The UK’s communications regulator Ofcom is investigating what could be the biggest data breach in its history. The incident was caused internally: a former employee had been surreptitiously gathering data over a six-year period.
Red Hat Enterprise Linux: Updated xerces-c packages that fix one security issue are now available
for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
CVE-2016-0729
Red Hat Enterprise Linux: Updated OpenStack Block Storage packages that resolve various issues are
now available for Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno)
for RHEL 7.
Red Hat Enterprise Linux: Updated OpenStack Networking packages that resolve various issues are now
available for Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse)
for RHEL 6.
Red Hat Enterprise Linux: Updated OpenStack Networking packages that resolve various issues are now
available for Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse)
for RHEL 7.
A security issue affects these releases of Ubuntu and its
derivatives:
Ubuntu 12.04 LTS
Summary
OTR could be made to crash or run programs if it received specially crafted
network traffic.
Software description
libotr – Off-the-Record Messaging library
Details
Markus Vervier discovered that OTR incorrectly handled large incoming messages. A remote attacker could use this issue to cause OTR to crash, resulting in a denial of service, or possibly execute arbitrary code.
Update instructions
The problem can be corrected by updating your system to the following
package version:
A security issue affects these releases of Ubuntu and its
derivatives:
Ubuntu 15.10
Ubuntu 14.04 LTS
Summary
Several security issues were fixed in Oxide.
Software description
oxide-qt – Web browser engine for Qt (QML plugin)
Details
It was discovered that the ContainerNode::parserRemoveChild function in Blink mishandled widget updates in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to bypass same-origin restrictions. (CVE-2016-1630)
It was discovered that the PPB_Flash_MessageLoop_Impl::InternalRun function in Chromium mishandled nested message loops. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to bypass same-origin restrictions. (CVE-2016-1631)
Multiple use-after-frees were discovered in Blink. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via renderer crash or execute arbitrary code with the privileges of the sandboxed render process. (CVE-2016-1633, CVE-2016-1634, CVE-2016-1644)
It was discovered that the PendingScript::notifyFinished function in Blink relied on memory-cache information about whether an integrity check had occurred rather than whether it had succeeded. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to bypass Subresource Integrity (SRI) protections. (CVE-2016-1636)
It was discovered that the SkATan2_255 function in Skia mishandled arctangent calculations. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to obtain sensitive information. (CVE-2016-1637)
A use-after-free was discovered in Chromium. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking the program. (CVE-2016-1641)
Multiple security issues were discovered in Chromium. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to read uninitialized memory, cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking the program. (CVE-2016-1642)
A type-confusion bug was discovered in Blink. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash or execute arbitrary code with the privileges of the sandboxed render process. (CVE-2016-1643)
Multiple security issues were discovered in V8. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to read uninitialized memory, cause a denial of service via renderer crash or execute arbitrary code with the privileges of the sandboxed render process. (CVE-2016-2843)
An invalid cast was discovered in Blink. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash or execute arbitrary code with the privileges of the sandboxed render process. (CVE-2016-2844)
It was discovered that the Content Security Policy (CSP) implementation in Blink did not ignore a URL’s path component in the case of a ServiceWorker fetch. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to obtain sensitive information. (CVE-2016-2845)
Update instructions
The problem can be corrected by updating your system to the following
package version:
In an era when children are becoming digital natives, using and understanding technology from an early age, the safety risks that have long existed could also affect them if we fail to take the necessary precautions.
Get ready for this: soon, selfies will not only be a way to record the passing of time on your face everywhere you go. Because physical features are unique to each person, they will also serve as credit card passwords. At least that’s what credit card firm MasterCard thinks.
The company announced at the Mobile World Congress tech show in Barcelona that it will soon be accepting selfies as an alternative to passwords for online payments. The service will be available next summer in the USA, Canada and several European countries, including Italy, France, the Netherlands, the UK and Spain.
To use it, customers will only have to download an app to their computer, tablet or smartphone and then look at the camera or use the device’s fingerprint reader (if available). However, at least for the moment, customers will still have to provide their credit card details; the selfie only comes into play when additional authentication is required.
With this new strategy, MasterCard aims to protect customers from fake online transactions made with users’ stolen passwords, as well as providing a more convenient system to users. In fact, the company says that 92 percent of the people who have tested the new system prefer it to traditional passwords.
Despite all the fuss, this is not the first time this technology has been put forward. E-commerce giant Alibaba announced some months ago that it would use facial recognition for online payments.
Even though biometric security experts have long predicted that iris scanning, facial recognition, fingerprints and even voice recognition are the future, MasterCard’s initiative has reopened the debate over whether selfies can be a safe replacement for passwords.
In fact, some experts have started asking how the data will be protected so that cyber-crooks cannot easily capture a user’s fingerprint or facial image, for example when a transaction is made over a carelessly used public Wi-Fi network.
These cyber-security experts claim that the system should incorporate several security layers to prevent potential theft of users’ facial photographs. After all, online payments make a very attractive target for cyber-criminals.
A few months ago, a group of researchers from the Technical University of Berlin demonstrated that it is possible to extract a smartphone’s PIN from the owner’s selfie: they read the passcode reflected in the user’s eyes as he typed it on his OPPO N1 phone. An attacker only needs control of the device’s front camera to carry out this rudimentary attack. Could a criminal take control of a user’s device, take a selfie, and make online payments with the passcode captured in that reflection?
MasterCard insists its security mechanisms should be able to detect suspicious behaviour. For example, users will be required to blink so that the app can confirm it is seeing a live face and not a photo or a previously recorded video. The system maps the user’s face, converts that map to code and transmits it securely over the Internet to MasterCard. The firm promises that this information remains safe on its servers and that the company itself cannot reconstruct the user’s face from it.
MasterCard has explained that the new service will only be used for the moment in certain contexts where additional authentication is required. Additionally, this technology will also help identify the user’s location and the place where the goods are being shipped to, other indicators of a fake online transaction.
Within a few months, security experts will be able to tell whether MasterCard’s system is sufficiently safe or whether, in this case, the cure is worse than the disease. Meanwhile, the company will continue to investigate iris, voice and even electrocardiogram recognition as biometric alternatives to passwords.