all use the “Big brother is watching” expression often enough that it has become a figure of speech more than a matter of fact. What if your newest “big brother” is a hacker who can activate your phone’s camera and spy on you whenever he feels like? One thing is sure: you’ll regret never being able to separate yourself from your phone. Too many examples of exposing the smartphone to private…events come to our mind (we’ll let you think of the most uncomfortable ones yourself). Now imagine sharing those images with a bunch of strangers. In real time. Sufficiently awkward yet?

Social Networks come just as a cherry on top of any hacking scheme mentioned on the #IfMyPhoneGotHacked thread. All of your data could go public (and even viral depending on the level of compromising information you store on your devices) in a matter of hours after your phone gets hacked. Just make sure you stay protected.

The post What can actually happen #IfMyPhoneGotHacked appeared first on Avira Blog.

MS14-028 – Important: Vulnerabilities in iSCSI Could Allow Denial of Service (2962485) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (September 3, 2014): Updated the Known Issues entry in the Knowledge Base Article section from “None” to “Yes”.
Summary: This security update resolves two vulnerabilities in Microsoft Windows. The vulnerabilities could allow denial of service if an attacker sends large amounts of specially crafted iSCSI packets over the target network. This vulnerability only affects servers for which the iSCSI target role has been enabled.

Think celebrities are the only ones that can get hacked? Think again…

News broke on Sunday that nude photos of female celebrities were posted on the photo sharing site 4Chan. Along with the news came many theories and discussions as to how the hacker managed to collect intimate photos and videos from a long list of celebrities. While figuring out how the hacker accessed these intimate files will hopefully patch vulnerabilities, there are general steps that everyone should take now to protect their personal data.

Don’t blame the cloud


One of the theories circulating on the Internet is that iCloud was hacked via a vulnerability in Apple’s “Find My iPhone” app. Kirsten Dunst, one of the celebrities whose private photos were hacked, tweeted the following: “Thank you iCloud”. Should Kirsten and the other hack victims be blaming the cloud though? The iCloud hack theory is just a theory; the hackers could have gained access to celebrity accounts via phishing mails or gained passwords from celebrity insiders. The hackers could have gained access to celebrity email and password combinations through breaches like the recent eBay breach or Heartbleed, which affected nearly two-thirds of all websites, including Yahoo Mail, OKCupid and WeTransfer. If the celebrities whose photos have been exposed were affected by these breaches and used the same passwords on several accounts, including iCloud, it would have been easy for the hackers to steal their personal photos.

Even if the hacker got the data by hacking iCloud accounts, the cloud should not be blamed. The hacker, first and foremost, should be blamed. However, we all should know that there are bad guys out there and we need to protect ourselves and our personal data from them. The lack of cybersecurity awareness amongst these celebrities also deserves a portion of the blame.

Know where you are saving what

Back in 2011, when nude photos of Scarlett Johansson and Mila Kunis appeared, we learned that celebrities are not immune to hacks, in fact they were specifically targeted and will probably be targeted again. It seems that many celebrities did not learn the importance of cybersecurity from the 2011 hack. Every mobile user, celebrities included, should be learning a lesson from this awful and unfortunate event and be re-thinking where they are saving their intimate and personal data.

Many mobile users are unaware of the fact that their data is no longer only saved to their hardware. Many devices and apps come with automatic cloud backup features. Cloud-based backup can be a very useful tool to prevent data loss, but if you want to delete intimate photos from your device you should also remember to delete them from the cloud.

How to protect your accounts

 

Whether the hackers gained access to the data via an iCloud vulnerability, phishing scams, or by using brute force programs there is one common denominator: passwords.

Mobile malware specialist, Filip Chytry recommends the following to protect your accounts:

  • Use strong passwords – Strong passwords are critical when it comes to protecting online accounts. Strong passwords should be at least 8 characters long, contain a combination of letters, numbers, and symbols. Ideally, you should not be able to remember your own password the first time you try to log into your account with your new password. You should update all of your passwords every three months and after news of account breaches.
  • Use different passwords for each of your accounts – It is not easy to remember different passwords for all your online accounts, but it is vital that each online account has a different and strong password. Passwords need to be thought of as keys, you wouldn’t want your house key to open your car – passwords and online accounts should be no different. Password managers like avast! EasyPass can help you secure your passwords and accounts.
  • Enable two factor authentication – Many sites and services offer two factor authentication, meaning you are required to enter a pin number sent to your mobile device, in addition to your password, in order to gain access to your account. This helps verify that the person trying to log into the account is the actual account owner and in fact a real person (not just a program trying to hack accounts).
  • Download anti-virus protection for your mobile device – Anti-virus protection, such as avast! Mobile Security, not only protects your mobile devices from malware, but can also protect you from phishing links. Phishing sites look like legitimate sites and are designed to trick you into giving up your login credentials, which may be how the hackers who published the nude photos gained access to celebrity accounts.

If it can happen to them it can happen to you

We often put celebrities on pedestals, but at the end of the day they are normal people just like you and me. No one is immune to hacks per se, but being aware of where you store your sensitive data and using the proper tools to protect your data can prevent hackers from accessing it. We should all take this situation as an opportunity to learn how to protect our very personal information.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter, Google+ and Instagram. Business owners – check out our business products.