Tag Archives: Internet Security

Internet giants join forces to reinforce email security with a new protocol

Gmail recently announced that they have approximately one billion active users per month. That has made it possible for their other services like Android, Maps, YouTube, Chrome, and WhatsApp (owned by Facebook) to become widely popular.

Now, Google has another purpose: to make our emails safer. Google, Microsoft, Yahoo, LinkedIn, 1 & 1 Mail and Comcast (the leading provider of cable television in the United States) have joined forces to develop a new email protocol.

These companies have submitted a proposal to improve email security to the Internet Engineering Task Force (IETF), an organization that ensures that the network functions properly. The group of experts from these companies has proposed a new protocol, SMTP STS (Strict Transport Security). But what’s the benefit of making it a standard?

In 1982, the world began using the Simple Mail Transfer Protocol (SMTP). This protocol sent all messages in plain text and did not include measures to prevent a cyber-criminal from intercepting emails. In 2003 they presented SMTP STARTTLS to help improve security. With it, SMTP connections are secured by using the TLS protocol (Transport Layer Security) to encrypt messages. However, STARTTLS presents a security flaw: this protocol allows messages to be sent even though the server’s identity cannot be verified.

STARTTLS is vulnerable, especially to “man-in-the-middle” attacks, where the cyber-criminal is able to spy on messages sent between the mail’s sender and receiver without them knowing. For example, an attacker could convince the client that the server does not use SSL or could present a fake digital certificate, and by doing so, they could intercept emails.

Google just launched the new SMTP STS standard to prevent a cyber-attacker from committing these crimes. With this, all emails are encrypted when sent and no cyber-criminals can spy on the communications channel. This protocol is similar to HTTP Strict Transport Security (HSTS), designed for the server and the web browser to interact using only secure communications.

The new system checks if the recipient uses SMTP STS and if they have a valid and updated certificate of encryption. This ensures that the email is being sent through a secure server. If there is a flaw, it will be detected before the email even leaves the outbox. In the case of a flaw, the email will not be sent and the sender will be informed why. Using this protocol, we can prevent a cyber-attacker from spying on us.
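The difference between the two behaviours described above can be modelled in a few lines. This is an added example, not code from the proposal or from any mail server: it is a simplified decision model, not the wire format of SMTP STS, and `ServerView`, `deliver_opportunistic`, `deliver_strict`, the host name and the scenarios are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ServerView:
    """What the sending mail server observes for one delivery attempt."""
    advertises_starttls: bool                 # was STARTTLS listed in the EHLO reply?
    cert_names: tuple = ()                    # host names in the presented certificate
    cert_not_after: Optional[datetime] = None
    chain_trusted: bool = False               # does the chain lead to a trusted CA?


def tls_problem(view, mx_host, now):
    """Return None if an authenticated TLS session is possible, else the reason."""
    if not view.advertises_starttls:
        return "STARTTLS not offered"
    if not view.chain_trusted:
        return "certificate chain not trusted"
    if view.cert_not_after is None or view.cert_not_after <= now:
        return "certificate expired"
    if mx_host.lower() not in (name.lower() for name in view.cert_names):
        return "certificate name mismatch"
    return None


def deliver_opportunistic(view, mx_host, now):
    """Plain STARTTLS: the message goes out even if the server cannot be verified."""
    if not view.advertises_starttls:
        return ("sent", "plaintext")
    problem = tls_problem(view, mx_host, now)
    if problem:
        return ("sent", "encrypted, server identity unverified: " + problem)
    return ("sent", "encrypted and authenticated")


def deliver_strict(view, mx_host, now, recipient_requires_tls):
    """Strict mode: if the recipient domain demands TLS, any flaw stops delivery."""
    if not recipient_requires_tls:
        return deliver_opportunistic(view, mx_host, now)
    problem = tls_problem(view, mx_host, now)
    if problem:
        return ("not sent", "sender notified: " + problem)
    return ("sent", "encrypted and authenticated")


# Constructed sample data (not captured traffic).
MX_HOST = "mx.example.net"
NOW = datetime(2016, 4, 1, tzinfo=timezone.utc)
VALID_UNTIL = datetime(2017, 1, 1, tzinfo=timezone.utc)
SCENARIOS = {
    "honest server": ServerView(True, (MX_HOST,), VALID_UNTIL, True),
    "STARTTLS missing from EHLO reply": ServerView(False),
    "untrusted certificate": ServerView(True, (MX_HOST,), VALID_UNTIL, False),
    "expired certificate": ServerView(
        True, (MX_HOST,), datetime(2016, 1, 1, tzinfo=timezone.utc), True),
}


def compare():
    """Map each scenario to (opportunistic outcome, strict outcome)."""
    return {
        name: (deliver_opportunistic(view, MX_HOST, NOW),
               deliver_strict(view, MX_HOST, NOW, recipient_requires_tls=True))
        for name, view in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, (opportunistic, strict) in compare().items():
        print(f"{name}\n  opportunistic: {opportunistic}\n  strict:        {strict}")
```

In every scenario except the honest server, the opportunistic sender still hands the message over, while the strict sender holds it and reports the reason.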

According to Google’s latest data, 83% of the messages sent from Gmail to other providers, and 70% of those sent from other providers to another service, are already encrypted using TLS. The protocol aims to increase the privacy of our emails. But for now, the new SMTP STS is only a proposal that the IETF has six months to test. The fact that these tech giants have already developed this project suggests that it may be a reality soon.

At the very least, it is always advisable to have some service that protects your company’s mailbox traffic against “malware” and “spam”. This matters especially because emails contain a large amount of confidential data, even more so in the corporate field, which makes email privacy extremely important.

The post Internet giants join forces to reinforce email security with a new protocol appeared first on Panda Security Mediacenter.

Your favorite sites don’t use a secure connection

This whole FBI-Apple debate has the technology world up in a frenzy about national security vs. personal security. Apple’s refusal to give up classified information to a government agency tells us something about the current state of our online safety, and lots of tech companies are stepping up to fight for our privacy.

Recently, Google conducted a study to see if the most-popular websites follow something called HTTPS Protocol.  HTTPS (the added ‘S’ for secure) provides authentication of a website, ensuring its credibility for its users by encrypting the communication on its server.  This makes it so that important data like our usernames, passwords, or personal messages cannot be intercepted; kind of like having our own online-bodyguard who lets us know when we are browsing a trusted site.

The results of the study could not be more discouraging.

From the one hundred sites studied, 79 do not use HTTPS by default and 67 use an obsolete encryption technology, aka no security method at all.  “According to our calculations, the list of web sites that we have presented constitute about 25% of all global traffic”, a Google spokesperson stated.  Does this mean that these ultra-popular sites don’t worry about our online security?  It sure seems that way.

What’s even more shocking is the prestige of these sites; among them are pages like The New York Times or CNN, e-commerce platforms like eBay or Aliexpress, and well-known industry leaders such as Softonic. Google has declared war on these non-users (its search indexes sites that use HTTPS, and the rest are crossed out with a red x in the Chrome address bar) and offers tools so that any developer can easily implement this protocol. This Mountain View company believes in “[making] the Web a safer place not only for Google users, but for everyone in general.”

Implementing this technology to add that ‘additional layer’ of security is extremely easy. Maybe the reason companies aren’t using this protocol is due to a lack of interest rather than a technical issue. Until recently, it took time and effort to develop a site with HTTPS but now there are platforms that facilitate the necessary certificates, for free.

Thankfully we have Google leading the crusade in making the Internet a safer place.  Let’s continue to do what we do from the comfort of our laptop, like filling up that online shopping cart or making that bank transfer, but make sure to protect yourself.  Always check for that extra ‘S’ and use a dependable antivirus service, like Panda, who will help you do it safely and smoothly.

The Internet of Things: Pacemakers

Fit-bracelets, smart-watches, and other wearable technology have joined the “Internet of Things”, everyday objects that collect and exchange information (think: vehicles, smart thermostat systems, and any other device with online capabilities). But did you know that there are much more advanced health-monitoring devices out there?

The high-tech pacemakers made today have a ton of benefits, especially for patients who require constant checks and intensive control of their health. These machines have connections that allow them to exchange information with the hospital staff and doctors, as well as the machine’s vendor. Although the pacemakers are not always active, these connections are used to configure and set the parameters of the devices, to remotely monitor their activity, and to transmit the data to their carrier. So, what could be the downside?

Can a pacemaker be hacked?

Well, with any connected device we need to consider if and how it may be hacked.  Some researchers and ethical hackers have begun to work in this field to find potential vulnerabilities, but it hasn’t been easy. Manufacturers do not want to give details on the design nor on the specifications of the running software, making it difficult to follow through with research.

So what do we know so far? In 2008, a team of researchers from Archimedes Center for Medical Device Safety at the University of Michigan in the United States confirmed that these pacemakers can be hacked, making it possible to extract personal information from the devices or modify their configuration, putting the patient’s life in jeopardy.

It was rumored that a well-known hacker named Barnaby Jack developed software to hack pacemakers, making it possible to kill anyone wearing one (no matter the distance). He died shortly before he could prove it at the Black Hat conference in Las Vegas. Whether a pacemaker can be controlled through an internet connection, regardless of distance, remains an open question: there is still no published research that confirms or disproves it.

The most recent research has been done by PhD research scientist and security expert Marie Moe.  She has embarked on a new project to analyze the risks and weaknesses of these devices (pacemakers and other wearable technology in medicine) with the help of other professionals in the sector. Moe became very involved in the project after realizing the risks of her own pacemaker.

The aim of her project is to prove that these products are not always safe for patients, regardless of constant development.  Moe hopes her research will help prevent future attacks and allow manufacturers to fix any possible security errors on their devices.  Recently, the FDA has warned of vulnerabilities found in drug injection pumps, which administer controlled amounts of medicine at certain rates to patients.  The cracks in its system allow for unauthorized firmware updates; in theory, a hacker could alter the software and configure the machine however they want, even if that means setting the drug doses to lethal levels.

Keep in mind:

Information is free, protecting yourself is cheap, but no one can afford to lose a loved one because of a damaged device.

They’ll hack your Android in T Minus 10 seconds

The word that scared all Google users last summer is back and worse than ever. Stagefright, nicknamed Metaphor by its founder, is even more dangerous in its new version.

Much like its name’s meaning, Stagefright hides deep in the Android library, unnoticeable to Android users as they watch videos of cute puppies and crafty DIY hacks, all the while exposing themselves to its vulnerabilities.

How many devices are affected?

Now in its second swing, these Stagefright vulnerabilities have already affected hundreds of thousands of Android devices through holes in the multimedia library. More specifically, they have even affected those who use versions 5.0-5.1 (23.5% of affected Androids) and some using versions 2.2 and 4.0 (unsafe due to old terminals that had been exposed to previous viruses).

Google fights back

After the bugs’ discovery, Google implemented a series of bug-fixes and other security measures, even creating its own group of vulnerabilities to counter the attacks. Upgrades and patches were set up to make it more difficult for Stagefright to infiltrate an Android in a real attack.

Unfortunately, Metaphor has been able to dodge these protection mechanisms that were added to the more modern versions of Android. With this new exploit, as their own creators have shown, Stagefright can easily control devices as diverse and modern as the Nexus 5, Samsung Galaxy S5, LG G3 or HTC One.

So, how exactly does Stagefright break in?

Sneakily. The user does not even need to be using their smartphone during an attack. In the case of Stagefright, the attacker can gain access through a particular website (e.g. through a malicious video link received by email or MMS). In a proof of concept, an email with a corrupted video link promoting videos of kittens leads to a page actually containing this material. The recipient has no way of knowing that, while the video is rendering, their Android is also being attacked. It can take as little as 10 to 15 seconds for the cyber-criminal to have control of their victim’s terminal.

Metaphor’s strategy is not exactly new. It largely relies on the attacks that were released last summer, when the holes were first discovered. However, today’s danger lies in Stagefright’s ability to bypass ASLR, which is the barrier Google raised in all versions of Android after 4.1. The problem is that this new threat binds itself not only to older devices but also to more modern ones. Even those who have Android’s Lollipop 5.1, which represents about 19% of all Android smartphones, are not safe.

No matter what, the best way to protect your Android against the risks associated with Stagefright is to keep your operating system as up-to-date as possible and install a good antivirus. If your phone has been left out of the recent updates, take caution: you should not browse pages unless they are fully trusted. Even those that promise photos of adorable and fluffy kittens.

IOC: a buzz word and a hot topic, but do we really know its capabilities?

In order to secure and maintain an IT infrastructure, it is vital to know what is going on in the network that the Endpoint is running on. This means that managers and other stakeholders need to know if something unusual is happening within the corporate network. When we use the word “unusual” we mean any potential threat or suspicious activity that may have happened or is currently happening within the company infrastructure.

Until now, the main service that most security-intelligence businesses could offer us was a subscription alerting us of the latest threats, malware, IPs and URLs with malicious intent; etc.  Adding this information to an infrastructure’s perimeter security system has allowed engineers to proactively plan and prepare, and has helped them to detect and prevent any threats their company may otherwise be susceptible to. In the IT industry, these updates are very common and companies will not hesitate to pay a certain amount in exchange for the latest updates offered.

With this service, it’s easy to prevent malware vulnerabilities but can we fully protect our infrastructure? The answer is yes, but the value of these services is high and the lifetime of their deliverables, in general, is very short.  So, what can we do to boost our protection?

The next generation in threat detection.

Every day, security analysts piece together different events related to new threats. When it comes to cyber-security, these analysts need a faster way to share information regarding the incident and must have the fastest response time possible. These incidents can be a simple observable (an IP, URL, a hash…), or can be more complex, requiring advanced analysis and reverse engineering. When all of these patterns have been assembled, the result is what we call an Indicator of Compromise (IOC). This may sound foreign to most of us, but security analysts should be familiar with the concept of an IOC and all of its capabilities.

So what exactly is an IOC?

In computer forensics, an IOC is an activity and/or malicious artifact identified on a network or an Endpoint.  We can identify these IOCs and can thus improve our abilities to detect a future attack.

Seems simple, right?

If we focus on their use cases, an IOC can describe anything from a list of indicators to a full cybersecurity incident, for analysis, research and/or response, and can answer the ‘What, Who, Why, How, Where and When’ of the incident. Some of these use cases might be:

  • Inbox e-mails with falsified information (phishing)
  • Malware behavior patterns
  • Discovery of a specific vulnerability and actions to combat it
  • The distribution of a list of IPs related to Command and Control
  • Sharing policies and patterns of behavior related to a certain incident (automatically or manually) so they can be used by third parties.

We can also use a list of standards to discover the IOC based on its needs (e.g., subsequent detection, characterization or sharing).

This was a brief introduction to IOCs.  We will continue to investigate this issue in the articles we publish in the future and our goal is to help security analysts understand more about the following:

  • What standards currently exist to help us find IOCs? State of the art, benefits, Use Cases…
  • How can we characterize an Indicator of Compromise?
  • How are we able to share Indicators of Compromise?
  • IOC Accuracy: Quality, life-time…

10 things we learnt from viruses of the past

A very special museum has just opened its doors, albeit virtual ones. The gallery is online and its works aren’t paintings, nor sculptures, nor antiques: they are pieces of malware that during the 80s and 90s attacked the now defunct operating system MS-DOS (remember that?!).

The collection is hosted on the pages of the Internet Archive, the largest online library, and allows us to travel back in time to an era in which viruses were a new thing. As always, looking back on the past can help us learn in the present, even when it comes to IT security, as it helps us to see errors, solutions, and even tricks that we can apply to our present work.

Before stepping foot back in time, let’s reassure ourselves – the malware in this museum has been disabled by experts and can’t cause any harm now! Enjoy the journey without any fears over adverse effects.

So, here are things that we have learnt from the Malware Museum:

Viruses have existed for a long time…

It seems obvious, but younger people often forget how long different technology, and the associated risks and threats, have been around for. Malware has been infecting personal computers for the past 30 years, ever since the pioneering Brain for MS-DOS was developed by two Pakistani brothers. Of course, back then the objective of the malware was quite different.

… but shady business is a lot more recent.

Cybercrime mafias who today reap the benefits of data theft and computer kidnapping didn’t exist back then. The creators of viruses were introverted types who did it as a hobby or for fun, without the aim of a financial gain.

Malware wasn’t always so bad…

This is because money wasn’t at stake. By not looking for a profit with their creations, but rather personal satisfaction or infamy, the viruses were a lot less damaging for their victims. This, of course, doesn’t mean that they weren’t an annoyance all the same!

… but they were still pretty destructive

In fact, a lot of the malicious programs from the 80s and 90s that we can see in the Malware Museum left the infected computer unusable. They deleted the hard drive, placed a screen that was impossible to exit from, made working a nightmare… every annoyance possible. They may have had more innocent intentions, but they were still malware all the same.

It was easier to know if you were infected

Now the main objective for attackers is to go unnoticed by the victim, with it being a success for cyber-attackers if you don’t realize that there is a malware on your computer. However, in the past, the goal was to be as obvious as possible. Alarming sounds, bright colors, crazy animations… if you were a victim, it was impossible not to know about it. Nowadays it’s a totally different story.

Hackers were very creative…

In the effort to be noticed, many malware developers went full-on arty with their creations. In fact, many of the viruses that we can find in the museum could easily be used as screensavers.

… they also had a sense of humor

Overall, it seemed to be a game for them, and sometimes it literally was. One of the most unusual programs turned the victims’ computers into casinos. The victim had five chances to recover the information on the hard drive by playing a slot machine – if luck wasn’t on your side, you had a visit to a service technician waiting for you.

Viruses were a form of activism

Some malware developers used their works to defend causes in what we could consider a form of “hacktivism”. In this museum we can see, among other things, calls for a more equal world (praiseworthy, were it not a virus) or for the legalization of marijuana. There are even examples of fervent patriotism.

Famous films were a goldmine

If there is one thing which hasn’t changed over the years it has to be the old trick of taking advantage of big events (such as the release of a famous film) to make a larger number of victims download malware without knowing it. Recently, cybercriminals have used the release of Star Wars: The Force Awakens, but in the past there was already a virus that referenced the famous intergalactic saga. In the museum we can also find a malicious program that paid homage to The Lord of the Rings.

The most important lesson: an antivirus has always been necessary

And it always will be. While there are viruses, users can only be safe if a good antivirus is there to protect them. Paradoxically, one of the malwares that we can see in the Internet Archive collection reminds us of this. So, there you have it – nearly all of the lessons that we must apply to the present have come from the past, you just need to know how to look for them.

Why we should pay more attention to our Download folder

How many files have you got resting in your computer’s download folder? It’s normal that it gets filled with installation apps from all the different programs that we download from the Internet and then forget to delete. Although this seems harmless at first, what is certain is that it could lead to some serious problems for your computer.

A recently detected vulnerability in the Java installation program, a platform that many applications and websites need to function correctly, has put this seemingly innocuous area at risk.

The Java software needs to update itself periodically with new versions so as to be able to maintain the performance and security of the tools that it helps to run.

Its distributor, Oracle, has warned of a security issue that affects the installation programs of the platform’s 6, 7, and 8 versions. The company has therefore advised its users to delete these programs from the download folder and replace them with new ones if necessary.

The reason given is that the installation software is designed to automatically search and load a set of files that are included in the installation pack (including its own .exe file) and to then store them in the same folder.

This procedure, which all installation programs carry out, shouldn’t pose a risk to your computer, as the majority of folders where they are stored aren’t vulnerable to attack. However, the “Downloads” directory is able to be modified.

If a cybercriminal manages to add this type of file (known as a Dynamic Link Library, or DLL), loaded with malware, to the folder, the installation program will run it when the user wants to install Java for the first time, or if they manually update the tool by downloading a new installation program.

An added risk is that many browsers are set up to automatically download certain files, even if they don’t run later. Via an infected website, the attacker could use this feature to hide malware in the download folder without the user knowing about it. The files with malicious software would then be ready to be executed by the installation program.

Deleting your browsing history would only help to eliminate the websites that you’ve visited, but not the programs that are already stored. Therefore, it is recommended that you delete the documents and software from your download folder every so often.
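A quick way to check a download folder for the situation described above is to list the DLL files sitting directly next to installers, since an installer looks in its own directory first. This is an added example, not Oracle's or Panda's code; `audit_downloads`, the verdict labels and the sample file names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

INSTALLER_SUFFIXES = {".exe", ".msi"}
LIBRARY_SUFFIXES = {".dll"}


def sha256_of(path):
    """Hash a file in chunks so large installers do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_downloads(folder):
    """Report installers and loose DLLs directly inside `folder`.

    Only the top level is scanned on purpose: an installer started from the
    folder searches that same directory, not its subfolders.
    """
    installers, libraries = [], []
    for entry in sorted(Path(folder).iterdir()):
        if not entry.is_file():
            continue
        suffix = entry.suffix.lower()          # Windows names are case-insensitive
        if suffix in INSTALLER_SUFFIXES:
            installers.append(entry.name)
        elif suffix in LIBRARY_SUFFIXES:
            libraries.append({
                "name": entry.name,
                "size": entry.stat().st_size,
                "sha256": sha256_of(entry),    # for lookup before deleting
            })
    if libraries and installers:
        verdict = "high"      # a DLL is already next to an installer
    elif libraries:
        verdict = "review"    # a DLL is waiting for the next installer download
    else:
        verdict = "clean"
    return {"installers": installers, "libraries": libraries, "verdict": verdict}


def build_constructed_folder():
    """Create a throwaway folder with constructed sample files for the demo."""
    root = Path(tempfile.mkdtemp(prefix="downloads-demo-"))
    (root / "example-runtime-setup.exe").write_bytes(b"MZ constructed installer stub")
    (root / "VERSION.DLL").write_bytes(b"MZ constructed library stub")
    (root / "holiday.jpg").write_bytes(b"not executable")
    (root / "old").mkdir()
    (root / "old" / "helper.dll").write_bytes(b"MZ nested library stub")
    return root


if __name__ == "__main__":
    report = audit_downloads(build_constructed_folder())
    print("verdict:", report["verdict"])
    print("installers:", report["installers"])
    for library in report["libraries"]:
        print("loose DLL:", library["name"], library["sha256"])
```

Point `audit_downloads` at the real download directory to use it; a verdict other than `clean` means the listed DLLs should be examined and the folder emptied before any installer is run from it.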

“Though considered relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user’s system”, says Eric Maurice, Head of IT Security at Oracle.

Google to offer rewards to users who follow its security advice

Even though it’s for our own good, we are still struggling to follow classic security recommendations when surfing the Internet. We know how to create a secure password and the best way to avoid IT attacks and theft, but we don’t always put these tips into practice.

To ensure that web users are up-to-date with the latest security measures available, Google has decided to motivate them with a gift: all users who look after the security of their account will receive 2 GBs of storage on Drive.

The initiative, which was launched by the company to celebrate International Safer Internet Day, is actually rather simple:  all anyone needs to do is check the security of their Google account via this website and they’ll get more space on the cloud.

In just a few minutes, users can test the configuration of the two-step verification process, the information necessary to recover the account, and the applications that have permission to access it.

That means that, apart from testing the key elements for a secure account, users will enjoy extra storage space on the cloud. However, it isn’t the only thing that Google has up its sleeve to keep web users safe and interested in their own security.

Locks and question marks

The owners of the popular search engine have decided to be brutal in showing us that not all services are as secure as theirs. As Gmail encrypts the content of sent emails, a small open lock will be shown every time that it isn’t possible to encrypt them, something which will happen when the platform used by the receiver doesn’t permit it.

Also, Gmail will now display a question mark in place of the photo that shows who has sent us an email. It will only do this if it isn’t possible to verify the email address of the person we are talking to.

However, this doesn’t mean that every email that Gmail users receive with the above features will be dangerous, but just that we should take extra caution before opening them.

What’s certain is that Google wants us to take the security of our data more seriously, and this time it’s going to offer us incentives to do so. Just remember, every little bit helps when it comes to staying safe on the Internet.

10 memory tricks for creating safe and easy-to-remember passwords

You’re probably sick of hearing how important it is to follow certain steps when creating passwords, but we assure you that it really is vital to keep them in mind. We also recommend that you change them every so often, that you don’t use the same one for various accounts, and that they aren’t related to anything personal about you (birthday, favorite football team, pet, etc.).

This is all common sense and we won’t stop reminding you, but we are also aware that remembering so many different, complex passwords is difficult. Because of this, we have some little tricks to share with you that will help you remember all of those tough-to-guess passwords!

1. Think of a sentence

Think of a saying or sentence that means something to you and, if possible, only you. It shouldn’t be too short, as it shouldn’t be easily guessable, nor so long that you forget it. If it contains upper and lower case letters, great. Symbols? Even better. “In the local pub the beers are €4”, for example. Now, take the first letter from each word and you get “Itlptba€3”, which is a good password. If you can’t think of anything maybe use the title of your favorite song, for example.

2. Combine two words

Choose two words (again, best if they only mean something to you) and make a different word by mixing up the letters. If you have chosen “Beards” and “Lighters”, the base for your new password will be “BLeiagrhdtsrs”. It doesn’t contain any numbers or symbols, but you can easily strengthen it by following some more examples that we’ll tell you about below.

3. Turn vowels into numbers

This is a trick that cybercriminals already know about, but it could work well as an extra to a different password method. Taking the previous example, our password “BLeiagrhdtsrs” becomes “BL314grhdtsrs”. Adding a few symbols would make it perfect to use.

4. Remove the vowels

Instead of replacing them with numbers as in the previous example, we can remove the vowels completely. If we use our invented word “BLeiagrhdtsrs”, the password would turn out to be “BLgrhdtsrs”. Just be sure to add some extra numbers and symbols to make it even more secure.

5. The keyboard trick

Once again, this one consists of removing something. First of all, choose a sequence of numbers that is easy to remember (a postal code, for example), so imagine that we end up with 28921. Now, look for the numbers on the keypad and instead of using numbers, use the letters just beneath them: “2wsx8ik9ol2wsx1qaz”. To make it a little more complicated, you can change one of the characters for a symbol and put some into upper case.

6. Mix a number and a word together

This one is easy, so let’s imagine we use the word “Beards” and the number “28921”. So if we join them together, one letter and number at a time, and in reverse, we end up with “B1e2a9r8d2s”. All that’s missing is a symbol and you’re good to go.

7. Use the account as a base

Using the same password for various accounts and websites is a terrible idea, but a simple trick could turn your go-to password into one that could work for different accounts. For example, if you want to sign up to Facebook you could add “FB” to the start or end of the password. You could also try a variation of the website’s name by mixing upper and lower cases, symbols, and numbers until you have a password that you like. If we stick with the examples from above, we would end up with these two versions:

ElbdJptga3€_FB

F4c3b00k_ElbdJptga3€

8. Roll a dice

This system is a little more elaborate, but if an 11-year-old girl can do it, there’s no reason why you can’t. The method used, known as Diceware, generates completely random passwords – which are very strong and secure – using dice rolls and a list of words. You can check it all out here and see what you think.

9. Sudoku style

This will involve you getting creative, so grab a pen and paper and draw a 6×6 square, with random numbers in each of the blocks. Now think of how you move your finger on your phone’s screen when unlocking it, and move your fingers over the Sudoku that you’ve just drawn. The numbers that you’ve just traced over will form the basis for your password, which you can add some letters and symbols to.

This might just be the best method on the list. If you change the numbers that you have placed in the blocks, the same movement with your finger will give you a new code. So by just remembering the movement and keeping the innocent looking piece of paper, you’ll have an infinite source of passwords.

10. Final tip: don’t follow the crowd

Some attackers aren’t just clever, but they also dedicate a lot of time to thinking about how to guess passwords. They know all of these methods, so your ability to out-smart them depends on how you combine the different letters or numbers that form the base of your password. So, try to think a little outside the box, as the more unconventional your password, the harder it is for them to guess it.

10 Tips to Prevent Phishing Attacks

As you know, phishing is a technique that involves tricking the user into thinking they are on a trusted site, in order to steal confidential information, passwords, etc.

So far the hackers have used emails to launch this type of attack, but with the widespread use of social media networks and smartphones with internet access, the types of attacking are multiplying.

These emails include a link that takes the user to what looks like a trusted website, but is a mere imitation that deserves no trust at all.

Thus, overconfident users who do not have adequate antivirus protection could be caught up in attacks that aim to steal personal data.

And because of the economic crisis which is unfortunately affecting several countries, phishing attacks are attracting people with the promise of a great job or an easy way to get money.

The question is … How can we prevent this type of phishing attack? 

10 Tips to Prevent Phishing Attacks

1. Learn to Identify Suspected Phishing Emails

There are some qualities that identify an attack through an email:

  • They duplicate the image of a real company.
  • Copy the name of a company or an actual employee of the company.
  • Include sites that are visually similar to a real business.
  • Promote gifts, or the loss of an existing account.

2. Check the Source of Information From Incoming Mail

Your bank will never ask you to send your passwords or personal information by mail. Never respond to these questions, and if you have the slightest doubt, call your bank directly for clarification.

3. Never Go to Your Bank’s Website by Clicking on Links Included in Emails

Do not click on hyperlinks or links attached in the email, as it might direct you to a fraudulent website.

Type in the URL directly into your browser or use bookmarks / favorites if you want to go faster.

4. Enhance the Security of Your Computer

Common sense and good judgement are as vital as keeping your computer protected with a good antivirus to block this type of attack.

In addition, you should always have the most recent update on your operating system and web browsers.

5. Enter Your Sensitive Data in Secure Websites Only

In order for a site to be ‘safe’, it must begin with ‘https://’ and your browser should show an icon of a closed lock.

6. Periodically Check Your Accounts

It never hurts to check your bank accounts periodically to be aware of any irregularities in your online transactions.

7. Phishing Doesn’t Only Pertain to Online Banking

Most phishing attacks are against banks, but attackers can also use any popular website, such as eBay, Facebook, PayPal, etc., to steal personal data.

8. Phishing Knows All Languages

Phishing knows no boundaries, and can reach you in any language. In general, they’re poorly written or translated, so this may be another indicator that something is wrong.

If you never go to the Spanish website of your bank, why should your statements now be in this language?

9. Have the Slightest Doubt, Do Not Risk It

The best way to prevent phishing is to consistently reject any email or news that asks you to provide confidential data.

Delete these emails and call your bank to clarify any doubts.

10. Check Back Frequently to Read About the Evolution of Malware

If you want to keep up to date with the latest malware attacks, recommendations or advice to avoid any danger on the net, etc., you can always read our blog or follow us on Twitter and Facebook. Happy to answer any questions you may have!
