Category Archives: AVG

AVG

AVG

How safe are one-time passwords?

Most people have dozens of passwords, for dozens of online accounts.  At times it can be tricky to remember them all, as best practice says they should all be slightly different.

If you’re one of these many people, Yahoo’s recent announcement may get you excited. Earlier in March, Yahoo revealed an innovative idea that would mean we never have to remember a password again.

The concept is very simple. By selecting to use one-time passwords in your account settings, the next time you login it will send a password to your phone that you can use to login in with via a SMS.

While this seems very convenient, is it secure?

Generally speaking, there are three types of authentication in use today

  • ID and Password
  • ID, Password, Verification Code (using SMS)
  • Two Factor authentication using ID, Password and another device providing a unique password

The Yahoo solution seems to be half way between the least secure option A and Option B.

Sending a password on demand to a device is a step in the right direction, but there may be other security risks involved when transmitting data over SMS and to a potentially unprotected device.

The phone may not have a passcode and could be infected with malware that reads the SMS. This could mean the email account and all the data inside gets compromised.

If you do want to enable one-time passwords, I would recommend you have both of these: a passcode and AVG AntiVirus for Android on the phone to keep yourself protected.

 

What would I do differently?

Using the mobile device to add another layer of security is a smart idea as most people have one. Most of us also use apps regularly and if you’re a Yahoo user then you probably have the Yahoo app.

I would change the delivery method of the password from SMS and instead deliver it, in an encrypted format, via their own app.

On top of this, the Yahoo app with this one-time passwords enabled should require the device to have PIN security.

This would mean that an attacker would need the ID, the phone and the PIN in order to access the account. The app could even go further and check for the presence of an Anti-Virus product to ensure that it’s being scanned regularly.

It could be that there are currently technical limitations with one-time passwords, and that in the future we’ll see a lot more secure and comprehensive process.

My top advice right now though is if you’re going to use this service then be sure to have a security app and a PIN on your phone so you can help ensure that the password is being sent to a secure device.

Follow me on Twitter @tonyatavg

 

AVG

Backlash against the “Selfie Stick”

If you’ve been to a museum or tourist attraction recently you’ll have likely seen the now ubiquitous “selfie stick” in action. Users say the sticks provide better perspective and help avoid the fish-eye view of the hand-held phone camera. You could even argue that it’s also more secure than handing your valuable camera or phone over to a stranger(although I don’t know that there is much from preventing someone dashing by and snatching your stick along with your smartphone).

However the backlash against selfie sticks has appeared almost as quickly as the trend itself.

Many museums and other institutions are now taking the matter into their own hands and banning selfie sticks. For example, the Forbidden City in China joined the Palace of Versailles and Britain’s National Gallery, which both announced bans this past week. London’s National Gallery said it outlawed the “Narcisstick” in order to “protect paintings, individual privacy and the overall visitor experience”.

Earlier this month in the U.S., the Smithsonian museums in Washington also banned selfie sticks. Cameras and pictures are still allowed, but selfie sticks, tripods and monopods are not.

In a statement, the Smithsonian said, “For the safety of our visitors and collections, the Smithsonian prohibits the use of tripods or monopods in our museums and gardens. Effective today, March 3, monopod selfie sticks are included in this policy.” You can see the full statement here.

Other U.S. museums that ban selfie sticks include the Art Institute of Chicago, and New York’s Museum of Modern Art.  As do other international favorites such as the Uffizi in Florence and the Colosseum in Rome. A Collosseum spokesperson noted that the twirling around of hundreds of sticks can become unwittingly dangerous when “fully extended with outstretched arms, the devices take up over half the width of the monument’s interior corridors.”

Selfie Stick

Image courtesy of the BBC

 

In Canada, the Montreal Museum of Fine Arts and the Pointe-à-Callière Archaeology Museum called the stick the “wand of narcissism” when it placed it on the do not enter list.

The consensus among critics is that selfie sticks are obnoxious and a danger as well as a privacy concern.

The additional field of view that makes the selfie stick such a boon to the photographer also increases the chances that unsuspecting passersby  may get caught in the shot.

It’s a safe to say that if you’re traveling this spring or summer, it’s best to check to see what the policies are at the attractions you plan to visit before you consider taking a selfie stick along…

I personally have mixed feelings about selfie sticks. I’ve found them equal parts intrusive, (as I’ve tried to enjoy some art) and practical (as I’ve struggled to capture myself and friends in a unique moment).

For me it comes down to safety and privacy concerns. Crowded tourist attractions and exhibitions are enough of a ruckus without adding selfie sticks to the equation.

 

Title mage courtesy of New York Post

AVG

New ransomware targets gamers

CryptoLocker, the notorious ransomware that shot to prominence in 2013 is back and this time it is targeting gamers.

Reports suggest that the new malware targets several popular games including World of Warcraft, League of Legends and Minecraft.

What is ransomware?

The whole premise of ransomware as an effective malware attack is removing the victim’s access to important or personal files.  It encrypts certain files on your system and then extorts a ransom to unlock them.

Why is malware targeting gamers?

Gamers have become targets for malware writers as they can spend hundreds of hours playing and enjoying a game. Once the game files have been encrypted, the victim will lose access to these files, along with all the progress and achievements they may have unlocked.

How can you stay safe?

There are many things that you can do to help keep your online accounts, including gaming accounts secure.

Don’t share accounts

This is simple advice, and one that game companies often reiterate. No matter how long you’ve been playing with someone online that you don’t know in person, never hand over your details or control of your account. This recent example is enough to discourage you!

Two factor authentication

Just like with other important online accounts such as banking, many online gaming services have introduced two-factor authentication as an additional layer of account security; Blizzard being one of them.

If you’re a gamer, investigate whether or not the games and services you enjoy offer this form of protection.

Download security software

Having up-to-date security software is one of the most important measures we can all take to protect ourselves from malware and online fraud. It can check for malicious links and attachments and help protect your machine from malware.

AVG

Wearables will evolve beyond screens

A healthy human has multiple biological senses he or she was born with. Sight, hearing, taste, smell and touch are the five traditionally recognized. The ability to detect other stimuli beyond those governed by the traditional senses exists, including temperature, kinesthetic sense, pain and balance.

If I had to explain a human sense, in our digital world, I would describe it as a biological sensor that responds to a specific physical stimuli and transmits the data to brain cells that later interpret them for us and may lead to a response.

Our biological senses respond to physical stimuli, but could we develop a sensor that responds to stimuli created in the digital world?

I believe the answer is simple; yes.  For example, I could get a notification delivered directly to my brain when something important is happening, such as my child has not returned from school on time or when my glucose level is high.

The idea isn’t unprecedented. Many animals have unusual biological sensors that to support their surroundings and lifestyle. This however, took millions of years; we could create something in just a few.

Over the last few years, we’ve developed new technologies to help people with different disabilities to gain back their lost senses. Advances include a tiny eye implant that restores sight to the blind and electronic hearing devices that help people with severe hearing loss.

While these technologies are very important for our society and for the people who need them, their main goal is to restore (or provide an alternative to) the damaged/missing sense that respond to a physical stimuli.

How do we create a digital sense?

Digital senses aren’t as far away as you may think. Smartwatches have started to emerge. Although they are still in their first release version people struggle to understand the benefit of them. Is it yet another screen to look at? Does it just save me from having to take my phone out of my pocket? Will it replace some tasks I do on my smartphone? Or is it just another input peripheral to my smartphone? Where is the value to me?

While most of the available applications of a smartwatch are to bring the smartphone notifications to my eyes via a screen on my wrist, there is another – hidden- value in such devices and that is to develop a new sense. I call it the Digital Sense.

A digital sense can respond to digital events, convert them into physical ones and transmit that information to our brain cells in non-invasive methods – for example, with a combination of one or more micro vibrations. The human brain will then interpret them and respond.

In the digital mobile world, smartphones receive data from many sources: the web, email, embedded sensors and cloud services. However, the main method smartphones use to convey all this data to the human brain is via a screen. As a result, we find ourselves spending many hours in front of multiple screens in order to consume data.

Google Glass introduced new possibilities in the way we interact with and respond to our digital world. Some would say that Google Glass failed as it was too intrusive and harmful to real world social experiences.

A sensor would never do this. A sensor should be part of the body and transmit information for the brain cells to process – not to form another obstacle as we saw with Google Glass.

I believe that by taking advantage of wearable technologies and using them to transform digital data into a physical stimulus that our biological sensors can interpret, in a non-invasive way, will be the most valuable application of wearables. I believe it will dramatically increase the adoption of wearable tech as the value proposition can be immediately understood.

Imagine a smartband on your wrist or a smart device on your shirt that will vibrate or move when your glucose level is high or when your family or colleagues urgently need you.

This is not the notification sound, as we know it from our smartphone today.  They are intrusive, not necessarily private and not properly secured. It is more advanced than that. It’s a new sense that we wear and transforms our digital data into something our biological sense can transmit to our brain cells in a non-intrusive, secure and private way. This is where wearable technologies will find their home, not as an additional tiny screen.

Recently I experimented and implementation of such new sense on my wrist, and I do not feel like I will let it go any time soon.

AVG

All four major browsers hacked at pwn2own

Last week computer hacking competition pwn2own once again took place at the CanSecWest conference in Vancouver.

During the competition, hackers and security researchers are challenged to exploit popular software and devices using previously unknown vulnerabilities.

Successful hackers win the device that they exploited, a cash prize, and a “Masters” jacket celebrating the year of their win.

Pwn2own 2015 was an incredibly eventful competition with over $500,000 dollars of rewards issued and all four major browsers successfully hacked, some in under a second.

News of ubiquitous software being hacked in such a short time can often leave us feeling despondent about the state of security but I believe that competitions such as pwn2own give us cause for optimism.

Cash prizes for hacking at competitions and bug bounty programs, such as those run by Google and Facebook, motivate hackers and researchers to use their skills to help improve security and not just exploit it.

As long as vulnerabilities are disclosed to the right parties when they are discovered, it helps to reduce the window of opportunity for malicious hackers to turn a profit.

Remember to update

While software manufacturers were likely hoping to come through pwn2own 2015 unscathed, most will now set about fixing and patching their products and services to mitigate these newly discovered threats.

Expect new security updates in the near future and remember to always keep your operating system and programs up to date.

Title image courtesy of securityaffairs.co

AVG

Banking Trojan Vawtrak: Harvesting Passwords Worldwide

Over the last few months, AVG has tracked the rapid spread of a banking Trojan known as Vawtrak (aka Neverquest or Snifula).

Once it has infected a system, Vawtrak gains access to bank accounts visited by the victim. Furthermore, Vawtrak uses the infamous Pony module for stealing a wide range of login credentials.

While Vawtrak Trojans are not new, this particular sample is of great interest.

 

How and where is it spreading?

The Vawtrak Trojkan spreads in three main ways:

  • Drive-by download – in the form of spam email attachments or links to compromised sites
  • Malware downloader – such as Zemot or Chaintor
  • Exploit kit – such as Angler

Based on our statistics, the Czech Republic, USA, UK, and Germany are the most affected countries by the Vawtrak campaigns this year.

Countries most affected by the spreading of Vawtrak in Q1 2015.

 

What are the features of this Vawtrak?

This Vawtrak sample is remarkable for the high number of functions that it can execute on a victim’s machine. These include:

  • Theft of multiple types of passwords used by user online or stored on a local machine;
  • Injection of custom code in a user-displayed web pages (this is mostly related to online banking);
  • Surveillance of the user (key logging, taking screenshots, capturing video);
  • Creating a remote access to a user’s machine (VNC, SOCKS);
  • Automatic updating.

Of particular interest from a security standpoint is that by using Tor2web proxy, it can access update servers that are hosted on the Tor hidden web services without installing specialist software such as Torbrowser.

Moreover, the communication with the remote server is done over SSL, which adds further encryption.

This Vawtrak sample also uses steganography to hide update files inside of favicons so that downloading them does not seem suspicious. Each favicon is only few kilobytes in size, but it is enough to carry a digitally signed update file hidden inside.

 

Detailed analysis

Our complete analysis of this malware is too long to publish in full on this blog so we have prepared a detailed white paper that describes this infection, its internals and functions in detail.

 

You can also download the report here

 

Stay Safe

While this Vawtrak Trojan is very flexible in functionality, it’s coding is mostly basic and can be defended against. At AVG, we protect our users from Vawtrak in several ways:

  • AVG LinkScanner and Online Shield provide real-time scanning of clicked links and web pages containing malicious code.
  • AVG Antivirus for generic detection of malicious files and regular scans.
  • AVG Identity Protection, that uses a behavioral-based detection, will detect even the latest versions of such infections.
  • AVG Firewall prevents any unsolicited network traffic, such as communication with a C&C server.

AVG

Twitch hacked, resets all passwords

On March 23rd, online video-game streaming service Twitch issued a notice that users accounts may have been hacked.

As a result of the hack, Twitch reset of all account passwords and stream keys.

In an email to users, Twitch explained what has happened and what information was potentially accessed by attackers. This included:

  • Usernames
  • Email addresses
  • Passwords
  • First and last name
  • Phone number
  • Address
  • Date of birth
Twitch

 

This isn’t the first time that hackers have targeted Twitch and its users. Some of the most well-known streamers were attacked as far back as 2013.

Choosing a new strong password

For the millions of Twitch users, the challenge remains to pick a secure and strong new password for their Twitch account. It’s important to create a new password for any account that shares the same username/password combination as their Twitch account.

Making a Strong Password

AVG

TechHire: A New Initiative to Pay Dividends in Diversity in Tech

Companies and organizations from Starbucks to the Federal Government are desperate for tech workers, so there is no reason not to recruit the best talent whatever it resides.

It was also encouraging to see that these concerns are ongoing at our country’s highest levels. On March 9, President Obama announced the TechHire Initiative before the National League of Cities. It’s a new program that includes a grass-roots campaign to achieve greater diversity in the tech world.

In his remarks to city leaders, the President stated, “When these jobs go unfilled, it’s a missed opportunity for the workers, but it’s also a missed opportunity for your city, your community, your county, your state, and our nation.  And here’s something else:  If we’re not producing enough tech workers, over time that’s going to threaten our leadership and global innovation, which is the bread and butter of the 21st century economy.” You can learn more here.

It was no coincidence that President Obama unveiled the campaign at the National League of Cities convention, which is made up of mayors and community leaders from around the U.S., as TechHire involves local communities, local leaders in a number of ways.

For example, on a training and teaching basis, it includes universities and community colleges but also nontraditional approaches like “coding bootcamps,” and online courses.

The President announced that 20 cities and regions across the country, from Louisville to Portland, will work together to recruit and place applicants in some the 120,000 vacant positions and to develop more fast track tech training opportunities.

In other words, it’s addressing the current employee shortage and the pipeline issue simultaneously – a great approach, in my opinion.

The President also announced $100 million in new Federal investments to train and connect more workers to good jobs in technology and other in-demand fields. The initiative will provide training and employment support to those in need including individuals with child care responsibilities, disabilities, limited English or disconnected youth.

Here are just a few examples of the initiative in action:

  • In St. Louis, 150 employers will partner with local non-profit Launchcode, to train women and underrepresented minorities for tech jobs.
  • In New York City, the Tech Talent Pipeline has announced new commitments to prepare college students in the City University of New York system for and connect them to paid internship opportunities at local tech companies.
  • A $100 million competition has been launched to connect Americans with disabilities and disconnected youth to jobs in technology and other in-demand fields.

 

I know many of my readers are small business owners and managers.  I think we can all agree that tech and innovation are major parts of any business proposition these days.

I’m excited about this new initiative because it addresses a real need for employers. It is inclusive and engages local communities, where real work and progress can be made—and tracked!  People can get involved and learn more at #TechHire on social media and follow @WhiteHouseOSTP on Twitter.

AVG

Grab the new AVG Cleaner for Mac

Just as Windows and all applications tend to collect temporary files, log and so called “cache” files in order to function properly, so do applications on your iMac, MacBook or Mac Mini – and in many cases they leave those files behind.

AVG is happy to announce a brand-new version of AVG Cleaner for Mac, which helps remove leftover files from your Mac. Click here to download it right away!

AVG Cleaner for Mac

 

AVG Cleaner for Mac analyzes invisible data trash and unwanted duplicate files that gather on Mac computers through everyday usage, helping to disk space for storing precious photos, music and other important files. The new Cleaner for Mac app sports a new user interface, too, which helps makes the cleaning easier. Here’s what we actually help you remove:

  • NEW iPhoto Cache: iPhoto creates its own “cache” folders, which help speed up the viewing of photos, which takes up more and more space. Also, our users reported to us that they experienced problems with deleting photos which is directly tied to the iPhoto cache, which is why we decided to implement that cleaning mechanism.
  • Forgotten duplicate files: Viewing, copying and editing files could result in duplicate music,photos, videos and documents
  • Uninstall leftovers: Even if an application has been uninstalled, unneeded cache files may remain
  • Download folder: Many old unneeded files including setup files, videos, pictures and documents may end up in the OS X download folder
  • Browser cache: Safari®, Chrome®, and Firefox® browsers store non critical temporary cache files and cookies in a cache folder. Deleting this cache not onl frees up drive space but can hel protect privacy
  • Crash files and logs: Update logs and crash reports are created automatically by both Mac OS and 3rd party applications. This data is not critical and can waste lot of drive space.

AVG Cleaner for Mac Disk Cleaner

AVG Cleaner for Mac Duplicate Finder

 

 

AVG

Judith Bitterli answers your questions on Women in Tech

  • Why are there fewer women studying technology but more women using it?

  • Do you think more women would be in tech if there wasn’t so much misogyny in the media?

Video

Judith Bitterli Answers Your Questions on Women in Tech

 

  • Do women in tech jobs earn as much as their male counterparts?

  • Women in tech are facing time management issues. What can they do to solve this problem?

Video

Judith Bitterli Answers Your Questions on Women in Tech

 

  • Should young girls be discouraged that tech is a male dominated field?

  • What do companies like AVG do to encourage young women to start a career in tech?

Video

Judith Bitterli Answers Your Questions on Women in Tech

 

  • Do you think suppliers and consumers can work together to encourage more women to have a career in tech?

  • Is there an effort to feature women who are excelling as an example for others?

Video

Judith Bitterli Answers Your Questions on Women in Tech

 

Thank you for all your questions, if there’s something you’d like to ask me, please let me know by getting in touch via Twitter @JudyatAVG.