Just about a year after a plethora of celebrities’ nude photos were leaked online, two homes in south Chicago have been raided and investigators have named one of the suspected hackers. As this controversial story and investigation continues to unfold, Avast researchers have come up with a few speculations regarding the origin and motivation behind the initial hack. We’ve discussed the case with one of Avast’s security researchers, Filip Chytry, who has put in his two cents about the situation:
GR: Why might have Apple not flagged or investigated an IP address’ 572 iCloud logins and attempted password resets?
FC: “Putting it simply, Apple just doesn’t have security implemented on this level. Even though they might sound large to us, attempting to track this number of logins and attempts to reset passwords is similar to discovering a needle in a haystack when it comes to Apple’s ecosystem. Read more…
Earlier this week, Microsoft confirmed that the Windows 10 official launch date will be on July 29 and will be available as a free upgrade to Windows 7 and Windows 8.1 users (for one year). This latest OS will be available to pre-order in the upcoming weeks when it launches in 190 different markets across the globe. In anticipation of Microsoft’s exciting new OS, this Techradar article takes a brief look at the operating system’s past:
With Windows 8 and today Windows 8.1, Microsoft tried – not entirely successfully – to deliver an operating system (OS) that could handle the needs of not only number-crunching workstations and high-end gaming rigs, but touch-controlled systems from all-in-one PCs for the family and thin-and-light notebooks down to slender tablets.
Now, Windows 10 has emerged as an operating system optimized for PCs, tablets and phones in unique ways – a truly innovative move from Microsoft’s side. Its big reveal is now quickly approaching, and tech enthusiasts everywhere are curious to see how this OS will measure up.
Will Avast be compatible with Windows 10?
By the end of the decade, everyone on Earth will be connected.
–Eric Schmidt, Google chairman
As a rule of thumb, it’s good to keep in mind that anything and everything that can be connected to the Internet can be hacked. Poorly designed or implemented systems could expose serious vulnerabilities that attackers can exploit. Now, most of us are fairly familiar with certain gadgets that can be connected to the Internet, such as mobiles devices and/or laptops, smart watches, and cars, but what about the things that are still emerging within the Internet-connected world? Some of these new items include routers, sensors, and everyday gadgets such as alarm clocks, wearables, microwaves, and grills.
For those of us who are self-employed and/or work from home, our houses are sacred spaces on both personal and professional levels. Although often overlooked, our routers hold the key to our productivity, as they provide the powerful and consistent network connection that we depend on in order to get our work done. Unfortunately, we often take these little guys for granted, and because of this, routers have become the weakest security point in many home and small business networks these days.
“Unsecured routers create an easy entry point for hackers to attack millions of American home networks,” said Vince Steckler, chief executive officer of Avast. “If a router is not properly secured, cybercriminals can easily gain access to an individual’s personal information, including financial information, user names and passwords, photos, and browsing history.”
Just because logging in with your finger is convenient doesn’t mean it’s the best method to use.
Some days ago we told you about increasing your security on sites and in services by using two-factor authentication. More and more services are using this two-factor log in method. They require that you use “something you know” like a PIN or a password, “something you have” like a token app in your smartphone, and even “something you are” like your fingerprints, for instance.
Many top smartphones – starting with iPhone 5s and newer Androids – are moving to fingerprint authentication technology. That means you can unlock your phone using your finger. It’s more convenient than typing a PIN or password because you always have your finger with you (we hope!). And you would think that it is more secure than using a gesture or pattern to unlock it.
Unfortunately, it’s not. Here’s why:
The authentication process requires that a site or a service (or your smartphone) could recognize you for a thing you know: A PIN or a password. This information must be stored in the service server (or hardware) and it must be matched, i.e., the combination of two pieces (generally username and password) must match to allow access to the right person.
Both you and the service must know this secret combination. But that’s the problem; nowadays, a lot of sites and services have been compromised and pairs of username/passwords have been hacked and sold on the black market.
But what about using your fingerprint? It’s the same scenario. The information about your finger and the technology to match your fingerprint is stored in servers. If they are hacked, your exact, and only, information would be in their hands.
It gets worse.
You can change your credentials to log into a site or service, but you can’t just change your finger! Well, most of us have 9 more chances after the first one is compromised, but still - there are more than just 10 services you want to use. You can change your passwords indefinitely, you can use a stronger password, you can use a password generation service - you’ve got the idea… But you don’t have that many choices with your fingerprint.
It gets even worse.
Everything you touch reveals you. You’re publishing your own secret.
Can you imagine banks or stores letting you use your fingerprint to gain access to your account without even a card? Coincidentally, just hours ago a news report was published saying the Royal Bank of Scotland and MasterCard recently made announcements regarding fingerprint authentication services. They announced that customers can log into the banks’ mobile banking app using their fingerprint. It’s interesting that this article says 16- to 24- years olds are driving this decision because
they want to avoid security slowing down the process of making a payment, with 64% of those surveyed saying they found existing security irritating.
This decision by major banks does not give us confidence in the security of the younger generation and their bank accounts. We venture to wonder about the police with their databases full of prints. What could be done with millions of fingerprints stored by the government?
By the end of last year, young researchers from the Chaos Computer Club showed that your fingerprints could be obtained by photos of your hands and from anything you touched. See the full presentation in this YouTube video. If you have the curiosity to see all the video, you’ll see that using your iris could also be simulated with high quality printed photos. At 30:40 starts the iPhone fingerprint hacking. They took 2 days to develop the method and presented it in a few minutes. Amazing and scary.
Here’s another video with a quick summary of the research.
How to make yourself and your phone more secure
This blog is a source of great information. Earlier this month, we shared 14 easy things you can do right now to make your devices more secure. Please read 14 easy tips to protect your smartphones and tablets – Part I and Part II.
As always, make sure your Android device is protected with Avast Mobile Security. Install Avast Mobile Security and Antivirus from the Google Play store, https://play.google.com/store/apps/details?id=com.Avast.android.mobilesecurity
Question of the week: I use two-factor authentication when logging into my accounts to keep them safe, but what happens if I lose my phone? Can I still access my accounts?
Security-minded individuals know the benefits of using two-factor authentication to keep their online accounts safe. For those of you who are not familiar with it, two-factor authentication is a security process which uses a combination of two different components, like something that you know, a master password or PIN, for instance, and something that you possess, like a token which can generate a number code or, more conveniently, your smartphone.
Using these two things in combination can provide unique identification when entering a site because you provide the password as well as a one-time use security code generated by your security token. If someone learns your password, your accounts are still protected because they need the security code too. Two-factor authentication can reduce the incidence of identity theft and phishing, and we suggest the use of it.
There are a number of authenticator apps made for Android smartphones. For example, Google Authenticator lets you use a security code and your own password for sites and services like Facebook, Dropbox, Evernote, and WordPress. The app creates a link between your account and your device.
I lost my phone. How do I access my accounts?
If you are so security-minded that you use two-factor authentication to begin with, then you have probably taken precautions before you lose your phone. The majority of authenticator services allow a way to recover your access and remove the authorized device from your account. That is, if you change your mobile device, then you can disable the two-factor authentication from your account before doing so. Most commonly, you would use backup codes, send the codes via SMS to a trusted backup phone, or use a trusted computer. Sometimes, the service providers take several business days to verify your identity and, if possible, grant you access again.
But, if you failed to plan ahead and you lose your phone or if you buy a new smartphone without disabling the account, to use two-factor authentication again, you’ll need to install an authenticator app on your new device. The old device and the old backup codes won’t work anymore. Some of the sites you have synced to may also have their own procedure, for example, Dropbox.
Recently, an app is making the use of this security measure much more convenient. Authy is an app that manages your two-factor accounts on Android devices, iPhones, and even your PC. Any of these devices could be used to generate tokens and sync with each other. One authorized device could de-authorize a stolen one. A master password could block the access to Authy in these multiple devices and your settings are all kept encrypted locally. Neither Authy’s developers nor hackers would be able to access the tokens.
Maybe this complex recovery process is what does not make two-factor authentication omnipresent. But, after all, you just need to take a few precautions to increase your security a lot.
Of course, it’s better not to lose your devices and for this, you should install and configure Avast Anti-Theft, which can help you find a lost device and even recover a stolen one with its tracking features. It can be downloaded and used for free from the Google Play Store.
One small Android application shows lots of determination and persistence. Too bad it’s evil.
The year 2014 was significant with a huge rise in mobile malware. One of the families impacting our users was malware Fobus, also known as Podec. This malware poses as a more or less useful application, but for sure it won’t be what the user expects. This malware usually has two language versions, English and Russian, and applications seem to be generated automatically.
All that, and a bag of chips
From the permissions in the manifest, we can see that once Fobus is installed on the victim’s device it cannot only send SMS and call premium numbers, which may cost a lot of money, but it also works as Spyware and can steal personal data from the infected device. That’s a lot of bad stuff packed into one small application.
Next up is a bit more technical stuff. If you are really eager, skip to Me thinks that something is amiss section to see how it works. Read more…
We simply need to follow some rules to control and prevent system penetration and also bandwidth theft (and losing money!). Safeguard your valuable information available through your home wireless connection and do not be easy target for hackers!
Here are 12 ways to boost your router’s security:
1. Install your router in a safe place where the wireless signal is available only inside your own house. Avoid placing it near to a window.
2. Turn off WPS, the automated network configuration method that makes your wireless password more vulnerable to hacker attacks.Turn on WPA2 encryption and, if you can, protect it with a strong password.
3. Change the default admin username and password to a strong password. Do not use default passwords because they’re generated from well-known algorithms that makes hacker attacks even easier. Do not use your name, date of birth, home address or any personal information as the password.
4. Upgrade your router firmware to fix known vulnerabilities of the router.
5. Don’t forget to log out after managing the router, avoiding abuse of the authenticated browser sessions.
6. Disable remote management of the router over the internet. In a business environment, if you need this management, it will be safer to use NAT rules allowing SSH or VPN access only.
7. To prevent CSRF attacks, don’t use the default IP ranges. Change the defaults 192.168.1.1 to something different like 10.8.9.7.
8. To prevent ROM-0 abuse of your router (i.e., access to the secret data stored in your router: your ADSL login/password combination and WiFi password), forward port 80 on the router to and non-used IP address on your network. Check how-to here.
9. Set your router DNS servers to automatic mode (or DHCP) or for a static value that you manually set exactly according to your ISP.
10. Disable IPv6 on the router or, if you really need IPv6 services, replace the router with a IPv6 certified one.
11. You can save bandwidth and allow only specific computers or devices to access your WiFi even if they have the security key to enter. Find the computer MAC address (the “physical address” listed with the command line ipconfig/all at a cmd window). Into your router settings, you should look for the Mac filtering settings to add this identifier there.
12. Use a secure VPN in open/public WiFi hotspots. You can read more on how Avast SecureLine can protect PC, Mac and Android devices in these situations. If you cannot avoid using public WiFi, then try not to log in or enter your credentials (specially banking or credit card ones), but also your email and phone number. If you really need it, always prefer the secure protocol HTTPS (check the browser address bar).
After the previous articles you should be convinced that router vulnerabilities are one of the major concerns in network security. As you already know, the new Avast 2015 version includes a security feature called Home Network Security (HNS) which scans your network and router for vulnerabilities and prevent threats.
One serious problem occurs when when IPv6 (Internet Protocol version 6) is enabled (both by the ISP and on the router), but there is no IPv6 firewall being used. Which means that anyone on the Internet can access devices on the network (like printers, network disks, etc.). This is often the case because the routers are small, embedded devices that cannot handle IPv6 firewalling.
The main advantage of IPv6 over IPv4 is its larger address space: it allows 2128 or approximately 3.4×1038 addresses (or sites) which is an enormous number! In addition to offering more addresses, IPv6 also implements features not present in IPv4: it simplifies address assignment, network renumbering and packets processing.
In fact, a proper IPv6 firewall requires quite some processing power and RAM, so it’s no wonder that many of the cheap routers don’t have that functionality at all (or it’s not working properly).
The remediation is relatively simple: Just disable IPv6 on the router. In most cases, this shouldn’t have any impact on other services, unless they require IPv6 (in which case, it would be good to replace the router with something better which is IPv6 certified).
Avast Internet Security and Premium products offer full support to IPv6 for your computer on our silent firewall. Take into account that other devices, like network drives connected to the router won’t be protected.
If your home router is hacked, you have a serious situation on your hands.
When an Avast Home Network Security scan finds that your router is already compromised, this notification will appear.
This means that the router has been hacked and the DNS settings have been modified to serve hacked contents to a cyberthief. This is a pretty serious situation. When hackers exploit router vulnerabilities, gain access to it, and modify the DNS servers settings, all your Internet traffic can be forwarded to rogue servers. This is called a man-in-the-middle attack.
The DNS or Domain Name System, is the “phone book” of the Internet, and an IP address is what’s listed in the book. DNS names computers, services, or any resource connected to the Internet or a private network. It translates easily memorized domain names, for instance, www.example.com, to the unique numerical IP addresses needed to locate the service worldwide.
What happens when your router is hacked?
Instead of connecting to a clean site or service, when your router is hacked, you’ll visit a rogue and hacked one. It’s obvious that your privacy will be violated, and your banking information could be captured – by the man-in-the-middle mentioned above. Even the usually secure SSL, the HTTPS protocol we have all been instructed to look for to indicate a secure site, won’t assure you’re protected. Instead, you’ll be proxied through malicious servers and the encrypted connection is cut in the middle. This illustration shows what happens.
This could also happen if your router is set to default/weak/factory password. So, the worst scenario of hacking is not that uncommon. See the latest news about webcams being hacked because of the owner’s using default passwords. Vincent Steckler, CEO of Avast, told VentureBeat that consumers are notorious for not updating default passwords, just as I’m talking about here. Some 63 percent of wireless routers run with default passwords, says Steckler.
The problem goes further than just one user or one device. The malicious effects can spread to all users in the local network, regardless of the operating system used.
How to protect ourselves against this plague?
First, scan your home network with Avast Home Network Security to verify if your device is compromised. If Avast alerts you, it’s already too late. You’ve already been compromised. You need to manually check the DNS servers in the router configuration.
By default, your router uses DNS servers automatically acquired from your Internet provider. All the devices on your network — PCs, smartphones, tablets, game consoles, and anything else connected to the network — get their DNS server from the router. You can change the DNS server on your router, therefore changing every other device on your network.
There are several good articles on the Internet about changing your DNS. Here’s one from howtogeek.com.
You also need to pay attention to your browser address bar. The HTTPS indicator should be there all the time. If it comes and goes, you may have already been compromised. In these cases, or for any other strange symptom you could be experiencing: Disable your Internet connection immediately and change the router username and password to unique ones (consult the router manual for instructions).
But, be warned, neither of these will be enough because if the router is vulnerable, it will take the attacker no time to change the settings back. Updating the router firmware or even changing it completely – as described in previous article – will be necessary.