Tag Archives: Threats

New Study: 10 Out of 10 Smartwatches Vulnerable

A new study on the Internet of Things with focus on smartwatches released by HP revealed that of 10 smartwatches that were tested, all contain significant vulnerabilities and are a “risk that goes beyond the device”.

So what exactly are we talking about? According to the study (PDF) “the results of the research were disappointing, but not surprising.” There are deficiencies when it comes to authentication and authorization, privacy concerns, and problems with the implementation of SSL/TLS.

Their key takeaways are as follows:

  • “Data collected initially on the watch and passed through to an application is often sent to multiple backend destinations (often including third parties)
  • Watches that include cloud interfaces often employed weak password schemes, making them more susceptible to attack
  • Watch communications are trivially intercepted in 90% of cases
  • Seventy percent of watch firmware was transmitted without encryption
  • Fifty percent of tested devices offered the ability to implement a screen lock (PIN or Pattern), which could hinder access if lost or stolen
  • Smartwatches that included a mobile application with authentication allowed unrestricted account enumeration
  • The combination of account enumeration, weak passwords, and lack of account lockout means 30% of watches and their applications were vulnerable to Account Harvesting, allowing attackers to guess login credentials and gain access to user account”

So yes, it’s basically the same cycle as with most of the ‘newer’ tech gadgets. They get released, there is a big hype, but security only becomes important after lots and lots of reports on hacks, vulnerabilities, and the inevitable bad press. Think nothing of it guys, everything is just the way it always was …

The post New Study: 10 Out of 10 Smartwatches Vulnerable appeared first on Avira Blog.

Hacked Car Is Driven Into Ditch

Why? Because cars are now definitely hackable. It has been proven. By driving a Chrysler Jeep Cherokee in a ditch. Let me tell you guys: It didn’t end well for the car!

What basically happened is this: Two security researchers, Charlie Miller and Chris Valasek, were asked by WIRED writer Andy Greenberg to hack his car.

“I WAS DRIVING 70 mph on the edge of downtown St. Louis when the exploit began to take hold.

Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass,” he describes the experience.

But that was merely the beginning. After Greenberg entered the highway the two hackers cut the transmission. Yes, you’ve heard right. The results? The accelerator stopped working. The car got slower and slower. Cars were honking and driving by. But “the most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch.”

Are you not sure whether to believe the tale or not? Then just take a look at his experience yourself:

But how can something like that even happen? The issue apparently lies in a wireless service called Uconnect which connects these cars to the Sprint cellphone network. Uconnect is featured in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks. It not only controls the vehicle’s entertainment and navigation systems but also enables phone calls and offers a Wi-Fi hot spot! The researchers only had to find a vulnerability – which they did – to access and control the car’s system. Anyone who knows the IP address can gain access to it.

Luckily Chrysler released a patch – so make sure to apply it ASAP if you own one of the vulnerable cars. But while it fixes the described issue, how many others remain unfound, exploitable and dangerous?

The post Hacked Car Is Driven Into Ditch appeared first on Avira Blog.

Patch now: Microsoft Emergency Fix

Yesterday Microsoft released an emergency security update for all of the supported Windows versions (this means Windows 7, Windows 8/8.1, Windows RT and apparently even the unreleased Windows 10). The patch is supposed to fix a vulnerability that would allow hackers to access another computer easily. According to the company the flaw lies in the way the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts.

“An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft says in their security bulletin. “There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts.”

Microsoft also says that, while they had information indicating that the issue was public, there is no evidence that the vulnerability was used in any actual attack on customers.

The vulnerability itself was apparently found after going through loads of data from the Hacking Team email breach.

The post Patch now: Microsoft Emergency Fix appeared first on Avira Blog.

Adulterers Beware: Ashley Madison Hacked

Ashley Madison is a social network for people in relationships (mostly married, I’d guess) who want to have an affair. Now, according to Krebs on Security, the page has been hacked by “an individual or group that claims to have completely compromised the company’s user databases, financial records and other proprietary information”. Large parts of the stolen data have been posted online by The Impact Team, the people responsible for said hack.

Apparently The Impact Team decided to post the stolen data because, while Avid Life Media (ALM), the company that owns Ashley Madison, says that it will delete user profiles permanently for $19, that’s not happening, at least not completely. While there has been some controversy concerning this topic before, the reaction of The Impact Team seems rather extreme.

“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed,” the hacking group wrote.

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”

According to ALM CEO Noel Biderman the company’s investigation is ongoing. He also states that he believes that the breach was actually an inside job – perhaps by a former employee or contractor: “We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication. I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”

The post Adulterers Beware: Ashley Madison Hacked appeared first on Avira Blog.

United Airlines & New York Stock Exchange Suffer From Tech Issues

At the height of the summer season, the shutdown is upsetting the travel plans of thousands of tourists. United Airlines flies to 235 airports within the US, making one out of every six commercial flights in the country. The shutdown was attributed to “automation information” issues.

Earlier this year something similar had already happened to United Airlines. Back then a passenger, the founder and CTO of the tech firm Cloudstitch, tweeted that his pilot told passengers that the grounding was due to a possible hack of United’s computer network and the flight plan-delivery protocol used by every airline.

What happened yesterday is reminiscent of the May 31 issue of the Polish LOT airline in Warsaw – and the above-mentioned earlier hack of the United Airlines system in the US. In the Polish attack, hackers caused the airline’s ground computer systems to issue bogus flight plans.

Just hours later the New York Stock Exchange ran into similar problems. “I have spoken to the CEO of United, Jeff Smisek, myself. It appears from what we know at this stage that the malfunctions at United and the stock exchange were not the result of any nefarious actor,” U.S. Homeland Security Secretary Jeh Johnson says.

But even if no hackers were involved it definitely is a wake-up call: If something like that happens without any involvement of cybercriminals, how much worse would it be once one of them actually manages to screw around with all the tech?

The post United Airlines & New York Stock Exchange Suffer From Tech Issues appeared first on Avira Blog.