Tag Archives: Security

Default Settings, and Why the Initial Configuration is not the Most Secure

It’s true that it’s easiest and most convenient to start using new devices or software with their default settings. But it’s not the most secure, not by a long shot. Accepting the default configuration without reviewing what it actually is could be dangerous to your company’s confidential information.

The default settings are predetermined by the manufacturer and basically put usability before all else. In the case of a router, for example, this could be a predefined password, or in the case of an OS it could be the applications that come preinstalled. The primary concern is for the ease of use when getting started with a new product, without having to perform the configuration yourself. With three or four clicks, you’re ready to enjoy the use of your new device and are probably barely aware of having accepted the default settings.

The problem is, in many cases, the default passwords for a slew of devices (everything from routers to POS terminals) are easy to find on forums and elsewhere on the internet. Case in point: one POS manufacturer used the same password for 25 years: 166816. The credential could be found with a simple Google search. Any business that failed to change the password was unwittingly exposing itself and its clients to cyberattacks.

And money isn’t the only thing at stake. We need look no further than our own company’s wifi network to see the potential danger: the default credentials it comes with could easily be compromised. Someone from outside could then connect to the corporate network and even make internal changes, possibly locking the owners out of it. It wouldn’t take an evil genius. If your device’s default configuration hasn’t been changed, all it would take is someone with basic technical skills and access to the Internet.

More than a password change

Any IT department in any corporate environment should be aware that changing the default settings isn’t just about changing the password. In fact, the best thing would be to personally configure all operating systems from the beginning to increase their security.

It should be up to the company, for example, which applications and programs will be installed on the devices that employees will use, removing or adding options from the predefined ones, thus avoiding any software that is not going to be used. Such software, it should be said, could also end up being an added vulnerability. If at some point the program stops receiving security updates, it could actually become a gateway for cybercriminals. If it is unnecessary, might as well get rid of it and save yourself from future hassles.

In short, any configuration that comes straight from the factory can pose a short- or medium-term risk for companies. The best thing to do is to create a customized configuration, so that security and protection against possible attacks remain in the hands of the company’s IT experts.

The post Default Settings, and Why the Initial Configuration is not the Most Secure appeared first on Panda Security Mediacenter.

WordPress 4.7.3 Security and Maintenance Release

WordPress 4.7.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7.2 and earlier are affected by six security issues:

  1. Cross-site scripting (XSS) via media file metadata. Reported by Chris Andrè Dale, Yorick Koster, and Simon P. Briggs.
  2. Control characters can trick redirect URL validation. Reported by Daniel Chatfield.
  3. Unintended files can be deleted by administrators using the plugin deletion functionality. Reported by xuliang.
  4. Cross-site scripting (XSS) via video URL in YouTube embeds. Reported by Marc Montpas.
  5. Cross-site scripting (XSS) via taxonomy term names. Reported by Delta.
  6. Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources. Reported by Sipke Mellema.

Thank you to the reporters for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.7.3 contains 39 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.

Download WordPress 4.7.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.3.

Thanks to everyone who contributed to 4.7.3: Aaron D. Campbell, Adam Silverstein, Alex Concha, Andrea Fercia, Andrew Ozz, asalce, blobfolio, bonger, Boone Gorges, Boro Sitnikovski, Brady Vercher, Brandon Lavigne, Bunty, ccprog, chetansatasiya, David A. Kennedy, David Herrera, Dhanendran, Dion Hulse, Dominik Schilling (ocean90), Drivingralle, Ella Van Dorpe, Gary Pendergast, Ian Dunn, Ipstenu (Mika Epstein), James Nylen, jazbek, Jeremy Felt, Jeremy Pry, Joe Hoyle, Joe McGill, John Blackbourn, John James Jacoby, Jonathan Desrosiers, Kelly Dwan, Marko Heijnen, MatheusGimenez, Mike Nelson, Mike Schroder, Muhammet Arslan, Nick Halsey, Pascal Birchler, Paul Bearne, pavelevap, Peter Wilson, Rachel Baker, reldev, Robert O’Rourke, Ryan Welcher, Sanket Parmar, Sean Hayes, Sergey Biryukov, Stephen Edgar, triplejumper12, Weston Ruter, and wpfo.

When cyber-security becomes an affair of state


The Netherlands, France and Germany will hold presidential elections in the coming months. These electoral processes take place in the wake of the U.S. elections, during which Russian cyber-attackers leaked thousands of Democratic National Committee emails, which some claim may have affected the election result – a possibility ruled out by President Trump, despite his finally admitting that the attacks took place.

Dutch authorities will count all election ballots by hand to stop hackers.

Following the events on the other side of the pond, some European leaders are now worried that Russian cyber-espionage groups may try to influence their elections in order to help far-right candidates. European Security Commissioner Julian King has admitted that cyber-attacks could be used “to manipulate democratic processes.” More specifically, cyber-security experts fear the possibility that phishing attacks may be used to extract confidential information that tarnishes the reputation of certain candidates, as was the case with Hillary Clinton.

Growing cyber-security fears ahead of coming European elections

The first elections will take place in the Netherlands, where voters will go to the polls on March 15. The Dutch government has resorted to extreme measures to combat cyber-attacks aimed at manipulating the general election. In fact, Dutch authorities have announced that they will count all ballots cast by hand, and will communicate the election results by phone to avoid any risk of hackers messing with the results. This announcement was made after a cyber-security expert stated that the software used at Dutch polling stations is vulnerable to hacking.

The two rounds of France’s 2017 presidential elections will take place on April 23 and May 7, and French authorities are warning political parties about the increased threat of cyber-attacks. French Defense Minister Jean-Yves Le Drian recently said that in 2016 about 24,000 external attacks against his ministry were blocked by security, and warned of a real risk of cyber-attacks on French civil infrastructure such as electricity, telecommunications and transport.

Germany will hold its federal election on September 24. According to Stefan Soesanto, cyber-security expert at the European Council on Foreign Relations, the German federal system could lead to communication failures among security teams. Just a few months ago, German Chancellor Angela Merkel expressed her concern that Russia could try to influence Germany’s general elections, and recently indicated that security will be a key issue in the election campaign.

Taking all of this into account, it seems clear that cyber-security will play a key role in stopping cyber-attacks from having an impact on Europe’s upcoming elections. However, it is not only political parties that must step up their defenses. The best way for your organization to protect itself against cyber-attacks, including phishing emails, is to have an advanced cyber-security solution in place, such as Panda Security’s Adaptive Defense 360. Prevention, detection, response and remediation become an affair of state.

The post When cyber-security becomes an affair of state appeared first on Panda Security Mediacenter.

Scout Explained: Avira Autopilot

Avira Autopilot Scout

What is Autopilot and where can I find it? Avira Autopilot is a browser extension exclusively for the Avira Scout browser. You can download Scout from here. Autopilot includes all the functions of the popular Avira Browser Safety (ABS) extension. Once you have downloaded, installed, and started Scout, you will see a green icon (see […]

The post Scout Explained: Avira Autopilot appeared first on Avira Blog.

Security tips to avoid becoming a victim of revenge porn


Relationship break-ups have always been difficult, sometimes even acrimonious. Unfortunately a distressing new trend has emerged that can make the process even more hurtful.

Revenge porn – the process of sharing intimate, naked photos of an ex-lover online without permission – is being used by some jilted partners. By sharing these pictures on social media and other public websites, the person hopes to hurt and humiliate their victim, who they often blame for the collapse of the relationship.

Obviously revenge porn is illegal – but once those photos are ‘in the wild’, there is almost nothing the victim can do to prevent their spread. The only way to stop yourself from becoming a victim is to put protections in place in advance.

Here are 4 ways to help yourself:

1. Don’t take naked photos

By far the safest way to prevent intimate photos from being leaked online is not to take them in the first place. As soon as those images exist, even if you don’t share them, they are at risk of loss, theft or leakage.

The minute you take a photo on your phone, it is copied to the cloud, for instance – so now you need to protect two copies. And if you sync your phone with your computer, that creates a third; three copies, three points of vulnerability.

2. Don’t share naked photos

The second rule of protecting yourself against revenge porn is to ensure you never send naked pictures to anyone. No matter how much you love and trust your partner, you give up all control over that image the minute you pass it on.

Should your relationship hit the rocks, you will find it even harder to regain any control over those pictures.

3. Don’t be afraid to ask someone to delete pictures

If you go ahead and send an intimate picture to someone, you should always be ready to ask them to delete it – for any reason at all. You should also watch as the image is deleted to make sure it really is gone.

4. Protect your devices

Sometimes technology lets us down, and sensitive data is stolen or leaked directly from our computers and phones. Modern malware and computer viruses are exceptionally good at stealing our information.

This is just one of many reasons why you must install security software on your phone and PC to protect against hackers. Using an application like Panda Security prevents cybercriminals from accessing your pictures, protecting you against revenge porn leaks or blackmail attempts.

Use your head

Like most cybersecurity problems, applying your common sense could save you a great deal of embarrassment later. There is nothing “prudish” about refusing to take or share naked photos – in fact, protecting yourself in this way is extremely mature. So you should never feel pressured into sharing something you don’t want to.

And if you so choose to share an intimate image, make sure that your phone and PC are secured to minimise the risk of your selfie being leaked. You can download a free trial of Panda Security to get started.

The post Security tips to avoid becoming a victim of revenge porn appeared first on Panda Security Mediacenter.

Smart Meters Can be a Threat to Homes and Offices


For some time now, a large majority of buildings have made use of smart meters to record their electrical consumption. Besides the potential impact on the electric bill, which some consumer groups have already denounced, the widespread adoption of this apparatus carries along with it some lesser known security risks.

As researcher Netanel Rubin explained during the last edition of the Chaos Communications Congress held in Hamburg, Germany, these meters pose a risk on several fronts. First, these devices record all household and office consumption data and send it to the power company. An attacker with access to the device could see its data and use it for malicious purposes.

For example, a thief could find out whether a house or office is empty in order to burgle it. And since all electronic devices leave a unique footprint on the power grid, such a thief could even analyze variables to find out what valuable devices they could potentially have at their fingertips upon entry.

A thief could find out whether a house is empty or not, and what valuable objects it contains


In a few years, when smart homes become more widely popular, the scenario could end up being even more serious. The attacker could actually enter the home or office without having to force the lock. If there is a smart lock installed, all they would need is access to the system to enter the house.

As serious as this is, smart meters are open to even more grievous lines of attack. As Rubin explained, meters are at a critical point in the power grid because of the large amount of voltage they receive and distribute. An incorrect line of code could cause serious damage. For example, an attacker who took control of the device could “cause it to literally explode” and start a fire, according to the researcher.

This is all pretty alarming. But the biggest weakness of smart meters is in the way they communicate with each other and with power companies. Normally they do it through the GSM protocol, the standard of 2G communications for mobile networks. The insecurity of this protocol has been well demonstrated.

According to Rubin, some companies are not using any sort of encryption in such communications. Among those that do, weak algorithms or very simple passwords are sadly run-of-the-mill. You might just as well serve it up to attackers on a silver platter.

The fact of the matter is many of these devices are insecure by default. As Rubin points out, they do not have a CPU with enough power and memory to use strong encryption keys.

The post Smart Meters Can be a Threat to Homes and Offices appeared first on Panda Security Mediacenter.

The Dangers of Using an Old Android are Real for Everyone (Even the President)

The presidency of Donald Trump kicked off with some controversy in the area of cybersecurity. While the NSA modified the BlackBerry of his predecessor, Barack Obama (who ended up having to part with it for security reasons), the new leader of the United States seems to be less concerned about the vulnerabilities of mobile devices and continues to use an old Android.

According to various reports, the real estate tycoon has a Samsung Galaxy S3 from 2012. The lack of caution on the part of the newly-inaugurated head of state holds a valuable lesson for any top manager of a company. Although Trump’s smartphone may not be the gateway to all the secrets of an entire nation, using a phone without proper security can be fatal to your company.

The main problem derived from the use of an old Android is the lack of updates. Although Google usually reacts quickly whenever a vulnerability is found in its operating system, security patches only come quickly to a few devices, including the company’s own Nexus.

Meanwhile, other smartphones, and especially older models, have to wait months until the patch arrives (if at all).

For this reason, to use an outdated phone in the corporate environment is to be exposed to all types of cyber threats. Everything from a phishing campaign to the installation of malware that takes advantage of an uncorrected vulnerability of the device.

That’s why it is essential to have the right protection and also to make sure that both the phone and its applications have the latest versions of the software installed.

That a cybercriminal can access the outdated telephone of someone in charge, be it the owner of a company or the leader of a country, can have more serious consequences than simply having access to the device itself. Through an unprotected smartphone, attackers could sneak into the networks to which the mobile is connected and steal valuable corporate information.

There are also known vulnerabilities that track what the phone’s owner is typing, take control of the camera, or listen through the device’s microphone. In short, it is too great a risk for the privacy of company data.

Private email should stay at home

Another lesson we can glean from recent US policy is that under no circumstances should a personal email account be used for professional matters. Hillary Clinton already made that mistake, and now Trump’s high-ranking officials seem to be following in her footsteps.

Using personal mail to send corporate information is risky indeed. Unlike corporate mail servers, whose protection is in the hands of the company’s security department, the services usually used to send emails in the domestic sphere are beyond the control of the company.

This does not mean that they are unsafe, but ensuring the absolute privacy of corporate communications is impossible if those responsible for cybersecurity cannot control which accounts are used and how they are configured.

The post The Dangers of Using an Old Android are Real for Everyone (Even the President) appeared first on Panda Security Mediacenter.

If You Use Autofill, You Might As Well Give Away Your Info For Free


The autofill feature that many browsers offer is a useful time-saving tool that saves you from having to manually fill out forms with the same information every time. Programs include all the necessary information without the user having to go from one field to another to write information that is often repeated in most forms. However, what at first seems to have nothing but upsides for workers and individuals, does in fact carry with it some security risks.

Autofill can be used by cybercriminals to perpetrate phishing attacks in order to collect user data through hidden fields. When the Internet user allows the browser to fill in the form information, it would also fill in a number of spaces that the screen does not display. In this way, when the individual sends the document, she would also be sending her personal information to cybercriminals without realizing it.

Finnish developer Viljami Kuosmanen has revealed how such attacks work with a practical demonstration. He created a form in which only the fields “name” and “email” can be seen, along with a “send” button. However, the source code of the web page harbors some hidden secrets from the user: there are six other fields (phone, organization, address, postal code, city and country), which the browser also automatically populates if the user has activated the autofill function.

The method is a simple strategy to get all sorts of personal information that, according to Kuosmanen’s tests, works in both Chrome and Safari. Other browsers like Opera also offer the autofill feature, and Mozilla Firefox is currently working to implement it.

Fortunately for users, it is possible to disable this option in the program settings without too much difficulty. Browsers have it activated by default without asking permission first, so the only way to turn it off is by taking a moment to change the setting manually.

This is a serious threat to the security of personal and corporate information and is difficult to detect because, unlike other types of attacks, the user does not see any links or other signs that might lead her to suspect anything is amiss.

It is therefore advisable to disable the option in your browser, even though this means that you’ll be spending a little more time filling out those pesky forms.
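One way a defender can check a page for the pattern described above, as an added example that is not part of the original post and is not Kuosmanen’s demo: the audit below walks a list of form-field descriptors (a constructed stand-in for a DOM walk), marks the fields a browser’s autofill would populate, and reports any that are styled out of the user’s view. The autofill token list, the visibility rules, the sample form and its CSS values are all assumptions made for the example, not any browser’s actual heuristics.

```javascript
// Added example (not from the original post): a defender-side audit that
// flags form fields a browser's autofill would populate even though the user
// cannot see them. Browsers fill fields by their autocomplete token or by
// heuristics on the field name; the token list below is an assumption for
// illustration, not any browser's real heuristic.
const AUTOFILL_TOKENS = new Set([
  "name", "email", "tel", "phone", "organization", "street-address",
  "address", "postal-code", "zip", "address-level2", "city", "country",
]);

// Text-like input types are the ones autofill writes into. <input type="hidden">
// is never autofilled by browsers, so it is not an exposure here.
const AUTOFILLABLE_TYPES = new Set(["text", "email", "tel", "url", "search"]);

// Decide whether a field is present in the DOM but invisible to the person
// filling the form. Each descriptor carries a subset of computed CSS values.
function isVisuallyHidden(field) {
  if (field.hidden) return true; // HTML `hidden` attribute
  const s = field.style || {};
  if (s.display === "none" || s.visibility === "hidden") return true;
  if (s.opacity !== undefined && Number(s.opacity) === 0) return true;
  if (s.left !== undefined && parseInt(s.left, 10) <= -1000) return true; // pushed off-screen
  if (s.width !== undefined && parseInt(s.width, 10) === 0) return true;
  if (s.height !== undefined && parseInt(s.height, 10) === 0) return true;
  return false;
}

// Return the autofill category a field would receive, or null if autofill
// would leave it alone.
function autofillCategory(field) {
  const type = (field.type || "text").toLowerCase();
  if (!AUTOFILLABLE_TYPES.has(type)) return null;
  const key = (field.autocomplete || field.name || "").toLowerCase();
  return AUTOFILL_TOKENS.has(key) ? key : null;
}

// Audit one form. Returns which autofill categories the user can see and which
// would be filled silently; any silent category makes the form suspicious.
function auditForm(fields) {
  const visible = [];
  const hidden = [];
  for (const field of fields) {
    const category = autofillCategory(field);
    if (category === null) continue;
    (isVisuallyHidden(field) ? hidden : visible).push(category);
  }
  return { visible, hidden, suspicious: hidden.length > 0 };
}

// Constructed form modelled on the demo described in the post: two visible
// fields and six styled out of sight. Field names and CSS values are made up.
const DEMO_FORM_FIELDS = [
  { name: "name", type: "text", autocomplete: "name", style: {} },
  { name: "email", type: "email", autocomplete: "email", style: {} },
  { name: "phone", type: "tel", autocomplete: "tel", style: { display: "none" } },
  { name: "organization", type: "text", autocomplete: "organization", style: { visibility: "hidden" } },
  { name: "address", type: "text", autocomplete: "street-address", style: { position: "absolute", left: "-9999px" } },
  { name: "postal-code", type: "text", autocomplete: "postal-code", style: { opacity: "0" } },
  { name: "city", type: "text", autocomplete: "address-level2", style: { width: "0px", height: "0px" } },
  { name: "country", type: "text", autocomplete: "country", hidden: true, style: {} },
  { name: "csrf_token", type: "hidden", style: {} }, // server token: not an autofill target
];

// Plain-text verdict, the kind an extension or a site-review checklist would show.
function describeAudit(report) {
  if (!report.suspicious) return "OK: no hidden autofill fields";
  return `WARNING: ${report.hidden.length} hidden autofill field(s): ${report.hidden.join(", ")}`;
}

console.log(describeAudit(auditForm(DEMO_FORM_FIELDS)));
```

Run it with node. A browser extension would build the same descriptors from getComputedStyle() on each input of a real form; the rest of the logic is unchanged. Site owners can also mark fields that should never be prefilled with autocomplete="off", though browsers do not always honour it, so the user-side setting the post recommends remains the dependable control.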

The post If You Use Autofill, You Might As Well Give Away Your Info For Free appeared first on Panda Security Mediacenter.

Access Cards Will Disappear from 20% of Offices within Three Years


You arrive at the office, you approach the security gates, you swipe your card and start the day. It’s one of the motions that a large percentage of the workforce goes through daily, because today, and it seems that for a while yet, the access card is still the reigning security device for entering corporate offices.

By 2016, less than 5% of organizations had incorporated the use of smartphones to access their facilities or restricted parts of them. By 2020, according to a report by the consultancy Gartner, this percentage will have tripled: 20% of companies will have replaced access cards with smartphones.

Although the vast majority of mobile phones on the market already have Bluetooth and NFC technologies, there are still few companies that have taken the next step and put these technologies to use. This may fairly be seen as a wasted opportunity, since the necessary devices are ever-present in the pockets of authorized employees.

The progressive replacement of access cards by smartphones will go hand in hand, according to Gartner, with the adoption of biometric systems such as fingerprint or iris scanners, or facial recognition, because it is much easier and safer to implement them if accompanied with a mobile phone.

“Rather than having to add biometric capture devices in or alongside readers, the phone itself can easily be used as a capture device,” said David Anthony Mahdi, director of research at Gartner. “This approach also mitigates the risks from an attacker who gains possession of a person’s phone.” If an intruder were to steal an employee’s device, biometric authentication would still have to be overridden.

Given its advantages (convenience, cost reduction, etc.), the only thing that stands between the smartphone and access to the vast majority of offices is a company’s willingness to implement the change – many of the access control systems and card readers installed today in companies require a major update to be compatible with smartphones that use wifi, Bluetooth, or NFC to establish identification parameters.

It’s just a matter of time. In a few years, if Gartner’s predictions are correct, many employees will have a new way to start their day at the office. They will arrive, they will approach the security gates, they will take their mobile out of their pocket and take a selfie, they will enter and begin the workday. They no longer have to worry about getting the card before leaving home. Their phone is always with them.

The post Access Cards Will Disappear from 20% of Offices within Three Years appeared first on Panda Security Mediacenter.