That little black home router with the funny antennae and shiny lights could be part of an army of devices conscripted to take down the internet. It sounds dramatic, but regular people’s internet-enabled devices – routers, webcams, printers, and so on – were used in a massive online attack that shut down a huge part of the internet for hours one Friday morning last October. With the number of connected devices estimated to reach 50 billion by 2020, you can be guaranteed that cybercriminals will attempt it again.
Avast CEO speaking on Internet of Things security at Mobile World Congress
Like most of us, you probably got the router you use in your home from your internet service provider. Like most of us, you probably have not changed the password. And like most of us, you probably didn’t even know there was a password to be changed, much less how to access it.
Two Step Verification, and How Facebook Plans to Overhaul It
We’ve all been there. You get a new smartphone or computer, and you have to slog through all of your first-time logins by manually typing out usernames, passwords, etc. Sometimes it happens that one of your accounts has a particularly difficult password that you barely even remember creating and – yep, you get locked out of your account. You curse yourself for that distant day when you felt so ambitious about password security and created such a puzzle for your future self. But if you’re among the many who ordinarily aren’t too finicky about security, then you’ll probably have no qualms about recovering access to your account by requesting a password reset email from the company.
However, cases reminiscent of the recent data breach of the century at Yahoo that affected a billion accounts show the need for additional security measures. Attackers would be happy to use passwords and security questions collected from such breaches to access your current accounts. In fact, the password recovery link itself may be compromised.
The alternative standard procedure in these cases is two-step verification: associate a phone number with the account to add an extra layer of security. This option is available on a number of services, including Gmail, Facebook, Twitter, and Instagram. However, Facebook has just announced a new way to recover forgotten passwords safely and without the need for a phone.
Challenging email as the standard
Soon, the social network par excellence will allow users of third-party websites to recover their passwords through its own service. Internet users will be able to save an encrypted token on Facebook that allows them to retrieve their password on pages like GitHub. This way, if you lose your GitHub password, you can send the token from your Facebook account, thus proving your identity and regaining access to your GitHub profile.
The company has emphasized that the token’s encryption guarantees user privacy. Facebook can’t read the information stored in it and will not share it with the service you’re using it for without express permission from the user.
At the moment, the service, which has been called Delegated Recovery, is only available on GitHub. It has also been made available to researchers as an open source tool to be scrutinized for vulnerabilities before it is implemented on other websites and platforms.
With this new method, Facebook aims to eliminate the headaches of users who suffer theft or loss of their smartphones and can’t recover their accounts immediately. And while they’re at it, they’ll take the opportunity to offer themselves up as a safer alternative to email when it comes to recovering passwords. “There’s a lot of technical reasons why recovery emails aren’t that secure. Email security doesn’t have the greatest reputation right now. It’s the single point of failure for everything you do online,” said Brad Hill, security engineer at Facebook. Will Facebook succeed in becoming the hub of all of our accounts? Time will tell.
The post Two Step Verification, and How Facebook Plans to Overhaul It appeared first on Panda Security Mediacenter.
Why antivirus alone won't protect you: The anatomy of REAL security software
When computers were still relatively new, antivirus software defended against the only existing threat at the time – viruses. Today, users must protect themselves and their devices from viruses and from malware such as ransomware, as well as malicious activities carried out by cyber crooks, including Wi-Fi snooping to steal personal information, account breaching, and infecting Internet of Things (IoT) devices to perform DDoS attacks. You may be wondering, then, how to protect yourself from so many – and such diverse – threats.
Targeting SMBs’ threat tolerance concerns
Small and medium businesses don’t appear to be as concerned about their cybersecurity vulnerabilities as they should be: SMBs are the principal targets of cybercrime, and as many as 60 percent of hacked SMBs go out of business after six months. The reality is that the growing and rapidly changing threatscape and limited resources are driving them to outside help to protect their businesses. That protection can include assessments, remote monitoring and management, and backup and disaster recovery, but one way to stand out from the competition is to focus on their risk tolerances and customize your offerings to their individual risk appetites.
4 Cybersecurity Risks We’ll Face With WhatsApp Status
WhatsApp – the Facebook-owned giant that really needs no introduction – is seemingly on a mission for world domination, this time taking on Snapchat.
The instant messaging company’s new WhatsApp Status feature will allow users to privately share edited photos, videos and GIFs with their contacts; these will disappear after 24 hours.
It’s not the first Facebook-led Snapchat Stories copycat, but it’s perhaps the most ambitious. WhatsApp, with over a billion users, have really taken on the competition here.
One of the interesting points that WhatsApp have always made sure to emphasize in their blog is the “security by default” principle, which will be upheld by Stories.
In the Status feature statement, Jan Koum has said “yes, even your status updates are end-to-end encrypted.”
But Is It Really As Safe As They Say?
Hervé Lambert, Retail Global Consumer Operations Manager at Panda Security, says that the use of WhatsApp Status is still not risk-free:
“After having carried out various studies on the behavior of people on social media, we’ve detected a few potential risks that all users of this new version of WhatsApp Status should recognize.”
Your Status Will Be “Public” By Default
The default setting on WhatsApp Status will be set to public. All of your statuses will be visible to any contact you have on your phone. To some, this may entail a real invasion of privacy as most people hand out their phone number much more readily than they accept someone on social media. Think of the amount of work acquaintances or casual contacts that will have access to potentially private posts.
“We have to take into consideration that we can’t tell certain details of our private lives to all our contacts. We don’t know what these people could do with this information,” adds Hervé Lambert.
Hackers Can Breach WhatsApp’s Vulnerabilities
WhatsApp certainly prides itself on being a secure app with its end-to-end encryption, and rightly so. However, the fact that it boasts millions of users still makes it a target for hackers who seek to carry out cyber attacks on large numbers of people. For these attackers, it’s a probability game; the more users they try to attack, the more likely they are to succeed.
Apple’s iOS Messenger has recently been exposed by cybersecurity experts. Though the vulnerability in that app is by no means a cause for great concern in itself, it shows that encrypted messaging apps are not impenetrable.
Ransomware
Who are these types of features usually aimed at? It’s possible that WhatsApp Status could be a ploy to encourage less tech-savvy users to cross over to more involving social media, like Facebook itself, after having tried out the new WhatsApp feature for the first time.
However, it’s safe to say that features like Status, Snapchat Stories and Instagram Stories are most popular amongst young kids who enjoy the ability to post weird and wonderful images that won’t be saved on a profile indefinitely.
Unfortunately, young people are also perhaps the most vulnerable to ransomware attacks.
The very fact that the posted statuses are less permanent leads some young people to post photos or videos that are more risqué in nature. Cybercriminals look for this kind of content online to lead vulnerable young people into paying a ransom, or carrying out undesired actions if they don’t want the content shared with the public. Caution is always advised when posting online.
Pirate “Complementary” Apps
When a new feature like WhatsApp Status comes out, there’s usually a huge buzz and a frenzied search for new functionalities. This is something that cybercriminals try to take advantage of.
It’s important to be wary of new apps claiming to add functionalities to WhatsApp Status. This is especially the case with apps that “promise” they can bypass important functionalities. With apps like Instagram and Facebook, they usually claim they will allow you to see who’s looked at your profile. With WhatsApp Status it would be unsurprising to see some that claim to allow you to still see photos after the 24 hours have passed.
These apps are largely malicious, and they draw people in by claiming to be able to bypass an integral functionality of the app. As you try to use the pirate app, it could be loading ransomware onto your device. Don’t be drawn in by the desire to bypass the main functions of an app.
As the new WhatsApp Status feature is rolled out, more possible risks will likely come to the attention of users and cybersecurity experts. Though WhatsApp is a safe app, relatively speaking, it’s important to be careful what you post online and where. It’s not always completely clear who has access to the data.
Your Virtual Assistant Knows Quite a Lot about You
“OK, Google.” With this simple voice command, the Google Home smart speaker sprung to life in a recent Super Bowl ad for Mountain View’s virtual assistant. To the surprise of many viewers, so did the Google Home in their own living room. OK, indeed. Just one more reminder that virtual assistants, capable of turning on lights or putting together playlists or making purchases online, are also spies in our very own homes.
In fact, their gift for listening in on conversations and keeping them on file can make them a good helper for solving crimes as well. The local police in a US town asked Amazon if it would allow them to access the information of an Amazon Echo. The smart speaker may have stored information that could help clear up some points of their ongoing investigation. Ultimately, such a device will record anything that happens if prompted, and we’ve seen that sometimes its owner is not the only one to wake it up from its dormant state (OK, Google…). So, it begs the question: how can you wipe its memory?
Deleting the memory of Alexa and Google Assistant
Alexa, the virtual assistant that only speaks English (for now), is the brain of the Amazon Echo. She will be the brain behind other products as well, it seems. At the last Consumer Electronics Show, Lenovo presented an affordable device that works with Alexa, and Huawei will integrate it into its Mate 9 smartphones. In order to protect our privacy, it will come in handy to know how to delete the information they keep squirrelled away on their servers.
For Alexa, you can do it either from the app itself, available for Android and iOS, or from the website. It’s as simple as going to Settings, History. From there, you can select the files you wish to delete permanently (or the, um, evidence you wish to destroy). From the website the process is slightly different, but just as simple. Just go to the menu that allows you to manage your content and devices. From there, select the Amazon Echo and request to delete recordings.
The procedure is similar for deleting data from Google Assistant, the virtual assistant that for now is only available for Google Home, Android Wear, Google Allo, and the Google Pixel. From My Activity, the page that allows you to see an overview of your activity on Google’s various services, you can filter results to only see the data kept by your virtual assistant, or Voice and Audio services. Once there, you can either delete all the files at once, or just start clicking away and have a field day deleting them one by one.
In culling as much information on us as possible, the obvious goal of these virtual assistants is to offer more personalized services. But it’s nice to know that the dirt they have on you can be swept under the rug without any hassle.
Smart Meters Can be a Threat to Homes and Offices
For some time now, a large majority of buildings have made use of smart meters to record their electrical consumption. Besides the potential impact on the electric bill, which some consumer groups have already denounced, the widespread adoption of this apparatus carries along with it some lesser known security risks.
As researcher Netanel Rubin explained during the last edition of the Chaos Communication Congress held in Hamburg, Germany, these meters pose a risk on several fronts. First, these devices record all household and office consumption data and send it to the power company. An attacker with access to the device could see its data and use it for malicious purposes.
For example, a thief could find out whether a house or office is empty in order to burgle it. And since all electronic devices leave a unique footprint on the power grid, such a thief could even analyze variables to find out what valuable devices they could potentially have at their fingertips upon entry.
A thief could find out whether a house is empty or not, and what valuable objects it contains
In a few years, when smart homes become more widely popular, the scenario could end up being even more serious. The attacker could actually enter the home or office without having to force the lock. If there is a smart lock installed, all they would need is access to the system to enter the house.
As serious as this is, smart meters are open to even more grievous lines of attack. As Rubin explained, meters are at a critical point in the power grid because of the large amount of voltage they receive and distribute. An incorrect line of code could cause serious damage. For example, an attacker who took control of the device could “cause it to literally explode” and start a fire, according to the researcher.
This is all pretty alarming. But the biggest weakness of smart meters is in the way they communicate with each other and with power companies. Normally they do it through the GSM protocol, the standard of 2G communications for mobile networks. The insecurity of this protocol has been well demonstrated.
According to Rubin, some companies are not using any sort of encryption in such communications. Among those that do, weak algorithms or very simple passwords are sadly run-of-the-mill. You might just as well serve it up to attackers on a silver platter.
The fact of the matter is many of these devices are insecure by default. As Rubin points out, they do not have a CPU with enough power and memory to use strong encryption keys.
Behavior Shield: our newest behavioral analysis technology
We recently released a new version of our flagship PC product, Avast 2017, which uses various engines, including CyberCapture, to scan for threats. Our engines are protection layers that can step in at different stages to safeguard you from threats. An additional layer we added to Avast 2017 is a patent-pending technology that we call Behavior Shield.
CryptoMix: Avast adds a new free decryption tool to its collection
In cooperation with researchers from CERT.PL, we are happy to announce the release of another decryptor tool, this one for the CryptoMix ransomware. CryptoMix has multiple aliases, including CryptFile2, Zeta, or the most recent alias CryptoShield.