Tag Archives: Hacking

Avira

Do Millennials Suck When It Comes To Security?

Millennials (or Generation Y) are those who were born from the early 1980s to the early 2000s. A study now looked at the impact which generational attitudes have toward security issues and compared Millennials Generation X/Gen X (those born between 1965 and 1980) and the “baby boomers” (born between 1946 and 1964).

You would normally think that the Millennials know what they are doing when it comes to technology, considering that most of them grew up with it. But while it is a big plus when it comes to handling devices and navigating around the net, the sense of well-being also seems to be their Achilles heel and leads them to being more careless with privacy concerns and a few other security aspects. The study backs this up with some key findings:

  • “Millennials have the worst password reuse habits of all demographics: 85 percent admit to re-using credentials across sites and services.
  • Risky behavior can be found across demographics: 16 percent of millennials and 14 percent of Gen-Xers accept social media invites from strangers “most of the time.”
  • Millennials are most likely to find security workarounds: A combined 56 percent admit they would “very” or “moderately likely” evade restrictive workplace controls. “

On the other hand, the paper also shows that the other included generations show risky behavior as well (though not in the same areas: Baby Boomers for example may pose a rather big BYOD risk; 48% use personal devices to access work related content).

Nonetheless it would seem that Millennials are easy prey for hackers: Reusing passwords and being too trusting on social media (which may or may not lead you to fall victim to social engineering) can lead to unwelcome results.

The post Do Millennials Suck When It Comes To Security? appeared first on Avira Blog.

Avira

100,000 Tax Accounts Breached Through IRS “Get Transcript” App

While nothing is impossible to breach you’d think that it would be really really hard to gain access to information like the one from the IRS. At least that’s what I thought – until I saw their press release today. According to the statement cybercriminals managed to illegally gain access to data from about 100,000 accounts by using the IRS’ very own “Get Transcript” app. Accessed data include things like addresses, birthdates, Social Security information, and the tax filing statuses.

Now don’t misunderstand the situation: The IRS has not been hacked. Well. Not in the usual sense of the word anyway. “These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer”, explains the IRS statement. What does that mean? The criminals collected a lot of data and information on a lot of unlucky people – be it through phishing of by buying data from shady online sources – and used them to actually access taxpayers past tax records.

According to the information supplied the attackers tried to access 200,000 accounts between February and mid-May which leaves them with a success rate of 50%.

Once the IRS identified the questionable attempts to gain access to its data it decided to shut down the “Get Transcript” app temporarily. The whole affair is now also under investigation of the Treasury Inspector General for Tax Administration and the IRS’ Criminal Investigation unit.

The IRS closes the statement with the following: “The IRS will be working aggressively to protect affected taxpayers and strengthen our protocols even further going forward.”

The post 100,000 Tax Accounts Breached Through IRS “Get Transcript” App appeared first on Avira Blog.

AVG

Has a plane been hacked mid-flight?

The FBI is investigating Chris Roberts, a security researcher, who claims to have taken control of an aircraft in midflight and made it drift sideways by controlling one of the engines. All this from a passenger seat and a connection through the entertainment system located under a seat.

Chris Roberts, who has demonstrated hacking many devices at Blackhat conferences, denies the claim and has tweeted

 

The FBI is reported to have interviewed Roberts a number of times in a recently published article on APTN, a Canadian news outlet. According to the article Roberts claimed he took control of an aircraft

Just one month ago, a GAO report warned of a vulnerability on aircraft where they claim that the avionics could be accessed through the entertainment system as they are connected through a common infrastructure. The GAO report was widely disputed by many industry experts as I detailed in a previous blog post.

This second incident has made me revisit the topic and makes me question whether or not I will be safe on my next flight. Once again, my conclusion is that I am. Here’s why:

  • The original conclusion that the two networks are not connected was based on expert commentary from Dr. Phil Postra a qualified pilot and professor of digital forensics at Bloomsburg University.
  • There is speculation that newer aircraft, specifically the Boeing 787 DreamLiner may have a single onboard network but experts say that even on these aircraft the flow of data is one way from the cockpit to the passenger network and that no traffic can fly in the opposite direction. This has been a speculative issue for the last 7 years, see this Fox news story.
  • The aircraft that Roberts reportedly hacked was ‘older’ and had the standard of separate networks for Avionics and Entertainment, which would imply that the hack may not have happened at all and may have just been a bit of bragging.
  • Since this story took to the mainstream press last month, I am certain that manufacturers of aircraft have tested and re-tested the security of the avionics systems and if necessary made the necessary changes. In fact, Roberts may have made the systems even more secure with just the rumor of a hack.
  • Lastly, aircraft are fitted with the ability for the pilot to take manual control and fly by wire, this is done through a disconnect switch in the cockpit. In the remote possibility someone did manage to mess with the avionics then I would trust one of the pilots to take control.

 

While there maybe doubt, speculation and differing views, there are many other systems that could potentially be hacked to disrupt a flight such as air traffic control systems or satellite positioning systems. These could be attacked from the ground and not require a hacker to be on board. It seems far more likely to me, that these would be the target of a person with malicious intent.

Will I be boarding an aircraft soon? Yes, next week. If the person sitting next to me gets out a screw driver and starts taking his seat apart to access networks cables I will call the crew over  and ask them to inform the pilot, I trust you will do the same.

Avira

Hacker Hacked Into the Aircraft Engine Controls 20 Times

Remember Chris Roberts? He was the hacker who wasn’t allowed to board his plane last month, when he talked on his Twitter account about the (lack) of airplane security and joked about hacking into the electronic control system.

It now turns out that while he might have been joking that one time, he actually hacked into IFE systems on aircrafts while in flight about 15 to 20 times, according to an FBI search warrant application filed in the U.S. District Court for the Northern District of New York. In the same warrant Roberts also claims that he was able to successfully command the system he accessed to issue the “CLB” (or climb) command. This caused one of the airplane engines to climb which resulted in a sideways movement of the plane during one of the flights.

He told WIRED: “That paragraph that’s in there is one paragraph out of a lot of discussions, so there is context that is obviously missing which obviously I can’t say anything about. It would appear from what I’ve seen that the federal guys took one paragraph out of a lot of discussions and a lot of meetings and notes and just chose that one as opposed to plenty of others.” And on his Twitter account he states:

Well, at least airlines seem to slowly wake up and confront reality now: United Airlines just started a bug bounty program that will award miles depending on the severity and impact of the reported bugs.

The post Hacker Hacked Into the Aircraft Engine Controls 20 Times appeared first on Avira Blog.

Avira

Was Sally Beauty Hacked Yet Again?

The cosmetic retailer states that it is investigating “reports of unusual activity” on payment cards used at some of their U.S. Sally Beauty retail stores.

“Since learning of these reports, we have been working with law enforcement and our credit card processor and have launched a comprehensive investigation with the help of a leading third-party forensics expert to aggressively gather facts while working to ensure our customers are protected,” the company says in a statement. “Until this investigation is completed, it is difficult to determine with certainty the scope or nature of any potential incident, but we will continue to work vigilantly to address any potential issues that may affect our customers.”

In last year’s beach more than 25,000 records of Sally Beauty customers were affected, including sensitive information like payment card numbers and security codes. The data went on sale on Rescator, a rather popular underground crime store.

Customers who are concerned about the security of their payment cards are advised to call the companies Customer Service Hotline, where the individual concerns will be addressed. Once available further updates will also be released on sallybeautyholdings.com.

For further information read the companies official statement over here or find out more about last year’s hack.

The post Was Sally Beauty Hacked Yet Again? appeared first on Avira Blog.