STE WILLIAMS

Cloud Security Corporation Secures $2 Million Financing From Kodiak Capital Group, LLC

NEWPORT BEACH, Calif., Sept. 13, 2013 /PRNewswire/ — Cloud Security Corporation, (OTCBB: CLDS) a leading technology company focused on the next generation of Internet Security, announced that it has entered into a $2 million common stock purchase agreement with Kodiak Capital Group, LLC, a Newport Beach based institutional investor. The Company has agreed to file a registration statement with the U.S. Securities Exchange Commission (“SEC”) covering the shares that may be issued to Kodiak under the terms of the common stock purchase agreement. After the SEC has declared the registration statement related to the transaction effective, the Company has the right at its sole discretion over a period of one year to sell up to $2 million of its common stock to Kodiak under the terms set forth in the agreement. Proceeds from this transaction will be used to fund the company’s expansion and for general corporate purposes.

“We’re very thankful to Kodiak for this recognition,” commented Safa Movassaghi, Chief Executive Officer, of Cloud Security. “Kodiak shares our opinion that Cloud Security Corporation is well positioned in the rapidly developing internet security sector. With this capital infusion we will continue to develop and deploy innovative technology that improves cybersecurity.”

Under the terms of the agreement, there are no upper limits to the price that Kodiak may pay to purchase the Company’s common stock and this transaction in no way impedes or changes the Company’s goals. The Kodiak financing commitment simply strengthens the Company’s balance sheet and makes available an additional source of funding. Under the terms of the agreement, Kodiak has covenanted not to cause or engage in any manner whatsoever, any direct or indirect short selling or hedging of the Company’s shares of common stock.

Ryan Hodson, Managing Director of Kodiak, said, “After a successful week at Techcrunch and the Deutsche Bank Technology Conference we are pleased to formalize our partnership with Cloud Security Corporation; we are happy to add them to our growing disruptive technologies portfolio.”

About Kodiak Capital Group, LLC

Kodiak is an institutional investor headquartered in Newport Beach, CA. Kodiak makes private investments in public and private entities utilizing proprietary equity and debt instruments. These investments provide long-term strategic capital offering companies certainty, flexibility and consistency. Kodiak’s investments are in a wide range of industries emphasizing alternative energy, consumer products, life sciences, natural resources, and social media technology. For more information, visit www.kodiak-capital.us.

About Cloud Security Corporation

Cloud Security Corporation is an innovative cloud computing company that creates security, technology, and products. The Company develops products in the remote-access computing sector including enhanced security connections. Cloud Security Corporation has developed patent-protected remote access security devices such as MyComputerKey(TM). The Company also develops online application security products and is expanding into other verticals.

Article source: http://www.darkreading.com/management/cloud-security-corporation-secures-2-mil/240161279

Protect Sensitive Data And Keep Kids Safe Online 24/7 With BullGuard Identity Protection

SAN FRANCISCO, Sept. 12, 2013 /PRNewswire/ —

  • Identity Theft Protection: Continuous monitoring of the web and the “dark web” to safeguard personal and financial data
  • Social Media Protection: Helps parents unobtrusively monitor children’s activity online
  • Receive warnings immediately via email or SMS and react to them right away
  • Web-based service is accessible from any internet-connected PC, Mac, smartphone or tablet
  • Works alongside any existing security solution
  • 24/7 support and straightforward setup allows for fast and easy operation

BullGuard, the leading provider of user-friendly internet and mobile security solutions for consumers, has today announced the release of BullGuard Identity Protection, a new suite of security tools designed to guard against the growing number of threats that target internet and social media users.

Today, cybercrime is rampant and the number of attacks designed to steal sensitive information is growing at an exponential rate. This could include credit card, social security or passport numbers, date of birth, drivers license, personal login details and financial data, all designed to help would-be thieves gather information about a person’s identity for illegitimate purposes.

Social media users are also vulnerable. Younger users can easily be exposed to inappropriate content while malicious code is often stealthily embedded in linking web pages, ready to be activated by unsuspecting users.

BullGuard Identity Protection works alongside any existing internet security suite and ensures that both personal and financial information and your children’s social networking activities are protected against these threats.

By continually monitoring the web and the “dark web,” where personal data is traded and private information is accessed by third parties, malicious or inappropriate behaviour is clearly flagged for users to act against if necessary.

The Identity Protection module allows users to select the personal details they want protected, such as credit card numbers, bank account data, social security, phone numbers, usernames and passwords as well as the sorts of information detailed above. BullGuard then notifies users via email or SMS of any suspicious activity to help prevent fraud.

The Social Media Protection component helps parents keep an eye on a child’s Facebook profile without being intrusive and supports up to three monitored profiles. Activities that are selected as high risk, such as receiving inappropriate content (including photos and private messages), suspicious friends, or links to malicious websites, will be flagged and parents given the option to block any such communication from an account.

Alex Balan, Head of Product Management at BullGuard, says: “We’re all too well aware of the growing number of threats that are targeting internet users, and the popularity of social media sites such as Facebook has made it an increasingly attractive alternative for would-be cyber-criminals and cyber-bullies.”

“We developed BullGuard Identity Protection squarely with this in mind. It provides frequent and casual internet users with peace of mind because their data and their children’s activity, is monitored and kept safe.”

BullGuard Identity Protection is a web-based service and as such works on any device that has an internet browser. Monitoring and changing settings is as easy as logging into an account from any such platform. Supplied with BullGuard’s world-leading 24/7 support, new users will find it easy to get started with no software installation required. BullGuard Identity Protection costs just $4.95 per month, or $39.95 per year, a saving of $19.45 for the full year.

For more information visit www.bullguard.com

About BullGuard:

Launched in 2002, BullGuard is one of the fastest growing internet and mobile security brands. Today, its product portfolio also includes award-winning antivirus, premium 24/7 identity and social media protection, as well as PC and mobile backup software solutions. BullGuard’s philosophy has always remained the same – to combine technical excellence with a genuine understanding of consumer needs, creating simple, easy-to-use products that deliver complete protection, and to enable customers to control and manage their digital footprint.

For two consecutive years (January 2012 and 2013), BullGuard Internet Security has won a coveted “Best Buy” award from Which?. BullGuard Internet Security comes with an award-winning Antivirus program, Parental Control and Online Backup for your most valued files and precious photos.

Article source: http://www.darkreading.com/end-user/protect-sensitive-data-and-keep-kids-saf/240161297

57% of college students think their Facebook postings aren’t vile at ALL!

57% of college students view their Facebook postings through rose-tinted glasses, blithely seeing nothing inappropriate.

That’s a dangerous perception mismatch, given that at least one previous industry survey found that 69% of recruiters have rejected candidates because of what their social media personas reveal.

The figures concerning students’ blissful ignorance come out of a new study from Persona, a social media utility dedicated to helping Facebook, Twitter, and Google+ users protect their professional reputations.

According to the earlier industry survey about recruiters’ use of social media to screen job applicants, which was done in 2011 by the online image management company TrustedID Reppler and posted on CNN, out of about 300 recruiters surveyed, the vast majority – 91% – said that they trawl the internet to screen job candidates.

In fact, recruiters are nearly unanimous: Persona cites a 2012 Jobvite survey that found that 92% of recruiters planned to mine social media for recruiting.

So, where do college students get the idea that their postings are pristine?

It’s not ignorance at work: 71% of students surveyed by Persona believe that Facebook profiles are “influential” or “very influential” components of hiring decisions.

In spite of that, students aren’t clearing away their tracks. Some of the survey’s findings:

  • 55% “never” delete or untag inappropriate photos and posts, or do so only “once a year.”
  • 80% would feel “comfortable” or “very comfortable” if a recruiter examined their profiles.
  • 57% rely on privacy settings rather than actively monitoring their profiles.

Could it be that students aren’t aware of what, exactly, a potential employer might find objectionable with, for example, pictures of candidates face-down in their oatmeal after one too many?

Students, I’m here to help. Read on.

In an April 2012 write-up of a CareerBuilder survey of some 2,300 hiring managers, AOL Jobs’ David Schepp reported that those responsible for hiring were turned off by these categories of social media missteps:

  • Candidate’s provocative/inappropriate photos/comments: 49%
  • Candidate drinking or using drugs: 45%
  • Candidate had “poor communication skills”: 35%
  • Candidate bad-mouthed a previous employer: 33%
  • Candidate made discriminatory comments related to race, gender or religion: 28%
  • Candidate lied about qualifications: 22%

Sophos has recently been pumping readers full of tips on keeping safe on Facebook, plus some further tips and tricks for Facebook, like how to block someone, or remove certain posts.

If college students need further help with keeping safe on Facebook, as in, keeping safe their chances of ever getting hired, it would behoove them to take a peek at one site that collates truly embarrassing Facebook postings.

If anything on that site raises a sense of déjà vu, you’ve got some cleaning up to do.

It’s not just students who need to be taken to task, here.

None of us should trust privacy settings to block all the inadvisable things our friends post.

We should all be actively monitoring our online presences, including deleting or untagging inappropriate photos and posts on a regular basis.

Have I done that recently? Well… Uhhh… Hmm….

Excuse me, I have a bit of work to do.

Image of party guy and Facebook screenshot courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/JJFNsBH-EjA/

Would you believe it? Women more in favour of porn filters than men

Three quarters of UK women support the Government’s proposals to make internet porn ‘opt-in’, according to a new survey from market research company Kantar.

The study, reported by The Telegraph and others, also discovered that two-thirds of women feel that new laws are required to deal with the problem of online trolling.

When Kantar asked whether people were in favour of the internet porn opt-in proposals they found, perhaps unsurprisingly, that the response from men was not so in line with the Government’s plans. Here’s what they discovered:

Men
43% in favour of ‘opt-in’ porn proposals
23% ‘strongly’ in favour

Women
75% in favour of ‘opt-in’ porn proposals
59% ‘strongly’ in favour

Mothers were discovered to be especially concerned about porn with 71% in favour of better internet controls to protect their children, whilst only 57% of childless women backed such plans. Older women were found to feel even more strongly as 94% of the over 65s who were questioned said they supported the opt-in proposals.

Anti-trolling laws

We all know how unpleasant and damaging trolling can be to those on the end of it. 7% of the women in this particular sample had suffered some sort of trolling, and a whopping 83% said that new legislation is required to tackle the trolling problem.

But as before, it’s women who feel more strongly about the proposals, with 67% of women backing new laws in comparison to just 48% of men.

Dr Michelle Harrison, chief executive of Kantar, had this to say:

For some time the concerns around internet porn and its impact on children have been growing, but we are now reaching something close to a tipping point on the need to act. Women, and particularly mothers, are anxious about its effects. Alongside this is recognition that internet trolling can have a devastating effect on young people. Once again, this ‘new’ media is old enough for it to have become a mainstream issue at the heart of public policy.

The online poll, which used a representative sample of 1,234 people, also discovered that women especially felt that social media companies could play a bigger role in tackling online bullying and trolling, with 91% of women feeling that organisations such as Twitter and Facebook could be more proactive in tackling trolls and bullies.

There was some rough equality in the views on the causes of cyber bullying, with some 72% of women and 64% of men saying that they believed websites and social networks that allowed anonymous posting actually contribute to cyber bullying and trolling.

Will porn filters and trolling laws actually work?

We asked you back in July whether you thought web censorship plans would make kids safer and your responses were resoundingly ‘No!’

There is a cultural and education issue here that the UK Government plans to address around children’s sex education and the dangers of the internet.

Despite the strong feeling unearthed by Kantar’s survey, I do wonder how the Government will tackle parents’ concerns with viable and effective control and policing.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/z5j_qtfp5d0/

‘Who knew in 1984 that Steve Jobs would be Big Brother?’

Supercharge your infrastructure

Quotw This was the week when Linus Torvalds, chief Penguin of LinuxLand, unleashed not one, but two mighty rants on the interwebs. First, Torvalds said he resented recent attacks on the integrity of the kernel’s security.

This came after a petition, purportedly from a lad from Yorkshire, called for the kernel’s use of the Intel processor instruction RdRand for generating random numbers to be pulled, on the grounds that it could be influenced by US spooks to produce cryptographically weak values.


He branded a petition asking for it to be pulled “ignorant”. In a comparatively restrained rant, he said:

Where do I start a petition to raise the IQ and kernel knowledge of people? Guys, go read drivers/char/random.c. Then, learn about cryptography. Finally, come back here and admit to the world that you were wrong.

Short answer: we actually know what we are doing. You don’t.

Clearly, that little episode was enough to ramp his irritation up to its max, because the next time he lost it, he really lost it. Replying to a debate about ARM systems-on-a-chip (SoC) and how they need to be handled under Linux 3.12, he said:

I still really despise the absolute incredible sh*t that is non-discoverable buses, and I hope that ARM SoC hardware designers all die in some incredibly painful accident.

So if you see any, send them my love, and possibly puncture the brake-lines on their car and put a little surprise in their coffee, ok?

Speaking of US spooks, the NSA apparently can’t believe how easy we all make it for them to spy on us, according to the latest revelations. New documents detailed by Spiegel Online refer to the ease of getting data through iPhones, BlackBerrys and Android mobes with one analyst presentation talking about how extensive surveillance methods against fanbois already are:

Who knew in 1984 that [Steve Jobs] would be Big Brother and the zombies would be paying customers?

In other iPhone news this week, Apple had a typical song-and-dance introduction to its latest iMobes, the 5S and 5C, though they don’t seem to have blown anyone’s socks off. In fact, some folks are actively against them, including the Free Software Foundation, which reckons that the new fingerprint recognition feature is an absolutely terrible idea. Executive director John Sullivan said:

We can’t imagine a more hostile reaction to the wave of privacy concerns sweeping the world right now than debuting a proprietary, network-accessible fingerprint scanner as your new ‘feature’.

Apple has given us new hardware with the same old restrictions, allowing only Apple-approved software, putting users – along with their data, their privacy, and their freedom of expression – at the mercy of programs whose operations are secret and demonstrably untrustworthy.

But others, like Rik Ferguson, veep of security research at Trend Micro, thought the privacy concerns were a bit overegged:

Why is a fingerprint sensor on an iPhone such a violation of privacy when laptops have featured them for years and no one even blinked? Giving our fingerprints to Wintel PCs and various border control for years but Apple = NSA? This is crazy.

This was also the week when Intel came to tell us that Moore’s Law is not dead after all, because it’s got the first 14-nanometre PC. CEO Brian Krzanich said at the Intel Developer Forum:

This is it, folks. Fourteen nanometres is here, it’s working, and will be shipping by the end of this year.

While Intel president Renée James added:

Moore’s Law has been declared dead at least once a decade since I’ve been at Intel and as you know – you heard from Brian – we have 14 nanometre working and we can see beyond that. I assure you it’s alive and well.

And finally, Britain’s favourite guy-with-animals-off-the-telly David Attenborough has claimed that humans have managed to stop the process of natural selection:

I think that we’ve stopped evolving. Because if natural selection, as proposed by Darwin, is the main mechanism of evolution – there may be other things, but it does look as though that’s the case – then we’ve stopped natural selection.

We stopped natural selection as soon as we started being able to rear 95-99 per cent of our babies that are born. We are the only species to have put a halt to natural selection – of its own free will, as it were.

But fear not. While we might not be getting telepathic powers or doing some other cool thing with that unused bit of brain we cart around, it’s not time to despair yet:

Stopping natural selection is not as important, or as depressing, as it might sound – because our evolutionary process is now cultural.

Humans have a great cultural inheritance as well as a physical, genetic inheritance – we can inherit a knowledge of computers or television, electronics, aeroplanes and so on. Each generation has got all these books that tell them these things, so our cultural evolution is proceeding with extraordinary swiftness. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/13/quotw_ending_november_13/

French ministers told to use only secure comms post-PRISM


French newspaper L’Express has published a memo it says comes from Christophe Chantepy, chief of staff to French prime minister Jean-Marc Ayrault, and which recommends French cabinet ministers stop using smartphones for phone calls because they are not secure.

The paper’s report includes three images of the memo, one for each of its pages.


Native French speaker Elodie Quievre, who works in the office where Vulture South camps, was kind enough to translate all three and we rammed L’Express’ report through Google and Bing to help out.

Dated August 19th, the memo opens by referring obliquely to recent Snowden-related events and suggesting they make now an ideal time to “remind elementary rules which must be applied within the administration.”

Those rules state the following:

  • BYOD is forbidden
  • Mobile phones are a bad idea: landline phones secured by Thales’ TEOREM technology for voice calls are a far better idea
  • Smartphones should be secured by French spook house ANSSI before being used for anything
  • ANSSI will make sure you encrypt everything
  • TXT? Fuggedaboutit!
  • Intranet-based secure email is mandatory for even low-level secrets
  • Computers and phones should be in the same room as ministers when overseas, and beware snooping when abroad
  • Twelve-character passwords please, using letters and numbers, changed every six months and use different passwords for personal and work devices please!
  • Are you sure that attachment is safe to click on? Don’t unless you are.

Cabinet ministers are busy folks who may not encounter basic infosec advice often, so the suggestions in the document don’t look like evidence France has been caught with its pants down. The mere fact the memo was issued, and the fact it says it will be backed up by an official ANSSI edict, does however show that Edward Snowden’s revelations have made at least one nation feel it is time to get the basics right among a user population that represents an obvious target. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/13/french_ministers_told_to_use_only_secure_comms_postprism/

Huawei CTO insists: ‘We are not a threat to UK and US national security’


Exclusive A top Huawei exec has dismissed claims that his company poses a threat to British and US national security – despite Western government officials’ fears over Huawei’s alleged connections to the Chinese Communist Party.

Professor Sanqi Li – speaking in an exclusive interview with The Register at the multinational’s R&D centre in Stockholm, Sweden – repeatedly attempted to paint a picture of a benign company that simply deals with “packet in, packet out”.


When pressed about Parliament’s concerns that Huawei may have too much control over Blighty’s critical infrastructure and communications systems – based on claims that the company’s chairman (and erstwhile member of the People’s Liberation Army) Ren Zhengfei was helping Chinese authorities to spy on the Western world – Li said: “No, we are not a threat”.

He added: “There’s no substance, just more speculation.”

Li, the company’s Carrier Business Group CTO, said Huawei, which provides equipment to Britain’s one-time national telco BT, was an easy target because it is a Chinese company that operates in the Western world. But he insisted fears of compromised national security presented an industry-wide problem for all tech outfits.

“Because of the internet technologies and the security issues with the new digital age, it becomes much more challenging than what people originally expected,” Li said in a clear nod to this year’s NSA-GCHQ scandal: “Now you’ve seen what’s happened recently.”

He continued: “People thought the infrastructure was the corner point of the security, but it’s actually in the data centres and the devices… It’s a great challenge. Huawei’s position has always been, how to join the community of the world, work together to find the way to solve these security issues.”

Li said that the entire industry was having to deal with the fact that different countries and different governments had different controls, rules and regulations. But he described those challenges as being “secondary” to working with the open community to develop standards that help “to solve the security issue”.

But what of the specific allegations that Huawei helps the Chinese government’s espionage programme?

Li insisted that his company simply provides the kit to operators who then manage those systems.

“Yes, data are passing through the Huawei equipment from a network perspective… packet in, packet out. But it doesn’t store the data. We do develop the products to enable carriers to operate the network… most of the intelligence in the data centre is where the data is stored.”

He added: “We are the provider of network infrastructure to a great extent. People may have misunderstood a lot of things.”

More recently, however, Huawei has moved into the consumer devices market by developing its own range of smartphones, for example. The company’s CTO told us – as recently proved by Microsoft’s planned buyout of Nokia – it’s hard to survive on one technology now. Li said that infrastructure, cloud and devices were key for vendors in today’s market.

Li told us he was surprised to hear about claims that some unnamed tech companies based in the US and abroad were alleged to be collaborating with spooks to build backdoors into their equipment.

“I’m glad people recognise the issues are much more complicated in this new digital economy. How do you set the rules, the governance, the policy? It’s still unknown,” he said.

Li said that having so many apps located in the cloud meant that companies – such as Yahoo! and Google – were “exposed more in the data centre”.

He repeatedly claimed that Huawei was simply a provider of equipment to carriers. Li said he was routinely asked the same question about whether the company had provided entry points into its gear for China’s government to listen in.

“‘You are a Chinese company, you’re Huawei’, people say, but it’s a challenge to all.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/13/huawei_sanqi_li_says_no_national_security_threat/

Countering Attacks Hiding In Denial-Of-Service Smokescreens

Denial-of-service attacks have long been considered the blunt wooden club of online hazards, a multi-gigabit stream of shock and awe.

Yet, increasingly the noisy attacks are being used to hide more subtle infiltrations of a target’s network. A number of financial institutions, for example, have been targeted by distributed denial-of-service (DDoS) attacks immediately following a wire transfer, according to security firms familiar with the cases. The attacks, generated by computers infected with the DirtJumper DDoS malware, attempt to disrupt any response to the fraudulent transfer of funds, which are usually in the six-figure dollar range, according to a report by Dell Secureworks published in April.

“The analogy is signal jamming,” says Kevin Houle, director of threat intelligence for managed security provider Dell Secureworks. “To the extent that you can use the DDoS attack to cause chaos electronically, to prevent access to particular systems during an attack, the tactic has proven successful.”

While DirtJumper has focused on causing chaos immediately following money transfers, the technique could be generalized to other attack scenarios. A variation of the attack has been used by Iranian hacktivist groups to disrupt the online operations of U.S. financial institutions by hiding more subtle application-layer attacks within larger packet floods. And South Korean companies were flooded with data while malware deleted information on organizations’ servers.

“Your goal is to sow confusion,” says Vann Abernethy, a senior product manager at NSFOCUS, a DDoS mitigation firm. “A DDoS attack is designed to get your IT department to run around like their hair is on fire.”

[While distributed denial-of-service attacks topping 100 Gbps garner the headlines, they are not the threat that should worry most companies. See Large Attacks Hide More Subtle Threats In DDoS Data.]

In addition, noisy DDoS attacks could attract more attackers, says Terrence Gareau, principal security architect for Prolexic, a DDoS mitigation firm. A very public attack could convince other groups to attempt their own operations in the chaos, he says.

“If it’s a very public attack, then there is a high probability that other opportunistic attackers could take part as well,” Gareau says. “Opportunistic criminals will say, wow they are under a DDoS attack, so let’s look at the network and see what changes have been made.”

Companies need to structure their response group to handle a large infrastructure attack, but not be blinded by the influx of alerts to their system. Like magicians, the goal of the attackers is to force the security staff to only pay attention to a distraction to keep them from discovering the actual trick.

“You almost have to have a team that deals with the infrastructure attack, and a separate group that goes into hyper-vigilance to find any other attacks coming in,” says NSFOCUS’s Abernethy.

A third-party provider, who can use intelligence from attacks on other customers to more quickly identify new attacks, can help eliminate much of the inbound attack traffic, dialing down the volume of alerts that the security team has to process. The level of alerts seen by a security team during a denial-of-service attack can increase by an order of magnitude. Filtering them out at the edge of the Internet can greatly reduce the impact on a business’s network and employees.

“If you don’t have to have all those alerts on your network, you can pay attention to what matters,” Prolexic’s Gareau says. “Using a third-party mitigation provider can significantly reduce the noise.”
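The two-track response described above (one group absorbing the infrastructure attack, another staying vigilant for the real intrusion, with the flood noise filtered down) can be expressed as alert triage. The following is an added example, not code from the article or from any of the vendors it quotes: it parses a constructed alert log, flags any minute whose alert volume is an order of magnitude above baseline as a flood window, collapses volumetric alerts in that window to counts, and routes everything else (here a wire transfer and an admin login) to a review queue. The alert type names, log format and sample lines are all assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Alert types treated as the volumetric "smokescreen". The labels mirror the
# DirtJumper techniques the article lists (GET/POST floods, IP floods, UDP
# floods); the exact names are constructed for this example.
VOLUMETRIC = {"http_get_flood", "http_post_flood", "ip_flood", "udp_flood"}

# One alert per line: ISO timestamp, emitting system, alert type, key=value fields.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)(.*)$")


def parse_alert(line: str):
    """Turn one constructed alert line into a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, source, etype, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    # Bucket by minute (YYYY-MM-DDTHH:MM) so volume can be compared to a baseline.
    return {"ts": ts, "minute": ts[:16], "source": source, "type": etype, **fields}


def triage(lines, baseline_per_minute: int):
    """Separate flood noise from the alerts an analyst must still read.

    A minute whose alert count is at least ten times the normal rate (the
    order-of-magnitude jump the article describes) is treated as a flood
    window. Inside such windows, volumetric alerts are collapsed to counts and
    every other alert goes to a review queue, so the team watching for the
    real intrusion is not buried under the flood.
    """
    per_minute = defaultdict(list)
    for line in lines:
        alert = parse_alert(line)
        if alert:
            per_minute[alert["minute"]].append(alert)

    flood_minutes = sorted(
        minute for minute, alerts in per_minute.items()
        if len(alerts) >= 10 * baseline_per_minute
    )
    flood_summary = Counter()
    review_queue = []
    for minute in flood_minutes:
        for alert in per_minute[minute]:
            if alert["type"] in VOLUMETRIC:
                flood_summary[alert["type"]] += 1
            else:
                review_queue.append(alert)
    return {
        "flood_minutes": flood_minutes,
        "flood_summary": dict(flood_summary),
        "review_queue": review_queue,
    }


# Constructed sample: a quiet minute, then a minute with 25 flood alerts that
# also contains a large outbound wire transfer and an unusual admin login.
SAMPLE_LOG = [
    "2013-09-13T09:59:10Z ids port_scan src=198.51.100.9 dst=203.0.113.10",
    "2013-09-13T09:59:40Z auth login_failed user=jdoe src=203.0.113.21",
]
SAMPLE_LOG += [
    f"2013-09-13T10:00:{i:02d}Z ids udp_flood src=198.51.100.{i + 1} dst=203.0.113.10"
    for i in range(20)
]
SAMPLE_LOG += [
    f"2013-09-13T10:00:{i:02d}Z waf http_get_flood src=198.51.100.{i + 1} dst=203.0.113.10"
    for i in range(5)
]
SAMPLE_LOG += [
    "2013-09-13T10:00:05Z banking wire_transfer_initiated account=ACME-001 amount=250000",
    "2013-09-13T10:00:09Z auth admin_login user=svc_ops src=203.0.113.55",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG, baseline_per_minute=2)
    print("flood minutes:", result["flood_minutes"])
    print("flood summary:", result["flood_summary"])
    for alert in result["review_queue"]:
        print("REVIEW", alert["ts"], alert["source"], alert["type"])
```

Alerts outside a flood window are left to the normal process; the point of the split is that during the window the 25 flood alerts become two counters while the wire transfer and the admin login stay individually visible, which is exactly what the smokescreen is meant to prevent.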

Yet, attacks that use a variety of traffic and techniques in a short time period can cause problems for denial-of-service mitigation firms, says Lance James, head of intelligence for Vigilance, a threat information firm that is now part of Deloitte.

“They are not perfect,” James says. “We still see major banks going down. But they do well against long period term DDoS attacks.”

While DirtJumper, also known as Drive, is not the only botnet that is used for combined attacks, it is a popular one. DirtJumper has a half dozen ways of attacking infrastructure, including flooding Web sites with GET requests and POST requests, targeting infrastructure with two types of IP floods, and using UDP packets to slow down networks.


Article source: http://www.darkreading.com/threat-intelligence/countering-attacks-hiding-in-denial-of-s/240161237

WordPress issues security fixes, advises “update your sites immediately”

Mega-popular blogging and content management system WordPress has just put out version 3.6.1.

Since it’s a maintenance release (an update from 3.6), it doesn’t have a huge raft of new features, but it does fix three security holes.

One of them is a Remote Code Execution vulnerability reported by a young Belgian web application security researcher named Tom Van Goethem.

Now that the fix is out, Van Goethem has published a very detailed description of the bug and the steps he went through to uncover it.

He also mentions that, by using a popular plugin, he was able to go from vulnerability (“there’s a hole, and it could be risky”) to exploit (“here’s how to use the vulnerability for unauthorised access”).

Fortunately, however, he hasn’t gone down the complete-and-total disclosure route, stopping short of giving you a working exploit, and saying:

Due to ethical considerations, I will not disclose a Proof of Concept of this exploit at this time, as there are too many vulnerable WordPress installations out there.

Van Goethem’s bug relates to PHP serialisation.

That’s where you take data, and perhaps even code, from a programming environment, and convert it into text string representation.

This means it can easily be saved, moved around on a network, and restored later.

It’s called serialisation because even data structures that have a complex layout in memory, such as arrays and tables, end up as a linear (i.e. serial) stream of bytes.

Going back from a serialised text string to live, run-time data inside a program is, unsurprisingly, known as unserialisation.

Any software that inadvertently passes unfiltered, remotely-supplied data into an unserialisation function is taking a bit of a chance, and that’s what was happening inside WordPress.

By the time you get round to validating that unserialised data, it already exists as a live data structure inside a live run-time environment: that’s a bit like dry-firing a handgun as a way of satisfying yourself that it isn’t loaded.
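To make the serialised-text idea concrete, and to show what the validation step has to happen *before* unserialisation looks like, here is an added example (not WordPress code and not Van Goethem's) written in Python: a small parser for PHP's own serialize() text format. It accepts the plain-data tokens (null, bool, int, float, string, array) and refuses the object tokens, because an object token is exactly what turns a decoded string into live code paths (a class's own wake-up or destructor logic running) rather than inert data. The sample payloads are constructed.

```python
"""Minimal reader for PHP's serialize() text format (constructed example).

Token forms handled:   N;   b:1;   i:42;   d:3.5;   s:3:"foo";   a:2:{...}
Refused on purpose:    O:... (object) and C:... (custom-serialised object)
"""
from typing import Any, Tuple


class UnsafePayload(ValueError):
    """Payload names a class that PHP's unserialize() would instantiate."""


def _parse(buf: bytes, pos: int) -> Tuple[Any, int]:
    """Parse one value starting at buf[pos]; return (value, next_pos)."""
    tag = buf[pos:pos + 1]
    if tag == b"N":                              # N;
        return None, pos + 2
    if tag in (b"b", b"i", b"d"):                # b:1;  i:42;  d:3.5;
        end = buf.index(b";", pos)
        raw = buf[pos + 2:end]
        if tag == b"b":
            val = raw == b"1"
        elif tag == b"i":
            val = int(raw)
        else:
            val = float(raw)
        return val, end + 1
    if tag == b"s":                              # s:<bytelen>:"<bytes>";
        colon = buf.index(b":", pos + 2)
        length = int(buf[pos + 2:colon])
        start = colon + 2                        # skip :"
        data = buf[start:start + length]         # length is in bytes, as in PHP
        if buf[start + length:start + length + 2] != b'";':
            raise ValueError("bad string terminator at offset %d" % pos)
        return data.decode("utf-8"), start + length + 2
    if tag == b"a":                              # a:<count>:{<key><value>...}
        colon = buf.index(b":", pos + 2)
        count = int(buf[pos + 2:colon])
        p = colon + 2                            # skip :{
        out = {}
        for _ in range(count):
            key, p = _parse(buf, p)
            val, p = _parse(buf, p)
            out[key] = val
        if buf[p:p + 1] != b"}":
            raise ValueError("bad array terminator at offset %d" % p)
        return out, p + 1
    if tag in (b"O", b"C"):
        # This is the check that has to run before, not after, unserialising.
        raise UnsafePayload("object token %r at offset %d" % (tag, pos))
    raise ValueError("unknown token %r at offset %d" % (tag, pos))


def safe_unserialize(payload: str) -> Any:
    """Decode a PHP-serialised string into plain Python data, refusing objects."""
    buf = payload.encode("utf-8")
    value, end = _parse(buf, 0)
    if end != len(buf):
        raise ValueError("trailing data after offset %d" % end)
    return value


def is_safe(payload: str) -> bool:
    """True if the payload carries plain data only (no class names anywhere)."""
    try:
        safe_unserialize(payload)
        return True
    except UnsafePayload:
        return False


if __name__ == "__main__":
    # Constructed samples: what serialize() emits for a PHP array, and a
    # payload that names a class (stdClass, chosen here because it is harmless).
    plain = 'a:2:{i:0;s:3:"foo";s:3:"bar";i:42;}'
    objectful = 'O:8:"stdClass":1:{s:1:"x";i:1;}'
    print(safe_unserialize(plain))   # {0: 'foo', 'bar': 42}
    print(is_safe(objectful))        # False
```

The design point is the order of operations: the text is inspected as text, and anything that would become more than data is rejected before any unserialisation routine touches it. In PHP itself the equivalent defences are to carry remotely supplied data in a format that cannot encode objects at all (JSON via json_decode) or, on PHP 7 and later, to call unserialize() with the allowed_classes option set to false.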

WordPress, which currently claims more than 7,500,000 million downloads, has unsurprisingly suggested that “you update your sites immediately.”

Note. Sophos Naked Security and the Sophos Corporate Blog are hosted on WordPress.com VIP servers. These servers were already updated by the time we received the advisory email from WordPress [2013-09-12T13:24Z].

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/JHFACu5VdJQ/

Police probe second news group over phone hacking

Police are investigating yet another British newspaper group in the phone hacking scandal that was brought to us courtesy of the now-defunct News of the World and its parent company, News International.

On Thursday, news group Trinity Mirror said that the police were investigating whether the company was criminally liable for allegations of “unlawful conduct” by ex-employees of the Sunday Mirror, according to the New York Times, among other sources.

The Wall Street Journal reports that Trinity Mirror, which owns the British tabloid, said that London’s Metropolitan Police are investigating possible criminal liability for alleged illegal phone hacking carried out at the Sunday Mirror.

Trinity Mirror said in a statement that it’s not accepting wrongdoing and that it’s too early to be able to predict where this all will go:

The Group does not accept wrongdoing within its business and takes these allegations seriously. … It is too soon to know how these matters will progress, and further updates will be made if there are any significant developments.

Media mogul Rupert Murdoch closed his tabloid, The News of the World, in July 2011 after it came to light that its employees had hacked into mobile phone messages of Milly Dowler, a teenager who had been abducted and was later found murdered.

In March 2013, London police announced that they had arrested four journalists or former journalists of the Mirror Group Newspapers on suspicion of phone hacking.

According to the Wall Street Journal, police on Thursday put out a statement saying that they’re investigating a “suspected conspiracy” that “mainly concerned the Sunday Mirror newspaper in 2003 and 2004”.

Beyond phone hacking, Metropolitan Police are also investigating allegations that journalists hacked computers or bribed police or public officials as they sought information.

Police are also investigating whether the arrested journalists’ employer bears corporate responsibility for any wrongdoing.

Prosecutors said on Thursday that they’re charging Ben O’Driscoll, former Deputy News Editor at News Corp’s tabloid, the Sun, with one count of conspiracy to commit misconduct in public office.

They also alleged that between 2007 and 2011, Mr O’Driscoll “authorised payments of at least £5,000 to public officials, including police officers and employees of Broadmoor secure hospital, in exchange for information,” including information about the health of Broadmoor patients, according to the Wall Street Journal.

So how does phone hacking work?

It can actually be fairly simple, as mobile phone security expert David Rogers of blog.mobilephonesecurity.org explained after the tabloid fiasco initially erupted.

It’s not really “hacking” at all, Rogers said at the time.

Rather, the misdeeds have to do with illicit access to voicemail messages.

Many of the problems that arose from journalists getting their hands on voice messages have to do with well-known, default PINs for voicemail access, he said.

He gives a pair of homework assignments for finding out what the remote access number is for your voicemail and how simple it might be for somebody to “hack” your number by simply calling and entering a default PIN (which can be as simple as the last digits of your phone number, for example).

Call yourself and see what happens. Let us know how easy it is to hack your voicemail in the comments below, and then go change that default PIN!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/6_GyE3WBzNY/