Tag Archives: Security

The Cruelest Ransomware Propagates Like a Meme

A link shows up in your inbox from a colleague that you never really hit it off with, or a cousin you’re on the outs with. You open it, and the cat’s out of the bag: you’ve been infected with a ransomware that has abducted all of the files on your computer.

This new malicious software is called Popcorn Time and its purpose is to get the victim to collaborate with the cybercriminal to infect new users. It is particularly cruel because, aside from demanding a 1 bitcoin payment (about $900 as of this writing) to return access to the encrypted files, the victim is offered the chance to recover the files for free if they contribute to its propagation.

Infecting Others to Free Yourself

The victim will be able to share the Popcorn Time download link with other users. If two of the newly infected decide to pay the ransom or pass the chain along, the accomplice will receive a code to unblock their files.

Essentially, Popcorn Time works like any other ransomware — it infects computers and encrypts their files. The twist lies in the morbid way it spreads itself, which enables cybercriminals to take advantage of the word-of-mouth phenomenon.

“The model for getting it off your system is sort of a pyramid scheme, multi-level marketing style approach,” explains Kevin Butler, security expert at the University of Florida. “It could certainly make for some interesting discussions amongst one’s group of friends if you’re trying to figure out who infected you with this malware.”

How can you protect yourself from Popcorn Time?

Dissemination strategies like this one may not have as significant an impact as they seem to at first glance. Is it easier to propagate malware by asking for the collaboration of users, or by sending mass emails that reach many recipients quickly and at the same time?

One way or another, it’s crucial to be protected in the face of such dangerous threats as Popcorn Time, whether or not they propagate as a viral phenomenon. Keeping our operating systems updated, not clicking on suspicious links — even if an acquaintance has sent it — and keeping a good cybersecurity solution installed — this is some of the advice to be followed if you want to avoid having your files abducted by a cybercriminal.

The post The Cruelest Ransomware Propagates Like a Meme appeared first on Panda Security Mediacenter.

WordPress 4.7.1 Security and Maintenance Release

WordPress 4.7 has been downloaded over 10 million times since its release on December 6, 2016 and we are pleased to announce the immediate availability of WordPress 4.7.1. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7 and earlier are affected by eight security issues:

  1. Remote code execution (RCE) in PHPMailer – No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release. This issue was reported to PHPMailer by Dawid Golunski and Paul Buonopane.
  2. The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API. Reported by Krogsgard and Chris Jean.
  3. Cross-site scripting (XSS) via the plugin name or version header on update-core.php. Reported by Dominik Schilling of the WordPress Security Team.
  4. Cross-site request forgery (CSRF) bypass via uploading a Flash file. Reported by Abdullah Hussam.
  5. Cross-site scripting (XSS) via theme name fallback. Reported by Mehmet Ince.
  6. Post via email checks mail.example.com if default settings aren’t changed. Reported by John Blackbourn of the WordPress Security Team.
  7. A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing. Reported by Ronnie Skansing.
  8. Weak cryptographic security for multisite activation key. Reported by Jack.

Thank you to the reporters for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.7.1 fixes 62 bugs from 4.7. For more information, see the release notes or consult the list of changes.

Download WordPress 4.7.1 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.1.

Thanks to everyone who contributed to 4.7.1: Aaron D. Campbell, Aaron Jorbin, Adam Silverstein, Andrea Fercia, Andrew Ozz, bonger, Boone Gorges, Chandra Patel, David Herrera, David Shanske, Dion Hulse, Dominik Schilling (ocean90), DreamOn11, Edwin Cromley, Ella van Dorpe, Gary Pendergast, James Nylen, Jeff Bowen, Jeremy Felt, Jeremy Pry, Joe McGill, John Blackbourn, Keanan Koppenhaver, Konstantin Obenland, laurelfulford, Marin Atanasov, mattyrob, monikarao, Nate Reist, Nick Halsey, Nikhil Chavan, nullvariable, Payton Swick, Peter Wilson, Presskopp, Rachel Baker, Ryan McCue, Sanket Parmar, Sebastian Pisula, sfpt, shazahm1, Stanimir Stoyanov, Steven Word, szaqal21, timph, voldemortensen, vortfu, and Weston Ruter.

Update Right Away or Wait it Out? Android’s Big Dilemma

If your employees are like most users, they most likely postpone updates for their OS. In other words, your company’s mobile fleet could be at risk. This is especially true if they are using Android devices. When the famous little green robot gives a notification of the update, a good many people wait for other users to try it first and then gauge their reaction.

It seems sensible enough, but this practice could put your company’s security in danger. First of all, phones with Android are more susceptible to break-ins than ones with iOS. Then there’s the fact that most corporate phones are equipped with Google’s software, which in itself involves a risk — the good people at Mountain View take longer than Apple to launch updates with security patches when a vulnerability is detected.

So Google lags in its response to threats, and the fragmentation of Android devices makes the response time even longer. It’s not enough for Google alone to release its update; the patch then has to be adapted to the specific make and model that your employees are using. Ultimately, an Android patch takes long enough to arrive without the added delay of the user postponing the update.

On the other hand, it is true that some people recommend letting some time pass to see how each individual phone reacts to a new update. This advice, which in principle is completely inadvisable for corporate security, does in fact have a reason for being. Some mid-range models could potentially lose some performance or even some functions when a new OS is installed.

Tips on How to Safeguard Your Corporate Devices

The need to protect the confidentiality of corporate data is underscored by this seemingly quotidian matter. For one thing, it’s crucial that employees have a powerful and recent mobile device so as not to run any risks when updating. Also important is that they always have the right protection at their disposal.

The bottom line: your employees should update their mobile software as soon as it’s available. You should also recommend that they make backup copies beforehand. Doing so will reassure them that there is no risk of losing anything. Finally, they should delete cached data to prevent their device from losing performance. No stone should go unturned in the protection and safeguarding of your company’s data.

The post Update Right Away or Wait it Out? Android’s Big Dilemma appeared first on Panda Security Mediacenter.

Attacks That Change the Course of History

Data theft is steadily refashioning itself as a political weapon. This past December, Barack Obama took advantage of his final days in office to take retaliatory measures against Russia. The Obama administration attributes to its Muscovite counterpart the cyberattacks carried out over the course of the recent presidential election, whose goal was to tip the scales in Donald Trump’s favor in the presidential bid.

In an official statement, Obama announced the measures that include the expulsion of 35 Russian operatives and the introduction of new sanctions against certain people and organizations, including the two primary governmental espionage agencies.

Obama, still president, made this decision despite the Kremlin’s denial of its participation in the cyberattacks against the Democratic National Committee and other organizations in the Democratic Party. These cyberattacks came in the form of a massive email leak (containing many messages that damaged Hillary Clinton’s image), divulged by WikiLeaks to the media and considered to be a crucial element in the results of the election.

Shortly after the White House announcement, the FBI and the NSA published a report accusing Russia of the leak, which affected not only the Democratic Party but also John Podesta, chairman of the Clinton campaign. The document includes technical details of the tools and infrastructure presumably used by Russian intelligence services “to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities”. These latter victims remain unnamed.

According to the report, that initiative was part of a broader plan that included attacks against other political organizations, corporate infrastructures, data processing centers, universities, and big businesses.

What Targeted Attacks Came Into Play?

The analysis alludes to two kinds of “spear phishing” attacks, a term which refers to fraudulent emails sent from addresses that belong to or seem to belong to one of the victim’s contacts. The first of them came about in the summer of 2015. It was directed toward at least one person from a “U.S. political party”, who received an email with attachments that activated a malware download. This was then able to spread itself throughout the system and “exfiltrate emails from several accounts”.

In September of this year, the FBI warned the DNC for the first time that their systems were under attack by a group known as “the Dukes”, with ties to the Russian government.

The second attack took place in the spring of 2016. This time, the report tells us, the attacks consisted of mass emails requesting a change of password from users, a strategy used to access party members’ email accounts. While the investigations are underway, Trump continues to deny that the Russian government had anything to do with the intervention made on his behalf.

There is no doubt that with these and other recent developments in the field of cyberattacks, protecting ourselves and our future is key. Over the coming months we will begin to see more and more news on this prickly subject, a clear example of the influence that hacktivism and cybercrime can have in the geopolitical sphere.

Targeted attacks are commonplace. The only way to face them down is with an advanced cybersecurity solution like Adaptive Defense, keeping your company safe from the sorts of silent breaches that can happen without anyone noticing. Until it’s too late.

The post Attacks That Change the Course of History appeared first on Panda Security Mediacenter.

Five Takeaways from the Security Crisis of 2016

This year we have witnessed Yahoo acknowledge the greatest data breach in history. In September, the Internet giant admitted to the theft of at least 500 million email addresses, passwords, usernames, dates of birth, phone numbers, and, in some cases, security questions with their corresponding responses. Shortly thereafter, in December, the company announced that up to 1 billion accounts may have been compromised in a different breach.

This wasn’t the only major security crisis of 2016. The personal data of Snapchat employees (names, Social Security numbers, salaries…) fell into the wrong hands because of a con known as “whaling”. Cyber criminals impersonated Evan Spiegel, the company’s CEO, in order to obtain the data in question.

The credentials of 117 million LinkedIn users, 68 million Dropbox users, and 1.5 million Verizon customers also fell into the hands of cybercriminals, some of which went up for sale on the dark web. There are a few lessons we can learn from this and other unsettling news items we’ve seen in 2016.

1- No Password is Safe

At this point, following the theft of such an enormous quantity of information, one can assume that any password that is a couple of years old is compromised. There is no service that is significantly safer to use than others, and none that we should trust blindly. It follows that the most sensible thing to do is to change all passwords that have been in use for a period of time. Reusing passwords unnecessarily puts the user at risk.

2- Security Questions Are Part of the Problem

As soon as they learned about their data breach, Yahoo disabled security questions like “when is your mother’s birthday?” and “what color was your first car?”. It’s no longer only a matter of whether the answers can be found by digging into potential victims’ profiles on social networks, but also of the fact that many answers have been directly stolen. Unlike passwords, this kind of data does not change. Substituting false data for it would be tantamount to creating a second password. In other words, the risk of forgetting it is still there, which obviously defeats its purpose as a means of password recovery. The remedy becomes worse than the original problem.

3- Delete Registration Emails

Cybercriminals place ever more value on web users’ emails and passwords. This comes as no surprise, since emails can be the door to many other things. If your password is stolen from one service, and you use the same one for email, intruders will have access to whatever recovery email they need for any other service with which you have an account. What’s more, they can look through old messages for registration emails to find out where you’ve been signed up before. This is easily avoided by deleting registration emails as soon as you receive them.

4- Bigger Fish to Fry?

If you’re running a company, however small, don’t make the mistake of thinking that data theft only affects the giants. In fact, it’s easier and more profitable for cybercriminals to target small businesses. Not only have attacks on small businesses been on the rise, but their consequences are also much more severe. The smaller the company, the greater the risk of a security crisis wiping it out.

5- Be Transparent and React Quickly

If the worst should happen, notifying your customers or users that their confidential information has been stolen should not be taken lightly. It’s important to let them know right away, with as much detail as possible and without downplaying the potential risks. Hiding or disguising the truth can only make things worse. For starters, those who have been affected will not be able to change their passwords as quickly as they should. Finally, your credibility is at stake. The damages done to it will grow the more time that passes between the breach and your announcement of it.


The post Five Takeaways from the Security Crisis of 2016 appeared first on Panda Security Mediacenter.

How Fraudulent Advertising Could Be Costly to Your Company

Your company may be losing money because of online advertising. Beyond the success of advertisements when it comes to converting marketing budgets into sales, a singular type of cyberattack threatens to directly affect your company’s accounts.

Namely, there exist networks of bots that are used to inflate the number of clicks that ads receive. These botnets enable fraudsters to manipulate web advertising metrics, which in turn leads advertisers to pay more than what they should for legitimate clicks.

A recent study reveals the worrying consequences of this subtle kind of fraud. All over the world it has already cost businesses more than $7 billion, bloating advertising figures spectacularly and making up 11% of banner impressions and 23% of video advertisement impressions.

The main problem of this cyberattack in relation to other threats on the web — such as phishing and ransomware — is that it goes completely unnoticed. After infecting devices, cybercriminals are able to discreetly redirect traffic to simulate ad clicks. Since these are real devices owned by real people, advertisers are unaware that behind their ads’ success lies an army of bots.

So, it seems like nipping the problem in the bud may be complicated (at least from the perspective of the advertiser, who is billed according to these metrics, rigged as they may be). However, there are several things that companies can do, such as using quality advertising platforms that offer certain guarantees and that have demonstrated their willingness to prosecute those responsible for these botnets.

Beyond that, it’s important to use ad metrics to check the duration of the visit to the webpage and the geographic location from which the supposed clicks are originating. This could be used to expose the fraud. Visitors that enter the page for only a fraction of a second or that do so from a faraway country that has little reason to be interested in the product will, most likely, be infected devices in the botnet.

The same thing happens with botnets used to make social network ad campaigns more expensive. These campaigns are likely orchestrated by a competitor with the intention of driving up advertising costs. In fact, they are relatively easy to track. If a wave of phantom followers appears out of the blue (without profile photos and with strange names), it is most likely fraudulent.
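The two checks the post recommends (dwell time and geographic origin) can be run over an ordinary click log. The following is an added example, not Panda Security's own tooling; the log format, the target-market list, the thresholds and the extra per-IP burst rule are assumptions, and the log lines are constructed.

```python
"""Flag suspicious ad clicks: visits that last only a fraction of a second,
come from countries with no plausible interest in the product, or arrive in
bursts from a single address are likely bot traffic rather than customers.

Example code added to this archive, not Panda Security's own tooling.
Log format, thresholds and the market list are assumptions."""
from collections import Counter

# Constructed sample click log: click_id,timestamp,src_ip,country,dwell_seconds
SAMPLE_LOG = """\
c1,2016-12-01T10:00:01,203.0.113.5,ES,42.0
c2,2016-12-01T10:00:02,203.0.113.5,ES,0.2
c3,2016-12-01T10:00:02,203.0.113.5,ES,0.3
c4,2016-12-01T10:00:03,198.51.100.7,FR,18.5
c5,2016-12-01T10:00:04,192.0.2.9,ZZ,0.1
c6,2016-12-01T10:00:05,192.0.2.10,ZZ,0.4
c7,2016-12-01T10:00:06,198.51.100.8,PT,7.0
"""

TARGET_MARKETS = {"ES", "PT", "FR"}  # assumption: countries the campaign sells to
MIN_DWELL_SECONDS = 1.0              # assumption: shorter visits are "a fraction of a second"
MAX_CLICKS_PER_IP = 2                # assumption: more clicks per IP than this is a burst


def parse_log(text):
    """Turn the CSV-style log into a list of click dicts."""
    clicks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cid, ts, ip, country, dwell = line.split(",")
        clicks.append({"id": cid, "ts": ts, "ip": ip,
                       "country": country, "dwell": float(dwell)})
    return clicks


def score_clicks(clicks):
    """Return {click_id: [reasons]} for every click that trips a heuristic."""
    per_ip = Counter(c["ip"] for c in clicks)
    flagged = {}
    for c in clicks:
        reasons = []
        if c["dwell"] < MIN_DWELL_SECONDS:
            reasons.append("dwell")
        if c["country"] not in TARGET_MARKETS:
            reasons.append("geo")
        if per_ip[c["ip"]] > MAX_CLICKS_PER_IP:
            reasons.append("ip_burst")
        if reasons:
            flagged[c["id"]] = reasons
    return flagged


def suspicious_share(clicks):
    """Fraction of clicks flagged; compare with the share you are billed for."""
    if not clicks:
        return 0.0
    return len(score_clicks(clicks)) / len(clicks)


if __name__ == "__main__":
    clicks = parse_log(SAMPLE_LOG)
    for cid, reasons in score_clicks(clicks).items():
        print(cid, reasons)
    print(f"suspicious share: {suspicious_share(clicks):.0%}")
```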

The post How Fraudulent Advertising Could Be Costly to Your Company appeared first on Panda Security Mediacenter.

Can a Hacker Guess Your Password in Only 100 Attempts?

Making sure that our employees use complex and diverse passwords, both in and out of the workplace, is of vital importance. Not least because multitudes of confidential data could be at risk because of flimsy credentials, ones that are obvious and oft-repeated.

To demonstrate the necessity of adequate protection that also allows for the handling of many distinct passwords, a group of researchers has created software that is capable of guessing passwords with only a small number of attempts. Specifically, with a little bit of the victim’s personal information, the tool would be able to hit upon the correct password testing fewer than a hundred possibilities.

It’s called TarGuess and was created by researchers at the Universities of Beijing and Fujian in China, and the University of Lancaster in the UK. According to their study, an attacker with sufficient personal information (username, a pet, family members, date of birth, or the destination of their most recent vacations) has a one in five chance of guessing their password in fewer than a hundred attempts.

All they’ve done with TarGuess is to automate the process with a tool that scours social networks for personal information that could later be used in its attempts.

Using this tool, the researchers successfully guessed 20% of the passwords of those participating in the study with only one hundred attempts. More strikingly, the success rate grows with the number of guesses. So with a thousand attempts TarGuess is able to get 25% of passwords, and with a million the success rate can climb up to 50%.

Moving beyond the controversial data breaches of platforms such as Yahoo or Dropbox, the main conclusion that this study draws is that many users’ passwords are not robust enough to withstand this kind of attack. And as if that wasn’t enough, these breaches have brought to light another risk: TarGuess reportedly detected that many of these credentials are used in other services, or at best have many similarities (constituting what they call “sister passwords”).

This investigation demonstrates once again the necessity of controlling what kind of information is published on social networks. An employee that ‘shares’ every moment of their life may be inadvertently helping a cyber attacker to learn their password, putting corporate data at risk.
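A password policy can apply the study's two findings from the defender's side: reject passwords assembled from details the user has published (names, pets, dates, places) and reject "sister passwords" that are near-copies of one used elsewhere. This is an added example, not the TarGuess tool; the profile fields, the leetspeak table, the normalisation and the distance threshold are assumptions, and the sample profile is constructed.

```python
"""Policy check motivated by the TarGuess findings: reject passwords built
from harvestable personal details and "sister passwords" that are minor
variants of a password already used on another service.

Example code added to this archive, not the researchers' tool. Profile
fields, normalisation rules and thresholds are assumptions."""
import re
import unicodedata

# assumption: the substitutions a targeted guesser would undo
LEET = str.maketrans("013457@$", "oieastas")


def normalise(s):
    """Strip accents and punctuation, lower-case; keep digits."""
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", s.lower())


def personal_tokens(profile):
    """Expand a profile into the fragments a targeted guesser would try."""
    tokens = set()
    for value in profile.values():
        value = str(value)
        for part in re.split(r"[\s\-/.]+", value):
            if len(part) >= 3:
                tokens.add(normalise(part))
        # a date like 1987-04-12 also yields 87, 0412 and 1204
        m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", value)
        if m:
            y, mo, d = m.groups()
            tokens.update({y[2:], mo + d, d + mo})
    return {t for t in tokens if t}


def personal_info_hits(password, profile):
    """Profile fragments found in the password, with leetspeak undone."""
    norm = normalise(password)
    forms = {norm, norm.translate(LEET)}
    return sorted(t for t in personal_tokens(profile)
                  if any(t in f for f in forms))


def edit_distance(a, b):
    """Plain Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_sister_password(candidate, known, max_distance=2):
    """True when the candidate is a near-copy of a password used elsewhere."""
    return edit_distance(normalise(candidate), normalise(known)) <= max_distance


def check_password(password, profile, previous=()):
    """Return a list of policy violations; empty means the password passes."""
    problems = []
    hits = personal_info_hits(password, profile)
    if hits:
        problems.append("personal:" + ",".join(hits))
    for old in previous:
        if is_sister_password(password, old):
            problems.append("sister_of:" + old)
    return problems


# Constructed profile of the kind a social-network scrape would yield.
PROFILE = {"name": "Ana García", "pet": "Rex", "birthdate": "1987-04-12",
           "city": "Bilbao", "last_holiday": "Lisbon"}

if __name__ == "__main__":
    for pw in ("R3x1987!", "Summer2017!", "correct-horse-battery"):
        print(pw, check_password(pw, PROFILE, previous=["Summer2016!"]))
```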

The post Can a Hacker Guess Your Password in Only 100 Attempts? appeared first on Panda Security Mediacenter.

An Oversight in Online Payments Allows Cards to be Hacked in Seconds

The countdown to year’s end almost inevitably means an increase in online purchases. On the heels of Black Friday and Cyber Monday, a full-blown consumerist race kicks off that goes until January. In 2016 consumers will continue turning more and more to e-commerce for their gift-giving needs.

However, the convenience of paying by credit card online comes hand in hand with a real risk to our wallets. A recent study by researchers at the University of Newcastle revealed that the existence of a multitude of online payment systems, with their corresponding security measures, isn’t enough to guarantee consumer protection. It’s more like the opposite — often, as a result of so much variety, we end up with a chaotic jumble that generates major vulnerabilities.

After analyzing several different payment methods, researchers discovered a new type of attack that allows cybercriminals to hack a credit card in only six seconds.

This kind of attack, which takes advantage of a couple of vulnerabilities with Visa cards, is already being used. In fact, it is believed to be the system used to steal money from 20,000 accounts of Tesco’s clients.

Actually, the attack is not very complex. It uses sheer brute force. Specifically, it exploits two oversights in online payment platforms. On the one hand, these platforms do not detect multiple erroneous payment requests when coming from different websites. On the other hand, they allow up to twenty erroneous payments for each credit card on each page. And as if that wasn’t enough, the payment system doesn’t refresh to request different information from the buyer after each failed attempt.

Thus, the attacker needs only a credit card number to start randomly guessing the CVV (Card Verification Value) and expiration date until it arrives at the right combination through brute force. Investigators tested this kind of attack on the 400 most popular e-commerce websites. They demonstrated that if we trust a credit card’s security as the sole safety measure, theft becomes a real possibility.

Platforms which use the Verified by Visa system or even payments with Mastercard actually escape these vulnerabilities. This shows that online credit card security by itself may, paradoxically, pose a serious risk.
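Seen from the card issuer's side, the two oversights above combine into one gap: each site counts its own failed attempts, so nothing correlates failures for the same card across sites. The following added example (not the Newcastle study's code) simulates that per-merchant policy next to a per-card counter kept across all merchants; the limits, merchant names and the event stream are constructed assumptions.

```python
"""Issuer-side comparison of two decline policies for failed online payments.

PerMerchantPolicy is what the post describes: up to 20 failures per card on
each site, counted separately by every site.  GlobalCardPolicy keeps one
failure counter per card regardless of which merchant submitted the attempt.

Example code added to this archive, not the researchers' code. Limits,
merchant names and the event stream are constructed."""
from collections import defaultdict

PER_MERCHANT_LIMIT = 20   # the per-site allowance the post describes
GLOBAL_LIMIT = 10         # assumption: issuer-wide failures per card before a block


class PerMerchantPolicy:
    """Each site counts only its own failed attempts for a card."""

    def __init__(self):
        self.failures = defaultdict(int)   # (card, merchant) -> failed attempts

    def allow(self, card, merchant):
        return self.failures[(card, merchant)] < PER_MERCHANT_LIMIT

    def record_failure(self, card, merchant):
        self.failures[(card, merchant)] += 1


class GlobalCardPolicy:
    """One failure counter per card, shared across every merchant."""

    def __init__(self):
        self.failures = defaultdict(int)   # card -> failed attempts

    def allow(self, card, merchant):
        return self.failures[card] < GLOBAL_LIMIT

    def record_failure(self, card, merchant):
        self.failures[card] += 1


def run(events, policy):
    """events: (card, merchant, verified) tuples in arrival order.

    Returns (accepted, blocked): how many attempts the policy let through to
    verification and how many it refused outright."""
    accepted = blocked = 0
    for card, merchant, verified in events:
        if not policy.allow(card, merchant):
            blocked += 1
            continue
        accepted += 1
        if not verified:
            policy.record_failure(card, merchant)
    return accepted, blocked


def distributed_attempts(card="4111-TEST", merchants=40, per_merchant=5):
    """Constructed stream: wrong CVV/expiry combinations for one card, spread
    thinly over many sites so no single site ever reaches its own limit."""
    return [(card, f"shop{m:02d}", False)
            for m in range(merchants) for _ in range(per_merchant)]


# A genuine cardholder on another card: one typo, then a correct entry.
LEGIT = [("5500-TEST", "shop01", False), ("5500-TEST", "shop01", True)]


def compare():
    """Run the same event stream through both policies."""
    events = distributed_attempts() + LEGIT
    return {"per_merchant": run(events, PerMerchantPolicy()),
            "global": run(events, GlobalCardPolicy())}


if __name__ == "__main__":
    for name, (ok, blocked) in compare().items():
        print(f"{name:13s} accepted={ok:3d} blocked={blocked:3d}")
```

With the per-merchant policy all 200 spread-out failures reach verification; the per-card counter refuses everything after the tenth failure while the second card's legitimate retry still goes through.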

The post An Oversight in Online Payments Allows Cards to be Hacked in Seconds appeared first on Panda Security Mediacenter.

Artificial Intelligence: the Future of Fighting Cybercrime

The future of corporate security lies in artificial intelligence. In fact, for better or worse, algorithms will turn out to be crucial to the protection of corporate data. These two faces of the same coin will be nothing less than malware capable of mimicking human behavior and, on the flip side, solutions that can predict which threats will endanger your company’s networks.

To date, there are already algorithms capable of imitating writing styles, and this is precisely the key to the future of cyberattacks. Just imagine, for example, an employee who receives an email supposedly sent by a superior asking him to make a money transfer. The sender doesn’t arouse suspicion because the ill-intentioned algorithm has very believably mimicked the writing style of the superior in question. This is a situation we are already seeing today.

According to the FBI, this sort of attack is not science fiction. There are already plenty of businesses that have fallen prey to these attacks, which have entailed losses of $23 million. As artificial intelligence makes headway and gains the ability to analyze more and more data of the person it plans to impersonate, so-called CEO fraud will become increasingly sophisticated and difficult to combat.

The Counterattack

However, all is not lost. As difficult as it may seem to counter these methods, businesses should take comfort in the upsides of artificial intelligence.

Indeed, the cybersecurity systems of tomorrow will come by way of algorithms that can predict future threats. To do this, they must first identify corporate system vulnerabilities that could give way to malicious software. The goal is for A.I. to be able to detect anomalies on company networks before it is too late.

For better or worse, companies will need to keep up with advances in A.I. to keep their confidential data confidential. It will be both the problem and the solution all at once. A new starting signal in the cybersecurity race that calls for the adequate protection of your company.

The post Artificial Intelligence: the Future of Fighting Cybercrime appeared first on Panda Security Mediacenter.

How a Smart Toy Could Get Hacked

Almost a decade has passed since the arrival of Furby, which made quite a splash on the children’s toys market. That was just the beginning. Now, Christmas serves as a time to usher in new companions that, of course, come with their respective apps and are able to have full conversations, as though they were alive. The Internet of Things has come to the toy store.

This new brand of entertainment carries along with it certain privacy risks for children. In fact, a recent study carried out by the Scandinavian consultancy Bouvet demonstrates how certain technologies included in modern toys connected to the Internet could present some danger.

According to the study, the Cayla doll and the robot i-Que, two American toys that are also available in a few European countries, are far from being the ideal entertainment for the kids.

For starters, they come with a voice recognition system enabling them to hold a conversation with their young owners. Built by the American company Nuance Communications, this system records the children’s speech at all times and sends it to the company, which stockpiles the audio data.

Apart from this unsettling surveillance of children, these toys pose another risk. According to the study, these products employ surreptitious advertising. Bouvet discovered that, over the course of conversations, the toys talk about other products, such as specific animation films.

As if that wasn’t enough, the investigators also discovered that the toys are able to be manipulated and that cybercriminals could hack them to cut into conversations with children or steal the conversations being recorded.

However, these aren’t the first incidents that have triggered alarms when it comes to smart toys. In fact, some companies have been adapting children’s entertainment to devices for over half a decade, not without certain risks. Just a year ago, the seventh installment of Star Wars came to toy stores with the BB-8, a friendly robot that you could control from a smartphone. Shortly after, it was revealed that this toy could be hacked and hijacked by a cyber assailant.

Last Christmas, even Barbie herself was accused of posing a danger to children. An interactive doll able to converse with humans and improve itself with automatic learning, the Hello Barbie continuously listened to what children were saying in an espionage fluke that parents and associations didn’t find very funny.

Santa Claus will have to double check the things he places under the tree this year. For starters, we should assume that to some degree all smart toys collect at least some data from our children. Before purchasing a toy connected to the Internet of Things, check consumer reports to see if there are any known vulnerabilities. And most of all, enjoy your holidays without worry.

The post How a Smart Toy Could Get Hacked appeared first on Panda Security Mediacenter.