Tag Archives: Tony Anscombe

Shellshock vulnerability: should we be concerned?

We are continually hearing about bugs and vulnerabilities that could potentially be serious. The latest one, named ShellShock, can potentially be used to remotely take control of almost any system that is using a software component called Bash. This sounds devastating, and of course it could be, but don’t start running for the hills or deciding to unplug from the Internet quite yet.

Bash is a software component that exists on many Linux systems including Apple’s Mac OSX. As Linux is the operating system used on a large number of web servers, a bug like this could mean cybercriminals have the potential to exploit the vulnerability and cause harm to users of the web server or indeed to the company whose web server it is. They do this by inserting malware on the server that could potentially collect data, crack passwords or do something particularly malicious.

At the time of writing this blog there is already a large number of patches available that address this vulnerability for servers, and reputable companies have teams in place that watch for these alerts and update their servers to protect them and the users of the services they offer. A good example is our own security team here at AVG, who immediately ran an audit to see if we had any servers that may have this vulnerability, and they have already confirmed that our servers are safe.

 

If you are a Mac user should you be concerned and what do you need to do?

Apple has, as expected, reacted quickly and is releasing an automatic update to OSX that users will be prompted to install. They have also made it clear that the issue does not affect the majority and is an issue for power users that take advantage of the advanced UNIX services within OSX. If the previous sentence has baffled you then you are in the group that Apple say are not at risk.

Even as a power user at home you are likely to be sitting behind a firewall that would detect someone trying to execute commands on your machine and they would be blocked. However, bad guys may well try to trick users into installing files that could leave them more vulnerable to attack. A good rule is to not click something that you don’t recognize, and remember the update will only come directly from Apple. When you see the update appear on your Mac, install it immediately so that you stay safe.

There are also other devices in our homes that run Linux. Many of the routers and broadband modems we use to connect to the Internet also utilize Linux as an operating system and because of this we recommend you watch for updates from those vendors and take the action to install them. If your router is provided by your ISP then they should push the update to the router automatically.

It is good practice to allow the automatic updates on your devices so that they are maintained by the manufacturer of the device to protect you from issues like this. Having up to date anti-virus software installed and active is also of paramount importance in today’s environment where more of our data than ever before is held by us on our devices. The protection provided will detect and block an exploit such as this where cybercriminals attempt to install malware on your machine. AVG’s Free Antivirus is available for Mac and PC users and can be downloaded from www.avg.com

How to switch to AVG antivirus

Sometimes changing your security software can seem like a daunting and complicated task, especially if you’re not familiar with removing programs from your computer. There are many things to remember and check. It doesn’t always need to be complicated though. If you want to protect your Windows PC with AVG’s award-winning security software, there are just a few steps you need to take to make sure it goes to plan.

Follow these five tips to help you avoid any complications when switching to AVG’s security software and have a hassle-free experience:

Check your system specifications:

With any installation, you should check that your PC meets the minimum requirements for the software. This will ensure that it is compatible with your machine and that you have enough space and power to run it properly.

Action: You can find AVG’s requirements here: What are AVG system requirements and supported operating systems.

 

Ensure your system is up to date:

Security software can make alterations to your operating system, so it’s important to check that you are running the most current version of Windows. This will help prevent issues when AVG has to make changes to any system files.

Action:  Visit the Microsoft Windows Update page to make sure that you are running the most up to date version of Windows.

 

Remove other security software:

Before installing AVG security software, it’s important to check that you have removed any existing protection. It’s quite common for multiple installations of security software to conflict, as they can both alter your system at the same time and also degrade performance.

Action: If you are having difficulty removing any existing security software, check out this How to remove conflicting anti-virus products article.

 

Check you are logged in as Administrator:

In order for AVG to install properly, it needs to be done by the system administrator. This will ensure that the AVG installer has access to all the files necessary for it to complete successfully.

Action: Read this How to check if I’m using an administrative account article to make sure you are logged into Windows as an Administrator.

 

Install the latest version of AVG:

Whether you are reinstalling AVG or installing it for the first time, it is important to check that you are installing the latest version of our security software.

Action: For instructions on how to install the latest version of AVG, visit the How to download and install AVG article.

Tip: If you happen to experience any issues during installation, please refer to the article What to do when AVG installation is failing for help. 

Apple Pay and The New World of Mobile Digital Credit Cards

Amid the extravaganza of the Apple Watch and iPhone product launch this week, Apple also unveiled Apple Pay – a new mobile digital payment system, which is being touted by some as death for the “plastic” credit card.

By registering your MasterCard, Visa, and American Express cards to your Apple Pay wallet through iTunes, you will be able to use your Apple devices (the newly announced iPhone 6 and forthcoming iWatch) to make easy and secure mobile payments to merchants.

The payment system uses a one-time, transaction-specific dynamic security code, meaning your actual credit card number never gets transferred to the merchant, which reduces the chance of fraud. You can hear immediate analysis from our Tony Anscombe on Bloomberg TV here.

Lots of information around implementation remains to be seen. However, the Apple Pay system does boast early support by major credit card companies and banks.

Apple is using a short-range radio technology known as NFC (near-field communication) in both its smartwatch and the new iPhones in support of the application. NFC has been a feature in many other smartphones (including those by Google) but has failed to take hold to date. Market researcher Gartner estimated NFC was used for just 2% of total mobile payments last year, though that is expected to nearly double to $8.2 billion this year. Up until now, analysts say banks couldn’t see a business case for NFC instead of simply issuing their own smart cards.

Smart cards, aka EMV cards (an acronym for Europay, MasterCard and Visa), are revamped credit cards with microchips that store your data on the card. This approach also limits the retailer from holding your data; data resides on your card and the embedded microprocessor chip encrypts transaction data differently for each purchase.

The catch with the chip cards, until now, is that most retailers don’t have the technology for them yet… But that is also expected to change quickly. Walmart is already there. Major retailers like Target and Home Depot have announced plans to roll out the EMV payment systems. I just received a replacement Amex card with the EMV technology.

(BTW, in other related news, Home Depot revealed this week that its payment systems had been hacked, possibly compromising customer data over its 2,000+ outlets in the U.S. and Canada. This is potentially a bigger data breach than the one that unfortunately befell Target last December.)

There is also added incentive for EMV adoption: in October 2015, new standards will go into effect, changing how liability falls between credit-card issuers and retailers. While EMV compliance won’t be mandatory, liability for fraud will fall on the party that hasn’t upgraded their systems. You can read more about EMV and the upcoming so-called “liability shift” here.

In the meantime, what can you as a consumer do to keep your credit data safe?

Here are a few recommendations:

  • Report lost cards or discrepancies immediately.
  • Review your account often.
  • Keep your receipts, and match them against your credit card statement.
  • Shred your statements.

 

And what if you are a business owner? You should familiarize yourself with EMV and the upcoming standards and, if possible, look to upgrade to a credit-card machine that is EMV capable. (You can also take AVG’s data security Health Check to make sure you are on top of your responsibilities in the case of any data compromises.)

We in the industry are working to evolve data security and make it better.  In the meantime, as a consumer, an owner or an operator, stay alert and protect yourself.

One thing is for certain, we are on the verge of a whole new era of credit card security risks.

 

****

On a separate note: Congratulations to Megan Smith on her appointment as the US CTO. Bravo!

California Earthquake serves up privacy reminder

This weekend’s earthquake near American Canyon has highlighted the risk of living in the Bay Area and also given us all insight to how people behave in today’s connected world.

The speed at which tweets started appearing of people sharing their experiences shows that many of us are sleeping with a connected device next to the bed that is the first thing we grab for when awoken in the middle of the night. Now though, our connected devices are no longer relegated to the nightstand, but instead are in bed with us.

After the quake, an interesting story emerged from Jawbone, the manufacturer of a fitness/sleep tracker, UP. They have released data on the number of people that were woken by the earthquake based on location and the epicenter. The data is interesting: 93 percent of UP wearers in Napa, Sonoma, Vallejo and Fairfield woke up instantly, while just over half did in the areas of San Francisco and Oakland. And 45 percent of those within 15 miles of the epicenter then remained awake for the remainder of the night. The data gives you some indication of the magnitude and effect the earthquake had on people.

While the information is very interesting and offers fascinating insight into human behavior, it does also serve as a gentle reminder that as we connect our lives to the Internet, that data takes on a life of its own.

I wonder if the users of fitness/sleep devices are aware that their data could be used for analysis such as this? While the data Jawbone shared was anonymous and pretty much harmless, it does make me think, what else is being collected? What other insights do they have into our daily lives?

Fitness/sleep trackers collect information about the user, and most of it is of a very personal nature and includes name, gender, height, weight, date of birth and even what you eat and drink if you are logging this in the app. Now couple this with location data that is being collected and you may even be able to understand where people regularly work out or go to eat.

I use a fitness tracker and as a user I limit the sharing of my data. I have switched off the sharing through social media as I don’t think my friends and family really need to know how many steps I took today. But I do understand that many users bounce off their friends as motivation to do more exercise, which is not a bad thing if that’s the way you get your motivation.

 

Checking privacy policies

It sounds boring but I would absolutely advise reading the privacy policy of a fitness tracker before purchasing/installing. It cannot hurt to be more informed about what you are agreeing to reveal about yourself and who you are happy to share that information with.

After all, it’s your data; it should be up to you how it gets used.