Tag Archives: businesses

Update Right Away or Wait it Out? Android’s Big Dilemma

If your employees are like most users, they most likely postpone updates for their OS. In other words, your company’s mobile fleet could be at risk. This is especially true if they are using Android devices. When the famous little green robot gives a notification of the update, a good deal of people wait for other users to try it first and then gauge their reaction.

It seems sensible enough, but this practice could put your company’s security in danger. First of all, phones with Android are more susceptible to break-ins than ones with iOS. Then there’s the fact that most corporate phones are equipped with Google’s software, which in itself involves a risk — the good people at Mountain View take longer than Apple to launch updates with security patches when a vulnerability is detected.

So Google lags in its response to threats, but the fragmentation of Android devices makes the response time even longer. It’s not enough for Google alone to launch its update, but will later have to be adapted to the specific make and model that your employees are using. Ultimately, an Android patch takes long enough to arrive without the added time of the user postponing an update.

On the other hand, it is true that some people recommend letting some time pass to see how each individual phone reacts to a new update. This advice, which in principle is completely inadvisable for corporate security, does in fact have a reason for being. Some mid-range models could potentially lose some performance or even some functions when a new OS is installed.

Tips on How to Safeguard Your Corporate Devices

The need to protect the confidentiality of corporate data is underscored by this seemingly quotidian matter. For one thing, it’s crucial that employees have a powerful and recent mobile device so as not to run any risks when updating. Also important is that they always have at their disposition the right protection.

The bottom line: your employees should update their mobile software as soon as it’s available. You should also recommend that they make backup copies beforehand. Doing so will reassure them that there is no risk of losing anything. Finally, they should delete cached data to prevent their device’s losing performance. No stone should go unturned in the protection and safeguarding of your company’s data.

The post Update Right Away or Wait it Out? Android’s Big Dilemma appeared first on Panda Security Mediacenter.

How Fraudulent Advertising Could Be Costly to Your Company

Your company may be losing money because of online advertising. Beyond the success of advertisements when it comes to converting marketing budgets into sales, a singular type of cyberattack threatens to directly affect your company’s accounts.

Namely, there exist networks of bots that are used to inflate the number of clicks that ads receive. These botnets enable fraudsters to manipulate web advertising metrics, which in turn leads advertisers to pay more than what they should for legitimate clicks.

A recent study reveals the worrying consequences of this subtle kind of fraud. All over the world it has already cost businesses more than $7 billion, bloating advertising figures spectacularly and making up 11% of banner impressions and 23% of video advertisement impressions.

The main problem of this cyberattack in relation to other threats on the web — such as phishing and ransomware — is that it goes completely unnoticed. After infecting devices, cybercriminals are able to discreetly redirect traffic to simulate ad clicks. Since these are real devices owned by real people, advertisers are unaware that behind their ads’ success lies an army of bots.

So, it seems like nipping the problem in the bud may be complicated (at least from the advertiser’s perspective, who is billed according to these metrics, rigged as they may be). However, there are several things that companies can do, such as using quality advertising platforms that offer certain guarantees and that have demonstrated their willingness to persecute those responsible for these botnets.

Beyond that, it’s important to use ad metrics to check the duration of the visit to the webpage and the geographic location from which the supposed clicks are originating. This could be used to expose the fraud. Visitors that enter the page for only a fraction of a second or that do so from a faraway country that has little reason to be interested in the product will, most likely, be infected devices in the botnet.

The same thing happens with botnets used to make social network ad campaigns more expensive. These campaigns are likely orchestrated by a competitor with the intention of making advertising more expensive. In fact, they are relatively easy to track. If a wave of phantom followers appears out of the blue (without profile photo and with strange names), it most likely fraudulent.

The post How Fraudulent Advertising Could Be Costly to Your Company appeared first on Panda Security Mediacenter.

Can a Hacker Guess Your Password in Only 100 Attempts?

Making sure that our employees use complex and diverse passwords, both in and out of the workplace, is of vital importance. Not least because multitudes of confidential data could be at risk because of flimsy credentials, ones that are obvious and oft-repeated.

To demonstrate the necessity of adequate protection that also allows for the handling of many distinct passwords, a group of researchers has created a software that is capable of guessing passwords with only a small number of attempts. Specifically, with a little bit of the victim’s personal information, the tool would be able to hit upon the correct password testing fewer than a hundred possibilities.

It’s called TarGuess and was created by researchers at the Universities of Beijing and Fujian in China, and the University of Lancaster in the UK. According to their study, an attacker with sufficient personal information (username, a pet, family members, date of birth, or the destination of their most recent vacations) has a one in five chance of guessing their password in fewer than a hundred attempts.

All they’ve done with TarGuess is to automate the process with a tool that scours social networks for personal information that could later be used in its attempts.

Using this tool, the researches successfully guessed 20% of passwords of those participating in the study with only one hundred attempts. More strikingly, the success rate increases proportionally with the number of guesses. So with a thousand attempts TarGuess is able to get 25% of passwords, and with a million the success rate can climb up to 50%.

Moving beyond the controversial data breaches of platforms such as Yahoo or Dropbox, the main conclusion that this study draws is that many users’ passwords are not robust enough to withstand this kind of attack. And as if that wasn’t enough, these breaches have brought to light another risk: TarGuess reportedly detected that many of these credentials are used in other services, or at best have many similarities (constituting what they call “sister passwords”).

This investigation demonstrates once again the necessity of controlling what kind of information is published on social networks. An employee that ‘shares’ every moment of their life may be inadvertently helping a cyber attacker to learn their password, putting corporate data at risk.

The post Can a Hacker Guess Your Password in Only 100 Attempts? appeared first on Panda Security Mediacenter.

Artificial Intelligence: the Future of Fighting Cybercrime

The future of corporate security lies in artificial intelligence. In fact, for better or worse, algorithms will turn out to be crucial to the protection of corporate data. These two faces of the same coin will be nothing less than malware capable of mimicking human behavior and, on the flip side, solutions that can predict which threats will endanger your company’s networks.

To date, there are already algorithms capable of imitating writing styles, and this is precisely the key to the future of cyberattacks. Just imagine, for example, an employee who receives an email supposedly sent by a superior asking him to make a money transfer. The sender doesn’t arouse suspicion because the ill-intentioned algorithm has very believably mimic the superior in question’s writing style. This is a situation we are already seeing today.

According to the FBI, this sort of attack is not science fiction. There are already plenty of businesses that have fallen prey to these attacks, which have entailed losses of $23 million. As artificial intelligence makes headway and gains the ability to analyze more and more data of the person it plans to impersonate, so-called CEO fraud will become increasingly sophisticated and difficult to combat.

The Counterattack

However, all is not lost. As difficult as it may seem to counter these methods, businesses should take comfort in the upsides of artificial intelligence.

Indeed, the cybersecurity systems of tomorrow will come by way of algorithms that can prophesize future threats. To do this, they must first identify corporate system vulnerabilities that could give way to malicious software. The goal is for A.I. to be able to detect anomalies on company networks before it is too late.

For better or worse, companies will need to keep up with advances in A.I. to keep their confidential data confidential. It will be both the problem and the solution all at once. A new starting signal in the cybersecurity race that calls for the adequate protection of your company.

The post Artificial Intelligence: the Future of Fighting Cybercrime appeared first on Panda Security Mediacenter.

How to Bolster Security for Your Online Store This Holiday Season

tips-cybersecurity-panda-christmas

The gift giving season is just around the corner. With the frenzy of Black Friday and Cyber Monday already behind us, shops that conduct their sales online (and their clients) should be prepared for the most hectic weeks of the year still to come.

Unfortunately, this is also the busiest time of year for scammers that try their luck at fishing in frenzied waters. Cybercriminals are well aware of how many companies, regrettably, don’t invest enough in protecting their online sales platforms. Thus, cyberattacks and data breaches soar around the holidays. Luckily, if you run an e-commerce website, you’re still in time to follow these tips:

  • tips-online-salesDon’t cache your clients’ payment information. The best way to avoid problems is by thoroughly verifying that credit card numbers are never stored in your data base and never pass through your servers. It’s as easy as resorting to one of the many payment solutions on the market, such as PayPal or Braintree, which take it upon themselves to handle that sensitive data for you.
  • Make sure your website’s platform (Prestashop, Magento…) is up to date. Search the Internet for common vulnerabilities these tools may have and look for a way to remedy them. The same goes for plugins and extensions you may have installed.
  • Implement a secure SSL protocol. This is essential to your online store (especially when transmitting user information). In truth, it’s essential to any website, but customers perceive e-commerce platforms that don’t show the “http” in the address bar as insecure. And with good reason.
  • Be prepared for the flood of traffic. A large number of users will connect at the same time to make holiday purchases on your website. Check that your web hosting service is up to speed and can handle traffic peaks, that you are using a well-configured load balancing solution and a CDN to reduce the traffic that your server has to withstand. Not only will you avoid downtime, but also you will increase speeds and improve user experience.

From a vendor’s standpoint, these are some issues to be kept in mind to increase security for the holidays.

But there’s something else that businesses should keep in mind when it comes to protection at this time of year. Namely, that their employees, whether they like it or not, will be making purchases using company computers.

Among the precautionary measures that we would like to impart, these are especially pertinent. Before making a purchase, your employees should make sure:

  • That their system is up to date has the protection of a reliable advanced cybersecurity solution.
  • That they only make purchases on well-known websites that have a solid reputation, and that the webpage uses an SSL protocol with security certificates.
  • That they avoid bargains that seem implausible, especially if they appear in emails and the sender is not fully trustworthy.

With this advice and a bit of common sense, holiday preparations shouldn’t bring about any unpleasant surprises. Shopping online is quick, convenient, and easy, but we have to stay vigilant to avoid falling into scams.

 

The post How to Bolster Security for Your Online Store This Holiday Season appeared first on Panda Security Mediacenter.

Hijacking and Theft: The Dangers of Virtual Reality for Businesses

virtual reality panda

Tech giants such as Google, Facebook, or Samsung are betting heavily on virtual reality. As such, this technology has all the hallmarks of something that may soon revolutionize our lives. It may also revolutionize a multitude of business sectors. Tourism (traveling without getting up from the couch), education (seeing history instead of learning the bare facts or visiting the inside of the human body for your anatomy lesson), entertainment (movies starring you), and much more.

However, it is still very much in the early stages of its development. We’re not hearing much about the cybersecurity risks that come along with it. We should be aware that virtual reality, as with any innovation, carries with it some new threats, as well as some old ones that can reinvent themselves in light of new technology.

Virtual Theft

Imagine you’re participating in a virtual reality contest that promises to give you the house of your dreams if you succeed in building it in 100 hours using Lego blocks. You toil away on your house to meet the requirements and in the end you succeed, at which point the organizers grant you the property of the living space that fascinates you so. However, there’s a cybercriminal on the prowl. He sneaks into the application’s servers and modifies the ownership of the property. Of course you’ve lost nothing physical, but you have lost valuable time. And the company behind the app has lost even more than that. At the very least, they’ve lost your trust, as well as that of the rest of their users.

Identity Theft

As worried as we are about the massive credential data breaches that companies increasingly suffer during cyberattacks, in the virtual world things may get worse. Intruders will be able to get their hands not only on usernames and passwords, but also on the user’s physical identity (the hyperrealist avatar generated after scanning their own body).

With all of their biometrics data in your possession, it may end up being easy to steal an actual person. Companies that safeguard such information may therefore face greater risks than those found in the age of credential theft.

Reality Modification

Attackers can figure out how to modify a given application’s code to manipulate (virtual) reality as they please. The number of scenarios is infinite. Accessing the virtual offices of a company that works remotely, modifying information to harm a business’s reputation, altering user experience… There’s a whole world of potential risks waiting to be discovered that will bring about new challenges for cybersecurity experts.

Headset Security

In much the same way that malware can affect computers and mobile devices, it can affect virtual reality headsets. Cybercriminals can attack these headsets with a diversity (and perversity) of intentions. Everything from a keylogger able to track user activity to a ransomware that blocks access to a specific virtual world until the user shells out a ransom may be implanted.

The post Hijacking and Theft: The Dangers of Virtual Reality for Businesses appeared first on Panda Security Mediacenter.

Don’t Let Yahoo Happen To You: How to Protect Your Business from Large-Scale Data Theft

yahoo-data-theft

In 2016, the theft of passwords from internet titans is no longer an exception. Just when it seemed like the year was winding down, having left us with the surprising news of what until yesterday was considered the highest magnitude cyberattack in history suffered by Yahoo and reported three months ago, this same company returns to headlines after announcing the theft of data from 1 billion accounts.

This comes on the tail of some revealing figures. For example, massive data breaches have, amazingly, affected 97% of the 1000 largest companies in the world.

After admitting last September that in 2014 they had suffered a large-scale theft that affected 500 million users, Yahoo revealed today that in 2013 it suffered what is now considered the worst incident of information piracy in history with the theft of 1 billion accounts.

There’s a strong resemblance between this attack and the ones we’ve been analyzing over the past months. These recent attacks showcase the way cybercriminals gain access to names, email addresses, phone numbers, dates of birth, passwords, and in some cases clients’ encrypted and unencrypted security questions. The dimensions of the incident are truly staggering.

Yahoo disclosed that “an unauthorized third party” accessed the data and that at this time the culprit remains unnamed.

Economic repercussions aside, these incidents also call into question the issue of deteriorating user confidence. For example, Verizon’s initiative to integrate Yahoo into the AOL platform will certainly come under scrutiny.

How Should You Keep Your Business Safe?

There’s a legitimate reason to fear for your business’s confidential information. An outsider capable of getting the key to your company’s data, as happened at Yahoo, is a latent risk. Prevention has become the greatest asset in combating Black Hats and avoiding some of the dire consequences of these attacks.

To that end, we encourage you to turn to the advanced cybersecurity solution best suited to your company’s needs. Our Adaptive Defense 360 can offer you:

visbilidad- adVisibility: Traceability and visibility of every action taken by running applications.

 

deteccion- adDetection: Constant monitoring of all running processes and real-time blocking of targeted and zero-day attacks, and other advanced threats designed to slip past traditional antivirus solutions.

 

respuesta- adResponse: Providing forensic information for in-depth analysis of every attempted attack as well as remediation tools.

 

prevencion- adPrevention: Preventing future attacks by blocking programs that do not behave as goodware and using advanced anti-exploit technologies.

 

This is the only advanced cybersecurity system that combines latest generation protection and the latest detection and remediation technology with the ability to classify 100% of running processes.

The post Don’t Let Yahoo Happen To You: How to Protect Your Business from Large-Scale Data Theft appeared first on Panda Security Mediacenter.

Google to punish repeat offenders by marking their websites insecure

security warning google

 

Mountain View appears to be fully committed to web user security. In 2016, Google has already launched various initiatives to penalize poor website security practices (or, on the other hand, to reward users who follow their recommendations). Now they’ve proposed to clearly mark websites that not only pose a threat to web users, but are also repeat offenders.

In fact, both in Chrome (the company’s own browser) and in other browsers such as Firefox and Safari, the search engine will show a warning in front of websites that intentionally spread malware, as well as those that are, in reality, used as instruments of phishing.

This is actually something that Google does already. What’s new is that the company will begin to take decisive action against those who repeatedly attempt to skip over safety rules. Once a website is marked as dangerous, the admin can update the page to eliminate the infractions in question, at which point Google takes down the warning. If the search engine finds itself routinely notifying the admin to inspect the warning, in some cases their chance to have the warning removed will be rescinded for 30 days.

Specifically, the option to resolve these issues will be eliminated for websites that, after requesting a reappraisal, make a few changes to get up to code and then subsequently go back to carrying out practices that put users in danger. To combat these repeat offenders that modify their websites just for show, Google will crack down on them by keeping the warning message up for an entire month, with no possibility of turning over the ruling during this time.

This news is actually somewhat of a double-edged sword for companies. On the one hand, it’s undoubtedly beneficial that employees can know at a glance whether they are about to enter a website that could jeopardize the company’s security. But as the saying goes, all that glitters is not gold.

Google’s new measure cranks up the pressure on companies to make sure their corporate website does not pose a risk to users. Otherwise, the penalization issued by the good people at Mountain View could prove a real disaster for the business — beyond putting users at risk, it may end up scaring away future clients.

The post Google to punish repeat offenders by marking their websites insecure appeared first on Panda Security Mediacenter.

This palm-sized device will supersize your security.

Panda-Security-ORWLWouldn’t you like to get your hands on a tough little device that will boost your business’s security? Meet ORWL, a circular computer device that is engineered to top-off your computer’s security.

A great number of companies have been victims of data leaks because of an insider or cybercriminal who had physical access to their computers or devices. Once a cybercriminal entered your computer, they can access the internals of your computer, tap and leak information, and even hide malicious eavesdropping devices.

After two years of work and a successful crowdfunding campaign, the company Design Shift has designed a device that can identify attack attempts. It prevents undetected tampering of its electrical components and, if tampering is detected, the device immediately erases all data (even when the device is unplugged).

It also acts like a safe vault for your information, only allowing access to your system once the device is unlocked with both a physical key and a password. If the physical key is far from the device, the USB ports automatically deactivate, preventing a cybercriminal with physical access to infect it with malware. ORWL also verifies the integrity of all firmware prior to boot, using a battery-backed secure microcontroller. ORWL isn’t just robust, it’s pretty much impenetrable.

This super-secure computer is complex, but it’s also an open source product, and its inner workings are available for everyone to see.

We continue to witness a large number of sophisticated cyberattacks on banks and ATMs due to a combination of system vulnerabilities and insiders with physical access.  ORWL answers a large part of our problems in terms of physical attacks. In respect to software, which is always a weak point, you can ensure your security and make yourself indispensable with the right kind of solution.

 

 

 

 

The post This palm-sized device will supersize your security. appeared first on Panda Security Mediacenter.

Can we trust our computers? Many have been tampered with during the manufacturing process.

3How can you prevent a manufacturing sabotage from becoming an IT disaster? Securing your company’s network with the right protection measures isn’t always enough. Of course you should install an adequate protection system and ensure that your employees use robust passwords. However, there is something that we cannot control: the manufacturing process.

Did you know that your business’s computers can be manipulated during the manufacturing process? A cybercriminal’s network is very sophisticated. In fact, these hackers have accomplices allover the world, including in factories where parts are produced (like microchips). Since the products are tampered with before the computer is finished, no one really suspects that the pieces are infected after they’re installed.

Luckily, manufacturers have discovered a complex solution that can beat this scheme. A new system was proposed by Siddhard Garg, a computer engineering professor at NYU. He believes that for the tightest security the microchips should be strategically manufactured in different phases.

Garg’s proposal makes it so that cybercriminals never know exactly where the piece will be created, making it difficult or impossible to carry out their plans.

Math makes the difference

Garg’s proposal isn’t a new one. In fact, this idea of distributing the manufacturing process to various factories is already being practiced. However, this professor has gone a step further; his method requires advanced mathematics. Instead of randomly distributing the microchip production, this will ensure the greatest security without heavily increasing the production costs. Garg’s system doesn’t just aim to prevent microchip tampering, it will also stop the production of counterfeit parts that affects both manufacturers and buyers.

With this method, since you aren’t building an entire chip in a same factory, there is no finished design to steal and copy.

The post Can we trust our computers? Many have been tampered with during the manufacturing process. appeared first on Panda Security Mediacenter.