Two-factor authentication – Extensive protection

“As a user, there is little one can do” is a statement often heard, followed closely by “everything was better offline”. However, there are in fact many possibilities to protect access to your data without having to be a technically gifted user.

Two-factor authentication enables extensive protection without neglecting usability. Its fancy name comes from the way it validates one’s identity: by verifying something s/he knows and something s/he has.

How does this work?

Users have login credentials to a website, usually consisting of an email address and a password. Anyone who tries to log in with this data is routed to another page where they must verify their identity once again with the secondary verification method. This is often a temporarily valid code sent via SMS to a previously defined number, similar to the mobile banking TAN procedure. Access to the data is only permitted following successful entry of this code. In the event of a data theft, the thief doesn’t have access to the victim’s cell phone (2nd factor) and the stolen information is thus worthless. The hackers won’t be able to access the account.

Some vendors offer additional ways to complete the extra verification, such as hardware tokens (USB crypto devices, SSL certificates, etc.). QR codes, which are scanned with a smartphone and generate a one-time code, are by now also broadly available. There are thus several possibilities for better safeguarding access without making it complicated and laborious.

We believe that the combination of a virus-free system and strong passwords, changed on a regular basis and used for that sole service, is vital. Two-factor authentication provides an additional major security bonus for one’s own data. Even if your account data has been stolen, your data is worthless for the hacker without the corresponding 2nd authentication method.

All the famous & common services offer two-factor authentication these days and we strongly encourage you to activate it too.

The post Two-factor authentication – Extensive protection appeared first on Avira Blog.

Scareware: It’s back, and now it’s even scarier

‘Scareware’ – fake antivirus programs which attempt to fool the user into downloading malware, by warning him or her of a “threat” on their PC – is back, with a new, even more annoying trick.

V3 reports that the new strain of scareware reverses a “dropping trend” in fake AV with a new way of making money – blocking the user from using the internet until they pay for the ‘product’.

Threatpost says, “Rogue antivirus was once the scourge of the Internet, and while this sort of malware is not entirely extinct, it’s fallen out of favor among criminals as users have become more aware and security products have gotten better at blocking the threat.”

Scareware: Antivirus that isn’t ‘anti’

Rogue AV is still found – indeed ESET has been repeatedly ‘honored’ with fake scareware versions of its products – but Microsoft reports that in the past 12 months, scareware had fallen out of fashion.

Variants on the tactic are still used, but the classic scareware warning inciting victims to download AV products that are, in fact, malware, is less common.

On Android, ESET researchers discovered a Trojan packaged to look like antimalware products: “This backdoor trojan, which ESET detects as Android/Spy.Krysanec, was found as a malicious modification of MobileBank (a mobile banking app for Russian Sberbank), 3G Traffic Guard (an app for monitoring data usage) and a few others, including our own ESET Mobile Security.”

Microsoft researcher Daniel Chipiristeanu says, “Lately we’re seeing a dropping trend in the telemetry for some of the once most-prevalent rogue families. It’s likely this has happened due to the anti-malware industry’s intense targeting of these rogues in our products, and better end-user awareness and security practices.”

Chipiristeanu says that “education” has played a part – but new gangs have simply moved on to new methods to target victims.

Stops you using internet – until you pay

“The big malware “players” are having more trouble in taking advantage of users paying for fake security products, and are moving away from this kind of social engineering, we are seeing other players willing to fill the gap. Rogue:Win32/Defru has a different and simpler approach on how to trick the user and monetize on it. Basically, it prevents the user from using the internet by showing a fake scan when using different websites.”

The malware targets 300 websites, and when a user tries to access them, they instead see the following fake message: “Detected on your computer malicious software that blocks access to certain Internet resources, in order to protect your authentication data from intruders the defender system Windows Security ® was forced to intervene.”

Naturally, the ‘cure’ is to pay, Threatpost says. Thus far, the malware largely targets Russian-speakers.

“An unsuspecting user, after receiving this warning more than a few times when browsing, might be inclined to click “Pay Now”. This will lead them to a payment portal called “Payeer” (payeer.com) that will display payment information (see Figure 3). But of course, even if the user pays, the system will not be cleaned,” says Chipiristeanu.

“The user can clean their system by removing the entry value from the “run” registry key, delete the file from disk and delete the added entries from the hosts file. Before paying for a product (either a security product or any other) make a thorough investigation to make sure that it is a legitimate product and it is not fake or a copy of a free one.”
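The hosts-file part of that clean-up can be checked mechanically. The following is an added example, not Microsoft's or ESET's tooling: it groups hosts entries by address, flags any non-local address that several site names have been pinned to, and writes a copy with only those mappings removed. The grouping heuristic, the threshold of 3 and the sample file (documentation address 203.0.113.10, .example names) are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (raw_line, ip, names); ip is None for comments and malformed lines."""
    for raw in text.lstrip("\ufeff").splitlines():
        fields = raw.split("#", 1)[0].split()
        try:
            ip = ipaddress.ip_address(fields[0]) if len(fields) >= 2 else None
        except ValueError:
            ip = None
        yield raw, ip, [name.lower().rstrip(".") for name in fields[1:]]


def flag_redirects(text, threshold=3):
    """Return {ip: [names]} for non-local IPs that several names are pinned to."""
    pinned = defaultdict(set)
    for _, ip, names in parse_hosts(text):
        if ip is None or ip.is_loopback or ip.is_unspecified:
            continue  # local names and 0.0.0.0 / 127.0.0.1 sinkhole entries
        pinned[str(ip)].update(n for n in names if n not in LOCAL_NAMES)
    return {ip: sorted(n) for ip, n in pinned.items() if len(n) >= threshold}


def remove_entries(text, bad_ips):
    """Drop only the mappings to bad_ips; keep comments and other lines as-is."""
    kept = [raw for raw, ip, _ in parse_hosts(text)
            if ip is None or str(ip) not in bad_ips]
    return "\n".join(kept) + "\n"


# Constructed sample hosts file (not taken from an infected machine).
SAMPLE_HOSTS = """\
# Sample hosts file
127.0.0.1       localhost
::1             localhost
192.168.1.5     nas.home            # LAN file server
203.0.113.10    www.search.example search.example
203.0.113.10    mail.example
203.0.113.10    social.example
"""

if __name__ == "__main__":
    flagged = flag_redirects(SAMPLE_HOSTS)
    for ip, names in flagged.items():
        print(ip, "<-", ", ".join(names))
    print(remove_entries(SAMPLE_HOSTS, flagged), end="")
```

Review the flagged list before removing anything: a single LAN address with several names is legitimate on some networks and would also be reported.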

The post Scareware: It’s back, and now it’s even scarier appeared first on We Live Security.

Flight MH370 – did cyber attack steal its secret?

Classified documents relating to the missing Malaysian Airlines Flight MH370 were stolen using a carefully-crafted spear-phishing attack, targeting 30 government officials just one day after the disappearance of the still-missing aircraft.

The Malaysian Star claims that the attack targeted officials with a PDF document which appeared to be a news report about Flight MH370, and was sent to a group of investigators. Around 30 computers were infected by the malware.

“We received reports from the administrators of the agencies telling us that their network was congested with e-mail going out of their servers,” CyberSecurity Malaysia chief exec Dr Amirudin Abdul Wahab said.

Flight MH370: ‘Confidential data’

“Those e-mail contained confidential data from the officials’ computers, including the minutes of meetings and classified documents. Some of these were related to the Flight MH370 investigation.”

Business Insider says that the attack occurred one day after the Boeing 777 went missing, and took the form of an .exe file disguised as a PDF (a common office file format).

It’s unclear who the attacker – or attackers – were, but information from infected computers was transmitted to an IP address in China. Officials in Malaysia blocked the transmission, The Star said.

‘Very sophisticated attack’

Department of Civil Aviation, the National Security Council and Malaysia Airlines were among those targeted by the hacker, the Telegraph reports. The infected machines were shut down, but “significant amounts” of information on Flight MH370 had been stolen.

“This was well-crafted malware that antivirus programs couldn’t detect. It was a very sophisticated attack,” Amirudin said.

CyberSecurity Malaysia suspects the motivation may have been curiosity about supposedly “secret” information held by the Malaysian government on Flight MH370.

“At that time, there were some people accusing the Government of not releasing crucial information,” Amirudin said. “But everything on the investigation had been disclosed.”

The post Flight MH370 – did cyber attack steal its secret? appeared first on We Live Security.

Geotagging: what your photos reveal about where you live

A recent project out of the University of Florida entitled I know where your cat lives highlights how easy it is to identify people’s home address based on the pictures of their cats, uploaded to popular photo sharing platforms such as Instagram or Flickr.

I know where your cat lives

Researchers from the University of Florida located, with an accuracy of 7.8 meters, the exact place where pictures tagged with the word “cat” were shot.

They started by extracting metadata (including the latitude and longitude of where the picture was taken) from a sample of 1 million images, accessible from publicly available APIs from popular photo-sharing websites. The photos were then run through clustering algorithms with the help of a supercomputer. The researchers then created a website, where cat images were superimposed on Google Maps, pinpointing their exact location. Well, that’s just purrfect…

I know where your cat will be 24 hours from now

Okay, chances are even you don’t know that (much less your cat). But that’s where the technology is heading. Two years ago, a team from Birmingham University developed an algorithm that successfully detected where a test sample of people were going to be 24 hours in advance… How did they do it? By combining information on where they’d been (think of every time you checked into Foursquare) with the past movements of contacts in their Smartphone’s address book.

How your address finds its way into your pictures

When taking a picture, information is stored in the form of Exif tags. These detail the camera’s model, the image’s resolution in pixels, the time/date the picture was taken… This type of metadata is typically fairly innocuous. However, as smartphones now include built-in GPS, Exif tags frequently include the longitude and latitude as well. This functionality is referred to as geotagging.

How to disable geotagging on your Smartphones

As your GPS is necessary for certain applications, we’re just going to show you how to remove geotagging when taking pictures.

If you’re an Android user:

  1. Access your phone’s camera application
  2. Select “Store location” on the left hand side, below “color effect”
  3. Switch off the geotagging

If you’re an iPhone user:

  1. Go to settings
  2. Select “Privacy”
  3. Select “Location Services”
  4. Find “Camera app” and switch it off

How to remove geotags from existing pictures

You can remove geotags from all your pictures with free software.

  • For Windows users:

Try Microsoft Pro Photo Tools version 2. This free tool enables you to easily edit or delete Exif tags from your digital photographs, including the GPS location.

It is also possible on Windows to remove Exif tags manually without installing additional software. For an overview of the process with step-by-step screenshots, please visit: www.technorms.com/38749/remove-personal-exif-information-from-digital-photos

  • For Mac users:

Try SmallImage or ImageOptim. Both tools are free and offer an easy drag-and-drop functionality for removing Exif tags.

Conclusion

Although privacy concerns over metadata are not new, the project I know where your cat lives did a great job of raising awareness for the problem. We recommend that you think carefully about what information you’re going to share (many users contacted the researchers at the University of Florida and asked them to upload their cat’s pictures and location to their map). If you are uncomfortable with sharing your location, please be sure to remove the Exif tags.

P.S. Avira developed a free tool to prevent companies from tracking your web activities. If you would like to learn more, please visit: www.avira.com/en/avira-browser-safety-lp

The post Geotagging: what your photos reveal about where you live appeared first on Avira Blog.

Browse the Internet smart and safely with Avira Browser Safety and SafeSearch

The features are called Avira Browser Safety (available for Chrome and Firefox) and Avira SafeSearch, and they both work as browser extensions.

Browse the Internet safely…

Why the focus on browsers? These days, as firewall protection has improved significantly, most malware and identity theft no longer come from e-mail attachments but instead come from infected websites exposing visitors to drive-by downloads, code injection, password-stealing Trojans, etc. Even perfectly legitimate sites can be temporarily compromised and website owners usually don’t even know their site has been hacked, so avoiding dodgy sites is no longer a guarantee that you won’t be infected.

Avira Browser Safety and Avira SafeSearch protect you and your privacy by blocking these website-based threats.

The new features work together to guide you to safe websites when you browse the Internet and warn you about harmful websites before you click on the links. They also block trackers and advertising scripts that are trying to profile your browsing activity.

… and smart

In addition to the security focus, when you are doing online shopping on e-commerce sites, Avira will notify you if the item you are looking at is available at a lower price on other sites.

This additional feature makes online shopping safer by directing you to e-commerce sites from our trusted partners—which Avira has checked out for their security and privacy policies. We have researched these merchants for you to make sure they have appropriate data privacy procedures, reasonable return policies, no history of payment complaints, and no aggressive third-party ad networks running on their sites. So you save money, time and avoid potential hassles.

In case anyone might be wondering if Avira needs to track users’ web browsing habits in order to present these shopping offers, the answer is NO. Avira just compares the product SKU that is on your screen at that moment against a list of inventory among our partners. Avira does not permanently track your web habits in any way and you will never receive a re-targeted advertisement because of us, nor will we ever sell your information to anyone.

Avira also earns a commission from these shopping referrals. We use these earnings to help support our 350+ engineers so that we can continue to offer you the world’s best security software (which earned a 100% perfect detection rate as measured by AV-TEST)—all for free.

Of course, if you’d rather not use Avira Browser Safety or Avira SafeSearch you can always turn them off. The rest of our software will keep on protecting you as before.

CONSTANT IMPROVEMENT

The introduction of Avira Browser Safety and Avira SafeSearch represents just the latest step in Avira’s constant improvement.

When we opened our doors in 1986, the definition of computer “security” meant stopping annoying but relatively benign programs that spread via floppy disks! By the late-1990s, security had evolved to include e-mail viruses, and the growing use of the Internet led to new forms of sending and contracting viruses, worms, Trojans and other malware. Professional spammers and organized crime syndicates took over from ‘recreational’ hackers in the mid-2000s, and introduced some of the first malware that actually stole credit card numbers and collected personal identity information.

To keep up with these changes in the nature of online threats, Avira constantly has to invent new technologies for detecting and disabling malware. You don’t even notice most of these innovations because they work behind the scenes.

The coders and virus hunters at Avira today are proud of the software that we have engineered for you, and we hope you’ll try out Avira Browser Safety (install for Chrome or Firefox) and Avira SafeSearch. Stay tuned for exciting future developments.

The post Browse the Internet smart and safely with Avira Browser Safety and SafeSearch appeared first on Avira Blog.

Traffic light – ‘easy’ to hack whole city’s systems

The most famous traffic light ‘hack’ in history is in the classic film, The Italian Job (1969), a caper movie where the heist involves paralyzing Turin via its traffic control system. The plan’s author, played by Michael Caine, says, “It’s a very difficult job and the only way to get through it is we all work together as a team. And that means you do everything I say.”

The reality, it turns out, is much easier – at least according to researchers at the University of Michigan, who say that networked traffic systems are left vulnerable by unencrypted radio signals and factory-default passwords, and that access to individual lights – or even a city-wide attack, as in the film – is possible, according to Time’s report.

“This paper shows that these types of systems often have safety in mind but may forget the importance of security,” the researchers write. Technology Review points out that Michigan’s system, which networks 100 lights, is far from unique. Similar systems are used in 40 states.

An attacker focused, like the film’s ‘crew’, on robbery could control a series of lights to give himself passage through intersections, and then turn them red to slow emergency vehicles in pursuit, according to the BBC’s report.

Traffic light: Blow the bloody doors off

“Once the network is accessed at a single point, the attacker can send commands to any intersection on the network,” the researchers write.

“This means an adversary need only attack the weakest link in the system. The wireless connections are unencrypted and the radios use factory default user-names and passwords.”

Traffic light controllers also have known vulnerabilities, and attacks could paralyze cities: a traffic DDOS could, the researchers suggest, turn all lights to red, and cause “confusion” across a city.

Lights ‘go green automatically’ as thief escapes

“An attacker can also control lights for personal gain. Traffic lights could be changed to be green along the route the attacker is driving,” the researchers write.

“Since these attacks are remote, this could even be done automatically as she drove, with the traffic lights being reset to normal functionality after she passes through the intersection.”

“More maliciously, lights could be changed to red in coordination with another attack in order to cause traffic congestion and slow emergency vehicle response,” they write. They also suggest measures including encrypted signals and firewalls which could improve current systems.

Perhaps a film reboot is in order: after all, the 1969 version ends with Caine saying, “Hang on, lads; I’ve got a great idea.”

The post Traffic light – ‘easy’ to hack whole city’s systems appeared first on We Live Security.

PIN number: Police want codes on ALL devices

Police hope to work with leading mobile phone manufacturers such as Samsung to build in the requirement for a password or PIN number as a default into new handsets, with the British police unit responsible for phone theft wanting to “target-harden” phones.

Currently, up to 60% of phones have no form of password protection, said the National Mobile Phone Crime Unit. This not only makes it easier to resell the gadgets, but hands over personal data – including, potentially, GPS data showing the locations of homes, as well as passwords and banking details, according to The Register’s report.

DCI Bob Mahoney of the NMPCU said, “We are trying to get [PIN number systems and other codes] to be set as a default on new phones, so that when you purchase it you will physically have to switch the password off, rather than switch it on.”

The NMPCU said in a statement to Motherboard that PIN-protected phones were less valuable to thieves.

PIN number: Less valuable to thieves

“We have been talking to the industry and government. This is one of the main ideas among a range of measures we are trying to push to protect personal data. All of the industry has been engaged at all levels – and government too.”

“We have intelligence that shows a phone with personal information is worth more than other mobiles, because the thief can sell it on to anyone who can make use of that info,” the DCI said.

“On an unlocked phone, you can find a person’s home address, home telephone number, their partner’s details, diary, Facebook and Twitter account. This allows thieves to know when a target is not going to be at home or perhaps use their details to set up banking loans. They could destroy a person’s life.”

‘This can destroy lives’

We Live Security has written a guide to securing mobile devices (including tips such as ensuring screen time-outs are lowered before a PIN number is required so a thief is less likely to get access to an ‘unguarded’ handset).

PR efforts from major phone companies tend to focus on novel protection methods such as biometrics, but Get Safe Online, a government organization focused on cyber safety, said that passwords, when rolled out widely, were an effective measure. “Fingerprint recognition offers a degree of safety, but there is still no substitute for a well-devised and protected password or PIN.”

Techradar said that Samsung had been in discussion with government. Mahoney said the discussions had been underway for two years and the “idea was gaining traction.”

Mahoney said, “If you have to get into the phone to switch something on, our research indicates people are less likely to do it. The industry are very supportive.”

The post PIN number: Police want codes on ALL devices appeared first on We Live Security.

CVE-2014-3528 (enterprise_linux_desktop, enterprise_linux_hpc_node, enterprise_linux_server, enterprise_linux_server_eus, enterprise_linux_workstation, opensuse, subversion, ubuntu_linux, xcode)

Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses an MD5 hash of the URL and authentication realm to store cached credentials, which makes it easier for remote servers to obtain the credentials via a crafted authentication realm.