Resolved Bugs
1132774 – CVE-2014-0480 CVE-2014-0481 CVE-2014-0482 CVE-2014-0483 python-django14: various flaws [fedora-all]
1129950 – CVE-2014-0480 Django: reverse() can generate URLs pointing to other hosts, leading to phishing attacks
1129952 – CVE-2014-0481 Django: file upload denial of service
1129954 – CVE-2014-0482 Django: RemoteUserMiddleware session hijacking
1129959 – CVE-2014-0483 Django: data leakage via querystring manipulation in admin
update to latest stable release
Fedora 20 Security Update: wireshark-1.10.11-1.fc20
Resolved Bugs
1163585 – CVE-2014-8710 CVE-2014-8711 CVE-2014-8712 CVE-2014-8713 CVE-2014-8714 wireshark: various flaws [fedora-all]
1163581 – CVE-2014-8714 wireshark: TN5250 infinite loop (wnpa-sec-2014-23)
1163582 – CVE-2014-8712 CVE-2014-8713 wireshark: NCP dissector crashes (wnpa-sec-2014-22)
1163583 – CVE-2014-8711 wireshark: AMQP dissector crash (wnpa-sec-2014-21)
1163584 – CVE-2014-8710 wireshark: SigComp dissector crash (wnpa-sec-2014-20)
Ver. 1.10.11, Security fix for CVE-2014-8711, CVE-2014-8712, CVE-2014-8713, CVE-2014-8714, CVE-2014-8710
Fedora 19 Security Update: kde-runtime-4.11.5-3.fc19
Resolved Bugs
1164293 – CVE-2014-8600 kwebkitpart, kde-runtime: Insufficient Input Validation By IO Slaves and Webkit Part
1164609 – CVE-2014-8600 kwebkitpart, kde-runtime: Insufficient Input Validation By IO Slaves and Webkit Part [fedora-all]
New security fix release, insufficient Input Validation By IO Slaves, see also https://www.kde.org/info/security/advisory-20141113-1.txt
Internet of Things is web’s next money spinner say small businesses
We all suspected it and now we know it to be true. Most small businesses (57 percent) are expecting the Internet of Things (IoT) – IP-connected devices, machines with sensors and cloud-based services – to make a significant impact on their bottom line. Yet almost three quarters (71 percent) admit they are not ready from an IT security and data protection point of view.
These are just two of the key findings in AVG’s latest independent research which polled 1,770 small businesses and MSPs in the United States, Canada, the United Kingdom, Germany and Australia on a number of issues related to monetizing IoT. Over half (55 percent) of MSPs taking part in the study confirmed that customers are demanding IoT-related services and 77 percent are planning to expand their service or product portfolio to meet it. Little surprise then that only 18 percent of the small businesses we spoke to thought their IT provider was ahead of the curve when it came to their capacity to manage IoT.
So just what is IoT’s potential as a money spinner? Well, more and more devices with built-in sensors are being connected to the Internet. By remotely monitoring the data on these devices a business can achieve much greater all-round efficiency through raised productivity, lower costs and reduced wastage. And as cloud services become the default way to make sense of this data you no longer need heavy up-front investment, so IoT starts to become affordable for small businesses.
Our research highlighted four industries in particular – IT/telecoms, pharmaceuticals, utilities and manufacturing – that are set to make money from IoT. The IT/telecoms industry, as might be expected, is especially upbeat on IoT. Among the IT decision makers surveyed, 84 percent indicate that their organization would shift its product/service offering to make the most out of the rise of IoT. The proportion of pharmaceuticals companies looking to expand product offerings using IoT was even greater (91 percent). Three quarters (75 percent) of utilities companies and 73 percent of manufacturers are also expecting to benefit.
Overall our study found the vibe from small businesses around IoT to be extremely positive. If there was one note of caution it was the recognition that they need to do more about the security side of things. They are right to be cautious. Many connected devices use the Linux operating system, which has its own set of vulnerabilities, as highlighted by the recent Shellshock event. The lesson for companies is that they need to approach IoT just like the rest of their IT – by keeping devices regularly updated and using identity management and user authentication.
A summary of the other key findings in the study:
- Almost half (46 percent) of SMBs think that the Internet of Things will be the IT trend that has the greatest impact on their organization over the next five years.
- Around three fifths (62 percent) of SMB respondents report that their organization has budget specifically assigned over the next 12 months for the development of Internet of Things solutions. 49 percent have a moderate or substantial budget assigned for these solutions.
- Only 18 percent of SMB respondents say that their IT provider is completely ahead of the curve with regard to the Internet of Things and the potential for their business. Of those with an IT provider, 68 percent feel that their provider could improve their service with regard to Internet of Things offerings and understanding.
- The majority (84 percent) of SMB respondents say that their organization has purchased mobile devices within the last year, spending an average of over $6,500 on these devices. Of those who have purchased mobile devices within the last 12 months, SMB respondents estimate that their organization spends an average of around $4,500 in hidden costs annually.
In conclusion, the days when work was confined to an office with four walls and a locked door are gone for good. Thanks to mobile technology and popular cloud-based applications, today’s start-ups are already living in a world where doing business without walls is perfectly normal. IoT is a further example of how small businesses are becoming more and more connected. The flexibility and simplicity is great. But is it secure? AVG is ready to help businesses embrace IoT safely. A couple of weeks ago we announced that we will shortly expand AVG CloudCare’s capabilities to include breakthrough integration of Multi Factor Authentication, Secure Sign-On (SSO), Mobile Device Management and Mobile Application Management, all managed through Active Directory to ease complexity and simplify management.
How to cure Location Fatigue
An overwhelming flood of apps that use location data became available, and to this day new ones are being launched all the time.
While there’s still interest in apps that use location data, some of that enthusiasm has started to die down. Quite frankly, many users are suffering from Location Fatigue. Since most users were once all too willing to share their location with anyone and anything, app developers have assumed that this is still the case and continue to use location data to the point that it feels like almost every app you download wants to access your location for some odd reason, even when it’s totally not required.
As you can imagine, this reality brings a host of privacy concerns with it. Not only might social apps share your location with your friends or possibly strangers, but other apps could even use that data for advertising purposes. When an app uses your location in a way that you understand and derive benefits from, that can be a great experience, but having your location data observed and shared just because it can be done doesn’t always lead to a great user experience, especially when it’s being done in a way that’s not transparent.
If you look at the location settings in your smartphone right now, you’ll probably be shocked by how many apps have location functionality. Take a good look at your list of apps and decide which ones you actually want to be able to see where you are at any given moment. Additionally, whenever you download a new app, think for a moment about the location data that it might be accumulating and what the purpose of it is.
There are still plenty of smartphone users who don’t have a care in the world about the location data that their apps have access to, but if privacy is important to you, then you might want to make your location data available to apps on more of a need-to-know basis.
The post How to cure Location Fatigue appeared first on Avira Blog.
Fedora EPEL 7 Security Update: kwebkitpart-1.3.4-5.el7
Resolved Bugs
1164293 – CVE-2014-8600 kwebkitpart, kde-runtime: Insufficient Input Validation By IO Slaves and Webkit Part
1164608 – CVE-2014-8600 kwebkitpart: kwebkitpart, kde-runtime: Insufficient Input Validation By IO Slaves and Webkit Part [epel-7]
Sanitize input to disallow javascript being executed in the context of the referenced hostname. See also https://www.kde.org/info/security/advisory-20141113-1.txt
Fedora EPEL 7 Security Update: erlang-R16B-03.9.el7
Resolved Bugs
1059331 – CVE-2014-1693 erlang-inets: command injection flaw in FTP module
1059335 – CVE-2014-1693 erlang: erlang-inets: command injection flaw in FTP module [epel-all]
1161922 – Too many dependencies from Erlang
* Fixed CVE-2014-1693 (backported fix from ver. 17.x.x, see patch no. 17)
* Trimmed dependency chain
MS14-068 – Critical: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) – Version: 1.0
Severity Rating: Critical
Revision Note: V1.0 (November 18, 2014): Bulletin published
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account. An attacker could use these elevated privileges to compromise any computer in the domain, including domain controllers. An attacker must have valid domain credentials to exploit this vulnerability. The affected component is available remotely to users who have standard user accounts with domain credentials; this is not the case for users with local account credentials only. When this security bulletin was issued, Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.
IC3 Releases Scam Alert for Fraudulent Online Advertisements
Original release date: November 18, 2014
The Internet Crime Complaint Center (IC3) released a Scam Alert regarding fraudulent ads for normally expensive items, such as cars and boats, at discounted prices. Scam operators often use false contact information linked to reputable online marketplaces to imply that the transaction is legitimate. Consumers fall victim to the scam when they are enticed into pursuing financial transactions with scammers.
Users are encouraged to review the IC3 Scam Alert for details, refer to the Avoiding Social Engineering and Phishing Attacks Cyber Security Tip for information on social engineering attacks, and refer to the Shopping Safely Online Cyber Security Tip for information on online shopping safety.
Bugtraq: CVE-2014-8683 XSS in Gogs Markdown Renderer