For those of you keeping track, you can add high-tech sniper rifles to the growing list of Things That Can be Hacked. The vulnerability that allowed two security researchers to break into the computer guidance system of a sniper rifle is the same that allows hackers to access baby monitors and home routers. Simply put, the default Wi-Fi password, which was locked by the manufacturer, allowed anyone within range to connect. The typical range is up to 150 feet (46 m) indoors and 300 feet (92 m) outdoors.
In advance of the Black Hat conference this month, security researchers Runa Sandvik and Michael Auger, have demonstrated that they can hack TrackingPoint precision-guided firearms.
The TrackingPoint rifles can make a sharpshooter out of a novice. This is thanks to the computer-aided sensors including gyroscopes and accelerometers which take into account all the factors that a sniper scout would look for; wind, speed of the target, distance, snipers orientation, ammunition caliber, even curvature of the earth.
I asked Steve Ashe, a veteran of Desert Storm and Desert Shield, who collaborated closely with the sniper team what he thought about such technology. “Trained scouts and snipers must master a set of physical and mental skills that is beyond the reach of most people. This type of rifle can never replace that. Besides being crack shooters, they are in excellent physical condition, able to do complicated calculations in their heads and have mastered field craft such as land navigation, stalking and range estimation.”
One of the features of the TrackingPoint rifle is the ability to video stream your shot and share the view from the scope to another device connected via Wi-Fi. It’s this connection to Wi-Fi that turned out to be the weak point. The gun’s network has a default password that cannot be changed.
Nonprofit organizations operate on extremely tight budgets. Michael Hensley, Information and Facilities Officer at NeighborImpact doesn’t let that stand in the way of his organization’s mission. The Avast team recently spoke with Hensley about his work and how Avast for Business has helped him.
“We are a non-profit human-services agency serving 3 counties in central Oregon.” Hensley said, “Our staff is not very tech-savvy and we’ve had significant issues with that. We needed something simpler.”
Hensley recently switched NeighborImpact to Avast for Business security software and explained what made him choose the new cloud-based solution.
“The fact that it’s cloud-based is the primary feature that we needed. We have offices and classrooms distributed throughout the area. We are able to monitor all of our computers from the web-console which has shown consistent improvement.” Hensley went on to say that “viewing all of our devices from one place is really convenient.”
Hensley said that his nonprofit used to use Bitdefender but switched because it was too expensive.
“I was somewhat familiar with Avast. I knew it was a reputable company that had been around for a while. When I discovered Avast for Business and weighed the options it was the natural choice. It’s simple, cloud-based, and free.”
NeighborImpact was able to save enough of their precious budget by switching to Avast for Business to make a big impact on NeighborImpact’s server upgrade.
“The savings on software were extremely helpful in budgeting for our hardware upgrade. The extra money allowed us to get hardware in a different category than we otherwise would have been able to afford.”
Avast for Business can save your non-profit, company, or school money and time. Sign up on the Avast website.
After a while, your phones and tablets accumulate obsolete files and superfluous data, system caches, gallery thumbnails, and programs. This ‘junk’ slows down your device and eats up precious storage space.
Avast Cleanup identifies and cleans unwanted files from your Android device so it will run like a champ again.
Our new free app, Avast Cleanup & Boost for Android, cleans away all the unwanted files and programs so that your device is running smoothly and quickly with storage space to spare. But don’t take our word for it.
This week’s episode of Mr. Robot was an exciting one for us here at Avast – our product made an appearance on the show! In addition to the exploit Avast blocked, there were many other interesting hacks in this week’s episode, which I discussed with Avast security experts, Filip Chytry and Jiri Sejtko.
Minute 7:00: Elliot is in his apartment with Isaac and DJ. Something about Vera’s brother, Isaac, bugs Elliot and what does Elliot do when he is bugged by someone? He hacks them!
Stefanie: We see Elliot once again turn to the Linux distribution, Kali, to hack Isaac’s cell phone. He seems to do this within a matter of seconds, how easy is this to do? Later on, when Elliot visits Vera in prison, we learn what Elliot plans to auto-send information from Isaac’s phone to himself. This seems really intrusive and couldn’t Isaac just get a new phone?
Filip Chytry: This is a more advanced hack and unless Elliot had everything prepped before they entered his apartment, this would taken a lot more time to execute (but this is a TV show, so things sometimes happen faster on TV then they do IRL). The Linux distribution Kali, a popular tool for penetration testing, can be used to plant code on a device. But, Isaac’s phone would have had to be connected to either Elliot’s Wi-Fi network or Elliot could have set up a fake Wi-Fi hotspot using a popular network name like “Starbucks Wi-Fi” or “ATT Wi-Fi”, a Wi-Fi network Isaac’s phone had connected to before and would connect to automatically. Elliot would then use Kali to exploit a vulnerability in Isaac’s phone and plant code to send information from the phone to Elliot’s chosen destination. Since Elliot told Vera about this, Vera could have told Isaac and Isaac could have gotten a new phone, but Isaac was not given a happy end in this episode…
Earlier this week, security researchers unveiled a vulnerability that is believed to be the worst Android vulnerability yet discovered. The “Stagefright” bug exposes nearly 1 billion Android devices to malware. The vulnerability was found in “Stagefright”, an Android media library. Hackers can gain access to a device by exploiting the vulnerability and can then access contacts and other data, including photos and videos, and can access the device’s microphone and camera, and thus spy on you by recording sound and taking photos.
All devices running Android versions Froyo 2.2 to Lollipop 5.1.1 are affected, which are used by approximately 95% of all Android devices.
The scary part is that hackers only need your phone number to infect you. The malware is delivered via a multimedia message sent to any messenger app that can process MPEG4 video format – like an Android device’s native messaging app, Google Hangouts and WhatsApp. As these Android messaging apps auto-retrieve videos or audio content, the malicious code is executed without the user even doing anything – the vulnerability does not require the victim to open the message or to click on a link. This is unique, as mobile malware usually requires some action to be taken to infect the device. The malware could also be spread via link, which could be sent via email or shared on social networks, for example. This would, however, require user interaction, as the video would not load without the user opening a link. This exploit is extremely dangerous, because if abused via MMS, victims are not required to take any action and there are neither apparent nor visible effects. The attacker can execute the code and remove any signs that the device has been compromised, before victims are even aware that their device has been compromised.
A cybercriminal’s and dictator’s dream
Get your small business up and running with free software.
Getting a new business off the ground is not an easy task and can be quite costly, but there are a lot of free software and services available online that your new or small business can use as an alternative to paid-for products.
Here is a list (in alphabetical order, so no favorites ) of some you will find useful:
Avast for Business – cloud-managed security
Avast not only provides consumers with free security, but we also provide small and medium sized businesses with free cloud-managed protection. Avast for Business is easy to install and can be managed from anywhere and at anytime.
Facebook Page – alternative to building your own website
If you’re a restaurant owner or a small boutique you could also, either in addition to or instead of hosting your own website, create a Facebook page for your business. You won’t be able to sell items online, but you can add your business’ address and directions, opening hours, a description of your business and post images and status updates to inform your customers of new items on your menu or of new items available for sale in your store.
Fundera – loans for your business
Fundera is a free service that offers you loan options and lets you choose the one best suited for your small business. All you need to do is fill out a short questionnaire and then you are presented with loan products, lenders and rates and can apply to the lenders that fit you best with only one application.
Here’s your wrap up of security and privacy related news from the first half of July.
Every week we invite a security expert to talk us through the hacks on Mr. Robot, USA Network’s summertime hit TV show. We want to know if they are real or a Hollywood version of cybercrime? Read our weekly reviews of the hacks:
- Pilot episode 1: Are the hacks on Mr. Robot real?
- Episode 1.1: Mr. Robot Review: Ones and Zer0s
- Episode 1.2: Mr. Robot Review: d3bug.mkv
- Episode 1.3: Mr. Robot Review: da3m0ns.mp4
- Episode 1.4: Mr. Robot Review: 3xpl0its.wmv
It’s too bad that hacking is not just for TV and movies. Even trusted websites can fall victim to cybercrooks. Online shopping just got a little more risky when the largest e-commerce platform was hacked in order to spy on customers and steal credit card data.
A team of malware authors is playing a cat and mouse game with Google. The game goes like this: they upload their malware, Google Play quickly takes it down, they upload a new mutation and Google takes it down. Current status of the game: the malware is back on Google Play. So far, the malicious apps have infected hundreds of thousands of innocent victims.
In April, we discovered porn clicker malware on Google Play posing as the popular Dubsmash app.
Two days ago, we reported that a mutation of the porn clicker malware, created by a Turkish group of malware authors, made its way back onto Google Play, but have since been removed from the Play Store.
Once the apps were downloaded they did not do anything significant when opened by the user, they just showed a static image. However, once the unsuspecting victim opened his/her browser or other apps, the app began to run in the background and redirect the user to porn sites. Users may not have necessarily understood where these porn redirects were coming from, since it was only possible to stop them from happening once the app was killed. Fellow security researchers at Eset reported that more apps with this mutation were on Google Play earlier this week. Eset also reported that the original form of the malware was uploaded to Google Play multiple times in May. Our findings combined with that from Eset, prove that these malware authors are extremely persistent and determined to make Google Play a permanent residency for their malware.
I’ll be back…
Driving under the influence of alcohol or texting while driving is still a bigger risk to your safety on the road, but the hacking experiments conducted on technology-heavy cars might be an indicator of break-downs to come.
Two security engineers proved that a car is not just a transportation device to get from point A to point B, but a vulnerable combination of individual software systems that can be hacked.
Back in 2013, Charlie Miller and Chris Valasek hacked a 2010 Ford Escape and a Toyota Prius. The two researchers demonstrated the ability to send commands from their laptop that did things like jerk the steering wheel, give false readings on the speedometer and odometer, sound the horn continuously, and slam on the brakes while going down the road.
They have done it again, this time with a 2014 Jeep Grand Cherokee.
The rule of thumb for managing devices is one IT Administrator for every 100 computers or devices. Five hundred is difficult to manage for an entire IT department, let alone one IT Administrator. But, Gary Myers is up to the task.
The Avast team caught up with Myers recently to see what he thinks about the new Avast for Business product. “They say you should have one person for every 100 devices so it’s definitely a challenge.”
Gary explained how he chose new Avast for Business as his security solution. “I’ve been using Avast for a long, long time, so when I saw that there was a new business product, I knew I should give it a try.” Myers says that Avast is a step above the rest and he switched to Avast for Business because he wanted the new features of the cloud-based product.