CVE-2014-5169

Cross-site scripting (XSS) vulnerability in the Date module before 7.x-2.8 for Drupal allows remote authenticated users with the permission to create a date field to inject arbitrary web script or HTML via the date field title.

HP Security Bulletin HPSBGN03142

HP Security Bulletin HPSBGN03142 – A potential security vulnerability has been identified with HP Business Service Automation Essentials. This is the Bash Shell vulnerability known as “Shellshock” which could be exploited remotely to allow execution of code. This vulnerability allows users that have been granted access to a shell script to escalate privilege and execute unrestricted commands at the same security level as the Bash script. Revision 1 of this advisory.

HP Security Bulletin HPSBST03097

HP Security Bulletin HPSBST03097 – A potential security vulnerability has been identified with HP Command View for Tape Libraries (CVTL) running OpenSSL with SMI-S client when retrieving information from legacy tape libraries. The OpenSSL vulnerability could be exploited remotely resulting in unauthorized access or disclosure of information. Revision 1 of this advisory.

HP Security Bulletin HPSBST03129

HP Security Bulletin HPSBST03129 – A potential security vulnerability has been identified with HP StoreFabric B-series switches running Bash Shell. This is the Bash Shell vulnerability known as “ShellShock” which could be exploited remotely to allow execution of code. Revision 1 of this advisory.

Thoughts on Mobile Digital Parenting

Dear Abby: My birthday is in 26 days…And I really want an iPod Touch for school. I’m in the fifth grade and everyone in my class has an iPod Touch, iPad or iPhone. EXCEPT ME!

Desperate Girl in North Carolina

This was a real letter sent recently to the venerable U.S. newspaper advice columnist Dear Abby. In her response to the 10-year-old, Abby wisely advised the “desperate” girl of some of the possible reasons for her parents’ opposition (among them, the ability to afford a device) and then encouraged the girl to talk with her parents about their concerns and how they could address them.

Digital-age parenting means there is a lot to consider about whether and when a child should get their own cell phone or other digital device. Depending on the research you look at, between 56% (CTIA) and 30% (Kaiser) of children aged 8-12 have cell phones. In most cases, the research is a few years old – which means the percentage is likely to be much larger.

On the “pro” side, a cellphone can be a great device to keep you connected to your kids and to keep track of them. On the “con” side, it also connects your kids more readily to the vast and not-always-friendly online world of social media, videos, games, movies, music, TV shows and more. Online safety and protection for our kids is a paramount concern.

In research we conducted earlier this year, 42% of parents said they worry that their child is spending too much time online. They are also unsure of what their kids are exposed to and many are uncertain as to how to keep them safe.

If your child is ready for a mobile phone, it’s important to educate them and have rules. Here are a few suggestions, starting with some rules:

House Rules

  • Consider a basic phone as a starter phone. Turn off extras if you are passing down an older model phone.
  • Set limits, such as designated times the phone can be used, the number of minutes that can be used, and caps on the number of texts that can be sent.
  • Block internet access and calls from unapproved numbers.

Some Do’s and Don’ts

  • Just as in the real world – never talk to strangers. Never respond to messages, emails, and texts from people they don’t know.
  • Always tell an adult if they receive any hurtful messages online… or requests from online friends to meet offline.

In addition to our online and mobile security software, we’ve attempted to help parents by giving them other tools to address online safety. We’ve collaborated with the international children’s safety organization, Childnet, to create a guide to online and mobile phone safety starting at an early age, with our new Magda and Mo eBook series … The series, developed from a child’s eyes, uses click-and-tell stories that parents can use to help educate and foster dialogue with their kids about online safety.

CVE-2012-5696

Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 does not properly restrict access to frameworkgui/config, which allows remote attackers to obtain the plaintext database password via a direct request.

CVE-2012-5695

Multiple cross-site request forgery (CSRF) vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) 0.1.2 through 0.1.4 allow remote attackers to hijack the authentication of administrators for requests that conduct (1) shell metacharacter or (2) SQL injection attacks or (3) send an SMS message.

CVE-2012-5694

Multiple SQL injection vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 allow remote attackers to execute arbitrary SQL commands via the (1) agentPhNo, (2) controlPhNo, (3) agentURLPath, (4) agentControlKey, or (5) platformDD1 parameter to frameworkgui/attach2Agents.pl; the (6) modemPhoneNo, (7) controlKey, or (8) appURLPath parameter to frameworkgui/attachMobileModem.pl; the agentsDD parameter to (9) escalatePrivileges.pl, (10) getContacts.pl, (11) getDatabase.pl, (12) sendSMS.pl, or (13) takePic.pl in frameworkgui/; or the modemNoDD parameter to (14) escalatePrivileges.pl, (15) getContacts.pl, (16) getDatabase.pl, (17) SEAttack.pl, (18) sendSMS.pl, (19) takePic.pl, or (20) CSAttack.pl in frameworkgui/.

CVE-2012-5697

The btinstall installation script in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 uses weak permissions (777) for all files in the frameworkgui/ directory, which allows local users to obtain sensitive information or inject arbitrary Perl code via direct access to these files.