Category Archives: Avira


Steam Account Security Issue Got Fixed

Wow, that sentence sounds rather boring, right? Well, let’s elaborate a bit. If you are an avid PC gamer you most likely know Steam, and if you are into playing (or watching) gamers compete in Multiplayer Online Battle Arenas (MOBAs), you also might have noticed that some of the more famous DotA 2 players got their accounts stolen. Of course their accounts were not the only ones affected, but definitely the most noticeable ones.

What happened is that Steam apparently had a rather big loophole in its system: One could access another account with only the username – and it was as simple as eating pie. Just take a look at the video below and be amazed:

The issue is now fixed, after Valve learned of it on July 25th – so if you are a gamer with a lot of games in your Steam library (or a professional DotA/CS:GO player) you can relax.

According to Kotaku, Valve released a statement to those affected:

“To protect users, we are resetting passwords on accounts with suspicious password changes during that period or may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users login to their account via the Steam client and set a new password. 

Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorized logins even if the password was modified.

 We apologize for any inconvenience.”

The post Steam Account Security Issue Got Fixed appeared first on Avira Blog.

XSS Vulnerability In WordPress – Update Now

The guys from WordPress just released version 4.2.3 of their software, which is mostly a security update. They “strongly encourage you to update your sites immediately.” To do so, just visit your Dashboard, click on ‘Updates’ and then on ‘Update Now’. As mentioned above you’ll only have to update manually if, for whatever reason, you decided to disable the automatic updates.

According to their blog entry the newest version contains fixes for 20 bugs from 4.2. The page also says: “WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was initially reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team, and later reported by Jouko Pynnönen.

We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies.”

And don’t forget: Since WordPress is definitely one of the most popular Content Management Systems and blogging platforms out there it remains an attractive target for cybercriminals – especially due to the huge user base. Administrators should always keep their WordPress installations (including addons and themes) updated and patch as soon as there are security updates available.

If you want to find out more about the dangers you could face as a blog administrator and get some advice which might help you to protect your page, take a look at Ange Albertini’s blog article concerning the topic.


New Study: 10 Out of 10 Smartwatches Vulnerable

A new study on the Internet of Things with focus on smartwatches released by HP revealed that of 10 smartwatches that were tested, all contain significant vulnerabilities and are a “risk that goes beyond the device”.

So what exactly are we talking about? According to the study (PDF) “the results of the research were disappointing, but not surprising.” There are deficiencies when it comes to authentication and authorization, privacy concerns, and problems with the implementation of SSL/TLS.

Their key takeaways are as follows:

  • “Data collected initially on the watch and passed through to an application is often sent to multiple backend destinations (often including third parties)
  • Watches that include cloud interfaces often employed weak password schemes, making them more susceptible to attack
  • Watch communications are trivially intercepted in 90% of cases
  • Seventy percent of watch firmware was transmitted without encryption
  • Fifty percent of tested devices offered the ability to implement a screen lock (PIN or Pattern), which could hinder access if lost or stolen
  • Smartwatches that included a mobile application with authentication allowed unrestricted account enumeration
  • The combination of account enumeration, weak passwords, and lack of account lockout means 30% of watches and their applications were vulnerable to Account Harvesting, allowing attackers to guess login credentials and gain access to user account”

So yes, it’s basically the same cycle as with most of the ‘newer’ tech gadgets. They get released, there is a big hype, but security becomes only important after lots and lots of reports on hacks, vulnerabilities, and the inevitable bad press. Think nothing of it guys, everything is just the way it always was …


Hacked Car Is Driven Into Ditch

Why? Because cars are now definitely hackable. It has been proven. By driving a Chrysler Jeep Cherokee into a ditch. Let me tell you guys: It didn’t end well for the car!

What basically happened is this: Two security researchers, Charlie Miller and Chris Valasek, were asked by WIRED writer Andy Greenberg to hack his car.

“I WAS DRIVING 70 mph on the edge of downtown St. Louis when the exploit began to take hold.

Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass,” he describes the experience.

But that was merely the beginning. After Greenberg entered the highway the two hackers cut the transmission. Yes, you’ve heard right. The results? The accelerator stopped working. The car got slower and slower. Cars were honking and driving by. But “the most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch.”

Are you not sure whether to believe the tale or not? Then just take a look at his experience yourself:

But how can something like that even happen? The issue apparently lies in a wireless service called Uconnect which connects these cars to the Sprint cellphone network. Uconnect is featured in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks. It not only controls the vehicle’s entertainment and navigation systems but also enables phone calls and offers a Wi-Fi hot spot! The researchers only had to find a vulnerability – which they did – to access and control the car’s system. Anyone who knows the IP address can gain access to it.

Luckily Chrysler released a patch – so make sure to apply it ASAP if you own one of the vulnerable cars. But while it fixes the described issue, how many others remain unfound, exploitable and dangerous?


Patch now: Microsoft Emergency Fix

Yesterday Microsoft released an emergency security update for all of the supported Windows versions (this means Windows 7, Windows 8/8.1, Windows RT and apparently even the unreleased Windows 10). The patch is supposed to fix an exploit that would allow hackers to access another computer easily. According to the company the flaw lies in the way the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts.

“An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft says in their security bulletin. “There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts.”

Microsoft also says that while they had information that indicates that the issue was public there is no evidence that the vulnerability was used in any actual attack on customers.

The vulnerability itself was apparently found after going through loads of data from the Hacking Team email breach.


The all-you-need PC solution: Antivirus + Office software

“Users often run several programs and browsers at once. What matters to them is that they can complete their daily tasks without fear of data theft and unwanted malware. This includes sharing documents, managing photos and videos, creating presentations for school and work, as well as online banking and shopping”, explains Daniel Prauser, Manager Global Channel Management at Avira.

Avira Antivirus Pro + WPS Office Suite are easy to install and resource-friendly. Avira’s fast malware protection with award-winning detection technology provides the perfect level of security for your PC. Better still: Your personal data also remains safe – for example, from web trackers who monitor your browsing habits or from unsolicited promo messages that keep popping up.

The WPS Office Suite also includes programs to edit and create documents, spreadsheets, and presentations. The software is Microsoft Office and Google Docs compatible, and can open and save all common file formats. And with cloud support, files can be edited anywhere.

The Avira Antivirus Pro + WPS Office Suite license is available for 1 device / 1 year. The WPS Office Suite can be used on two additional PCs, plus an unlimited number of Android and iOS devices.

Interested in this great bundle? Contact your local partner.


Adulterers Beware: Ashley Madison Hacked

Ashley Madison is a social network for people in a relationship (mostly married I’d guess) who want to have an affair. Now, according to Krebs on Security, the page has been hacked by “an individual or group that claims to have completely compromised the company’s user databases, financial records and other proprietary information”. Large parts of the stolen data have been posted online by The Impact Team, the people responsible for said hack.

Apparently The Impact Team decided to post the stolen data because Avid Life Media (ALM), the company that owns Ashley Madison, says that it will delete user profiles permanently for $19, but that’s not happening, at least not completely. While there has been some controversy concerning this topic before, the reaction of The Impact Team seems rather extreme.

“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed,” the hacking group wrote.

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”

According to ALM CEO Noel Biderman the company’s investigation is ongoing. He also states that he believes that the breach was actually an inside job – perhaps by a former employee or contractor: “We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication. I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”


Avira’s Secure Browser: Plans and Tactics (Part 2)

The goal with the browser is to create an easy-to-use, secure and privacy respecting browser. These are the more advanced tactics we will be using:

Our Cloud DBs

Adding cloud features to file scanning was a large success. The detection quality of malicious files went straight up. In short:

On the client there is a behaviour-detection kind of pre-selection. If a file is suspicious, the cloud server is asked if the file is already known.

If unknown:

  • An upload is requested
  • The file is uploaded to the server
  • There we have several detection modules that cannot be deployed on the customers’ PCs (an AI with a large database, sandboxes for behavior classification, etc.). They scan and classify the file
  • The database is updated
  • The results are sent back, you are protected

We built incredible databases covering malicious files during the last years. We should have something similar for the browser and use our large knowledge base and server side classification tools for web threats as well.

It should look something like this:

  • The browser detects something strange (“behavior detection”), this is called pre-selection
  • It asks the backend database if this is already known
  • If not: relevant data (URL, file, …) is uploaded for inspection
  • Our server based tool (and our analysts) will classify the upload and update our databases
  • The result is sent back directly (within milliseconds. Yes, the tools are that fast. We will try to improve our analysts 😉 )
  • You are protected
  • We are improving our “evil parts of the internet” map.

To get there we will have to improve the signal-to-noise ratio. We are only interested in malicious pages. If the pre-selection in the browser is too aggressive and sends non-malicious pages to us, it’s a waste of CPU cycles and bandwidth. With millions of users as a factor, even minor slips will be expensive and annoying for everyone involved.

We will also remove private data before sending it (we are not interested in user data. We are spying on malware). Personal data is actually toxic for us. Servers get hacked, databases stolen, companies gag-ordered. Not having that kind of data on our servers protects us as well as you. I mean just think of it: Some web pages have the user name in the URL (*/facepalm*). I do not think we can automatically detect and remove that trace of data though. But maybe we could shame the web pages into fixing it …*/think*

The parts in the source that collect the data and prepare them for sending are Open Source. Here I am asking you to NOT trust us and review the code! :-)

I hope we find a simple solution to display the data being sent to us before sending. The only problem is that it could have a negative impact on your browsing experience. Having a modal dialog when you expect a page to load …

One option could be to at least offer a global configuration to switch cloud requests off (always, in incognito mode only, never) and show you in logs what got sent.
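The lookup flow and the data scrubbing described above, sketched as an added example (not Avira's code). `scrub_url`, `CloudClient`, `FakeBackend`, the SHA-256 lookup key and the toy classification rule are all assumptions made for illustration; the URLs are constructed samples.

```python
import hashlib
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

def scrub_url(url: str) -> str:
    """Drop credentials, query values and the fragment before anything leaves the client."""
    p = urlsplit(url)
    host = p.hostname or ""
    if ":" in host:                      # IPv6 literal: restore the brackets
        host = f"[{host}]"
    if p.port:
        host += f":{p.port}"
    names_only = urlencode([(k, "") for k, _ in parse_qsl(p.query, keep_blank_values=True)])
    return urlunsplit((p.scheme, host, p.path, names_only, ""))

class FakeBackend:
    """In-memory stand-in (hypothetical) for the cloud database and server-side classifiers."""
    def __init__(self):
        self.db, self.uploads = {}, []
    def lookup(self, key):
        return self.db.get(key)          # None means "unknown, please upload"
    def classify(self, key, clean_url):
        self.uploads.append(clean_url)
        verdict = "malicious" if "exploit-kit" in clean_url else "clean"  # constructed toy rule
        self.db[key] = verdict
        return verdict

class CloudClient:
    def __init__(self, backend, cloud_off="never"):   # "never" | "incognito" | "always"
        self.backend, self.cloud_off = backend, cloud_off
        self.sent_log = []               # everything transmitted, so the user can inspect it
    def check(self, url, suspicious, incognito=False):
        if not suspicious:               # pre-selection: keep noise away from the backend
            return "not-checked"
        if self.cloud_off == "always" or (self.cloud_off == "incognito" and incognito):
            return "cloud-disabled"
        clean = scrub_url(url)
        key = hashlib.sha256(clean.encode()).hexdigest()
        self.sent_log.append(("lookup", key))
        verdict = self.backend.lookup(key)
        if verdict is None:              # unknown: upload the scrubbed data for classification
            self.sent_log.append(("upload", clean))
            verdict = self.backend.classify(key, clean)
        return verdict

if __name__ == "__main__":
    client = CloudClient(FakeBackend())
    # Constructed sample URL; the query value never reaches the backend.
    print(client.check("http://bad.example/exploit-kit/land?victim=alice", suspicious=True))
    print(client.sent_log)
```

A user name embedded in the path, as in `/users/alice/inbox`, passes through `scrub_url` unchanged, which is exactly the case the text says cannot be detected automatically.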

Advertising

We are selling libraries and databases covering malicious files and web pages.

You want your own AV? Or protection technology in your Tetris game to make it unique? Just contact our SI department and make a deal.

Other companies have thousands of web-crawlers simulating user behavior to identify malware.

Millions of real Avira users are our scouts and sensors.

Some branding

We need some branding. That would include Avira-specific changes in the browser (names, logos, some other texts), but also links. This is relevant not only for brand awareness but also to keep our users away from Chrome/Chromium support, to avoid confusion (“Which Chrome version do you have?” … listens … “We never released that, can you please click on ‘About’ and tell me the version number?” … listens … “WTF?!?” => confusion), and to direct them to our support – who actually CAN help.

Hardening

We will always improve the build process. There are compiler switches for features called Position Independent Executable (PIE), Fortify Source, etc. that we should enable on compilation (many are already enabled). Most time here will be spent on ensuring that they do not get disabled by accident, are enabled on all platforms, and do not slow down the browser. This task can start simple and suddenly spawn nasty side effects. This is why we need TestingTestingTesting.
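One way to catch a hardening flag that was disabled by accident, as an added example (not Avira's build tooling): a release gate that inspects a little-endian ELF64 artifact for PIE and Fortify Source evidence and compares it with the last good build. The function names and the constructed sample images are assumptions; `ET_DYN` is also used by shared objects, and a binary with no fortifiable calls shows no `_chk` symbols.

```python
import re
import struct

ET_EXEC, ET_DYN = 2, 3  # e_type values: fixed-address executable vs. position-independent

def audit_elf64(image: bytes) -> dict:
    """Report PIE and Fortify Source evidence for a little-endian ELF64 image."""
    if image[:4] != b"\x7fELF" or image[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", image, 16)   # e_type follows the 16-byte e_ident
    # Fortify Source swaps calls such as memcpy for __memcpy_chk; the names sit
    # NUL-terminated in the string tables. __stack_chk_fail (stack protector)
    # is not matched because the name does not end in _chk.
    chk = {m.decode() for m in re.findall(rb"__[a-z0-9_]+_chk(?=\x00)", image)}
    return {"pie": e_type == ET_DYN, "fortify": bool(chk), "fortified_calls": sorted(chk)}

def regressions(baseline: dict, current: dict) -> list:
    """Flags that were on in the last good build but are off in this one."""
    return [flag for flag in ("pie", "fortify") if baseline[flag] and not current[flag]]

def build_sample(e_type: int, strings: bytes) -> bytes:
    """Constructed stand-in for a build artifact: ELF64 header plus a fake string table."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    # e_type, e_machine (62 = x86-64), e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, then five unused program/section header fields.
    header = struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0)
    return ident + header + b"\x00" + strings

if __name__ == "__main__":
    last_good = audit_elf64(build_sample(ET_DYN, b"__memcpy_chk\x00__stack_chk_fail\x00"))
    tonight = audit_elf64(build_sample(ET_EXEC, b"memcpy\x00__stack_chk_fail\x00"))
    print("regressed flags:", regressions(last_good, tonight))
```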

TestingTestingTesting

Google added the Hotwords feature to Chromium and Chrome. It’s a nice feature. But it switches on the microphone and “spies” on the user (this is a convenience feature many users want). For our secure and privacy respecting browser this crossed a line though. This is the reason why we will have to verify that no “surprise !!!”-Extensions get installed by default. One more task for our testers that add verification tasks to the browser to handle our specific requirements. Keep in mind: Chrome and Chromium already have very good unit-tests and other automated test cases. We just need some extra paranoia. That’s the job for our testers in the team.

More transparency

We will write blog posts covering all the features. The attacks they block, their weaknesses, what we did and will be doing to improve them. We will offer you a guided tour Down the Rabbit Hole. Go with us as far as you dare.

TL;DR:
There is so much we can do to improve the browser, without touching the core.

We reached the bottom of this specific Rabbit Hole.

Thorsten Sick



A Workshop with Avira Beta Community Members

We were excited to welcome beta testers from the USA, Italy, Germany, Greece, China & Malaysia in Tettnang.

The members we invited to this workshop are the most active beta testers in our Antivirus for Windows Beta project and they were chosen based on the quality of their feedback and the number of forum posts or bug reports they provided.

Although they contribute to the Avira Beta Community out of their own interest, most of them are also our customers, making the information exchange even more interesting.

What happened during the 2 days?

We offered the participants a detailed tour of the Avira Protection Lab, giving them the opportunity to meet the people behind our products. In order to provide them with a technical overview as well, our experts showed them how we are visualizing the digital threats in real time. They even had the chance to hear everything about our vision as company directly from our CEO, Travis Witteveen, and meet the company founder, Tjark Auerbach.

Throughout the workshop, most of the discussions revolved around the Avira products and the current threat landscape, but we also focused on global privacy and security topics.

We collected feedback from our guests and placed it under several categories, of which Features, Usability, Product ideas and Problems resolution were the most discussed ones.

While we were happy to discover that all participants agreed that the anti-malware technology used by Avira is one of the best in the world, they seem to think we still have some work to do to improve the product usability.

Considering the number of photos shared on social media, our guests seem to have enjoyed the Avira experience. As for us, we have our To Do list before the next Beta Testing Community Workshop, which we are looking forward to organizing next year.

Thinking about joining the Avira Beta Testing Community? Click here to register now.
