For those of you keeping track, you can add high-tech sniper rifles to the growing list of Things That Can be Hacked. The vulnerability that allowed two security researchers to break into the computer guidance system of a sniper rifle is the same that allows hackers to access baby monitors and home routers. Simply put, the default Wi-Fi password, which was locked by the manufacturer, allowed anyone within range to connect. The typical range is up to 150 feet (46 m) indoors and 300 feet (92 m) outdoors.
In advance of the Black Hat conference this month, security researchers Runa Sandvik and Michael Auger, have demonstrated that they can hack TrackingPoint precision-guided firearms.
The TrackingPoint rifles can make a sharpshooter out of a novice. This is thanks to the computer-aided sensors including gyroscopes and accelerometers which take into account all the factors that a sniper scout would look for; wind, speed of the target, distance, snipers orientation, ammunition caliber, even curvature of the earth.
I asked Steve Ashe, a veteran of Desert Storm and Desert Shield, who collaborated closely with the sniper team what he thought about such technology. “Trained scouts and snipers must master a set of physical and mental skills that is beyond the reach of most people. This type of rifle can never replace that. Besides being crack shooters, they are in excellent physical condition, able to do complicated calculations in their heads and have mastered field craft such as land navigation, stalking and range estimation.”
One of the features of the TrackingPoint rifle is the ability to video stream your shot and share the view from the scope to another device connected via Wi-Fi. It’s this connection to Wi-Fi that turned out to be the weak point. The gun’s network has a default password that cannot be changed.
Driving under the influence of alcohol or texting while driving is still a bigger risk to your safety on the road, but the hacking experiments conducted on technology-heavy cars might be an indicator of break-downs to come.
Two security engineers proved that a car is not just a transportation device to get from point A to point B, but a vulnerable combination of individual software systems that can be hacked.
Back in 2013, Charlie Miller and Chris Valasek hacked a 2010 Ford Escape and a Toyota Prius. The two researchers demonstrated the ability to send commands from their laptop that did things like jerk the steering wheel, give false readings on the speedometer and odometer, sound the horn continuously, and slam on the brakes while going down the road.
They have done it again, this time with a 2014 Jeep Grand Cherokee.
Avast Software Updater helps you apply software updates.
Earlier this week, we told our readers about the three Flash Player zero-day vulnerabilities that were found in stolen files that were leaked from the Hacking Team. We advised Avast users to disable Flash until the bugs are fixed.
It doesn’t look good for Flash. Because of the continuing security problems facing the 20-year old platform, Google and Mozilla each announced this week that their Web browsers will eventually be dropping default support for Adobe Flash, and Facebook’s new security chief wants to kill Flash. For now you can still use it, but the reports of it’s death are not greatly exaggerated…
Last Friday, Adobe confirmed two new “critical” zero-day flaws in the Adobe Flash Player browser plugin 22.214.171.124 – and earlier versions – for Windows, Mac OS X, and Linux. Today, a third flaw was found. Adobe Flash Player is a widely distributed multimedia and application player used to enhance the user experience when visiting web pages or reading email messages.
We recommend disabling Flash until the bugs are fixed.
Security experts say the two flaws were found in stolen files that were dumped earlier this month from Hacking Team, an Italian security firm that sells communication interception and surveillance software to governments around the world. The third one came from the same documents.
“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said in their blog. “Depending on the privileges associated with the user account targeted, an attacker could install programs on the system, alter or delete data, create new accounts with similar user rights, or cause a denial-of-service.”
One of the largest e-commerce platforms, Magento, has been plagued by hackers who inject malicious code in order to spy and steal credit card data or any other data a customer submits to the system. More than 100,000+ merchants all over the world use Magento platform, including eBay, Nike Running, Lenovo, and the Ford Accessories Online website.
The company that discovered the flaws, Securi Security, says in their blog, “The sad part is that you won’t know it’s affecting you until it’s too late, in the worst cases it won’t become apparent until they appear on your bank statements.”
Data breaches are nothing new. The Identity Theft Research Center said there were 761 breaches in 2014 affecting more than 83 million accounts. You probably recall the reports of Sony, Target, Home Depot, and Chic Fil A.
We have heard lots about what we as individual consumers can do to protect ourselves: Use strong passwords, update your antivirus protection and keep your software patched, learn to recognize phishing software, and be wary of fake websites asking for our personal information.
But this kind of hack occurs on trusted websites and show no outward signs that there has been a compromise. The hackers have thoroughly covered their tracks, and you won’t know anything is wrong until you check your credit card bill.
So how do you minimize the risk of online shopping?
Here’s your wrap up of security and privacy related news from the June 17 – 27 posts on the Avast blog:
It’s summertime in the Northern Hemisphere and many people are going on or planning their vacation. Beware of fake vacation packages and beautiful rental properties that are not as they seem. These Vacation scams can ruin your holiday, so read up before you become a victim.
More than 600 million Samsung phones were reported to be at risk because of a vulnerability found in the keyboard app SwiftKey. The best way to protect yourself is to use a virtual private network (VPN) when using an unsecured Wi-Fi hotspot. If you have a Samsung S6, S5, or S4, you need to read Samsung phones vulnerable to hacker attack via keyboard update.
Cybercrooks run their organizations like businesses these days. They have multinational offices, marketing departments, business development, and technical support teams. Maybe they also need some security…
Malware entrepreneur sentenced to 57 months in prison
One such malware entrepreneur, Alex Yucel, sold malware through a website that he operated, to other hackers. The Blackshades malware allowed hackers to remotely control their victims’ computers. They could do such things as log the victim’s keystrokes, spy through webcams, and steal usernames and passwords for email and other services. They could also turn their computers into bots which were used to perform Distributed Denial of Service (DDoS) attacks on other computers, without the knowledge of the victim.
Manhattan U.S. Attorney Preet Bharara said: “Alex Yucel created, marketed, and sold software that was designed to accomplish just one thing – gain control of a computer, and with it, a victim’s identity and other important information. This malware victimized thousands of people across the globe and invaded their lives. But Yucel’s computer hacking days are now over.” See the Department of Justice press release here.
Yucel sold the software for as little as $40 on PayPal and various black market forums. Read more…
Last night the pilot episode of MR. ROBOT, a new thriller-drama series aired on USA Network.
The show revolves around Elliot who works as a cyber security engineer by day and is a vigilante hacker by night.
I watched the episode and then sat down with Avast security expert Pedram Amini, host of Avast’s new video podcast debuting next week, to find out if someone like you or me could be affected by the hacks that happened in the show.
In the second minute of the episode we see Elliot explaining to Rajid, owner of Ron’s Coffee, that he intercepted the café’s Wi-Fi network, which lead him to discover that Rajid ran a child pornography website.
Stefanie: How likely is it that someone can hack you while you’re using an open Wi-Fi hotspot?
Pedram: Anyone with a just a little technical knowledge can download free software online and observe people’s activities on open Wi-Fi. We went to San Francisco, New York, and Chicago for a Wi-Fi monitoring experiment and found that one-third of Wi-Fi networks are open, without password-protection. If you surf sites that are unprotected, meaning they use the HTTP protocol, while on open Wi-Fi, then anyone can see, for example, which Wikipedia articles you are reading, what you’re searching for on Bing, and even see what products you are browsing for on Amazon and eBay, if you do not log in to the site.
Stefanie: Wow! That’s a bit frightening… How can I protect myself then?
Forget about shoplifting or painting graffiti on the wall at midnight. Opportunistic teens are turning to cybercrime to get their kicks these days.
A 14-year old boy in Florida was recently arrested and charged with a felony offense for unauthorized access against a computer system. The 8th grader said he was playing a prank on his teacher when he used the teacher’s administrative password to log onto a school computer and changed its desktop background to an image of two men kissing. The password was the teacher’s last name, and the prankster said he figured it out by watching the teacher type it in.
Your router is one of the weakest links in your security, and researchers have proven once more that your home router puts you at risk.
Sixty security flaws have been identified in 22 router models that are distributed around the world, mostly by ISPs to their customers. These flaws could allow hackers to break into the device, change the password, and install and execute malicious scripts that change DNS servers to those the attacker wants. They do this so they can send your traffic through servers they control and direct you unwittingly to malicious sites or load malicious code on your machine when you visit a legitimate site.
Other flaws include allowing the hackers to read and write information on USB storage devices attached to the affected routers and reboot the devices.
The research report describes how the attackers can get in – through a backdoor with a universal password that is used by the ISP’s technical support staff to help troubleshoot for their customers over the phone. This second default administrator access is hidden from the router owner.