Tag Archives: featured1

Passwords using emojis. Are they safer?

With SMS we saw how the language evolved in order to save characters, now the way we express ourselves through mobile devices has experienced a new transformation. With the arrival of instant messaging apps, with WhatsApp on top, there are people who are able to communicate exclusively with emoticons.

Humans move freely between images. This is why we could not miss out on an innovation that sets aside the numbers and characters of our language to create new passwords based on illustrations. These are not just any scribbles: they are precisely the emojis that are revolutionizing the way in which we express ourselves.

The company Intelligence Environment has developed the first password in which they don’t alternate numbers and letters, but emoticons. “Our research shows 64% of ‘millennials’ regularly communicate only using emojis” said David Webber, Manager Director of the company. “So we decided to reinvent the passcode for a new generation by developing the world’s first emoji security technology”.

To replace the passwords that we usually use to access applications and services via the Internet, this British developer has created a system in which sequences of facial expressions, universal hand gestures and many other images make things more difficult for those trying to access what they shouldn’t.

The creators of this new way of composing passcodes claim that this system, as well as being more comfortable for the user, increases the security of passwords, since there are many more combinations based on emoticons. “There are 480 times more permutations using emojis over traditional four digit passcodes” says Webber.

Users will be able to choose from 44 emoticons, which are available on all operating systems. According to the British company’s estimates, these emojis can give up to 3,498,308 million unique permutations. Using only the digits 0 to 9, as we do today with our credit card PIN, for example, the options are reduced to only 7,290 permutations.

This way we can create stories which are easier to remember and take advantage of one of the main benefits of this new access codes system. Rather than monotonous successions of letters and numbers which we repeat in several services to prevent our memory from playing us a dirty trick, with Emoji Passcode we will be able to create different passwords for different platforms.

According to a study conducted by Intelligence Environment in United Kingdom, one third of the over 1,300 people who took part in a survey claimed to have forgotten the PIN for their credit cards recently. Therefore, this British company’s managers intend to implement their new creation, first of all, in the services offered by banks via the Internet.

Tony Buzan took part in the creation of this Emoji Passcode. He is a British memory expert who pointed out that this new password method “plays to humans’ ability to remember pictures”. As this educational consultant puts it, “It is anchored in our evolutionary history. We remember more information when it’s in pictorial form”.

If we come across this new password method within a few months, we will possibly fail on our first attempts. However, as time goes by, remembering or forgetting our passwords will depend on the same factor as it does today: mainly, whether or not our memory decides to play a dirty trick on us.

The post Passwords using emojis. Are they safer? appeared first on MediaCenter Panda Security.

New Avast Hack Chat video series debuts

Remember when you used to make sure you were home at a certain time so you wouldn’t miss your favorite TV show? That was called “appointment television”, and those of you old enough to remember watching The X-Files or Friends when they originally aired know what I’m talking about. But, with the new USA Network show, Mr. Robot, it feels like those days are back again. Sure, I have my DVR set to record, but I will definitely watch it live. Since all my buddies are watching too,  I will be itching to talk about it the next day.

Avast’s new Hack Chat video series brings back that around-the-watercooler discussion. Watch our debut episode here (10:13).

Avast Hack Chat: Episode 1 “Hello Friend” Program Notes

In episode 1 of Avast Hack Chat, host Ariana welcomes special guest, security researcher and software developer, Pedram Amini.

In the first half of the show, they discuss the pilot episode of USA Network’s new show, Mr. Robot. Ariana walks us through the highlights of the cyberthriller, and Pedram explains if these hacks are real-world or just Hollywood magic. You can also read our interview with Pedram on Are the hacks on Mr. Robot real?

One of the earliest hacking movies, War Games, starred Matthew Broderick as a young computer wiz who inadvertently finds a backdoor into the U.S. military’s central computer. The technology he used is intriguing even now, and Ariana and Pedram discuss this old-school method in the Time Machine section.

Back to current day, Pedram answers Ariana’s question about why the NSA would want to reverse engineer Avast software and if the I-have-nothing-to-hide attitude is the wisest one to take. You can also read what Avast’s CEO, Vince Steckler has to say on the subject on Avast CEO speaks out about U.S. and U.K. spy agencies.

Subscribe to the Avast Hack Chat YouTube channel and don’t miss a single weekly episode.

Shopping online just got a little more risky

One of the largest e-commerce platforms, Magento, has been plagued by hackers who inject malicious code in order to spy on and steal credit card data or any other data a customer submits to the system. More than 100,000 merchants all over the world use the Magento platform, including eBay, Nike Running, Lenovo, and the Ford Accessories Online website.

The company that discovered the flaws, Sucuri Security, says in their blog, “The sad part is that you won’t know it’s affecting you until it’s too late, in the worst cases it won’t become apparent until they appear on your bank statements.”

Minimize your risk for identity theft when shopping online

Data breaches are nothing new. The Identity Theft Research Center said there were 761 breaches in 2014 affecting more than 83 million accounts. You probably recall the reports of Sony, Target, Home Depot, and Chick-fil-A.

We have heard lots about what we as individual consumers can do to protect ourselves: Use strong passwords, update your antivirus protection and keep your software patched, learn to recognize phishing software, and be wary of fake websites asking for our personal information.

But this kind of hack occurs on trusted websites and shows no outward signs that there has been a compromise. The hackers have thoroughly covered their tracks, and you won’t know anything is wrong until you check your credit card bill.

So how do you minimize the risk of online shopping?

  • Use a payment service or your credit card – Experts agree that payment services like PayPal are safe because of their security practices and the encryption technology they use. Just don’t link it to your checking account. Link it to a credit card so you get your credit card’s fraud protections in addition to PayPal’s. If you only use a credit card, designate one card for online purchases so if something unusual happens, you don’t have to track down all your other cards.
  • Keep a paper trail – Once you place your order, print or save records of the transaction. Check your credit card statement to make sure transactions match and there were no unauthorized charges.
  • Avoid shopping while using public Wi-Fi – Unsecure public Wi-Fi hotspots do not give you any protection from hackers who want to monitor what you are doing online. It’s not difficult for someone to intercept and modify communications between you and another site. If you have to do it, then use a Virtual Private Network (VPN) so your communications will be encrypted.

What to do if you are caught in a data breach

  1. Get a new card – Either get a replacement card from the company or close your account.
  2. Change your passwords – If you have an account or have done business with any company that falls victim to a breach, then change your password ASAP. It’s a good idea to change all your passwords because hackers sell them to other cybercrooks.
  3. Monitor your bank and credit card statements – Don’t wait for your monthly statement to arrive in the mail. By then, a cybercrook could have done major damage. Check your online statement until your new card arrives. If you see any suspicious charges, report it immediately.
  4. Freeze your credit – You can request that your credit report be frozen by the three main credit bureaus: Equifax, Experian and TransUnion. This way, no one can access your credit report without your approval.

Trolls on Twitter. How to avoid them

“We suck at dealing with abuse and trolls on the platform”, said Dick Costolo, former CEO of Twitter, as he stepped down July 1, at the beginning of the year. This statement showed what any user of the social network already knew: that Twitter regrettably fails to control harassment.

A recent study carried out by Pew Research Center showed that 40% of the Internet users surveyed claimed to have been victims of cyber harassment. That is why one of the social network’s goals is to implement the tools needed so that users do not suffer abuse from those who hide behind anonymity to insult and attack others.

The most recent attempt from Twitter to minimize its impact was allowing users to share with their friends their lists of blocked tweeters. Thus, you can already block several trolls at the same time. Mass-blocking.

“You can now export and share your block lists with people in your community facing similar issues or import another user’s list into your own account and block multiple accounts all at once, instead of blocking them individually”, the social network explained on its blog.

To use this new feature to import and export lists of blocked users, tweeters who want to avoid harassment on Twitter just need to follow a few simple steps, starting from the ‘Blocked accounts‘ section of the settings on Twitter:

How to export a block list on Twitter

  1. In the ‘blocked accounts settings’, click on ‘advanced options’ and select ‘export your list’.
  2. Twitter will ask you to confirm which accounts you want to export. In this intermediate step, you have two options: select all the accounts that you have blocked with a single click or uncheck those that you don’t want to share.
  3. Once you have selected the accounts that you want to include in the file, click ‘Export’. This generates a .csv file that is downloaded automatically to your computer and which you can share with whomever you want.

How to import a block list on Twitter

  1. Before starting, you must have received from a contact the .csv file corresponding to their list of blocked accounts on Twitter.
  2. With the file already downloaded on your computer, go to ‘advanced options’, in the ‘blocked accounts settings’, and there select ‘Import a List’.
  3. In the pop-up, click on the paperclip icon on the option ‘attach a file’ to upload it. From there, you must select the .csv file you had downloaded.
  4. It will display the list of accounts blocked by the Twitter friend who shared the file with you. At this point you choose whether to block the whole list (with just one click) or to give some of them a chance. To do so, uncheck the accounts which you don’t want to block.
  5. Click on ‘Block’ to confirm your selection. The marked accounts on that list will automatically no longer be among the potential stalkers who someday may decide to attack you on Twitter.

With these simple tools, lists of blocked users can be shared very easily, so that Twitter users can clip the wings of several trolls simultaneously with hardly any effort (and on the recommendation of the contact who has shared their list with us).

The post Trolls on Twitter. How to avoid them appeared first on MediaCenter Panda Security.

45% of ex-employees continue to have access to confidential corporate data

With the current situation experienced by the labor market, it is essential for companies to take steps in order to maintain their security in face of the movements which may occur in their workforces.

Employees looking for a change of scene, suppliers who do not pay on time, debts impossible to pay off that force companies to go out of business. There are numerous reasons that may cause changes between the team members and companies should control what information is taken by those who are leaving and how much may be known by those arriving.

It seems that many companies don’t pay too much attention to this matter. There are few organizations that take the necessary precautions to prevent workers from taking with them information which belongs to the company or the passwords to access it. According to a study carried out by Osterman Research, 89% of the ex-employees keep the login and the password which gave them access to at least one of their former company’s services.

Of all the participants in the survey, 45% acknowledged that they continued to have access to sensitive or very sensitive confidential information and up to 49% claimed they had accessed some service after leaving the company. Therefore, organizations need to implement mechanisms and strategies that allow them to safeguard the privacy of their information from any changes in their workforce.

The most important thing is to take action before the employees leave. A basic requirement to avoid problems in the long term is to know all the accounts to which employees have access and, in addition, to register the credentials with which they can login to one service or another.

Without going any further, it would suffice to implement a single sign-on platform. A portal from which employees could access all the tools necessary to do their job, using their corporate email as user id. This way, if for any reason the employment relationship comes to an end, the organization will only have to delete that employee’s email to prevent the company’s information from falling into the hands of someone not related to the company.

In the event that the company has forgotten or discarded this first step, it can establish a procedure which employees must follow when they leave their jobs. In some cases this means security measures as simple as making sure ex-employees return the tools provided for their work, such as a computer, a smartphone or the card giving access to the office.

This is as far as the physical world is concerned. In terms of digital tools, companies must not forget to close any access their former employees might have to their corporate accounts. In addition, they must prevent them from entering, in any way, the services, applications and any other channels used by the company to enable its workers to operate as a team.
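One way to check that access really was closed, as an added example that is not part of the original article: the script reconciles an HR roster against account exports from each service and flags accounts still enabled for people who have left, logins dated after the departure, and enabled accounts that belong to nobody on the roster. The CSV layouts, service names and finding labels are assumptions, and the sample data is constructed.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from the article): an HR roster and a merged
# export of accounts from hypothetical services.
ROSTER_CSV = """email,status,termination_date
alice@example.com,active,
bob@example.com,terminated,2015-05-29
carol@example.com,terminated,2015-06-12
"""

ACCOUNTS_CSV = """service,login,enabled,last_login
sso,alice@example.com,true,2015-06-25
sso,bob@example.com,false,2015-05-28
crm,Bob@Example.com,true,2015-06-03
wiki,carol@example.com,true,2015-06-10
file-share,carol@example.com,false,2015-06-11
crm,sales-shared@example.com,true,2015-06-24
"""


def _parse_date(value):
    """Return a date for 'YYYY-MM-DD', or None for an empty field."""
    value = value.strip()
    return date.fromisoformat(value) if value else None


def load_roster(text):
    """Map normalized email -> termination date (None while employed)."""
    roster = {}
    for row in csv.DictReader(io.StringIO(text)):
        email = row["email"].strip().lower()
        left = _parse_date(row["termination_date"])
        # A leaver without a date cannot be audited; fail loudly instead of
        # silently treating the person as still employed.
        if row["status"].strip().lower() == "terminated" and left is None:
            raise ValueError(f"terminated without a date: {email}")
        roster[email] = left
    return roster


def audit_offboarding(roster_text, accounts_text):
    """Return sorted (service, login, finding) tuples that need action."""
    roster = load_roster(roster_text)
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_text)):
        # Services often store logins with different capitalization.
        login = row["login"].strip().lower()
        service = row["service"].strip()
        enabled = row["enabled"].strip().lower() == "true"
        last_login = _parse_date(row["last_login"])

        if login not in roster:
            # Shared or personal logins are invisible to an offboarding
            # process that is driven by the corporate identity.
            if enabled:
                findings.append((service, login, "UNKNOWN_OWNER"))
            continue

        left = roster[login]
        if left is None:
            continue  # still employed
        if last_login is not None and last_login > left:
            findings.append((service, login, "LOGIN_AFTER_EXIT"))
        if enabled:
            findings.append((service, login, "STILL_ENABLED"))
    return sorted(findings)


if __name__ == "__main__":
    for service, login, finding in audit_offboarding(ROSTER_CSV, ACCOUNTS_CSV):
        print(f"{finding:17} {service:10} {login}")
```

In the sample, the single sign-on account was disabled on time, but the CRM login created outside it stayed enabled and was used after the departure date.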

We must take one detail of this whole process into account: while a worker is part of the team and has the company’s trust, his actions cannot be controlled. That is why, as the Intermedia study revealed, 68% of the employees that took part in the survey claimed to have kept corporate information in one or another personal account in the cloud.

Employees who needed to check documents outside the office stored them in Dropbox, Google Drive or OneDrive. According to Michael Osterman, president of Osterman Research, “if an employee stores sensitive or confidential data in personal Dropbox or Google Drive accounts, then this data is potentially accessible by outsiders the day he or she becomes an ‘ex-employee’”.

For that reason, another recommendation is that organizations which can see their privacy compromised due to changes in their workforce should implement or hire their own cloud storage service. In this way, the company will always have access to that data and will prevent the employee who uploaded this information from accessing it if he leaves the team.

Furthermore, the management of the company should encourage employees to save the information there rather than leaving it on their computers, just in case on the last day, if they decide to erase everything they have stored, some sensitive information could disappear forever. In case they decide to act in this way, the company must also incorporate regular audits to check that everything goes as planned and all data is safe.

By following these recommendations, many companies could save themselves some headaches. With these guidelines they will not only prevent ex-employees from taking something that doesn’t belong to them, but also prevent the digital ghosts of people who once worked for the company from continuing to swarm through the platforms and services to which they once had access, sniffing around matters which no longer concern them.

The post 45% of ex-employees continue to have access to confidential corporate data appeared first on MediaCenter Panda Security.

Careful! Phishing Targeting Google Play Android Developers!

We have detected a phishing campaign targeting Android developers who are publishing their creations in Google Play, Android’s official app store. The from field in the email comes from “Play Developer Support”, with the subject “Update your Account Informations”, as you can see in the following screenshot:

phishing developers

If you click on the link provided, you are redirected to a website that looks like Google, although obviously it isn’t:

phishing gmail

Phishing attacks are designed to steal credentials and users’ identities, which is why they are so commonly aimed at customers of financial entities and all kinds of payment platforms. This case, however, is different in that the attackers are not looking to siphon money from the victim’s account: they want those credentials because they can use them to spread malware through Google Play.

The most worrisome thing is how easy it would be to automate all the process for criminals. You just need to:

  • Build a crawler (there are a number of open source projects to help out in this task) to download information of all apps published in Google Play.
  • Parse that information to obtain developers’ email addresses.
  • Send out a personalized phishing campaign; even the phishing page could be personalized for the specific developer so the “conversion rate” is better.
  • As the attacker has the information from the apps published by each developer, an alert system could be built to warn him each time a developer with a popular (millions of downloads) app has fallen into the trap.

From here, one of the easier (and less sophisticated) attacks would be to publish malicious apps using that account. Imagine that someone manages to steal the developer credentials of Candy Crush and publishes Candy Crush 2 on the developer’s behalf…

If the attackers were skilled enough and found a way to modify the developer’s current app without using the private key (which cannot be obtained with the stolen credentials), they could publish an updated version of any app. In the example above, imagine that the attackers create an update of Candy Crush with a hidden Trojan in it: hundreds of millions of users would download and install it without ever suspecting they are being compromised.

The post Careful! Phishing Targeting Google Play Android Developers! appeared first on MediaCenter Panda Security.

Weekend wrap-up: Cyber security news from Avast

Here’s your wrap up of security and privacy related news from the June 17 – 27 posts on the Avast blog:

 

It’s summertime in the Northern Hemisphere and many people are going on or planning their vacation. Beware of fake vacation packages and beautiful rental properties that are not as they seem. These Vacation scams can ruin your holiday, so read up before you become a victim.

More than 600 million Samsung phones were reported to be at risk because of a vulnerability found in the keyboard app SwiftKey. The best way to protect yourself is to use a virtual private network (VPN) when using an unsecured Wi-Fi hotspot. If you have a Samsung S6, S5, or S4, you need to read Samsung phones vulnerable to hacker attack via keyboard update.

As we learned from the Hola VPN service revelations, any old VPN service will not do. Hola was selling their users’ bandwidth and installing and running code on their devices without their knowledge or permission. Find out the details in Hola, Hola VPN users, you may have been part of a botnet!, and please share with an Hola user.

Mobile developer Martin Banas attended Apple’s Worldwide Developers Conference in San Francisco. Besides spending lots of time standing in lines, he enjoyed meeting other developers and hearing the latest news about OS X El Capitan and Apple Pay. Weren’t able to attend, but wish you could have? Martin’s conference report, Looking back at WWDC 2015, describes the event.

Remember the iCloud celebrity photo hack? There have been many theories bandied about since nude photos of female celebrities were posted on the web. We add our own two cents into the conversation. Avast security researcher Philip Chytry explains what he thinks the origin and motivation behind the hack was in iCloud celebrity photo hack: What’s happening?!

While the cybercrooks behind the iCloud hack have not been discovered, authorities had big wins this past week in other areas. The author and distributor of Blackshades malware was sentenced to nearly five years in a New York prison. A major cybercriminal organization responsible for banking Trojans Zeus and SpyEye was taken down. Read Businessman hackers brought down in USA and Europe.

More from the Edward Snowden files. It was revealed this week that U.S. and U.K. spy agencies were attempting to reverse engineer major antivirus companies’ software, including Avast’s. CEO Vince Steckler spoke to RT News about government spying in the computer age. You can read the article, Avast CEO speaks out about U.S. and U.K. spy agencies, and watch the interview here.

And if the real world of cybercrime is not enough, our favorite new show of the summer, Mr. Robot, debuted on the USA Network this past week. We excitedly watched the first episode, then talked to Avast security expert Pedram Amini to find out Are the hacks on Mr. Robot real? or just Hollywood magic.

Follow Avast on Facebook, Twitter and Google+ where we will keep you updated on cybersecurity news every day.

Businessman hackers brought down in USA and Europe

Cybercrooks run their organizations like businesses these days. They have multinational offices, marketing departments, business development, and technical support teams. Maybe they also need some security…

 Malware entrepreneur sentenced to 57 months in prison

One such malware entrepreneur, Alex Yucel, sold malware through a website that he operated, to other hackers. The Blackshades malware allowed hackers to remotely control their victims’ computers. They could do such things as log the victim’s keystrokes, spy through webcams, and steal usernames and passwords for email and other services. They could also turn their computers into bots which were used to perform Distributed Denial of Service (DDoS) attacks on other computers, without the knowledge of the victim.

Manhattan U.S. Attorney Preet Bharara said: “Alex Yucel created, marketed, and sold software that was designed to accomplish just one thing – gain control of a computer, and with it, a victim’s identity and other important information. This malware victimized thousands of people across the globe and invaded their lives. But Yucel’s computer hacking days are now over.” See the Department of Justice press release here.

Yucel sold the software for as little as $40 on PayPal and various black market forums. The profits from sales of the malware are estimated at $350,000. Yucel pleaded guilty to computer hacking and was sentenced to almost five years in a New York prison. Last year more than 100 customers of Blackshades were arrested in massive raids in Europe and Australia.

Cybercrooks business dismantled in Ukraine

In Europe, a joint investigation team brought down a major cybercriminal group in Ukraine. These high-level cybercrooks are suspected of developing, exploiting, and distributing well-known banking Trojans Zeus and SpyEye. The malware they developed attacked online banking systems in Europe and elsewhere. The damages are estimated to be over 2 million euros.

Their business was organized into specialty groups. Some ran a network of tens of thousands of computers, others harvested victims’ banking credentials such as passwords and account numbers, and others laundered their ill-gotten gains through money mule networks. This group of cybercrooks also had a marketing team that advertised on underground forums, sold their hacking services to other cybercrooks, and had a business development department seeking cooperation partners.

It took investigators and judicial authorities from six different European countries, supported by Eurojust and Europol, to stop this major cybercrime organization.

“In one of the most significant operations coordinated by the agency in recent years Europol worked with an international team of investigators to bring down a very destructive cybercriminal group,” said Rob Wainwright, Director of Europol.

Avast CEO speaks out about U.S. and U.K. spy agencies

For as long as there have been governments, there have been spy agencies, and for as long as there have been spy agencies, they’ve done spying. Spy agencies are always looking for ways to get information. Information is valuable, always has been, always will be. ~Avast CEO Vince Steckler

New documents from the many that were leaked by former US intelligence analyst Edward Snowden were published this week in The Intercept. They reveal that the U.S.’s National Security Agency (NSA) and its British counterpart, Government Communications Headquarters (GCHQ), spied on security companies including Avast, AVG, Kaspersky Lab, and Antiy. The spy agencies seem to be targeting non-American security companies: Avast and AVG are based in Prague, Czech Republic; Kaspersky is based in Moscow, Russia; and Antiy is Chinese. Together, these companies have nearly a billion users. No U.S.- or U.K.-based companies were included in the list.

“Geopolitically, it makes sense that the NSA and GCHQ are targeting products that are prevalently used by foreign governments, like Kaspersky in Russia or CheckPoint in Israel,” said Steckler in an interview with RT News. “On the flip side, Russian or Chinese spy agencies may be similarly targeting products that the American government heavily uses, for example Symantec and McAfee. We’re hearing just one side of the story.”

Reportedly, the NSA and GCHQ experts reverse engineered the antivirus software in order to exploit it and prevent detection of their own activities.

“It is difficult to tell if the NSA, the GCHQ, or other government agencies have ever tried to reverse engineer our software,” said Steckler. “Even if they did, they would only be able to do so on the client side, which includes simple pattern detection. However, they could not reverse engineer our backend, which includes our sophisticated machine-learning classification.”

The documents also say that the organizations recommended monitoring customers who reported malware “to see if they’re into more nefarious activity.”

While some companies most likely partner with the governments in their home countries, that’s not something Avast does.

“The fact that the NSA may be targeting us – while some major U.S. and British security companies are left out from their list proves that we don’t work with the NSA and GCHQ,” said Steckler. “Ones not on the list quite likely provide their source code and thus there is no need to reverse engineer. Our commitment to our customers is to provide protection from all forms of spying.”

Mr. Steckler spoke to RT News, a Russian television network, about the new revelations. Watch the interview now.

Do you accept app permissions without reading them? You should be more careful!

A smartphone is nothing without its apps. Looking around the apps store is something we do quite frequently, either by necessity or to see what’s new or which game is most popular. And probably, while you are there browsing you end up downloading one or two.

That’s when Android users have to accept certain permissions for their new application. Apple users approve these permissions the first time they use the app or certain features.

Applications request access to certain data and features of your device. As expected, maps apps ask for permission to use GPS and locate your device. However, most applications ask for more permissions than they should, which means that we are taking a few risks just by accepting them.

One of the most shocking examples is flashlight apps. To use them you don’t need to sign in, and they are free. However, when installing the app we have to accept permissions which have nothing to do with the app’s purpose, such as knowing our location from GPS data, taking pictures, recording audio or even reading our text messages.

App Permissions – Read before accepting

Facing that avalanche of totally unnecessary permissions, the best thing users can do before installing an application is to look closely at what information the app wants to access.

Most of the time, these permissions do not respond to a real need for the application to function, but serve to create an advertising environment adapted to the user’s location and interests. Hence a flashlight wants access to GPS, or a QR code reader asks permission to view your browsing history and your bookmarks.

Users take several risks when they systematically accept these permissions. On the one hand, they are letting developers know their location or their Internet habits, and the final destination of this information is not clear at all.

But the situation may be much more serious if there is a security hole in the application itself that allows cybercriminals to access your smartphone through these permissions.

So, giving full access to Internet could result in cybercriminals taking advantage of the connectivity to download malware to your device or to steal passwords transmitted through Wi-Fi.

However, security breaches and cybercriminals are not the only risks that a user may face when approving the requested permissions. In fact, they are not even the most common. The major risk is users handing over their data to apps development companies, and these companies end up sending their users’ private information to analysis or advertising companies.

These permissions can also lead, in the case of downloading malicious applications, to scams related to calling services and premium messages, which do not provide any service for the user but charge exorbitant prices for each message.

Finally, when you download and install an application, the best thing you can do is to stop and analyze if the permissions required are necessary and, especially, if the developer can be trusted.

Checking this before approving permissions willy-nilly can avoid any surprises, or at least, our data falling into anybody’s hands.

The post Do you accept app permissions without reading them? You should be more careful! appeared first on MediaCenter Panda Security.