Tag Archives: Technology

Avira

Hacking tools to become weapons of war

Leave a comment

Hackers can start wars. That’s a fact. It’s also one of the fears people have learned to live with. As opposed to some reductionist definitions of war, when it comes to the cyber-war topic, it’s not always a good vs. bad kind of battle. It’s more of a battle of competences between highly skilled hackers.

Divide and conquer

In order for a massive hacking to succeed, some advanced software programs are required. Here’s where the US government saw on opportunity to try and keep under control foreign hacking initiatives.

The Bureau of Industry and Security (BIS), an agency of the United States Department of Commerce that focuses on national security and high technology issues, is currently struggling to obtain tighter export rules for computer security tools. The objective is to disallow encryption license exceptions for cyber security tools that qualify as “intrusion software” thanks to the ability to extract or modify data from a computer or a network-enabled device or simply tweak the standard execution path of a program.

No hacking without license

As mentioned in the official presentation, the BIS proposal  focuses on:

  • systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software;
  • software specially designed or modified for the development or production of such systems, equipment or components;
  • software specially designed for the generation, operation or delivery of, or communication with, intrusion software;
  • technology required for the development of intrusion software;
  • Internet Protocol network communications surveillance systems or equipment and test, inspection, production equipment, specially designed components therefor, and development and production software and technology therefor

Although we are talking about the United States Government, this proposal can lead to the revision of international agreements and thus have an important impact on the work of security researchers all around the world.

Initially mentioned in the Wassenaar Arrangement (WA) at the Plenary meeting in December 2013, the proposal is up to debate for another two months so make sure to submit a formal comment in the Federal Register.

Read more about this on the BetaNews website.

 

 

The post Hacking tools to become weapons of war appeared first on Avira Blog.

Avira

Unlimited Free Coffee at Starbucks? A Hacker Made It Happen

Leave a comment

Egor Homakov made it actually happen. In his blogpost he describes how he managed to find a way to generate an unlimited amount of money on Starbucks gift cards.

If you are like me the only thing you want to know now is “HOW?!” (and your second thought will probably be: I want this so bad!).  So let me curve your enthusiasm right now: Homakov of course did the right thing and reported the exploit to Starbucks.

Now back to topic! What the security expert did was to use a vulnerability called “race condition”. He bought three Starbucks card for $5 each and tried to use the vulnerability to transfer money between the cards without it being deduced.

“So the transfer of money from card1 to card2 is stateful: first request POST /step1?amount=1&from=wallet1&to=wallet2 saves these values in the session and the second POST/step2?confirm actually transfers the money and clears the session”, Homakov writes and continues: “After 5 failed attempts I was about to give up. Race condition is a kind of a vulnerability when you never know if the app is vulnerable, you just need to try some more. […]But yeah, the 6th request created two $5 transfers from wallet1 with 5 dollars balance. Now we have 2 cards with 15 and 5 (20 in total).”

The only thing left to do was to buy something with this money in order to deliver the  proof of concept. One chicken sandwich, a few bottles of water, and some gum later the new balance on his cards was $5.70.

Starbucks was pretty unhappy with the stunt despite Homakov adding the $10 to his account from his credit card and disclosing the bug immediately.  They might have been even unhappier though, if a lot of hungry and coffee addicted customers would have abused the system …

The post Unlimited Free Coffee at Starbucks? A Hacker Made It Happen appeared first on Avira Blog.

Avira

Millions of Android Phones Fail to Purge Data

Leave a comment

That basically means that your login data, mails, contacts, SMS, images, and videos can be retrieved at least partially. Not even a Full-disk encryption is of much help here: The flawed Android factory reset leaves behind enough data for the key to be recovered.

The study unveils five critical failures:

  • “The lack of Android support for proper deletion of the data partition in v2.3.x devices
  • The incompleteness of upgrades pushed to flawed devices by vendors
  • The lack of driver support for proper deletion shipped by vendors in newer devices (e.g. on v4.[1,2,3])
  • The lack of Android support for proper deletion of the internal and external SD card in all OS versions
  • The fragility of full-disk encryption to mitigate those problems up to Android v4.4 (KitKat)”

The researcher examined 21 Android phones that used version 2.3.x to 4.3 of the OS and were sold by five different vendors. Apart from being able to recover said data, they could also recover Google authentication tokens: “We recovered Google tokens in all devices with flawed Factory Reset, and the master token 80 percent of the time. Tokens for other apps such as Facebook can be recovered similarly. We stress that we have never attempted to use those tokens to access anyone’s account.”

So what to do if you want to sell your mobile? The study recommends filling up the partition of interest with random-byte files, to overwrite all unallocated space. In order for this to work you would have to install the third-party app that would fill the partition manually though because otherwise the Google credentials stored on the file system would not be erased.

Take a look at the study to find out more.

The post Millions of Android Phones Fail to Purge Data appeared first on Avira Blog.

Avira

Google Study: How Secure are Secret Questions?

Leave a comment

Right, I’m talking about the ‘secret questions’ that have long been used as a backup mechanism to reclaim accounts (for example if you have lost your password). It’s a pretty common method used by a lot of services, since they are an easy way to provide an extra layer of security. But now a new study by Google actually questions that. The researcher conducting the study claim that their “analysis confirms that secret questions generally offer a security level that is far lower than user-chosen passwords.”

For the study they analyzed hundreds of millions of secret answers and millions of account recovery claims from Google users and concluded “that in practice secret questions have poor security and memorability […] From millions of account recovery attempts we observed a significant fraction of users (e.g 40% of our English-speaking US users) were unable to recall their answers when needed. This is lower than the success rate of alternative recovery mechanisms such as SMS reset codes (over 80%).”

The security side does not fare much better. If you’d have to guess what an English-speaking user chose for an answer to the question “What’s your favorite food”, pizza would be the way to go: 19.7% apparently have the same taste. In a Spanish speaking country you’d have a 3.8% success rate at answering the “Father’s middle name” one correctly and with only 10 guesses you would be able guess the answer to “City of birth” for 39% of the Korean-speaking users. The fact that some 37% provide fake answers in order to make them harder to guess is of no help either. Apparently their little trick has the opposite effect since they now answer the questions in a predicable way.

The Google researcher conclude that it is almost impossible to find the perfect secret question: One that is both memorable and secure. Google itself prefers SMS and secondary email addresses to confirm a user’s identity but admits that those are not perfect either.

The post Google Study: How Secure are Secret Questions? appeared first on Avira Blog.

Avast

Avast Home Network Security is ideal for the self-employed

Leave a comment
Don't let your router be the weakest link when it comes to protecting your home business.

Don’t let your router be the weakest link when it comes to protecting your home business.

For those of us who are self-employed and/or work from home, our houses are sacred spaces on both personal and professional levels. Although often overlooked, our routers hold the key to our productivity, as they provide the powerful and consistent network connection that we depend on in order to get our work done. Unfortunately, we often take these little guys for granted, and because of this, routers have become the weakest security point in many home and small business networks these days.

“Unsecured routers create an easy entry point for hackers to attack millions of American home networks,” said Vince Steckler, chief executive officer of Avast. “If a router is not properly secured, cybercriminals can easily gain access to an individual’s personal information, including financial information, user names and passwords, photos, and browsing history.”

Securing your router is vital for both you and your business

You may have heard about the recent NetUSB driver flaw that made millions of routers vulnerable to malicious attacks. Unfortunately, this is just one case surrounded by the larger issue of users not taking the necessarily precautions to properly secure their home networks.

Avast now features Home Network Security (HNS), which scans for home router security problems. Avast is the only security company to offer a tool to help you secure this neglected area. Avast Home Network Security scans a user’s home network and routers for potential security issues that could allow a hacker attack. The scan looks for misconfigured Wi-Fi networks, exposes weak or default Wi-Fi passwords, vulnerable routers, compromised Internet connections, and enabled, but not protected, IPv6. It also lists all devices on the network so you can make sure only your known devices are connected.

In addition to protecting your devices using Avast Home Network Security, there several steps you can take in order to further improve your router’s security.

  • Change the default admin username and password to a strong password. Do not use default passwords because they’re generated from well-known algorithms that makes hacker attacks even easier. Do not use your name, date of birth, home address or any personal information as the password.
  • Turn off WPSthe automated network configuration method that makes your wireless password more vulnerable to hacker attacks.Turn on WPA2 encryption and, if you can, protect it with a strong password.
  • Change the default admin username and password to a strong password. Do not use default passwords because they’re generated from well-known algorithms that makes hacker attacks even easier. Do not use your name, date of birth, home address or any personal information as the password.
  • Upgrade your router firmware to fix known vulnerabilities of the router.
  • Don’t forget to log out after managing the router, avoiding abuse of the authenticated browser sessions.

Protect your router against malicious attacks with Avast Home Network Security.
Avast Home Network Security's scan helps you keep your router secure and safe from hackers.
Results are shown once Avast Home Network Security's scan is complete.

 

The Home Network Security Solution is available in free and paid versions of Avast. Get it at www.avast.com.


// <![CDATA[
!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?’http’:’https’;if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+’://platform.twitter.com/widgets.js’;fjs.parentNode.insertBefore(js,fjs);}}(document, ‘script’, ‘twitter-wjs’);
// ]]>

Avira

Watch OS 1.0.1 for the Apple Watch Released

Leave a comment

With Watch OS 1.0.1 Apple has released the first update for its watch. While it doesn’t include any flashy new features you should definitely make sure to install the patch as soon as possible, since it includes fixes for several critical security issues.

One of them is the well known FREAK bug, the SSL/TSL vulnerability which was disclosed in March. The vulnerability can allow hackers to perform a Man in the Middle (MITM) attack on traffic routed between a device that uses the affected version of OpenSSL and many websites, by downgrading the encryption to an easy to crack 512 bits (64KB).

Other than that the update includes fixes for vulnerabilities that could lead to arbitrary code execution, disclose information, cause a denial of service, redirect user traffic to arbitrary hosts, and bypass network filters.

According to Macworld Watch OS 1.0.1 also improves your Apple Watch’s performance, adds seven new languages, and support for new emoji.

To install the new Watch OS just do the following: Open your Apple Watch app on your iPhone and go to My Watch > General > Software Update. Make sure that the watch is within range of the iPhone and connected to a charger. It should also be at least 50 percent charged.

The post Watch OS 1.0.1 for the Apple Watch Released appeared first on Avira Blog.

Avira

Avira Offers PRIVATE WiFi Encrypted VPN in new bundle

Leave a comment

Users who purchase the new bundle will be fully protected against malware and data theft. Our Antivirus Pro is built upon some of the most cutting-edge antivirus technologies available, allowing millions of users around the world to no longer worry about malware.

PRIVATE WiFi Encrypted VPN completes the package perfectly, as it provides users with a personal VPN (Virtual Private Network) to automatically encrypt data transferred over any WiFi network.

Protection on the move with your personal VPN

“Avira and PRIVATE WiFi Encrypted VPN have a common mission: to offer people best-in-class digital protection, wherever they are. In a world with increasing mobility, we decided to provide our customers with protection on the move: our German engineered antivirus that fights against all types of viruses, combined with a professional encryption service that prevents any phishing attacks from happening” said Thorsten Bruchhaeuser, EVP Sales and Business Development at Avira.

With all the hidden dangers encountered by users accessing public WiFi hotspots, it has become essential for users to add an extra layer of protection for their sensitive data. An encrypted VPN will stop hackers from intercepting private data from their devices, regardless of the method chosen by the attackers: rogue WiFi access points, man-in-the-middle attacks or software sniffers.

Alok Kapur, President and Chief Operating Officer of PRIVATE WiFi said “We are excited to join forces with Avira in creating a complete protection bundle. Users who purchase the package will be in possession of the best weapons to fight against all types of digital attacks and they will no longer have to worry about their private data ending up in the hands of others without their consent”.

Our new product bundle from Avira will be distributed via its partner network globally and will be available both in German and in English.

The post Avira Offers PRIVATE WiFi Encrypted VPN in new bundle appeared first on Avira Blog.

Avira

Avira Offers PRIVATE WiFi Encrypted VPN in new bundle

Leave a comment

Users who purchase the new bundle will be fully protected against malware and data theft. Our Antivirus Pro is built upon some of the most cutting-edge antivirus technologies available, allowing millions of users around the world to no longer worry about malware.

PRIVATE WiFi Encrypted VPN completes the package perfectly, as it provides users with a personal VPN (Virtual Private Network) to automatically encrypt data transferred over any WiFi network.

Protection on the move with your personal VPN

“Avira and PRIVATE WiFi Encrypted VPN have a common mission: to offer people best-in-class digital protection, wherever they are. In a world with increasing mobility, we decided to provide our customers with protection on the move: our German engineered antivirus that fights against all types of viruses, combined with a professional encryption service that prevents any phishing attacks from happening” said Thorsten Bruchhaeuser, EVP Sales and Business Development at Avira.

With all the hidden dangers encountered by users accessing public WiFi hotspots, it has become essential for users to add an extra layer of protection for their sensitive data. An encrypted VPN will stop hackers from intercepting private data from their devices, regardless of the method chosen by the attackers: rogue WiFi access points, man-in-the-middle attacks or software sniffers.

Alok Kapur, President and Chief Operating Officer of PRIVATE WiFi said “We are excited to join forces with Avira in creating a complete protection bundle. Users who purchase the package will be in possession of the best weapons to fight against all types of digital attacks and they will no longer have to worry about their private data ending up in the hands of others without their consent”.

Our new product bundle from Avira will be distributed via its partner network globally and will be available both in German and in English.

The post Avira Offers PRIVATE WiFi Encrypted VPN in new bundle appeared first on Avira Blog.

Avira

ErsatzPassword Gives Fake Passwords to Hackers

Leave a comment

The system, called ErsatzPasswords (German for: Replacement Password ), should make it much harder for hackers to crack passwords. That could especially come in handy with data breaches, where cybercriminals gain access to a lot of hashed passwords from the leaks.

Since passwords are normally encrypted (storing a plain-text password would be a huge security risk!) hackers need to decrypt them somehow. A common approach would be the brute-force attack, where one would try guesses repeatedly for the password and check them against the available cryptographic hash of it. Ordinary desktop computers can test over a hundred million passwords per second using password cracking tools like John the Ripper. And that’s where ErsatzPassword comes into play:

“[…] when an attacker exfiltrates the hashed passwords file and tries to crack it, the only passwords he will get are the ersatz passwords — the “fake passwords”. When an attempt to login using these ersatz passwords is detected an alarm will be triggered in the system that someone attempted to crack the password file”, says Mohammed H. Almeshekah, one of the authors of the paper. “Even with an adversary who knows the scheme, cracking cannot be launched without physical access to the authentication server.”

Sounds pretty cool and secure, right? If you want to find out more about the idea behind ErsatzPassword, take a look at the research paper or the code directly.

The post ErsatzPassword Gives Fake Passwords to Hackers appeared first on Avira Blog.

Avira

Hacker Hacked Into the Aircraft Engine Controls 20 Times

Leave a comment

Remember Chris Roberts? He was the hacker who wasn’t allowed to board his plane last month, when he talked on his Twitter account about the (lack) of airplane security and joked about hacking into the electronic control system.

It now turns out that while he might have been joking that one time, he actually hacked into IFE systems on aircrafts while in flight about 15 to 20 times, according to an FBI search warrant application filed in the U.S. District Court for the Northern District of New York. In the same warrant Roberts also claims that he was able to successfully command the system he accessed to issue the “CLB” (or climb) command. This caused one of the airplane engines to climb which resulted in a sideways movement of the plane during one of the flights.

He told WIRED: “That paragraph that’s in there is one paragraph out of a lot of discussions, so there is context that is obviously missing which obviously I can’t say anything about. It would appear from what I’ve seen that the federal guys took one paragraph out of a lot of discussions and a lot of meetings and notes and just chose that one as opposed to plenty of others.” And on his Twitter account he states:

Well, at least airlines seem to slowly wake up and confront reality now: United Airlines just started a bug bounty program that will award miles depending on the severity and impact of the reported bugs.

The post Hacker Hacked Into the Aircraft Engine Controls 20 Times appeared first on Avira Blog.