Tag Archives: News

New WhatsApp updates: how to keep your privacy.

As the world’s most popular messaging application, WhatsApp is constantly adding new features designed to delight their 1 billion registered users. And the latest update contains a number of goodies that will delight fans of picture messaging.

This all looks very familiar…
For anyone who uses the Snapchat app, the new WhatsApp features will seem very familiar. In fact, you might say that they are identical.

WhatsApp users can now take a photo, and quickly add a sketch or some text, before sending it as a message – just like Snapchat. Or they can add emojis – that look exactly the same as those in Snapchat. There are even several navigation gestures (zooming in and out, or switching between cameras) that are exactly the same as those used in the Snapchat app.

The reason WhatsApp have borrowed so much from Snapchat is simple – to keep people engaged with their platform. The more that people use the platform, the better able WhatsApp (and their parent company Facebook) is to profile them for advertising purposes.

And obviously people want entertaining picture messaging services – so these new features are sure to be incredibly popular.

Is there a potential security risk with the new WhatsApp app?

Because of its popularity, WhatsApp has been targeted by cybercriminals many times over the years. Several times researchers and hackers have uncovered flaws in the software that allow accounts to be compromised.

Every one of these breaches has the potential to expose personal information – or to give criminals useful information for identity theft.

WhatsApp has made significant efforts to improve security, although privacy still remains doubtful because of the new data sharing agreement with Facebook. However, end-to-end encryption of messages – including the new photo options – should prevent people from “listening in”.

Better safe than sorry

No matter how trusted the developer may be, you should always treat each new app (or update) with some caution. Installing an antivirus and security tool will help you see what is going on behind the scenes and how the app is using your personal data.

The WhatsApp service, for instance, is known to take a copy of your entire address book and upload it to their servers. WhatsApp are relatively transparent about this (they can better identify your friends who are also using their service) – but other developers are not. You should always use a tool like Panda Mobile Security to monitor exactly what’s happening on your phone.

Otherwise you might be installing software that accesses much more personal data than you expect.

You can prevent data stored on your handset from being accessed by thieves too. Panda Mobile Security allows you to lock each app with a PIN, so if you don’t enter the right code, the app cannot be opened. If someone steals your phone, they cannot view your messages and pictures.

No less secure, but a useful reminder

Because the latest update is still very new, no one has yet exposed any new WhatsApp security vulnerabilities. And even if there aren’t any problems, the release is a useful reminder of the importance of scanning new apps for malware, loopholes and suspicious data access permissions.

Download your free copy of Panda Mobile Security now – then go get creative with the new WhatsApp picture features. Have fun!

The post New WhatsApp updates: how to keep your privacy. appeared first on Panda Security Mediacenter.

Got something to hide? Don’t pixelate it.

Many businesses share documents that are pixelated in order to protect private information, whether they be bank account numbers, photographs or other private information. Although pixelation used to be a simple and sufficient way to hide confidential information, now computers are smart enough to read these distorted images—even when your eye cannot. Pixelated documents are no longer safe!

Researchers from the University of Texas and Cornell Tech have developed software based on artificial intelligence that is capable of defeating standard content-masking techniques (like blurring or pixelation) in order to read what was originally covered up.

One of the authors, Vitaly Shmatikov, warned that, aside from the complex technical developments, “the techniques we’re using in this paper are very standard in image recognition, which is a disturbing thought.”

But these researchers aren’t the only ones developing this type of software. More powerful object and facial recognition techniques already exist for those who want to use them. This means cybercriminals may already have the tools to unveil private information you thought was hidden.

To carry out their research, the team fed neural networks images with faces, words and objects. The more times the neural networks “see” these images, the more easily they can recognize them. After successfully memorizing the photos, the neural networks were able to successfully defeat three privacy protection technologies including YouTube blurring technology, pixelation and Privacy Preserving Photo Sharing (P3).

In conclusion, pixelating or blurring information is no longer the best way to share confidential documents. After this research, the software was able to recognize 80% of the distorted images.

According to Lawrence Saul, a machine learning researcher at the University of California, San Diego, “For the purposes of defeating privacy, you don’t really need to show that 99.9 percent of the time you can reconstruct. If 40 or 50 percent of the time you can guess the face or figure out what the text is then that’s enough to render that privacy method as something that should be obsolete.”

To keep your corporate information safe, the best you can do is avoid sharing it (if you can) and, above all, protect it with the appropriate protection for your company.

The post Got something to hide? Don’t pixelate it. appeared first on Panda Security Mediacenter.

Smart cities with Invisible Dangers

Smart cities are a real thing—could you live in one? Do you live in one?

Actually, a smart city is an “urban development vision” used to manage a city’s assets by integrating multiple information and communication technology (ICT) and Internet of Things (IoT) solutions within the city. A smart city’s ultimate goal is to improve the quality of life for its residents.

With just an internet connection and one of the endless number of devices available, residents can do a multitude of things like pay parking meters and purchase movie tickets. Did your device run out of battery while you were on-the-go? Go ahead and hook up to one of your city’s many public charging stations.

Yes, a properly planned smart city can make life more convenient, but this is also a double-edged sword. However convenient, in regards to internet security, it is very dangerous. At the end of any given day, there’s a high possibility that any one of these connected devices could be hacked, while criminals get away with your most private information.

Danger wherever you look

City Bikes

The next time you take one of those public bikes for a spin, keep in mind that these electric bike stations are run by a computer… a computer that can be hacked like any other connected device. You’ll see that at each bike station there’s a small computer screen for riders to register, recharge passes, report incidents, and map the other stations in close proximity. But like any other computer, cybercriminals can use a lot of different techniques to take advantage of any vulnerability that these systems might have.

On these payment screens, in the maps section, there are various (public) sections on the platform, such as “Report an Error”, “Privacy Policy” and “Terms of Use”. When these are tapped, an Internet Explorer window pops up. From there, the cybercriminals have access to a virtual keyboard, which ultimately gives them the power to execute unwanted applications. This is the start of their hack: now they can access and collect info belonging to all those wanting to rent a city bike, getting their full names, verified email addresses and phone numbers. Some hackers will be able to steal customer payment data, too.

Taxis

New York City’s famous yellow taxi has jumped on the “smart experience” bandwagon. Aside from the tourist maps, Broadway ads and business cards that fill the back seat of the yellow cabs, passengers can use the tablet attached to the Plexiglas divider separating you from the driver. Go ahead and read the news during your commute, and when you arrive at your location, make your payment from the same device. Just remember, if a cybercriminal gets in the back of this cab he could successfully install malware and gain access to a lot of customer information. Likewise, remember to watch out for the public chargers in the taxi. Just imagine all the people whose privacy could be in danger.

We leave you with a last note: if a city wishes to become a smart city, installing these intelligent devices requires that all businesses commit to the necessary security measures to safeguard government and public privacy. Keep your citizens safe by following adequate security assurances.

The post Smart cities with Invisible Dangers appeared first on Panda Security Mediacenter.

“Securing a business involves so much more than plugging in various pieces of computer technology”, Simon Edwards

I met Simon Edwards in January 2007 at the first AMTSO meeting in Bilbao. For many years, Simon dedicated himself to testing security products for Dennis Publishing and, at the time, he was also the technical director of Dennis Technology Labs. The prestige gained over the years has made him a recognized authority in this sector. Less than a year ago he began a new career path when he started his own business, SE Labs.

1 – Since your time as the editor of the Computer Shopper magazine, your life has been linked with computer security. What has your experience been like in such a changing and innovative industry?

Simon Edwards, founder of SE Labs

I have always approached the security business from an ethical position because we genuinely want to make a bad situation better. We do much more than testing anti-malware products. We provide threat intelligence to very large companies and, in the UK, the insurance industry uses our information to make important decisions. That is a new diversion from testing, but we do still test security products and that feeds back into the threat intelligence information we provide. We didn’t set out to create a security testing business from day one, though.

When I was first asked to write an anti-virus group test I thought about how to do it, but without any input from other testers or even the companies that made anti-virus programs. In complete isolation from the experts I came up with a method of testing and found that some well-known threats could bypass anti-virus, particularly those that were more like Trojans and hacking attacks rather than standard self-replicating ‘viruses’. That was interesting.

The response from the readers was fantastic and every time we published such a test we sold more magazines than in a usual month. The anti-virus industry was less pleased and I received aggressive phone calls from some people who, today, I actually count as very good friends. We just had to get to know each other and develop trust.

I think that the default position the security industries take, when confronted by challenging results from a new face, is to attack. “We don’t know this guy and he’s saying our product sucks? He must be an idiot, or corrupt!” Nothing much has changed on that front. At least now people know SE Labs creates useful tests and works ethically. Well, most people do. There are some companies, particularly new ones, who are still working out what’s what. They assume that if you don’t support their marketing message then you are an enemy with a biased agenda.

One big change is that vendors are starting to see the usefulness of testers really attacking systems, rather than just scanning regular malware that exists on the general internet. We were running hacking attacks in tests back in the days of Back Orifice 2000 and we also used other tools that the bad guys had access to. At the time that was extremely controversial, as the industry had a general view that creating threats was taboo. Many still feel that way, but we’ve been crafting targeted attacks for testing purposes ever since, and it seems fair considering how many products claim to prevent such things.

2- What is it like to be an entrepreneur? Are you still able to perform the tests yourself or has management become the main part of your day-to-day?

I personally review every set of data that powers the tests that we publish, and I also develop the test methodologies used by the talented testers who actually sit in front of the systems and put the products through their paces. The ongoing testing and general office tasks are managed by the SE Labs team in London. Once a test is up and running I trust the team and spend most of my time doing one of a million other things. What’s really cool about setting up a company from scratch is that there are so many creative tasks to carry out. But, as we’ll see, there’s also a load of nonsense to contend with too.

When you are running a company on your own you make decisions about literally everything. One day I would be negotiating six-figure finance deals and then I’d be fielding questions about teaspoons. I spent literally half a day in Ikea arguing with colleagues about which cutlery sets to buy.

Back to testing, I have spent a large amount of time trying to work with the newer companies in the industry. Some of them can be reluctant and I understand why. Startups are vulnerable and a poor result could kill a business before it even starts. That said, some of the aggressive marketing we’ve seen very much invites testing to challenge quite extraordinary claims. There is a lot of emotion and some immaturity in this emerging ‘next-gen’ industry. That needs to stop, because it does not serve the customers.

3- As Director of SE Labs, does your work continue to surprise you on a daily basis? Do you have to adapt your tests to the type of attacks that appear frequently? 

A fundamental part of what we do is to seek out and use prevalent threats. Theoretically every product should score 100 per cent in our tests because we’re not using threats from the edges of the internet or zero day threats. So it’s always been quite surprising to me that most vendors don’t score 100 per cent. It’s well-known in the security world that a test in which everyone scores 100 per cent is useless. I don’t think that’s true, as long as the test comes with a good explanation of what it’s trying to achieve.

But regardless, if I throw 100 well-known threats at the leading anti-malware products I know there will be compromises. And that still surprises me. We work with many vendors to help them fix these issues.

4- In addition to traditional security solutions, in the past few years several new solutions have appeared on the market with names like “Next Gen AV” that use a different approach to protect businesses. Have you had the opportunity to try one of these solutions? What has your experience been like?

We have managed to gain access to some so-called ‘next-gen’ products and I know what you’re expecting me to say! But they are not the snake oil that their crazy marketing suggests. They are proving to be competent solutions. I don’t think I’d want to run many on my systems without some other form of anti-malware, but they are not the ‘smoke and mirrors’ fake solution I think many people assume. They are not perfect but neither are they rubbish.

5- There are also solutions from “traditional” manufacturers within the EDR category (Endpoint Detection and Response). Have you had the opportunity to try out any of them? 

Indeed we have, and we even run one of these products alongside so-called ‘traditional’ AV on our own systems. Being able to track a breach if/when it happens could be useful. Although we’re a relatively small company, it would be naïve to think that no-one would ever mess with us. We take security seriously, especially considering the nature of some of our clients (we don’t just test anti-malware products, but also provide security advice to some of the largest companies in the world). Our influence extends beyond the basic ‘AV test’ world and, as such, we need to be very careful.

6- You have been involved in AMTSO since the very beginning, and in fact you are currently a member of the Board of Directors. In your opinion, what are the major accomplishments AMTSO has achieved since its inception?

The relationship between testers of anti-malware products and the developers of those products is a million times better today than it was. This is important because a good relationship means a productive development cycle of the software that we all use to protect our computers. Once it was the case that vendors hated testers and treated their results as something to work around, rather than use to improve products. I think that AMTSO has largely fixed that problem.

7- What are the challenges that AMTSO has to face in the near future in the testing landscape?

The next-generation companies are opposed to testing. They might claim otherwise, but in my opinion they don’t want to be challenged. Their focus is investment and growth. AMTSO needs to bring these companies into the fold and help them understand that there is something more important than just raising investment funding. Customers count and they need to be protected. Testing actually plays a crucial part in that. They can’t expect to succeed if they operate in a vacuum.

8- In your opinion, what is the biggest challenge that institutions and corporations are up against today in regards to cybersecurity? Does that time lag really exist between adopting new technologies in businesses and applying the proper security measures?

I think the biggest challenge is that securing a business involves so much more than plugging in various pieces of computer technology. Users are potentially the strongest link in the chain, whereas often they are accused of being the weakest. Training can help a lot here. Going back to fundamentals and really understanding what security is would help. It’s easier to spend a few millions on some new types of firewalls, but that’s not going to do the job. CISOs need to understand that.

 

The post “Securing a business involves so much more than plugging in various pieces of computer technology”, Simon Edwards appeared first on Panda Security Mediacenter.

Links that endanger your cyber-security

On any given day, employees at your company click a multitude of links and many of them come from unknown sources. But clicking these mysterious URLs endangers more than your security; it can also threaten your business.

Curiosity can cost you. The sole purpose of these links is to transfer malware onto your system. What’s worse is that, as demonstrated in a recent study, the majority of internet users click these unknown links.

Zinaida Benenson, a professor from the University of Erlangen-Nuremberg, and her team of investigators sent 1,700 students messages (from both Facebook and email) containing a shortened link, supposedly to access a photo album. To do this they created fake accounts and profiles to see if the students trusted and clicked the unknown sources.

But, of course, a photo album did not appear when the link was clicked. Luckily for the study’s participants, there was only an error page that allowed the investigators to count how many of them clicked the bait. The study’s results speak for themselves: 56% of those that received the link via email and 38% via Facebook clicked the links.

More than half of internet users click links without thinking.

Later on, all of the study’s participants received a questionnaire. Once again, one of the conclusions drawn from the study was the most surprising: the number of those who clicked the unknown links totaled 78%. Why? For most participants, curiosity was to blame.

It is extremely important that employees are aware of the risks when clicking a link from an unknown source: this mistake can endanger all of the private data stored on company systems, including information stored in the Cloud.

However, if you see that curiosity takes flight, the best advice you can adopt is to begin using a solid protection service such as Panda Solutions for Companies, the only way to protect ourselves against these types of cyberattacks.

The post Links that endanger your cyber-security appeared first on Panda Security Mediacenter.