The Avast Mobile Security team demonstrated how easy it is to hack smartphones and tablets at the Mobile World Congress.
The sleekest smartphones, the coolest wearable devices, and the best in mobile security were debuted at the Mobile World Congress in Barcelona last week. But it was hacking user’s devices at the Avast booth that had the journalist’s buzzing.
Hacking unsecured Wi-Fi is easy enough for any IT college student
Filip Chytry, a mobile malware researcher that you are familiar with if you visit our blog, set up a wireless hotspot in the Avast booth that allowed visitors to track the online activity of any device that connects.
“The site will let Avast capture passwords, messages and other information people type on the websites, and Chytry can even create dead ringers for Gmail or Facebook sign-in screens – - down to the little green padlock icon that indicates a secure connection…,” reported Bloomberg Business in The Easiest Way to Get Hacked: Use Phone at Phone Show.
The hacking demonstration illustrated what Avast found out during a global Wi-Fi hacking experiment conducted right before MWC.
“The study found that people around the world overwhelmingly prefer to connect to unsecured and unprotected Wi-Fi networks instead of password-protected networks,“ wrote Help Net Security in Global experiment exposes the dangers of using Wi-Fi hotspots.
Security experts from Avast traveled to 9 cities on 3 continents, and found that Wi-Fi users in Asia are the most prone to attacks. Chicago and London are the most vulnerable in the USA and Europe. Avast’s spokesperson Marina Ziegler told E&T Engineering and Technology magazine, “…in London we found that 54 per cent of routers were weakly encrypted and easily accessible to hackers.”
“That means that if a hacker walks into a pub, he can access the router’s settings and for example reroute the traffic via another malicious server,” said Chytry. “That’s very easy. Every IT college student can do that.”
Small and medium-sized businesses face a challenge when it comes to keeping their data secure. Many companies don’t have the budget to hire a Managed Service Provider (MSP) to take care of their IT needs, and often, they think they do not have enough knowledge or time to handle it themselves, therefore the path of least resistance is to not have any security at all. At the very best SMBs use a consumer version of antivirus software.
But these days, neither of those options is a good idea. Having no protection leaves you too vulnerable, and the problem with using a consumer product in a work environment is whoever is managing the network cannot look across all computers at once and implement policy changes or updates.
Do hackers really target small businesses?
The media coverage of big time data breaches like Target, Neiman Marcus, and Home Depot may have many SMB owners thinking that they are not at risk, but even small and medium-sized businesses need to make sure that their data and that of their customers is protected.
Here’s a statistic that should get your attention: One in five small businesses are a victim of cybercrime each year, according to the National Cyber Security Alliance. And of those, nearly 60% go out of business within six months after an attack. And if you need more convincing, a 2014 study of internet threats reported that 31% of businesses with fewer than 250 employees were targeted and attacked.
Why do hackers target small businesses?
Hackers like small businesses because many of them don’t have a security expert on staff, a security strategy in place, or even policies limiting the online activity of their employees. In other words, they are vulnerable.
Don’t forget that it was through a small service vendor that hackers gained access to Target’s network. Hackers may get your own customer’s data like personal records and banking credentials and your employee’s log in information, all the while targeting the bigger fish.
While hackers account for most of the data lost, there is also the chance of accidental exposure or intentional theft by an employee.
What can I do to protect my small business?
For mom-and-pop outfits, Avast for Business, a free business-grade security product designed especially for the small and medium-sized business owner, offers tremendous value. The management console is quite similar to our consumer products meaning that the interface is user-friendly but also powerful enough to manage multiple devices.
“Avast for Business is our answer to providing businesses from startup to maturity a tool for the best protection, and there’s no reason for even the smallest of companies not to use it, because it starts at a price everyone can afford, free,” said Luke Walling, GM and VP of SMB at Avast.
Some companies may still opt to pay for a MSP, and in many cases, especially for medical or legal organizations, handing over administration to a third-party may be a good way to go. Either way, our freemium SMB security can be used, and if you use a MSP then the savings can be passed on to you.
Is free good enough for a business?
Many IT professionals have been using free security on their home computers for years. It’s not such a huge leap of faith to consider the benefits of making the switch in their businesses as well.
“I have been using Avast since 2003 at home, with friends, with family. You really come to trust and know a product over the years. It lends itself to business use really well, nothing held back,” said Kyle Barker of Championship Networks, a Charlotte-area MSP.
How do I get Avast for Business?
Visit Avast for Business and sign up for it there.
Not too many years ago we had phones that only made calls. Smartphones are the newest generation of phones that bring a lot of possibilities right to our fingers through the apps specifically designed for them. We all got used to the Windows (or Mac) world, but now we are witnessing a revolution from “standard” programs and some specialized tools to a world where every common thing can be done by our smartphones. Sometimes it seems, that the device is smarter than we are!
But can it protect itself from the increasing number of threats?
You’ll find a lot of articles on the Internet which state that security companies exaggerate the need for mobile security and antivirus protection. You’ll read that Google Play and the new security technologies of Android Lollipop are the only things necessary for security. I could post many examples of such (bad) tips, but I don’t want to waste your time or mine.
Do you use only Google Play as your app source?
A common (and wise) security tip is to stick with Google Play for downloading apps. This is good advice despite the fact that we see here in the Avast blog that Google Play fails to detect some apps as malware. Look for our mobile malware senior virus analyst Filip Chytry’s articles. He continuously discovers holes in Google Play security.
However, what if you want apps that have been banned from Google Play? No, I’m not talking about (just) adult apps. Google banned anti-ad apps, for instance. So where is a safe place to get them? The answer is simple: outside of Google Play. The Amazon Appstore for Android is quickly increasing the possibilities.
Do you think that clean apps can’t become bad ones?
Clean apps can become bad ones, and with the new Google Play permission scheme, you may not even notice. This makes updating your apps (another very common and wise hint) an additional complication.
As the apps we love can turn against us, the best tip of all is that you install a mobile security app that helps you know what it being added to your phone. Avast Mobile Security updates its virus database very often to detect the latest threats and allows you to install securely all the apps you love.
This makes you smarter than your smartphone!
Avast is pleased to offer the World’s First Free Business-Grade Security to small and medium-sized businesses.
In a move that will make a difference to the security of local businesses across the USA and the UK, Avast launches Avast for Business—a free, easy to use, cloud-managed security offering that protects small to medium-sized businesses (SMBs) from viruses and cyber attacks.
This is the first free information security product built specifically for businesses with cross-platform protection, meaning that it protects both PCs and Macs. It solves a problem that many businesses have: No IT staff, lean IT budgets, lack of know-how, or even any security at all.
“Since 2001 we’ve delivered great, free security products for home users,” said Vince Steckler, Chief Executive Officer of Avast. “We believe the time is right to provide great security that is not only free, but also simple for SMBs to implement and manage. A small business may not view their customer database or online orders at the same level as data of an enterprise. Avast for Business addresses the problem of those businesses using consumer products and not being adequately protected; it gives those enterprises a business-class solution they can grow with.”
Avast for Business is easy for SMB owners to install, configure and manage advanced security solutions with or without the help of a full-time IT manager. Users are able to effortlessly monitor, manage and protect devices anywhere, anytime from Avast’s cloud-management console.
“Anybody can use the interface,” said Kyle Barker of Championship Networks, an Avast partner in North Carolina, USA. “If you’ve ever seen a simple installment of Avast, you’ve seen the interface, you know the controls. Anybody that ever used the small office console already knows every feature that’s in this product. It’s a simple transition.”
From the easy-to-navigate console, users have the ability to configure robust reporting and alerting to easily stay on top of what is happening inside of their environment. Avast for Business features include:
- Free Essential Antivirus protection (File Shield, Web Shield, Mail Shield)
- HTTP and HTTPS Threat Scanning & Integrated Browser Protection
- A Web-based management console that is accessible anywhere, anytime.
- Robust reporting and alerting engine
- Cross-Platform Support including Windows and Mac OSX.
For advanced security requirements, Avast for Business also offers premium services. There are no limits on the number of protected devices, and businesses can activate and deactivate licenses as needed. This allows them to grow comfortably without the concern of overwhelming costs.
“It’s very easy to choose on a month to month basis the number of licenses you want. Any number of licenses can be mixed from free and premium and you can change this on a month to month basis,” said Barker.
Later in 2015, Avast will introduce programs for managed service providers and the reseller channel, to benefit from the power of free. In the spring, Avast will form its first ever partner advisory council in order to bring partners closer to Avast, to discuss features and functions specific to their needs.
Just because logging in with your finger is convenient doesn’t mean it’s the best method to use.
Some days ago we told you about increasing your security on sites and in services by using two-factor authentication. More and more services are using this two-factor log in method. They require that you use “something you know” like a PIN or a password, “something you have” like a token app in your smartphone, and even “something you are” like your fingerprints, for instance.
Many top smartphones – starting with iPhone 5s and newer Androids – are moving to fingerprint authentication technology. That means you can unlock your phone using your finger. It’s more convenient than typing a PIN or password because you always have your finger with you (we hope!). And you would think that it is more secure than using a gesture or pattern to unlock it.
Unfortunately, it’s not. Here’s why:
The authentication process requires that a site or a service (or your smartphone) could recognize you for a thing you know: A PIN or a password. This information must be stored in the service server (or hardware) and it must be matched, i.e., the combination of two pieces (generally username and password) must match to allow access to the right person.
Both you and the service must know this secret combination. But that’s the problem; nowadays, a lot of sites and services have been compromised and pairs of username/passwords have been hacked and sold on the black market.
But what about using your fingerprint? It’s the same scenario. The information about your finger and the technology to match your fingerprint is stored in servers. If they are hacked, your exact, and only, information would be in their hands.
It gets worse.
You can change your credentials to log into a site or service, but you can’t just change your finger! Well, most of us have 9 more chances after the first one is compromised, but still - there are more than just 10 services you want to use. You can change your passwords indefinitely, you can use a stronger password, you can use a password generation service - you’ve got the idea… But you don’t have that many choices with your fingerprint.
It gets even worse.
Everything you touch reveals you. You’re publishing your own secret.
Can you imagine banks or stores letting you use your fingerprint to gain access to your account without even a card? Coincidentally, just hours ago a news report was published saying the Royal Bank of Scotland and MasterCard recently made announcements regarding fingerprint authentication services. They announced that customers can log into the banks’ mobile banking app using their fingerprint. It’s interesting that this article says 16- to 24- years olds are driving this decision because
they want to avoid security slowing down the process of making a payment, with 64% of those surveyed saying they found existing security irritating.
This decision by major banks does not give us confidence in the security of the younger generation and their bank accounts. We venture to wonder about the police with their databases full of prints. What could be done with millions of fingerprints stored by the government?
By the end of last year, young researchers from the Chaos Computer Club showed that your fingerprints could be obtained by photos of your hands and from anything you touched. See the full presentation in this YouTube video. If you have the curiosity to see all the video, you’ll see that using your iris could also be simulated with high quality printed photos. At 30:40 starts the iPhone fingerprint hacking. They took 2 days to develop the method and presented it in a few minutes. Amazing and scary.
Here’s another video with a quick summary of the research.
How to make yourself and your phone more secure
This blog is a source of great information. Earlier this month, we shared 14 easy things you can do right now to make your devices more secure. Please read 14 easy tips to protect your smartphones and tablets – Part I and Part II.
As always, make sure your Android device is protected with Avast Mobile Security. Install Avast Mobile Security and Antivirus from the Google Play store, https://play.google.com/store/apps/details?id=com.Avast.android.mobilesecurity
More easy things you can do to secure your smartphone and tablet.
On our blog last week, we shared the first 7 easy security measures to protect your Android devices and the data stored there. But we haven’t finished them. Let’s go a little further.
8. Keep an eye in your phone or, if you can, set Geofencing protection
Don’t put your phone down and go somewhere else. And if you’re having fun in a bar and drinking a beer with friends, have a lucid thought before starting: Turn the Avast Geofencing module on. It’s easy. Open Avast Premium Mobile Security > Anti-Theft > Advanced Settings > Geofencing.
9. Be aware of what permissions apps require
Why should a flashlight app need access to your contacts? Why would a calculator need access to your photos and videos? Shady apps will try to upload your address book and your location to advertising servers or could send premium SMS that will cost you money. You need to pay attention before installing or, at least, uninstall problematic apps. It’s not easy to find a way (if any) to manage permissions in a non-rooted Android phone.
We have written about this before as apps could abuse the permissions requests not only while installing but also on updating. Read more to learn and be cautious: Google Play Store changes opens door to cybercrooks.
10. Keep your device up-to-date
Google can release security updates using their services running in your devices. Developers can do the same via an app update. Allow updates to prevent vulnerabilities, the same as you do in your computer. But pay attention to any changes. See tip #9.
You can encrypt your account, settings, apps and their data, media and other files. Android allows this in its Security settings. Without your lockscreen PIN, password or gesture, nobody will be able to decrypt your data. So, don’t forget your PIN! Nevertheless, this won’t encrypt the data sent or received by your phone. Read the next tip for that.
12. In open/public Wi-Fi, use a VPN to protect your communication
Cybercrooks can have access to all your data in a public, open or free Wi-Fi hotspot at the airport or in a cafe. Avast gives you the ability to protect all inbound and outbound data of your devices with a secure, encrypted and easy-to-use VPN called Avast SecureLine. Learn more about it here.
13. Set the extra features of Lollipop (Android 5)
If you’re with Android Lollipop (v5), you can set a user profile to allow multiple users of the same device. You can create a restricted user profile that will keep your apps from being messed with by your kids or your spouse.
You can also pin the screen and allow other users to only see that particular screen and nothing more. It will prevent your friends and coworkers from accidentally (or on purpose) looking into your device.
14. Backup. Backup. Backup.
Well, our last tip is common digital sense. If everything fails, have a Plan B, and C and D… With Avast Mobile Backup you can protect all your data: contacts, call logs, messages, all your media files (photos, musics and videos) and your apps (with their data if you’re rooted) in safe servers. If your device gets broken, lost or stolen, everything will be there, encrypted and safe, for you to restore to your new device.
Have you followed all our tips? Are you feeling safe? Do you have an extra protection or privacy tip? Please, leave a comment below.
A few precautions can make a huge difference in the safety of your phone and the important things you saved on it.
We talk a lot about protection and privacy here in our blog. It’s a bit obvious as our “life” is in our devices nowadays: Photos of our last trip or our loved ones, videos of our children playing and growing up, contacts both professional and personal. All our precious and irreplaceable data is stored in these little machines. Take a minute of your time and follow us in this easy tour to protect them and save a lot of time and headaches.
1. Set your lockscreen
You wouldn’t leave your home door unlocked, would you? Same goes for your phone with all your private data. Set a password or PIN to prevent direct and easy access to your phone. Gestures and face recognition are less secure, but are better than nothing.
2. Hide your passwords from nosy people
You will argue that people around you can look over your shoulder and see what PIN or password you’re typing or gesture you make. Generally, we’re not worried about trustworthy people around us, but what about strangers in a public place like a bus or train? Open your phone settings and hide your passwords by unchecking the option: Settings > Security > Make passwords visible.
3. Protect your apps with a PIN
Not all apps are equal when it comes to security and privacy. Probably the weather app or calculator won’t keep your personal info. However, your messages and banking apps will thank you if you help them to keep their data private. You can imagine what might happen if your kids to open a specific app while they’re playing in your devices. Use Avast Mobile Security to set a PIN to block access to your apps. As an extra security measure, it will be good that your lockscreen and Avast PINs are different ones.
4. Disable installation of apps from unknown sources
If you do not use other app stores besides Google Play, then uncheck the option “Unknown sources” in your phone’s Security Settings page. Even the Google Play Store sometimes allows malware to get by. It’s well known that most Android malware are fake apps disguised as legitimate apps, so double check the publisher. Be cautious of downloading from fake sites disguised as official ones – check the URL. Avoid completely pirated and cracked sources.
5. Set Avast Mobile Security to scan any app before installing
If you really need to use legal third party stores, like Amazon or F-Droid, please be careful: Keep Avast Mobile Security always on. You know that Avast scans any installed and running app. But do you know that you can set it to scan any app that is about to be installed? After you’ve installed Avast, when you’re about to install a new app, the phone will ask you if you want Avast or the default installer to handle the installation by default. Use Avast, it will scan and then release the app to the default installation process.
6. Disable USB Debugging
This tip is for advanced users. If you have enabled Developer options into your device (and you will know exactly if you did as you’re an advanced user!), please, turn USB debugging off. You will protect your device from outside abuse (via adb connections) if you do so. You don’t need it to be on all the time.
7. Install and set Avast Anti-Theft
This is an old tip, but it’s so important that it should be on all smartphone safety tips lists. Just note that installing is not enough. You need to properly configure Avast Anti-Theft (don’t worry, there is an easy wizard for it) step-by-step. It’s good to check if your location services are properly set also, otherwise, it will be difficult to track it. In other words, go to Settings > Location Access and set High accuracy mode.
We’ll talk about the other 7 tips in next days, so come back to the Avast blog.
Privacy plays a growing part in customer buying decisions. With every data breach, trust is eroded further.
Privacy and security are intertwined when it comes to our individual information. Consumers are becoming increasingly aware of the value of their personal data, so that means that businesses have to step up and do a better job of securing that data. Identity theft is the #1 fear of consumers, but for your business the risk is loss of trust and brand damage.
Since trust is the core of any transaction it’s important to know how privacy factors into your customer’s buying decisions. Research shows that almost 40% of consumers made buying decisions based upon privacy. When looking at who these people are, it was found that these individuals are aged 46-65 and have the highest incomes. But don’t rely on the business of the younger generation to supplant that once trust is lost; 27% of millenials abandoned an online purchase in the past month due to privacy or security concerns.
To mark Data Privacy Day on January 28, the following Privacy is Good for Business tips were created by privacy experts in civil-society, non-profit, government and industry and aspire to help business address the public’s growing privacy concerns:
- If you collect it, protect it. Follow reasonable security measures to keep individuals’ personal information safe from inappropriate and unauthorized access.
- Be open and honest about how you collect, use and share consumers’ personal information. Think about how the consumer may expect their data to be used.
- Build trust by doing what you say you will do. Communicate clearly and concisely to the public about what privacy means to your organization and the steps you take to achieve and maintain privacy.
- Create a culture of privacy in your organization. Explain to and educate employees about the importance and impact of protecting consumer and employee information as well as the role they play in keeping it safe.
- Don’t count on your privacy notice as your only tool to educate consumers about your data practices.
- Conduct due diligence and maintain oversight of partners and vendors. You are also responsible for how they collect and use personal information.
Losing contacts from your mobile phone is highly inconvenient. There’s seems to be a solution - You can find them online! The catch? Your contacts are in a publicly accessible place.
If you care for your privacy you should always be suspicious about “Cloud Backup” solutions you find in the Google Play Store. The solution that is being analyzed here backs up your personal contacts online. In public.
Upon starting the application, you will find a screen where you can put your mobile number and a password of your choice. Then you can upload your contacts in the cloud.
A brief analysis inside this application shows us how exactly it backs up your contacts in the cloud. The contacts are associated with the phone number that you have given in the previous step and they are sent through HTTP POST requests in a PHP page.
Further analysis through IP traffic capturing with Fiddler helped usdiscover the results in the pictures above; a page located online, for anyone to see, that contains thousands of un-encrypted entries of phone numbers and passwords. Using the info in the app you can retrieve personal private data (contacts) from another user.
We found log in data inside those entries from countries like Greece, Brazil, and others
The Play Store page says that this app has been installed 50.000-100.000 times. This is a big number of installations for an application that doesn’t deliver the basic secure Android coding practices. The developer must use technologies like HTTPS, SSL and encryption on the data that are transferred through the web and stored in the server. Nogotofail is a useful network security testing tool designed by Google to “to help developers and security researchers spot and fix weak TLS/SSL connections and sensitive cleartext traffic on devices and applications in a flexible, scalable, powerful way.“
Avast detects it as Android:DataExposed-B [PUP].
Cybercrooks believe that their attacks are more likely to succeed during the holiday shopping season.
Retailers have been “leaking” special Black Friday deals since before Buffalo got covered in a snow wall, and that flurry of sales results in the annual spike that carries them through the rest of the year. But analysts who study these things warn that cybercrooks are riding the sales wave with a surge in attacks due to relaxed security measures.
The Wall Street Journal quotes Gartner Inc’s vice president Avivah Litan,
Retail transaction volume increases by 50% during the holidays and retailers don’t want to stop to slow the pace of business, so they relax fraud controls to some degree. Criminals know they’re likely to get away with more.
Yikes! That’s not good news for consumers, especially since we are swiping our credit and debit cards at places like Target, The Home Depot, and Neiman Marcus – all victims of point-of-sale terminal hacks this year. Experts have advised retailers to take action, like upgrading terminals with new technology and enabling chip embedded cards, but all that takes time to implement.
It’s not much better online. Attacks during last holiday shopping season, November 14, 2013 through January 9, 2014 increased by 264% over the weeks prior to that time, says security company Imperva.The reason?
Cybercrooks believe that retail applications are more vulnerable during this time of the year, and that attacks are more likely to succeed. Isn’t that what the Gartner analyst said about brick-and-mortar retailers?
The reasoning is similar – in order not to annoy shoppers who can go elsewhere, online retailers relax strict security measures such as step-up authentication and Captcha. Add that easy check-out to all those new Black Friday and CyberMonday quick campaign webpages, (“bad design, unsafe coding, and usage of insecure third-party libraries”) and cybercrooks get an early Christmas present in the form of your credit card number and possible stolen identity.
How to protect yourself during Black Friday
- Stay home on Thursday Celebrate Thanksgiving with your family. That way you can safely eat too much and watch football and movies while avoiding the crazed crowds trying to jump the gun on Black FRIDAY sales.
- In God We Trust, All Others Use Cash Use cash or a credit card when paying for your purchases. With a credit card, you can dispute charges, if your financial data falls into the hands of cybercrooks.
- Change your passwords. Please don’t use the same password for online shopping sites that you use for your bank. When you do it’s like wrapping it in fancy paper and a bow – it’s that easy for a cybercrook to get to.
- Regularly monitor your bank and credit card statements to make sure all the transactions are legitimate. Monitor your credit report for any changes.