What you need to know about the OpenSSL vulnerability “Heartbleed”

At the beginning of this week a new vulnerability in OpenSSL called Heartbleed was made public.

OpenSSL is the library used by most computers to encrypt data sent across the Internet and elsewhere. It is perhaps the most widely deployed SSL library and appears in a wide variety of applications, including a number of Linux distributions (see below).

The vulnerability has been assigned the ID CVE-2014-0160 (see references). Essentially, it lets an attacker pull the keys used to encrypt your data directly from the memory of a vulnerable web server, thereby letting them read any traffic sent from that server, including usernames, passwords, financial information and more.


Some technical details

The vulnerability lies in the way that OpenSSL handles the heartbeat extension in the TLS protocol. In reply to a heartbeat request, OpenSSL returns the requested amount, up to 64 KB, of random memory content. Sensitive data such as message contents, user credentials, session keys and server private keys have been observed within the reply contents. More memory contents can be acquired by sending more requests. The attacks have not been observed to leave traces in application logs.

To make it clear, this vulnerability does not hack the server and it does not extract usernames and passwords from the server’s database. It “only” reads 64 KB chunks of memory from the server’s RAM and sends them to the attacker. If confidential data happens to be in memory at the very moment the attacker reads it, that data potentially reaches the attacker. Once the attacker has the secret key, they can also eavesdrop on communications, steal data directly from the services and users, and impersonate services and users.
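The missing length check described above, as an added example (a simulation written for this page, not OpenSSL's code). The record layout follows the TLS heartbeat extension; the function names, the 128-byte "arena" standing in for process memory and the secret string are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16   /* minimum padding required by RFC 6520 */

/* Constructed stand-in for sensitive data sitting next to the record. */
static const char SECRET[] = "CONSTRUCTED-SESSION-KEY";

/* Simulated heartbeat handler (hypothetical, not OpenSSL's code).
 * arena[0..rec_len) is the received record:
 *   type (1 byte) | payload_length (2 bytes, big endian) | payload | padding
 * arena[rec_len..arena_len) stands in for unrelated process memory.
 * Returns the reply length written to out, or -1 if the record is dropped. */
static long hb_respond(const uint8_t *arena, size_t arena_len, size_t rec_len,
                       uint8_t *out, size_t out_cap, int check_bounds)
{
    if (rec_len < 3 || rec_len > arena_len || arena[0] != HB_REQUEST)
        return -1;
    size_t claimed = ((size_t)arena[1] << 8) | arena[2];  /* 0..65535 */

    /* Patched behaviour: the claimed payload plus padding must fit inside
     * the record that actually arrived; otherwise discard silently. */
    if (check_bounds && 1 + 2 + claimed + HB_PADDING > rec_len)
        return -1;

    /* Simulation guard only: stay inside arena[] and out[]. */
    if (3 + claimed > arena_len || 3 + claimed > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = arena[1];
    out[2] = arena[2];
    memcpy(out + 3, arena + 3, claimed);  /* unpatched path trusts 'claimed' */
    return (long)(3 + claimed);
}

/* Returns 1 if needle occurs anywhere in buf[0..len). */
static int contains(const uint8_t *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Builds a 4-byte "ping" request whose length field says 'claimed', followed
 * by SECRET, and runs the handler. Returns 1 if the reply contains bytes from
 * outside the record, 0 if it does not, -1 if the request was discarded. */
int reply_leaks(uint16_t claimed, int check_bounds)
{
    uint8_t arena[128] = {0}, out[128];
    size_t rec_len = 3 + 4 + HB_PADDING;          /* padding left as zeros */

    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + 3, "ping", 4);
    memcpy(arena + rec_len, SECRET, sizeof SECRET - 1);

    long n = hb_respond(arena, sizeof arena, rec_len, out, sizeof out,
                        check_bounds);
    return n < 0 ? -1 : contains(out, (size_t)n, SECRET);
}

int main(void)
{
    printf("honest length,   unpatched: %d\n", reply_leaks(4, 0));
    printf("honest length,   patched:   %d\n", reply_leaks(4, 1));
    printf("inflated length, unpatched: %d\n", reply_leaks(64, 0));
    printf("inflated length, patched:   %d\n", reply_leaks(64, 1));
    return 0;
}
```

The length field is 16 bits wide, which is where the 64 KB ceiling per reply comes from.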

What can you do?

Administrators

The worst part is that there is no way to tell if you have been exploited. There is no log, no error message, nothing.

Website administrators should check whether the OpenSSL version in use is vulnerable. OpenSSL versions from 1.0.1 to 1.0.1f are vulnerable.

Vulnerable Linux distributions include:

  • Red Hat Enterprise Linux 6.5 (OpenSSL 1.0.1e)
  • Debian Wheezy (before OpenSSL 1.0.1e-2+deb7u5)
  • Ubuntu 12.04 LTS, 13.04, 13.10

If it is, the most prudent thing to do now is to update OpenSSL to version 1.0.1g, then revoke the server certificate used to encrypt the traffic and get a new one. This is sometimes free, but most of the time it costs money if you want an official certificate instead of a self-generated one.

 

Clients

As a client of an affected webserver, you can’t do much. After the administrator has fixed the problem, you should change your password.

Because this bug is already two years old, pretty much anything could have happened, so you may want to think more carefully about what you put online in the future.

If you are curious whether your favorite website is or was affected, you can check it here:

https://lastpass.com/heartbleed

 

HINT:

Don’t change all your passwords now. Some websites may need a while before they are able to make the changes mentioned above.

 

 

References

Sorin Mustaca
IT Security Expert

New case of identity theft – BSI in possession of 18 Million new accounts

The Federal Office for Security in Information Technology (BSI) has informed the press (in German) about a new case of identity theft. This time, too, many German users are affected: according to the source, more than 3 million email addresses. BSI is working with big telecom providers such as Telekom, Freenet, GMX, Kabel Deutschland, Vodafone and Web.de to inform their affected customers.

For those who don’t want to wait for the official email from the above-mentioned providers, BSI continues to support the website https://www.sicherheitstest.bsi.de where any user can check whether their email address is affected by this incident.

The accounts were discovered as part of a police investigation, and BSI assumes that the cybercriminals used various sources to get access to the login data: infected computers that transmit the data to servers around the world.

There are, however, other possible sources like phishing websites and social engineering schemes.

If you are one of the affected users, please take the following actions to make sure that you will no longer be affected:

- Clean up your computer using Avira’s PC Cleaner.

More details about the PC Cleaner can be found in this TechBlog article: http://techblog.avira.com/2014/01/09/avira-pc-cleaner-a-second-opinion-scanner/en/

- Change all your passwords, especially those that were using the affected email address.

First, make sure you are still in possession of that email address. Try to log in via webmail and change the password used to access the emails. If you can do this, it means that you still own that account. If not, try to recover the password and change it as part of this process.

If you have used the email address to login to a website (e.g. Facebook, Twitter, Amazon, etc.) you must change those passwords as well, and make sure you are not using the same password used to access the email account. Here are good tips to create a good password.

- Use antivirus software like Free Antivirus and keep it up to date.

- Keep your system up to date, because many viruses make use of vulnerabilities in unpatched software.

- Print these security tips and keep them within reach.

 

Avira recently released its iOS security application, which contains the Identity Safeguard feature. Avira is the only security vendor to offer iOS users such a feature, which ensures an individual’s personal email is not one of the 160 million that have been caught in security breaches in the last 6 months alone. Users can see if their personal identity details have been leaked in any security breaches, and an on-demand scanner allows the user to scan their entire address book to detect any compromised contacts. If any contacts have been compromised, users can email any breached contacts directly to alert them about the danger. On average, between 5% and 10% of a typical user’s address book contains email addresses that have been compromised.

 

Sorin Mustaca

IT Security expert

 

New features in the Avira products for mobiles: Identity Safeguard, Browser Safety and more

Because of the growth of mobile commerce and the need to keep users safe as they increasingly use mobile devices, we are proud to announce today that we have significantly upgraded our mobile solutions for iOS and Android.

 

Avira Mobile Security for iOS

The free app gets two new features:

  • Identity Safeguard

Avira is the only security vendor to offer iOS users a feature called Identity Safeguard, which ensures an individual’s personal email is not one of the 160 million that have been caught in security breaches in the last 6 months alone. Users can see if their personal identity details have been leaked in any security breaches, and an on demand scanner allows the user to scan their entire address book to detect any compromised contacts. If any contacts have been compromised, users can email any breached contacts directly to alert them about the danger. On average, between 5% and 10% of a typical user’s address book contains email addresses that have been compromised.

 

  • Locate Device (up to five iOS and/or Android devices)

iOS users get a new feature called Locate Device, which monitors and keeps track of up to five devices. Users can see at any time on a map where a specific iPhone, iPad, Android phone or tablet device is and those devices can be made to ring to help locate them. The app can be used on any iPhone or iPad to manage all the devices.

Cost and Availability

Avira Mobile Security for iOS v.1.4 is available for devices running iOS 7.0 and above and is optimized for iPhone 5. It is currently available for German and English language devices but other languages will be added as quickly as possible.

Click here to download it directly from the AppStore.

 

Avira Antivirus Security Pro for Android

Android gets a new premium app which is now available for every Android smartphone and tablet owner.  These are the premium features:

  • Browse Safely

Infectious websites are blocked using powerful real time URL monitoring technology so users will not be duped by fraudsters or phishing attacks.

  • Hourly Updates

Mobile devices are always at risk from the most recent malware attacks, so Avira will keep the device safe with frequent updates so users have confidence that they’re always protected.

  • Quick Support Access

If a user has a problem, Avira experts are just a call or a click away.

Click here to download it directly from the Google Play Store.

 

Cost and Availability

Avira Mobile Security for iOS is and remains free.

Avira Antivirus Security Pro upgrade costs $9.99 (€7.95). Both apps are available directly from Avira’s website http://www.avira.com/en/free-antivirus-android. The product is available for Android 2.2 and up and is currently localized for German, English, Italian, French, Spanish, Japanese, and Korean.

 

Links

  • Download Avira Antivirus Security Pro for Android here.
  • Download Avira Mobile Security for iOS here.
  • For more information on Avira’s new Avira Mobile Security for iOS v.1.4, please visit this site.
  • For more information about all the features included for Android users of Avira Antivirus Security Pro, please visit this site.
  • Join the Avira community on Facebook:  www.facebook.com/avira

 

 

Sorin Mustaca

IT security expert

 

 

Free Antivirus declared the winner in the Stiftung Warentest’s comparison test

The Stiftung Warentest just published the results of the test for the Internet security products.


 

We are happy to announce that:

Avira Free Antivirus 2014 has received the result GOOD (2.2) and is the winner of the category free antivirus.

Avira Internet Security Suite 2014 has received the result GOOD (2.1) and reached second place out of 13 products tested.

Both products were praised for

- good usability

- a good user manual

- good performance (not overloading the computer)

- good detection

 

Sorin Mustaca

Product Manager and IT Security Expert

 

How to enable two-factor authentication for Tumblr

More and more websites, social media and others, are enabling two-factor authentication in order to better secure their users. Following all the other major portals, Tumblr now also allows users to enable it.

 


 

Here is how to activate it in easy steps:

  1. Visit your account settings.
  2. Click the “Two-factor authentication” switch.
  3. Enter your phone number.
  4. Now decide whether you’d like to receive the code via text or through an authenticator app. We recommend both in case you need to use one as a backup.
  5. Follow the steps laid out in the settings page.

After you’ve enabled it, you will need to log in like this in the future:

  1. Log in to your Tumblr account using your username and password.
  2. Once you’ve received the unique code (either via SMS or through an authenticator app), enter the code in the specified field.

By the way, did you notice that by default the website is not using SSL? Please click on the “Enable SSL security” switch to turn it on by default for future logins.

 

How will Two-Factor Authentication work when you log in through iOS or Android apps?

When you have two-factor authentication turned on, you’ll need to generate a special one-time-use password in order to log in through your mobile apps. You can generate one through your Account Settings page.

 

What happens if you disable Two Factor Authentication?

We strongly advise against this. But if you must, you’ll be asked to enter your account password to make sure it’s really you. You’ll then be able to log in to your account without the extra verification step. If you would like to re-enable it at any point, you’ll have to go through the aforementioned setup process again.

 

Which authenticator apps to use?

Tumblr recommends Google Authenticator, which you can download for iOS and Android.

 

Learn here how to activate two-factor authentication for other services as well.
If you want to improve your overall security, check out our Improve Your Security series.

 

Sorin Mustaca

IT Security Expert

Goodbye, Windows XP?

Microsoft will end the support for Windows XP, but the world won’t end because of this.

In this article we will analyze what can happen, what you should do to avoid any damage and what you can do to continue to use Windows XP even after the support ends.

 

 

 

No more technical updates

After April 8, 2014, technical updates for Windows XP will no longer be available, including automatic updates that help protect your PC. Microsoft will also stop providing Microsoft Security Essentials for download on Windows XP on this date. If you already have Microsoft Security Essentials installed, you will continue to receive antimalware signature updates for a limited time, but this does not mean that your PC will be secure because Microsoft will no longer be providing security updates to help protect your PC.

Microsoft released XP about 12 years ago and has published a lot of patches since then. Does this mean that all vulnerabilities were found and fixed? Most definitely not. As a matter of fact, Microsoft Trustworthy Computing director Tim Rains said that cybercriminals can go so far as to reverse-engineer patches for more modern and supported versions of Windows in order to see what remained unpatched in Windows XP. Even if Windows 7 and 8 are quite different from Windows XP, there is still a lot of code shared between these operating systems.

If you continue to use Windows XP after support ends, your computer will still work but it might become more vulnerable to security risks and viruses. You can even install a fresh copy of Windows XP after April 8th.

 

Solutions

 

I hope it is clear by now that Microsoft is not going to go back and review their decision to kill the operating system. The only question now is: what to do?

 

Migration

 

The best solution is clearly to move away from Windows XP. There are plenty of resources and tutorials on the Internet that explain how to migrate to Windows 7 or 8. But be aware that this might come with additional costs, since these operating systems require better hardware than Windows XP.

 

Hardening

 

Hardening is the process applied to a computer to reduce its attack surface. Reducing the attack surface means identifying and reducing the available ways to attack the computer. Typically this includes the removal of unnecessary software, unnecessary logins and the disabling or removal of unnecessary services (file and print sharing, media center). On a lower level, it also means closing all non-critical ports, removing any unneeded drivers and, ideally, removing the computer from the Internet completely.

The software that is used must also be made as secure as possible. This means running it in a sandbox, running it with minimal or no extensions, add-ons or plugins and, in general, reducing functionality that is not strictly needed.

The risk created by the person sitting in front of the monitor, the user, must also be reduced. Create better passwords, change the default passwords, make them expire after a month. Use an account without administrative rights in order to reduce the damage of an attack happening under your account.

The software that users install must be checked thoroughly from now on, as there is no guarantee that it is backward compatible with a now obsolete operating system. Ideally, use only software created for Windows XP.

Speaking of software, make sure you keep your software (which should be the bare minimum needed to do your job) up to date. Don’t use default installed programs like Outlook Express, Internet Explorer and Media Player, as they might contain vulnerabilities that can get exploited. The best choices in this case are Mozilla Thunderbird as a replacement for Outlook Express and Chrome or Firefox as a replacement for Internet Explorer. For Media Player there are thousands of replacements online.

Last, but definitely not least, install and keep updated a security product like Avira Free Antivirus.

If your Windows XP holds business critical information on it (but why would you trust an obsolete operating system with such a task?) then isolate the computer in the network. This means that you should filter the traffic coming from the exterior to your vulnerable computer using some gateway filtering product.

 

Virtualize

 

Another way to continue running Windows XP without having to expose it completely is to run it in a virtual machine on an up-to-date host operating system. This way you have a secure underlying operating system which you can protect more easily than XP.

If you have a PC with XP installed, along with good old programs that have been running for many years, there is a way to virtualize that as well.

Use Disk2VHD from Microsoft to create a virtual hard disk and run it with the free Microsoft Virtual PC under a safer operating system like Windows 7 or Windows 8. This program will create a snapshot of your installed Windows XP, including all programs, registry entries and files, and will clone them into the virtual machine. The result is an environment identical to the real one, only virtual.

In any case, make sure that you still harden the XP machine, no matter whether it is real or virtual.

 

Our recommendation

 

We strongly recommend migrating away from Windows XP. There is no way to fully protect the operating system anymore. There is nothing (or at least nothing that is economically feasible) that you or security experts can do to protect it.

And don’t think that you necessarily have to stick with Windows. If you don’t have to use some legacy software that runs only on XP, think about alternatives. Linux distributions like Ubuntu (and its flavours) have become really good as desktop operating systems.

 

Sorin Mustaca

IT Security Expert

Avira Protection Cloud available now for Free Antivirus

In order to ensure that our customers are using the best protection available, we integrated the Avira Protection Cloud in all our premium products (consumer and business).

Avira now takes the next step and offers the best protection available to all its users: real-time scanning of programs with the Avira Protection Cloud.

We are proud to announce the integration of the Avira Protection Cloud in the Free Antivirus product.

The goal is to check only unknown, new programs that come from potentially dangerous sources. This way, the system is protected against the latest threats, even between regular product updates.

Read here how this feature works and how it can be configured.

All existing Avira Free Antivirus installations will get this update for free, completely transparently for the user. Most of the time, the feature will remain unnoticed because the product is configured to bother the user as little as possible.

 

About Avira Protection Cloud:

EN: http://www.avira.com/en/avira-protection-cloud

About the Real-time protection with Avira Protection Cloud:

EN: http://techblog.avira.com/2013/10/14/advanced-real-time-protection-with-avira-protection-cloud/en/

 

Sorin Mustaca

Product manager, IT Security Expert

 

Thank you for reading this post on Avira Techblog. For the latest news please follow us on Facebook, Twitter, Google+.

Avira Free Mac Security – Update 3 released

Free Mac Security gets Update 3, bringing performance improvements together with some stability improvements and additional features.

The update comes automatically via the standard product update and it doesn’t require a reboot.

 


Performance improvements

We know that the product had some performance issues when the Time Machine or another backup program was running.

The analysis allowed us to improve the overall performance of the system when backup programs like Dropbox, Avira Secure Backup and others run, but especially when the built-in Time Machine from Apple performs a backup.

During the backup, the product intelligently avoids intercepting the file accesses produced by the backup programs.

 

Real-time protection Improvements

Due to several improvements in the scanning process, on-access scanning has improved by about 5% compared with the currently released version.

And this is just the beginning. Expect to see even more such improvements in future versions.

The biggest advantage is seen when scanning either large files or when scanning complex documents (e.g.: embedded documents).

 

Apple Notification Center for Real-time notifications

Until now, when the product detected threats, it blocked and quarantined them by default without visually reporting anything to the user. While this is enough for many users, we wanted to let the user know that the product is there and that it protects continuously. In this version we included the Malware Detection Notification in the Apple Notification Center.

When the product has protected you against a threat, you will see a notification on the right side of the screen like the one below:

If you click on the Notification Center, you see the list of events that were reported. The good part here is that the product doesn’t immediately report every single notification, so if you have multiple malware detected (like during a file copy operation) you will see only one event which contains multiple detections reported.

 


 

Help topics are now available via online help

In order to be able to help you better and faster with up to date information, we extended the help with an online help. But, don’t worry, if you are offline, you still get access to the offline help as before.

 

Along with these great additions, we performed a lot of improvements in:

- Graphical User Interface stability

- Quarantine management

- Uninstallation procedure

- Real-time detection

Are you convinced to give the product a try? Then download it from here.

 

 

Sorin Mustaca

Product manager, IT Security Expert

 

 


Apple fixes the SSL bug for MacOSX

Following the criticism from the media and security experts, Apple delivered what it promised: a fix to the already famous “goto fail” bug in the SSL implementation in their products.


All MacOSX users should update their software accordingly.

Make sure you get the 10.9.2 update for MacOSX 10.9 and Security Update 2014-001.

Seeing how many fixes it contains, I am quite surprised that they managed to deliver the patch so quickly. This can only mean that this bug has been well known to Apple for quite a while, but they waited to deliver the fix together with the other fixes. It would have made much more sense to deliver just this fix immediately to protect the customers.

Please visit the dedicated KB article to see what else was patched besides the epic “goto fail”.


If you want a great protection for your Mac, consider installing our Free Mac Security product. We guarantee that we don’t have such bugs. :)

 

Sorin Mustaca

IT Security Expert


Apple patches a dangerous SSL bug in iOS

On Friday, February 21st, Apple released a software update with version 7.0.6 to fix a security issue in various iOS versions. This security bug allows attackers to act as a man-in-the-middle: to read and modify the encrypted communication on iPhone, iPad and iPod. The company says it is also working on the fix for OSX.

According to the KB article, Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

What does this mean?

When a device talks SSL/TLS with a server, it must perform several steps to make sure that the server is who it says it is. Because of this bug, the iOS device would blindly trust a server, no matter what it claims to be, as long as it presents a valid SSL certificate (generated by a trusted certificate authority). For example, if you do your online banking, a man-in-the-middle attack would be successful if the fake server manages to present a certificate that impersonates the bank’s servers. With so many CAs hacked in the past, it is not impossible to impersonate pretty much any entity on the Internet.
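How a single stray line can cause a validation step to be skipped, as an added example: a simplified illustration of the control-flow pattern behind the “goto fail” nickname, not Apple's code. The step functions and the string-comparison "signature" are hypothetical stand-ins.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the validation steps; 0 means success. */
static int hash_update(const char *data) { return data ? 0 : -1; }
static int hash_final(void)              { return 0; }
static int verify_signature(const char *sig, const char *expected)
{
    return strcmp(sig, expected) == 0 ? 0 : -1;
}

/* Flawed flow: the duplicated goto is not guarded by the if above it, so it
 * always jumps to the exit while err is still 0. The final check never runs
 * and the function reports success for any signature. */
int verify_exchange_flawed(const char *params, const char *sig,
                           const char *expected)
{
    int err;

    if ((err = hash_update(params)) != 0)
        goto fail;
    goto fail;                       /* stray duplicate line */
    if ((err = hash_final()) != 0)
        goto fail;
    err = verify_signature(sig, expected);
fail:
    return err;
}

/* Corrected flow: every step runs, and braces make the scope of each
 * early exit explicit. */
int verify_exchange_fixed(const char *params, const char *sig,
                          const char *expected)
{
    int err;

    if ((err = hash_update(params)) != 0) {
        goto fail;
    }
    if ((err = hash_final()) != 0) {
        goto fail;
    }
    err = verify_signature(sig, expected);
fail:
    return err;
}

int main(void)
{
    /* Constructed inputs: "forged" does not match the expected value. */
    printf("flawed, forged signature: %d\n",
           verify_exchange_flawed("params", "forged", "genuine"));
    printf("fixed,  forged signature: %d\n",
           verify_exchange_fixed("params", "forged", "genuine"));
    printf("fixed,  good signature:   %d\n",
           verify_exchange_fixed("params", "genuine", "genuine"));
    return 0;
}
```

A return value of 0 from the flawed function for a forged signature is the failure mode: the caller sees success even though the last check was never executed.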

 

What to do

You need to trigger an update of iOS.

If you don’t see a message like the one below, go to Settings -> General -> Software Update and trigger the update manually.

 

This is what you should see when the device detects the update. Note that the update can only be done when the iOS device is connected to a wireless network.


 

 

Other iOS Devices

Also other iOS devices got the update: Apple TV, iPad v2+, iPod last generation, iPhone 4+. For a complete list please check the dedicated support page.

Name and information link | Released for | Release date
Apple TV 6.0.2 | Apple TV 2nd generation and later | 21 Feb 2014
iOS 7.0.6 | iPhone 4 and later, iPod touch (5th generation), iPad 2 and later | 21 Feb 2014
iOS 6.1.6 | iPhone 3GS, iPod touch (4th generation) | 21 Feb 2014

 

Apple hasn’t fixed the bug yet for MacOSX. Even though Avira can’t protect you against this issue, you should still install Avira Free Mac Security (if you haven’t done this yet).

 

Sorin Mustaca

IT Security Expert
