The latest Wikileaks dump of Apple hacking tools, the LastPass vulnerabilities, and a new Android security report are discussed.
Tag Archives: passwords
Jon Oberheide on Perimeter Security
Mike Mimoso talks to Duo Security co-founder and CTO Jon Oberheide at RSA Conference about Google’s BeyondCorp security model, enforcing perimeter security, how endpoint security has evolved through the years, and the future of passwords.
Default Settings, and Why the Initial Configuration is not the Most Secure
It’s true that it’s easiest and most convenient to start using new devices or software with their default settings. But it’s not the most secure, not by a long shot. Accepting the default configuration without reviewing what it actually is could be dangerous to your company’s confidential information.
The default settings are predetermined by the manufacturer and basically put usability before all else. In the case of a router, for example, this could be a predefined password, or in the case of an OS it could be the applications that come preinstalled. The primary concern is for the ease of use when getting started with a new product, without having to perform the configuration yourself. With three or four clicks, you’re ready to enjoy the use of your new device and are probably barely aware of having accepted the default settings.
The problem is that in many cases the default passwords for a whole slew of devices (everything from routers to POS terminals) are easy to find on forums and elsewhere on the internet. Case in point: one POS manufacturer used the same password for 25 years: 166816. The credential could be found with a simple Google search, so any business that failed to change it was unwittingly exposing itself and its clients to cyberattacks.
And money isn’t the only thing at stake. We need look no further than our own company’s Wi-Fi network to see serious potential danger, namely that the default credentials it ships with could easily be compromised. The danger is that someone from outside could connect to the corporate network and even make internal changes, possibly locking the owners out of it. It wouldn’t take an evil genius: if your device’s default configuration hasn’t been changed, all it would take is someone with basic technical skills and access to the Internet.
More than a password change
Any IT department in any corporate environment should be aware that changing the default settings isn’t just about changing the password. In fact, the best approach is to configure every operating system yourself from the outset to increase its security.
It should be up to the company, for example, to decide which applications and programs will be installed on the devices employees use, removing or adding options from the predefined ones and thereby avoiding any software that is not going to be used. Such software, it should be said, could also end up being an added vulnerability: if at some point the program stops receiving security updates, it could become a gateway for cybercriminals. If it is unnecessary, you might as well get rid of it and save yourself future hassles.
In short, any configuration that comes straight from the factory can pose a short- or medium-term risk for companies. The best thing to do is to create a customized configuration so that security and protection against possible attacks remain in the hands of the company’s IT experts.
The post Default Settings, and Why the Initial Configuration is not the Most Secure appeared first on Panda Security Mediacenter.
Cloudflare, Cloudbleed – or 3,400 reasons of shit happens
Over the course of the last six months, Cloudflare bled a lot of sensitive data. The reason? A bug in its HTML parser that in the end impacted millions of websites. Among other things, Cloudflare offers DDoS protection and a CDN service. Due to the massive number of affected websites it’s a rather important issue and it’s […]
The post Cloudflare, Cloudbleed – or 3,400 reasons of shit happens appeared first on Avira Blog.
Two Step Verification, and How Facebook Plans to Overhaul It
We’ve all been there. You get a new smartphone or computer, and you have to slog through all of your first-time logins by manually typing out usernames, passwords, etc. Sometimes it happens that one of your accounts has a particularly difficult password that you barely even remember creating and – yep, you get locked out of your account. You curse yourself for that distant day when you felt so ambitious about password security and created such a puzzle for your future self. But if you’re among the many who ordinarily aren’t too finicky about security, then you’ll probably have no qualms about recovering access to your account by requesting a password reset email from the company.
However, cases reminiscent of the recent data breach of the century at Yahoo that affected a billion accounts show the need for additional security measures. Attackers would be happy to use passwords and security questions collected from such breaches to access your current accounts. In fact, the password recovery link itself may be compromised.
The alternative standard procedure in these cases is two-step verification: associating a phone number with the account to add an extra layer of security. This option is available on a number of services, including Gmail, Facebook, Twitter, and Instagram. However, Facebook has just announced a new way to recover forgotten passwords safely and without the need for a phone.
Challenging email as the standard
Soon, the social network par excellence will allow users of third-party websites to recover their passwords through its own service. Internet users will be able to save an encrypted token on Facebook that allows them to recover their password on sites like GitHub. This way, if you lose your GitHub password, you can send the token from your Facebook account, thus proving your identity and regaining access to your GitHub profile.
The company has emphasized that the token’s encryption guarantees user privacy. Facebook can’t read the information stored in it and will not share it with the service you’re using it for without express permission from the user.
At the moment, the service, which has been called Delegated Recovery, is only available on GitHub. It has also been released to researchers as an open source tool to be scrutinized for vulnerabilities before it is rolled out to other websites and platforms.
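The flow described above, reduced to its three parties, as an added illustration that is not Facebook’s Delegated Recovery implementation or its specification: the account provider (the GitHub role) issues an opaque, single-use blob that carries no user data, the user parks it at the recovery provider (the Facebook role), and later the recovery provider hands it back countersigned. HMAC stands in for the real protocol’s signatures and encryption, and the recovery provider’s key shared with the account provider stands in for a published public key; the class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

def _mac(key: bytes, data: bytes) -> bytes:
    # HMAC stands in for the signatures of the real protocol (assumption)
    return hmac.new(key, data, hashlib.sha256).digest()

class AccountProvider:
    """Site whose account can be recovered: the GitHub role."""
    def __init__(self, recovery_provider_key: bytes):
        self.key = secrets.token_bytes(32)      # never leaves this site
        self.rp_key = recovery_provider_key     # stands in for the RP's public key
        self.issued = {}                        # token id -> account, None once spent

    def issue_token(self, account: str) -> bytes:
        tid = secrets.token_bytes(16)           # random id: the blob carries no user data
        self.issued[tid] = account
        return tid + _mac(self.key, tid)        # opaque blob the user parks at the RP

    def recover(self, token: bytes, rp_sig: bytes):
        # 1. the RP must have countersigned exactly this blob
        if not hmac.compare_digest(rp_sig, _mac(self.rp_key, token)):
            return None
        tid, mac = token[:16], token[16:]
        # 2. the blob must be one we issued, unmodified
        if not hmac.compare_digest(mac, _mac(self.key, tid)):
            return None
        account = self.issued.get(tid)
        if account is None:                     # unknown, or already spent
            return None
        self.issued[tid] = None                 # single use: a leaked blob cannot be replayed
        return account

class RecoveryProvider:
    """Site that stores blobs it cannot read and vouches for the user later: the Facebook role."""
    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.vault = {}                         # user -> list of opaque blobs

    def save(self, user: str, token: bytes) -> None:
        self.vault.setdefault(user, []).append(token)

    def release(self, user: str, index: int = 0):
        token = self.vault[user][index]         # only after the user authenticates to the RP
        return token, _mac(self.key, token)     # countersignature: "this user asked for it"

def demo():
    rp = RecoveryProvider()
    ap = AccountProvider(rp.key)
    rp.save("alice", ap.issue_token("alice@example"))   # set up while still logged in
    token, sig = rp.release("alice")                    # later, password forgotten
    first = ap.recover(token, sig)
    replay = ap.recover(token, sig)                     # same blob presented again
    return first, replay
```

The recovery provider never learns which account the blob belongs to, and a blob that leaks from its vault is useless without the countersignature and is spent after one use.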
With this new method, Facebook aims to eliminate the headaches of users who suffer theft or loss of their smartphones and can’t recover their accounts immediately. And while they’re at it, they’ll take the opportunity to offer themselves up as a safer alternative to email when it comes to recovering passwords. “There’s a lot of technical reasons why recovery emails aren’t that secure. Email security doesn’t have the greatest reputation right now. It’s the single point of failure for everything you do online,” said Brad Hill, security engineer at Facebook. Will Facebook succeed in becoming the hub of all of our accounts? Time will tell.
The post Two Step Verification, and How Facebook Plans to Overhaul It appeared first on Panda Security Mediacenter.
Entrust your security secrets to a safe pair of hands
Imagine: your security is flawless. Not a single other person can access your sensitive information or accounts. And then the unthinkable happens – you’re in an accident. How will your loved ones get past your security measures to tend to your affairs?
The post Entrust your security secrets to a safe pair of hands appeared first on WeLiveSecurity
Keychain, Apple’s Cloud-Based Tool That Safeguards Your Data
Safeguarding your company’s confidential information, in many cases, calls for having your employees create and properly manage a series of passwords. Not only should they choose complex credentials, but those credentials should also differ from one another. And they definitely should not be saved in easily accessible places, like a text document.
Password managers come in handy in this task, which is so indispensable to corporate security. For their part, companies that provide Apple devices to their employees have Keychain as an ally: a cloud-based password manager that makes it really easy to defend corporate privacy through robust password selection.
Activating this tool is simple: just go to iCloud Settings from an iPhone or an iPad and activate the Keychain option. From a Mac you go to the “System Preferences” menu.
Once activated, all the passwords used by the employee will be stored in iCloud, with its own encryption. Once uploaded to the cloud, it will be possible to use those credentials on all devices that are synchronized and authorized to do so.
However, Apple’s Keychain is much more than just a place to store passwords in the cloud. In fact, it lets users forget about the clutter of juggling several passwords entirely: when they sign up for a service, the keychain suggests complex options distinct from those already in use and saves them automatically. No need to commit anything to memory.
It is also possible to store credit card data and certificates to sign documents digitally. Thus, Apple encryption and its cloud service are one hundred percent responsible for security on the platforms used by employees.
By combining this tool with the right protection to avoid threats, your company’s confidential information will be safer. It makes sure that your passwords are secure and that they will not be stored remotely in any place. And those who want to spice up their passwords can still edit them (or delete old ones) to make them even more complex. When corporate security is at stake, it can never hurt to add extra layers of protection.
The post Keychain, Apple’s Cloud-Based Tool That Safeguards Your Data appeared first on Panda Security Mediacenter.
Can a Hacker Guess Your Password in Only 100 Attempts?
Making sure that our employees use complex and diverse passwords, both in and out of the workplace, is of vital importance. Not least because multitudes of confidential data could be at risk because of flimsy credentials, ones that are obvious and oft-repeated.
To demonstrate the need for adequate protection that also allows for the handling of many distinct passwords, a group of researchers has created software capable of guessing passwords in only a small number of attempts. Specifically, given a little of the victim’s personal information, the tool is able to hit upon the correct password while testing fewer than a hundred possibilities.
It’s called TarGuess and was created by researchers at the Universities of Beijing and Fujian in China, and the University of Lancaster in the UK. According to their study, an attacker with sufficient personal information (username, a pet, family members, date of birth, or the destination of their most recent vacations) has a one in five chance of guessing their password in fewer than a hundred attempts.
All they’ve done with TarGuess is to automate the process with a tool that scours social networks for personal information that could later be used in its attempts.
Using this tool, the researchers successfully guessed 20% of the study participants’ passwords with only one hundred attempts. More strikingly, the success rate climbs with the number of guesses: with a thousand attempts TarGuess gets 25% of passwords, and with a million the success rate can reach 50%.
Moving beyond the controversial data breaches of platforms such as Yahoo or Dropbox, the main conclusion that this study draws is that many users’ passwords are not robust enough to withstand this kind of attack. And as if that wasn’t enough, these breaches have brought to light another risk: TarGuess reportedly detected that many of these credentials are used in other services, or at best have many similarities (constituting what they call “sister passwords”).
This investigation demonstrates once again the necessity of controlling what kind of information is published on social networks. An employee that ‘shares’ every moment of their life may be inadvertently helping a cyber attacker to learn their password, putting corporate data at risk.
The post Can a Hacker Guess Your Password in Only 100 Attempts? appeared first on Panda Security Mediacenter.
No password? You’re asking to be hacked.
75 million smartphones in the US don’t have a passcode set
TransUnion’s latest Cyber Security Survey confirmed that Americans who feel extremely or very concerned about cyber threats have increased 20 percent since last year – from 46 percent in 2015 to 55 percent in 2016. Fears are legitimate – hacking and cyber security have even become one of the main topics in the presidential debates between Donald Trump and Hillary Clinton.
If you think this is surprising, keep reading: the most shocking part of the survey is not that its findings confirm the notion that we are constantly under cyber threat, which we already knew. The most shocking part is that despite the increasing fear, nearly 50% of participants admit that they don’t take action to protect their content.
Nearly half of the people who participated in the survey admitted they don’t lock their phones with a password.
Let us translate this for you: currently there are nearly 320 million people legally living in the USA, about 225 million of them adults. More than two thirds of the adults living in the US have smartphones. If the statistics are right, some quick math shows there are more than 75 million people in the US whose smartphones don’t have a passcode set. This is scary! This means two out of the three Kardashians don’t have passcodes on their phones! What could go wrong? We will let Kim and Kanye tell you.
What should you do?
Set up a password on your cell phone.
We all know what the consequences of identity theft are. Unless you want a stranger buying a car in your name, or leasing a property in a city you’ve never heard of using your SSN, go find your phone and set up your password right now. Then add a recurring reminder to your calendar to change it frequently!
Admit the problem.
The threat is real and hundreds of thousands of peoples’ lives are being ruined by hackers stealing their precious information. Having a lock on your phone might be a good beginning but it does not solve your problem entirely.
Find a solution that works best for you.
The option we recommend is Panda Security Antivirus. Downloading your copy of Panda Security antivirus will protect you from getting your email hacked, and it will keep your credit cards, personal information and cell phone safe.
According to TransUnion, about 1 million people will call its Fraud Victim Assistance Department in 2016. Let’s join hands, be more protective of our personal information and reduce the number of calls they get by practicing common sense. It’s natural to want to protect ourselves, but it is hard to protect what we have if we don’t realize that the threat is real. The best results come from taking practical, protective actions before things go wrong. Let’s not reach the point of needing to call the fraud department; act now and protect your personal information sooner rather than later.
The post No password? You’re asking to be hacked. appeared first on Panda Security Mediacenter.
Almost half of companies save employee passwords in Word documents
There is a growing awareness of cybersecurity within companies, but are these companies taking action to improve their security? In a recent study, 750 IT security decision-makers worldwide were surveyed to see whether they are “learning and applying lessons from high-profile cyber-attacks”, and whether this influences their security priorities and decisions.
The study examined the contradictory situation that is currently present in a number of global businesses. On a positive note, 79% of those surveyed said that they learned their lesson after seeing cyberattacks jeopardize the IT security in other companies, and 55% confirmed that they have changed the way they manage corporate accounts in order to adapt to the current cybersecurity climate and avoid unnecessary risks.
Nevertheless, the survey also exposes a very different reality. In contrast to those complying with security procedures, 40% of participants stated that they simply use a Word document or spreadsheet to manage their company’s credentials, and 28% stated that they use a shared server or a USB stick for the same purpose. What is obvious is that IT security is absent in almost half of the 750 businesses surveyed.
Of course, all of the storage methods mentioned above are susceptible to a cyberattack, especially if they fall into the hands of someone with the right know-how, but they can also be leaked by the company’s own employees. A Word document makes private information accessible to any employee in the company.
To ensure that employees only use their own passwords, companies should use a password manager that also protects the company’s devices. This will also help keep documents and devices, like a Word document or USB memory stick that stores passwords, safe from cyberattack or infection.
In terms of cybersecurity, there is still a long way to go in the business environment. IT security should be a priority. Although 95% of these organizations have a plan in place for IT emergencies, only 45% periodically check that it is functioning properly.
Despite this carelessness, 68% of those surveyed claim that their greatest concern and challenge is the theft of their customers’ data (though this percentage does not match the cybersecurity mechanisms implemented by IT security heads).
The post Almost half of companies save employee passwords in Word documents appeared first on Panda Security Mediacenter.