Tag Archives: Internet Security

The danger of shortened links: exposed personal information

Microblogging lets us turn a thought or a status update into a conversation, and social networks like Twitter have made this kind of instant communication routine. Twitter's 140-character limit is also what made bit.ly, the most popular service for shrinking long URLs, so widely used. But, as always, Bitly's effectiveness and convenience come with security risks.

Most of us are aware that shortened links can be dangerous for an obvious reason: we don't know what is behind the link. All we see is the condensed URL, and we only learn the real destination once we click. To see the original URL before clicking, we need a separate service. Browser extensions such as Unshorten.it for Mozilla Firefox or LongURL for Google Chrome were created to make this easier.

Relying on shortened links can be dangerous


A recent study by researchers at Cornell Tech in New York showed that the danger is not only where a short link takes you, but also what it exposes. Private files stored in the cloud are at risk too: starting from nothing but shortened links, the researchers were able to reach thousands of files shared through OneDrive, Google Drive and Google Maps.

The problem is that these short URLs are not only short but also predictable: every link is the same domain followed by a token of just a few letters and digits, typically six. An attacker can generate hundreds or thousands of candidate tokens automatically in seconds, follow each redirect, and keep only those that land on a file in the cloud.
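To make that arithmetic concrete, here is an added example in Python (not code from the Cornell study or from Panda Security). It computes the size of the token space for the usual 62-character alphabet, and runs a scan over a constructed redirect table that stands in for a shortener's HTTP redirects, keeping only tokens whose destination is a cloud-storage or mapping host. The hostnames in CLOUD_HOSTS and the FAKE_REDIRECTS table are assumptions for illustration; nothing is sent over the network, and scanning a real shortener without permission would breach its terms of service. The defender's lesson is the point: a short link to an unlisted file is not a secret.

```python
"""Added example: why short-URL tokens make 'unlisted' cloud links enumerable."""
import random
import string
from urllib.parse import urlsplit

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, the usual shortener alphabet

# Hosts of the cloud services named in the text (assumed list; extend for your environment)
CLOUD_HOSTS = {
    "onedrive.live.com": "OneDrive",
    "1drv.ms": "OneDrive",
    "drive.google.com": "Google Drive",
    "docs.google.com": "Google Drive",
    "maps.google.com": "Google Maps",
}


def keyspace(token_length, alphabet=ALPHABET):
    """Number of possible tokens: 62**6 is about 5.7e10, 62**5 is under 1e9."""
    return len(alphabet) ** token_length


def hours_to_enumerate(token_length, requests_per_second):
    """Wall-clock hours needed to try every token at a given request rate."""
    return keyspace(token_length) / requests_per_second / 3600


def classify_destination(url):
    """Name the cloud service behind a resolved URL, or None if it is not one."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in CLOUD_HOSTS:
        return CLOUD_HOSTS[host]
    if host in ("google.com", "www.google.com") and parts.path.startswith("/maps"):
        return "Google Maps"
    return None


def random_tokens(count, token_length, rng):
    """Random sampling of the token space, which is cheaper than a full sweep."""
    return ["".join(rng.choice(ALPHABET) for _ in range(token_length)) for _ in range(count)]


def scan(tokens, resolve):
    """resolve(token) stands in for following the shortener's HTTP redirect.
    Returns {token: (service, destination)} for tokens that land on cloud storage."""
    hits = {}
    for token in tokens:
        destination = resolve(token)
        if destination is None:
            continue
        service = classify_destination(destination)
        if service is not None:
            hits[token] = (service, destination)
    return hits


# Constructed redirect table standing in for a live shortener (no real links).
FAKE_REDIRECTS = {
    "aB3xY9": "https://1drv.ms/f/s!CONSTRUCTED_SHARE_ID",
    "Q7mN2k": "https://www.google.com/maps/place/CONSTRUCTED_ADDRESS",
    "zZ0pLq": "https://example.org/blog/post",
    "Hh8Rt1": "https://docs.google.com/document/d/CONSTRUCTED_DOC_ID/edit",
}


def demo():
    """Mix the table's tokens into a batch of random guesses, as a sweep would find them."""
    rng = random.Random(2016)
    tokens = random_tokens(20, 6, rng) + list(FAKE_REDIRECTS)
    rng.shuffle(tokens)
    return scan(tokens, FAKE_REDIRECTS.get)


if __name__ == "__main__":
    print(f"62^6 tokens: {keyspace(6):,}; at 1,000 req/s that is "
          f"{hours_to_enumerate(6, 1000) / 24 / 365:.1f} years, "
          f"but 62^5 takes only {hours_to_enumerate(5, 1000):.0f} hours")
    for token, (service, dest) in demo().items():
        print(token, "->", service, dest)
```

Three of the four constructed tokens resolve to cloud or mapping hosts and are kept; the blog post is discarded. The rate you plug into `hours_to_enumerate` is the only thing standing between a five-character token space and an afternoon's work, which is why the study's remedy was to stop generating short links for sensitive shares rather than to hope nobody guesses them.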


When links fall into the wrong hands


“OneDrive URLs have predictable structure.  From the URL to a single shared document (“seed”), one can construct the root URL and automatically traverse the account”, as explained in the study. Following this procedure, researchers have gained access to nearly a million and a half files, “including hundreds of thousands of PDFs and Word documents, spreadsheets, multimedia and executables”.


Once the right links are discovered, an attacker can not only read the sensitive information in the files but, because many of the exposed OneDrive folders are writable, also use the cloud itself to infect phones and computers. “This means that anyone who randomly scans bit.ly URLs will find thousands of unlocked OneDrive folders and can modify existing files in them or upload arbitrary content, potentially including malware.” As a distribution channel this is worrying because it is both fast and effective: a file planted in a synced folder arrives on the owner's devices on its own.

The post The danger of shortened links: exposed personal information appeared first on Panda Security Mediacenter.

Cyber-criminals really “Like” Facebook


With 1.59 billion monthly active users, Facebook is the social network. It has just posted quarterly earnings up 50%, and cyber-criminals are well aware of that success.

Such platforms are ideal places to “phish” for information: 18% of companies infected by malware were infected through social networks. Attackers pose as members of a company's customer service team in order to steal sensitive data from its customers.

A recent study by RSA argues that cyber-crime on social networks has become a “global epidemic”. RSA is the security company founded by the creators of the RSA public-key algorithm, the one working behind the scenes when we bank online or digitally sign a document.

Cyber-crime in social networks is a “global epidemic”

These platforms are not only hot-spots for attacks but they have also become the perfect forum for scammers to communicate. According to the study, there are more than 500 online fraud related groups with more than 220,000 members. The majority of these groups are public and visible.

Uncovering Credit Card Data

Fraudsters share information such as credit card numbers together with the cardholder's personal details and authorization codes, as well as cyber-crime tutorials and malware tools.

To prove it, the report invites us to type the terms “CVV” or “CVV2” (the names of the verification numbers printed on the back of a credit card, not your own numbers) into the Facebook search bar. The result will surprise you: it is easier to find data from a stolen credit card than to find an old friend you are trying to reconnect with.


In total, RSA detected some 15,000 compromised credit cards publicised on social networks during the six months of the study. It also found that many of these criminal groups focus their attacks on shops, banks and consumer accounts in their own region.

In China and Russia, platforms QQ and VKontakte are preferred by the scammers, while in the rest of the countries, Facebook remains the favorite. Unfortunately for us, cyber-criminals really “Like” Facebook.

The post Cyber-criminals really “Like” Facebook appeared first on Panda Security Mediacenter.

It’s easy to fool CAPTCHA

CAPTCHA: humans vs. computers

On some websites, you may have noticed that you are prevented from continuing your visit or purchase until you solve a puzzle of obscure letters or pictures. After staring at a few squiggly lines, deciphering the words, and typing the correct word in a blank space, you may finally continue. This process is done to verify that we are, in fact, humans accessing the site.

This test is called CAPTCHA (Completely Automated Public Turing Test to Tell Humans and Computers Apart) and is used all over the web. The ticket sales website, Ticketmaster, is an excellent example of CAPTCHA-in-use; without the human-verification test, a “robot” could potentially buy millions of tickets before a concert or event sells out, and then reap the benefits of scalping them for much higher prices.

Having to decipher a combination of letters and numbers every time we do something on the web is annoying, and time-consuming: each CAPTCHA you solve costs about 10 seconds of your life. That is why CAPTCHA has earned a bad reputation among Internet users, even though it was created to protect us.

CAPTCHA prevents a cyber-criminal from raiding the internet

Captcha cares!

Luis von Ahn, one of CAPTCHA's original creators, has continued to develop the test together with Google, which now owns it. It was reborn as reCAPTCHA, an extension of CAPTCHA that takes words from scanned pages of old books, words that are harder for a computer to untangle. It protects us while helping to “digitize text, annotate images, and build machine learning datasets”, so those ten precious seconds are now put to some use.

It's great that we are helping digitize books, but when it comes to internet security, are CAPTCHAs effective?


Bypassing Google’s CAPTCHA is dangerously easy

A trio of researchers from Columbia University in New York showed how easy it is to bypass some CAPTCHAs, including Google's image-based reCAPTCHA. Tests like these make it harder for attackers to run bots that harvest e-mail addresses en masse for spam campaigns, but they are not foolproof: the researchers automated the solving step itself, using image-recognition software to answer the picture challenges, so computers can already pass reCAPTCHA much as you or I would.


We are ever more surrounded by technology: computers depend less and less on humans, and software can be programmed to do more and more human-like things. It is a cat-and-mouse game, but Google keeps designing and running tests like CAPTCHA to keep bots from doing what only humans should.

The post It’s easy to fool CAPTCHA appeared first on Panda Security Mediacenter.

Your smartphone is no longer the “smartest” option


Synching your smartphone and computer might increase your chances of being hacked

A classic piece of advice for keeping e-mail, social network and other online accounts safe is to enable two-step verification. This mechanism makes it harder for a cyber-criminal to get into your account: when a device other than the “usual” one (a different computer or smartphone) tries to log in, a code is sent to the mobile phone associated with the account and must be entered before access is granted.

A cyber-criminal trying to get into your account, who in theory has no access to your smartphone, would find this very hard to get past. Or so we thought. Researchers at the Vrije Universiteit Amsterdam have shown that this protection gets weaker the more tightly our devices talk to each other. In other words, the more computers, smartphones and other devices that share access to your accounts and passwords, the greater the chance that one of them is used to hijack an account.

Two-step verification is one of the most popular security measures

In other words, because applications synchronise between devices such as your computer and your smartphone (so that what you do on one affects the other), two-step verification loses effectiveness.


Android and iOS, equally vulnerable

The study's authors showed that apps can be installed on your smartphone remotely from the computer: on Android by visiting Google Play in the browser, and on iOS through iTunes.

In both cases, with slightly different strategies, they managed to intercept the verification code that websites send to the phone by SMS, so an attacker who has compromised your computer could well get into your Facebook, Google or Amazon accounts, to name just a few.

The verification code that websites send you through SMS can be intercepted


Don’t stop doing what you’ve been doing

Knowing about this weakness does not mean it is no longer worth enabling two-step verification on every service that offers it. Every obstacle you put between attackers and your personal information still counts.

The post Your smartphone is no longer the “smartest” option appeared first on Panda Security Mediacenter.

Facebook alerts you if someone tries to steal your identity


Connections are made and maintained online via social media

You can get insight into the life of a stranger through their Instagram photos, Snapchats, or profile pages, but when does it become too much? Our names alone can connect the dots for a perpetrator, making it easy to know our whereabouts. Information about where we work, where we went to University, or where our favorite coffee shop is…it’s all online.  Everything you “share” can have serious backlash: identity theft.

Celebrities are commonly impersonated online, on fake Instagram and Facebook accounts, but they are not the only ones who need to keep track of their digital reputations. A stranger can copy your photos and concoct their own version of your life.  It could be very possible that someone has already impersonated you.

Fight the fakes

The social network created by Mark Zuckerberg is fighting these fake accounts with a tool that automatically notifies users who may be victims of impersonation. The feature is already available in 75% of the world's countries.

When Facebook detects that another account may be posing as you, it automatically notifies you about the potentially “fake” profile. You can then confirm or deny that the profile is an impostor. If you confirm, Facebook's team takes over and reviews the case manually; that is the one part of the notification system that is not automated.

Although Facebook says impersonation is not a widespread problem, Zuckerberg has added it to the list of harassment he does not want associated with his company. To fight it, Facebook will keep its strict and controversial real-name policy (users must identify themselves with their real names) and will also actively pursue impersonators.


Using our photos without our consent

Facebook has two further security features in the pipeline: a system for reporting intimate photos shared without the subject's consent, and a tool that lets users check the privacy status of the images uploaded to their accounts. It has also introduced a feature for managing the privacy settings of your photos (who can see them, and do you really want them to be public?).

Though security is always advancing, the bad guys of the Internet are closely following behind. Next time you decide to upload personal photos, “check-in” to a geographical location, or update your work history on LinkedIn, remember that someone, somewhere might use your identity for their own personal gain.

The post Facebook alerts you if someone tries to steal your identity appeared first on Panda Security Mediacenter.

WebUSB API — Connect Your USB Devices Securely to the Internet

Two Google engineers have developed a draft API called WebUSB that would let web pages talk to your USB devices safely and securely, bypassing the need for native drivers.

WebUSB, developed by Reilly Grant and Ken Rockot, has been submitted to the World Wide Web Consortium's Web Incubator Community Group (W3C WICG) and is built to offer a universal platform that could

Five myths about security that most people still believe


Myth #1: “The network would be safer if we shut down the deep web”

Looking for the GOOD in goodbye 

Where can you go to escape the reach of Google's tentacles? Some go to the deep web, the part of the Internet that search engines don't index, and to its darker corner, the Tor-based dark web. In a recent poll by the Centre for International Governance Innovation (CIGI), 70% of those interviewed thought that shutting down the dark web would be a good way to fight cyber-crime and terrorism.

Surprisingly, radical groups like ISIS rarely use the dark web, as a recent study by researchers Daniel Moore and Thomas Rid shows. ISIS propaganda and recruitment are spread across the open Internet, on “traditional” websites and social networks, so that the message reaches as many people as possible.

Eliminating the dark web would not plant a seed of peace in its place. The dark web is often a platform for free expression in countries where communication and Internet access are restricted. So, in a way, sweeping away the dark web could kill activism rather than terrorism.

Myth #2: Software must have back doors for governments

When one door closes another one opens

No need to hide the key under the mat any more. Following Snowden's revelations about intelligence agencies' cyber-surveillance and the Apple-FBI dispute over the San Bernardino iPhone, most participants (63%) think that government intelligence agencies should have unlimited access to devices (for reasons of national security, of course).

If that were allowed, governments would not have to go to the trouble of breaking ciphers, the mathematical schemes behind encryption, which are infeasible to break unless there is a flaw in the algorithm or its implementation. The problem is that a back door leaves every user vulnerable, and users are the very people encryption is meant to protect: a key that exists for governments also exists for anyone who steals or rediscovers it. With weakened encryption or built-in back doors, the programs and apps we use every day would be at the mercy of cyber-criminals.


Myth #3: Cybersecurity is not for everyone

How to cover your tracks

Many users think that the privacy-protecting programs and services recommended by Snowden and other activists are not available to us “common people”, but there are many ways to communicate anonymously online. Browsing with the free software program Tor (The Onion Router) or adding PGP (Pretty Good Privacy) encryption to your e-mail may seem extremely complex, but anyone can do it with the tutorials available online.

Myth #4: Who would want to attack me?

You’re the fish they want to fry

Maybe you think you're not a target. You're wrong. The most attractive victims for cyber-crooks aren't the wealthiest, but the easiest to attack. If you haven't budgeted for antivirus protection, you are exactly the fish they want to catch!


Myth #5: Phones don’t need antivirus software

My $700 phone is unstoppable!

So you think your phone can do it all? That slow-motion video mode won't stop you getting hacked. There is a long list of reasons to install a good security solution on your smartphone or tablet, and one of them is money: the price of your latest-generation phone can climb a lot higher if it isn't protected. Ransomware (malware that “kidnaps” your data and demands payment to give it back) is now one of the most common threats to the hugely popular Android and iOS phones, with ransoms averaging around US$350.

Don’t stop protecting! Learn more about the internet’s cockroaches

The post Five myths about security that most people still believe appeared first on Panda Security Mediacenter.

Your money or your data!

The scene unfolds like a cyber thriller. You fire up your PC and a message appears saying your files have been encrypted. Your screen looks like it’s from the FBI. Sometimes it identifies itself as malware. Sometimes it’s a plain-text message. When you click around in your PC (assuming you still can), you find that your photos and text files are indeed unavailable.

The screen also asks for money. To get the key that decrypts your files, you must pay, usually in some hard-to-trace currency such as bitcoin. In most cases there is a firm deadline for payment; miss it and the price shoots up. At some point the key is gone for good and your files stay encrypted forever.

Welcome to the world of ransomware.

Although this form of malware can get onto devices in any number of ways, phishing is probably the most common vehicle. Basically, the bad guys send innocent-looking e-mails that ask recipients to click a link or download an attachment (phishing is also used to ask for money directly). A small piece of software then infects the machine and encrypts files before demanding cash. Sometimes the ransom message pops up immediately; sometimes there is a time delay, or a switch that lets the attackers trigger it when it suits them.

And sometimes attacks are big and bold. Two assaults on major hospitals in the US, for instance, used multi-pronged ransomware infiltration to shut down key networks and records. But experts largely agree that most attacks are on individuals. Mass e-mailing lets criminals exploit long-tail effects and the fact that many people would rather pay a few hundred (or thousand) dollars to get their data, which many consider their life, back than fight through law enforcement channels.

Data hostage taking is on the rise

Given how well ransomware works, the number of attacks is set to grow. In its annual Threat Landscape report, published in January 2016, the European Union Agency for Network and Information Security (ENISA) characterises 2015 as “the year of ransomware”. According to the report, the number of reported incidents nearly doubled in 2015 compared with 2014, with aggressive phishing campaigns a hallmark of many attacks. Targets tended to be in North America and Western Europe, whose residents are perceived to have the money to pay.

ENISA also notes that 2015 was a year of innovation in ransomware development and deployment. The number of new ransomware types quadrupled in the first half of the year alone. Criminals have set up service centers, allowing the non-technical to buy crimeware-as-a-service, further expanding the reach of ransomware. And stealthier delivery methods are still being developed.

Do I know you? Did I ask for this?

Phishing is still the most common delivery method. Which is convenient, in a way, as there are some practical steps you can take to avoid getting scammed. Probably the most important is to maintain an online “stranger danger” mindset. If an email looks even the slightest bit suspicious, don’t open it. If it’s from someone you don’t know, don’t open it. If it says you’ve won the lottery, are being watched by some security agency, asks about an order (you did not make), or promises rewards in some other way, don’t open it. (Similar phishing attacks also appear on Facebook.)

For emails you’ve opened, if they include links or attachments you weren’t expecting or didn’t ask for, don’t click or download. If you feel that you must do either, reply to the sender (if you know them), and ask if they did indeed send you something. If you do not know the sender – delete the email.
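The two habits above, treating unexpected attachments and links as suspect, can be partly automated at the mail gateway or in a triage script. The following is an added example in Python (not AVG's code) that parses a message, flags attachments whose names end in an executable or macro-enabled extension or hide one behind a decoy such as .pdf.exe, and flags links whose visible text names a different host than the real href target, the classic phishing trick. The message it inspects is constructed inline; the hostnames, the extension lists and the function names are assumptions for illustration, not a complete ruleset.

```python
"""Added example: automated triage for the two phishing red flags described in the text."""
import email
import os
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Extensions that execute code when opened (assumed list; extend for your environment)
RISKY_EXT = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta", ".bat",
             ".cmd", ".ps1", ".jar", ".docm", ".xlsm", ".pptm"}
# Document-like extensions used as decoys, as in "invoice.pdf.exe"
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def check_attachment_name(filename):
    """Return a finding for a risky attachment name, or None if it looks benign."""
    name = filename.lower()
    stem, ext = os.path.splitext(name)
    _, inner = os.path.splitext(stem)
    if ext in RISKY_EXT and inner in DECOY_EXT:
        return f"double extension disguises executable: {filename}"
    if ext in RISKY_EXT:
        return f"executable or macro-enabled attachment: {filename}"
    return None


def _host(url):
    """Hostname of a URL, or of a bare 'www.example.com' style string."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Flag anchors whose visible text names a different host than the real target."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if "." in text and " " not in text:  # the text itself looks like a URL or domain
            shown, real = _host(text), _host(href)
            if shown and real and shown != real:
                findings.append(f"link text shows {shown} but points to {real}")
    return findings


def triage(raw_message):
    """Run both checks over a raw RFC 5322 message and return the list of findings."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += check_links(body.get_content())
    for part in msg.iter_attachments():
        finding = check_attachment_name(part.get_filename() or "")
        if finding:
            findings.append(finding)
    return findings


def build_sample():
    """Constructed phishing-style message for the demo (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Your invoice is attached"
    msg.set_content("Please review the attached invoice.")
    msg.add_alternative(
        '<p>Log in at <a href="http://login.attacker.example/">'
        "https://www.mybank.example/login</a> to confirm.</p>", subtype="html")
    msg.add_attachment(b"MZ\x90\x00 constructed bytes", maintype="application",
                       subtype="octet-stream", filename="Invoice_2016.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print("FLAG:", finding)
```

Both red flags in the constructed message are caught: the link that reads as the bank but points at another host, and the executable hiding behind a .pdf decoy. Neither check proves an e-mail is malicious, and a clean result proves nothing either; what the script buys you is that a human only has to read the messages the rules could not clear.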

And of course, you should build a fortress around your device. This is where AVG can help. We provide antivirus, link scanners, attachment and download checkers, enhanced firewalls, spam blockers, and file encryption to help keep your photos, videos, files, contacts, and devices safer. If you haven’t done so already, give us a try on your PC or Android phone.

Top Facebook scams you need to know about

Have you seen the “Most Used Words” quiz on Facebook? Chances are you probably have – because it shockingly accumulated close to 20 million shares in just a few days. It also gained access to the personal data of over 16 million users.

With this kind of virality, it’s little wonder a 2016 report from Cisco found that Facebook scams are the most common online attack method used by cybercriminals. With 1.6 billion users, the social media site serves as a cost-effective way of spreading scams on a large scale quickly and relatively easily.

To help you stay ahead of the bad guys, we’ve assembled a list of the top types of (often overlapping) scams to look out for on Facebook:

Sensational news stories

These have clickbait headlines to tempt you into clicking without first verifying the news. The problem is that they can lead to websites with viruses, ransomware, and other forms of malicious content and advertising. But the good news is that Facebook has made a lot of progress in preventing these kinds of posts from appearing in your News Feed.

Hidden content

An extension of clickbait headlines are sites that require you to enter details before certain content will be “revealed”. For instance, before a juicy celebrity video shows or the answer to a self-assessment quiz displays, you must enter an email address or agree to terms and conditions. This is simply a sneaky way for scammers to capture your information.

Like farming

This occurs when a page is set up by scammers with the purpose of artificially accumulating likes. This is so they can use the large number of likes to distribute additional scams or sell the page on the black market for profit (pages like these are highly valuable to unethical marketers). So think twice when you see one of those adorable cat memes – the source could be a scammer who’s hoping it’ll go viral for their benefit.

Quizzes that promise a prize or gift voucher

If something sounds too good to be true, it usually is. These kinds of quizzes are designed to phish for your personal details or have you fill in surveys that the scammers get paid for you to complete! You definitely won’t win a free business class air ticket or $100 grocery voucher.

Dodgy apps

Some third-party Facebook applications require you to grant unnecessary permissions, including access to your name, profile picture, list of friends, post history and the devices you use. The terms and conditions you accept could even allow a scammer to sell your data or post directly to your timeline. “See who's viewing your profile” is a classic example of an app created specifically for this (LinkedIn offers such a feature; Facebook currently doesn't).

Questionable private messages

These are likely to include social engineering schemes, such as offers to work from home. They may even claim you’ve “won” a lottery; then ask for a small advanced fee so you can claim your prize. Hint: your prize will never be delivered!

So what can you do to protect yourself? 

Take note of the Facebook scams we’ve mentioned above, and always:

  • Be vigilant when it comes to entering any form of personal information online
  • Don’t share clickbaiting stories, memes, or videos
  • Install apps only from trusted developers that don’t ask for a stack of unnecessary permissions
  • Watch for strange posts and pages from friends – avoid clicking on them and then let your friend know that it’s likely a scam
  • Don’t respond to messages from people you don’t know, especially when they include offers that sound too good to be true

We Want to Embrace the IoT But Can We Trust It?

We are in the midst of a rapid technology evolution. We’re only four months into 2016 and already we’ve seen two major industry shows dominated by the Internet of Things (IoT).

In January, at CES, the connected home stole the spotlight – highlights included a Family Hub fridge, a Wi-Fi water leak detector and an AR-equipped robot vacuum.

The trend continued at MWC where a smart air conditioner, 4G-enabled security camera, and smart shoes were on display. If these two major events are any indication, the horizon shows a hyper-connected future.  But what are the trust issues at hand?

AVG collaborated with the organisation MEF on its global survey of consumers' concerns about the future of IoT. According to the MEF findings, people are enthusiastic about a connected future: when asked about their concerns around IoT, only 1 in 10 said there would be no tangible benefits. Yet as the network of IoT devices grows, so do consumers' concerns about what this increased connectivity and data sharing means for security.

As a security company, it is our responsibility to recognize and unpack such concerns so we can use that insight to address fears and vanquish threats down the road.

The MEF study, which surveyed over 5,000 mobile users in eight markets, examined consumer perceptions about the future of a connected world. The findings are significant, and indicate tremendous worry about a world of inter-connectivity:

  • 60% said they worry about a world of connected things.
  • Privacy (62%) and security (54%) are seen as the biggest threats worldwide.
  • One third of respondents in all 8 countries don’t want to share personal information but know they must if they want to use an app (up to 41% from 33% in 2015).
  • Home security raises the most concern among connected devices and applications.

MEF's research shows a consistent decline in consumer trust, which keeps dipping as the war on privacy rages on, leaving consumers to decide which data trade-offs are worthwhile.

If we, as an industry, don’t address these trust issues, consumers may disengage since they will no longer be willing to sacrifice their privacy for greater connectivity. Considering that 62% of consumers already name privacy as their top concern when it comes to the IoT, that tipping point is likely to arrive sooner than we expect.

In order to respond to consumer concerns and stop the erosion of trust, the industry has to act. And when we do, it is vital that we don’t let our desire to get products to this burgeoning market quickly trump the need for responsible and secure design. Security cannot become an afterthought as we innovate toward connectivity.

If we care about our consumers and about the potential and longevity of IoT, we need to make ‘security by design’ a fundamental approach, regardless of device.