STE WILLIAMS

Panda Boosts Security & Control With IOS & Android MDM

Bracknell, Dec 16, 2013.

Panda Security, The Cloud Security Company, today announced the introduction of significant enhancements and new features to Panda Cloud Systems Management (PCSM), the company’s remote management and monitoring solution designed to help IT departments and service providers manage, monitor and support all types of devices on their computer networks.

In addition to enabling organizations to perform network audits, monitor computers and remotely control, deploy and update software, PCSM now incorporates Mobile Device Management (MDM) capabilities to control all types of mobile devices in the workplace centrally and easily.

With the introduction of these new features, Panda Cloud Systems Management further increases cost savings and simplifies IT processes significantly for customers.

“Thanks to PCSM’s new MDM feature, IT departments and service providers can now manage all mobile devices (laptops, tablets and smartphones), whether in the office or on the road, centrally from a single Web console accessible anytime, anywhere. In short, with this new functionality, IT administrators will be able to generate consolidated reports of all devices on their network, including smartphones, easily and quickly,” said Manuel Santamaría, Product Manager Director at Panda Security.

Mobile Device Management

The mobility of today’s workforce and the wide variety of mobile device platforms available make control and management significantly more difficult. Panda Cloud Systems Management helps companies address this challenge with its new MDM feature. This tool allows administrators to centrally manage all of their Windows, Mac and Linux laptops, desktops and servers, as well as Android and iOS tablets and smartphones, whether they are in the office or on the road, anywhere and anytime.

PCSM MDM also enables organizations to monitor the status of mobile devices. With PCSM, IT departments will know which computers are online/offline and their location. They will also have complete visibility into the hardware and software installed on their devices, system information and system changes. As for security and control, they will be able to enforce password policies, lock devices remotely, and perform a remote factory reset of the device, erasing all personal and confidential information stored on it in case of loss or theft. All this, plus the ability to generate consolidated reports showing the status of all devices on the network, including smartphones, simply and effectively.

Protecting Confidential Information On Mobile Devices

One of the major challenges that companies face today is how to prevent loss of confidential information in case of loss or theft of a mobile device. The increasing mobility of employees in corporate environments has extended the use of tablets, smartphones and laptop computers for handling all sorts of internal documentation. The loss or theft of one of these devices represents a serious breach of the company’s security and may expose valuable confidential information.

Panda Cloud Systems Management MDM helps organizations find and recover missing mobile devices, obtaining their coordinates and showing the devices’ location on a map. Additionally, it allows them to lock mobile devices remotely or restore them to their factory settings, preventing access to documentation, emails, phonebook contacts and any other type of confidential information. All these new features add to those already present in previous versions, including the ability to perform network audits, manage files, monitor systems, provide remote support and generate reports.

More information about Panda Cloud Systems Management here http://www.pandasecurity.com/uk/enterprise/solutions/cloud-systems-management/

About Panda Security

Founded in 1990, Panda Security is the world’s leading provider of cloud-based security solutions, with products available in more than 23 languages and millions of users located in 195 countries around the world. Panda Security was the first IT security company to harness the power of cloud computing with its Collective Intelligence technology. This innovative security model can automatically analyze and classify thousands of new malware samples every day, guaranteeing corporate customers and home users the most effective protection against Internet threats with minimum impact on system performance. Panda Security has 56 offices throughout the globe with US headquarters in Florida and European headquarters in Spain.

Panda Security collaborates with The Stella Project, a program aimed at promoting the incorporation into the community and workplace of people with Down syndrome and other intellectual disabilities, as part of its Corporate Social Responsibility policy.

For more information, please visit http://www.pandasecurity.com

Article source: http://www.darkreading.com/mobile/panda-boosts-security-control-with-ios/240164803

Gmail takes image loading out of users’ hands

Do your shoulders feel lighter?

They should if you’re a Gmail user, since Google just lifted from users what one assumes must have been the heavy burden of having to choose whether to display images in email.

You were relieved of this choice as of Friday, when Google announced that Gmail users will now see images automatically.

Automatic image viewing for desktops was enabled on Friday, and we’ll see it on Android and iOS apps in early 2014.

Up until now, we’ve had to mull whether or not we want to view images because all sorts of security sliminess and privacy pitfalls can lurk behind them.

Clicking on images is like leaving whatever fortress you’re holed up in and venturing out into the wide, open, scary world of somebody else’s HTTP territory.

That’s because emailed images, though they might look like they’re part of the email, are normally hosted on a web server controlled by the email sender.

As far as privacy issues go, when you load the images, you not only get to see whatever pretty picture the sender wishes to bestow upon your eyeballs; you’re also sending a message about yourself (an HTTP request) to the email sender.

First off, by clicking on an image, you’re giving the sender any cookies you might have previously received from their website. You’re also giving them your IP address, which can provide a rough idea of your location, and your user-agent string which is a brief description of the browser and operating system you’re using.

Also, unless you’re using a browser or a browser add-on that blocks the action, the sender will also get an HTTP referrer: an HTTP header field that shows the URL of the page that you are on.

Perhaps more useful than all of those though, you’re giving email marketers and spammers confirmation that their email has been read and that your email address is ‘live’.

As Ars Technica’s Ron Amadeo points out:

It’s even possible to uniquely identify each e-mail, so marketers can tell which e-mail address requested the images—they know that you’ve read the e-mail. And if it was spam, this will often earn you more spam since the spammers can tell you’ve read their last e-mail.

So if images are on by default then by the time you’ve looked at an email, determined it’s spam and hit the ‘junk’ button you’ve already told the spammers that you’ve opened the email.

But wait, there’s more: given that the images are hosted on remote, third-party servers, there’s even the possibility that images themselves can be rigged to exploit security vulnerabilities and inflict malware on the computer systems of those who click.

Google aims to curtail the risks of clicking on remotely hosted images by henceforth serving all images from its own, secure proxy servers.

It will be great – just great! says Google:

Your messages are more safe and secure, your images are checked for known viruses or malware, and you’ll never have to press that pesky “display images below” link again. With this new change, your email will now be safer, faster and more beautiful than ever.

With Google serving as the image middleman, marketers, spammers and phishers should be starved of all that leaky HTTP stuff, but will they still know who’s opened their emails?

Up until now marketers have been able to look at how many times their images have been loaded and use it to work out, at least roughly, how many times their emails actually got opened.

Now that Google’s putting itself between you and the marketers’ servers they will presumably be requesting each image just once from the original server and then caching it for the benefit of all Gmail users.

That ought to mess up marketers’ “open rates” and prevent confirmation that your email address is active, right? Nope, it won’t help matters at all.

As a Google spokesperson acknowledged when CNET asked, senders can simply use a unique image URL per recipient.

Instead of requesting one image from the sender and caching it, Google would have to ask for each unique URL. This ought to make email open-rate tracking even more accurate than it is now because, thanks to this update, every email that’s opened will automatically download images.

This is, in fact, the conclusion reached by security researchers including H.D. Moore and Robert Hansen.

Moore told CNET that the proxy servers will turn on default “read tracking” for all Gmail users, which bestows power on people we don’t necessarily want to empower:

This would allow a stalker or other malicious entity to determine whether the e-mail they sent to a target is being read.

The Google spokesperson pointed out that the proxy server helps protect the recipient’s IP address, geographic location, browser user agent, and “other identifying information.”

OK. But Google could have given their users all that good stuff without taking away their ability to choose whether they want to see images or not.
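The per-recipient URL trick described above, as an added example that is not Google’s code and not from the article: a sender that mints a unique tracking-pixel URL for each recipient, a caching proxy that strips the recipient’s headers and fetches each distinct URL once, and the result that the proxy still tells the sender the message was opened. The host names, secret, tokens and header values are all constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

const pixelHost = "http://img.example-marketer.test/pixel/" // constructed, not a real host

// Sender models the marketer's image server. It mints one image URL per
// recipient and records which one was requested and what headers came with it.
type Sender struct {
	secret  []byte
	tokens  map[string]string // URL token -> recipient address
	opens   map[string]int    // recipient -> requests seen for their token
	headers []map[string]string
}

func NewSender() *Sender {
	return &Sender{secret: []byte("constructed-demo-secret"), tokens: map[string]string{}, opens: map[string]int{}}
}

// PixelURL returns the per-recipient image URL placed in the e-mail. An HMAC of
// the address makes it unique per recipient and unguessable without the secret.
func (s *Sender) PixelURL(recipient string) string {
	mac := hmac.New(sha256.New, s.secret)
	mac.Write([]byte(recipient))
	tok := hex.EncodeToString(mac.Sum(nil))[:16]
	s.tokens[tok] = recipient
	return pixelHost + tok + ".gif"
}

// Serve is the origin's request handler reduced to the tracking logic.
func (s *Sender) Serve(url string, headers map[string]string) []byte {
	tok := strings.TrimSuffix(strings.TrimPrefix(url, pixelHost), ".gif")
	if r, ok := s.tokens[tok]; ok {
		s.opens[r]++
	}
	s.headers = append(s.headers, headers)
	return []byte("GIF89a") // a real 1x1 GIF body would follow
}

// Opens reports how many requests the sender attributed to recipient.
func (s *Sender) Opens(recipient string) int { return s.opens[recipient] }

// SawCookie reports whether any request reached the sender with a Cookie header.
func (s *Sender) SawCookie() bool {
	for _, h := range s.headers {
		if _, ok := h["Cookie"]; ok {
			return true
		}
	}
	return false
}

// Proxy stands in for the Gmail image proxy: it fetches each distinct URL once,
// caches the body, and presents only its own generic headers to the origin.
type Proxy struct {
	origin *Sender
	cache  map[string][]byte
}

func NewProxy(origin *Sender) *Proxy { return &Proxy{origin: origin, cache: map[string][]byte{}} }

func (p *Proxy) Fetch(url string) []byte {
	if body, ok := p.cache[url]; ok {
		return body // repeat views never reach the origin
	}
	body := p.origin.Serve(url, map[string]string{"User-Agent": "constructed-image-proxy/1.0"})
	p.cache[url] = body
	return body
}

// OpenMail simulates the recipient viewing the message. With a proxy, the image
// request goes through it; without one, the recipient's browser hits the origin
// directly and leaks cookies, Referer, User-Agent and its own IP address.
func OpenMail(url string, s *Sender, p *Proxy) {
	if p != nil {
		p.Fetch(url)
		return
	}
	s.Serve(url, map[string]string{
		"User-Agent": "Mozilla/5.0 (constructed browser string)",
		"Cookie":     "tracker=abc123",
		"Referer":    "https://mail.example.test/inbox",
	})
}

func main() {
	s := NewSender()
	p := NewProxy(s)
	alice := s.PixelURL("alice@example.test")
	OpenMail(alice, s, p) // first view: proxy fetches, origin learns alice opened
	OpenMail(alice, s, p) // second view: cache hit, origin learns nothing more
	fmt.Println("alice opens seen:", s.Opens("alice@example.test"), "cookie seen:", s.SawCookie())
}
```

Two things fall out of running it. The proxy does what Google claims: the origin never sees the recipient’s cookies, Referer, browser string or IP address. But because the URL is unique per recipient, the single fetch the proxy makes is itself the open confirmation, so caching only hides repeat views of the same message, not the first one.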

Luckily, Gmail users can disable automatic image viewing – here’s how:

  1. Open Gmail.
  2. Click the gear icon in the top right.
  3. Select Settings.
  4. Stay in the General tab.
  5. Scroll down to the Images section.
  6. Choose “Ask before displaying external images”.
  7. Click Save Changes at the bottom of the page.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/IggbXOyB1ms/

Monday review

Get yourself up to date with everything we’ve written in the last seven days – it’s weekly roundup time.

Watch the top news in 60 seconds, and then check out the individual links to read in more detail.

Monday 9 December 2013

Tuesday 10 December 2013

Wednesday 11 December 2013

Thursday 12 December 2013

Friday 13 December 2013

Saturday 14 December 2013

Sunday 15 December 2013

Would you like to keep up with all the stories we write? Why not sign up for our daily newsletter to make sure you don’t miss anything. You can easily unsubscribe if you decide you no longer want it.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Nsoh25EYeQI/

Twitter ditches watered-down block feature after outcry

User outrage has forced Twitter to roll back a blocking policy change that would have allowed blocked users to continue following their targets, oblivious to the fact that they had been blocked, while still interacting with blockers’ Tweets and receiving their timeline updates, which, critics said, would have let blocked users’ friends carry on harassing victims.

Twitter had rolled out what was to be the short-lived policy change on Thursday.

The change turned the blocking feature into an ostrich’s head stuck in the sand (ostriches don’t actually stick their heads in the sand; we need a better metaphor).

A blocked abuser could still see everything a Twitter user did, but the Twitter user wouldn’t see any of the blocked user’s activity – in essence, changing the “block” into a “mute”.

Twitter explained that the new policy was actually meant to keep people from being trolled by people they’d blocked, given that upset blockees often troll the blocker in other, often aggressive, ways.

A large, vocal number of troll victims and others did not, however, see the policy change as being helpful – in fact, quite the opposite.

An online petition requesting a reversal of the blocking policy change went up on Thursday.

Within less than an hour, the petition had garnered nearly 600 signatures, according to CNET.

A common thread in signatories’ comments has been that the change empowered stalkers whose activity was then hidden from potential victims.

From the petition summary, written by Zerlina Maxwell:

Twitter is no longer a safe space. As a public person who uses the medium for my work, I am very concerned because stalkers and abusers will now be able to keep tabs on their victims, and while there was no way to prevent it 100% before, Twitter should not be in the business of making it easier to stalk someone.

Previously, Maxwell noted, blocking a harasser or troll would forbid a given offender from following the blocker and would also remove them from the blocker’s mentions and timeline.

The change was a “huge and very serious problem” for people like Maxwell, she wrote, who’ve received repeated rape and death threats on Twitter.

Twitter pointed out that it had always been possible for anyone – even someone who was blocked – to see the tweets on a public profile.

But at least the classic “block” kept harassers from following victims and, at worst, retweeting them into their feed, which would allow abusers’ followers to also harass victims.

It is this classic block that Twitter has now re-embraced because of the outcry.

Twitter vice president of product, Michael Sippey, announced in a blog post on Friday that the company was reversing the change:

We have decided to revert the change after receiving feedback from many users – we never want to introduce features at the cost of users feeling less safe.

Users will once again be able to tell that they’ve been blocked, Sippey said: not an ideal situation, given the retaliation by blockees and their friends that often occurs:

Some users worry just as much about post-blocking retaliation as they do about pre-blocking abuse.

This is not the first time that Twitter’s been taken to task over cyberbullying issues.

In July, following a vicious outpouring of trollery against UK journalist and feminist leader Caroline Criado-Perez and MP Stella Creasy, an online petition demanded that Twitter put a “Report Abuse” button on all messages.

In short order, Twitter complied, promising to roll out a new report abuse button, as well as to make it easier in other ways for people to report online bullying.

Twitter has a very good reputation for protecting its users against unreasonable privacy inquisitions by the courts, but it doesn’t have a stellar record when it comes to dealing with cyber-bullying.

At the very least, though, you have to give the company credit: it sometimes does pay attention, and respond quickly, to users when they cry out loud and fast in online petitions.

If you’re a tweeter then you might be curious to learn about another new feature rolled out last week that will allow Twitter to track the websites that you visit.


Image of ostrich courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/p4_gaEWzgsI/

Security guru Bruce Schneier to leave employer BT


Exclusive: Noted security guru Bruce Schneier, who has devoted a great deal of attention and energy over recent weeks to analysing the Edward Snowden leaks about the activities of the NSA and allied spy agencies, is to leave UK telco BT.

A spokesman for BT said:


“We can confirm that Bruce Schneier, BT’s security futurologist, is leaving BT at the end of December 2013.”

News of the parting of the ways reached El Reg via a leaked internal email. Our source suggested that Schneier was shown the door because of his recent comments about the NSA and GCHQ’s mass surveillance activities.

BT denies this, saying that the working relationship had come to its “natural end”.

To: All people in BT Security

From: Mark Hughes, CEO, BT Security

Status: For information

Bruce Schneier to leave BT.

I would like to announce that Bruce Schneier, BT’s security futurologist, is leaving the company after eight years. Bruce joined BT in 2006 as part of the Counterpane acquisition and has been a great asset to the company.

I’d like to thank him for all of his contributions to BT and wish him success in his future endeavours.

Mark Hughes, CEO, BT Security

Hughes gave a keynote presentation about BT Security’s work securing the Olympics at the recent RSA Europe conference. During an accompanying question-and-answer session he downplayed suggestions that BT had a close working relationship with GCHQ, saying that the telecoms giant was no different from any other large private sector firm in the UK.

Leaks from former NSA sysadmin Edward Snowden painted a different picture, however, including reports that BT, Vodafone and other carriers allowed GCHQ to tap their fibre-optic lines.

BT denied that Schneier leaving was anything to do with his recent critical commentaries on the dragnet surveillance tactics of Blighty’s GCHQ in partnership with the NSA:

We hired Bruce because of his thought leadership in security and as part of our acquisition of Counterpane. We have agreed to part ways as we felt our relationship had run its course and come to a natural end. It has nothing to do with his recent blogs. We hired Bruce because of his thought leadership in security, not because we agree with everything he says. In fact, it’s his ability to challenge our assumptions that made him especially valuable to BT.

We wish Bruce every success in his future endeavours and thank him for his contributions to the company and the industry.

We’ve invited Schneier himself to comment on his future plans and will update this story as and when we hear more. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/16/bruce_schneier_leaves_bt/

Unlocking CryptoLocker: How infosec bods hunt the fiends behind it


CryptoLocker, the bitcoin thieving ransomware menace that has become 2013’s most infamous malware, was likely created by a single hacker crew in Russia or former Eastern bloc states and is heavily targeting US and UK systems, researchers have exclusively revealed to The Register.

Dell SecureWorks’ Counter Threat Unit (CTU) set up a sinkhole operation not long after the uber ransomware emerged in September, registering multiple domains from the pool of those used by CryptoLocker. Between October 22nd and November 1st, 31,866 unique IP addresses contacted those CTU sinkhole servers: 22,360 from the US, 1,767 in the UK and 818 in India.


This provides a glimpse into the scourge that CryptoLocker has now become. But Keith Jarvis, a security researcher with Dell SecureWorks’ CTU, estimates the overall number of infected machines is now approximately 250,000.

“The actors infect machines in ‘waves’ so rates wax and wane between zero and around 5,000 a day,” he told El Reg.

Another Russian beastie?

Researchers have been rabidly delving through their CryptoLocker data in an attempt to determine its provenance. It first emerged in September, when early infections were found “disproportionately at financial institutions”, the CTU team said. Various industries have been targeted since then, from the hospitality sector to public utilities.

In the early days, the attackers solely went after businesses, sending out malicious ZIP archives in spam emails, but turned their attention to general PC owners soon enough.

Initial samples were downloaded from a server located in Missouri. Early versions included code to connect to an IP address located in a Phoenix NAP data centre in Arizona. The attackers have been hosting much of their activity on virtual private servers (VPS) located at different “bullet-proof” hosting providers across Russia and former Eastern bloc countries, who are either “indifferent to criminal activity on their networks or are complicit in its execution”, according to the CTU report.

This has led researchers to suspect that one gang of crooks based out of Eastern Europe or Russia is to blame.

“The majority of command and control servers hosting the CryptoLocker malware are located in the Russian Federation or the former Eastern bloc states, showing a knowledge of these infrastructure providers, and it is evident from the messages alerting the victims that English is not the CryptoLocker Group’s first language,” Jarvis added.

“This suggests that the threat actors behind CryptoLocker could be located somewhere in the Russian Federation or the former Eastern bloc states. Additionally, we have seen many hacker scams come out of this area of the world and target mainly English-speakers in the US and UK,” continued Jarvis. “We think it is wholly controlled and operated by a single crew, and not bought and sold on the underground.”

They’re using methods typical amongst Russian crooks, distributing it with the peer-to-peer (P2P) Gameover Zeus malware, in some cases via the Cutwail spam botnet or the Magnitude exploit kit.

Cryptolocker: In a class of its own

The reason why researchers are in such a spin about CryptoLocker is simple: it’s an advanced piece of ransomware, especially compared to the usual tripe that tells the user they’ve been caught doing nasty things and need to pay a fine. CryptoLocker follows through with its promise of encrypting users’ files, unlike other ransomware, and it does so with some finesse.

“This isn’t the first malware that destroys files, but it’s certainly in its own class,” Jarvis added.

Using the Microsoft CryptoAPI, CryptoLocker encrypts each file with a unique AES key, which is then encrypted with the RSA public key received from the crooks’ server. The RSA-encrypted AES key, along with a small amount of metadata and the encrypted file contents, is then written back to disk, replacing the original file.

The only way to decrypt them is with the RSA private key held by the criminals, which can purportedly be acquired by handing over money, normally around 0.3 BTC. The CryptoLocker overlords also accept transfers over MoneyPak, another money transfer system.
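The key hierarchy just described, as an added example that is neither the malware’s code nor anything from the SecureWorks report: each file is sealed under a fresh AES key, that key is wrapped under the RSA public key, and only the matching private key can unwrap it. The envelope layout, the choice of AES-GCM and RSA-OAEP, and the function names are assumptions of this example; the page does not give CryptoLocker’s real on-disk format or cipher modes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Envelope written in place of the original file (a layout constructed for this
// example, not the malware's real on-disk format):
//
//	[2-byte big-endian length L][L bytes: RSA-OAEP-wrapped AES key][12-byte nonce][AES-GCM ciphertext]
//
// AES-GCM is chosen here so the ciphertext is also integrity-protected; the
// article says only "AES".

// WrapFile encrypts plaintext under a fresh random AES-256 key and wraps that
// key with the RSA public key. Only the public key is ever present on the
// victim's machine, so nothing there can undo the wrap.
func WrapFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	var out bytes.Buffer
	binary.Write(&out, binary.BigEndian, uint16(len(wrapped)))
	out.Write(wrapped)
	out.Write(nonce)
	out.Write(gcm.Seal(nil, nonce, plaintext, nil))
	return out.Bytes(), nil
}

// UnwrapFile is what the criminals' "decryption service" holds the means to do:
// the RSA private key recovers the per-file AES key, which recovers the file.
func UnwrapFile(priv *rsa.PrivateKey, env []byte) ([]byte, error) {
	if len(env) < 2 {
		return nil, errors.New("short envelope")
	}
	n := int(binary.BigEndian.Uint16(env[:2]))
	if len(env) < 2+n {
		return nil, errors.New("truncated wrapped key")
	}
	wrapped, rest := env[2:2+n], env[2+n:]
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, err // wrong private key: the OAEP padding check fails here
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	if len(rest) < gcm.NonceSize() {
		return nil, errors.New("truncated nonce")
	}
	return gcm.Open(nil, rest[:gcm.NonceSize()], rest[gcm.NonceSize():], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// The attacker's key pair lives on the C&C server; it is generated here only so the demo runs offline.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	env, err := WrapFile(&priv.PublicKey, []byte("constructed sample document"))
	if err != nil {
		panic(err)
	}
	plain, err := UnwrapFile(priv, env)
	fmt.Printf("envelope %d bytes, recovered %q, err=%v\n", len(env), plain, err)
}
```

The design point for defenders is in what the victim’s disk contains after the fact: a public key, wrapped keys and ciphertext, none of which helps without the private half. Memory forensics on a still-running process may catch a file key before it is discarded, but once the per-file key is gone the only routes back are the private key or a backup.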

Whilst some had suggested that payments did not result in decryption, victims have reported regaining access after coughing up. Sometimes, however, it takes weeks for the files to be unlocked. The crooks even created a “CryptoLocker Decryption Service” (see below) in early November, which gave people a chance to decrypt their docs even if they had not handed over the money before CryptoLocker’s ticking clock of doom hit 00:00. Early versions of this service charged 10 BTC, but then the value of a single bitcoin hit the $1000 mark, so the cost had to come down.

The masterminds have tried to avoid white hats by shifting around their C&C infrastructure. They’ve been using a domain generation algorithm (DGA) to create 1,000 potential command and control domain addresses per day, to be used alongside static servers for their villainous campaign. This dynamism appears to be working. Dell SecureWorks is now struggling to get meaningful stats from its sinkhole operation.
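How a date-seeded DGA and a sinkhole interact, as an added example: this is a hypothetical generator, not CryptoLocker’s algorithm, whose details the article does not give. It derives a fixed number of candidate names per day from the date, and a matcher runs DNS query logs against the candidate set for a window of days, which is the kind of check a sinkhole operator or a defender who has recovered the real algorithm would run. The hash construction, TLD list, client addresses and log records are all constructed.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"time"
)

// tlds is a constructed list for the example; it is not CryptoLocker's.
var tlds = []string{"com", "net", "org", "info", "biz", "ru", "co.uk"}

// Query is one DNS query log record: which client asked for which name.
type Query struct{ Client, QName string }

// Candidates returns the n domains the (hypothetical) DGA produces for day.
// Attacker and defender both run it. The attacker registers only a few of the n
// names on any given day and the bots find him by trying the list; a sinkhole
// operator who has the algorithm registers some of the rest and counts the bots
// that land there, which is how the figures quoted above were gathered.
func Candidates(day time.Time, n int) []string {
	seed := day.UTC().Format("2006-01-02")
	out := make([]string, 0, n)
	for i := 0; i < n; i++ {
		h := sha256.Sum256([]byte(fmt.Sprintf("%s:%d", seed, i)))
		// twelve lowercase letters from the first twelve hash bytes, then a TLD picked by the 13th
		name := make([]byte, 12)
		for j := range name {
			name[j] = 'a' + h[j]%26
		}
		out = append(out, fmt.Sprintf("%s.%s", name, tlds[int(h[12])%len(tlds)]))
	}
	return out
}

// MatchQueries returns, per client, how many of its lookups fall in the DGA's
// candidate set over the given days. The static C&C hosts the gang used alongside
// the DGA would need a separate blocklist; the signal here is a client walking
// through many algorithm names in a short time.
func MatchQueries(queries []Query, days []time.Time, perDay int) map[string]int {
	known := map[string]bool{}
	for _, d := range days {
		for _, name := range Candidates(d, perDay) {
			known[name] = true
		}
	}
	hits := map[string]int{}
	for _, q := range queries {
		if known[q.QName] {
			hits[q.Client]++
		}
	}
	return hits
}

func main() {
	day := time.Date(2013, time.November, 1, 0, 0, 0, 0, time.UTC)
	cands := Candidates(day, 1000)
	// constructed log: one host walking the candidate list, one clean host
	log := []Query{
		{"10.0.0.5", cands[17]}, {"10.0.0.5", cands[318]}, {"10.0.0.5", cands[999]},
		{"10.0.0.9", "www.example.com"}, {"10.0.0.5", "update.example.net"},
	}
	fmt.Println(MatchQueries(log, []time.Time{day}, 1000))
}
```

Because the set is regenerated from the date, a resolver log from last week can be checked against last week’s names, which is what makes recovered DGAs useful retrospectively as well as for blocking; it is also why the gang’s 1,000 names a day make the sinkhole sample less representative, since the defender can afford to register only a fraction of them.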

Cryptolocker won’t be disappearing in 2014. Indeed, it looks set to grow only larger – thanks to the wherewithal and technical nous of the gang behind it. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/16/unlocking_cryptolocker_how_it_became_2013s_nastiest_threat/

Protecting Brand And Data While Staying Social

While businesses continue to expand their use of social networking to manage their brands and increase productivity, only a minority of firms are attempting to offset the risks posed by these services.

The lack of focus on securing social networking is leaving companies vulnerable, say security experts. Only 18 percent of companies do a risk assessment of their use of social media, even though 84 percent worry about the risks, according to a recent survey.

Monitoring is an important part of detecting and responding to the business risks posed by social networks, says Bob Shaw, senior vice president for network-monitoring firm Net Optics, an Ixia company. Companies should monitor what customers are saying about their brands and what employees post under their corporate personas.

“There are no spots of the network that companies can leave as blind spots now,” says Shaw. “Businesses have to have visibility across their network and applications, including social media.”

Social networks pose three main threats. Because a business’ online presence and brand heavily rely on public postings, poor judgment on the part of employees or malicious postings by hacktivists or attackers can sully a company’s image. In addition, social networks are also a vector through which attackers can deliver attacks to specific employees. Finally, the networks also pose a data leakage risk, where workers can inadvertently or maliciously leak sensitive information about the company or themselves.

A good first step for most companies is to monitor social networks to gather information on the possible issues facing them and what the threats might be, says Caleb Barlow, director of security for IBM.

“If you are not monitoring both what your employees are saying and what your customers are saying, you run the risk of having your company debated and not having a seat at the table when that happens,” he says. Monitoring public posts to social networks can also help catch compromises of social networking accounts, albeit after the thief has caused problems.

While many companies are worried about the leakage of trade secrets or business data, they should also worry about the leakage of personal information about their employees, says Barlow. More than two-thirds of people share their birthdays online, and almost half reveal their hometowns, he says.

“You start taking all this information, and these are typically the challenge-response questions that protect many types of accounts,” Barlow says.

[Phishers favor emails that appear to be from LinkedIn friends or email systems, study says. See Study: Beware LinkedIn Invitations, Mail Delivery Messages.]

Yet the posting of proprietary data to social networking sites is perhaps the greater danger, says Adam Ghetti, founder and chief technology officer of Ionic Security, which protects data in the cloud. And because they allow people to connect and share information, file-sharing services such as Box and Dropbox are another form of social networking that needs to be watched. When employees post information to those sites, they are adding a social aspect to the problem of data security, he says.

“They have made the data itself social because they have uploaded it to a service where it is out of the view and control of the enterprise,” says Ghetti.

Companies need to take a multilayer approach to defending against leaks to social networks and threats coming in from the networks, Ghetti says. Network-based monitoring is not enough because cloud providers are increasingly using SSL to protect communications between the end user and their servers, which makes it difficult for network-only monitoring to inspect the content going to those social networks. Ghetti argues that companies have to take a data-centric approach to protect sensitive information no matter where it goes.

“Monitoring has to happen well before content gets to a social-media destination,” says Ghetti. “That monitoring has to take place in a clearly defined way so that it is not intrusive to the end user, it is not violating their privacy or personal life, but it is under the scrutiny of the enterprise when it is in a business context.”

Finally, all the security measures should not add extra steps to employees’ work processes. Doing so only makes it more likely that the workers will try to work around the security, says Ionic’s Ghetti.

“Most circumvention is not maliciously intended — it’s purely just so that users can get their jobs done,” he says. “The security process in place is too high-friction, so they go around it, and in doing so, they are leaking information.”

Monitoring can give companies visibility while not getting in the way of business, he says.


Article source: http://www.darkreading.com/monitoring/protecting-brand-and-data-while-staying/240164774

Old Apple Safaris leave IDs and passwords for scavengers to peck


The fun folks at Kaspersky Labs’ Securelist blog have found something nasty in Apple’s Safari Browser, which they say lists user IDs and passwords in plaintext.

Detailed here, the problem derives from Safari’s retention of browser history as applied in the “Reopen All Windows from Last Session” feature that enables users to quickly revisit the sites they opened during a previous Safari session.


Sadly, however, Kaspersky has found that the document Safari creates to allow such restoration is in plaintext and contains user IDs and passwords. The file is hidden, but isn’t hard to find once you know what you are looking for.

As Kaspersky’s post helpfully points out, “You can just imagine what would happen if cybercriminals or a malicious program got access to the LastSession.plist file on a system where the user logs in to Facebook, Twitter, LinkedIn or their online bank account.”

We can indeed.

Kaspersky’s been kind enough to point out the problem to Apple, and also says it is not aware of any malware targeting the flaw. But the blog post was made last Friday, so perhaps some naughty malware-writers spent the weekend preparing just such a tool.

Apple’s Security feed is silent on the matter, but panic seems premature: Kaspersky says the problem only affects OS X 10.8.5 running Safari 6.0.5 (8536.30.1) and OS X 10.7.5 with Safari 6.0.5 (7536.30.1). ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/16/kaspersky_says_old_apple_safaris_expose_user_ids_and_passwords/

Gmail takes image loading out of users’ hands – here’s how to take it back

gmail-170Do your shoulders feel lighter?

They should if you’re a Gmail user, since Google just lifted from users what one assumes must have been the heavy burden of having to choose whether to display images in email.

You were relieved of this choice as of Friday, when Google announced that Gmail users will now see images automatically.

Automatic image viewing for desktops was enabled on Friday, and we’ll see it on Android and iOS apps in early 2014.

Up until now, we’ve had to mull whether or not we want to view images because all sorts of security sliminess and privacy pitfalls can lurk behind them.

Clicking on images is like leaving whatever fortress you’re holed up in and venturing out into the wide, open, scary world of somebody else’s HTTP territory.

That’s because emailed images, though they might look like they’re part of the email, are normally hosted on a web server controlled by the email sender.

As far as privacy issues go, when you load the images, you not only get to see whatever pretty picture the sender wishes to bestow upon your eyeballs; you’re also sending a message about yourself (an HTTP request) to the email sender.

First off, by clicking on an image, you’re giving the sender any cookies you might have previously received from their website. You’re also giving them your IP address, which can provide a rough idea of your location, and your user-agent string which is a brief description of the browser and operating system you’re using.

Also, unless you’re using a browser or a browser add-on that blocks it, the sender will also get an HTTP referrer (spelled Referer in the header itself): a header field that carries the URL of the page you are on.

Perhaps more useful than all of those though, you’re giving email marketers and spammers confirmation that their email has been read and that your email address is ‘live’.

As Ars Technica’s Ron Amadeo points out:

It’s even possible to uniquely identify each e-mail, so marketers can tell which e-mail address requested the images—they know that you’ve read the e-mail. And if it was spam, this will often earn you more spam since the spammers can tell you’ve read their last e-mail.

So if images are on by default then by the time you’ve looked at an email, determined it’s spam and hit the ‘junk’ button, you’ve already told the spammers that you’ve opened the email.

But wait, there’s more: because the images are fetched from remote, third-party servers, the image file itself can be crafted to exploit vulnerabilities in the software that decodes it, delivering malware to the computers of those who load it.

Google aims to curtail the risks of clicking on remotely hosted images by henceforth serving all images from its own, secure proxy servers.

It will be great – just great! says Google:

Your messages are more safe and secure, your images are checked for known viruses or malware, and you’ll never have to press that pesky “display images below” link again. With this new change, your email will now be safer, faster and more beautiful than ever.

With Google serving as the image middleman, marketers, spammers and phishers should be starved of all that leaky HTTP data. But will they still know who’s opened their emails?

Up until now marketers have been able to look at how many times their images have been loaded and use it to work out, at least roughly, how many times their emails actually got opened.

Now that Google is putting itself between you and the marketers’ servers, it will presumably request each image just once from the original server and then cache it for the benefit of all Gmail users.

That ought to mess up marketers’ “open rates” and prevent confirmation that your email address is active, right? Nope, it won’t help matters at all.

As a Google spokesperson acknowledged when CNET asked, senders can simply use a unique image URL per recipient.

Instead of requesting one image from the sender and caching it, Google would have to ask for each unique URL. This ought to make email open-rate tracking even more accurate than it is now because, thanks to this update, every email that’s opened will automatically download images.
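To make the two points above concrete, here is an added example in Python (not code from the article, Google or any mailer): a small model of a sender’s image host, a mail client that loads images directly, and a caching image proxy of the kind described. It shows what leaks to the sender without a proxy (cookies, IP, user agent, referrer), how a proxy that fetches each URL once hides a shared image’s per-reader loads, and how a unique URL per recipient restores open tracking regardless. The key, host names, addresses and IPs are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Everything below is constructed for the example: the key, the host names,
# the addresses and the IPs are not real.
TRACKING_KEY = b"example-mailer-secret"      # kept server-side by the hypothetical mailer
SENDER_HOST = "img.example-mailer.test"      # hypothetical sender-controlled image host
PROXY_IP = "203.0.113.10"                    # hypothetical proxy address (documentation range)


def _token(campaign: str, recipient: str) -> str:
    """HMAC-derived per-recipient token: ties a request to one address
    without putting the address itself in the URL."""
    msg = f"{campaign}:{recipient}".encode()
    return hmac.new(TRACKING_KEY, msg, hashlib.sha256).hexdigest()[:24]


def tracking_url(campaign: str, recipient: str) -> str:
    """Unique image URL per recipient, the technique the Google spokesperson described."""
    return f"https://{SENDER_HOST}/pixel.gif?c={campaign}&t={_token(campaign, recipient)}"


def shared_url(campaign: str) -> str:
    """One image URL reused for everyone: it counts loads, not people."""
    return f"https://{SENDER_HOST}/banner.png?c={campaign}"


@dataclass
class Recipient:
    email: str
    ip: str
    user_agent: str
    cookie: str          # cookie the sender's site set in the browser on an earlier visit


@dataclass
class OriginServer:
    """The sender's image host. It logs every request that actually reaches it."""
    campaign: str
    audience: list                       # addresses that were mailed, used to resolve tokens
    requests: list = field(default_factory=list)

    def handle(self, url: str, headers: dict, remote_addr: str) -> bytes:
        token = parse_qs(urlparse(url).query).get("t", [""])[0]
        # Recompute the token for each mailed address; a match names the reader.
        who = next((a for a in self.audience
                    if token and hmac.compare_digest(token, _token(self.campaign, a))), None)
        self.requests.append({"recipient": who, "ip": remote_addr,
                              "ua": headers.get("User-Agent"),
                              "cookie": headers.get("Cookie"),
                              "referer": headers.get("Referer")})
        return b"GIF89a"                 # the image bytes do not matter here


def direct_fetch(origin: OriginServer, r: Recipient, url: str) -> bytes:
    """No proxy: the mail client's HTTP request goes straight to the sender,
    carrying the user's cookies, user agent, referrer and source IP."""
    headers = {"User-Agent": r.user_agent, "Cookie": r.cookie,
               "Referer": "https://mail.example.test/inbox"}
    return origin.handle(url, headers, r.ip)


class ImageProxy:
    """Caching proxy of the kind the article describes: fetches each distinct
    URL once from the origin, using its own IP, a generic user agent and no
    user cookies, then serves the cached copy to every later reader."""
    def __init__(self, origin: OriginServer):
        self.origin, self.cache = origin, {}

    def fetch(self, r: Recipient, url: str) -> bytes:
        if url not in self.cache:
            self.cache[url] = self.origin.handle(
                url, {"User-Agent": "ExampleImageProxy/1.0"}, PROXY_IP)
        return self.cache[url]


def simulate(per_recipient: bool, use_proxy: bool) -> dict:
    """Mail one campaign to three constructed recipients, let each open it
    once, and report what the sender's server could learn."""
    campaign = "dec2013"
    people = [Recipient("alice@example.test", "198.51.100.1", "Firefox/26", "sid=alice"),
              Recipient("bob@example.test", "198.51.100.2", "Chrome/31", "sid=bob"),
              Recipient("carol@example.test", "198.51.100.3", "Safari/7", "sid=carol")]
    origin = OriginServer(campaign, [p.email for p in people])
    proxy = ImageProxy(origin)
    for p in people:
        url = tracking_url(campaign, p.email) if per_recipient else shared_url(campaign)
        if use_proxy:
            proxy.fetch(p, url)
        else:
            direct_fetch(origin, p, url)
    return {
        "origin_requests": len(origin.requests),
        "opened_by": sorted(q["recipient"] for q in origin.requests if q["recipient"]),
        "ips_seen": sorted({q["ip"] for q in origin.requests}),
        "cookies_leaked": any(q["cookie"] for q in origin.requests),
    }


if __name__ == "__main__":
    for per_recipient in (False, True):
        for use_proxy in (False, True):
            print(f"unique URL={per_recipient!s:5} proxy={use_proxy!s:5} ->",
                  simulate(per_recipient, use_proxy))
```

Running it shows the four cases side by side: with a shared image and the proxy, the origin sees a single request from the proxy’s address and learns nothing about individual readers; with a per-recipient URL the proxy has to fetch every URL, so the origin still learns exactly who opened the mail, even though the cookies, IP and user agent it sees are now the proxy’s rather than the reader’s.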

This is, in fact, the conclusion reached by security researchers including H.D. Moore and Robert Hansen.

Moore told CNET that the proxy servers will turn on default “read tracking” for all Gmail users, which bestows power on people we don’t necessarily want to empower:

This would allow a stalker or other malicious entity to determine whether the e-mail they sent to a target is being read.

The Google spokesperson pointed out that the proxy server helps protect the recipient’s IP address, geographic location, browser user agent, and “other identifying information.”

OK. But Google could have given their users all that good stuff without taking away their ability to choose whether they want to see images or not.

Luckily, Gmail users can disable automatic image viewing – here’s how:

  1. Open Gmail.
  2. Click the gear icon in the top right.
  3. Select Settings.
  4. Stay in the General tab.
  5. Scroll down to the Images section.
  6. Choose “Ask before displaying external images”.
  7. Click Save Changes at the bottom of the page.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/CSq74hxT33Y/

NSA alleges ‘BIOS plot to destroy PCs’


Senior National Security Agency (NSA) officials have told US news magazine program “60 Minutes” that a foreign nation tried to infect computers with a BIOS-based virus that would have enabled them to be remotely destroyed.

NSA Director General Keith Alexander and Information Assurance Director Debora Plunkett both appeared on the program in an attempt to defend the many unsettling domestic espionage programs revealed by Edward Snowden.


During the interview, the transcript of which can be found here, the pair made the following allegations:

  • A foreign country developed BIOS malware “disguised as a request for a software update” that would have turned PCs into “a brick.” Plunkett said “The NSA working with computer manufacturers was able to close this vulnerability”. 60 Minutes names China as the culprit.
  • The NSA is listening to “Less than 60 people globally who are considered U.S. Persons,” according to Alexander.
  • The NSA prefers to look at metadata rather than intercept communications, as the former is felt to be the “least intrusive” way of snooping.
  • Before 9/11 the USA lacked the capability to match metadata from multiple carriers that would allow understanding of conversations between two parties, and it is felt the lack of such an ability helped the 9/11 plotters evade detection.

The segment appears to have been far from a terrifying experience for the interviewees: the tone is that the NSA is a misunderstood entity doing its best to defend the USA against terrorism and worse. It therefore includes lots of soft stuff about the super-clever folks who work at the NSA and the cryptographic feats performed by its interns. There’s also a quick primer on social engineering and how the bad guys use it to get the good guys clicking on bad things.

How much weight to give to “revelations” like the BIOS attack is therefore hard to assess. One thing seems certain: the NSA has decided it needs to play harder in the battle for hearts and minds in the USA and beyond. 60 Minutes seems to have decided to play along. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/16/nsa_alleges_bios_plot_to_destroy_pcs/