Tag Archives: Internet Security

5 Tips for secure browsing on International Computer Security Day

Next Sunday, November 30, is International Computer Security Day. As we do not want you to get caught off guard, we give you 5 tips for secure browsing every day of the year.

International Computer Security Day

5 Tips for secure browsing

Increase the security of your passwords

Passwords are, in most cases, the only barrier between cyber-crooks and your personal data. Increase the security of your passwords for accessing all the online services you use.

And remember: Don’t use the same password for all of your services!

Keep your computer’s operating system updated

Viruses and malware exploit security vulnerabilities in outdated versions. If you want to avoid this, you need the latest security patches.

Windows, for example, simplifies the task with automatic updates so that you don’t have to worry about it.

Do not connect to unknown Wi-Fi networks

It is normal when abroad or when you have used up all of your data to look for open Wi-Fi networks to connect and browse the Internet free of charge. We all do it but that does not mean that it is secure.

Take precautions and follow these tips for connecting to a public Wi-Fi network.

Shop on well known websites with a good reputation

When shopping online, make sure that the URL of the website that appears in the browser address coincides with the website you think you are browsing, and that the address starts with HTTPS. Shopping on trusted websites with a good reputation will prevent you from falling victim to data or identity theft.

In addition, it is important to check that the privacy policy is in a visible place and is up-to-date. Knowing how to return what you buy is another important aspect to consider.

Use the best antivirus

A good antivirus does a whole lot more than keep your computer virus-free. It protects your identity, your business and also neutralizes online fraud attempts when shopping online.

Do you know which one best suits your needs? Panda has the best antivirus for you.

The post 5 Tips for secure browsing on International Computer Security Day appeared first on MediaCenter Panda Security.

Access control for companies: Which system is the most secure?

Some time ago, the most common mechanism for getting into an office was a simple key. Simple but vulnerable. Conventional locks do not identify people and can be used by anyone. In addition, it is impossible to control the number of hours worked.

Technology has provided a solution to this issue. There are now different techniques not just for opening doors but also for identifying staff and recording the time they enter and leave the premises. From a card to the voice, through the flash on a phone. There are many alternatives, but are these systems secure?

Using radio frequency-based methods – such as Bluetooth, NFC (Near Field Communication) or RFID – is simple. In the first two cases, all you need is a cell phone with this technology that can be recognized by a sensor. RFID chips are inserted in cards or even wristbands that open turnstiles and provide the employee’s details.

However, wireless malware exists. Attacks can compromise the company’s computers and users’ phones. Criminals with enough skill can remotely access the handset and take control of its functions, listen to calls or intercept messages.

There is also a risk of traditional robbery. If the smartphone is stolen from the employee’s pocket, the thief could access the premises without any problems. The same applies to cards.

But nobody can steal a part of our body (and get it to still work). Biometric techniques are gaining importance in identification systems. The most widely used today are digital fingerprint scanners and, to a lesser extent, iris, voice and facial recognition sensors.

Voice recognition is based on comparing the unique mouth patterns and linguistic habits of each person. Something similar happens with the geometric variants of the face. The processing difficulty and the number of patterns that the system must store mean that they are still minority systems.

Biometrics also has its drawbacks in terms of security. Remember that the fingerprint sensor on the iPhone (Touch ID) is vulnerable to certain types of attack. Criminals could make a replica of your finger or manipulate the sensors.

Other solutions admitted by phones are based on photonics or light recognition. The user simply needs to move the phone towards the lock, point the camera flash at the corresponding receiver and enter a password in an application. The door opens when the device detects the light signals, which form a regulated communication protocol and can transmit encrypted information.

One advantage of this technology is that only the receiver is placed at the entrance to the facilities. The data processing unit can be located inside, in a strategic place. Criminals will have to manipulate both devices in order to take total control of the system.

The majority of these techniques are still under development and they still have a long way to go before they become more widely used. The ideal solution would be to combine several of these to take advantage of the benefits of each one and reach a higher level of security.

Nigerian scam on Skype. Beware of it!

It seems that the notorious Nigerian scam is not only carried out via email. As we have been able to confirm, Skype is also being used to trick us into believing that someone with a ton of money wants to share their fortune and that we are the recipients of it.

This is the message that “reputable banker”, Abdul Iddrisu, sent to one of our colleagues on Skype.

In it he says that his bank has $17.5 million to give out, after the owner of this fortune died in an earthquake in China in 2008 and as our colleague has the same last name as the deceased, they have decided to give the money to him.

What does he have to do in exchange? Send his bank account number so that they can deposit it. As easy as that, and as unbelievable, right?

Indeed, it is neither believable nor true. Obviously nobody is going to contact you to give you $17.5 million, so never give out your personal data over the Internet. Neither should you deposit any money in exchange for an alleged prize or inheritance. Do not fall for this type of scam!

If you have a flashlight app on your phone, be very careful!

The smartphone you keep in your pocket is amazing. It does everything. Despite all of the innovative things it does, one of the best features of smartphones is something as simple as it is old: the flashlight. Useful –in its own way– when taking pictures and even more so when you need to light up a dark corner.

There is no denying it. We have all used the flashlight on our phone to shake off the uneasiness (not to say fear) caused by the dark. However, and surprising as it may seem, perhaps we should not be so much afraid of the lack of light as of the app that we use on our phone to shed light.

Apps that control the flashlight on the phone – there are thousands in the app stores – are not as harmless as they may seem. It is true that you do not have to register or provide any data in order to use them but the flashlight on your phone knows a lot about you, which makes it an interesting target for cyber-crooks.

Flashlight 007, with a license for everything

As already mentioned, you do not tell your flashlight app anything but it is capable of shedding light on a good handful of conclusions about your movements. The worst thing is that if it does this, it is because you have allowed it to.

Before downloading any app you have to give it certain permissions. This gives many of the apps installed on smartphones permission to know your location using GPS data, to take pictures, record sounds and even read your text messages. This is particularly true of phones running Android as the operating system, because Windows and Apple restrict the capability of apps to spy on us (always with your permission, of course).

According to a report from SnoopWall, a company dedicated to smartphone security, flashlight apps are surprisingly quite demanding as regards permissions. A simple glance at the table compiled by SnoopWall could make your hair stand on end:

[Image: SnoopWall’s table of the permissions requested by flashlight apps]

The apps included in the table are not selected at random. There is no need to rummage through tons of apps available on Google Play to find flashlights that want to find out everything about you. In fact, these ones in particular make up the top 10 flashlight apps for Android.

Of these, the least demanding asks for permission to read the phone status, take pictures and videos, view Internet connections and full network access. Other flashlight apps ask for permission for everything they can think of, GPS location included.

The problem, of course, is that we usually download and install apps in a hurry, accepting whatever the app asks for without thinking twice about it. By doing this you are practically handing the keys to your life – your digital life at least – to any stranger.
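To make the permission check described above concrete, here is an added example (not from the original post or from SnoopWall) that reads an app's manifest and sorts the requested permissions into what a flashlight plausibly needs and what exposes personal data. It assumes the `AndroidManifest.xml` has already been decoded to text XML; the `BASELINE` set and the `com.example.torch` sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Assumption: what a torch app plausibly needs to drive the camera LED.
BASELINE = {"CAMERA", "FLASHLIGHT"}

# Data-exposing permissions of the kinds the article lists.
SENSITIVE = {
    "ACCESS_FINE_LOCATION": "precise GPS location",
    "ACCESS_COARSE_LOCATION": "approximate location",
    "RECORD_AUDIO": "record sounds",
    "READ_SMS": "read text messages",
    "READ_PHONE_STATE": "read phone status and identity",
}
NETWORK = {
    "INTERNET": "full network access",
    "ACCESS_NETWORK_STATE": "view network connections",
}

# Constructed sample manifest, not taken from any real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml.strip())
    names = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                # Drop the common prefix so the names are easier to read.
                names.append(name[len(PREFIX):] if name.startswith(PREFIX) else name)
    return names


def audit(manifest_xml):
    """Group permissions and flag the data-plus-network combination."""
    requested = requested_permissions(manifest_xml)
    sensitive = {p: SENSITIVE[p] for p in requested if p in SENSITIVE}
    network = {p: NETWORK[p] for p in requested if p in NETWORK}
    known = BASELINE | set(SENSITIVE) | set(NETWORK)
    return {
        "expected": sorted(p for p in requested if p in BASELINE),
        "sensitive": sensitive,
        "network": network,
        "other": sorted(p for p in requested if p not in known),
        # Personal data can only leave the phone if the app may also go online.
        "can_send_personal_data": bool(sensitive) and "INTERNET" in requested,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```
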

The key lies in advertising

The time has come to answer the big question. Why does a flashlight want so many permissions? Firstly, in general there is no need to worry: if these apps ask for so much it is because of advertising.

Another thing flashlight apps have in common is that they are free. Therefore, developers seek to monetize every download through advertising. Flashlight apps need an Internet connection and know your location and other data that allows advertising to be adapted to your habits.

Consequently, downloading and using these apps is not necessarily dangerous, but it is better to err on the side of caution. To prevent a cyber-crook from tricking you into installing one of these apps and stealing your data, it is better to use trusted apps.

Even though the most trusted apps ask for information and control of some of the tools on the phone, it is better to use those with the best statistics: the most downloaded and the highest rated are the most trustworthy. However, now you know that for these flashlights to provide light, first of all you will have to give them permission to shed some light on the inside of your phone (and they take everything of interest to them).

Careful with photos from unknown sources in Android: They could now contain a nasty surprise

We now live in the age of the image. Hardly a day goes by when we don’t download or share an image of friends or family. The saying ‘A picture is worth a thousand words’ has become a motto for our everyday lives.

Well aware of this are those who prowl the Internet with malicious intent. They know that images are now swarming across the Web, and as such represent the perfect Trojan horse to conceal malicious content. In fact, had it not been for Axelle Apvrille and Ange Albertini, many would already have tried. These researchers were responsible for uncovering a crack in the defensive wall of Google’s mobile operating system, through which images can be used to hide malicious software, which could then slip past the system’s protection.

At the latest Black Hat Europe event in Amsterdam, these cyber-security experts presented their work on the vulnerability in Android. Due to this flaw, malicious users could reach the smartphone or tablet of any user through an image which, when downloaded, would become a file that could infect the device.

According to Apvrille and Albertini, the malicious payload could be concealed in any image, regardless of format. Whether a .png or .jpg, what to the naked eye is simply a picture of a person, could simply be a front for code that would be released from the image and spread malware.

To demonstrate the existence of the vulnerability, they created a tool called AngeCryption, which let them convert images into packets. Thanks to this, they could hide anything they wanted to transmit from one device to another without security systems or Google’s own scanner being aware of its existence. So behind an apparently inoffensive image there could be an .apk, the type of executable file that allows applications to be installed.

In the proof-of-concept presented by the researchers, they used an image of Darth Vader to hide a malicious app designed to steal photos, messages and other data from the devices it is downloaded to.

Imagine a contact sent you an image via WhatsApp and you downloaded it. Without your knowing, an app would be installed on your device that could search for and steal anything it found. This is precisely what this vulnerability allows.

“Such an attack is highly likely to go unnoticed, because the wrapping Android package hardly has anything suspicious about it,” explain Apvrille and Albertini. They also warn that this flaw has been present in all versions of Android so far.

The discovery of this security hole was kept quiet until the researchers were able to inform Google and the company’s security team had time to fix it. So are you now safe? Yes, but only if you remember to upgrade your smart phone or tablet. If you don’t, you will be exposed to potentially nasty surprises.

So we advise you:

  • Be careful with photos from unknown sources.
  • Install any available Google updates.

Also, as prevention is better than cure, install our antivirus for Android devices. Why take unnecessary risks?

How can you tell if a shortened link is secure?

At some time in our (digital) lives, we’re bound to come across shortened links or URLs. On social networks, for example, you can’t avoid them.

There’s no doubting that they are highly useful. In a tweet, for example, characterized by the famous 140-character limit, a shortened URL creates space to write something else. Moreover, they offer other characteristics, though one of these has become a double-edged sword: You don’t know where it will take you.

This is where you have to tread carefully. A shortened link is really a mystery. You don’t know which website it will take you to or what might appear on the screen. As such, these shortened URLs are the perfect tool for malware and phishing. Click them at your peril.

Yet there’s no need to panic. Just because you come across them every day on Twitter and they could contain a nasty surprise doesn’t mean that every one is a booby trap. Some simple caution and common sense can prevent a catastrophe on your computer.

To start with, be careful with the source of the URL. If it’s an online media channel or blog that is tweeting the headline of an article and a link to it, it is reasonable to suppose that the link will take you to the article. So click away! However, if you find a message from a known (or unknown) contact saying, “Hey, you look great in this photo!” and with a shortened link, be very wary.

Among the numerous services used to shorten links, some are more reliable than others. The Google and Bit.ly services are among the most secure, though not so much so that you can confidently click them if the source is unknown.

How can you tell if a shortened link is secure?

Using your common sense is a good initial filter to apply when deciding whether or not to click, though it is not infallible. Fortunately, there are quite a few tools that let you expand shortened links, or in other words, see what’s really behind each link and avoid disasters.

First, here’s a little trick if you come across Bit.ly or Google shortened links. Copy the link, paste it in your browser address bar and, before hitting ‘Enter’, add the “+” symbol. This way you can see the statistics associated with the URL, and more importantly, you can see which website it takes you to, among other things.

Apart from this useful trick, a browser extension or a visit to a certain website could also be enough to prevent any cyber-criminals from giving you a nasty surprise through an apparently interesting link.

Websites such as LongURL or Unshorten.it reverse the process of URL shorteners. Enter any suspect shortened URLs in these pages and you can see exactly where they take you.

As we said before, these are not the only ways of ensuring the security of the shortened URLs that you come across every day on social networks. Probably the most convenient way is to install an extension on your browser that tells you where these links point to without having to continually consult an external website as we described above.

Both for Google Chrome and for Mozilla Firefox, there is a solution to deal with the problem of shortened links.

  • For Firefox, you can use the corresponding version of Unshorten.it. Whereas the website expands shortened links, the add-on for Firefox does so directly from the browser, thereby saving you a few seconds. Instead of having to open a new tab in the browser and cut and paste the URL, this extension means that you only have to right-click the shortened link and select the option: ‘Unshorten this link’.

  • If you use Google Chrome, you also have plenty of options. For example, LongURL (that’s right, the Google browser version of the website we mentioned before), is an add-on that displays all the data regarding the shortened link – including the URL – when you pass the cursor over it.

Regardless of the method you choose, you’ll still have to employ some common sense to decide whether the page is bona fide or not. When you expand a link and the name of the website isn’t familiar or what you see is a completely incomprehensible Web address, you’d better be cautious and not go there. In this case, the saying is quite appropriate: ‘Better safe than sorry’.
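What the expanders described above do can be sketched in a few lines. This is an added example, not code from LongURL, Unshorten.it or the original post: it follows a shortened link one redirect at a time with HEAD requests, so the destination page is never loaded, and then reports where the link ends and what looks odd about it. The sample redirect table, the `.example` hosts and the warning wording are constructed for illustration.

```python
import http.client
import ipaddress
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample: URL -> (status, Location header). All hosts are placeholders.
SAMPLE_REDIRECTS = {
    "https://short.example/abc": (301, "https://tracker.example/r?id=1"),
    "https://tracker.example/r?id=1": (302, "http://203.0.113.7/login"),
    "http://203.0.113.7/login": (200, None),
}


def head_location(url, timeout=5):
    """One HEAD request, no body download: return (status, Location or None)."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def is_ip_literal(host):
    """True when the host is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def expand(url, fetch=head_location, known_hosts=()):
    """Follow redirects by hand and describe where the link really ends."""
    chain, warnings = [url], []
    for _ in range(MAX_HOPS):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break                                # reached the destination
        nxt = urljoin(chain[-1], location)       # Location may be relative
        if urlsplit(nxt).scheme not in ("http", "https"):
            warnings.append("redirect to non-web scheme")
            break
        if nxt in chain:
            warnings.append("redirect loop")
            break
        chain.append(nxt)
    else:
        warnings.append("too many redirects")

    final = urlsplit(chain[-1])
    host = (final.hostname or "").lower()
    if final.scheme != "https":
        warnings.append("destination is not HTTPS")
    if is_ip_literal(host):
        warnings.append("destination host is a raw IP address")
    if "xn--" in host:
        warnings.append("destination host uses punycode")
    if known_hosts and not any(host == k or host.endswith("." + k)
                               for k in known_hosts):
        warnings.append("destination host is not one you listed as familiar")
    return {"final": chain[-1], "host": host, "hops": len(chain) - 1,
            "chain": chain, "warnings": warnings}


if __name__ == "__main__":
    # Offline demo: the lambda stands in for the network.
    report = expand("https://short.example/abc",
                    fetch=lambda u: SAMPLE_REDIRECTS[u],
                    known_hosts=("example.org",))
    print(" -> ".join(report["chain"]))
    for w in report["warnings"]:
        print("warning:", w)
```

Called without the `fetch` argument, `expand` uses real HEAD requests; a clean result only tells you where the link points, not whether that site is trustworthy.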

Have you got a WordPress blog? Watch out, plugins are their Achilles’ heel

Attacks on Dropbox, leaks of Snapchat images, nude photos of celebrities published on the Internet… You’ve probably read about some of these high-profile IT attacks that have taken place over the last few weeks.

All websites that have carried these or similar stories have a ‘B-side’. Everything you see is built on a content management system, otherwise known as CMS. Today, the most popular of these is WordPress. No doubt you’ve heard of it, or perhaps you have even used it as a tool to venture into the blogosphere. There are now some 75 million pages running on WordPress. And of course, they are also vulnerable to cyber-attacks.

Being the most popular CMS also makes it the most vulnerable. Not because WordPress has more security holes than others, simply because it is the one that has been most targeted and researched by cyber-criminals.

In recent months, tens of thousands of pages built on WordPress have been hacked. Needless to say this CMS is not perfect and has vulnerabilities, but that still doesn’t explain these mass attacks. “WordPress has been around for a long time, and during that time they’ve had the chance to patch a lot of vulnerabilities and change the way that they develop software in a secure manner,” says researcher Ryan Dewhurst. “They’ve got a great team that knows what they’re doing, and even though vulnerabilities are still found in WordPress, it is less common for them to be found in their core code.”

Dewhurst has published a database of WordPress flaws over recent years, though don’t expect a long list of security holes.

So, what explains the hacking of 50,000 websites last summer? The answer lies not in the WordPress CMS, but in the seemingly inoffensive ‘plugins’.

Plugins are small additional tools that add new functions to those offered by WordPress by default.

They have however become a real Trojan horse. The problem is similar to the one that has affected Snapchat or Dropbox in the last few weeks. As it is a third-party service, WordPress has no control over the security holes that could be present in the plugins.

There are more than 30,000 of them and monitoring all of them would be a Herculean task for the company. And this is where the cyber-criminals have entered the scene.

What’s the solution?

It would seem then that preventing future attacks is not in the hands of the CMS, though a bit of care on the part of the user could help avoid future problems.

In theory at least, one of the solutions is to avoid WordPress altogether. If this CMS is being attacked due to its popularity (according to a report by Imperva, the number of attacks on WordPress websites is 24% greater than those on pages using other CMS), it may be sufficient to stop using it. However, don’t be fooled by the numbers: WordPress suffers more attacks, but other tools like Joomla or Drupal are just as vulnerable.

For now, the best thing is to tread carefully when using WordPress plugins (and other CMS): Running a search to check whether the plugin you want to use is secure or if it is prone to attacks could save you problems in the future.

419 scam. How to recognize it

If you have an email address no doubt at some time or another you have received an email from some friendly soul claiming that you’ve won a large sum of money.

Inevitably, in order to receive the money, you’ll first have to stump up a certain amount of cash.

This type of message, which often finds its way into users’ junk mail tray, is a variation of the scam known as the Nigerian letter, or the 419 scam (as they violate section 419 of the Nigerian criminal code).

Though this is one of the oldest scams on the Web, such emails are still commonplace for the simple reason that people still fall for it.

Variations of the 419 scam

  • The classic scam: Someone contacts you asking for help to get a large amount of money out of the country, in exchange for a decent commission. Sometimes the scammers even claim to represent a company that needs to get cash out of the country.
  • Animals: The criminals advertise cats, dogs, etc. for sale or even adoption. If you want one however, you are asked to forward the shipping costs first.
  • Lottery: Perhaps one of the funniest scams is the one that informs you that you have won the lottery… even if you didn’t buy a ticket! As usual, to receive your prize you have to send some cash up front.
  • An inheritance: You have inherited a sum of money from someone you didn’t even know, though of course, in order to receive it you must first hand over a small deposit.
  • Love: Someone you have never seen has fallen in love with you and has contacted you as they desperately want you to reciprocate. Once they have stolen your heart, they will need money in order to come and see you.

As we mentioned before, incredible though it may seem, people still fall for these scams.

Needless to say, you should never send money to someone who contacts you via email and neither should you reveal personal or financial information via email or over the phone.

How to boost security on your Facebook account with two-step verification

No doubt you’ve heard about two-step verification used on various social networks.

Having this option enabled lets you increase security on your account and helps prevent unauthorized and potentially malicious access.

In the case of Facebook, the process is simple, and all you need is your cell phone handy to confirm access from a new device. In Facebook, a new device is one that you haven’t used previously to connect to the platform.

This way, what you have to do is approve logins to prevent others from accessing your account.

Here we explain step-by-step how to enable login approvals.

How to boost security on your Facebook account with two-step verification

In your Facebook account, go to Settings.

Go into Account Settings and select Security. There you will see “Login Approvals”.

From there click “Require a security code to access my account from unknown browsers”.

When you enter the code that they send to your phone, you will have to enter your Facebook account password.

Now you have enabled login approvals.

Facebook also gives you the option to print security codes in case at some time you don’t have your phone handy. It’s easy, right?

Apple Pay: Apple’s new payment system.

On September 9, Tim Cook gave us the lowdown on Apple’s latest innovations, among them, Apple Pay. For those who don’t know, this is an electronic payment system, a type of digital wallet, available for iPhone and Apple Watch and which will first begin to operate with partners such as Mastercard, Visa and American Express in October in the U.S. before being extended to other countries.

This innovation will allow users to pay for goods in stores as well as through other applications. Many already wonder whether in the not too distant future this type of payment may become commonplace, and if so, whether it will be secure. Having your hard-earned money passed from one online digital application to another without ever physically having your hands on it is still a concept many of us are yet to feel entirely comfortable with. And with good reason: any cyber-criminal that accesses your device could have access to your money.

The experts however, believe that this could be a secure option for the transactions of the future. So what type of security does it use?

Apple Pay security methods

1. Tokens

Apple has explained that transactions with this system will be secure because it uses a method known as ‘tokenization’. This is a system often used by financial institutions because it replaces the traditional digits of credit and debit cards with a complex code (‘token’) generated at random, which only keeps the last four digits from the real number and is transmitted between devices.

The great advantage of these numbers is that on their own they are useless and they are only used once. Every time a payment is made a new number is generated. So even if they are intercepted, they can’t be used for anything. This means there is no trace of the data on the credit cards. Even the stores don’t save this data on their servers. The credit card number isn’t stored anywhere, rather the number is associated with a device ID that is saved on a chip inside the terminal.

The exchange of data required for the transaction is carried out with near-field communication (NFC) wireless technology. This is an open platform whose strong point is that it enables fast wireless communication over distances of less than 20cm. However, there are those who question its security: the data can be intercepted, although this is precisely the reason that there are stronger security measures.

2. Touch ID

The transaction is completed with Apple’s Touch ID fingerprint sensor. The user doesn’t have to enter a password: the payment process is completed when the user authorizes it by placing a finger on the iPhone ‘Home’ button.

3. CVV

Yet besides the ‘tokens’ and Touch ID, there’s another layer of security. Whenever a user goes to pay, their mobile device sends a CVV. This is normally the three-digit number found on the back of a credit card but this time it’s a number randomly generated by the payment application. Consequently, the device identifies itself to the receiver, which verifies that the ‘tokens’ have been created on the order of the card owner.

The way the application works is simple: All you need is one of the Apple devices mentioned above and to place it close to the store’s payment terminal.

The process is as follows: when the application is launched, the device connects securely to the payment system and selects a credit card stored on the chip integrated in the phone and whose number is associated to an identifier in the device.

The identifier is combined with the ‘token’ and then the application asks the user to identify themselves through the Touch ID fingerprint scanner. The information is then sent to the bank by the store and the transaction is confirmed. And that’s it. Secure transactions can be as simple as that.
