We have had a busy month with multiple announcements important to Avast customers and company-watchers. Here’s the quick rundown in case you missed it.
Avast SecureMe will launch in the next month or so to protect the new Apple Watch, as well as iPhones and iPads, when connected to unsecured Wi-Fi. That’s sure to make Apple gadget freaks happy. Read Avast SecureMe Protects Apple Watch Wi-Fi Users.
Avast customers who are using older versions of our Avast antivirus products cannot upgrade to Windows 10, but more importantly they will no longer receive product upgrades or enhancements. We recommend that everyone upgrade to the latest version to benefit from better detection rates and new features. Read Support for older Avast versions will end.
Want a career with Avast? A new Avast Software office has opened in Charlotte, North Carolina to bring the new free Avast for Business to the U.S. market and beyond. Read The Tar Heel State welcomes Avast Software.
Check out the Avast blog for other news and how-to articles that provide useful information about security, privacy, and Avast products. Have a great weekend!
Scan your router with Avast’s Home Network Security scanner.
Your router is one of the weakest links in your security, and researchers have proven once more that your home router puts you at risk.
Sixty security flaws have been identified in 22 router models that are distributed around the world, mostly by ISPs to their customers. These flaws could allow hackers to break into the device, change the password, and install and execute malicious scripts that change DNS servers to those the attacker wants. They do this so they can send your traffic through servers they control and direct you unwittingly to malicious sites or load malicious code on your machine when you visit a legitimate site.
Other flaws include allowing the hackers to read and write information on USB storage devices attached to the affected routers and reboot the devices.
The research report describes how the attackers can get in – through a backdoor with a universal password that is used by the ISP’s technical support staff to help troubleshoot for their customers over the phone. This second default administrator access is hidden from the router owner.
Which routers did the researchers test?
The researchers tested the following models: Amper Xavi 7968, 7968+ and ASL-26555; Astoria ARV7510; Belkin F5D7632-4; Linksys WRT54GL; Comtrend WAP-5813n, CT-5365, AR-5387un and 536+; D-Link DSL-2750B and DIR-600; Huawei HG553 and HG556a; Netgear CG3100D; Observa Telecom AW4062, RTA01N, Home Station BHS-RTA and VH4032N; Sagem LiveBox Pro 2 SP and Fast 1201; and Zyxel P 660HW-B1A.
Since the researchers are based in Madrid, their interest was mainly in Spanish ISPs and the routers they distribute, but routers like Linksys, D-Link and Belkin are distributed in the U.S. and other countries.
What can you do to protect yourself?
Avast has a feature built into our antivirus products called Home Network Security (HNS), which scans for misconfigured Wi-Fi networks, exposes weak or default Wi-Fi passwords, vulnerable routers, compromised Internet connections, and enabled, but not protected, IPv6. It also lists all devices on the network so you can make sure only your known devices are connected. Avast is the only security company to offer a tool to help you secure this neglected area.
How to scan your home router with Home Network Security scanner
Open the Avast user interface, click Scan from the menu on the left, then choose Scan for network threats. Avast will take a look at your router and report back any issues. In most cases, if there is an issue to be addressed, then it will direct you to your router manufacturer’s website.
The future of Windows is just around the corner. (Image via TechRadar)
Earlier this week, Microsoft confirmed that Windows 10 will officially launch on July 29 and will be available as a free upgrade for Windows 7 and Windows 8.1 users (for one year). This latest OS will be available to pre-order in the upcoming weeks when it launches in 190 different markets across the globe. In anticipation of Microsoft’s exciting new OS, this Techradar article takes a brief look at the operating system’s past:
With Windows 8 and today Windows 8.1, Microsoft tried – not entirely successfully – to deliver an operating system (OS) that could handle the needs of not only number-crunching workstations and high-end gaming rigs, but touch-controlled systems from all-in-one PCs for the family and thin-and-light notebooks down to slender tablets.
Now, Windows 10 has emerged as an operating system optimized for PCs, tablets and phones in unique ways – a truly innovative move from Microsoft’s side. Its big reveal is now quickly approaching, and tech enthusiasts everywhere are curious to see how this OS will measure up.
Will Avast be compatible with Windows 10?
In short, ensuring that Avast is compatible with Windows 10 is quite simple. Avast versions V2015 R2 and newer are already compatible with Windows 10. Users who currently have V2015 R2 or newer installed and plan to update from Windows 7 or 8 to Windows 10 will automatically have Avast transferred to Windows 10 at the same time.
For users currently using older versions of Avast, we highly suggest updating your Avast product prior to updating to Windows 10 to ensure an easy, hassle-free transition.
Question of the week: Why do Avast and other antivirus companies try to scare us with all this news about viruses and bad apps? It makes me think you are connected to the threats.
Antivirus companies do not create the viruses – there are enough hackers doing it already!
Avast and other reputable antivirus companies are not connected to the creation of threats – there are plenty of them without our developers making something up! But thanks for your question. We would like to help you and our other customers understand the nature of cybersecurity in today’s world and assure you that we have the tools to protect your online environment.
Enough to keep us busy
The Avast Virus Lab receives over 300,000 samples of new potential viruses every day and has documented increases in mobile malware infections, vulnerabilities in widely used software and devices, and a surge in spying via free Wi-Fi hotspots. We don’t mean to scare you, but with the knowledge that more than 60 percent of companies have been the victim of an attempted cyber attack, and that Avast prevented more than 2 billion virus attacks last month, we have lots to talk about.
An example of a new type of attack was the recent discovery of a mobile app called Dubsmatch 2 which had “porn-clicker” malware hidden within it. The app was installed 100,000-500,000 times from the Google Play Store, usually a trusted source, before we notified Google and the app was removed.
“We suspect the app developer used the porn clicker method for financial gain,” wrote virus analyst Jan Piskacek. “The app developer probably received pay-per-click earnings from advertisers who thought he was displaying their ads on websites for people to actually see.”
When financial gain is the motivator, cybercrooks get creative. But financial gain is not the only motivator. Hackers at Black Hat USA 2014 told surveyors that they were driven by the fun and thrill of it. (51% said so.) State-sponsored attacks are also increasingly being revealed. China, Russia, Iran, and North Korea are emerging as major players in hacking for political, nationalistic, and competitive gain.
Many people, even if they are aware of the threats, have not taken any action to protect themselves or their assets.
People overall are more aware of online security and privacy concerns after the revelations of the NSA’s surveillance activities, but despite that, most American adults have not made significant changes to their digital behavior, and 54% say that it would be “somewhat” or “very” difficult to find the tools and strategies that would enhance their privacy online and when using cellphones, according to a Pew Research Center report.
“I have nothing to hide” and “I do not have the time or expertise” are the most common reasons given for not taking action.
Since the nature of attacks has changed, we offer an “ecosystem” of protection services beyond our antivirus protection. The need for a more complete kind of protection was quite evident after the New York Times was hacked for 4 months by Chinese hackers. Jindrich Kubec, Avast’s threat intelligence director, acknowledges that there’s a distinction between the kinds of threats encountered by everyday Web surfers and the carefully targeted attack the Times faced, but he adds this wisdom,
“Seatbelts and airbags are wonderful protection and improve the safety of millions, but they will not stop a bullet fired — say by a hired killer. Does it mean you will stop using airbags and seatbelts?”
Check out the varied products that Avast offers to create your own security ecosystem. Avast Mobile Security, SecureLine VPN, Browser Cleanup, and GrimeFighter are not just new ways to make money (some of the products are free!); they are intended to keep you and your assets as safe as possible.
Soon, we’ll be living like The Jetsons (image via philosophymatters.org)
By the end of the decade, everyone on Earth will be connected. –Eric Schmidt, Google chairman
As a rule of thumb, it’s good to keep in mind that anything and everything that can be connected to the Internet can be hacked. Poorly designed or implemented systems could expose serious vulnerabilities that attackers can exploit. Now, most of us are fairly familiar with certain gadgets that can be connected to the Internet, such as mobile devices and/or laptops, smart watches, and cars, but what about the things that are still emerging within the Internet-connected world? Some of these new items include routers, sensors, and everyday gadgets such as alarm clocks, wearables, microwaves, and grills.
When dealing with the devices that we’ve come to know and love, such as our Android phones or iPads, we already encounter a multitude of shortcomings within privacy policies, unintentional data leakages, and the transmission of tracking and personal data in clear text. Taking this a step further, it’s both intriguing and frightening to think about the challenges we will face as the Internet of Things (IoT) becomes more and more of a reality. In a recent article published by the Guardian, author Marc Goodman paints an evocative picture of a world powered by the IoT:
Because your alarm clock is connected to the internet, it will be able to access and read your calendar. It will know where and when your first appointment of the day is and be able to cross-reference that information against the latest traffic conditions. Light traffic, you get to sleep an extra 10 minutes; heavy traffic, and you might find yourself waking up earlier than you had hoped.
When your alarm does go off, it will gently raise the lights in the house, perhaps turn up the heat or run your bath. The electronic pet door will open to let Fido into the backyard for his morning visit, and the coffeemaker will begin brewing your coffee. You won’t have to ask your kids if they’ve brushed their teeth; the chip in their toothbrush will send a message to your smartphone letting you know the task is done. As you walk out the door, you won’t have to worry about finding your keys; the beacon sensor on the key chain makes them locatable to within two inches. It will be as if the Jetsons era has finally arrived.
So how can we use these space-age technologies to our advantage? Although most software is still in the process of being optimized for wearables and other emerging smart gadgets, there are three main things to be on the lookout for as we move into the IoT’s heyday:
Issues on devices that could result in device loss, poorly programmed apps, or attacks driven by social engineering
Transmission issues caused by low-level encryption on Wi-Fi or Bluetooth that could result in traffic sniffing, man-in-the-middle and redirection attacks
Storage issues in the cloud that could directly result in data breaches
A reliable way to defend yourself against the transmission issues is to use a VPN when connecting to open, unsecured Wi-Fi networks; device and cloud storage issues need their own safeguards. Avast SecureLine VPN is available for Windows, Android and iOS.
Risk analysis is the first step towards managing risks, particularly when it comes to cyber risks. This recorded webinar introduces and explains key concepts, with links to several useful risk assessment tools.
Avast Web Shield scans HTTPS sites for malware and threats.
Internet users with basic security knowledge are aware that they should look for the padlock icon in the address bar or the HTTPS in a web address to indicate that a website is secure. We have gotten used to seeing it on bank sites or shopping carts where we input our credit card information. More and more, regular websites are making the switch from unencrypted HTTP to encrypted HTTPS. Last year, search giant Google sweetened the pot by adding HTTPS to their ranking algorithm. That action encouraged webmasters everywhere to make the switch to HTTPS.
But is HTTPS really more secure than HTTP?
The simple answer is not always. As more and more online services are moving to HTTPS, attacks are increasing. An encrypted connection ensures that the connection cannot be modified by anyone else, but it does not guarantee that the actual content being downloaded is safe. Just as with plain HTTP, if a legitimate website is hacked, malware scripts and binaries can be placed into the HTTPS page that appears to be safe.
That’s why it is imperative for security software to check this attack vector. To address this, Avast’s trusted Web Shield technology scans HTTPS sites for malware and threats.
How Avast’s HTTPS scanning feature works (the short version)
Avast is able to detect and decrypt TLS/SSL protected traffic in our Web-content filtering component. To detect malware and threats on HTTPS sites, Avast must replace the site’s SSL certificate with its own self-generated certificate. Our certificates are digitally signed by Avast’s trusted root authority and added into the root certificate store in Windows and in major browsers to protect against threats coming over HTTPS that otherwise could not be detected.
Avast whitelists websites if we learn that they don’t accept our certificate. Users can also whitelist sites manually, so that the HTTPS scanning does not slow access to the site.
HyperText Transfer Protocol or HTTP is the network protocol used to deliver virtually all files and other data on the World Wide Web. When you visit a website you may see the HTTP:// prefix in the address. This means your browser is now connected to the server using HTTP. The problem with HTTP is that it is not a secure way to establish a connection, opening a door to cybercrooks who want to eavesdrop on your activities.
Hackers can eavesdrop via an HTTP address because when you connect to a website with HTTP, your browser assumes it is connected to the correct web server. The problem with this is that there is no way to authenticate that you are actually connected to the correct website. This is a big problem if you think you are connecting to your bank’s website, but you are really on a compromised network and have been redirected to a fake website. This is when the hacker can eavesdrop and see any passwords, credit cards, or other data.
HTTPS is meant to solve this problem
HTTPS, which literally stands for HTTP Secure, is the safe encrypted counterpart to HTTP. When you connect with HTTPS, it provides identity verification and security, so you get the benefit of encryption that prevents others from eavesdropping on your communications and assures you that you are connected to the intended server.
What is a website security certificate?
HTTPS encryption and authentication are provided by security protocols known as TLS and SSL. The SSL protocol verifies that you are connected to the intended server with a “handshake” which proves the identity of the server to the client. This is achieved using SSL security certificates, which contain various pieces of information like the name of the holder, the domain, validity date, the certificate’s public key, and the digital signature.
Usually the certificate is digitally signed by a trusted certificate authority (CA) that your computer already knows. For the connection to succeed, the server, and in some cases the client, must provide a certificate that allows the computer to determine if the connection should be trusted or not. If the private key to the certificate is leaked, anyone can mimic the server’s identity.
Why does Avast create a ‘certificate authority’ and how is it created?
When the browser is about to make a connection to an HTTPS server, Avast Web Shield takes over the handshake and connects itself to the server. When the server sends its certificates, Web Shield verifies them against the Windows System Certificate Store – the same list of trusted certificates that Internet Explorer, Chrome, Opera, and other programs use. Web Shield scans the flow of the data connection, and after verifying that the communication is secure, hands over the connection to the browser.
What is a MITM attack and how does it differ from what Avast is doing?
The SSL protocol is imperfect, so hackers can take advantage of it. A man-in-the-middle (MITM) attack takes place when a hacker intercepts the communication between two systems by impersonating the two parties. This clever ruse makes them think that they are talking to each other when they are both actually talking to the attacker. The attacker can read, insert, or modify the data in the intercepted communication and no one ever knows.
The Avast Web Shield must use a MITM approach in order to scan secure traffic, but the important difference is that the “middle man” we use is located in the same computer as the browser and uses the same connection. Since Avast is running with Administrator rights and elevated trust on the computer, it can create and store certificates that the browser correctly accepts and trusts for this, and only this, machine. For every original certificate, Avast makes a copy and signs it with Avast’s root certificate, located in the Windows Certificate store. This special certificate is called “Avast Web/Mail certificate root” to clearly distinguish who created it and for what purpose.
We want to emphasize that no one else has the same unique key that you have from the installation-generated certificate. This certificate never leaves the computer and is never transmitted over the internet. The Windows System Certificate Store is the only place where your computer’s certificate is stored and accessed.
How do I maintain my privacy when Avast is scanning my banking connections?
Our customers’ privacy was our first concern when planning the implementation of HTTPS scanning. That’s why we created a way for whitelisting, or ignoring, the connection when Avast users access banking sites. Our current list has over 600 banks from all over the world and we are constantly adding new, verified banking sites. You can, and should, verify the bank’s security certificate when using online banking sites. Once verified, you can submit the banking or other web site to our whitelist by sending us an email: banks‑[email protected].
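A defender's check for the behaviour described above, as an added example that is not Avast's code: it reads the issuer of each certificate a client on this machine receives and flags sites that are expected to bypass HTTPS scanning but are still re-signed by the local root. The root name is taken from this article; matching it against any issuer attribute, the host names and the certificate dictionaries are constructed assumptions.

```python
import socket
import ssl

# Root name as written in the article. Assumption: it appears in an issuer attribute.
LOCAL_INSPECTION_ROOTS = ("Avast Web/Mail certificate root",)


def issuer_values(cert):
    """Flatten the issuer RDN tuples of a getpeercert() dict into {attribute: value}."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def signed_by_local_root(cert, roots=LOCAL_INSPECTION_ROOTS):
    """True when any issuer attribute names one of the local inspection roots."""
    values = [v.casefold() for v in issuer_values(cert).values()]
    return any(root.casefold() in v for root in roots for v in values)


def audit(observations, expect_bypass):
    """Label each host; flag excluded hosts whose certificate is still re-signed."""
    report = {}
    for host, cert in observations.items():
        if not cert.get("issuer"):
            report[host] = "no-issuer"
        elif not signed_by_local_root(cert):
            report[host] = "original-chain"
        elif host in expect_bypass:
            report[host] = "UNEXPECTED-INSPECTION"
        else:
            report[host] = "inspected-locally"
    return report


def fetch_cert(host, port=443, timeout=5.0):
    """Live use: the validated leaf certificate as a client on this machine sees it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def make_cert(subject_cn, issuer_o, issuer_cn):
    """Build a constructed certificate dict in the shape getpeercert() returns."""
    return {
        "subject": ((("commonName", subject_cn),),),
        "issuer": ((("organizationName", issuer_o),), (("commonName", issuer_cn),)),
    }


# Constructed observations (no network access needed); all names are placeholders.
SAMPLE = {
    "news.example": make_cert("news.example", "Constructed Org",
                              "Avast Web/Mail certificate root"),
    "bank.example": make_cert("bank.example", "Example Public CA", "Example Public CA G2"),
    "pay.example": make_cert("pay.example", "Constructed Org",
                             "Avast Web/Mail certificate root"),
    "odd.example": {"subject": ((("commonName", "odd.example"),),)},
}
# Hosts the user expects to be excluded from HTTPS scanning (e.g. whitelisted banks).
EXPECT_BYPASS = {"bank.example", "pay.example"}

if __name__ == "__main__":
    for host, status in audit(SAMPLE, EXPECT_BYPASS).items():
        print(f"{host:14} {status}")
```

On a live machine, build the observations with `{h: fetch_cert(h) for h in hosts}` instead of the constructed sample.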
How to disable the HTTPS scanning feature
If you do not want Avast to scan HTTPS traffic, you have the option of disabling the feature in the Avast settings:
1. Open the Avast user interface → select Settings.
2. Select Active protection → click Customize next to Web Shield.
3. Select Main settings → check/uncheck Enable HTTPS scanning to turn this feature on/off.
Most of us can agree that we don’t want our personal data falling into other people’s hands. This may seem like an obvious concept, but with the amount of data we regularly share online, it’s not such an uncommon occurrence that our information is wrongfully passed onto others. In this clever video published by Facebook Security, we learn how to nip scams in the bud and prevent others from tricking us into sharing personal information.
In order to keep your personal data secure, make sure to practice the following:
Shred all personal documents before throwing them away. This is especially important when dealing with bank statements and bills.
Be mindful of what you post on social media and other online forums.
Choose your passwords carefully. Keep them diverse and don’t use the same password for each of your accounts.
Use security software on all of your devices and make sure that it’s up to date.
How to spot a hacker before it’s too late? As the video’s narrator warns, “Beware of anyone requesting your personal data or money, whether over the phone, via email or online. They may pretend to be a romantic interest, a family member in trouble, or even a foreign prince – odds are, they’re not.”
We love our fans and followers on Twitter because they frequently alert us to great resources. It happened today when we received a tweet from @LoveNerds4Ever letting us know that Avast Antivirus was mentioned on a Sacramento (California) News10 video segment. Thanks, Shawna!
The guest on this video segment is Ryan Eldridge, co-founder of Nerds on Call, a computer repair business in Sacramento. He spoke to reporter Keba Arnold about technology mistakes that people typically make. These simple, but oh, so important points, are ones that we continually try to make, and Ryan puts it all together in one good video. Watch it now.
The security recommendations that Ryan makes:
Run updates on your computer and mobile phone. Program updates and security patches are very important to keep your device up to date and running optimally.
Download apps and programs from places you know and trust. On your mobile phone this would be the Google Play Store or Amazon App Store. For your computer, he says it’s a little bit harder, but suggests that you visit download.com, CNET’s well-known download site where you can read user reviews and see the reputation of the app before you download.
Ryan reminds computer users that when they get a new device antivirus software may be pre-installed, but it is a trial for a limited time. After it expires, you need to get protected with a quality antivirus product. Ryan recommends Avast Free Antivirus for your computer, your Mac, and your mobile phone.
Ms. Arnold confesses that she has one email address that acts as a catch-all for everything. Ryan says this is a no-no because if a hacker breaks into that email address, then he has access to everything. Ryan suggests that you have separate email addresses for friends and family, work, one for shopping, and one for banking.
Passwords, admittedly, are a pain in the you-know-what. Ryan suggests using an algorithm, or a kind of personal code, to construct your own passwords. For example, you can use a line from your favorite song, say Somewhere Over the Rainbow. Use the first letter of each word, use letters from the website name, and end with a series of numbers. Each password will be unique and known only to you.
And Ryan, we have a tip for you! Small businesses like yours need security protection too, and consumer antivirus like Avast Free Antivirus doesn’t do the trick when you need to manage multiple devices, platforms, and people in remote locations. Adding to our collection of free products is the new Avast for Business. Avast for Business is free to use for as long as you want and for an unlimited number of admins and devices.