Category Archives: Panda Security

Panda Security

Panda Security

Spying on your company’s emails can be as easy as (literally) coupling into its optical fiber

router

Five minutes. That is the time needed for an attacker to intercept your company’s communications in the most simple and alarming way. Unfortunately, they don’t have to circumvent complex security measures, install malware on the employees’ computers or anything like that.

The legendary hacker Kevin Mitnick, once convicted cybercriminal and now renowned expert in computer security, has shown that coupling the optical fiber connection of a company or an individual is too easy for someone with evil intentions and the right skills.

Replicating the usual configuration of an office’s network, Mitnick simulates a daily situation: any employee sends an email that, before reaching its destination, will stop on a server (represented by a second laptop in the demo, for practical reasons).

Attackers do not require physical access to any of the two computers. Their task is limited to finding a point where they can intercept the optical fiber. As shown in the video, they can couple into any cassette or junction box carrying the cable before it reaches the victims office or home.

Probably you have seen these cassettes when the technician on duty went to install them. They are usually stacked in a box in the telecommunications room (RITI) of the building, a room that is usually in the garage or in the access floor – or maybe it is the same where the electricity meters are.

If the room is closed with a key, probably it won’t be the place chosen by an intruder to hack the connection. Still in the building, on the upper floors, he could tap the junction box where the cables which end in every home or office start. And also outside the building, on the street, the cybercriminal can find somewhere to couple the cable.

optical fiber

Once located the spot, the attacker will tap the communication thanks to a small ordinary device. Known as ‘clip-on coupler‘, is a device that technicians use for maintaining and identifying the cables. Mitnick used it on his show, and a specific software installed in the computer, to intercept data packets travelling by optical fiber.

This time is the email (and its content, an important password) that ends up in the hands of the fictional attacker. In a real scenario, the cybercriminal could spy any communication that is not encrypted. Moral: do not send passwords, confidential reports or other sensitive material unencrypted via e-mail.

How to prevent your optic fiber from being coupled

  • Restrict access to the optic fiber cabinets to authorized personnel.
  • Use secure tools for sharing files and information.
  • And common sense.

The post Spying on your company’s emails can be as easy as (literally) coupling into its optical fiber appeared first on MediaCenter Panda Security.

Panda Security

Panda’s Security 25th anniversary party

On June 25th, we celebrated the 25th anniversary of Panda Security. It is possible that you may be wondering how the celebration was so… here are some pictures!

diego navarrete

DIEGO NAVARRETE, PANDA SECURITY CEO, WELCOMING THE ATENDEES

 

panda awards

PANDA INNOVATION AWARDS

 

dj

LET’S GET THE PARTY STARTED!

 

party

WE COULD NOT HAVE HAD BETTER COMPANY!

 

brindis

HAPPY 25TH ANNIVERSARY!

If you wish to see more… here is the video!

The post Panda’s Security 25th anniversary party appeared first on MediaCenter Panda Security.

Panda Security

WhatsApp: read or unread?

blue double check

Did you know that WhatsApp may be developing a mark as unread feature? When most of us already got used to the double blue check and few others decided to remove it completely from their lives, everything points to the most popular messaging application has decided to implement this ‘unread’ function.

According to ADSL Zone, it will be the receiver who will be able to modify the status of the message. As has happened other times, they found this new feature in WhatsApp’s official translation center. Here is where the new features are translated before they are released to the public, and not long ago we could find: “mark as read” and “mark as unread”.

read whatsapp

For the moment, it seems to be only available for iPhone users. Now, the question is: how will this affect our privacy? Will the sender be able to see before if the message has been read?

We will keep an eye on it…

More | How to disable the WhatsApp blue double check on Android

The post WhatsApp: read or unread? appeared first on MediaCenter Panda Security.

Panda Security

3D printers: recognize the most popular frauds and their risks

3D printing has a great future, but also begins to be part of our present. For years, there were who anticipated the arrival of a third industrial revolution starring this technology. A new era in which companies from different sectors will need to reinvent their processes and look for new ways to add value, since customers will have in their hands the tools to manufacture (at home) tons of products that now have to buy from companies.

pc garaje

Uncomplicated access to manufacturing tools opens endless possibilities, but the popularization of 3D printers has made them desirable among cyber crooks. The attackers are looking for a way of taking advantage of this technology to achieve their malicious purposes.

The most alarming episode so far was the one starred by Cody Wilson, who shared the instructions to manufacture the first printed gun in 3D on the Internet. Just a few days after hanging his designs on the net, the US Department of State ordered him to remove those files and threatened him they would begin a judicial process that would include prison terms and multimillion-dollar penalties. Nevertheless, Wilson filed a lawsuit against this American authority alleging that such restriction violates his freedom of speech.

Beyond plans and weapons designs that even today we can find on the Internet, there are, unfortunately, many other alternatives for criminals. Without going any further, at the end of 2014, in a joint operation by Spanish police, the Bulgarian and the European Center of Europol cybercrime authorities, more than 30 people in Malaga (Spain) and in different city of Bulgaria were arrested accused of stealing data to make fake credit cards and mobile phone cards.

In the searches they found more than 1,000 devices. From camcorders for bars, credit card readers and magnetic strips as well as plastic cards ready to be encoded. Members of the criminal organization used a 3D printer to manufacture cloned cards from the stolen data.

police guns

One of the main advantages that comes with 3D printing is that it allows the user to make his own designs. However, this is one of the major drawbacks when talking about the wide range of possibilities opened for criminals. Now they have the ability to produce their own tools, without having to resort to the black market and without fearing the police detecting a suspicious package.

According to the experts, with these tools an attacker could cause chaos on an assembly line. They could, for example, design defective replicas of a piece, leaving the product assembled useless, and causing huge losses to the manufacturer. That, or infect such a part of the device with some malware in order to get information from the future user who will buy it and use it. The consequences would be disastrous.

3Dprint

3D printing offers so many possibilities that even to access the factory in which the thieves want to deposit these false or intoxicated parts, they could manufacture their own keys. Knowing the lock model and its weaknesses, they would just have to design a tool, which is able to activate the mechanism and open the door. Without forcing it and without attracting attention or leaving any trace.

3D printing, in a not-too-distant future, will play a decisive role in our lives and will eventually transform many industrial processes. And at the same time, will give criminals a new repertoire of tools to achieve their evil goals.

The post 3D printers: recognize the most popular frauds and their risks appeared first on MediaCenter Panda Security.

Panda Security

WhatsApp for Android: Always download it from Google Play!

By becoming popular, they turn into a real danger. The more famous an application is, the more likely it will be used by cybercriminals to carry out frauds, which may turn out very expensive for those distracted users.

The perfect example is WhatsApp. Each novelty announced by the instant messaging service is exploited immediately by the thugs on the network to deploy all kinds of social engineering techniques.

Without going any further, WhatsApp voice calls lead on to fraud via email: the victim is notified by email of a pending voice message and in order to for hear it he just needs to click on it. By doing so, it will not play any message, but actually it will download a malicious software on the user’s computer.

To generate this avalanche of fraudulent services, cybercriminals not only take advantage of WhatsApp’s latest features. Sometimes they create totally fake versions with presumed advantages as the possibility of customizing the app’s appearance. The most recent case is the one of the so-called Blue WhatsApp, it promised changing the famous app’s green to blue, although this version hides a poisoned apple: a subscription to a premium service which will increase, quite a bit, the victims’ phone bill.

whatsapp azul

In general, the desire of enjoying new features on an application as common as WhatsApp makes some users to accept these updates even if they do not come from an official supplier.

That is why, the best way of avoiding any kind of fraud from making a hole in our pocket or someone stealing our information stored in our Android is using Google Play (or the App Store in case of having an Apple device) at the time of downloading and update or any other application.

whatsapp google play

In this way, users can sort the Web woven by the crooks on the Internet. Furthermore, not only should be wary of those web pages that provide the so-called WhatsApp download with little credible characteristics: on other occasions, a platform which doesn’t belong to the official app nor to the corresponding applications market, will simply offer users to download WhatsApp as a way of attracting potential new victims.

Without false advantages but just as fraudulent, these downloads will fill your device with malware or subscribe you to an SMS premium service at a great cost. It is the case of a website that distributes a malware designed to steal data and it does it under the official WhatsApp appearance.

whatsapp

The web site does not promise any new features in the instant messaging service. It simply enables the download. When the user installs it and accepts all permissions requested, this false WhatsApp access the information stored on the users’ Android device.

That way, both downloading and updating an application, the safest way to do it is going to the corresponding official site. Even so, users can also find in places like Google Play some fraudulent applications hiding under the appearance of a popular service or that simply requires more permissions than the strictly necessary.

For this reason, before downloading an application for the first time you should read carefully its rating and some comments from other users: if it is a trap that has evaded Google’s Play security, the previous experience of others can serve you as warning.

The post WhatsApp for Android: Always download it from Google Play! appeared first on MediaCenter Panda Security.

Panda Security

Developers are neglecting the login security for both Android and iOS

mobile security

You open an application to read the news, check your e-mail or social networks and, on many occasions, it asks you for a username (which may be your email address) and a password. You must sign in to access the headlines which have been customized depending on your preferences, your Inbox where you receive your emails (and not those addressed to anyone else) or, to your personal, and supposedly non-transferable, account.

Technically, yes. A team of researchers from the University of Darmstadt (Germany) and the Fraunhofer Institute for Secure Information Technology scanned 750,000 applications for Android and iOS and discovered that the apps developers didn’t take as seriously as they should the security of this important step (login or authentication).

These experts claim that the analyzed apps, including very popular ones – although they didn’t give any names- and they detected vulnerabilities in all kinds of applications, from games to Instant Messaging, through social networks, financial services or even health-related software.

According to the findings of this research team, many programmers are managing the information needed for logging in, in a negligent or improper way, leaving user names, email addresses or passwords available to third parties with dubious intentions. During their analysis, they found 56 million ‘sets’ of unprotected data.

“App developers use cloud databases to store user data but apparently ignore the security recommendation given by the Cloud providers” says Prof. Eric Bodden, study’s lead author, regarding to the cloud databases offered by Facebook (Parse) and Amazon (AWS).

Storing the users data in third-party cloud it is easier for developers (for example, when it comes to synchronizing web services and applications for different operating systems), but it is a decision that should not be taken lightly. Our data’s security is at stake.

Why is there so much unprotected data?

Cloud vendors offer different security mechanisms to determine if a user is who he claims to be when he checks the database: the more sensitive the information, the higher the barriers. Bodden explains that “the weakest form of authentication, meant to identify rather than to protect the data, uses a simple API-token, a number embedded into the App’s code”.

Using the appropriate tools, an attacker could easily remove those tokens and access the data, read it or even manipulate it. There are endless ways of harming or cashing in for someone unscrupulous: from selling emails and passwords on the black market, to blackmailing the data owners, spreading malware or turning the cell phones of hundreds of users into soldiers of a bot army.

To prevent this, app developers should implement more sophisticated security measures, precisely, just what Facebook, Amazon and other cloud vendors recommend. As the research carried out by Darmstadt and Fraunhofer recommended, developers should implement an access-control scheme, which according to the test most of the 750,000 analyzed applications didn’t.

“Our findings and the nature of the problem indicate that an enormous amount of app-related information is open to identity theft or even manipulation” says Prof. Eric Bodden. “With Amazon’s and Facebook’s help we also informed the developers of the respective apps and they really are the ones who need to take action because they underestimated the danger”.

The post Developers are neglecting the login security for both Android and iOS appeared first on MediaCenter Panda Security.

Panda Security

Panda Mobile Security alerts you if someone picks up your device

Panda Security announced today the launch of a new version of Panda Mobile Security, the company’s solution to combat cyber threats on mobile devices.

The new Panda Mobile Security allows users to enjoy their devices with complete peace of mind, locate lost or stolen smartphones and tablets, and protect their private information thanks to the solution’s privacy auditor and anti-theft features. Additionally, the new version provides improved usability with a  streamlined user interface.

control, protection, android

 

Anti-theft alerts

Panda Mobile Security 2.3.2 includes a new feature designed to prevent loss and theft of mobile devices. The solution’s Motion Alert system sounds an alarm if someone picks up the user’s smartphone or tablet without authorization. Once enabled, the feature displays a countdown if someone moves the device. When the countdown finishes, a loud alarm is triggered even if the device is muted. To stop the alarm it is necessary to enter the device’s PIN or unlock pattern. Users can configure the Motion Alert feature by setting the countdown duration or adjusting the sensor’s sensitivity.

Geolocation and Privacy Auditor

Another key feature included in the new release is the use of geolocation to protect users and ensure the security of their devices. Panda Security’s Anti-Theft protection takes a picture of anybody trying to unlock the user’s device with the wrong code and emails it together with the device’s location. Additionally, it allows the user to lock or wipe the device in the event of loss or theft.

This is complemented with a Privacy Auditor, a new feature that indicates which apps can access personal data, contact lists and files, and allows users to uninstall them.

“Today, mobile devices have become the repositories of our digital lives, and Panda Security is fully committed to improving our customers’ security and user experience. The new version of Panda Mobile Security includes new features to protect users against external threats so that they can enjoy their devices with complete peace of mind,” explained Herve Lambert, Retail Product Marketing Manager at Panda Security.

The new solution is available in 16 languages and sports a new look and feel to mark the company’s 25th Anniversary and new corporate identity.

The post Panda Mobile Security alerts you if someone picks up your device appeared first on MediaCenter Panda Security.

Panda Security

Passwords using emojis. Are they safer?

With SMS we saw how the language evolved in order to save characters, now the way we express ourselves through mobile devices has experienced a new transformation. With the arrival of instant messaging apps, with WhatsApp on top, there are people who are able to communicate exclusively with emoticons.

keyboard emojis

Humans move freely between images. This is why, we could not miss the innovation that would set aside the numbers and characters of our language to create new passwords based on illustrations. But these are not just any scribbles, these are precisely those emojis that are revolutionizing the way in which we express ourselves.

The company Intelligence Environment has developed the first password in which they don’t alternate numbers and letters, but emoticons. “Our research shows 64% of ‘millennials’ regularly communicate only using emojis” said David Webber, Manager Director of the company. “So we decided to reinvent the passcode for a new generation by developing the world’s first emoji security technology”.

In order to replace the passwords that we usually use to access applications and services via the Internet, this British developer has created a system in which the sequence of expressions, hand universal gestures and so many other visual realities make things more difficult for those trying to access what they shouldn’t.

The creators of this new way of composing passcodes claim that this system, as well as being more comfortable for the user, increases the security of passwords, since there are many more combinations based on emoticons. “There are 480 times more permutations using emojis over traditional four digit passcodes” says Webber.

Users will be able to choose from 44 emoticons, which are available on all operating systems. According to the British company’s estimates, these emojis can give up to 3,498,308 million unique permutations. In case of only using combinations with numbers from 0 to 9, as we do today for example with our credit card PIN, options are reduced to only 7,290 permutations.

This way we can create stories which are easier to remember and take advantage of one of the main benefits of this new access codes system. Rather than monotonous successions of letters and numbers which we repeat in several services to prevent our memory from playing us a dirty trick, with Emoji Passcode we will be able to create different passwords for different platforms.

emojis passwords

According to a study conducted by Intelligence Environment in United Kingdom, one third of the over 1,300 people who took part in a survey claimed to have forgotten the PIN for their credit cards recently. Therefore, this British company’s managers intend to implement their new creation, first of all, in the services offered by banks via the Internet.

Tony Buzan took part in the creation of this Emoji Passcode. He is a British memory expert memory who pointed out that this new method of passwords “plays to humans’ ability to remember pictures”. Something which as this educational consultant claims, “It is anchored in our evolutionary history. We remember more information when it’s in pictorial form”.

If within a few months we come across this new password method, we will possibly fail on our first attempts. However, as time goes by, remembering or forgetting our passwords will depend on the same factors as it does today: mainly, that our memory wants or not to play us a dirty trick.

The post Passwords using emojis. Are they safer? appeared first on MediaCenter Panda Security.

Panda Security

Trolls on Twitter. How to avoid them

twitter birds

“We suck at dealing with abuse and trolls on the platform”, said Dick Costolo, former CEO of Twitter, as he stepped down July 1, at the beginning of the year. This statement showed what any user of the social network already new: that Twitter regrettably fails to control harassment.

A recent study carried out by Pew Research Center showed that 40% of the Internet users surveyed claimed to have been victims of cyber harassment. That’s why, one of the purposes of the social network is implementing the necessary tools so that the users do not suffer the abuses of those who are hiding behind anonymity to insult and attack others.

The most recent attempt from Twitter to minimize its impact was allowing users to share with their friends their lists of blocked tweeters. Thus, you can already block several trolls at the same time. Mass-blocking.

“You can now export and share your block lists with people in your community facing similar issues or import another user’s list into your own account and block multiple accounts all at once, instead of blocking them individually”, explained from the social network’s blog.

lista

To use this new feature to import and export lists of blocked users, tweeters who want to avoid harassment on Twitter just need to follow a few simple steps, starting from the ‘Blocked accounts‘ section of the settings on Twitter:

How to export a block list on Twitter

  1. In the ‘blocked accounts settings’, click on ‘advanced options’ and select ‘export your list’.
  2. Twitter will ask you to confirm which accounts you want to export. In this intermediate step, you have two options: select all the accounts that you have blocked with a single click or uncheck those that you don’t want to share.
  3. Once you have selected the accounts that you want to incorporate to the file, click ‘Export’. It will generate a .csv file that will be downloaded automatically on your computer and which you can share with who you want.

exportar

How to import a block list on Twitter

  1. Before starting, you must have received from a contact the .csv file corresponding to their list of blocked accounts on Twitter.
  2. With the file already downloaded on your computer, go to ‘advanced options’, in the ‘blocked accounts settings’, and there select ‘Import a List’.
  3. In the pop-up, click on the paperclip icon on the option ‘attach a file’ to upload it. From there, you must select the .csv file you had downloaded.
  4. It will display the list of accounts blocked by your twitter friend that shared the file with you. It will be then when you will have to select if you want to block the whole list (with just one click) or if you prefer to give some of them a chance. To do so, you will have to uncheck those accounts which you don’t want to block.
  5. Click on ‘Block’ to confirm your selection and automatically, the marked accounts on that list will no longer be among the potential stalkers who someday may decide to attack you on Twitter.

With these simple tools, the lists of blocked users will be shared very easily, so that Twitter users may clip with hardy any effort the wings of several trolls simultaneously (and by recommendation the contact who has shared with us his list).

The post Trolls on Twitter. How to avoid them appeared first on MediaCenter Panda Security.

Panda Security

45% of ex-employees continue to have access to confidential corporate data

With the current situation experienced by the labor market, it is essential for companies to take steps in order to maintain their security in face of the movements which may occur in their workforces.

Employees looking for a change of scene, suppliers who do not pay on time, debts impossible to pay off that force companies to go out of business. There are numerous reasons that may cause changes between the team members and companies should control what information is taken by those who are leaving and how much may be known by those arriving.

computers offices

It seems that many companies don’t pay too much attention to this matter. There are few organizations that take the necessary precautions to prevent workers from taking with them information which belongs to the company or the passwords to access it. According to a study carried out by Osterman Research, 89% of the ex-employees keep the login and the password which gave them access to at least one of their former company’s services.

Of all the participants in the survey, 45% acknowledged that they continued to have access to sensitive or very sensitive confidential information and up to 49% claimed they had accessed some service after leaving the company. Therefore, organizations need to implement mechanisms and strategies that allow them to safeguard the privacy of their information from any changes in their workforce.

The most important thing is to take action before the employees leave. A basic requirement to avoid problems in the long term is to know all the accounts to which employees have access and, in addition, to register the credentials with which they can login to one service or another.

Without going any further, it would suffice to implement a single sign-on platform. A portal from which employees could access all the tools necessary to do their job, using their corporate email as user id. This way, if for any reason the employment relationship comes to an end, the organization will only have to delete that employee’s email to prevent the company’s information from falling into the hands of someone not related to the company.

In the event that the company has forgotten or discarded this first step, they will be able to establish a procedure which must be followed by the employees when they leave their jobs. In some cases security measures as simple as making sure ex-employees return  the tools provided for their work, such as a computer, a smartphone or the card giving access to the office.

This is as far as the physical world is concerned. In terms of digital tools, companies must not forget to close any access their former employees might have to their corporate accounts. In addition, they must prevent them from entering, in any way, the services, applications and any other channels used by the company to enable its workers to operate as a team.

man working

We must take into account a detail in this whole process: during the time a worker is part of the team and has the company’s trust, his actions cannot be controlled. That’s why, as the study of Intermedia exposed, 68% of the employees that took part in the survey claimed to have kept corporate information in one or another personal account in the cloud.

Employees who needed to check documents outside the office stored them in Dropbox, Google Drive or OneDrive. According to Michael Osterman, president of Osterman Research, “if an employee stores sensitive or confidential data in personal Dropbox or Google Drive accounts, then this data is potentially accessible by outsiders the day he or she becomes an ‘ex-employee’”.

For that reason, another recommendation is that organizations which can see their privacy compromised due to changes in their workforce should implement or hire their own cloud storage service. In this way, the company will always have access to that data and will prevent the employee who uploaded this information from accessing it if he leaves the team.

Furthermore, the management of the company should encourage employees to save the information there rather than leaving it on their computers, just in case on the last day, if they decide to erase everything they have stored, some sensitive information could disappear forever. In case they decide to act in this way, the company must also incorporate regular audits to check that everything goes as planned and all data is safe.

Following these recommendations, many companies could save themselves some headaches. With these guidelines they will not only prevent ex-employers from taking something that doesn’t belong to them, but also prevent the digital ghosts of people who one day worked for the company from continuing to swarm through those platforms and services to which one day they had access, sniffing around matters which no longer concern them.

The post 45% of ex-employees continue to have access to confidential corporate data appeared first on MediaCenter Panda Security.