Tag Archives: Security

Security improvements in Red Hat Enterprise Linux 7

Each new release of Red Hat® Enterprise Linux® is not only built on top of the previous version, but a large number of its components incorporate development from the Fedora distribution. For Red Hat Enterprise Linux 7, most components are aligned with Fedora 19, with select components coming from Fedora 20. This means that users benefit from new development in Fedora, such as firewalld, which is described below. While preparing the next release of Red Hat Enterprise Linux, we review components for their readiness for an enterprise-class distribution. We also make sure that we address known vulnerabilities before the initial release. And we review new components to check that they meet our standards regarding security and general suitability for enterprise use.

One of the first things that happens is a review of the material going into a new version of Red Hat Enterprise Linux. Each release includes new packages that Red Hat has never shipped before, and anything that has never been shipped in a Red Hat product receives a security review. We look for various problems, from security bugs in the actual software to packaging issues. It’s even possible that some packages won’t make the cut if they prove to have issues that cannot be resolved in a manner we decide is acceptable. It’s also possible that a package was once included as a dependency or as part of a feature that is no longer planned for the release. Rather than leave those in the release, we do our best to remove the unneeded packages, as they could result in security problems later down the road.

Previously fixed security issues are also reviewed to ensure nothing has been missed since the last version. While uncommon, it is possible that a security fix didn’t make it upstream, or was somehow dropped from a package at some point during the move between major releases. We spend time reviewing these to ensure nothing important was missed that could create problems later.

Red Hat Product Security also adds several new security features in order to better protect the system.

Before its 2011 revision, the C++ language definition was ambiguous as to what should happen if an integer overflow occurs during the size computation of an array allocation. The C++ compiler in Red Hat Enterprise Linux 7 will perform a size check (and throw std::bad_alloc on failure) if the size (in bytes) of the allocated array exceeds the width of a register, even in C++98 mode. This change affects the code generated by the compiler; it is not a library-level correction. Consequently, we compiled all of Red Hat Enterprise Linux 7 with a compiler version that performs this additional check.
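As an added illustration (not code from the Red Hat post), the following C++ snippet mirrors the check described above: it computes whether the byte size of a `new[]` request would overflow `size_t`, and confirms that a compiler performing the check rejects such a request with `std::bad_alloc` instead of handing back an undersized buffer.

```cpp
#include <cstddef>
#include <limits>
#include <new>

// Mirrors the arithmetic the compiler guards: new T[count] needs
// count * sizeof(T) bytes, which must fit in size_t. Returns true when
// that multiplication would wrap around.
bool array_size_overflows(std::size_t count, std::size_t elem_size) {
    if (elem_size == 0) {
        return false;
    }
    return count > std::numeric_limits<std::size_t>::max() / elem_size;
}

// Requests `count` ints with new[] and reports whether the allocation was
// rejected with std::bad_alloc (std::bad_array_new_length, thrown by newer
// compilers, derives from it). Without the compiler-side check the
// multiplication would wrap and a far smaller buffer could be returned,
// turning the later element writes into a heap overflow.
bool new_array_rejected(std::size_t count) {
    try {
        int* buf = new int[count];
        delete[] buf;
        return false;
    } catch (const std::bad_alloc&) {
        return true;
    }
}

// Smallest element count whose byte size no longer fits in size_t.
std::size_t first_overflowing_int_count() {
    return std::numeric_limits<std::size_t>::max() / sizeof(int) + 1;
}
```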

When we compiled Red Hat Enterprise Linux 7, we also tuned the compiler to add “stack protector” instrumentation to additional functions. The GCC compiler in Red Hat Enterprise Linux 6 used heuristics to determine whether a function warrants “stack protector” instrumentation. In contrast, the compiler in Red Hat Enterprise Linux 7 uses precise rules that add the instrumentation to only those functions that need it. This allowed us to instrument additional functions with minimal performance impact, extending this probabilistic defense against stack-based buffer overflows to an even larger part of the code base.

Red Hat Enterprise Linux 7 also includes firewalld. firewalld allows for centralized firewall management using high-level concepts, such as zones. It also extends spoofing protection based on reverse path filters to IPv6, where previous Red Hat Enterprise Linux versions only applied anti-spoofing filter rules to IPv4 network traffic.

Every version of Red Hat Enterprise Linux is the result of countless hours of work from many individuals. Above we highlighted a few of the efforts that the Red Hat Product Security team assisted with in the release of Red Hat Enterprise Linux 7. We also worked with a number of other individuals to see these changes become reality. Our job doesn’t stop there, though. Once Red Hat Enterprise Linux 7 was released, we immediately began tracking new security issues and deciding how to fix them. We’ll further explain that process in an upcoming blog post about fixing security issues in Red Hat Enterprise Linux 7.

Infographic: Privacy tips for business

Privacy plays a growing part in customer buying decisions. With every data breach, trust is eroded further.

Privacy and security are intertwined when it comes to our individual information. Consumers are becoming increasingly aware of the value of their personal data, so that means that businesses have to step up and do a better job of securing that data. Identity theft is the #1 fear of consumers, but for your business the risk is loss of trust and brand damage.

Since trust is the core of any transaction, it’s important to know how privacy factors into your customers’ buying decisions. Research shows that almost 40% of consumers made buying decisions based upon privacy. When looking at who these people are, it was found that these individuals are aged 46-65 and have the highest incomes. But don’t rely on the business of the younger generation to supplant that once trust is lost; 27% of millennials abandoned an online purchase in the past month due to privacy or security concerns.

To mark Data Privacy Day on January 28, the following Privacy is Good for Business tips were created by privacy experts in civil society, non-profits, government and industry, and aspire to help businesses address the public’s growing privacy concerns:


  • If you collect it, protect it. Follow reasonable security measures to keep individuals’ personal information safe from inappropriate and unauthorized access.
  • Be open and honest about how you collect, use and share consumers’ personal information. Think about how the consumer may expect their data to be used.
  • Build trust by doing what you say you will do. Communicate clearly and concisely to the public about what privacy means to your organization and the steps you take to achieve and maintain privacy.
  • Create a culture of privacy in your organization. Explain to and educate employees about the importance and impact of protecting consumer and employee information as well as the role they play in keeping it safe.
  • Don’t count on your privacy notice as your only tool to educate consumers about your data practices.
  • Conduct due diligence and maintain oversight of partners and vendors. You are also responsible for how they collect and use personal information.

The web gets ready for voice recognition

News broke earlier in January that Facebook has acquired Wit.ai, an 18-month-old startup that specializes in voice recognition technology. At first, this might seem like a strange move, but upon closer inspection the rationale is clear.

Millions of users are turning to mobile as their preferred platform, where typing long messages and interacting with friends is far more challenging than on a PC keyboard.

It’s clear that companies like Facebook face a challenge to make mobile interaction easier and more engaging.

Using Wit.ai’s expertise, Facebook can build a mobile-first platform, with a voice-activated interface and text-to-speech messaging being some obvious steps.

The Facebook acquisition highlights the excitement and potential behind voice recognition technology. We are potentially witnessing a fundamental shift in the way we interact with our technology forever.

As we start integrating voice activated functionality into new smart devices and services we use on a daily basis, my primary concern isn’t one of convenience but of security.

As I wrote in this blog in September 2014, there is much work to be done in securing our digital devices from voice commands.

Most voice recognition technologies scan commands for meaning and then execute them. I believe there is a need for an additional step, one of authentication.

Does the person issuing the command have the authority to do so? When I ask the device to execute a command, does it validate that it is really me and not someone else?

As I demonstrate in the video below, it is quite simple to have a device act upon a voice command issued by a synthetic voice or by a third party that has access to the device, even remotely:

Video: Voice hacking a device

As Facebook and other leading companies add more voice activation technologies to their roadmaps, it’s important to realize that we are also increasing the number of services and devices that are potentially vulnerable to voice attacks. So, considering this, let’s build it with safety in mind.

Update on Red Hat Enterprise Linux 6 and FIPS 140 validations

Red Hat achieved its latest successful FIPS 140 validation back in April 2013. Since then, a lot has happened. There have been well publicized attacks on cryptographic protocols, weaknesses in implementations, and changing government requirements. With all of these issues in play, we want to explain what we are doing about it.

One of the big changes was that we enabled support of Elliptic Curve Cryptography (ECC) and Elliptic Curve Diffie-Hellman (ECDH) in Red Hat Enterprise Linux to meet the National Institute of Standards and Technology’s (NIST’s) “Suite B” requirements taking effect this year. Because we added new ciphers, we knew we needed to re-certify. Re-certification brings many advantages to our government customers, who not only benefit from the re-certification but also maintain coverage from our last FIPS 140 validation effort. One advantage of re-certification is that we have picked up fixes for BEAST, Lucky 13, Heartbleed, POODLE, and some lesser known vulnerabilities around certificate validation. It should be noted that these attacks are against higher level protocols that are not part of any crypto primitives covered by a FIPS validation. But knowing the fixes are in the packages under evaluation should give customers additional peace of mind.

The Red Hat Enterprise Linux 6 re-certification is now under way. It includes reworked packages to meet all the updated requirements that NIST has put forth taking effect Jan. 1, 2014, such as a new Deterministic Random Bit Generator (DRBG) as specified in SP 800-90A; an updated RSA key generation technique as specified in FIPS 186-4; and updated key sizes and algorithms as specified in SP 800-131A.

Progress on the certification is moving along: we’ve completed review and preliminary testing and are now applying for Cryptographic Algorithm Validation System (CAVS) certificates. After that, we’ll submit validation paperwork to NIST. All modules being re-certified are currently listed on NIST’s Modules in Process page, except Volume Encryption (dm-crypt). Its re-certification is taking a different route because the change is so minor that it does not need CAVS testing. We are expecting the certifications to be completed early this year.

Three resolutions that will change tech in 2015

As we come to the end of 2014, it is time to reflect on the developments of the last 12 months and also look ahead at what improvements we can make in the year to come.

Personally, there were three major issues in technology that caught my eye in 2014 and they form the basis for my New Year’s Resolutions for 2015.


Cybersecurity and privacy

2014 was a watershed year for cybersecurity and privacy issues, with security breaches impacting many of our most trusted brands, retailers and banks (Sony, Target, Home Depot and JP Morgan Chase, to name a few).

The good news is people are now more aware of online privacy. The bad news is that these attacks look to remain an issue for the foreseeable future.

In 2015, each of us has a responsibility to be the best digital citizens we can be, and do our part to protect ourselves, our privacy, our data and devices online. I’m getting involved through AVG’s Smart User Mission which aims to educate the next generation of connected people as they come online around the globe.

Photo Courtesy of Barbara Kinney, Clinton Global Initiative


As businesses, we have an ongoing responsibility to our customers to ensure their data is protected. That means upping our game in the increasingly changing and challenging cyber security environment.


Diversity in the tech industry

This important issue finally gained much-deserved attention in 2014. Over the past year, we’ve seen Silicon Valley’s first major reporting on diversity in the workforce, after some high profile prodding by civil rights champion Rev. Jesse Jackson. Among others, a book released by Stanford scholar Vivek Wadhwa on Innovating Women and Babson College’s report on VC funding for women entrepreneurs drew further attention to the disparity issues women face in tech.

While the diversity numbers are not pretty, the good news is that tackling the diversity issue in technology has gained momentum and has resulted in some positive actions, among them the Diversity 2.0 Summit, and the National Venture Capital Association has taken steps to increase opportunities for women and minorities.

I am looking forward to doing my part, and I am delighted to have been selected as a speaker at the 2015 SXSW Interactive program with a Core Conversation on “Boardroom or Baby” on March 14th.

Video: SXSW Talk – Boardroom or baby?

We’ve made good progress but, without doubt, there is much more to be done. I believe that in 2015 we should all make an effort to support diversity in technology. It can only bring benefits to everyone involved.


Boomers and technology

It’s hard to believe, but the last of the Baby Boomer generation (1946-1964) turned 50 this month. Last fall, the PBS series The Boomer List chronicled an amazing list of 50 people who represent the iconic generation and the impact they have had on culture and our lives, from arts and entertainment to science and technology, including Apple co-founder Steve Wozniak (below).

Though Boomers helped invent the digital age (and we get little credit for it), we are often viewed as neophytes and marketed to by tech companies as novices (if, in fact, at all).

Image courtesy of technmarketing.com


My final resolution for 2015 is to do what I can to change the way that technology talks to older generations. I’ll start by sharing new AVG research, along with my thoughts on the tech industry’s need to adapt to the new and different needs of this audience, during my talk on “The Fear Factor” at the 2015 International Consumer Electronics Show’s Lifelong Tech Summit on January 6 in Las Vegas. If you are attending CES, please come check it out.


Here’s to a very happy, healthy, fulfilling and safe 2015 for us all. I look forward to seeing you in the New Year!

AVG CloudCare wins VB100 antivirus award

AVG CloudCare™ is a platform that simplifies IT management for the small and medium-sized business. It protects devices, data and people with a set of flexible services that you can manage remotely from any web browser. Activate or deactivate services, roll out policies, install software, and simply take care of issues, all in a single platform.

The importance of independent reviews of products designed for SMBs is that these businesses do not have the time and resources, nor the inclination in many cases, to research which solution will give them the security and reliability that their business requires.

In large enterprises, teams of IT professionals evaluate multiple products and select based on the criteria that their business demands. In small organisations, the requirement to have a solution that answers the business needs does not change, but the ability to research the market does differ.

Most SMB organizations trust their IT security to a partner, a reseller or a consulting company that provides them the services and selection of products that an enterprise IT department would. The fact that the purchaser can easily validate the proposal from their IT partner by looking at which accolades and awards the offered solution has achieved makes the decision process much simpler.

VB100 is a comparative review conducted by Virus Bulletin, which puts antivirus solutions through their paces with rigorous testing. In this case the testing was for servers running Windows Server 2008 R2 SP1.

Try AVG CloudCare free for 30 days