McAfee Blogs https://www.mcafee.com/blogs Securing Tomorrow. Today. Tue, 03 Aug 2021 20:02:14 +0000 en-US hourly 1 https://wordpress.org/?v=5.6.3 https://www.mcafee.com/wp-content/uploads/2018/11/cropped-favicon-32x32.png McAfee Blogs https://www.mcafee.com/blogs 32 32 Hyperautomation and Cybersecurity – A Platform Approach to Telemetry Architectures https://www.mcafee.com/blogs/enterprise/hyperautomation-and-cybersecurity-a-platform-approach-to-telemetry-architectures/ Tue, 03 Aug 2021 19:46:45 +0000 /blogs/?p=125528

Hyperautomation is a process where artificial intelligence (AI), machine learning (ML), event-driven software, and other tools are used to automate...

The post Hyperautomation and Cybersecurity – A Platform Approach to Telemetry Architectures appeared first on McAfee Blogs.

]]>

Hyperautomation is a process where artificial intelligence (AI), machine learning (ML), event-driven software, and other tools are used to automate as many business and IT processes as possible.  Forecasted by Gartner to reach $596.6 billion by 20221, hyperautomation and the global software market that enables it show no signs of slowing.

The myriad of technologies used by a typical organization often are not integrated and exist as siloed disparate tools.  Hyperautomation aims to reduce this “organizational debt” to improve value and brand.  In the context of cybersecurity, a patchwork of stovepipe solutions not only exposes the environment to risk, but also impacts the cyber defender’s ability to fortify the environment and respond to threats at machine speed.  Our target is “shift-left” security — leveraging intelligence to enhance predictability and encourage proactive responses to cyber threats.

The rise of telemetry architectures, combined with cloud adoption and data as the “new perimeter,” pose new challenges to cybersecurity operations.  Organizations will be forced to contend with increased “security debt” unless we figure out how to optimize, connect, and streamline the solutions.  In some cases, we have technologies available to begin this journey (MVISION Insights, MVISION Extended Detection and Response (XDR), MVISION API).  In others, our customers demand more.  They challenge us to build next-generation platforms to see themselves, see their cyberspace, and understand their cyberspace.  Some cyber defenders need more than traditional cyber threat intelligence telemetry to make critical operational impact decisions.

MVISION Insights and MVISION XDR are great starts.  It all begins with the build-up of an appropriate telemetry architecture, and McAfee Enterprise’s billion-sensor global telemetry is unmatched.  Insights provides an automated means to fortify the environment against emerging threats, weaponizing threat intelligence to take a proactive stance in reducing your attack surface from device to cloud.  Why start engaging at an attack’s point of impact when an organization can begin its own awareness at the same point an attacker would?  MVISION XDR brings together the fragmented security solutions accumulated over the years, sharing information and coordinating actions to deliver an effective, unified response across every threat vector.  Workflows are effortless to orchestrate.  The powerful combination of Insights and XDR provides management and visibility of the complete attack lifecycle.  Open architectures reinforce our belief that we are better together and facilitate a cybersecurity ecosystem consistent with the concepts of hyperautomation enablement.

Figure 1 – Attack Lifecycle

Where can we go from here?  How do we secure tomorrow?  From my perspective, we should expand the definition and scope of cybersecurity.

The answer is to look beyond traditional cyber threat telemetry; external factors (environmental, social media, geolocation, law enforcement, etc.) truly matter and are vital in making business impact decisions.  Complete operational visibility, and the ability to investigate, research, and rationalize what matters most to make accurate, critical judgments, is the missing link.  This is a Cyber Common Operating Picture (COP).  A natural extension of our current initiatives within the industry, a COP answers the growing need to provide an integrated cyber defender’s visualization workbench that manages multiple data telemetry sources (beyond cyber threats) and delivers our customers wisdom – a true understanding – regarding their cyberspace on a local, regional, and global scale.

Telemetry data represents change, and telemetry architectures will require new forms of advanced analytics, AI, and ML to make sense of the vast sea of all-source intelligence flowing in from the environment to enhance observations and take definitive action.  If we can “shift-left” for cyber threats, we can leverage that same predictability to identify and prepare for the impact of peripheral threats.  Open source, custom, and third-party data feeds are widely available and create integration opportunities with emerging markets and capabilities to solve unique challenges typically not associated with our platform:

  • How do we identify network or infrastructure hardware (IoT, OT, Industrial Control System) that is on the brink of failing?
  • Can we identify the exact geolocation from which a current cyber-attack is being launched?
  • Does social media and law enforcement chatter indicate a physical threat could be imminent near our headquarters?
  • How do we fuse/correlate inputs from myriad sources to develop regional situational awareness in all layers of cyberspace?

Non-traditional sensor telemetry, a multitude of feeds, and threat intelligence must be overlayed across the Cyber COP to provide AI-driven predictability modeling for next-gen systems and actionable conclusions.  This is a potential future for how hyperautomation can impact cybersecurity; this is orchestrating beyond standard capabilities and expanding the definition and scope of how our complex environments are secured.  AI engineering strategies will continue to expand and deliver data analytics at machine speeds.

McAfee Enterprise has always been a proponent of a platform approach to cybersecurity, creating interoperability and extending the security investments its customers have made. Loosely coupled security systems introduce gaps, and hyperautomation aims to solve that at a much larger scale.  As we look toward the future, we can collectively build the requirements for the next generation of security solutions and broaden the scope of how we defend against our common adversaries. I am confident that the technologies currently exist to provide the framework(s) of a COP solution for enhanced cyber situational awareness.

 

Source: 1Gartner Press Release: Gartner Forecasts Worldwide Hyperautomation-Enabling Software Market to Reach Nearly $600 Billion by 2022 (April 28, 2021)

 

The post Hyperautomation and Cybersecurity – A Platform Approach to Telemetry Architectures appeared first on McAfee Blogs.

]]>
Data as a Strategic Asset – Securing the New Perimeter in the Public Sector https://www.mcafee.com/blogs/enterprise/data-as-a-strategic-asset-securing-the-new-perimeter-in-the-public-sector/ Tue, 03 Aug 2021 19:38:36 +0000 /blogs/?p=125519

Every organization has data moving to the multi-cloud; digital transformation is occurring rapidly, is here to stay, and is impacting...

The post Data as a Strategic Asset – Securing the New Perimeter in the Public Sector appeared first on McAfee Blogs.

]]>

Every organization has data moving to the multi-cloud; digital transformation is occurring rapidly, is here to stay, and is impacting every major industry.  Organizations are working hard to adopt Zero Trust architectures as their critical information, trade secrets, and business applications are no longer stored in a single datacenter or location. As a result, there is a rapid shift to cloud resources to support dynamic mission requirements, and the new perimeter to defend is data.  At its core, Zero Trust is a data-centric model and is fundamental to what McAfee Enterprise offers.  In the Public Sector, data has now been classified as a strategic asset – often referred to as the “crown jewels” of an organization. Reinforced by the publication of the DoD Zero Trust Reference Architecture, we have arrived at a crossroads where demonstrating a sound data strategy will be a fundamental requirement for any organization.

All DoD data is an enterprise resource, meaning data requires consistent and uniform protections wherever it is created or wherever it traverses. This includes data transmitted across multi-cloud services, through custom mission applications, and on devices.  Becoming a data-centric organization requires that data be treated as the primary asset. It must also be available so that it can be leveraged by other solutions for discovery and analytics purposes.  To achieve this, interoperability and uniform data management are strategic elements that underpin many sections of DoD’s official vision of Zero Trust.

Let us dissect how the DoD plans to create a data advantage and where McAfee Enterprise can support these efforts as we explore the four essential capabilities – Architecture, Standards, Governance, and Talent & Culture:

Figure 1 – DoD Data Strategy Framework

Architecture:

McAfee Enterprise’s open architectural methodology emphasizes the efficiencies that cloud adoption and open frameworks can offer.  The ability to leverage agile development and continuously adapt to dynamic mission requirements – faster than our adversaries – is a strategic advantage.  Data protection and cloud posture, however, must not take a back seat to innovation.

The rapid pace of cloud adoption introduces new risks to the environment; misconfigurations and mistakes happen and are common. Vulnerabilities leave the environment exposed as DevOps tends to leverage open-source tools and capabilities.  Agile development introduces a lot of moving parts as applications are updated and changed at an expedited pace and based on shorter, prescriptive measures. Customers also utilize multiple cloud service providers (CSP) to fit their mission needs, so consistent and uniform data management across all the multi-cloud services is a necessity.  We are at a pivotal inflection point where native, built-in CSP protections have introduced too much complexity, overhead, and inconsistency. Our data security solution is a holistic, open platform that enforces standardized protections and visibility across the multi-cloud.

Together with our partners, we support the architecture requirements for data-centric organizations and take charge as the multi-cloud scales.  Several items – visibility and control over the multi-cloud, device-to-cloud data protection, cloud posture, user behavior and insider threat – play into our strengths while organic partner integrations (e.g., ZTNA) further bolster the Zero Trust narrative and contribute to interoperability requirements.  We are better together and can facilitate an open architecture to meet the demands of the mission.

Standards:

DoD requires proven-at-scale methods for managing, representing, and sharing data of all types, and an open architecture should be used wherever possible to avoid stovepiped solutions and facilitate an interoperable security ecosystem.  Past performance is key, and McAfee Enterprise has a long track record of delivering results, which is crucial as the DoD moves into a hybrid model of management.

Data comes in many forms, and the growth of telemetry architectures requires machines to do more with artificial intelligence and machine learning to make sense of data.  How do we share indicators of compromise (IoCs) so multiple environments – internal and external – can leverage intelligence from other organizations?  How do we share risks in multi-clouds and ensure data is secured in a uniform manner?  How do we weaponize intelligence to shift “left of boom” and eliminate those post-compromise autopsies?  Let’s explore how McAfee Enterprise supports data standards.

Made possible by Data Exchange Layer (DXL) and a strategic partner, the sharing of threat intelligence data has proven successful.  Multiple environments participate in a security-connected ecosystem where an “attack against one is an attack against all” and advanced threats are detected, stopped, and participants are inoculated in near real-time.  This same architecture scales to the hybrid cloud where the workloads in cloud environments can benefit from broad coverage.

Furthermore, DXL was built as open source to foster integrations and deliver cohesive partner solutions to promote interoperability and improve threat-informed intelligence.  All capabilities speak the same language, tip and cue, and provide much greater return on investment. Consider the sharing of cloud-derived threats.  No longer should we be limited to traditional hashes or IoCs. Perhaps we should share risky or malicious cloud services and/or insider threats.  Maybe custom-developed solutions should leverage our MVISION platform via API to take advantage of the rich global telemetry and see what we see.

Our global telemetry is unmatched and can be leveraged to organizations’ advantage to proactively fortify the device-to-cloud environment, effectively shifting security to the “left” of impact. This is all done through the utilization of MVISION Insights.  Automated posture assessments pinpoint where potential gaps in an organization’s countermeasures may exist and provide the means to take proactive action before it is hit.  Through MVISION Insights, cyber operators can learn about active global campaigns, emerging threats, and whether an organization is in the path – or even the target.  Leadership can grasp the all-important risk metric and deliver proof that the security investments are working and operational.  Combined with native MITRE ATT&CK Framework mappings – an industry standard being mapped across our portfolio – this proactive hardening is a way we use threat telemetry to customers’ advantage.

Standardized data protection, end-to-end, across all devices and multi-cloud services is a key tenant of the DoD Data Strategy.  Protecting data wherever it lives or moves, retaining it within set boundaries and making it available to approved users and devices only, and enforcing consistent controls from a single, comprehensive solution spanning the entire environment is the only data security approach.  This is what Unified Cloud Edge (UCE) does. This platform’s converged approach is tailored to support DoD’s digital transformation to the multi-cloud and its journey to a data-centric enterprise.

Governance:

DoD’s data governance element is comprised of the policies, procedures, frameworks, tools, and metrics to ensure data is managed at all levels, from when it is created to where it is stored.  It encompasses increased data oversight at multiple levels and ensures that data will be integrated into future modernization initiatives.  Many organizations tend to be driven by compliance requirements (which typically outweigh security innovation) unless there is an imminent mission need; we now have the compliance requirement.  Customers will need to demonstrate a proper data protection and governance strategy as multi-cloud adoption matures.  What better way to incorporate Zero Trust architectures than by leveraging UCE?  Remember, this is beyond the software defined perimeter.

McAfee Enterprise can monitor, discover, and analyze all the cloud services leveraged by users – both approved and unapproved (Shadow IT) – and provide a holistic assessment.  Closed loop remediation ensures organizations can take control and govern access to the unapproved or malicious services and use the information to lay the foundation for building effective data protection policies very relevant to mission needs.

Granular governance and control – application-level visibility – by authenticated users working within the various cloud services is just as important as controlling access to them.  Tight API integrations with traditional SaaS services guarantee only permitted activities occur.  With agile development on the rise, it is just as important that the solution is flexible to control these custom apps in the same way as any commercial cloud service.  Legacy mission applications are being redesigned to take advantage of cloud scale and efficiency; McAfee Enterprise will not impose limits.

Governance over cloud posture is equally important, and customers need to ensure the multi-cloud environment is not introducing any additional source of risk.  Most compromises are due to misconfigurations or mistakes that leave links, portals, or directories open to the public.  We evaluate the multi-cloud against industry benchmarks and best practices, provide holistic risk scoring, and provide the means to remediate these findings to fortify an organization’s cloud infrastructure.

Unified data protection is our end goal; it is at the core of what we do and how we align to Zero Trust.  Consistent protections and governance over data wherever it is created, wherever it goes, from device to multi-cloud.  The same engine is shared across the environment and provides a single place for incidents and management across the enterprise.  Customers can be confident that all data will be tracked and proper controls enforced wherever its destination may be.

Talent and Culture:

Becoming a data-centric organization will require a cultural change.  Decision-making capabilities will be empowered by data and analytics as opposed to experienced situations and scenarios (e.g., event response). Machine learning and artificial intelligence will continue to influence processes and procedures, and an open ecosystem is needed to facilitate effective collaboration. Capabilities designed to foster interoperability and collaboration will be the future.  As more telemetry is obtained, solutions must support the SOC analyst with reduced noise and provide relevant, actionable data for swift decision-making.

At McAfee Enterprise, we hear this.  UCE provides simplified management over the multi-cloud to ensure consistent and unified control over the environment and the data.  No other vendor has the past performance at scale for hybrid, centralized management.  MVISION Insights ensures that environments are fortified against emerging threats, allowing the cyber operators to focus on the security gaps that can leave an organization exposed.  Threat intelligence sharing and an open architecture has been our priority over the past several years, and we will continue to enrich and strengthen that architecture through our platform approach.  There is no silver bullet solution that will meet every mission requirement, but what we can collectively do is ensure we are united against our adversaries.

Data and Zero Trust will be at the forefront as we move forward into adopting cloud in the public sector.  There is a better approach to security in this cloud-first world. It is a mindset change from the old perimeter-oriented view to an approach based on adaptive and dynamic trust and access controls.  McAfee’s goal is to ensure that customers can support their mission objectives in a secure way, deliver new functionality, improved processes, and ultimately give better return on investments.

We are better together.

The post Data as a Strategic Asset – Securing the New Perimeter in the Public Sector appeared first on McAfee Blogs.

]]>
3 Tips to Protect Yourself From XLoader Malware https://www.mcafee.com/blogs/consumer/consumer-cyber-awareness/3-tips-to-protect-yourself-from-xloader-malware/ Tue, 03 Aug 2021 16:50:52 +0000 /blogs/?p=125411

Picture this: you open your MacBook and see an email claiming to be from your favorite online store. In the email,...

The post 3 Tips to Protect Yourself From XLoader Malware appeared first on McAfee Blogs.

]]>

Picture this: you open your MacBook and see an email claiming to be from your favorite online store. In the email, there is an attachment with “important information regarding your recent purchase.” Out of curiosity, you open the attachment without checking the recipient’s email address. The next thing you know, your device is riddled with malware.  

Unfortunately, this story is not far from reality. Contrary to popular belief, Apple computers can get viruses, and XLoader has Mac users in their sights.  

Let’s break down XLoader’s ‘s origins and how this malware works.  

Where Did XLoader Come From? 

XLoader originated from FormBook, which has been active for at least five years and is among the most common types of malware. Designed as a malicious tool to steal credentials from different web browsers, collect screenshots, monitor and log keystrokes, and more, FormBook allowed criminals to spread online misfortune on a budget. Its developer, referred to as ng-Coder, charged $49, a relatively cheap price to use the malware, making it easily accessible to cybercriminals.  

Although ng-Coder stopped selling FormBook in 2018, this did not stop cybercriminals from using it. Those who had bought the malware to host on their own servers continued to use it, and in turn, quickly noticed that FormBook had untapped potential. In February 2020, FormBook rebranded to XLoader. XLoader can now target Windows systems and macOS devices.  

How XLoader Works  

Typically, XLoader is spread via fraudulent emails that trick recipients into downloading a malicious file, such as a Microsoft Office document. Once the malware is on the person’s device, an attacker can eavesdrop on the user’s keystrokes and monitors. Once a criminal has collected enough valuable data, they can make fake accounts in the victim’s name, hack their online profiles, and even access their financial information.  

Minimize Your Risk of macOS Malware Attacks 

According to recent data, Apple sold 20 million Mac and MacBook devices in 2020. With macOS’s growing popularity, it is no surprise that cybercriminals have set their sights on targeting Mac users. Check out these tips to safeguard your devices and online data from XLoader and similar hacks:  

1. Avoid suspicious emails and text messages  

Hackers often use phishing emails or text messages to distribute and disguise their malicious code. Do not open suspicious or irrelevant messages, as this can result in malware infection. If the message claims to be from a business or someone you know, reach out to the source directly instead of responding to the message to confirm the sender’s legitimacy.   

2. Avoid sketchy websites.  

Hackers tend to hide malicious code behind the guise of fake websites. Before clicking on an unfamiliar hyperlink, hover over it with your cursor. This will show a preview of the web address. If something seems off (there are strange characters, misspellings, grammatical errors, etc.) do not click the link.  

3. Recruit the help of a comprehensive security solution 

Use a solution like McAfee Total Protection, which can help protect devices against malware, phishing attacks, and other threats. It also includes McAfee WebAdvisor — a tool that identifies malicious websites.  

Regardless of whether you use a PC or a Mac, it is important to realize that both systems are susceptible to cyberthreats that are constantly changing. Do your research on prevalent threats and software bugs to put you in a great position to protect your online safety.   

 Put Your Mind at Ease With Security Best Practices 

XLoader is just the latest example of how the gap between the prevalence of PC versus macOS malware is steadily closing. To better anticipate what threats could be around the corner and how to best combat them, stay updated on all of the latest online safety trends and practice great security habits. This will not only help protect your devices and online accounts but also bring you greater peace of mind.  

Stay Updated  

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.   

 

The post 3 Tips to Protect Yourself From XLoader Malware appeared first on McAfee Blogs.

]]>
Introducing MVISION Private Access https://www.mcafee.com/blogs/enterprise/cloud-security/introducing-mvision-private-access/ Tue, 03 Aug 2021 03:00:53 +0000 /blogs/?p=125216

Enabling Zero Trust Access with End-to-end Data Security and Continuous Risk Assessment The current business transformation and remote workforce expansion...

The post Introducing MVISION Private Access appeared first on McAfee Blogs.

]]>

Enabling Zero Trust Access with End-to-end Data Security and Continuous Risk Assessment

The current business transformation and remote workforce expansion require zero trust access to corporate resources, with end-to-end data security and continuous risk assessment to protect applications and data across all locations – public clouds, private data centers, and user devices.  MVISION Private Access is the industry’s first truly integrated Zero Trust Network Access solution that enables blazing fast, granular “Zero Trust” access to private applications and provides best-in-class data security with leading data protection, threat protection, and endpoint protection capabilities, paving the way for accelerated Secure Access Service Edge (SASE) deployments.

We are currently operating in a world where enterprises are borderless, and the workforce is increasingly distributed. With an increasing number of applications, workloads and data moving to the cloud, security practitioners today face a wide array of challenges while ensuring business continuity, including:

  • How do I plan my architecture and deploy assets across multiple strategic locations to reduce network latency and maintain a high-quality user experience?
  • How do I keep a tight control over devices connecting from any location in the world?
  • How do I ensure proper device authorization to prevent over-entitlement of services?
  • How do I maintain security visibility and control as my attack surface increases due to the distributed nature of data, users, and devices?

Cloud-based Software-as-a-Service (SaaS) application adoption has exploded in the last decade, but most organizations still rely heavily on private applications hosted in data centers or Infrastructure-as-a-Service) IaaS environments. To date Virtual Private Networks (VPN) have been a quick and easy fix for providing remote users access to sensitive internal applications and data. However, with remote working becoming the new normal and organizations moving towards cloud-first deployments, VPNs are now challenged with providing secure connectivity for infrastructures they weren’t built for, leading to bandwidth, performance, and scalability issues. VPNs also introduce the risk of excessive data exposure, as any remote user with valid login keys can get complete access to the entire internal corporate network and all the resources within.

Enter Zero Trust Network Access, or ZTNA! Built on the fundamentals of “Zero Trust”, ZTNAs deny access to private applications unless the user identity is verified, irrespective of whether the user is located inside or outside the enterprise perimeter. Additionally, in contrast to the excessive implicit trust approach adopted by VPNs, ZTNAs enable precise, “least privileged” access to specific applications based upon the user authorization.

We are pleased to announce the launch of MVISION Private Access, an industry-leading Zero Trust Network Access solution with integrated Data Loss Prevention (DLP) and Remote Browser Isolation (RBI) capabilities. With MVISION Private Access, organizations can enable fast, ubiquitous, direct-to-cloud access to private resources from any remote location and device, allow deep visibility into user activity, enforce data protection over the secure sessions to prevent data misuse or theft, isolate private applications from potentially risky user devices, and perform security posture assessment of connecting devices, all from a single, unified platform.

Why does ZTNA matter for remote workforce security and productivity?

Here are the key capabilities offered by ZTNA to provide secure access for your remote workforce:

  • Direct-to-app connectivity: ZTNA facilitates seamless, direct-to-cloud and direct-to-datacenter access to private applications. This eliminates unnecessary traffic backhauling to centralized servers, reducing network latency, improving the user experience and boosting employee productivity.
  • Explicit identity-based policies: ZTNA enforces granular, user identity-aware, and context-aware policies for private application access. By eliminating the implicit trust placed on multiple factors, including users, devices and network location, ZTNA secures organizations from both internal and external threats.
  • Least-privileged access: ZTNA micro-segments the networks to create software-defined perimeters and allows “least privileged” access to specific, authorized applications, and not the entire underlying network. This prevents overentitlement of services and unauthorized data access. Micro-segmentation also significantly reduces the cyberattack surface and prevents lateral movement of threats in case of a breach.
  • Application cloaking: ZTNA shields private applications behind secure gateways and prevents the need to open inbound firewall ports for application access. This creates a virtual darknet and prevents application discovery on public Internet, securing organizations from Internet-based data exposure, malware and DDoS attacks.

Is securing the access enough? How about data protection?

Though ZTNAs are frequently promoted as VPN replacements, nearly all ZTNA solutions share an important drawback with VPNs – lack of data awareness and risk awareness. First-generation ZTNA solutions have categorically focused on solving the access puzzle and have left data security and threat prevention problems unattended. Considering that ubiquitous data awareness and risk assessment are the key tenets of the SASE framework, this is a major shortcoming when you consider how much traffic is going back and forth between users and private applications.

Moreover, the growing adoption of personal devices for work, oftentimes connecting over unsecure remote networks, significantly expands the threat surface and increases the risk of sensitive data exposure and theft due to lack of endpoint, cloud and web security controls.

Addressing these challenges requires ZTNA solutions to supplement their Zero Trust access capabilities with centralized monitoring and device posture assessment, along with integrated data and threat protection.

MVISION Private Access

MVISION Private Access, from McAfee Enterprise, is designed for organizations in need for an all-encompassing security solution that focuses on protecting their ever-crucial data, while enabling remote access to corporate applications. The solution combines the secure access capabilities of ZTNA with the data and threat protection capabilities of Data Loss Prevention (DLP) and Remote Browser Isolation (RBI) to offer the industry’s leading integrated, data-centric solution for private application security, while utilizing McAfee’s industry-leading Endpoint Security solution to derive deep insights into the user devices and validating their security posture before enabling zero trust access.

MVISION Private Access allows customers to immediately apply inline DLP policies to the collaboration happening over the secure sessions for deep data inspection and classification, preventing inappropriate handling of sensitive data and blocking malicious file uploads. Additionally, customers can utilize a highly innovative Remote Browser Isolation solution to protect private applications from risky and untrusted unmanaged devices by isolating the web sessions and allowing read-only access to the applications.

Fig. 1: MVISION Private Access

Private Access further integrates with MVISION Unified Cloud Edge (UCE) to enable defense-in-depth and offer full scope of data and threat protection capabilities to customers from device-to-cloud. Customers can achieve the following benefits from the integrated solution:

  • Complete visibility and control over data across endpoint, web and cloud.
  • Unified incident management across control points with no increase in operational overhead, leading to total cost of ownership (TCO) reduction.
  • Multi-vector data protection, eliminating data visibility gaps and securing collaboration from cloud to third-parties.
  • Defending private applications against cloud-native threats, advanced malware and fileless attacks.
  • Continuous device posture assessment powered by industry-leading endpoint security.

Additionally, UCE’s Hyperscale Service Edge, that operates at 99.999% service uptime and is powered by intelligently peered data centers, provides blazing fast, seamless experience to private access users. Authentication via Identity Providers eliminates the risk of threat actors infiltrating the corporate networks using compromised devices or user credentials.

What Sets MVISION Private Access apart?

With dozens of ZTNA solutions on the market, we’ve made sure that MVISION Private Access stands out from the crowd with the following:

  • Integrated data loss prevention (DLP) and industry-leading Remote Browser Isolation (RBI): Enables advanced threat protection and complete control over data collaborated through private access sessions, preventing inappropriate handling of sensitive data, blocking files with malicious content and securing unknown traffic activity to prevent malware infections on end-user devices.
  • SASE readiness with UCE integration: MVISION Private Access converges with MVISION UCE to deliver complete data and threat protection to any device at any location in combination with other McAfee security offerings, that include Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Endpoint Protection, while enabling direct-to-cloud access in partnership with leading SD-WAN vendors. This ensures a consistent user experience across web, public SaaS, and private applications.
  • Endpoint security and posture assessment: MVISION Private Access leverages industry-leading McAfee Endpoint Security powered by proactive threat intelligence from 1 billion sensors to evaluate device and user posture, which informs a risk-based zero trust decision in real-time. The rich set of telemetry, which goes well beyond the basic posture checking performed by competitive solutions, allows organizations to continuously assess the device and user risks, and enforce adaptive policies for private application access.
  • Securing unmanaged devices with clientless deployments: MVISION Private Access secures access from unmanaged devices through agentless, browser-based deployment, enabling collaboration between employees, external partners or third-party contractors in a most frictionless manner.

With MVISION Private Access customers can establish granular, least privileged access to their private applications hosted across cloud and IT environments, from any device and location, while availing all the goodness of McAfee’s leading data and threat protection capabilities to accelerate their business transformation and enable the fastest route to SASE. To learn more, visit www.mcafee.com/privateaccess.

 

 

 

The post Introducing MVISION Private Access appeared first on McAfee Blogs.

]]>
7 Safety Tips to Schooling in a Digital World https://www.mcafee.com/blogs/consumer/family-safety/7-safety-tips-to-schooling-in-a-digital-world/ Mon, 02 Aug 2021 13:02:52 +0000 /blogs/?p=124913

This fall, many students are headed back-to-school full time. However, just as workplaces now accommodate for remote work, schools are...

The post 7 Safety Tips to Schooling in a Digital World appeared first on McAfee Blogs.

]]>

This fall, many students are headed back-to-school full time. However, just as workplaces now accommodate for remote work, schools are accommodating hybrid learning environments. While this may signal the end of things like snow days, it’s also created a new, more flexible style of learning that relies on computers, online connectivity, and apps to connect students with teachers and learning resources. It’s also a trend that’s not without risk, as evidenced by the more than 900 cybersecurity incidents, including personal data breaches, since 2016, according to the K-12 Cybersecurity Resource Center. This new style of learning comes with many implications for cybersecurity that we’ll discuss below, along with ways to protect learners and students of all ages.

Digital School Safety Tips 

1. Set camera guidelines 

Cameras and video conferencing software have become an integral part of the online learning experience. In the early days of 2020, we saw growing pains in the form of Zoom bombing, unintended sharing, and, on the lighter side, people learning to use fake backgrounds with hilarious consequences. And while many of these wrinkles have been smoothed out, for online learners, the fact remains that privacy is at risk anytime they use a camera.  

Younger students:  

  • Work with your child and their instructors to figure out the most appropriate times to use the camera. When not using the camera on their device, teach your child how to cover it to ensure privacy. Many new laptops come with a manual switch that allows the camera to be blocked. 

Older students:  

  • Teens have more autonomy, and apps are probably a major part of their social and learning life. That’s why it’s a great idea to remind teens to never accept video chats, screen shares, instant messages, phone calls or files from strangers, even if it’s in an app they’re familiar with.

2. Use tools that protect your child while they’re learning online

The good news is that while we’re all navigating the new world of learning online, there are more tools than ever to help you do so safely. A comprehensive security suite, like one of McAfee’s products, contains many of these security tools in one package, including tools for:  

Younger students: 

  • Parental controls – A good parental controls suite allows you to not only restrict web site access, but also set limits on screen time and track activity on your child’s devices. McAfee offers parental controls in the form of McAfee Safe Family. 
  • Parent versions of learning apps – The app being used to teach an online classroom may offer a version for parents. It’s often a simpler version of the one your child is using, but it will allow you to become familiar with the software and may even offer some privacy settings. 

Older students: 

  • VPN – This is a powerful tool for protecting your privacy online. Teach your teens how to create a secure connection to the internet anytime they log in by using a VPN (virtual private network) to hide their activity and connection details from prying eyes. McAfee’s VPN uses bank-grade encryption to keep their private information secure. 

3. Invest wisely in your child’s learning tools 

Your child or teen’s portal to their online classroom is an important investment. After all, you’ll want them to be able to connect securely, communicate easily, and be able to handle any kind of online work they may need to do. Depending on the age of your child, this device may also have to be bomb-proof. Don’t worry some experts have already done the thinking for you with this list of computers for online learners. 

4. Recognize that some information should always stay private 

There are many apps being used to facilitate online learning. And chances are, students will have to register, log-in, and provide identification. Regardless of age, here’s what NOT to provide. 

  • Don’t sign up with a personal email address. Schools should provide an email address or a username and password. 
  • Don’t put too much personal information in the app profile. Keep location, phone number and dates of birth private if possible. 
  • Make sure your student always keeps their login info to education apps private and that they don’t share their account with anyone, including classmates. 

5. Online learning can be a family affair

Younger students: 

  • Create an online workspace that’s sufficiently quiet for your child to get their homework done, but also someplace that can be easily checked in on by you and other adults in your child’s life.  

Older students: 

  • Teens should expect that adults will be around and looking in on their activity online, whether they’re learning or talking to friends. You can model this with your own behavior by using devices openly and practicing good security habits. 

6. Introduce the concept of digital citizenship 

When students are learning in-person, the concept of being a good citizen is one that’s reinforced in the classroom and on the playground. Online, as students use forums, chats, and even social media to communicate, the concept of digital citizenship is just as important. 

  • Talk to your child and teen about what you expect from their conduct online. Monitor the apps they use for school and make sure they understand what is appropriate to write on them. After all, these messages may be visible to the school administrators, or even college admissions officials. Help them understand that creating a safe space to learn takes everyone’s effort, not just the teachers. 

7. In the brave new world of online learning, offline breaks are more important than ever. 

There’s a reason elementary schools have recess and high schools have lunch breaks. It gives kids time to step away from the books, stretch their legs, and refresh their minds. The same concept applies with online learning.  

Younger students:  

  •  Take a break at least every 30 minutes to stretch and walk around. 

Older students: 

  • A teen may have a longer attention span, but breaks are still important and, crucially, it’s important they don’t spend their break in front of another screen. 

More resources for improving digital wellness while learning online 

For more extensive information about any of the recommendations above, please visit these resources. 

Resources for parents 

Resources for all ages

Stay Updated 

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.  

The post 7 Safety Tips to Schooling in a Digital World appeared first on McAfee Blogs.

]]>
The New McAfee: A Bold New World of Protection Online https://www.mcafee.com/blogs/consumer/mcafee-consumer-news/the-new-mcafee-a-bold-new-world-of-protection-online/ Fri, 30 Jul 2021 18:30:27 +0000 /blogs/?p=125195 McAfee Update

This news has been some time in the making, and I’m terrifically excited to share it.   As of July 27th, we take a...

The post The New McAfee: A Bold New World of Protection Online appeared first on McAfee Blogs.

]]>
McAfee Update

This news has been some time in the making, and I’m terrifically excited to share it.  

As of July 27th, we take a decisive step forward, one where McAfee places its sole focus on consumers. People like you. This marks the day we officially divest our enterprise business and dedicate ourselves to protecting people so they can freely enjoy life online. 

McAfee is now focused solely on people. People like you. 

This move reflects years of evolution, time spent re-envisioning what online protection looks like in everyday life—how to make it stronger, easier to use, and most importantly, all the ways it can make you feel safe and help you stay that way.   

In the coming days, you’ll see your experience with us evolve dramatically as well. You’ll see advances in our online protection that look, feel, and act in bold new ways. They will put you in decisive control of your identity and privacy, all in a time where both are so infringed upon. And you’ll also see your protection get simpler, much simpler, than before. 

Today, I’d like to give you a preview of what’s ahead. 

You’re driving big changes 

First, these changes are inspired by you. From feedback, research, interviews, and even having some of you invite us into your homes to show us how you live life online, you’ve made it clear what’s working and what isn’t. You’ve also shared what’s on your mind—your thoughts on technology’s rapid growth, the concerns you have for your children, and the times where life online makes you feel vulnerable.  

We’re here to change things for the better. And here’s why …  

Our lives are more fluid and mobile than ever before. From the palm of our hand, we split the cost of dinner, purchase birthday gifts, dim the lights in our living room, warm up the car on a winter morning, and far more. In many ways, our smartphones are the remote control for our lives. From managing our finances to controlling our surroundings, we’re increasing our use of technology to get things done and make things happen. Could any of us have imagined this when the first smartphones rolled out years ago? 

Without question, we’re still plenty reliant on our computers and laptops too. Our recent research showed that we’re looking forward to using them in addition to our phones for telemedicine, financial planning, and plenty of personal shopping—each representing major upticks in usage than in years before, up to 74 percent more in some cases. 

Yet what’s the common denominator here? You. Whatever device you’re using, at the center of all that activity is you. You’re the one who’s getting things done, making things happen, or simply passing some time with a show. So, while the device remains important, what’s far more important is you—and the way you’re using your device for ever-increasing portions of your life. Safely. Confidently. Easily. 

Security is all about you 

Taken together, the time to squarely focus on protecting people is now. A new kind of online security is called for, one that can protect you as you go online throughout your day in a nearly constant and seamless fashion. We’ve dedicated ourselves to making that happen. And you’ll soon see what that looks like. 

So how can you expect this evolution to take shape? You’ll see it in three significant ways: 

1. Personalized experience. We’re building security that protects you effortlessly wherever your day takes you. From device to device, place to place, and all the experiences online in between. Think of our approach to online protection like Netflix, which used to be a physical service where you waited in queue for that next episodic DVD of Lost to get mailed to you. Now your shows follow you and stream anywhere, no matter what device you’re on. It’s the same thing with our security. It will recognize you and protect you whether you’re at home or by the pool on vacation, on your laptop, or your phone, with one consistent experience. Again, it’s all about you. Keeping you protected as you enjoy every perk and convenience of life online.

2. Intelligent experience. The next evolution builds on personalization and takes it a step further. This is security that understands when you and your personal info is at risk and then takes intelligent steps to protect you. This could be your smartphone automatically connecting to VPN when you’re at the airport, keeping you safe from prying eyes on public networks. It could also be alerts to you if your personal info is compromised so you can take steps to protect it. Or it could be a simple suggestion to help keep you safe while browsing, shopping, or banking online. In all, it’s intelligence that helps you stay safe and make safe choices.

3. Simpler experience. With this personalization and intelligence in place, you can protect everyone in your family far more easily than ever. It becomes practically automatic. Regardless of their age, interests, or how much they know about technology, this simplified approach to online security makes smart choices for you and your family wherever possible, steering them clear of threats and keeping everyone safer as a result. 

What won’t change? 

Us at your side. New and existing customers alike will still benefit from McAfee’s award-winning technology as you always have. Further advances and features will roll out to you as part of the regular updates as they become available for your subscription. In all, you’ll always have the latest and greatest benefits of your product with us 

As for our future, expect more to come. Your confidence in us both fuels and informs these leaps ahead. Thank you as always for choosing us for your protection. It allows us to invest in breakthroughs that keep you safe against new and evolving threats, just as we have as a market leader for years. 

A bold new world of protection online 

The new McAfee is focused on you. It’s a bold new world of protection online, where you are in control of your identity and privacy, where you have intelligence that offers right protection in the right moment, where you can simply feel safe, and where you’re ultimately free to enjoy your life online at every turn. 

Here’s to what’s next. And I can’t wait for you to experience it. 

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.  

The post The New McAfee: A Bold New World of Protection Online appeared first on McAfee Blogs.

]]>
Introducing MVISION Cloud Firewall – Delivering Protection Across All Ports and Protocols https://www.mcafee.com/blogs/enterprise/cloud-security/introducing-mvision-cloud-firewall-delivering-protection-across-all-ports-and-protocols/ Thu, 29 Jul 2021 15:17:11 +0000 /blogs/?p=125183

Architected for the cloud-first and remote-first deployments, MVISION Cloud Firewall secures access to applications and resources on the internet, accessed...

The post Introducing MVISION Cloud Firewall – Delivering Protection Across All Ports and Protocols appeared first on McAfee Blogs.

]]>

Architected for the cloud-first and remote-first deployments, MVISION Cloud Firewall secures access to applications and resources on the internet, accessed from every remote site and location, through a cloud-native service model. The solution inspects end-to-end user traffic – across all ports and protocols, enabling unified visibility and policy enforcement across the organizational footprint. Powered by McAfee Enterprise’s industry leading next-generation intrusion detection and prevention system, contextual policy engine and advanced threat detection platform, and supported by Global Threat Intelligence feeds, MVISION Cloud Firewall proactively detects and blocks emerging threats and malware with a high degree of accuracy, uniquely addressing the security challenges of the modern remote workforce. MVISION Cloud Firewall is an integral component of McAfee Unified Cloud Edge, offering organizations an all-encompassing, cloud-delivered Secure Access Service Edge (SASE) security solution for accelerating their business transformation.

Wherever networks went, firewalls followed

For a long time, firewalls and computer networks were like conjoined twins. Businesses simply could not afford to run an enterprise network without deploying a security system at the edge to create a secure perimeter around their crown jewels. The growing adoption of web-based protocols and their subsequent employment by cybersecurity adversaries for launching targeted malware attacks, often hidden within encrypted traffic, saw the emergence of next-generation firewall (NGFW) solutions. Apart from including stateful firewall and unified threat management services, NGFWs offered multi-layered protection and performed deep packet inspection, allowing organizations greater awareness and control over the applications to counter web-based threats.

Cloud computing changed the playing field

But things took a dramatic turn with the introduction of cloud computing. Cloud service providers came up with an offer the organizations could not refuse – unlimited computing power and storage volumes at significantly lower operating costs, along with the option to seamlessly scale business operations without hosting a single piece of hardware on-premises. Hence began the mass exodus of corporate data and applications to the cloud. Left without a fixed network perimeter to protect, the relationship between firewalls and networks entered complicated terms. While the cloud service providers offered a basic level of security functionality, they lacked the muscle power of on-premises firewalls, particularly NGFWs. This was further exacerbated by the ongoing pandemic and the overnight switch of the workforce to remote locations, which introduced the following challenges:

  • Remote users were required to backhaul the entire outbound traffic to centralized firewalls through expensive MPLS connections, impacting the network performance due to latency and degrading the overall user experience.
  • Remote users connecting direct-to-cloud often bypassed the on-premises security controls. With the firewalls going completely blind to the remote user traffic, security practitioners simply couldn’t protect what they couldn’t see.
  • Deploying security appliances at each remote site and replicating the firewall policies across every site significantly increased the capital and operational expenditure. Additionally, these hardware applications lack the ability to scale and accommodate the growing volume of user traffic.
  • On-premises firewalls struggled to integrate with cloud-native security solutions, such as Secure Web Gateways (SWG) and Cloud Access Security Brokers (CASB), creating a roadblock in Secure Access Service Edge (SASE) deployments.

Enter Firewall-as-a-Service

The distributed workforce has expanded the threat landscape at an alarming rate. According to the latest McAfee Labs Threats Reports, the volume of malware threats observed by McAfee Labs averaged 688 threats per minute, an increase of 40 threats per minute (3%) in the first quarter of 2021. While SWGs and CASBs could address the security challenges for web and SaaS traffic, respectively, how could organizations secure the remaining non-web traffic? The answer lies in Firewall-as-a-Service, or FWaaS. FWaaS can be defined as a firewall hosted in the cloud, offering all the NGFW capabilities, including deep packet inspection, application-layer filtering, intrusion prevention and detection, advanced threat protection, among others. While, at the onset, FWaaS may give the impression of lifting and shifting NGFWs to the cloud, their business benefits are far more profound and relevant for the modern workforce, some of which include:

  • Securing the remote workers and local internet breakouts, allowing direct-to-cloud connections to reduce network latency and improve user experience. Avoiding traffic backhauls from remote sites to centralized firewalls through expensive VPN and MPLS lines reduces the deployment costs.
  • Significant cost savings by eliminating hardware installation at remote branch offices.
  • Aggregating the network traffic from on-premises datacenters, clouds, remote branch offices and remote user locations, allowing centralized visibility and unified policy enforcement across all locations.
  • Seamless scaling to handle the growing volume of traffic and the need for inspecting encrypted traffic for threats and malware.
  • Centralizing the service management, such as patching and upgrades, reducing the operational costs for repetitive tasks.

Introducing MVISION Cloud Firewall

McAfee MVISION Cloud Firewall is a cutting-edge Firewall-as-a-Service solution that enforces centralized security policies for protecting the distributed workforce across all locations, for all ports and protocols. MVISION Cloud Firewall allows organizations to extend comprehensive firewall capabilities to remote sites and remote workers through a cloud-delivered service model, securing data and users across headquarters, branch offices, home networks and mobile networks, with real-time visibility and control over the entire network traffic.

The core value proposition of MVISION Cloud Firewall is characterized by a next-generation intrusion detection and prevention system that utilizes advanced detection and emulation techniques to defend against stealthy threats and malware attacks with industry best efficacy. A sophisticated next-generation firewall application control system enables organizations to make informed decisions about allowing or blocking applications by correlating threat activities with application awareness, including Layer 7 visibility of more than 2000 applications and protocols.

Fig. MVISION Cloud Firewall Architecture

What makes MVISION Cloud Firewall special?

Superior IPS efficacy: MVISION Cloud Firewall delivers superior IPS performance through deep inspection of network traffic and seamless detection and blocking of both known and unknown threats across the network perimeter, data center, and cloud environments. The next-generation IPS engine offers 20% better efficacy than competitive solutions than competitive solutions, while far exceeding the detection rates of open-source solutions. The solution combines with MVISION Extended Threat Detection and Response (XDR) to offer superior threat protection by correlating threat intelligence and telemetry across multiple vectors and proactively detecting and resolving adversarial threats before that can lead to any enterprise damage or loss. Additional advantages include inbound and outbound SSL decryption, signature-less malware analysis, high availability, and disaster recovery protection. and disaster recovery protection.

End-to-end visibility and optimization: The ability to visualize and control remote user sessions allows MVISION Cloud Firewalls to proactively monitor the end-to-end traffic flow and detect any critical issues observed across user devices, networks, and cloud. This offers network administrators a unified, organization-wide view of deployed assets to pinpoint and troubleshoot issues before the overall network performance and user productivity gets impacted. Optimizing network performance elevates the user experience through reduced session latency while keeping a check on the help desk ticket volumes.

Policy Sophistication: MVISION Cloud Firewall considers multiple contextual factors, such as the device type, security posture of devices, networks and users, and pairs that with application intelligence to define a robust and comprehensive policy lexicon that is more suitable for protecting the modern remote workforce. For example, most NGFWs can permit or block user traffic based on the configured rule set, such as permitting accounting users to access files uploaded on a Teams site. McAfee, on the other hand, utilizes its data protection and endpoint protection capabilities to create more powerful NGFW rules, such as permitting accounting users to access a third-party Teams site only if they have endpoint DLP enabled.

SASE Convergence

MVISION Cloud Firewall converges with MVISION Unified Cloud Edge to offer an integrated solution comprising of industry best Cloud Access Security Broker (CASB), Secure Web Gateway (SWG), Zero Trust Network Access (ZTNA), unified Data Loss Prevention (DLP) across endpoint, cloud and network, Remote Browser Isolation (RBI) and Firewall-as-a-Service, making McAfee one of the only vendors in the industry that solves the network security puzzle of the SASE framework. With the inclusion of MVISION Cloud Firewall, McAfee Enterprise customers can now utilize a unified security solution to inspect any type of traffic destined to the cloud, web, or corporate networks, while securing the sensitive assets and users across every location.

The post Introducing MVISION Cloud Firewall – Delivering Protection Across All Ports and Protocols appeared first on McAfee Blogs.

]]>
Babuk: Biting off More than they Could Chew by Aiming to Encrypt VM and *nix Systems? https://www.mcafee.com/blogs/other-blogs/mcafee-labs/babuk-biting-off-more-than-they-could-chew-by-aiming-to-encrypt-vm-and-nix-systems/ Thu, 29 Jul 2021 04:01:36 +0000 /blogs/?p=124754

Co-written with Northwave’s Noël Keijzer. Executive Summary For a long time, ransomware gangs were mostly focused on Microsoft Windows operating...

The post Babuk: Biting off More than they Could Chew by Aiming to Encrypt VM and *nix Systems? appeared first on McAfee Blogs.

]]>

Co-written with Northwave’s Noël Keijzer.

Executive Summary

For a long time, ransomware gangs were mostly focused on Microsoft Windows operating systems. Yes, we observed the occasional dedicated Unix or Linux based ransomware, but cross-platform ransomware was not happening yet. However, cybercriminals never sleep and in recent months we noticed that several ransomware gangs were experimenting with writing their binaries in the cross-platform language Golang (Go).

Our worst fears were confirmed when Babuk announced on an underground forum that it was developing a cross-platform binary aimed at Linux/UNIX and ESXi or VMware systems. Many core backend systems in companies are running on these *nix operating systems or, in the case of virtualization, think about the ESXi hosting several servers or the virtual desktop environment.

We touched upon this briefly in our previous blog, together with the many coding mistakes the Babuk team is making.

Even though Babuk is relatively new to the scene, its affiliates have been aggressively infecting high-profile victims, despite numerous problems with the binary which led to a situation in which files could not be retrieved, even if payment was made.

Ultimately, the difficulties faced by the Babuk developers in creating ESXi ransomware may have led to a change in business model, from encryption to data theft and extortion.

Indeed, the design and coding of the decryption tool are poorly developed, meaning if companies decide to pay the ransom, the decoding process for encrypted files can be really slow and there is no guarantee that all files will be recoverable.

Coverage and Protection Advice

McAfee’s EPP solution covers Babuk ransomware with an array of prevention and detection techniques.

McAfee ENS ATP provides behavioral content focusing on proactively detecting the threat while also delivering known IoCs for both online and offline detections. For DAT based detections, the family will be reported as Ransom-Babuk!. ENS ATP adds 2 additional layers of protection thanks to JTI rules that provide attack surface reduction for generic ransomware behaviors and RealProtect (static and dynamic) with ML models targeting ransomware threats.

Updates on indicators are pushed through GTI, and customers of Insights will find a threat-profile on this ransomware family that is updated when new and relevant information becomes available.

Initially, in our research the entry vector and the complete tactics, techniques and procedures (TTPs) used by the criminals behind Babuk remained unclear.

However, when its affiliate recruitment advertisement came online, and given the specific underground meeting place where Babuk posts, defenders can expect similar TTPs with Babuk as with other Ransomware-as-a-Service families.

In its recruitment posting Babuk specifically asks for individuals with pentest skills, so defenders should be on the lookout for traces and behaviors that correlate to open source penetration testing tools like winPEAS, Bloodhound and SharpHound, or hacking frameworks such as CobaltStrike, Metasploit, Empire or Covenant. Also be on the lookout for abnormal behavior of non-malicious tools that have a dual use, such as those that can be used for things like enumeration and execution, (e.g., ADfind, PSExec, PowerShell, etc.) We advise everyone to read our blogs on evidence indicators for a targeted ransomware attack (Part1Part2).

Looking at other similar Ransomware-as-a-Service families we have seen that certain entry vectors are quite common amongst ransomware criminals:

  • E-mail Spearphishing (T1566.001). Often used to directly engage and/or gain an initial foothold, the initial phishing email can also be linked to a different malware strain, which acts as a loader and entry point for the ransomware gangs to continue completely compromising a victim’s network. We have observed this in the past with Trickbot and Ryuk, Emotet and Prolock, etc.
  • Exploit Public-Facing Application (T1190) is another common entry vector; cyber criminals are avid consumers of security news and are always on the lookout for a good exploit. We therefore encourage organizations to be fast and diligent when it comes to applying patches. There are numerous examples in the past where vulnerabilities concerning remote access software, webservers, network edge equipment and firewalls have been used as an entry point.
  • Using valid accounts (T1078) is and has been a proven method for cybercriminals to gain a foothold. After all, why break the door if you have the keys? Weakly protected Remote Desktop Protocol (RDP) access is a prime example of this entry method. For the best tips on RDP security, we would like to highlight our blog explaining RDP security.
  • Valid accounts can also be obtained via commodity malware such as infostealers, that are designed to steal credentials from a victim’s computer. Infostealer logs containing thousands of credentials are purchased by ransomware criminals to search for VPN and corporate logins. As an organization, robust credential management and multi-factor authentication on user accounts is an absolute must have.

When it comes to the actual ransomware binary, we strongly advise updating and upgrading your endpoint protection, as well as enabling options like tamper protection and rollback. Please read our blog on how to best configure ENS 10.7 to protect against ransomware for more details.

Summary of the Threat

  • A recent forum announcement indicates that the Babuk operators are now expressly targeting Linux/UNIX systems, as well as ESXi and VMware systems
  • Babuk is riddled with coding mistakes, making recovery of data impossible for some victims, even if they pay the ransom
  • We believe these flaws in the ransomware have led the threat actor to move to data theft and extortion rather than encryption

Learn more about how Babuk is transitioning away from an encryption/ransom model to one focused on pure data theft and extortion in our detailed technical analysis.

The post Babuk: Biting off More than they Could Chew by Aiming to Encrypt VM and *nix Systems? appeared first on McAfee Blogs.

]]>
It’s All About You: McAfee’s New All-Consumer Focus https://www.mcafee.com/blogs/consumer/mcafee-consumer-news/its-all-about-you-mcafees-new-all-consumer-focus/ Wed, 28 Jul 2021 14:06:47 +0000 /blogs/?p=125165 McAfee News

This week, McAfee took an exciting new step in our journey—we are now a pure-play consumer company. What does that...

The post It’s All About You: McAfee’s New All-Consumer Focus appeared first on McAfee Blogs.

]]>
McAfee News

This week, McAfee took an exciting new step in our journey—we are now a pure-play consumer company. What does that mean for consumers? It means that McAfee will be able to focus 100% of our talent and expertise on innovation and development that directly enables and improves the products and services that protect you and your family. 

It’s the right time to take that step. Today, we use technology in every aspect of our lives, from education to recreation and entertainment to transportation. We have connected devices in our cars, in our pockets, and in our houses. In fact, the average U.S. household has 25 connected devices, and this number will continue to grow as more connected devices hit the market.  We are also on the precipice of new connectivity technology, such as 5G, that will enable devices to access larger amounts of data, faster, and from more places. 

All this technology makes our lives easier and more enriching in some way, whether it’s the ability to do our banking online or ordering groceries online or even having a consultation with our physician online. Our behaviors have changed during the past sixteen months and our need for online protection has changed with the times.  

Our online world is rapidly evolving, and as McAfee’s Chief Technology Officer, part of my job is to ensure that you and your family can use the latest, cutting-edge technology with the confidence and peace of mind that you are protected.  

The technology required to defend consumers against the latest threats requires new levels of sophistication. It’s important that we don’t confuse sophistication with complexity. Part of my mission for McAfee is to package the world’s most effective, highly sophisticated cybersecurity technology in a form that is accessible, usable, and consumable by everyday users—people and their families 

So as McAfee places its entire focus on consumers, what that really means is that now the focus is on you. Your life online, and the ways you use it to run your home, keep tabs on your finances, split dinner with friends, chat with your children’s teachers, and binge on your favorite shows over a rainy weekend. More than that, we’re here to protect you, because you are at the center of all these things and more. Our aim is to bring you breakthrough advances in online protection so that you can freely enjoy life online. And everyone here at McAfee is looking forward to bringing them to you. 

Stay Updated 

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post It’s All About You: McAfee’s New All-Consumer Focus appeared first on McAfee Blogs.

]]>
What is a VPN and Can it Hide My IP Address? https://www.mcafee.com/blogs/consumer/consumer-cyber-awareness/what-is-a-vpn-and-can-it-hide-my-ip-address/ Tue, 27 Jul 2021 12:23:00 +0000 /blogs/?p=124973

There’s a lot of misinformation about Virtual Private Networks, what they do, and the security benefits they offer. For this article, I’d like to do...

The post What is a VPN and Can it Hide My IP Address? appeared first on McAfee Blogs.

]]>

There’s a lot of misinformation about Virtual Private Networks, what they do, and the security benefits they offer. For this article, I’d like to do some myth-busting about how a VPN actually works and why you should use one. 

What is a VPN and how does it protect me? 

VPN is an app that you install on your device to help keep your personal data safe as you browse the internet  

You may have heard that VPN apps live on your device and allow you to connect to the internet securely. What that means is, when you turn your VPN app on, your device makes a secure connection to a specialized computer that routes internet traffic, called a VPN server. You also may have heard that your connection is “wrapped in an encrypted tunnel” which means your device and the server share a secure connection so only you can see what you’re doing on the internet. 

Does a VPN change my IP address? 

Every internet connection (like your cable modem) is assigned a unique set of numbers called an IP address, which is tied to information such as geographic location, ISP, etc. A VPN replaces your actual IP address to make it look like you’ve connected to the internet from a different location: the physical location of the VPN server, rather than your real location. This is just one reason why so many people use VPNs. This can be handy when you want to hide from advertising trackers or protect your search history.  

How to use a VPN to change my IP address 

To change your IP address, you simply open your VPN app, select the server location you’d like to connect to, and you’re done. You’re now browsing with a new IP address. If you’d like to make sure your IP has changed, open up a browser and search for “What’s my IP address” and click on one of the results. 

When should I use a VPN? 

When to use a VPN really depends on what you want it for. For example, 39% of users understand public Wi-Fi is unsafe but still do sensitive things, like banking or shopping on public WiFi, so using a VPN when you’re at the airport, or a café is a great use case. 

As I mentioned before, a lot of people use a VPN for privacy reasons, like stopping advertisers from tracking them. Searches you perform, or websites you visit won’t be trackable, which means you’ll be able to surprise your spouse with a vacation you researched and planned on a computer you both use. Targeted ads could spoil things if your spouse is bombarded with ads for plane tickets and hotels while they browse. 

Can a VPN protect my search history? 

A VPN protects your search history through the secure connection you share. When you search for a website, or type a URL into your navigation bar, your device sends something called a DNS request, which translates the website into the IP address of the web server; this is how your browser can find the website and serve its content to you. By encrypting your DNS requests, a VPN can hide your search habits and history from those that might use that info as part of building a profile of you. This type of info could be used in a wide variety of ways, from legitimately serving targeted ads to nefarious social engineering.  

Can a VPN protect my identity? 

A VPN can protect your identity by blocking online trackers from following you around the internet. With your VPN on, trackers will think all of your browsing is coming from a different device in a different location. This throws off the profile advertisers try to build because they think you’re someone else. 

Another way a VPN can protect your identity is by preventing some types of hacking. Stopping attacks on public WiFi where a bad actor tries to get between you and the website you’re visiting, is just one way VPNs can help. It’s called a Man-in-the-Middle attack, but that’s a subject for another article. 

Does a VPN make me anonymous? 

No, a VPN cannot make you anonymous. They help secure what you’re doing, but your ISP still knows when you’re using the internet. They just can’t see what you’re doing, what sites you visit, or how long you’ve been on a site. 

Do I need a VPN if I use Incognito mode? 

Private browsing modes can help protect your privacy, but they’re useful if you share a device with other people and you don’t want them to see your search history. You can read all about the differences in the article I wrote a little while ago. 

What is Apple Private Relay? 

Apple’s Private Relay is currently in Beta and will be available with an iCloud+ subscription for Safari users on iOS and macOS soon. Private Relay is similar to a VPN in that it changes your IP address so websites you visit can’t tell exactly where you are.  

What does Apple Private Relay do? 

When you turn Private Relay on, your device connects to a server that sends your browsing data to a second server, before it travels through the internet. The reason for the double hop is that first server gives you a new IP address, to make you harder to track, while the second server hides that information from the website you’re browsing. The first server only knows your original IP address, while the second server only knows what you’re browsing, but not your IP. 

How to turn on Apple Private Relay on iPhone 

  1. Tap the iCloud tab in Settings 
  2. Tap Private Relay to turn it On 
  3. Scroll down and tap on Turn On for Safari 
  4. Tap IP Address Location to change Approximate or Broader Location 

How to turn on Apple Private Relay on Mac 

  1. Click on iCloud in the System Preferences menu 
  2. Click on the Private Relay box 
  3. Click on the Options button 
  4. Click on Private Relay for Safari 
  5. Choose your IP Address Location to change Approximate or Broader Location 

Do I need a VPN if I have Apple Private Relay? 

Private Relay only works with Safari on iOS and macOS. Even if you are using an Apple device, a VPN is still a good idea because it will protect the information that your device sends outside of Safari. 

How to get your own VPN 

If you’re already a McAfee Total Protection subscriber, you have access to unlimited VPN usage. Protect your personal information, like your banking information and credit cards, from prying eyes with McAfee Total Protection’s Secure VPN. If you haven’t already signed up, now’s the perfect time. McAfee Total Protection provides security for all your devices, giving you peace of mind while you shop, bank, and browse online. 

What is a VPN

What is a VPN

Stay Updated 

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post What is a VPN and Can it Hide My IP Address? appeared first on McAfee Blogs.

]]>
9 Tips to Help Kids Avoid Popular App Scams https://www.mcafee.com/blogs/consumer/family-safety/9-tips-to-help-kids-avoid-popular-app-scams/ Mon, 26 Jul 2021 12:22:03 +0000 /blogs/?p=125006

 There’s a lot of conversation going on right now around digital apps; only it’s not about TikTok or Twitch. Instead, it’s about the spike in the number...

The post 9 Tips to Help Kids Avoid Popular App Scams appeared first on McAfee Blogs.

]]>

 There’s a lot of conversation going on right now around digital apps; only it’s not about TikTok or Twitch. Instead, it’s about the spike in the number of app scams taking place every day—many of them impacting younger consumers. 

In a recent report from The Washington Post, nearly two percent of the apps downloaded from the Apple store in a single day were scams costing consumers an estimated $48 million. A similar report this week in Tech Republic estimates more than 170 Android apps, including 25 on Google Play, have attempted to scam people by offering cryptomining services for a fee but then failing to deliver. Scam reports can also be attributed to side-loaded apps, which are apps installed from unofficial sources online.  

While the scam structures vary, the most popular ones pose as legitimate brands such as Amazon or Samsung, persuading users to download apps they don’t need. Other scams use misleading tactics, manipulate ratings and reviews, and trick people into paying for something accidentally. 

Teens targeted  

Scams that target teens abound online because hackers assume younger consumers are more impulsive and casual about their online privacy. According to the Better Business Bureau, scams targeting teens include social media scams used to collect personal info for identity theft. Others include bogus auctions for luxury goods, scholarships and job offer scams, and promises of free items such as cell phones.  

Dating and Security Apps

Some of the most popular scams can be found in fraudulent dating apps, according to the report. The Federal Trade Commission stated that consumers reported a record $304 million lost to romance scams in 2020, a number that has spiked since the pandemic. While some scams look like legit dating apps, others surface in hangout apps such as Clubhouse, Google Hangouts, or seemingly harmless apps like Words with Friends. 

App scams have been discovered embedded in spying and internet security apps. Ironically, several of those have been in alleged VPN (Virtual Private Network) apps that promised privacy but instead collected sensitive user data.  

Cash and Gaming Apps 

Consumers, especially kids, can be scammed through peer-to-peer cash apps, such as Venmo or Zelle. Because cash apps require users to link to a personal bank account directly, scammers can easily sell you goods or befriend you to send money only to delete their accounts and disappear.  

Likewise, downloadable gaming apps can contain scams that offer free in-game currency. By clicking on a link and entering a username, password, gamers are promised free currency—only it never shows up in their account.   

While the debate continues over how to improve both Apple and Google Play’s app security standards, for now, anyone downloading an app is at risk to some degree.  

So how can you be sure your family’s apps are safe to use? While it’s getting harder to discern, there are some key steps you can take to reduce your risk.  

9 Tips for Avoiding an App Scams

  1. Understand the risk. Making the threat real and believing a scam can happen to you is a significant step in safeguarding your family. This includes taking the time to discuss current digital threats and leveling up mobile security wherever possible.  
  2. Do your homework. Read app reviews. If an app is sketchy in any way, users will be vocal in the app review section. In addition, do an online search of the app to see what consumers and other watchdog agencies such as the BBB say about the app. Check BBB Scam Tracker to see if others have been duped. 
  3. Safeguard personal data. Remind kids not to share their email, address, or other information. Pop-ups, trendy quizzes, and links websites can be ruses designed to steal bits and pieces of personal info that can be used as the basis of an attack. 
  4. Maximize security. When using cash apps, turn on additional security features such as multi-factor authentication, creating a PIN, or using fingerprint recognition. 
  5. Pay attention to permissions. Apps often ask for access to certain features on your device, such as the camera, phone, or your contacts. Sometimes the ask is legit; other times, it’s just a ruse to gain access to your personal information. Stop to examine the request and why the information is needed.   
  6. Subscribe to a mobile antivirus program. Just like computers, mobile devices can be infected with viruses and malware. Protect mobile devices by subscribing to a mobile antivirus product, such as McAfee Mobile Security, which includes safe browsing, scanning for malicious apps, and locating your device if it is lost or stolen.  
  7. Only connect with people you know. When using cash apps, only exchange money with people you know. Unlike an insured bank, P2P apps do not refund the money you’ve paid out accidentally or in a scam scenario and hold users 100% responsible for transfers. 
  8. Slow down and verify details of a transfer. There could be dozens of name variations to choose from in a cash app’s directory, so be sure to select the correct recipient. Also, verify with your bank that each P2P transaction registers. 
  9. Use a VPN. When using cash apps, or downloading any apps, avoid public Wi-Fi transfers. Public Wi-Fi is susceptible to hackers trying to access valuable personal information. If you must use public Wi-Fi, consider using a verified and trustedVirtual Private Network (VPN). 

No app is 100 percent safe. All have security loopholes and user behavior can make them vulnerable to a wide range of scams. However, by staying aware, using the right tools, and being wise with your clicks, your family can enjoy the fun of digital life without the fallout.  

Stay Updated

To stay updated on all things McAfee and top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.   

The post 9 Tips to Help Kids Avoid Popular App Scams appeared first on McAfee Blogs.

]]>
My Journey from Intern to Principal Engineer https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/my-journey-from-intern-to-principal-engineer/ Thu, 22 Jul 2021 17:43:28 +0000 /blogs/?p=125024

Written by Shuborno, Principal Engineer At McAfee, architects and engineers continuously have opportunities to make decisions that impact customers and...

The post My Journey from Intern to Principal Engineer appeared first on McAfee Blogs.

]]>

Written by Shuborno, Principal Engineer

At McAfee, architects and engineers continuously have opportunities to make decisions that impact customers and propel exciting and meaningful careers. They also work with leaders focused on supporting their learning and growth. These truths have been constant and driving forces for me throughout my 15+ years with the company.

Today, I am a Principal Engineer at McAfee. My job is to translate product and customer goals into the technology we must build to enable and sustain those goals. It is challenging, fulfilling work that impacts 40 million customers around the world and motivates me every day.

This role is also a high in my personal career journey, one that started with a McAfee internship while I was a student at the University of Waterloo in Ontario, Canada.

Leadership support fuels confidence and growth

Supportive leadership is an important, and differentiating, element of McAfee’s culture. Being promoted to Principal Engineer was, of course, an incredibly proud moment in my career, but the support and encouragement of my managers and mentors helped me get there.

When I moved into the Software Architect role, I met with the head of Consumer Engineering who — to my surprise — arranged for the Chief Architect to mentor me. Things took off from there.

Jeremy, one of my mentors, helped me realize the impact I could make by asking a simple question: “If there is something important that needs to be done, why aren’t you doing it?”

That encouragement, support, and coaching gave me the confidence and motivation to achieve the Principal Engineer career goal. It also helped me understand the importance of supportive leaders focused on helping their teams learn, grow, and succeed.

Thriving beyond office walls

Beyond the office, McAfee leaders supported my growth, too. Early on as an architect, my manager encouraged me to get involved with Toastmasters, an organization that teaches public speaking and leadership skills. I’ve used skills gained there when presenting to fellow architects and engineers, C-level executives including the CTO, as well as during my Principal Engineer Committee Panel presentation. (Today, I’m also the Vice President of Education for my local Toastmasters Club!)

The leadership support I’ve experienced at McAfee enabled me to learn, grow, and thrive, inside and outside the office. I know that the same support will be available for you — and anyone who joins the McAfee team — because when McAfee employees thrive, McAfee thrives, too.

Are you considering joining our team? McAfee takes great pride in a culture that promotes personal growth and professional success. Learn more about our jobs. Subscribe to job alerts.

The post My Journey from Intern to Principal Engineer appeared first on McAfee Blogs.

]]>
How to Secure Your Smart Home: A Step-by-Step Guide https://www.mcafee.com/blogs/consumer/consumer-cyber-awareness/how-to-secure-your-smart-home-a-step-by-step-guide/ Thu, 22 Jul 2021 13:56:26 +0000 /blogs/?p=124865

How many rooms in your home contain a smart device? From Peloton bikes to showerheads with Bluetooth speakers, smart home technology is rapidly making its way into every room in...

The post How to Secure Your Smart Home: A Step-by-Step Guide appeared first on McAfee Blogs.

]]>

How many rooms in your home contain a smart device? From Peloton bikes to showerheads with Bluetooth speakers, smart home technology is rapidly making its way into every room in every household. In fact, the number of smart households (those that contain smart home technology) in the U.S. is expected to grow to 77.05 million by 2025. But with new technology comes new challenges.  

Many product designers rush to get their smart devices to market, treating security as an afterthought and consequentially creating an easy access point for criminals to exploit. Once a hacker taps in to a user’s home network, they could potentially gain access to all the devices connected to the network. And many consumers, amazed by the appliances’ efficiency, are unaware of the risks of interconnectivity. So, how can families prevent criminals from taking peeks into their home? 

Let’s take a tour through an average smart home and uncover the security implications of the various devices in each room.  

Knock, Knock, Anyone Home?  

Believe it or not, the security risks of a smart home often apply before you even step foot inside the house. Approximately 21 million U.S. homes have professionally monitored security systems. However, these systems are not immune to hacks. One popular security camera system experienced a series of intrusions where hackers were able to communicate with residents, making inappropriate comments, taunting children, and even demanding a ransom payment for the hacker to leave the system. Some users of another security camera system experienced similar intrusions, with hackers playing vulgar music and cranking the homeowners’ heat up to 90 degrees.  

Security cameras are just the beginning. Users control mowers, smart sprinklers, and other outdoor devices remotely with smartphone apps. Although they are meant to make consumers’ lives more convenient, outdoor devices with embedded computers could be at the greatest risk of attack, according to professor of computer science and cybersecurity expert, Dr. Zahid Anwar 

Outdoor devices like garage door openers, wireless doorbells, and smart sprinklers are more vulnerable because they may be easily accessible to someone driving down the street with a computer or other Wi-Fi transmitter. Outdoor smart devices can be used as entry points, allowing hackers to access the entire smart home network. To prevent a stranger from spying on your network, it’s important to check how these products store your data. If the device’s system stores your personal information and is connected to the main home network, there is a possibility that a breach of one device on the network could reveal your data to a hacker.  

“Alexa, Who’s Spying on My Living Room?”  

Once you step foot into a smart home, you’ll likely find a variety of devices adopted by residents for added convenience, including smart TVs, Wi-Fi routers, smart speakers, thermostats, lightbulbs, and personal home assistants — the list goes on! But the fact that these devices are connected to the internet opens the door for cybercriminals to make themselves at home. For example, the FBI issued warnings about the risks of smart TVs, noting that hackers could potentially gain access to an unsecured television and take control by changing channels, adjusting volume levels, and even showing inappropriate content to children.  

Additionally, a recent study outlined multiple privacy concerns with a popular virtual assistant, ranging from misleading privacy policies to allowing third parties to change the code of their programs after receiving approval from the device’s parent company. Anupam Das, assistant professor of computer science at North Carolina State University, stated that third party software developers created many of the applications consumers interact with while using the virtual assistant. However, Das and their fellow researchers identified several flaws in the current vetting process that could allow those third parties to gain access to users’ personal information. The virtual assistant’s parent company does not verify the developer responsible for publishing the third-party program, so a cybercriminal could easily register under the name of a trusted developer and create a program that spreads malicious code. For these reasons, it is critical that consumers stay informed on potentially vulnerable entry points left open by device manufacturers so they can take action to better protect their smart home technology and their personal privacy. 

Grocery List: Eggs, Milk, Security Risks?  

Today, it is not so weird to talk to your refrigerator (well, maybe a little). Smart appliances are quickly making their way into consumers’ kitchens. You can control your blender or Instant Pot from your phone and use voice activation with various appliances, further blurring the lines between the physical and the digital. And while smart kitchen appliances empower you to do things like controlling your air fryer from an app and use voice activation to brew your coffee in the morning, living like a Jetson does come with potential security risks. In 2019, McAfee researchers discovered a vulnerability within a Mr. Coffee brand coffee maker that could allow a hacker to access the user’s home network. To prevent criminals from brewing up trouble in your home, ensure that you take measures to secure each of your devices and keep criminals from spying on your network.  

Protect Yourself From “Bed Bugs” 

For many people, the bedroom is more than just the place where they sleep at night — it is a relaxing sanctuary where they can unwind. It is no wonder that many people have adopted various gadgets to turn their sanctuaries into high-tech hubs for relaxation. Take a smart bed, for example. These mattresses incorporate biometric sensors to help you snooze better, and they connect to a smartphone app that tracks your sleep trends and health metrics. While this technology may provide insight on how you can sleep better, it is important to realize that these devices are collecting data and sending it back to the manufacturer. Often, consumers do not stop to research what specific data is being collected and how it is being used, placing a lot of trust in the device manufacturer to safeguard their private information. But what happens if the company suffers a data breach or ransomware attack? There is a chance that your data might fall into the hands of a hacker. To better protect your online security, understand that enjoying the convenience of connected IoT requires an assessment of where your information is being stored.  

Secure Your Smart Home with These Tips  

There is no denying that IoT devices have upped the convenience of tech users’ lives everywhere. But with these technological rewards comes added risk — cybersecurity risk, that is. The more connected devices you have in your home, the more opportunities criminals have to infiltrate your network and reach other data-rich devices. This can potentially put your private and financial information at risk, not to mention your privacy.  

As our reliance on IoT and smart home technology grows, so will the need for users to step up their cybersecurity practices. Follow these tips to help protect your personal data and privacy while still enjoying all that your smart home gadgets have to offer:  

1. Secure your Wi-Fi network 

Out of the box, most Wi-Fi routers are either not secured or use a default password such as “admin,” making it easy for hackers to poke around and access devices that are connected to your router. To prevent cybercriminals from snooping on your network and the gadgets that are attached to it, secure your Wi-Fi network with a strong password.  

2. Ensure all account and device passwords are strong and unique 

A password or passphrase that is long, complex, and unique will discourage attempts to break into your accounts. Try creating a string that is at least 12 characters long, contains a combination of uppercase letters, lowercase letters, symbols, and numbers, and that is unique to each account.  

3. Do your research 

Do your research before investing in a smart device. Ask yourself if the gadget is from a reputable manufacturer. Has the company had previous data breaches, or do they have an excellent reputation for providing secure products? Also, take note of the information your IoT device collects, how vendors use this information and what they release to other users or third parties.  

Above all, understand what control you have over your privacy and information usage. It is a good sign if an IoT device allows you to opt-out of having your information collected or lets you access and delete the data it does collect.   

4. Enable multi-factor authentication 

In addition to the password/username combo, multi-factor authentication requires that users confirm a collection of things to verify their identity — usually something they have, and a factor unique to their physical being — such as a retina or fingerprint scan. This can prevent a cybercriminal from using credential-stuffing tactics (where they will use email and password combinations to hack into online profiles) to access your network or account if your login details were ever exposed during a data breach.  

5. Regularly update your devices 

Stay on top of software updates from your device manufacturer. Available updates are not always advertised, so visit the manufacturer’s website regularly. Additionally, make sure to update mobile apps that pair with your IoT device. Adjust your settings to turn on automatic software updates, so you always have the latest security patches.   

6. Monitor and secure your network 

Your router is the central hub that connects all the devices in your home, so make sure that it’s secure. After you change the default password and name of your router, ensure that your network name does not give away your address, so hackers can’t locate it. Then check that your router is using an encryption method, like WPA2, which will keep your communications secure.  

Additionally, consider setting up a “guest network” for your IoT devices. This is a second network on your router that allows you to keep your computers and smartphones separate from IoT devices. So, if a device is compromised, a hacker still cannot get all the valuable information that is saved on your computers. Check your router’s manual for instructions on how to set up a guest network.  

7. Install comprehensive security software.  

You do not need to go it alone — employ the help of a security solution like McAfee Secure Home Platform, which provides smart security for your home network. By automatically protecting your connected devices through the router, you can feel confident that you have a solid line of defense against online threats.  

McAfee Total Protection also includes a robust password management system that creates and saves strong passwords across all your accounts in one centralized location. It also includes home network security to protect your firewall and block hackers from accessing your home network. McAfee Total Protection includes a home network map that allows you to easily identify trusted devices on your network and flag potential intruders.  

Secure Your Smart Home for Peace of Mind  

Recognize that every Wi-Fi connection, every Bluetooth connection, and every connection you make using a wireless connection is subject to hacking. This will help you better understand the risks associated with your smart home devices, and therefore will help you be more equipped to combat them. Remember: a secure home is the smartest home you can have! 

Stay Updated  

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.   

The post How to Secure Your Smart Home: A Step-by-Step Guide appeared first on McAfee Blogs.

]]>
Hybrid Workplace Vulnerabilities: 4 Ways to Promote Online Safety https://www.mcafee.com/blogs/consumer/consumer-cyber-awareness/hybrid-workplace-vulnerabilities-4-ways-to-promote-online-safety/ Wed, 21 Jul 2021 14:20:56 +0000 /blogs/?p=124961 online safety

Over the past year and a half, workers everywhere have gotten used to working from home. They have adopted an...

The post Hybrid Workplace Vulnerabilities: 4 Ways to Promote Online Safety appeared first on McAfee Blogs.

]]>
online safety

Over the past year and a half, workers everywhere have gotten used to working from home. They have adopted an entirely new work from home mindset and diverted their weekly commuting hours to other productive and more enjoyable pursuits. As parts of the world return to a “new normal,” another change is on the way: a gradual return to the office. 

The hybrid working model is met with mixed reviews from employees and business security teams alike. For some employees, a clearer separation between work and home is a welcome change. CTV News reports 66% of Canadian respondents to an International Workplace Group poll say they are looking forward to splitting their working hours between the office and home. 

For business security teams who are just catching their breath after the monumental shift to a remote workforce, they are now gearing up for the new online safety challenges posed by the hybrid work model. According to a VMware Canada Threat Report, 86% of security professionals agree that cyberattacks aimed at their organizations have become more sophisticated since the onset of the pandemic. Additionally, 91% of global respondents cite employees working from home as the cause of cyberattacks. Challenges of the hybrid workforce include the constant back-and-forth of company-issued devices, the lack of control over home office setups, and mixing personal and company devices with company and personal business respectively. For example, if you pay your bills or shop online using your work device, it opens several new avenues for a hacker to walk right onto the corporate network. When your guard is down even a little bit when you are off the clock, you could fall victim to e-skimmers, fake login pages, or phishing scams. 

Best Practices for Mitigating Attacks in the Hybrid Workplace 

No matter how advanced your company’s threat detection system, hackers know where vulnerabilities lie and are on the hunt to exploit them. Check out these tips to ensure you are not the weak link in your organization. 

1. Use a VPN

virtual private network (VPN) is a service that scrambles online browsing data, making it impossible for nefarious characters to decipher your activity. This is an excellent way to deter hackers from tracking your movements and picking up sensitive pieces of information. 

VPNs are essential if you are working in a public area, sharing a wireless network with strangers, or using a Wi-Fi connection that is not password protected. Public Wi-Fi networks are notoriously easy pickings for hackers seeking entry into unsuspecting users’ devices. On the days where you are not in the office, make sure your wireless connection is secure. 

2. Lockaway your passwords 

While a VPN is an excellent tool, security measures and your accounts are vulnerable without a strong and private password or passphrase to protect them. The gigantic Colonial Pipeline hack is being blamed on a hacker gaining entry through an unused VPN that was not secured with multifactor authentication. Multifactor authentication is an online safety measure where more than one method of identity verification is needed to access the valuable information that lies within password-protected accounts. 

Consider using a password manager to organize all your passwords and logins. Password managers remember each pairing so you don’t have to, plus most managers are secured with multifactor authentication. A password manager makes it easier to add variety to your passwords and prevents you from ever having to write them down.

3. Securework-issueddevices 

Professionals who travel between their home and an office are likely transporting their devices back and forth, increasing the number of opportunities for devices to be forgotten at either location or in transit. As convenient as it may be, never use your personal device for official business. Even if you pride yourself on sound online safety habits, your company device likely has more defenses ingrained in its hardware than your personal devices. 

With your personal devices, you should carefully vet everything you download. With your work-issued devices, this vetting process is even more important as company information is at stake. The Information and Privacy Commissioner of Ontario states that employees should never download applications to their work devices without permission from the IT team. Apps and programs often have security vulnerabilities that could open a gateway for hackers. 

4. Practice apersonal Zero Trust model 

Zero Trust is a security philosophy that is exactly what it sounds like: trust no one. Businesses are employing Zero Trust models to greatly limit who has access to sensitive data sources. Adopt your own personal Zero Trust philosophy concerning your passwords, logins, and device access. This means never sharing passwords or log in details, especially over email, instant messenger, or over a video conference. Hackers commonly eavesdrop on all three mediums. Also, even your most trusted coworker could mishandle your passwords and login details, such as writing them down and leaving them in a public place.  

A key aspect of the Zero Trust model is only granting employees access to platforms that are vital to their job. Sharing your logins with coworkers who may not be authorized for using that platform undermines all the hard work the IT team does to keep tabs on data access. 

Work Intelligently, Diligently, and Securely 

Every time you turn on the nightly news, another ransomware attack has hit another organization, each one bigger than the last. This heightened prevalence is a reflection on the wiliness of hackers, but also the number of security holes every company must plug.  

There are several vulnerable points of entry in every company, and some of those vulnerabilities are heightened by the hybrid work model. Always heed the advice of your company’s IT team, and make sure to do your part to keep your devices and work information secure. 

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.  

The post Hybrid Workplace Vulnerabilities: 4 Ways to Promote Online Safety appeared first on McAfee Blogs.

]]>
Fighting new Ransomware Techniques with McAfee’s Latest Innovations https://www.mcafee.com/blogs/other-blogs/mcafee-labs/fighting-new-ransomware-techniques-with-mcafees-latest-innovations/ Tue, 20 Jul 2021 04:01:28 +0000 /blogs/?p=124543

In 2021 ransomware attacks have been dominant among the bigger cyber security stories. Hence, I was not surprised to see...

The post Fighting new Ransomware Techniques with McAfee’s Latest Innovations appeared first on McAfee Blogs.

]]>

In 2021 ransomware attacks have been dominant among the bigger cyber security stories. Hence, I was not surprised to see that McAfee’s June 2021 Threat report is primarily focused on this topic.

This report provides a large range of statistics using the McAfee data lake behind MVISION Insights, including the Top MITRE ATT&CK Techniques. In this report I highlight the following MITRE techniques:

  1. Spear phishing links (Initial Access)
  2. Exploit public-facing applications (Initial Access)
  3. Windows Command Shell (Execution)
  4. User execution (Execution)
  5. Process Injection (Privilege escalation)
  6. Credentials from Web Browsers (Credential Access)
  7. Exfiltration to Cloud Storage (Exfiltration)

I also want to highlight one obvious technique which remains common across all ransomware attacks at the end of the attack lifecycle:

  1. Data encrypted for impact (Impact)

Traditional defences based on anti-malware signatures and web protection against known malicious domains and IP addresses can be insufficient to protect against these techniques. Therefore, for the rest of this article, I want to cover a few recent McAfee innovations which can make a big difference in the fight against ransomware.

Unified Cloud Edge with Remote Browser Isolation

The following three ransomware techniques are linked to web access:

  • Spear phishing links
  • User execution
  • Exfiltration to Cloud Storage

Moreover, most ransomware attacks require some form of access to a command-and-control server to be fully operational.

McAfee Remote Browser Isolation (RBI) ensures no malicious web content ever even reaches enterprise endpoints’ web browsers by isolating all browsing activity to unknown and risky websites into a remote virtual environment. With spear phishing links, RBI works best when running the mail client in the web browser. The user systems cannot be compromised if web code or files cannot run on them, making RBI the most powerful form of web threat protection available. RBI is included in most McAfee United Cloud Edge (UCE) licenses at no additional cost.

Figure 1. Concept of Remote Browser Isolation

McAfee Client Proxy (MCP) controls all web traffic, including ransomware web traffic initiated without a web browser by tools like MEGAsync and Rclone. MCP is part of McAfee United Cloud Edge (UCE).

Protection Against Fileless Attacks

The following ransomware techniques are linked to fileless attacks:

  • Windows Command Shell (Execution)
  • Process Injection (Privilege escalation)
  • User Execution (Execution)

Many ransomware attacks also use PowerShell.

Figure 2. Example of an attack kill chain with fileless

McAfee provides a large range of technologies which protect against fileless attack methods, including McAfee ENS (Endpoint Security) Exploit prevention and McAfee ENS 10.7 Adaptive Threat Protection (ATP). Here are few examples of Exploit Prevention and ATP rules:

  • Exploit 6113-6114-6115-6121 Fileless threat: self-injection
  • Exploit 6116-6117-6122: Mimikatz suspicious activity
  • ATP 316: Prevent PDF readers from starting cmd.exe
  • ATP 502: Prevent new services from being created via sc.exe or powershell.exe

Regarding the use on Mimikatz in the example above, the new McAfee ENS 10.7 ATP Credential Theft Protection is designed to cease attacks against Windows LSASS so that you do not need to rely on the detection of Mimikatz.

Figure 3. Example of Exploit Prevention rules related to Mimikatz

ENS 10.7 ATP is now included in most McAfee Endpoint Security licenses at no additional cost.

Proactive Monitoring and Hunting with MVISION EDR

To prevent initial access, you also need to reduce the risks linked to the following technique:

  • Exploit public facing applications (Initial Access)

For example, RDP (Windows Remote Desktop Protocol) is a common initial access used by ransomware attacks. You may have a policy that already prohibits or restricts RDP but how do you know it is enforced on every endpoint?

With MVISION EDR (Endpoint Detection and Response) you can perform a real time search across all managed systems to see what is happening right now.

Figure 4. MVISION EDR Real-time Search to verify if RDP is enabled or disabled on a system

Figure 5. MVISION EDR Real-time Search to identify systems with active connections on RDP

MVISION EDR maintains a history of network connections inbound and outbound from the client. Performing an historical search for network traffic could identify systems that actively communicated on port 3389 to unauthorized addresses, potentially detecting attempts at exploitation.

MVISION EDR also enables proactive monitoring by a security analyst. The Monitoring Dashboard helps the analyst in the SOC quickly triage suspicious behavior.

For more EDR use cases related to ransomware see this blog article.

Actionable Threat Intelligence

With MVISION Insights you do not need to wait for the latest McAfee Threat Report to be informed on the latest ransomware campaigns and threat profiles. With MVISION Insights you can easily meet the following use cases:

  • Proactively assess your organization’s exposure to ransomware and prescribe how to reduce the attack surface:
    • Detect whether you have been hit by a known ransomware campaign
    • Run a Cyber Threat Intelligence program despite a lack of time and expertise
    • Prioritize threat hunting using the most relevant indicators

These use cases are covered in the webinar How to fight Ransomware with the latest McAfee innovations.

Regarding the following technique from the McAfee June 2021 Threat Report:

Credentials from Web Browsers (Credential Access)

MVISION Insights can display the detections in your environment as well as prevalence statistics.

Figure 6. Prevalence statistics from MVISION Insights on the LAZAGNE tool

MVISION Insights is included in several Endpoint Security licenses.

Rollback of Ransomware Encryption

Now we are left with the last technique in the attack lifecycle:

  • Data encrypted for impact (Impact)

McAfee ENS 10.7 Adaptive Threat Protection (ATP) provides dynamic application containment of suspicious processes and enhanced remediation with an automatic rollback of the ransomware encryption.

Figure 7. Configuration of Rollback remediation in ENS 10.7

You can see how files impacted by ransomware can be restored through Enhanced Remediation in this video. For more best practices on tuning Dynamic Application Containment rules, check the knowledge base article here.

Additional McAfee Protection Against Ransomware

Last year McAfee released this blog article covering additional capabilities from McAfee Endpoint Security (ENS), Endpoint Detection and Response (EDR) and the Management Console (ePO) against ransomware including:

  • ENS Exploit prevention
  • ENS Firewall
  • ENS Web control
  • ENS Self protection
  • ENS Story Graph
  • ePO Protection workspace
  • Additional EDR use cases against ransomware

Summary

To increase your protection against ransomware you might already be entitled to:

  • ENS 10.7 Adaptive Threat Protection
  • Unified Cloud Edge with Remote Browser Isolation and McAfee Client Proxy
  • MVISION Insights
  • MVISION EDR

If you are, you should start using them as soon as possible, and if you are not, contact us.

The post Fighting new Ransomware Techniques with McAfee’s Latest Innovations appeared first on McAfee Blogs.

]]>
McAfee Partners with American Express to Provide Best-in-Class Security https://www.mcafee.com/blogs/consumer/mcafee-consumer-news/mcafee-partners-with-american-express-to-provide-best-in-class-security/ Tue, 20 Jul 2021 04:01:24 +0000 /blogs/?p=124895 online security

With the increase in online activities due to the COVID-19 pandemic, consumers are potentially becoming exposed to more online threats,...

The post McAfee Partners with American Express to Provide Best-in-Class Security appeared first on McAfee Blogs.

]]>
online security

With the increase in online activities due to the COVID-19 pandemic, consumers are potentially becoming exposed to more online threats, and nearly 1 in 3 Americans are not confident in their ability to prevent a cyberattack. Through a partnership with American Express via the Amex Offers Program, McAfee is delighted to offer eligible American Express Card Members personal online security by providing access to comprehensive solutions that protect online security 

“Despite the increase in potential risks, consumers plan to continue conducting more and more personal activities online as the post-pandemic new normal comes to fruition,” said Pedro Gutierrez, SVP Global Consumer Sales & Operations at McAfee. “Investing in personal security solutions to protect your online life is a simple way to think security-first, and we’re ecstatic we can now offer these solutions to add value to American Express Card Members.”

The COVID-19 pandemic has forced many regular activities online, with McAfee’s 2021 Consumer Security Mindset Report finding that internet providers saw household internet usage surge anywhere from 40% to 100% as people worked, studied, shopped and entertained themselves at home. Additionally, McAfee found that of consumers that purchased connected devices in 2020, only 50% acted by purchasing security software and only 1 in 4 checked if their security software is up to date. 

Through the Amex Offers program, eligible American Express Card Members can receive a statement credit of up to $15 if they spend $45 or more to purchase personal protection solutions at McAfee.com.  The statement credit is available to eligible American Express Card Members until August 24th, 2021 and Card Members should check their offers list for additional details on eligibility, offer redemption instructions and applicable limitations. 

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.  

 

The post McAfee Partners with American Express to Provide Best-in-Class Security appeared first on McAfee Blogs.

]]>
8 Signs It May Be Time for Parental Controls https://www.mcafee.com/blogs/consumer/family-safety/8-signs-it-may-be-time-for-parental-controls/ Mon, 19 Jul 2021 21:43:46 +0000 /blogs/?p=124853

Equipping and guiding your digitally connected child is one of the toughest challenges you will face as a parent. As...

The post 8 Signs It May Be Time for Parental Controls appeared first on McAfee Blogs.

]]>

Equipping and guiding your digitally connected child is one of the toughest challenges you will face as a parent. As your child grows and changes, so too will their online activities. Friend groups, favorite apps, and online interests can shift from one month to the next, which is why parental controls can be a parent’s best friend.  

According to a report from Common Sense Media, teens spend an average of seven hours and 22 minutes on their phones a day. Tweens (ages 8 to 12) spend four hours and 44 minutes daily. This is time outside of schoolwork. 

That is a lot of time to stroll the streets of cyberspace for entertainment purposes, and it’s only increased since the pandemic.  

Striking a balance between screen time and healthy device use is an always-evolving challenge. On the one hand, your child’s device is an essential channel connecting them to their self-identity, peer acceptance, and emotional well-being. On the other hand, that same device is also the door that can bring issues such as cyberbullying, predators, risky behavior, and self-image struggles into your child’s life.  

Raising the Safety Bar 

Parental controls are tools that allow parents to set controls on their children’s internet use. Controls include content filters (inappropriate content), usage limits (time controls), and monitoring (tracking activity). 

Many of the technology your family already owns or sites your kids visit have basic parental controls (i.e., built-in controls for android and iPhone and social networks such as YouTube). However, another level of parental control comes in software specifically engineered to filter, limit, and track digital activity. These consumer-designed parental controls offer families a higher, more powerful form of protection.  

 If you are like many parents who land on this blog, you’ve hit a rough patch. You have concerns about your child’s online activity but aren’t sure how to begin restoring balance. Rightly, you want to find the best parental control software and put digital safeguards in place.  

8 Signs Your Family Needs Parental Controls 

Every family dynamic is different, as is every family’s approach to online monitoring. However, most parents can agree that when a negative influence begins to impact the family’s emotional and physical health, exploring new solutions can help get you back on track.  

Depending on your child’s age, you may need to consider parental controls if:  

 1. They don’t respond when you talk to them  

If your child is increasingly engrossed in their phone and it’s causing communication issues in your family, you may want to consider software that includes time limits. Connecting with your child during device-free time can improve communication.  

2. They’ve started ignoring homework and family responsibilities  

There are a lot of reasons grades can plummet, or interests can fade. However, if your child is spending more and more time online, limiting or monitoring what goes on in that time can help restore emotional balance and self-discipline to meet responsibilities.  

3. Their browser history shows access to risky content  

Innocent online searches can lead to not so innocent results or children may go looking for content simply because they’re curious. Parental controls automatically block age-inappropriate sites and filter websites, apps, and web searches.  

4. They won’t give you their device without a fight  

If the phone has become the center of your child’s world at the cost of parental respect and family rules, they may be engaged in inappropriate behavior online, connecting with the wrong friends, or struggling with tech balance. With the proper parental controls, a parent can block risky content, view daily activity, and set healthy time limits.  

5. They’re losing interest in family outings and other non-digital activities  

Poor habits form quietly over time. If your child has dramatically changed their focus in the past three to six months, consider zooming in on why. It may not be technology use, but you may consider an additional layer of protection if it is.   

6. They go into another room to respond to a text  

While everyone deserves privacy, if constantly sneaking away to communicate with a friend is your child’s new norm, you may consider making some screen time adjustments.  

7. They are exhausted  

Unbeknownst to parents, kids might be exchanging sleep for screen time. Parental controls can help you nip this unhealthy habit. Setting time limits can help kids experience deeper sleep, better moods, more focus, and more energy. 

8. They overshare online  

If you browse through your child’s social media and notice their profiles are public instead of private, or if your child tends to overshare personal information, parental controls can help you monitor future activity. 

Ideally, we’d all prefer to live in a world where we didn’t need parental controls at all. Unfortunately, that is neither a present nor future reality. So, we recalibrate, keep learning, and keep adding to our parenting skills. As always, we believe the first go-to digital safety tool is investing in consistent open and honest conversation with your child. And the second tool? Yup, reach for the parental controls. While you may hear some hemming and hawing from your kids at first, the peace of mind you gain from having parental controls in place will be worth it.  

Stay Updated

To stay updated on all things McAfee and top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.   

The post 8 Signs It May Be Time for Parental Controls appeared first on McAfee Blogs.

]]>
An Overall Philosophy on the Use of Critical Threat Intelligence https://www.mcafee.com/blogs/other-blogs/mcafee-labs/an-overall-philosophy-on-the-use-of-critical-threat-intelligence/ Fri, 16 Jul 2021 20:15:22 +0000 /blogs/?p=124835

The overarching threat facing cyber organizations today is a highly skilled asymmetric enemy, well-funded and resolute in his task and...

The post An Overall Philosophy on the Use of Critical Threat Intelligence appeared first on McAfee Blogs.

]]>

The overarching threat facing cyber organizations today is a highly skilled asymmetric enemy, well-funded and resolute in his task and purpose.   You never can exactly tell how they will come at you, but come they will.  It’s no different than fighting a kinetic foe in that, before you fight, you must choose your ground and study your enemy’s tendencies.

A lot of focus has been placed on tools and updating technology, but often we are pushed back on our heels and find ourselves fighting a defensive action.

But what if we change?  How do we do that?

The first step is to study the battlefield, understand what you’re trying to protect and lay down your protection strategy.  Pretty basic right??

Your technology strategy is very important, but you must embrace and create a thorough Cyber Threat Intelligence (CTI) doctrine which must take on many forms.

First, there is data, and lots of it.  However, the data must take specific forms to research and detect nascent elements where the adversary is attempting to catch you napping or give you the perception that the activity you see is normal.

As you pool this data, it must be segmented into layers and literally mapped to geographic locations across the globe.  The data is classified distinctly as malicious and reputations are applied.  This is a vital step in that it enables analytical programs, along with human intelligence analysts to apply the data within intelligence reports which themselves can take on many forms.

Once the data takes an analytic form, then it allows organizations to forensically piece together a picture of an attack.  This process is painstakingly tedious but necessary to understand your enemy and his tendencies.  Tools are useful, but it’s always the human in the loop that will recognize the tactical and strategic implications of an adversary’s moves. Once you see the picture, it becomes real, and then you’re able to prepare your enterprise for the conflict that follows.

Your early warning and sensing strategy must incorporate this philosophy.  You must sense, collect, exploit, process, produce and utilize each intelligence product that renders useful information.  It’s this process that will enable any organization to move decisively to and stay “left of boom”.

The McAfee Advanced Programs Group (APG) was created eight years ago to support intelligence organizations that embrace and maintain a strong CTI stance.  Its philosophy is to blend people, processes, data and a strong intelligence heritage to enable our customers to understand the cyber battlefield to proactively protect, but “maneuver” when necessary to avoid an attack.

APG applies three key disciplines or mission areas to provide this support.

First, we developed an internal tool called the Advanced Threat Landscape Analysis System (ATLAS).  This enables our organization to apply our malicious threat detections to a geospatial map display to see where we’re seeing malicious data.  ATLAS draws from our global network of billions of threat sensors to see trillions of detections each day, but enables our analysts to concentrate on the most malicious activity.  Then we’re better able to research and report accurate threat landscape information.

The second leg in the stool is our analytical staff, the true cyber ninjas that apply decades of experience supporting HUMINT operations across the globe and a well-established intelligence-based targeting philosophy to the cyber environment.  The result is a true understanding of the cyber battlefield enabling the leadership to make solid “intelligence-based” decisions.

Finally, the third leg is our ability to develop custom solutions and interfaces to adapt in a very custom way our ability to see and study data.  We have the ability to leverage 2.8 billion malicious detections, along with 20 other distinct malicious feeds, to correlate many different views, just not the McAfee view.  We interpret agnostically.

These three legs provide APG a powerful CTI advantage allowing our customers to adapt and respond to events by producing threat intelligence dynamically. When using this service it allows the customer to be fully situationally aware in a moments notice (visual command and control). Access to the data alone is an immense asset to any organization.  This allows each customer not only to know what their telemetry is, but also provides real time insights into the entire world ecosystem. Finally, the human analysis alone is immensely valuable.  It allows for the organizations to read and see/understand what it all means (the who, what, where and why).   “The so what!!”

The post An Overall Philosophy on the Use of Critical Threat Intelligence appeared first on McAfee Blogs.

]]>
REvil Ransomware Uses DLL Sideloading https://www.mcafee.com/blogs/other-blogs/mcafee-labs/revil-ransomware-uses-dll-sideloading/ Fri, 16 Jul 2021 16:49:41 +0000 /blogs/?p=124778

This blog was written byVaradharajan Krishnasamy, Karthickkumar, Sakshi Jaiswal Introduction Ransomware attacks are one of the most common cyber-attacks among...

The post REvil Ransomware Uses DLL Sideloading appeared first on McAfee Blogs.

]]>

This blog was written byVaradharajan Krishnasamy, Karthickkumar, Sakshi Jaiswal

Introduction

Ransomware attacks are one of the most common cyber-attacks among organizations; due to an increase in Ransomware-as-a-service (RaaS) on the black market. RaaS provides readily available ransomware to cyber criminals and is an effective way for attackers to deploy a variety of ransomware in a short period of time.

Usually, RaaS model developers sell or rent their sophisticated ransomware framework on the black market. After purchasing the license from the ransomware developer, attackers spread the ransomware to other users, infect them, encrypt files, and demand a huge ransom payment in Bitcoin.  Also, there are discounts available on the black market for ransomware frameworks in which the ransom money paid is shared between developers and the buyer for every successful extortion of ransom from the victims. These frameworks reduce the time and effort of creating a new ransomware from scratch using latest and advanced programming languages.

REvil is one of the most famous ransomware-as-a-service (RaaS) providers. The group released the Sodinokibi ransomware in 2019, and McAfee has since observed REvil using a DLL side loading technique to execute ransomware code. The actual ransomware is a dropper that contains two embedded PE files in the resource section.  After successful execution, it drops two additional files named MsMpEng.exe and MpSvc.dll in the temp folder. The file MsMpEng.exe is a Microsoft digitally signed file having a timestamp of March 2014 (Figure 1).

Figure-1: Image of Microsoft Digitally signed File

DLL SIDE LOADING

The malware uses DLL side loading to execute the ransomware code. This technique allows the attacker to execute malicious DLLs that spoof legitimate ones. This technique has been used in many APTs to avoid detection. In this attack, MsMpEng.exe loads the functions of MpSvc.dll during the time of execution. However, the attacker has replaced the clean MpSvc.dll with the ransomware binary of the same name. The malicious DLL file has an export function named ServiceCrtMain, which is further called and executed by the Microsoft Defender file. This is a clever technique used by the attacker to execute malicious file using the Microsoft digitally signed binary.

Figure-2: Calling Export function

PAYLOAD ANALYSIS

The ransomware uses the RC4 algorithm to decrypt the config file which has all the information that supports the encryption process.

Figure-3: REvil Config File

Then it performs a UI language check using GetSystemDefaultUILanguage/GetUserDefaultUILanguage functions and compares it with a hardcoded list which contains the language ID of several countries as shown in below image.

Figure-4: Language Check

Countries excluded from this ransomware attack are mentioned below:

GetUserDefaultUILanguage Country name
0x419 Russian
0x422 Ukranian
0x423 Belarusian
0x428 Tajik (Cyrilic from Tajikistan)
0x42B Armenian
0x42C Azerbaijani (Latin from Azerbaijan)
0x437 Georgian
0x43F Kazakh from Kazakhastan
0x440 Kyrgyzstan
0x442 Turkmenistan
0x443 Latin from Uzbekistan
0x444 Tatar from Russia Federation
0x818 Romanian from Moldova
0x819 Russian from Moldova
0x82C Cyrilic from Azerbaijan
0x843 Cyrilic from Uzbekistan
0x45A Syriac
0x281A Cyrilic from Serbia

 

Additionally, the ransomware checks the users keyboardlayout and it skips the ransomware infection in the machine’s which are present in the country list above.

Figure-5: Keyboardlayout check

Ransomware creates a Global mutex in the infected machine to mark its presence.

Figure-6: Global Mutex

After creating the mutex, the ransomware deletes the files in the recycle bin using the SHEmptyRecycleBinW function to make sure that no files are restored post encryption.

Figure-7: Empty Recycle Bin

Then it enumerates all the active services with the help of the EnumServicesStatusExW function and deletes services if the service name matches the list present in the config file. The image below shows the list of services checked by the ransomware.

Figure-8: Service List check

It calls the CreateToolhelp32Snapshot, Process32FirstW and Process32NextW functions to enumerate running processes and terminates those matching the list present in the config file.  The following processes will be terminated.

  • allegro
  • steam
  • xtop
  • ocssd
  • xfssvccon
  • onenote
  • isqlplussvc
  • msaccess
  • powerpnt
  • cad
  • sqbcoreservic
  • thunderbird
  • oracle
  • infopath
  • dbeng50
  • pro_comm_msg
  • agntsvc
  • thebat
  • firefox
  • ocautoupds
  • winword
  • synctime
  • tbirdconfig
  • mspub
  • visio
  • sql
  • ocomm
  • orcad
  • mydesktopserv
  • dbsnmp
  • outlook
  • cadence
  • excel
  • wordpad
  • creoagent
  • encsvc
  • mydesktopqos

 

Then, it encrypts files using the Salsa20 algorithm and uses multithreading for fast encryption of the files. Later, background wallpaper will be set with a ransom message.

Figure-9: Desktop Wallpaper

Finally, the ransomware displays ransom notes in the victim’s machine. Below is an image of readme.txt which is dropped in the infected machine.

Figure-10: Ransom Note

IOCs and Coverage

Type Value Detection Name Detection Package Version (V3)
Loader 5a97a50e45e64db41049fd88a75f2dd2 REvil.f 4493
Dropped DLL 78066a1c4e075941272a86d4a8e49471 REvil.e 4493

 

Expert rules allow McAfee customers to extend their coverage. This rule covers this REvil ransomware behaviour.

MITRE

Technique ID Tactic Technique Details
T1059.003 Execution Command and Scripting Interpreter
T1574.002 DLL Side-Loading Hijack Execution Flow
T1486 Impact Data Encrypted for Impact
T1036.005 Defense Evasion Masquerading
T1057 Discovery Process Discovery
T1082 Discovery System Information Discovery

Conclusion

McAfee observed that the REvil group has utilized oracle web logic vulnerability (CVE-2019-2725) to spread the ransomware last year and used kaseya’s VSA application recently for their ransomware execution, with the help of DLL sideloading. REvil uses many vulnerability applications for ransomware infections, however the encryption technique remains the same. McAfee recommends making periodic backups of files and keeping them isolated off the network and having an always updated antivirus in place.

The post REvil Ransomware Uses DLL Sideloading appeared first on McAfee Blogs.

]]>
COVID-19 Vaccine Passports: 5 Security Tips for You and Your Family https://www.mcafee.com/blogs/consumer/mobile-and-iot-security/covid-19-vaccine-passports-5-security-tips-for-you-and-your-family/ Fri, 16 Jul 2021 13:30:21 +0000 /blogs/?p=124516 Vaccine Passport

Depending on where your travels take you, you might need a new passport—a COVID-19 vaccine passport.  In an effort to kickstart travel...

The post COVID-19 Vaccine Passports: 5 Security Tips for You and Your Family appeared first on McAfee Blogs.

]]>
Vaccine Passport

Depending on where your travels take you, you might need a new passport—a COVID-19 vaccine passport. 

In an effort to kickstart travel and local economies, these so-called vaccine passports are more accurately a certificate. Such a “passport” can offer proof that the holder has been fully vaccinated against the virus, and there are several of these passports developing in the wings. With all of this in motion, I wanted to give families a look at what’s happening so that they can protect their privacy and identity online. 

What is a COVID-19 vaccine passport? 

Broadly speaking, a vaccine passport works like this: information such as name, date of birth, date of vaccination, vaccination type, and vaccination lot number are used to create a digital certificate stored in a smartphone or a physical card. The holder can then offer up that proof of vaccination (or a recent negative test result) to businesses, travel authorities, and the like. 

The notion of a vaccine passport has actually been around for a while now, such as the “Yellow Card” issued by the World Health Organization (WHO), which documents vaccination against diseases like cholera and yellow fever for travelers. Note that currently there’s no widely accepted standard for COVID-19 vaccine passports. What’s more, conversations continue around the concerns that come with documenting and sharing vaccine information securely. Understandably, it’s a complex topic. 

Who is using COVID-19 vaccine passports? 

As of this writing, the European Union has started issuing the “EU Digital Covid Certificate,” which allows its holders to travel throughout the EU freely without quarantine restrictions. The UK has its own version in the works, as do other nations in Asia, along with airline carriers too. In the U.S., “passports” appear to be in development on the state levelrather than on the federal level. For example, the state of New York has its Excelsior Pass program and California has its Digital COVID-19 Vaccine Record available to residents. Private airlines and air travel industry groups have launched their own efforts as well, such as the International Air Travel Association’s IATA Travel Pass 

How these passports are rolled out and how they get used will vary, yet vaccine passports may have an impact on the way people can travel as we recover globally from the pandemic. In some cases, they may even determine if people can attend large events that can help localities reboot their economies and public life in general (i.e., concerts, sporting events, and so on). 

The development of vaccine passports and all the rules businesses and local authorities set around them may feel a bit out of our hands. However, in terms of your privacy and your family’s privacy, plenty is still very much in your hands. The common denominator across all these vaccine passports is the exchange of personal information—you and your family’s personal information. And where personal information is shared, hackers are sure to follow. This presents a perfect opportunity for you and your family to review your online privacy practices and close any gaps, whether you plan on traveling or not. 

Protect your privacy and identity along with your COVID-19 vaccination passport 

I put together a few things you can do to make sure that you and your family can navigate the future use of these passports with your privacy in mind: 

1. Don’t post pics of your vaccine card online: 

What seems like an innocent celebration of your vaccination could put your personal information at risk. The information captured on these cards varies by nation, region, and locality, with some of the cards containing more information than others. However, even basic info such as birthday, vaccine manufacturer and lot number, location of immunization, or doctor’s name can provide the basis of a scam, such as a phishing email or phishing text message. Likewise, such information could get scooped up by a hacker and  used to create phony vaccination credentials. Instead of posting that pic of you and your vaccine card, go with a happy selfie instead. And if you’ve already posted, go ahead and delete the image, better to remove it now and stay safe.  

2. Watch out for scammers asking for personal information: 

As mentioned above, the uncertainty around vaccine passports, and the general uncertainty around the latter days of the pandemic overall, creates opportunities for hackers and cybercrooks. Just as the early pandemic saw phony offers around miracle cures and today we’re seeing offers for phony vaccination cards, you can bet that scams revolving around vaccine passports will follow. The best advice here is to go to a trusted source for information, like the NHS in the UK or the American Medical Association in the U.S. Granted, cybercrooks will launch their phishing campaigns regardless. Here’s what to do if one heads your way: 

  • If you receive a request or offer via email or text from an unrecognized source, delete it.  
  • If you receive a request or offer that looks legitimate, don’t click any links. Instead, go directly to the organization and see if that same information is on its webpage too. 

In all, if someone is asking for any kind of personal or financial information via an email, text, instant message, or the like, chances are it’s a scam. For more, check out this article on how to spot the warning signs of a phishing attack. 

3. Check your credit report (and your child’s report too): 

In a time of data breaches large and small, checking your credit regularly is a wise move. Doing so will help you quickly spot issues and help you address them, as companies typically have a clear-cut process for dealing with fraud. You can get a free credit report in the U.S. via the Federal Trade Commission (FTC) and other nations like the UK have similar free offerings as well. 

Do the same for your children. They’re targets too. High-value targets at that. Their credit reports are clean, which gives cybercrooks a blank slate to work with. Even more attractive is that child identity theft often goes long unnoticed until years later when the child gets older and rents an apartment or applies for their first credit card. 

4. Protect your family by protecting your devices: 

It’s that simple. Given that these vaccine passports will likely involve a digital certificate stored on a smartphone, app, or possibly other devices, protect them so you can protect yourself. Select comprehensive security software that will protect multiple devices so that everyone in your home is covered. 

5. Keep tabs on what’s happening in your region: 

You can bet that rumors will abound as to who is issuing what “passport”, under what restrictions, and with what implications for traveling, dining out, and visiting shops. All of that amounts to plenty of falsehoods and scams that attempt to rob you of your privacy, identity, and even your money. Turn to trusted news sources known for their even-handed reporting, such as Reuters or the Associated Press, and get your information from there. Knowing what the facts about vaccine passports are in your locality will arm you against fear-based attacks. 

Your privacy is a puzzle to cybercrooks—keep it that way 

A few months back, the FTC posted its own blog about sharing vaccine card photos. It’s a great read, in part because they used a helpful analogy to discuss privacy and identity theft: 

Think of it this way — identity theft works like a puzzle, made up of pieces of personal information. You don’t want to give identity thieves the pieces they need to finish the picture. 

Likewise, any vaccine passport you acquire will become yet another puzzle piece that you have to protect. 

In all, with post-pandemic recovery measures evolving before our eyes, keep an eye on your family’s security. Don’t give away any snippets of info that could be used against you and stay on the lookout for the scams hitting the internet that play on people’s uncertainty and fears. COVID-19 passports may be entirely new, yet they give cybercrooks one more way they can play their old tricks. 

Stay Updated 

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.  

The post COVID-19 Vaccine Passports: 5 Security Tips for You and Your Family appeared first on McAfee Blogs.

]]>
Guide: Protecting Your Digital Identity https://www.mcafee.com/blogs/consumer/consumer-cyber-awareness/guide-protecting-your-digital-identity/ Thu, 15 Jul 2021 20:45:47 +0000 /blogs/?p=124805 digital identity

People in their 20s and 30s are losing it online. And by it, I mean money—thanks to digital identity theft.  In its...

The post Guide: Protecting Your Digital Identity appeared first on McAfee Blogs.

]]>
digital identity

People in their 20s and 30s are losing it online. And by it, I mean money—thanks to digital identity theft. 

In its simplest form, your digital identity is made up of a whole host of things that can be traced back to you and who you are. That can range anywhere from photos you post online to online shopping accounts, email accounts to telephone numbers, and bank accounts to your tax ID.  

In this way, your digital identity is like dozens upon dozens of puzzle pieces made up of different accounts, ID numbers, and so forth. When put together, they create a picture of you. And that’s why those little puzzle pieces of your identity are such attractive targets for hackers. If they get the right combination of them, you can end up a victim of theft or fraud.  

Millennials are major targets for fraud 

Here’s what’s happening: people in their 20s and 30s were twice as likely than people 40 and over to report losing money while shopping online. That’s according to recent figures from the U.S. Federal Trade Commission (FTC), which also found that people in their 20s to 30s are far more likely to report losing money to fraud. What’s more, they’re also 77% more likely than older people to lose it by way of an email scam. 

And it’s no surprise younger adults get targeted this way. They’re far more likely than any other age group to use mobile apps for peer-to-peer payments, transfer money between accounts, deposit checks, and pay bills. In short, there’s a lot of money flowing through the palms of their hands thanks to their phones, as well as their computers. 

Protecting yourself from hackers and fraud means protecting your digital identity. And that can feel like a pretty huge task given all the information your digital identity includes. It can be done, though, especially if you think about your identity like a puzzle. A piece here, another piece there, can complete the picture (or complete it just enough) to give a hacker what they need to separate you from your money. Thus, the way to stay safe is to keep those puzzle pieces out of other people’s hands.  

Six ways you can protect your digital identity from hackers and fraud 

It’s actually not that tough. With a few new habits and a couple of apps to help you out, you can protect yourself from the headaches and flat-out pain of fraud. Here’s a list of straightforward things that you can get started on right away: 

1. Start with the basics—security software  

Protect yourself by protecting your stuff. Installing and using security software on your computers and phones can prevent all kinds of attacks and make you safer while you surf, bank, and shop online. I should emphasize it again—protect your phone. Only about half of people protect their phones even though they use it to hail rides, order food, send money to friends, and more. Going unprotected on your phone means you’re sending all that money on the internet in a way that’s far, far less safe than if you use online protection. 

2. Create strong passwords  

You hear this one all the time and for good reason—strong, unique passwords offer one of your best defenses against hackers. Never re-use them (or slight alterations of them) across the different platforms and services you use. Don’t forget to update them on the regular (that means at least every 60 days)! While that sounds like a lot of work, a password manager can keep on top of it all for you. And if your platform or service offers the use of two-factor authentication, definitely make use of that. It’s a further layer of security that makes hacking tougher for crooks. 

3. Keep up to date with your updates  

Updates have a way of popping up on our phones and computers nearly every day, resist the urge to put them off until later. Aside from making improvements, updates often include important security fixes. So, when you get an alert for your operating system or app on your devices, go ahead and update. Think of it as adding another line of defense from hackers who are looking to exploit old flaws in your apps.   

4. Think twice when you share  

Social media is one place hackers go to harvest personal information because people sometimes have a way of sharing more than they should. With info like your birthday, the name of your first school, your mother’s maiden name, or even the make of your first car, they can answer common security questions that could hack into your accounts. Crank up the privacy settings on your accounts so only friends and family can see your posts—and realize the best defense here is not to post any possibly sensitive info in the first place. Also, steer clear of those “quizzes” that sometimes pop up in your social feeds. Those are other ways that hackers try to gain bits of info that can put your identity at risk. 

5. Shred it  

Even though so many of us have gone paperless with our bills, identity theft by digging through the trash, or “dumpster diving,” is still a thing. Things like medical bills, tax documents, and checks still might make their way to your mailbox. You’ll want to dispose of them properly when you’re through with them. First, invest in paper shredder. Once you’ve online deposited that check or paid that odd bill, shred it so that any personal or account info on there can’t be read (and can be recycled securely). Second, if you’re heading out of town for a bit, have a friend collect your mail or have the post office put a temporary hold on your mail. That’ll prevent thieves from lifting personal info right from your mailbox while you’re away. 

6. Check your credit  

Even if you don’t think there’s a problem, go ahead and check your credit. The thing is, someone could be charging things against your name without you even knowing it. Depending on where you live, different credit reporting agencies keep tabs on people’s credit. In the U.S., the big ones are Equifax, Experian, and TransUnion. Also in the U.S., the Fair Credit Reporting Act (FCRA) requires these agencies to provide you with a free credit check at least once every 12 months. Canada, the UK, and other nations likewise offer ways to get a free credit report. Run down your options—you may be surprised by what you find. 

How do I know if my identity has been stolen?  

As I just mentioned, the quickest way to get sense of what’s happening with your identity is to check your credit. Identity theft goes beyond money. Crooks will steal identities to rent apartments, access medical services, and even get jobs. Things like that can show up on a credit report, such as when an unknown address shows up in a list of your current and former residences or when a company you’ve never worked for shows up as an employer. If you spot anything strange, track it down right away. Many businesses have fraud departments with procedures in place that can help you clear your name if you find a charge or service wrongfully billed under your name. 

Other signs are far more obvious. You may find collection agencies calling or even see tax notices appearing in your mailbox (yikes). Clearly, cases like those are telltale signs that something is really wrong. In that case, report it right away: 

  • If you live in the U.S. and think that someone is using your personal information, visit IdentityTheft.gov. 
  • In Canada, visit antifraudcentre-centreantifraude.ca for help.  
  • And in the UK, check out CIFAS, the UK’s fraud prevention service, at cifas.org.uk. 

Likewise, many nations offer similar government services. A quick search will point you in the right direction. 

Another step you can take is to ask each credit bureau to freeze your credit, which prevents crooks from using your personal information to open new lines of credit or accounts in your name. Fraud alerts offer another line of protection for you as well, and you can learn more about fraud alerts here. 

Keeping your digital identity in your hands 

With so many bits and pieces of information making up your digital identity, a broader way of keeping it safe involves asking yourself a question: what could happen if someone got their hands on this info? Further realizing that even little snippets of unsecured info can lead to fraud or theft in your name helps—even that un-shredded bill or innocuous refund check for a couple of bucks could give a crook the puzzle piece they need. You can keep your digital identity safe by keeping those pieces of info out of other people’s hands.    

Stay Updated 

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.  

The post Guide: Protecting Your Digital Identity appeared first on McAfee Blogs.

]]>
Small Businesses Save Up to 60% in McAfee and Visa Partnership https://www.mcafee.com/blogs/consumer/mcafee-consumer-news/small-businesses-save-up-to-60-in-mcafee-and-visa-partnership/ Wed, 14 Jul 2021 04:01:11 +0000 /blogs/?p=124504 McAfee Security

Small business owners are getting a special deal on their online protection through a partnership between McAfee and Visa. With new ways of working creating online opportunities and risks for...

The post Small Businesses Save Up to 60% in McAfee and Visa Partnership appeared first on McAfee Blogs.

]]>
McAfee Security

Small business owners are getting a special deal on their online protection through a partnership between McAfee and Visa. With new ways of working creating online opportunities and risks for small business owners, McAfee and Visa have come together to offer comprehensive protection for a changed business landscape. 

Designed to help you minimize costs and unexpected interruptions to your business, McAfee® Security for Visa cardholders provides award-winning antivirus, ransomware, and malware protection for all your company devices including PCs, smartphones, and tablets on all major platforms. Visa Small Business cardholders automatically save up to 40% with a 24-month package and up to 60% with a 12-month offer. 

Safety features include:  

  • Security for up to 25 Devices 
  • Antivirus 
  • Password Manager for up to 5 users 
  • Virtual Private Networks (VPN) for up to 5 devices 
  • Privacy Tools 

McAfee’s security savings bundle is also part of Visa’s commerce in a box initiative, which has launched in six U.S. cities (D.C., Detroit, Atlanta, Miami, Los Angeles and Chicago). This program features a curated selection of offers, discounts, and bundles from Visa’s Authorize.net and Visa partners designed to help small businesses with what they need to move their business forward digitally — from accepting digital payments and building an eCommerce site to marketing to their audience in new ways and providing online marketing tools to run and protect their business. 

Stay Updated 

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.  

The post Small Businesses Save Up to 60% in McAfee and Visa Partnership appeared first on McAfee Blogs.

]]>
White House Executive Order – Removing Barriers to Sharing Threat Information https://www.mcafee.com/blogs/enterprise/white-house-executive-order-removing-barriers-to-sharing-threat-information/ Mon, 12 Jul 2021 15:00:51 +0000 /blogs/?p=124663

The latest guidance in the Executive Order on Improving the Nation’s Cybersecurity (EO), Section 2, discusses removing the barriers to...

The post White House Executive Order – Removing Barriers to Sharing Threat Information appeared first on McAfee Blogs.

]]>

The latest guidance in the Executive Order on Improving the Nation’s Cybersecurity (EO), Section 2, discusses removing the barriers to sharing threat information. It describes how security partners and service providers are often hesitant or contractually unable to share information about a compromise. The EO helps ensure that security partners and service providers can share intelligence with the government and requires them to share certain breach data with executive level departments and agencies responsible for investigating and remediating incidents, namely CISA, the FBI, and the IC.  This approach will enable better comprehensive threat visibility across the Executive Branch departments and agencies to promote early detection and coordinated response actions. Indeed, the threat information sharing section will help enhance the public-private sector partnership that McAfee, and our colleagues in the cyber security industry are committed to supporting.  To achieve this goal the EO requires:

  • Elimination of contractual barriers that limit sharing across agencies through FAR modifications
  • The expansion of log retention
  • Mandatory reporting requirements for government technology and service partners
  • Standards-based incident sharing
  • Collaboration with investigative agencies on potential or actual incidents.

The EO is a positive first step towards improving incident awareness at a macro level, though the EO would be even more impactful if it pushed government agencies to share more threat information with the private sector. The U.S. government represents an incredibly large attack surface and being able to identify threats early in one agency or department may very well serve to protect other agencies by enabling stronger predictive and more proactive defenses.  While a government-built threat intelligence data lake is a critical first step, I think a logical next step should be opening the focus of threat intelligence sharing to be both real-time and bi-directional.

The EO focuses on the need for the private sector to improve its information sharing and collaboration with the government. However, the guidance is focused more on “post-breach” and unidirectional threat sharing.  Real-time, not just “post-breach,” threat sharing improves the speed and effectiveness of countermeasures and early detection.  Bi-directional data sharing opens possibilities for things like cross-sector environmental context, timely and prescriptive defensive actions, and enhanced remediation and automation capabilities.  Harnessing real-time sector-based threat intelligence is not a unique concept; companies like McAfee have started to deliver on the promise of predictive security using historical threat intelligence to guide proactive security policy decision making.

Real-time threat sharing will make one of the EO’s additional goals, Zero Trust, ultimately more achievable.  Zero Trust requires a dynamic analysis layer that will continuously evaluate user and device trust. As environmental variables change, so should the trust and ultimately access and authorization given. If the intent of threat intelligence sharing is to identify potentially compromised or risky assets specific to emerging campaigns, then it stands to reason that the faster that data is shared, the faster trust can be assessed and modified to protect high-value assets.

McAfee has identified the same benefits and challenges as the government for targeted threat intelligence and has developed a useful platform to enable robust threat sharing. We understand the value of sector specific data acting as an early indicator for organizations to ensure protection.  Focusing on our own threat intelligence data lakes, we deliver on the promise of sector-specific intelligence by identifying targeted campaigns and threats and then correlating those campaigns to protective measures.  As a result, government agencies now have the advantage of predicting, prioritizing, and prescribing appropriate defense changes to stay ahead of industry-focused emerging campaigns. We call that capability MVISION Insights.

This approach serves to drive home the need for collaborative shared threat intelligence. McAfee’s broad set of customers across every major business sector, combined with our threat research organization and ability to identify sector-specific targeted campaigns as they’re emerging, allows customers to benefit from threat intelligence collected from others in their same line of business. The federal government has a wide range of private sector business partners across healthcare, finance, critical infrastructure, and agriculture, to name a few. Each of these partners extends the government attack surface beyond the government-controlled boundary, and each represents an opportunity for compromise.

Imagine a scenario where an HHS healthcare partner is alerted, in real-time across a public/private sector threat intelligence sharing grid, to a threat affecting either the federal government directly or a healthcare partner for a different government agency. This approach allows them to assess their own environment for attack indicators, make quick informed decisions about defensive changes, and limit access where necessary.  This type of real-time alerting not only allows the HHS partner to better prepare for a threat, but ultimately serves to reduce the attack surface of the federal government.

Allowing industry partners to develop and participate in building out cyber threat telemetry enables:

  • Automation of the process for predicting and alerting
  • Proactively identifying emerging threats inside and across industries
  • Sharing detailed information about threats and actors (campaigns and IOCs)
  • Real-time insight and forensic investigation capabilities

The U.S. government can begin to effectively shift focus from a reactive culture to one that is more proactive, enabling faster action against threats (or something like this). In the next EO, the Administration should bulk up its commitment to sharing cyber threat information with the private sector. The capability to exchange cyber threat intelligence data across the industry in standards-based formats in near real time exists today.  The collective “we” just needs to make it a priority.

 

 

 

The post White House Executive Order – Removing Barriers to Sharing Threat Information appeared first on McAfee Blogs.

]]>
How to Make Telehealth Safer for a More Convenient Life Online https://www.mcafee.com/blogs/consumer/consumer-cyber-awareness/how-to-make-telehealth-safer-for-a-more-convenient-life-online/ Sat, 10 Jul 2021 13:32:22 +0000 /blogs/?p=124531 telehealth

Among the many major shifts in lifestyle during the COVID-19 pandemic, the way we used healthcare was one of the...

The post How to Make Telehealth Safer for a More Convenient Life Online appeared first on McAfee Blogs.

]]>
telehealth

Among the many major shifts in lifestyle during the COVID-19 pandemic, the way we used healthcare was one of the most significant. Providers limited in-person visits, elective procedures were delayed, and we avoided hospitals. In response, we went online and started using telehealth and other virtual solutions in ways we never had before. 

Our latest consumer mindset survey confirms this was more than a passing trend, showing an almost 50% rise since the beginning of the pandemic in the use of PCs and Mobile devices to access health information, meet virtually with health care providers, and manage prescriptions. Survey respondents also showed they adapted by increasing their usage of smart fitness devices, like Fitbits, to track their personal health. 

The hidden cost of convenience  

Navigating the healthcare system and accessing more of our services through the web means more of our personal information is now online. From patient intake forms to test results, a great deal of data about our health, including confidential information like vaccination records, is potentially available. Survey respondents confirmed that they shared and accessed their personal health information across the internet, despite 1/3 or more of respondents having concerns for their privacy and security of their personal information. 

This trend hasn’t gone unnoticed by cybercriminals. In fact, the US Department of Health and Human Services is currently investigating nearly 800 health-related data breaches impacting nearly 60 million individuals. All of which is to say that telehealth advances may help us avoid sitting in a doctor’s office, but we need to be more mindful about our security when using these new online services. 

Maintaining your online wellness  

Despite the adoption of many telehealth and online health services, security was still a concern for many of our survey respondents. A majority said the primary reason they do not use smart devices for their personal health was because of privacy and security concerns. Fortunately, just as there is preventive medicine, there are also preventive cybersecurity measures we can take to keep our personal data safer online. Here are a few we recommend: 

  • Use a VPN when conducting a Telehealth video call with a physician, accessing your medical records, or managing your prescriptions 
  • A VPN is a Virtual Private Network, a service that protects your data and privacy online. It creates an encrypted tunnel to keep you anonymous by masking your IP address. This means you can keep prying eyes away from your confidential conversations. 
  • Use a proven security solution such as McAfee Total Protection on all devices 
  • All-in-one protection is a great way to keep your devices, identity, and privacy safer as you go about life online. 
  • Only use HTTPS connections when accessing an  telehealth website.  
  • Look at the web address in your browser to confirm it starts with HTTPS. These connections add security to your data transfers and help prevent data scraping. 
  • Use two-factor authentication when authenticating into important accounts. 
  • In addition to your password/username combo, you’re asked to verify who you are with something that you – and only you — own, such as a mobile phone. Put simply: it uses two factors to confirm it’s you. 
  • Practice safe password hygiene, don’t use the same passwords across your accounts and especially not for accessing your health information 
  • A password manager is a great way to organize and generate keys for your login.  

The shift to managing our health online comes with a few safety considerations, but by following the steps above, we can enjoy convenience and access to a healthier life online and off. 

Stay Updated  

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to ournewsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.   

The post How to Make Telehealth Safer for a More Convenient Life Online appeared first on McAfee Blogs.

]]>
Time to Batten the Cyber-Hatches https://www.mcafee.com/blogs/other-blogs/executive-perspectives/time-to-batten-the-cyber-hatches/ Fri, 09 Jul 2021 15:56:16 +0000 /blogs/?p=124688

We all like to think we’d know what to do if an emergency should occur. In split seconds, we try to...

The post Time to Batten the Cyber-Hatches appeared first on McAfee Blogs.

]]>

We all like to think we’d know what to do if an emergency should occur. In split seconds, we try to recall the ratio of chest compressions to breaths of air learned in bygone health classes or that summer spent lifeguarding. We recognize the importance of a “to go” bag those final few days of pregnant pauses and false alarms before a baby arrives. We have seen enough television shows and cooking competitions to know Gordon Ramsey or Guy Fieri will be the first to scold us if we try to put out an erupted kitchen grease fire with anything other than salt and smothering.  

We pick up a fair amount of knowledge and traits along the way to employ should disaster strike – and we absolutely take necessary precautions if we are knowingly in harm’s way. For example, those that live within a fault line’s reach are apt to prefer housing with stronger foundations and reinforced windowpanes. If you choose to live close to the warm waters of the Atlantic Ocean’s “hurricane alley,” you most likely know the fastest route to a causeway. An underground storm shelter to escape a tornado’s wily path can certainly come in handy.  

We are taught that “hindsight is 20/20,” and that harboring regret is top on the list of feelings to avoid most throughout life. We obey the mantra many scouts learn in youth – being prepared – to the best of our ability. While earth’s natural disasters may never be preventable, it is clear preparation and readiness to face the inevitable can be a key differentiator when it comes to damage that can be incurred.  

So far in 2021, we have witnessed major infrastructure impairments, interrupted supply chains, and havoc wreaked on local and federal economies.  

This did not happen due to volcanic eruptions, tsunamis, nor mudslides, but rather through security breaches and attacks. And despite headlines shouting and nearly every security vendor urging enterprises the world over that cyberattacks are posed to continue to increase both in frequency and sophistication, especially ransomware threats, organizations have more often than not found themselves on the receiving end of hindsight and regret when it comes to these man-made, modern-day disasters.  

So, the question begs to be asked, if the damages mentioned above could have been lessened or avoided through preparation and readiness, why is it still so difficult for CISOs to convince the c-suite that it’s better to be prepared for cyber-disaster, than sorry? 

Coulda, Woulda, Shoulda 

Staying safe and secure is the main goal in any disaster or emergency, but another less-talked-about goal is obviously to avoid what could have been prevented. The phrase, “I told you so,” will never land softly or kindly, especially when you are left surveying the ravaged ruins of what is left in the aftermath.  

Many CISOs and SOC workers have encountered this situation recently, mentally kicking themselves or expressing frustration analyzing and evaluating breaches or attacks after they have occurred. Of course, the vulnerabilities are crystal clear when security experts look back on what happened, but muddy and missed when they play out in real time.  

Scientists will inform us when a volcanic eruption may be imminent; a tornado will be prefaced with a loud siren meant to be heard throughout the county or immediate area; we often see tropical storms gain momentum and destructive qualities far before they transition to hurricanes and make landfall. This is to say, when it comes to natural disasters, they’re going to happen regardless, but damage prevention is dependent on prediction and experience.  

Carefully measured and monitored gaseous pressure under the earth’s surface will indicate when a volcano may be imminent. Because of this, volcanologists can attempt to forewarn residents to vacate an area before disaster hits. This outcome is expected, and systems and processes are in place to thwart damage as much as possible. I imagine along with scientists; we’d be quite surprised if a volcano suddenly started spewing mass quantities of water instead of magma and ash. 

We rely on patterns from previous incidents when it comes to geological acts of nature, but in the cybersecurity industry, disasters are man-made, and progressively more dangerous – created with motive, intent, and intelligence. 

With cybercriminals, attacks have been unpredictable and indiscriminate. They are infiltrating via multiple attack vectors; sitting unknowingly across networks and systems, leeching data from an organization; and altering entire courses of business as resources are used to bring systems back online, determine causes, and quickly implement solutions. In short, cybercriminals are serving up water when we expect magma nearly every single time and enterprises are struggling to keep up.   

XDR Is a Must for Readiness Kits 

The rulebook of what can be planned for and prevented has narrowed. Enterprises need to adopt an updated mindset, knowing that like a natural disaster, damage prevention from a cyber-disaster is dependent on prediction and experience.  

We are going to continue to get water when we expect magma, flames when we’re on the lookout for floods, and harsh winds when we anticipate rumbles. Powered by human intelligence, cybercriminals will continue to evolve threats, it will just be a matter of who can stay one step ahead – the good guys or the bad guys. The only constant isn’t a matter of if an attack will happen, but when.  

A movement toward proactivity instead of reactivity when addressing a breach or attack after it occurs is crucial against today’s cybercriminals. Organizations must recognize that no industry is immune to cybercriminals and get a better handle on SOC functions and processes, and control over where data travels and lies.  

This can mean a massive overhaul of a security stack to streamline solutions and expose manual or siloed processes that can lead to hidden vulnerabilities, evaluating security staff and talent to create better efficiencies, or embracing AI-guided tactics to automate activities and provide quick, actionable next steps should a breach occur.  

Early adopters of extended detection and response (XDR) technology are already seeing the benefits this proactivity can hold. The simple, unified visualization XDR provides is a strong vantage point for enterprises seeking greater situational awareness, enhanced insights, and faster time to remediate threats across all vectors from endpoint, network, and the cloud.  

Today, the warning siren that disaster is forthcoming has been sounding for a while. Enterprises need to take heed of the alarm to thwart as much damage as possible, as like natural disasters, a cyber-disaster can lead to massive destruction and upheaval.  

Want to learn more about McAfee’s XDR technology? Check out McAfee MVISION XDR 

The post Time to Batten the Cyber-Hatches appeared first on McAfee Blogs.

]]>
The Future of Mobile in a Post-COVID World & How to Stay Secure https://www.mcafee.com/blogs/consumer/mobile-and-iot-security/the-future-of-mobile-in-a-post-covid-world-how-to-stay-secure/ Fri, 09 Jul 2021 12:53:18 +0000 /blogs/?p=124270

The COVID-19 pandemic forced many of us to quickly adjust to the new normal — case and point,  admitted that...

The post The Future of Mobile in a Post-COVID World & How to Stay Secure appeared first on McAfee Blogs.

]]>

The COVID-19 pandemic forced many of us to quickly adjust to the new normal — case and point,  admitted that they switched to digital activities like online banking, social networking, and online shopping in 2020 out of convenience. Research now shows that consumers’ reliance on this technology is here to stay. PwC found that 44% of global consumers now shop more using their smartphones compared to when COVID-19 began. While having the world at your fingertips is convenient, how does this digital lifestyle change expose users to cyber threats, especially attacks on mobile devices?  

It’s no secret that cybercriminals tend to manipulate their attacks based on the current trends set by technology users. As you reflect on how increased connectivity affected your everyday life, it’s important to ask yourself what could be lurking in the shadows while using your mobile devices. With more of us relying on our devices there’s plenty of opportunities for hackers. This begs the question, what does mobile security look like in a post-pandemic world?  

Mobile Security Challenges in the New Normal  

In addition to the increased adoption of digital devices, we had to figure out how to live our best lives online – from working from home to distance learning to digitally connecting with loved ones.  And according to McAfee’s 2021 Consumer Security Mindset Report, these online activities will remain a key part of consumers’ post-pandemic routines. But more time spent online interacting with various apps and services simultaneously increases your chance of exposure to cybersecurity risks and threats. Unsurprisingly, cybercriminals were quick to take advantage of this increase in connectivity. McAfee Labs saw an average of 375 new threats per minute and a surge of cybercriminals exploiting the pandemic through COVID-19 themed phishing campaigns, malicious apps, malware, and more. New mobile malware also increased by 71%, with total malware growing nearly 12% from July 2019 to July 2020. As consumers continue to rely on their mobile devices to complete various tasks, they will also need to adapt their security habits to accommodate for more time spent online.  

The Future of Mobile Security: Tips for Staying Secure 

Here at McAfee, we recognize that the way you and your family live your digital lives has changed. We want to help empower you to protect your online security in your hyper-connected lifestyle. To help provide greater peace of mind while using your mobile devices, follow these tips to help safeguard your security.  

1. Protect your mobile devices with a password, PIN, or facial recognition.  

When setting up a new device or online account, always change the default credentials to a password or passphrase that is strong and unique. Using different passwords or passphrases for each of your online accounts helps protect the majority of your data if one of your accounts becomes vulnerable. If you are worried about forgetting your passwords, subscribe to a password management tool that will remember them for you.  

Remember to physically lock your mobile devices with a security code or using facial recognition as well. This prevents a criminal from unlocking your device and uncovering your personally identifiable information in the event that your phone or laptop is stolen.  

2. Use multi-factor authentication.  

Multi-factor authentication provides an extra layer of security, as it requires multiple forms of verification like texting or emailing a secure code to verify your identity. Most popular online sites like Gmail, Dropbox, LinkedIn, Facebook, etc. offer multi-factor authentication, and it takes just a few minutes to set it up. This reduces the risk of successful impersonation by hackers who may have uncovered your credentials.  

3. Connect to a VPN.  

Hackers tend to lurk in the shadows on public Wi-Fi networks to catch unsuspecting users looking for free internet access on their mobile devices. If you have to conduct transactions on a public Wi-Fi network, use a virtual private network (VPN) like McAfee® Safe Connect to help keep you safe while you’re online.  

4. Be wary of SMiShing scams.  

Be skeptical of text messages claiming to be from companies with peculiar asks or information that seems too good to be true. Instead of clicking on a link within the text, it’s best to go straight to the organization’s website to check your account status or contact customer service.  

Some cybercriminals send texts from internet services to hide their identities. Combat this by using the feature on your mobile device that blocks texts sent from the internet or unknown users. For example, you can disable all potential spam messages from the Messages app on an Android device by navigating to Settings, clicking on “Spam protection,” and turning on the “Enable spam protection” switch. Learn more about how you can block robotexts and spam messages on your device. 

5. Use a mobile security solution.  

Prepare your mobile devices for any threat coming their way. To do just that, cover these devices with an extra layer of protection via a mobile security solution, such as McAfee Mobile Security.  

COVID-19 changed our relationships with our digital devices, but that does not mean we have to compromise our online security for convenience. Incorporating these tips into your everyday life can help ward off mobile cyber threats and stay a step ahead of hackers.  

Stay Updated 

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.  

The post The Future of Mobile in a Post-COVID World & How to Stay Secure appeared first on McAfee Blogs.

]]>
Hancitor Making Use of Cookies to Prevent URL Scraping https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hancitor-making-use-of-cookies-to-prevent-url-scraping/ Thu, 08 Jul 2021 22:15:53 +0000 /blogs/?p=124639 Consejos para protegerte de quienes intentan hackear tus correos electrónicos

This blog was written by Vallabh Chole & Oliver Devane Over the years, the cybersecurity industry has seen many threats...

The post Hancitor Making Use of Cookies to Prevent URL Scraping appeared first on McAfee Blogs.

]]>
Consejos para protegerte de quienes intentan hackear tus correos electrónicos

This blog was written by Vallabh Chole & Oliver Devane

Over the years, the cybersecurity industry has seen many threats get taken down, such as the Emotet takedown in January 2021. It doesn’t usually take long for another threat to attempt to fill the gap left by the takedown. Hancitor is one such threat.

Like Emotet, Hancitor can send Malspams to spread itself and infect as many users as possible. Hancitor’s main purpose is to distribute other malware such as FickerStealer, Pony, CobaltStrike, Cuba Ransomware and Zeppelin Ransomware. The dropped Cobalt Strike beacons can then be used to move laterally around the infected environment and also execute other malware such as ransomware.

This blog will focus on a new technique used by Hancitor created to prevent crawlers from accessing malicious documents used to download and execute the Hancitor payload.

The infection flow of Hancitor is shown below:

A victim will receive an email with a fake DocuSign template to entice them to click a link. This link leads him to feedproxy.google.com, a service that works similar to an RSS Feed and enables site owners to publish site updates to its users.

When accessing the link, the victim is redirected to the malicious site. The site will check the User-Agent of the browser and if it is a non-Windows User-Agent the victim will be redirected to google.com.

If the victim is on a windows machine, the malicious site will create a cookie using JavaScript and then reload the site.

The code to create the cookie is shown below:

The above code will write the Timezone to value ‘n’ and the time offset to UTC in value ‘d’ and set it into cookie header for an HTTP GET Request.

For example, if this code is executed on a machine with timezone set as BST the values would be:

d = 60

n = “Europe/London”

These values may be used to prevent further malicious activity or deploy a different payload depending on geo location.

Upon reloading, the site will check if the cookie is present and if it is, it will present them with the malicious document.

A WireShark capture of the malicious document which includes the cookie values is shown below:

The document will prompt them to enable macros and, when enabled, it will download the Hancitor DLL and then load it with Rundll32.

Hancitor will then communicate with its C&C and deploy further payloads. If running on a Windows domain, it will download and deploy a Cobalt Strike beacon.

Hancitor will also deploy SendSafe which is a spam module, and this will be used to send out malicious spam emails to infect more victims.

Conclusion

With its ability to send malicious spam emails and deploy Cobalt Strike beacons, we believe that Hancitor will be a threat closely linked to future ransomware attacks much like Emotet was. This threat also highlights the importance of constantly monitoring the threat landscape so that we can react quickly to evolving threats and protect our customers from them.

IOCs, Coverage, and MITRE

IOCs

IOC Type IOC Coverage Content Version
Malicious Document SHA256 e389a71dc450ab4077f5a23a8f798b89e4be65373d2958b0b0b517de43d06e3b W97M/Dropper.hx

 

4641
Hancitor DLL SHA256 c703924acdb199914cb585f5ecc6b18426b1a730f67d0f2606afbd38f8132ad6

 

Trojan-Hancitor.a 4644
Domain hosting Malicious Document URL http[:]//onyx-food[.]com/coccus.php RED N/A
Domain hosting Malicious Document

 

URL http[:]//feedproxy[.]google[.]com/~r/ugyxcjt/~3/4gu1Lcmj09U/coccus.php RED N/A

Mitre

Technique ID Tactic Technique details
T1566.002 Initial Access Spam mail with links
T1204.001 Execution User Execution by opening link.
T1204.002 Execution Executing downloaded doc
T1218 Defence Evasion Signed Binary Execution Rundll32
T1055 Defence Evasion Downloaded binaries are injected into svchost for execution
T1482 Discovery Domain Trust Discovery
T1071 C&C HTTP protocol for communication
T1132 C&C Data is base64 encoded and xored

 

 

The post Hancitor Making Use of Cookies to Prevent URL Scraping appeared first on McAfee Blogs.

]]>
Zloader With a New Infection Technique https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/ Thu, 08 Jul 2021 21:44:57 +0000 /blogs/?p=124564

This blog was written by Kiran Raj & Kishan N. Introduction In the last few years, Microsoft Office macro malware...

The post Zloader With a New Infection Technique appeared first on McAfee Blogs.

]]>

This blog was written by Kiran Raj & Kishan N.

Introduction

In the last few years, Microsoft Office macro malware using social engineering as a means for malware infection has been a dominant part of the threat landscape. Malware authors continue to evolve their techniques to evade detection. These techniques involve utilizing macro obfuscation, DDE, living off the land tools (LOLBAS), and even utilizing legacy supported XLS formats.

McAfee Labs has discovered a new technique that downloads and executes malicious DLLs (Zloader) without any malicious code present in the initial spammed attachment macro. The objective of this blog is to cover the technical aspect of the newly observed technique.

Infection map

Threat Summary

  • The initial attack vector is a phishing email with a Microsoft Word document attachment.
  • Upon opening the document, a password-protected Microsoft Excel file is downloaded from a remote server.
  • The Word document Visual Basic for Applications (VBA) reads the cell contents of the downloaded XLS file and writes into the XLS VBA as macros.
  • Once the macros are written to the downloaded XLS file, the Word document sets the policy in the registry to Disable Excel Macro Warning and calls the malicious macro function dynamically from the Excel file,
  • This results in the downloading of the Zloader payload. The Zloader payload is then executed by rundll32.exe.

The section below contains the detailed technical analysis of this technique.

Detailed Technical Analysis

Infection Chain

The malware arrives through a phishing email containing a Microsoft Word document as an attachment. When the document is opened and macros are enabled, the Word document, in turn, downloads and opens another password-protected Microsoft Excel document.

After downloading the XLS file, the Word VBA reads the cell contents from XLS and creates a new macro for the same XLS file and writes the cell contents to XLS VBA macros as functions.

Once the macros are written and ready, the Word document sets the policy in the registry to Disable Excel Macro Warning and invokes the malicious macro function from the Excel file. The Excel file now downloads the Zloader payload. The Zloader payload is then executed using rundll32.exe.

Figure-1: flowchart of the Infection chain

Word Analysis

Here is how the face of the document looks when we open the document (figure 2). Normally, the macros are disabled to run by default by Microsoft Office. The malware authors are aware of this and hence present a lure image to trick the victims guiding them into enabling the macros.

Figure-2: Image of Word Document Face

The userform combo-box components present in the Word document stores all the content required to connect to the remote Excel document including the Excel object, URL, and the password required to open the Excel document. The URL is stored in the Combobox in the form of broken strings which will be later concatenated to form a complete clear string.

Figure-3: URL components (right side) and the password to open downloaded Excel document (“i5x0wbqe81s”) present in user-form components.

VBA Macro Analysis of Word Document

Figure-4: Image of the VBA editor

In the above image of macros (figure 4), the code is attempting to download and open the Excel file stored in the malicious domain. Firstly, it creates an Excel application object by using CreateObject() function and reading the string from Combobox-1 (ref figure-2) of Userform-1 which has the string “excel. Application” stored in it. After creating the object, it uses the same object to open the Excel file directly from the malicious URL along with the password without saving the file on the disk by using Workbooks.Open() function.

Figure-5: Word Macro code that reads strings present in random cells in Excel sheet.

 

The above snippet (figure 5) shows part of the macro code that is reading the strings from the Excel cells.

For Example:

Ixbq = ifk.sheets(3).Cells(44,42).Value

The code is storing the string present in sheet number 3 and the cell location (44,42) into the variable “ixbq”. The Excel.Application object that is assigned to variable “ifk” is used to access sheets and cells from the Excel file that is opened from the malicious domain.

In the below snippet (figure 6), we can observe the strings stored in the variables after being read from the cells. We can observe that it has string related to the registry entry “HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\AccessVBOM” that is used to disable trust access for VBA into Excel and the string “Auto_Open3” that is going to be the entry point of the Excel macro execution.

We can also see the strings “ThisWorkbook”, “REG_DWORD”, “Version”, “ActiveVBProject” and few random functions as well like “Function c4r40() c4r40=1 End Function”. These macro codes cannot be detected using static detection since the content is formed dynamically on run time.

Figure-6: Value of variables after reading Excel cells.

After extracting the contents from the Excel cells, the parent Word file creates a new VBA module in the downloaded Excel file by writing the retrieved contents. Basically, the parent Word document is retrieving the cell contents and writing them to XLS macros.

Once the macro is formed and ready, it modifies the below RegKey to disable trust access for VBA on the victim machine to execute the function seamlessly without any Microsoft Office Warnings.

HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\AccessVBOM

After writing macro contents to Excel file and disabling the trust access, function ’Auto_Open3()’ from newly written excel VBA will be called which downloads zloader dll from the ‘hxxp://heavenlygem.com/22.php?5PH8Z’ with extension .cpl

Figure-7: Image of ’Auto_Open3()’ function

The downloaded dll is saved in %temp% folder and executed by invoking rundll32.exe.

Figure-8: Image of zloader dll invoked by rundll32.exe

Command-line parameter:

Rundll32.exe shell32.dll,Control_RunDLL “<path downloaded dll>”

Windows Rundll32 commands loads and runs 32-bit DLLs that can be used for directly invoking specified functions or used to create shortcuts. In the above command line, the malware uses “Rundll32.exe shell32.dll,Control_RunDLL” function to invoke control.exe (control panel) and passes the DLL path as a parameter, therefore the downloaded DLL is executed by control.exe.

Excel Document Analysis:

The below image (figure 9) is the face of the password-protected Excel file that is hosted on the server. We can observe random cells storing chunks of strings like “RegDelete”, “ThisWorkbook”, “DeleteLines”, etc.

These strings present in worksheet cells are formed as VBA macro in the later stage.

Figure-9: Image of Remote Excel file.

Coverage and prevention guidance:

McAfee’s Endpoint products detect this variant of malware and files dropped during the infection process.

The main malicious document with SHA256 (210f12d1282e90aadb532e7e891cbe4f089ef4f3ec0568dc459fb5d546c95eaf) is detected with V3 package version – 4328.0 as “W97M/Downloader.djx”.  The final Zloader payload with SHA-256 (c55a25514c0d860980e5f13b138ae846b36a783a0fdb52041e3a8c6a22c6f5e2)which is a DLL is detected by signature Zloader-FCVPwith V3 package version – 4327.0

Additionally, with the help of McAfee’s Expert rule feature, customers can strengthen the security by adding custom Expert rules based on the behavior patterns of the malware. The below EP rule is specific to this infection pattern.

McAfee advises all users to avoid opening any email attachments or clicking any links present in the mail without verifying the identity of the sender. Always disable the macro execution for Office files. We advise everyone to read our blog on this new variant of Zloader and its infection cycle to understand more about the threat.

Different techniques & tactics are used by the malware to propagate and we mapped these with the MITRE ATT&CK platform.

  • E-mail Spear Phishing (T1566.001): Phishing acts as the main entry point into the victim’s system where the document comes as an attachment and the user enables the document to execute the malicious macro and cause infection. This mechanism is seen in most of the malware like Emotet, Drixed, Trickbot, Agenttesla, etc.
  • Execution (T1059.005): This is a very common behavior observed when a malicious document is opened. The document contains embedded malicious VBA macros which execute code when the document is opened/closed.
  • Defense Evasion (T1218.011): Execution of signed binary to abuse Rundll32.exe and to proxy execute the malicious code is observed in this Zloader variant. This tactic is now also part of many others like Emotet, Hancitor, Icedid, etc.
  • Defense Evasion (T1562.001): In this tactic, it Disables or Modifies security features in Microsoft Office document by changing the registry keys.

IOC

Type Value Scanner Detection Name Detection Package Version (V3)
Main Word Document 210f12d1282e90aadb532e7e891cbe4f089ef4f3ec0568dc459fb5d546c95eaf ENS W97M/Downloader.djx 4328
Downloaded dll c55a25514c0d860980e5f13b138ae846b36a783a0fdb52041e3a8c6a22c6f5e2 ENS Zloader-FCVP 4327
URL to download XLS hxxp://heavenlygem.com/11.php WebAdvisor

 

Blocked N/A
URL to download dll hxxp://heavenlygem.com/22.php?5PH8Z WebAdvisor

 

Blocked N/A

Conclusion

Malicious documents have been an entry point for most malware families and these attacks have been evolving their infection techniques and obfuscation, not just limiting to direct downloads of payload from VBA, but creating agents dynamically to download payload as we discussed in this blog. Usage of such agents in the infection chain is not only limited to Word or Excel, but further threats may use other living off the land tools to download its payloads.

Due to security concerns, macros are disabled by default in Microsoft Office applications. We suggest it is safe to enable them only when the document received is from a trusted source.

The post Zloader With a New Infection Technique appeared first on McAfee Blogs.

]]>
Microsoft Urges Customers to Update Windows as Soon as Possible https://www.mcafee.com/blogs/consumer/cyberthreat-news/microsoft-urges-customers-to-update-windows-as-soon-as-possible/ Thu, 08 Jul 2021 20:35:33 +0000 /blogs/?p=124555 Zero day vulnerability

What happened   Microsoft has shipped an emergency security update affecting most Windows users. This update partially addresses a security vulnerability known as PrintNightmare that could allow...

The post Microsoft Urges Customers to Update Windows as Soon as Possible appeared first on McAfee Blogs.

]]>
Zero day vulnerability

What happened  

Microsoft has shipped an emergency security update affecting most Windows users. This update partially addresses a security vulnerability known as PrintNightmare that could allow remote hackers to take over your system.  

How does this affect you?  

PrintNightmare could allow hackers to gain control of your computer. This means hackers could perform malicious activities like installing their own apps, stealing your data, and creating new user accounts.  

How to fix the issue

Microsoft recommends Windows 10, 8.1, and 7 users update their computers through Windows Update as soon as possible. Note that an additional patch will likely be required to fully fix the issue, so expect another update prompt from Microsoft in the days to come. 

Additional protection 

For extra protection against malware that may result from a hack like this one, we recommend an all-in-one security solution, like McAfee Total Protection or McAfee LiveSafeIf a hacker takes advantage of the exploit and tries to install additional malware, McAfee Total Protection/LiveSafe can help protect against those attempts. Learn more about our online security products here. 

An alternate solution for tech-savvy Windows users 

PrintNightmare exploits a vulnerability in the Windows Print Spooler service. The step-by-step instructions below will guide you through turning off the service to ensure hackers can no longer exploit the security flaw. The Print Spooler will remain off until the PC is rebooted.   

Step 1: Press the Windows key, and type Services, clicking on the Services App 

Zero Day Vulnerability

Step 2: Scroll down to the Print Spooler Service 

Zero Day Vulnerability

Step 3: Right-click on the Print Spooler Service and click Stop. 

Zero Day Vulnerability

Stay Updated   

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.   

The post Microsoft Urges Customers to Update Windows as Soon as Possible appeared first on McAfee Blogs.

]]>
Adding Security to Smartsheet with McAfee CASB Connect https://www.mcafee.com/blogs/enterprise/cloud-security/adding-security-to-smartsheet-with-mcafee-casb-connect/ Thu, 08 Jul 2021 15:00:13 +0000 /blogs/?p=124405

The Smartsheet enterprise platform has become an essential part of most organizations, as it has done much to transform the...

The post Adding Security to Smartsheet with McAfee CASB Connect appeared first on McAfee Blogs.

]]>

The Smartsheet enterprise platform has become an essential part of most organizations, as it has done much to transform the way customers conduct business and collaborate, with numerous services available to increase productivity and innovation. Within the McAfee customer base, customers had expressed their commitment to Smartsheet, but wanted to inject the security pedigree of McAfee to make their Smartsheet environments even stronger.

In June 2021, McAfee MVISION Cloud released support for Smartsheet – providing cornerstone CASB services to Smartsheet through the CASB Connect framework, which makes it possible to provide API-based security controls to cloud services, such as:

  • Data Loss Prevention (find and remediate sensitive data)
  • Activity Monitoring & Behavior Analytics (set baselines for user behavior)
  • Threat Detection (insider, compromised accounts, malicious/anomalous activities)
  • Collaboration Policies (assure sensitive data gets shared properly)
  • Device Access Policies (only authorized devices connect)

How does it work?

Utilizing the CASB Connect framework, McAfee MVISION Cloud becomes an authorized third party to a customer’s Smartsheet Event Reporting service. This is an API-based method for McAfee to ingest event/audit logs from Smartsheet.

These logs contain information about what activities occur in Smartsheet. This information has value; McAfee will see user logon activity, sheet creation, user creation activity, sheet updates, deletions, etc. Overall, over 120 unique items are stored in the activity warehouse where intelligence is inferred from it. When an inference is made (example: Insider Threat), the platform can show all the forensics data that lead to that conclusion. This provides value to the Smartsheet customer since it shows potential threats that could lead to data loss, either unintended by a well-meaning end-user or not.

Policies for content detection are another important use-case. Most McAfee customers will utilize Data Loss Prevention (DLP) across their endpoint devices as well as in the cloud utilizing policies that are important to them. Examples of DLP policies could be uncovering credit card numbers, health records, customer lists, specific intellectual property, price lists, and more. Each customer will have some kind of data that is critical for their business, a DLP policy can be crafted to support finding it.

In Smartsheet, when an event from the Event Reporting service is captured that relates to DLP – a field is updated, a file is uploaded, or a sheet is shared, the DLP service in MVISION Cloud will perform an inspection of the event. Should the content or sharing violate a policy, an incident will be raised with forensic details describing what user performed the action and why the violation was flagged. This is important for customers because it operationalizes security in Smartsheet and other cloud applications that MVISION Cloud protects. The same DLP policies can be utilized across all of their critical cloud services, including Smartsheet.

Lastly, MVISION Cloud integrates with most popular Identity Providers (IDP). Through standards-based authentication, MVISION Cloud can enforce policies such as location and device policies that assure that only authorized users connect to Smartsheet; for regulated industries this can be important to ensure no compliance issues are violated as they conduct business.

Summary

Smartsheet enterprise customers benefit significantly from MVISION Cloud’s support. Visibility of user activity, threats and sensitive data give users a chance to further entrench their business processes in a cloud app they want to use. Adding security tools to an enterprise platform like Smartsheet reduces overall risk and gives organizations the confidence to more deeply depend on their critical cloud services.

Next Steps:

Trying out Smartsheet and McAfee MVISION Cloud is easy. Contact McAfee directly at cloud@mcafee.com or visit resources related to this blog post:

 

 

The post Adding Security to Smartsheet with McAfee CASB Connect appeared first on McAfee Blogs.

]]>
The Ultimate Guide to Safe Sharing Online https://www.mcafee.com/blogs/consumer/consumer-cyber-awareness/the-ultimate-guide-to-safe-sharing-online/ Wed, 07 Jul 2021 13:01:57 +0000 /blogs/?p=124282 Safe Sharing

We live in a world that thrives on digital connectivity. According to We Are Social, Canadians are now spending half a day more...

The post The Ultimate Guide to Safe Sharing Online appeared first on McAfee Blogs.

]]>
Safe Sharing

We live in a world that thrives on digital connectivity. According to We Are Social, Canadians are now spending half a day more a month online than they did a year ago. Also, 33 million Canadians logged on to the internet at least once a month in 2020. As more people every year are spending hours upon hours online, they are knowingly (and sometimes unknowingly) unsafely releasing their personal information into the digital ether, making them vulnerable to all sorts of cybercrimes. The ramifications range anywhere from malware infection to identity fraud. Better understanding the best practices for online sharing will ensure users can navigate online dangers and safely connect with others. 

Here are three ways online users share too much information and how they are placing themselves at risk. 

1. Autosaving and Sharing Personal Details 

Think about how many websites you visit regularly. How many of these have access to your personal information, such as your email, credit card numbers, and shipping address? Before accepting the option to save your information on file for a “faster checkout experience,” consider the following: A Canadian Internet Registration Authority polled 500 IT security professionals, and a quarter of them experienced a breach of customer data in 2020. Online users cannot afford to take liberties with the information they hand over to online companies, especially if they subscribe to numerous sites.  

On a similar note, it is equally inadvisable to hand over information about yourself. Although seemingly harmless, online quizzes may not be as safe as you think. Some quiz questions sound more like security questions such as, “What was the first car you owned?” or “Where did you grow up?” Hackers using spyware can access these answers and anything else you enter on quiz sites to formulate informed guesses at your passwords.  

2. Oversharing on Social Media 

It may seem counterintuitive not to share information on social media, seeing as the purpose of these platforms is to share. However, the problem with social media is that too many people are leaving themselves exposed to hackers due to the specificity of the information they share. More than two-thirds of Canadians are on social media, according to Statista, meaning there are millions of user profiles and newsfeeds brimming with personal information. Specific information such as company details in a new job announcement or your birth date in a celebration post are details hackers can use to impersonate you or break into your accounts. Additionally, cybercriminals can impersonate people in your network or pose as average users and add you as a friend. Hackers will often use this tactic to get close to someone and gather intel to formulate a targeted phishing attempt or identity theft. 

While you can take proper precautions to safeguard your personal information, you cannot guarantee that others will do so with the same vigilance. Many do not realize there is more at stake than a loss of privacy when intentionally sharing information, usually login credentials, with others. If your friend you shared your password with is hacked, then a cybercriminal can now access your information as well as theirs. Cybercriminals can then use this information to break into your accounts, hold your data for ransom, and even steal your identity. 

How to Safely Share Online 

Knowing what is safe to share online and how to protect the information that is not is the first step to safeguarding your online presence. Here are four tips to consider before sharing your personal details on websites, social media, and with others: 

1. Verify website and online security 

Always err on the side of caution whenever you visit unknown sites or download applications on your devices. Be aware of what you click on, the ramifications of clicking on a malicious link, or handing over information on an unsecured website. One way to ensure you are visiting a secure website is to look for the padlock icon in the top left corner of your browser. This icon indicates the site and your connection are secure.  

Take your internet protection one step further and avoid saving your information on file. If possible, use an alternate payment gateway with verified encryption that does not require inputting your credit card information. This way, your data does not become a liability in the event of a company data breach.  

2. Rethink your privacy on social media 

There’s a fine line between sharing too much and sharing just enough on social media. Start taking control of your privacy on social media by adjusting your privacy settings. Unless you are an aspiring social media influencer, it is best to keep your account private and limit your followers to only people you know personally. Do not follow strangers and reject friend requests from strangers. They could turn out to be a hacker.  

Take advantage of platform security controls that allow you to control your visible information. For example, you can disable your activity status or geolocations to block other people from tracking your every move or manage the personal data these platforms are allowed to share. Keep in mind that any third-party app with access to these platforms will have varied privacy policies. Read the fine print on their user agreements, as these policies differ depending on the app.

 3. Use a VPN  

Before hopping online, consider using a virtual private network (VPN) to secure your connection. A VPN allows you to browse the internet with the confidence that your Wi-Fi and any sensitive information you send through this connection is encrypted. In other words, if a hacker intercepts this data, they won’t be able to make any sense of it. 

4. Leverage a reliable authentication system 

Enabling multi-factor authentication adds an extra layer of protection that makes it nearly impossible for hackers to bypass even if they do manage to steal your credentials.  

Also, make sure you create strong passwords or passphrases by following password best practices and ensuring they are long, complex, and varied. Use a password manager with a generator to help you create strong passwords and store them, so you do not have to memorize them. This method also makes it easier and more secure than saving passwords on internet browsers. Further, password managers, like McAfee True Key, make it easy to securely share your credentials with others. 

Prioritize Online Safety and Connectivity 

From social media to work to daily activities, peoples’ lives are centralized around their digital devices and online access. Users must learn to care for their information to the same degree one would manage their physical IDs or credit cards. Only then can they carry on their online activities, confident in the knowledge they are doing so securely.  

Stay Updated 

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post The Ultimate Guide to Safe Sharing Online appeared first on McAfee Blogs.

]]>
New Ryuk Ransomware Sample Targets Webservers https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-ryuk-ransomware-sample%e2%80%aftargets-webservers/ Wed, 07 Jul 2021 04:01:34 +0000 /blogs/?p=123847

Executive Summary Ryuk is a ransomware that encrypts a victim’s files and requests payment in Bitcoin cryptocurrency to release the...

The post New Ryuk Ransomware Sample Targets Webservers appeared first on McAfee Blogs.

]]>

Executive Summary

Ryuk is a ransomware that encrypts a victim’s files and requests payment in Bitcoin cryptocurrency to release the keys used for encryption. Ryuk is used exclusively in targeted ransomware attacks.

Ryuk was first observed in August 2018 during a campaign that targeted several enterprises. Analysis of the initial versions of the ransomware revealed similarities and shared source code with the Hermes ransomware. Hermes ransomware is a commodity malware for sale on underground forums and has been used by multiple threat actors.

To encrypt files Ryuk utilizes a combination of symmetric AES (256-bit) encryption and asymmetric RSA (2048-bit or 4096-bit) encryption. The symmetric key is used to encrypt the file contents, while the asymmetric public key is used to encrypt the symmetric key. Upon payment of the ransom the corresponding asymmetric private key is released, allowing the encrypted files to be decrypted.

Because of the targeted nature of Ryuk infections, the initial infection vectors are tailored to the victim. Often seen initial vectors are spear-phishing emails, exploitation of compromised credentials to remote access systems and the use of previous commodity malware infections. As an example of the latter, the combination of Emotet and TrickBot, have frequently been observed in Ryuk attacks.

Coverage and Protection Advice

Ryuk is detected as Ransom-Ryuk![partial-hash].

Defenders should be on the lookout for traces and behaviours that correlate to open source pen test tools such as winPEAS, Lazagne, Bloodhound and Sharp Hound, or hacking frameworks like Cobalt Strike, Metasploit, Empire or Covenant, as well as abnormal behavior of non-malicious tools that have a dual use. These seemingly legitimate tools (e.g., ADfind, PSExec, PowerShell, etc.) can be used for things like enumeration and execution. Subsequently, be on the lookout for abnormal usage of Windows Management Instrumentation WMIC (T1047). We advise everyone to check out the following blogs on evidence indicators for a targeted ransomware attack (Part1, Part2).

  • Looking at other similar Ransomware-as-a-Service families we have seen that certain entry vectors are quite common among ransomware criminals:
  • E-mail Spear phishing (T1566.001) often used to directly engage and/or gain an initial foothold. The initial phishing email can also be linked to a different malware strain, which acts as a loader and entry point for the attackers to continue completely compromising a victim’s network. We have observed this in the past with the likes of Trickbot & Ryuk or Qakbot & Prolock, etc.
  • Exploit Public-Facing Application (T1190) is another common entry vector, given cyber criminals are often avid consumers of security news and are always on the lookout for a good exploit. We therefore encourage organizations to be fast and diligent when it comes to applying patches. There are numerous examples in the past where vulnerabilities concerning remote access software, webservers, network edge equipment and firewalls have been used as an entry point.
  • Using valid accounts (T1078) is and has been a proven method for cybercriminals to gain a foothold. After all, why break the door down if you already have the keys? Weakly protected RDP access is a prime example of this entry method. For the best tips on RDP security, please see our blog explaining RDP security.
  • Valid accounts can also be obtained via commodity malware such as infostealers that are designed to steal credentials from a victim’s computer. Infostealer logs containing thousands of credentials can be purchased by ransomware criminals to search for VPN and corporate logins. For organizations, having a robust credential management and MFA on user accounts is an absolute must have.

When it comes to the actual ransomware binary, we strongly advise updating and upgrading endpoint protection, as well as enabling options like tamper protection and Rollback. Please read our blog on how to best configure ENS 10.7 to protect against ransomware for more details.

Summary of the Threat

Ryuk ransomware is used exclusively in targeted attacks

Latest sample now targets webservers

New ransom note prompts victims to install Tor browser to facilitate contact with the actors

After file encryption, the ransomware will print 50 copies of the ransom note on the default printer

Learn more about Ryuk ransomware, including Indicators of Compromise, Mitre ATT&CK techniques and Yara Rule, by reading our detailed technical analysis.

The post New Ryuk Ransomware Sample Targets Webservers appeared first on McAfee Blogs.

]]>
The Industry Applauds MVISION XDR – Turning Raves into Benefits https://www.mcafee.com/blogs/enterprise/security-operations/the-industry-applauds-mvision-xdr-turning-raves-into-benefits/ Tue, 06 Jul 2021 15:00:56 +0000 /blogs/?p=124399

Do you usually read what critics say before deciding to see a movie or read a book? We believe these...

The post The Industry Applauds MVISION XDR – Turning Raves into Benefits appeared first on McAfee Blogs.

]]>

Do you usually read what critics say before deciding to see a movie or read a book? We believe these McAfee MVISION XDR reviews were worth the wait. But rather than simply share a few top-tier analyst blurbs with you, we’d like to walk through what these insights mean to our growing set of customers and how their sec operations will evolve with greater efficiencies.

Extended Detection and Response products, better known as XDR, not only extended the capabilities of EDR platforms, but according to Gartner[1] “ XDR products may be able to reduce the complexity of security configuration and incident response to provide a better security outcome than isolated best-of-breed components.”

Rave 1: Be more proactive vs reactive

Our Enterprise Security Manager (ESM)/SecOps team briefed a top-tier analyst firm on ESM product execution and the MVISION XDR platform in particular. His reaction to our use cases? “These are great and it is useful to have examples that cut across different events, which is illustrative more so than anything. The response to the cuts across various tools, and the proactive configuration aspect with the security score type analysis, is also pretty rare in this market.”

The takeaway: Preventing an incident is much better than cleaning up after the fact. MVISION XDR powered by MVISION Insights offers a unified security posture score from endpoint to cloud, delivering a more robust and comprehensive assessment across your environment. It allows you to drill down on specifics to enhance your security.

“The vendor has stolen a march on some of its competitors, at least in the short term, with this offering. A lot of vendors are aiming to get to an offering comprising threat intel + prioritization + recommendations + automation, but few if any have actually reached that point today.” – Omdia

Rave 2: Open to easily unite security

A top-tier analyst firm mentioned that many EDR vendors today call themselves “Open XDR” vendors, but they do not offer a fully effective XDR product. The analyst sees XDR as a significant opportunity for McAfee to expand the breadth of our product portfolio.

The takeaway: A fully effective XDR product unites security controls to detect and assess comprehensively and prevent erratic movement of advanced threats. A robust product portfolio with an integrated service offering from a platform vendor with a proven track record of integrating security (McAfee) is critical to achieve this.

Rave 3: Data-aware to prioritize organizational impact

Noted by a top-tier analyst firm, only McAfee and one other offers data-awareness in the XDR offering. This XDR capability alerts the analyst that the threat impact is targeted at sensitive data.

Rave 4: Automatic analysis across the vectors accelerate investigations and response

The takeaway: Many SOCs have siloed tools that hinders their ability to detect and respond quickly and appropriately. SOC’s must prioritize threat intelligence to rapidly make critical decisions.

Rave 5: Improving the SOC

A top-tier analyst firm believes the primary segments for XDR capabilities are in the three groups to solve problems: 1) Workspace 2) Network 3) Cloud workloads. Giving hardening guidance is good for customers, so any vulnerability exposure and threat scoring are good priorities for MVISION Insights.

The takeaway: McAfee MVISION XDR provides automation that eliminates many manual tasks but more importantly, it empowers SOC analysts to prioritize the threats that matter and stay ahead of adversaries.

Rave 6: Efficiently cloud-delivered

A top-tier analyst firm likes our product direction. “Where you’re going with XDR, and with the cloud console — that’s the way to go. It feels like we have crossed the Rubicon of cloud-delivered.”

The takeaway: By going cloud-native, MVISION XDR enables more efficient, better, and faster decisions with automated investigations driven by correlation analysis across multiple vectors. We can provide unified visibility and control of threats across endpoints, networks and the cloud.

To discover why McAfee MVISION XDR earns rave industry reviews, see our resources on XDR to evolve your security operations to be more efficient and effective.

Resource: [1] Gartner Innovation Insight for Extended Detection and Response, Peter Firstbrook, Craig Lawson , 8 April 2021

 

 

 

The post The Industry Applauds MVISION XDR – Turning Raves into Benefits appeared first on McAfee Blogs.

]]>
Travel Smart: Protecting Your Family’s Smartphones While on Vacation https://www.mcafee.com/blogs/consumer/mobile-and-iot-security/travel-smart-protecting-your-familys-smartphones-while-on-vacation/ Tue, 06 Jul 2021 13:50:39 +0000 /blogs/?p=123979

Families are hitting the road again. And it’s absolutely no surprise that they’re taking their smartphones with them. Perhaps what is surprising is that so many of them may be hitting the...

The post Travel Smart: Protecting Your Family’s Smartphones While on Vacation appeared first on McAfee Blogs.

]]>

Families are hitting the road again. And it’s absolutely no surprise that they’re taking their smartphones with them. Perhaps what is surprising is that so many of them may be hitting the road without any digital or mobile protection. 

Our recent research shows that 68% of people in the U.S. said that they’re planning to travel for leisure this year, slightly higher than the international average of 64%.1 However, our research also discovered that nearly half of them don’t use mobile security software to protect themselves or their smartphones.  

That lack of protection is a concern, particularly as our April 2021 Threats Report detected a more than 100% increase in attacks aimed at mobile devices. It makes sense that such is the case, as the pandemic led to increased adoption of online activities like banking, shopping, and even doctor visits via telemedicine—often straight from our smartphones.  

However, our smartphones can be as vulnerable as any other device (like our computers). Accordingly, with the volumes of valuable data that those activities create on our smartphones, cyber crooks were sure to follow.  

The good news is that you can indeed enjoy all of that mobile convenience without worry, even on vacation. No doubt many travelers will do some online banking or even some online food ordering while they’re out and about. Likewise, their kids will be online for stretches of that time too, whether it’s on chat apps like Snapchat, social media like Instagram and TikTok, games like Fortnite and Among Us, or streaming videos. Go ahead, do it all. Just make sure you’re protected before you hit the road.  

With that, add mobile protection to your packing list. I’ve put together a shortlist of straightforward things you can do that will help you and your kids stay safe online while on the road this summer.  

Quickly protect your smartphone 

  1. Protect your devices: Just as we’ve learned to protect our computers and laptops from threats, the same holds true for our smartphones and tablets. Whether you protect yours through a mobile security app or as part of the multi-device coverage that comes with your comprehensive security software, mobile protection can alert you of threats and unsecured networks while also adding in the protection of a VPN. 
  2. Use a VPN: A virtual private network (VPN) protects you in two ways. It increases security on public connections, and it increases the protection of your private information while you’re online—particularly important when you shop and bank. Strong VPN protection is a must when you connect to public Wi-Fi while traveling like at airports, hotels, and other vacation rentals where your online activity could be subject to prying eyes. 
  3. Lock up your devices: We talk a great deal about digital security, yet there’s also the physical security of your devices to consider too. After all, devices can get lost or stolen. Take steps to protect your devices by ensuring they’re locked with a PIN or other protection like facial recognition. For your apps, use two-factor authentication wherever possible for extra protection should your device end up in someone else’s hands. 
  4. Enable device tracking: Whether you do this through your phone’s operating system or through a mobile security app, this will help you quickly locate the device’s whereabouts. Additionally, enabling tracking can also give you the power to erase a phone’s data should you have reason to fear that it has really fallen into the wrong hands. 

Special travel advice for the kiddos 

While the tips above are great for the  whole family, the following additional steps are what you can take to protect your children even further:

Online Privacy

Review the location settings on the phone 

Tracking your child’s smartphone not only allows you to find it easily if it’s lost or stolen but can also put you at ease by knowing where your child is.  Yet it’s important to use location tracking selectively. Not every app needs location tracking to work as intended, even though many apps ask for permission to enable it. Go into the phone’s settings and disable the location features on an app-by-app basis.  For example, a weather app doesn’t need your child’s second-by-second location information to work properly, nor should a gaming app need it at all. Likewise, photos taken on a phone can embed location information that can be easily read when shared, revealing plenty about when and where it was taken. In all, enable the location services for only the most necessary of apps like maps. 

Use travel as a time to reset

Recent research shows that tweens spend nearly five hours on their screens each day, while teenagers push that up to more than seven hours a day. Some staycation time is a good time to pare back those hours and enjoy the local scenery, even if for a short stretch. You can use your travel time as well to re-establish your phone rules. That way, vacation stays entertaining but doesn’t affect the habits you set into effect back home. 

Keep tuned in 

Above and beyond security settings and software, there’s you. Get in the habit of talking with your child for a sense of what they’re doing online. As a mom, I like to ask them about their favorite games, share some funny TikTok clips or cute photos with them, and generally make it a point to be a part of their digital lives. It’s great, because it gives you peace of mind knowing what types of things they are doing or interactions they are having online. 

For those of you hitting the road in the coming weeks, enjoy your travels, wherever they take you! 

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.  

The post Travel Smart: Protecting Your Family’s Smartphones While on Vacation appeared first on McAfee Blogs.

]]>
Identity Protection Service: The Best Solution to a Growing Problem https://www.mcafee.com/blogs/consumer/mcafee-consumer-news/identity-protection-service-the-best-solution-to-a-growing-problem/ Mon, 05 Jul 2021 12:44:53 +0000 /blogs/?p=123811 identity protection

I’m about to tell you an extraordinary fact about cybercrime. Some of the most significant data breaches in internet history...

The post Identity Protection Service: The Best Solution to a Growing Problem appeared first on McAfee Blogs.

]]>
identity protection

I’m about to tell you an extraordinary fact about cybercrime. Some of the most significant data breaches in internet history weren’t after bank account numbers, cryptocurrency, or even credit card numbers. They were, in fact, after YOU. That’s right, the most valuable data on the internet is the data that comprises your identity. Let’s take a look at what that data is, how it gets leveraged by cybercriminals, and how you can get the online identity protection you deserve.  

Identity exposure in the news 

1 billion is a big number. In the case of a recent CVS database leak, reported on in June of this year, that’s how many user records were accidently released online, including details like email addresses and even searches about Covid vaccines. This is just one of the dozens of breaches that have occurred this year and will continue to happen as personally identifiable information becomes more valuable to cybercriminals. Just as remarkable as the huge volume of user data being exposed online is the speed with which compromised data is used by hackers online. Cybersecurity researchers recently discovered that cybercriminals access leaked or stolen credentials within 12 hours to exploit them as soon as possible. These circumstances beg the question, why has your personally identifiable information has become so valuable lately? 

Why your Personally Identifiable Information is worth so much to criminals online  

While the value of some information, like a credit card number, is obvious, you may think your name and date of birth aren’t that big of a deal. After all, it wasn’t so long ago that you could find all that information in a phone book. In fact, personally identifiable information (PII), also known as data used to identify a specific individual, is what many data breaches are after.   

Armed with just a mailing address, a phone number, and a date of birth, a cybercriminal can begin constructing a fake identity to take out loans and disguise many kinds of criminal activities. With a social security number and a few personal details from a social media account, they could take over a bank account. When it comes to your PII, any information is as good as gold to cybercriminals.  

Your PII may not be as safe as you think.

If our PII were treated like actual gold and held in a safe location like Fort Knox, I wouldn’t be writing this post. But in fact, it’s the currency we use to obtain many services in our connected lives. Social media sites are massive repositories of PII, and their access to our most personal details and the ability to sell it to marketers is the reason the service remains free. Free email services are the same. Now consider all the other accounts we may have created to, say, try out a streaming service for free, or even old accounts we no longer use. From that perspective, you can see how much of your data is being used by companies, may not be very well protected, and is a tempting target for cybercriminals. Fortunately, there are many things you can do to keep your identity safer online. 

Learn to spot a breach and to keep your identity safer

When it comes to protecting your PII, knowledge is power. Let’s start by identifying if you’ve been the target of a data breach. Here are a few tell-tale signs:  

  • You receive a bill for a credit card account that, though in your name, is not yours. This probably means a thief opened the account in your name.  
  • Unfamiliar purchases on your credit card, even tiny ones (crooks often start out with small purchases, and then escalate). Challenge even a $4 purchase.  
  • You receive a credit card or store card without having applied for one. If this happens, immediately contact the company.  
  • Your credit report has suspicious information, like inquiries for credit that you didn’t make.  
  • Collectors are calling you to collect payments you owe, but you owe nothing.  

Be stingy when it comes to PII 

Okay, now that you know the signs of a data breach, let’s look at how you can take action to protect yourself. The best way to avoid being the victim of identity theft is by limiting the amount of PII you provide. There are some easy ways to do this.   

1. Avoid giving out your social security number whenever possible

Only a few types of organizations legitimately need your social security number. These include: employers or when contracting with a business, group health insurance, financial and real estate transactions, applying for credit cards, car loans, and so forth.  

2. Stay away from online quizzes

Quizzes, social media games, and other kinds of interactive clickbait are often grifting pieces of your PII in a seemingly playful way. While you’re not giving up your SSN, you may be giving up things like your birthday, your pet’s name, your first car … things that people often use to compose their passwords or use as answers to common security questions on banking and financial sites.   

3. Watch out for phishing scams 

A phishing email poses as a real email from known or trusted brands and financial institutions. These emails attempt to trick you into sharing important information like your logins, account numbers, credit card numbers, and so on under the guise of providing customer service. Here are some more ways to spot a phishing email.  

4. Free yourself from PII worries with a new kind of identity protection

Clearly, we’re in a new era when it comes to securing our identities online. In response, McAfee has created a new kind of identity protection.  

We knew from the outset Identity Protection Service had to be proactive, holistic, and accessible. We also wanted it to follow the timeline for how cybercrime actually affects your identity.  When it comes to PII, the breach is just the first step for cybercriminals. The 10 months following a breach is when cybercriminals will use your PII to commit fraudulent acts using your data.   

To address this, your new Identity Protection Service will monitor more personally identifiable information than other leading competitors. It will alert you of stolen personal info an average of 10 months ahead of other monitoring services. And it’s accessible anywhere via mobile app, browser, and the web. 

In practice, McAfee’s Identity Protection Service protects all your online accounts by doing the following:   

  • Monitors your PII  
  • If detected, alerts you 
  • Offers quick and guided help to neutralize the threat  
  • Provides educational content to help prevent future issues  
  • Offers insurance and agent-assisted remediation, available for select plans 
identity protection identity protection

 

Enjoy your life online again with a holistic approach to security 

As we spend more of our lives online, we need an approach to security that reflects this new reality. Identity protection is part of it. VPN is part of it. Antivirus is part of it. They are all pieces of a puzzle that we solve with products like McAfee Total Protection. Our premier security service is comprehensive, affordable, and, with the new Identity Protection Service, an indispensable part of your life online. 

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post Identity Protection Service: The Best Solution to a Growing Problem appeared first on McAfee Blogs.

]]>
The Future of Mobile: Trends from Mobile World Congress 2021 https://www.mcafee.com/blogs/consumer/mobile-and-iot-security/the-future-of-mobile-trends-from-mobile-world-congress-2021/ Thu, 01 Jul 2021 12:30:37 +0000 /blogs/?p=124294 Mobile World Congress

Today we wrap up Mobile World Congress (MWC) 2021. Whether you joined online or attended the hybrid conference in person, one...

The post The Future of Mobile: Trends from Mobile World Congress 2021 appeared first on McAfee Blogs.

]]>
Mobile World Congress

Today we wrap up Mobile World Congress (MWC) 2021. Whether you joined online or attended the hybrid conference in person, one thing is certain: today’s groundbreaking technology is paving the way for our future connectivity. Fittingly, the theme of this year’s event was Connected Impact, representing the role mobile connectivity plays in an ever-changing world, where flexibility and adaptability are critical. Here are four of the key consumer takeaways from this year’s conference:   

1. 5G Is Connecting Our World  

COVID-19 truly put the power of online connectivity to the test. While 2020 was supposed to be the year of 5G connectivity, this was put on pause as the world faced social and financial uncertainty. Instead, the spotlight fell on legacy technologies to create a new normal for users. Consumers quickly had to figure out how to live their best lives online — from working from home to distance learning to digitally connecting with loved ones.  

To help foster online connectivity for all, 5G must step back into the spotlight. Although publicly available 5G networks have been around for two years, it is unlikely that many users see much of a difference between 5G and LTE. For users to feel the impact of 5G, mobile carriers must expand the frequencies at the low and high ends of the spectrum, which is where 5G networks operate.   

Qualcomm led the 5G announcements on Monday with the unveiling of its second-generation Qualcomm 5G RAN Platform for Small Cells (FSM200xx). This platform brings major enhancements to radio frequencies and is designed to take millimeter wave performance to more places: indoors, outdoors, and around the globe. According to Qualcomm, these advancements aim to facilitate greater mobile experiences and accelerate 5G performance and availability to users everywhere— thus reshaping opportunities for homes, hospitals, offices and more.  

2. New Wearables to Watch   

Technology and connectivity played a crucial role in our daily lives in 2020—and therefore, unsurprisingly, spending on health and wellness tech grew by 18.1%.  But now, we must ask ourselves what role technology will play post-lockdown.   

While they did not have a physical appearance at MWC this year, Samsung provided a sneak of their new wearables: they introduced the One UI Watch user experience, a new interface designed to make the Galaxy Watch and smartphone experience more deeply connected. Samsung also announced its expanded partnership with Google, promising to deliver better performance, longer battery life, and a larger ecosystem of apps to the Galaxy Watch. Although they did not unveil any hardware at MWC, Samsung did ensure that users can expect to see new devices like the Galaxy Z Fold 3 and the Galaxy Watch 4 at their Galaxy Unpacked event happening in July/August of 2021.  

3. A Welcomed Distraction: Tablets for Entertainment   

2020 also shone a bright light on the key role technology plays in the consumption and distribution of creative arts and entertainment. Lockdown put an even greater responsibility on streaming platforms — and the devices they are accessed on — to deliver content right to people’s homes. 

 To help meet entertainment consumption needs, Lenovo announced not one, not two, but five new Android tablets during MWC. Its largest tablet is the Yoga Tab 13, which features a built-in kickstand, 13-inch display with 2,160 x 1,350 resolution, up to 12 hours of battery life, and more. Lenovo is pitching this model as its “portable home cinema,” perfect for streaming on the go. It also unveiled the Yoga Tab 11 and the Tab P11 Plus, which are expected to be available in EMEA in July following the Yoga Tab 13’s June release date. For users hoping for a more compact, budget-friendly device, Lenovo also announced the Lenovo Tab M8 and the Lenovo Tab M7. Whichever model you select, one thing it certain — digital devices have and will continue to be instrumental in consumer entertainment.   

4. Mobile Security in a More Connected World  

These exciting announcements are a great representation of what the future holds for mobile technology and greater connectivity. The advancements in mobile connectivity have already made a positive impact on consumer lifestyles, but the rise in popularity of these devices has also caught the attention of cybercriminals looking to exploit consumers’ reliance on this technology.   

More time spent online interacting with various apps and services simultaneously increases your chance of exposure to cybersecurity risks and threats. Unsurprisingly, cybercriminals were quick to take advantage of the increase in connectivity throughout 2020. McAfee Labs saw an average of 375 new threats per minute and a surge of hackers exploiting the pandemic through COVID-19 themed phishing campaigns, malicious apps, malware and more. For users to continue to live a connected life, they will need to take greater care of their online safety and ensure that security is top-of-mind in any given situation. Taking these precautions will provide greater peace of mind in the new mobile-driven world.   

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post The Future of Mobile: Trends from Mobile World Congress 2021 appeared first on McAfee Blogs.

]]>
Fuzzing ImageMagick and Digging Deeper into CVE-2020-27829 https://www.mcafee.com/blogs/other-blogs/mcafee-labs/fuzzing-imagemagick-and-digging-deeper-into-cve-2020-27829/ Wed, 30 Jun 2021 15:00:42 +0000 /blogs/?p=124102

Introduction: ImageMagick is a hugely popular open source software that is used in lot of systems around the world. It...

The post Fuzzing ImageMagick and Digging Deeper into CVE-2020-27829 appeared first on McAfee Blogs.

]]>

Introduction:

ImageMagick is a hugely popular open source software that is used in lot of systems around the world. It is available for the Windows, Linux, MacOS platforms as well as Android and iOS. It is used for editing, creating or converting various digital image formats and supports various formats like PNG, JPEG, WEBP, TIFF, HEIC and PDF, among others.

Google OSS Fuzz and other threat researchers have made ImageMagick the frequent focus of fuzzing, an extremely popular technique used by security researchers to discover potential zero-day vulnerabilities in open, as well as closed source software. This research has resulted in various vulnerability discoveries that must be addressed on a regular basis by its maintainers. Despite the efforts of many to expose such vulnerabilities, recent fuzzing research from McAfee has exposed new vulnerabilities involving processing of multiple image formats, in various open source and closed source software and libraries including ImageMagick and Windows GDI+.

Fuzzing ImageMagick:

Fuzzing open source libraries has been covered in a detailed blog “Vulnerability Discovery in Open Source Libraries Part 1: Tools of the Trade” last year. Fuzzing ImageMagick is very well documented, so we will be quickly covering the process in this blog post and will focus on the root cause analysis of the issue we have found.

Compiling ImageMagick with AFL:

ImageMagick has lot of configuration options which we can see by running following command:

$./configure –help

We can customize various parameters as per our needs. To compile and install ImageMagick with AFL for our case, we can use following commands:

$CC=afl-gcc CXX=afl=g++ CFLAGS=”-ggdb -O0 -fsanitize=address,undefined -fno-omit-frame-pointer” LDFLAGS=”-ggdb -fsanitize=address,undefined -fno-omit-frame-pointer” ./configure

$ make -j$(nproc)

$sudo make install

This will compile and install ImageMagick with AFL instrumentation. The binary we will be fuzzing is “magick”, also known as “magick tool”. It has various options, but we will be using its image conversion feature to convert our image from one format to another.

A simple command would be include the following:

$ magick <input file> <output file>

This command will convert an input file to an output file format. We will be fuzzing this with AFL.

Collecting Corpus:

Before we start fuzzing, we need to have a good input corpus. One way of collecting corpus is to search on Google or GitHub. We can also use existing test corpus from various software. A good test corpus is available on the  AFL site here: https://lcamtuf.coredump.cx/afl/demo/

Minimizing Corpus:

Corpus collection is one thing, but we also need to minimize the corpus. The way AFL works is that it will instrument each basic block so that it can trace the program execution path. It maintains a shared memory as a bitmap and it uses an algorithm to check new block hits. If a new block hit has been found, it will save this information to bitmap.

Now it may be possible that more than one input file from the corpus can trigger the same path, as we have collected sample files from various sources, we don’t have any information on what paths they will trigger at the runtime. If we use this corpus without removing such files, then we end up wasting time and CPU cycles. We need to avoid that.

Interestingly AFL offers a utility called “afl-cmin” which we can use to minimize our test corpus. This is a recommended thing to do before you start any fuzzing campaign. We can run this as follows:

$afl-cmin -i <input directory> -o <output directory> — magick @@ /dev/null

This command will minimize the input corpus and will keep only those files which trigger unique paths.

Running Fuzzers:

After we have minimized corpus, we can start fuzzing. To fuzz we need to use following command:

$afl-fuzz -i <mincorpus directory> -o <output directory> — magick @@ /dev/null

This will only run a single instance of AFL utilizing a single core. In case we have multicore processors, we can run multiple instances of AFL, with one Master and n number of Slaves. Where n is the available CPU cores.

To check available CPU cores, we can use this command:

$nproc

This will give us the number of CPU cores (depending on the system) as follows:

In this case there are eight cores. So, we can run one Master and up to seven Slaves.

To run master instances, we can use following command:

$afl-fuzz -M Master -i <mincorpus directory> -o <output directory> — magick @@ /dev/null

We can run slave instances using following command:

$afl-fuzz -S Slave1 -i <mincorpus directory> -o <output directory> — magick @@ /dev/null

$afl-fuzz -S Slave2 -i <mincorpus directory> -o <output directory> — magick @@ /dev/null

The same can be done for each slave. We just need to use an argument -S and can use any name like slave1, slave2, etc.

Results:

Within a few hours of beginning this Fuzzing campaign, we found one crash related to an out of bound read inside a heap memory. We have reported this issue to ImageMagick, and they were very prompt in fixing it with a patch the very next day. ImageMagick has release a new build with version: 7.0.46 to fix this issue. This issue was assigned CVE-2020-27829.

Analyzing CVE-2020-27829:

On checking the POC file, we found that it was a TIFF file.

When we open this file with ImageMagick with following command:

$magick poc.tif /dev/null

As a result, we see a crash like below:

As is clear from the above log, the program was trying to read 1 byte past allocated heap buffer and therefore ASAN caused this crash. This can atleast lead to a  ImageMagick crash on the systems running vulnerable version of ImageMagick.

Understanding TIFF file format:

Before we start debugging this issue to find a root cause, it is necessary to understand the TIFF file format. Its specification is very well described here: http://paulbourke.net/dataformats/tiff/tiff_summary.pdf.

In short, a TIFF file has three parts:

  1. Image File Header (IFH) – Contains information such as file identifier, version, offset of IFD.
  2. Image File Directory (IFD) – Contains information on the height, width, and depth of the image, the number of colour planes, etc. It also contains various TAGs like colormap, page number, BitPerSample, FillOrder,
  3. Bitmap data – Contains various image data like strips, tiles, etc.

We can tiffinfo utility from libtiff to gather various information about the POC file. This allows us to see the following information with tiffinfo like width, height, sample per pixel, row per strip etc.:

There are a few things to note here:

TIFF Dir offset is: 0xa0

Image width is: 3 and length is: 32

Bits per sample is: 9

Sample per pixel is: 3

Rows per strip is: 1024

Planer configuration is: single image plane.

We will be using this data moving forward in this post.

Debugging the issue:

As we can see in the crash log, program was crashing at function “PushQuantumPixel” in the following location in quantum-import.c line 256:

On checking “PushQuantumPixel” function in “MagickCore/quantum-import.c” we can see the following code at line #256 where program is crashing:

We can see following:

  • “pixels” seems to be a character array
  • inside a for loop its value is being read and it is being assigned to quantum_info->state.pixel
  • its address is increased by one in each loop iteration

The program is crashing at this location while reading the value of “pixels” which means that value is out of bound from the allocated heap memory.

Now we need to figure out following:

  1. What is “pixels” and what data it contains?
  2. Why it is crashing?
  3. How this was fixed?

Finding root cause:

To start with, we can check “ReadTIFFImage” function in coders/tiff.c file and see that it allocates memory using a “AcquireQuantumMemory” function call, which appears as per the documentation mentioned here:

https://imagemagick.org/api/memory.php:

“Returns a pointer to a block of memory at least count * quantum bytes suitably aligned for any use.

The format of the “AcquireQuantumMemory” method is:

void *AcquireQuantumMemory(const size_t count,const size_t quantum)

A description of each parameter follows:

count

the number of objects to allocate contiguously.

quantum

the size (in bytes) of each object. “

In this case two parameters passed to this function are “extent” and “sizeof(*strip_pixels)”

We can see that “extent” is calculated as following in the code below:

There is a function TIFFStripSize(tiff) which returns size for a strip of data as mentioned in libtiff documentation here:

http://www.libtiff.org/man/TIFFstrip.3t.html

In our case, it returns 224 and we can also see that in the code mentioned above,  “image->columns * sizeof(uint64)” is also added to extent, which results in 24 added to extent, so extent value becomes 248.

So, this extent value of 248 and sizeof(*strip_pixels) which is 1 is passed to “AcquireQuantumMemory” function and total memory of 248 bytes get allocated.

This is how memory is allocated.

“Strip_pixel” is pointer to newly allocated memory.

Note that this is 248 bytes of newly allocated memory. Since we are using ASAN, each byte will contain “0xbe” which is default for newly allocated memory by ASAN:

https://github.com/llvm-mirror/compiler-rt/blob/master/lib/asan/asan_flags.inc

The memory start location is 0x6110000002c0 and the end location is 0x6110000003b7, which is 248 bytes total.

This memory is set to 0 by a “memset” call and this is assigned to a variable “p”, as mentioned in below image. Please also note that “p” will be used as a pointer to traverse this memory location going forward in the program:

Later on we see that there is a call to “TIFFReadEncodedPixels” which reads strip data from TIFF file and stores it into newly allocated buffer “strip_pixels” of 248 bytes (documentation here: http://www.libtiff.org/man/TIFFReadEncodedStrip.3t.html):

To understand what this TIFF file data is, we need to again refer to TIFF file structure. We can see that there is a tag called “StripOffsets” and its value is 8, which specifies the offset of strip data inside TIFF file:

We see the following when we check data at offset 8 in the TIFF file:

We see the following when we print the data in “strip_pixels” (note that it is in little endian format):

So “strip_pixels” is the actual data from the TIFF file from offset 8. This will be traversed through pointer “p”.

Inside “ReadTIFFImage” function there are two nested for loops.

  • The first “for loop” is responsible for iterating for “samples_per_pixel” time which is 3.
  • The second “for loop” is responsible for iterating the pixel data for “image->rows” times, which is 32. This second loop will be executed for 32 times or number of rows in the image irrespective of allocated buffer size .
  • Inside this second for loop, we can see something like this:

  • We can notice that “ImportQuantumPixel” function uses the “p” pointer to read the data from “strip_pixels” and after each call to “ImportQuantumPixel”, value of “p” will be increased by “stride”.

Here “stride” is calculated by calling function “TIFFVStripSize()” function which as per documentation returns the number of bytes in a strip with nrows rows of data.  In this case it is 14. So, every time pointer “p” is incremented by “14” or “0xE” inside the second for loop.

If we print the image structure which is passed to “ImportQuantumPixels” function as parameter, we can see following:

Here we can notice that the columns value is 3, the rows value is 32 and depth is 9. If we check in the POC TIFF file, this has been taken from ImageWidth and ImageLength and BitsPerSample value:

Ultimately, control reaches to “ImportRGBQuantum” and then to the “PushQuantumPixel” function and one of the arguments to this function is the pixels data which is pointed by “p”. Remember that this points to the memory address which was previously allocated using the “AcquireQuantumMemory” function, and that its length is 248 byte and every time value of “p” is increased by 14.

The “PushQuantumPixel” function is used to read pixel data from “p” into the internal pixel data storage of ImageMagick. There is a for loop which is responsible for reading data from the provided pixels array of 248 bytes into a structure “quantum_Info”. This loop reads data from pixels incrementally and saves it in the “quantum_info->state.pixels” field.

The root cause here is that there are no proper bounds checks and the program tries to read data beyond the allocated buffer size on the heap, while reading the strip data inside a for loop.

This causes a crash in ImageMagick as we can see below:

Root cause

Therefore, to summarize, the program crashes because:

  1. The program allocates 248 bytes of memory to process strip data for image, a pointer “p” points to this memory.
  2. Inside a for loop this pointer is increased by “14” or “0xE” for number of rows in the image, which in this case is 32.
  3. Based on this calculation, 32*14=448 bytes or more amount of memory is required but only 248 in actual memory were allocated.
  4. The program tries to read data assuming total memory is of 448+ bytes, but the fact that only 248 bytes are available causes an Out of Bound memory read issue.

How it was fixed?

If we check at the patch diff, we can see that the following changes were made to fix this issue:

Here the 2nd argument to “AcquireQuantumMemory” is multiplied by 2 thus increasing the total amount of memory and preventing this Out of Bound read issue from heap memory. The total memory allocated is 496 bytes, 248*2=496 bytes, as we can see below:

Another issue with the fix:

A new version of ImageMagick 7.0.46 was released to fix this issue. While the patch fixes the memory allocation issue, if we check the code below, we can see that there was a call to memset which didn’t set the proper memory size to zero.

Memory was allocated extent*2*sizeof(*strip_pixels) but in this memset to 0 was only done for extent*sizeof(*strip_pixels). This means half of the memory was set to 0 and rest contained 0xbebebebe, which is by default for ASAN new memory allocation.

This has since been fixed in subsequent releases of ImageMagick by using extent=2*TIFFStripSize(tiff); in the following patch:

https://github.com/ImageMagick/ImageMagick/commit/a5b64ccc422615264287028fe6bea8a131043b59#diff-0a5eef63b187504ff513056aa8fd6a7f5c1f57b6d2577a75cff428c0c7530978

Conclusion:

Processing various image files requires deep understanding of various file formats and thus it is possible that something may not be exactly implemented or missed. This can lead to various vulnerabilities in such image processing software. Some of this vulnerability can lead to DoS and some can lead to remote code execution affecting every installation of such popular software.

Fuzzing plays an important role in finding vulnerabilities often missed by developers and during testing. We at McAfee constantly fuzz various closed source as well as open source software to help secure them. We work very closely with various vendors and do responsible disclosure. This shows McAfee’s commitment towards securing the software and protecting our customers from various threats.

We will continue to fuzz various software and work with vendors to help mitigate risk arriving from such threats.

We would like to thank and appreciate ImageMagick team for quickly resolving this issue within 24 hours and releasing a new version to fix this issue.

The post Fuzzing ImageMagick and Digging Deeper into CVE-2020-27829 appeared first on McAfee Blogs.

]]>
Protect Your Social Media Accounts from Hacks and Attacks https://www.mcafee.com/blogs/consumer/consumer-cyber-awareness/protect-your-social-media-accounts-from-hacks-and-attacks/ Wed, 30 Jun 2021 13:00:17 +0000 /blogs/?p=123823 social media day

Here’s to the hashtags, the likes, the followers, the DMs, and the LOLs—June 30th marks Social Media Day, a time to celebrate...

The post Protect Your Social Media Accounts from Hacks and Attacks appeared first on McAfee Blogs.

]]>
social media day

Here’s to the hashtags, the likes, the followers, the DMs, and the LOLs—June 30th marks Social Media Day, a time to celebrate and reflect on how social media has changed our lives over the years. 

Started in 2010 by media and entertainment company Mashable, celebrations have taken on all kinds of forms. Meetups, contests, calls to increase your social circle by one meaningful connection have all marked the date in the past. Yet this year feels like an opportunity to consider just how heavily so many of us have leaned upon social media these past months, particularly in a world where nearly 50% of the global population are social media users to some degree or other. 

What’s more, people worldwide spend an average of 145 minutes a day on social media. With users in the Philippines spending three hours and 53 minutes a day and users in the U.S. spending just over two hours a day, that figure can vary widely, yet it’s safe to say that a good portion of our day features time browsing around on social media. 

With that, Social Media Day is also a good day to give your social media settings and habits a closer look, all so that you can get the most out of it with less fuss and worry. Whether you’re using Facebook, Instagram, TikTok, or whatnot, here are several things you can do that can help keep you safe and secure out there: 

1. Go private

Social media platforms like Facebook, Instagram, and others give you the option of making your profile and posts visible to friends only. Choosing this setting keeps the broader internet from seeing what you’re doing, saying, and posting, which can help protect your privacy. 

2. Say “no” to strangers bearing friend requests

Be critical of the invitations you receive. Out-and-out strangers could be more than just a stranger, they could be a fake account designed to gather information on users for purposes of cybercrime, or they can be an account designed to spread false information. There are plenty of them too. In fact, in Q1 of 2021 alone, Facebook took action on 1.3 billion fake accounts. Reject such requests. 

3. Think twice before checking in

Nothing says “there’s nobody at home right now” like that post of you on vacation or sharing your location while you’re out on the town. In effect, such posts announce your whereabouts to a broad audience of followers (even a global audience, if you’re not posting privately, as called out above). Consider sharing photos and stories of your adventures once you’ve returned.  

4. The internet is forever

It’s a famous saying for a reason. Whether your profile is set to private or if you are using an app with “disappearing” messages and posts (like Snapchat), what you post can indeed be saved and shared again. It’s as simple as taking a screenshot. If you don’t want it out there, forever or otherwise, simply don’t post it. 

5. Watch out for phishing scams

We’re increasingly accustomed to the warnings about phishing emails, yet phishing attacks happen plenty on social media. The same rules apply. Don’t follow any links you get from strangers by way of instant or direct messengers. And keep your personal information close. Don’t pass out your email, address, or other info as well. Even those so-called “quiz” posts and websites can be ruses designed to steal bits and pieces of personal info that can be used as the basis of an attack. 

6. Review your tags

Some platforms such as Facebook allow users to review posts that are tagged with their profile names. Check your account settings and give yourself the highest degree of control over how and where your tags are used by others. This will help keep you aware of how you’re being mentioned by others and in what way. 

7. Protect yourself and your devices

Security software can protect you from clicking on malicious links while on social media, strengthen your passwords so your social media account doesn’t get hacked, and boost your online privacy as well. With identity theft a sadly commonplace occurrence today, security software is really a must. 

Stay Updated 

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.  

The post Protect Your Social Media Accounts from Hacks and Attacks appeared first on McAfee Blogs.

]]>
3 Canadian Real Estate Scams You Should Know About https://www.mcafee.com/blogs/consumer/consumer-cyber-awareness/3-canadian-real-estate-scams-you-should-know-about/ Tue, 29 Jun 2021 16:00:28 +0000 /blogs/?p=123793 real estate scams

Across the country, Canadians are moving out of cities in droves to stretch their legs and call a larger plot...

The post 3 Canadian Real Estate Scams You Should Know About appeared first on McAfee Blogs.

]]>
real estate scams

Across the country, Canadians are moving out of cities in droves to stretch their legs and call a larger plot of land home. For those embracing the work-from-home lifestyle, they no longer need to live near metro-area offices in expensive shoebox apartments and condos. According to Statistics Canada, 50,000 people moved out of Toronto and nearly 25,000 people migrated from Montréal to suburban areas from July 2019 to July 2020. 

The increased demand for suburban housing is making the Canadian real estate market a mad dash for limited supply. Additionally, some families who are out of work are struggling to keep their homes and are resorting to unsafe measures to keep a roof over their heads. 

Leave it to scammers and identity thieves to pounce on a vulnerable situation. Scammers and identity thieves are increasingly taking advantage of unsuspecting homeowners, and in some cases, selling homes without the rightful owners even realizing it. 

Be on the lookout for these three Canadian real estate scams. 

1. Loan Fraud 

Foreclosure occurs when a homeowner can no longer afford to pay their mortgage, so the lending institution takes over homeownership with the right to sell it. When homeowners are facing the prospect of having to move out, they may seek dubious loans to help them bridge the gap. Loan fraud is when a scammer pretends to extend a gracious loan. In exchange for the loan, the scammer may ask for the title of the home. With the title in hand, the thief may stop sending loan payments to the homeowner and instead resell or remortgage the property.  

Not being able to make mortgage payments is a desperate situation, which causes struggling homeowners to make dramatic decisions. Before agreeing to any type of loan, homeowners must ask themselves if the terms of the loan are too good to be true. In cases of fake loans, they often advertise an incredibly low-interest rate. It is best to trust your financial matters to accredited institutions.

2. Title Fraud

Title fraud is when someone steals the title of the home, usually by impersonating the homeowner. Once they have the title, the thief may attempt to sell the home or apply for a mortgage against it. In March 2021, the Times Colonist reported that a thief impersonated a British Columbian homeowner in order to transfer the home’s title to someone else’s name. Then, the thief tried to sell the home behind the rightful homeowner’s back. It was only when a neighbor alerted the real homeowner about the for-sale sign that they realized that their home could have been sold without their permission. 

The best way to defend against title fraud is to keep your personal information as private as possible. Title fraud is closely related to identity theft, and fraudsters may gain access to your personal information through phishing methods. Phishing is a tactic where cybercriminals trick people into giving up personal details, including full names, birthdays, and financial information. Statistics Canada calculates that 34% of Canadians have experienced a phishing attempt since the beginning of the pandemic. This statistic emphasizes the importance of constant vigilance concerning your most sensitive personal information. 

3. Mortgage Fraud 

Mortgage fraud is a term that can apply to untruthful lenders who attempt to swindle cash from unsuspecting buyers or pitch mortgage terms that fall outside of the buyer’s means. The Financial Services Commission of Ontario lists several warning signs of mortgage fraud. For example, lenders who do not have your best interests in mind may ask for cash fees and upfront payments. 

Again, it is best to only trust accredited financial institutions with your mortgages and loans. Research the institution before signing any contract. If the mortgage terms are too good to be true, it probably is. There are several online mortgage calculators that can give you an idea of the type of mortgage you can afford. Before entering any talks with a lender, conduct some research beforehand so you can spot unreasonable terms.   

Also, an unscrupulous lender may try to hurry you along but also take a long time responding to your calls and emails. If you feel pressured or unsure at any point, remember that there are plenty of fish in the sea. Ask your friends or family for lender recommendations to make sure that you are not tricked into mortgage fraud, the consequences of which could follow you for years. 

How to Protect Your Real Estate Investments

  • Invest in title insurance. To protect yourself from fraud involving the title of your house, consider investing in title insurance. Title insurance usually protects homeowners from the transgressions of past owners, but it also protects against fraud. 
  • Don’t fall for phishing. If you receive a suspicious message that asks for personal details, there are a few ways to determine if it was sent by a phisher aiming to steal your identity. Before clicking on any links, hover over it with your cursor to reveal the full website. If there are typos in the URL or it redirects to anyplace other than where it advertises, do not click on it. Also, phishers often send messages with a tone of urgency, and they try to inspire extreme emotions such as excitement or fear. If an unsolicited email urges you to “act fast!” slow down and evaluate the situation. 
  • Remain calm. Staying cool under pressure is easier said than done concerning matters about your home. Down-on-their-luck homeowners can be too quick to jump at too-good-to-be-true loan offers that turn out to be scams. There is often a time crunch in making mortgage payments, but take your time to review contracts and research the lender to make sure that your home and finances are in competent hands. 
  • Report scams. To prevent others from enduring the same headache and uncertainty of real estate scams, you can report suspicious messages and instances of fraud and other cybercrimes to the Canadian Anti-Fraud Centre. 
  • Sign up for an identity theft alert service. An identity theft alert service warns you about suspicious activity surrounding your personal information, allowing you to jump to action before irreparable damage is done. McAfee Total Protection not only keeps your devices safe from viruses but gives you the added peace of mind that your identity is secure, as well. 

Stay Updated 

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.  

The post 3 Canadian Real Estate Scams You Should Know About appeared first on McAfee Blogs.

]]>
How to Proactively Increase Your Protection Against Ransomware with Threat Intelligence https://www.mcafee.com/blogs/enterprise/security-operations/how-to-proactively-increase-your-protection-against-ransomware-with-threat-intelligence/ Tue, 29 Jun 2021 15:00:34 +0000 /blogs/?p=123748

As Ransomware continues to spread and target organizations around the world, it is critical to leverage threat intelligence data. And...

The post How to Proactively Increase Your Protection Against Ransomware with Threat Intelligence appeared first on McAfee Blogs.

]]>

As Ransomware continues to spread and target organizations around the world, it is critical to leverage threat intelligence data. And not just any threat intelligence but actionable intelligence from MVISION Insights. Fortunately, there are several steps you can take to proactively increase your Endpoint Security to help minimize damage from the next Darkside, WannaCry, Ryuk, or REvil

Which Ransomware campaigns and threat profiles are most likely going to hit you?

MVISION Insights provides near real time statistics on the prevalence of Ransomware campaigns and threat profiles detections by country, by sector and in your environment.

Above you can see that although 5ss5c is the most detected ransomware worldwide, in France Darkside and Ryuk have been the most detected campaigns in the last 10 days. You can also sort top campaigns by industry sector.

How to proactively increase your level of protection against these ransomwares?

As you can see above, MVISION Insights measures your overall Endpoint Security score and provides recommendations on which McAfee Endpoint Security features should be enabled for maximum protection.

Then, MVISION Insights assesses out-of-the-box the minimum version of your McAfee Endpoint Security AMcore content necessary to protect against each campaign. As you can see above, two devices have an insufficient coverage against the “CISA-FBI Cybersecurity Advisory on the Darkside Ransomware”. You can then use McAfee ePO to update these two devices.

Below, MVISION Insights provides a link to a KB article for the “Darkside Ransomware profile” with detailed suggestions on which McAfee Endpoint Security rules to enable in your McAfee ePO policies. First, the minimum set of rules to better protect against this ransomware campaign. Second, the aggressive set to fully block the campaign. The second one can create false positives and should only be used in major crisis situations.

How to proactively check if you have been breached?

MVISION Insights can show you whether you have unresolved detections for specific campaigns. Below you can see that you have an unresolved detection linked the “Operation Iron Ore” threat campaign.

MVISION Insights provides IOCs (Indicators of comprises) which your SOC can use with MVISION EDR to look for the presence of these malicious indicators.

If your SOC has experienced threat hunters MVISION Insights also provides information on the MITRE Tactics, Techniques and Tools linked to this threat campaign or threat profile. This data is also available via the MVISION APIs to integrate with your other SOC tools. In fact, several integrations are already available today with other vendors from the McAfee SIA partnership.

Finally, the ultimate benefit from MVISION Insights is that you can use it to show to your management whether your organization is correctly protected against the latest ransomware attacks.

In summary, you can easily leverage MVISION Insights to proactively increase your protection against ransomware by:

    • Identifying which ransomware are most likely going to hit you
    • Adapting your McAfee Endpoint Security protection against these campaigns using McAfee’s recommendations
    • Proactively checking whether you might be breached
    • Showing your protection status against these threats to your management

 

 

 

The post How to Proactively Increase Your Protection Against Ransomware with Threat Intelligence appeared first on McAfee Blogs.

]]>
5 Ransomware Threats Canadians Need to Know https://www.mcafee.com/blogs/consumer/consumer-cyber-awareness/5-ransomware-threats-canadians-need-to-know/ Mon, 28 Jun 2021 20:00:16 +0000 /blogs/?p=123613 Ransomware

Every day you place your personal information in the hands of companies and trust that it will remain safe. However,...

The post 5 Ransomware Threats Canadians Need to Know appeared first on McAfee Blogs.

]]>
Ransomware

Every day you place your personal information in the hands of companies and trust that it will remain safe. However, what happens when external threats jeopardize your personal data security, especially while working remotely? 

The transition to remote work environments and consumers’ online habits have made it more difficult for Canadian employees and consumers to protect their personal information. This challenge is primarily due to ransomware. To protect yourself, you need to first understand how cybercriminals take advantage of users’ online behaviors to launch strategic attacks against employees and consumers through the information they glean from stolen company data. 

How Your Personal Actions Can Impact Corporate Systems 

Ransomware has been on the rise this past year with attacks increasing 62% in 2020 according to Statista. In fact, 78% of Canadian cybersecurity professionals said that attacks increased due to employees working remotely in a recent VMware report. Cybercriminals target remote workers primarily through malicious links sent through phishing emails — in fact, over one third of Canadian respondents in a recent survey said they experienced at least one phishing attempt in the last year.   

Hackers pose as legitimate organizations and prompt individuals to take action: say you decide to check your personal email on your work laptop during your lunch break. You open a message that claims to be from one of your favorite retailers claiming that you just won $500 in shopping credit – all you need to do is click on the link and fill out your banking information. This is an example of a phishing attack that could not only wreak havoc on your personal security, but your company’s as well. If the link in the message downloads a credential-stealing malware on your work laptop, there is a good chance that your organization’s private data or network could be compromised.  

Knowing that many employees will be communicating virtually instead of face-to-face, hackers can take advantage of the remote work environment by posing as employees from finance departments and sending fake invoices for products or services. The goal of these fake invoices is for employees to call a support phone number to investigate, whereby hackers attain credit card numbers or other information they can leverage in spear-phishing scams. Hackers can also spoof phone calls to make it look like it is coming from a legitimate number within the organization. Revealing too much information to an unverified contact is a risk that remote workers must learn to identify and avoid. 

Ransomware is always evolving, making it critical to understand the nature of these threats so you can better avoid them.  

The 5 Most Dangerous Ransomware Scams  

Cybercriminals are constantly finding new ways to automate their attacks and increase their profits. Here is a look at five active ransomware variants cybercriminals use today—and how they deploy them. 

1. CryptoDefense 

By the end of 2020, McAfee Labs observed a 69% increase in new ransomware, which Cryptodefense largely drove. This virus is similar to CryptoLocker, a trojan virus that spreads through email phishing to infiltrate hard drives and files. Both spread ransomware, use high levels of encryption to compromise users’ files, and claim that these files cannot be decrypted without a decryption key.  

2. Maze 

Maze ransomware has been active since November of 2019 and is operated by hackers notorious for leaking victim data upon non-payment. Maze operators first gain access to a network by using valid credentials. It will then scan the network for user devices, check these devices for additional credentials, and compromise user files.  

3. REvil/Sodinokibi 

In a Ransomware Task Force interview with an affiliate of the REvil/Sodinokibi syndicate, the interviewee revealed that companies with cyber insurance are prime targets since the chances of a payout are high. This ransomware spreads through software vulnerabilities, phishing scams, and exploit kits. Once it infiltrates a device, it spreads through escalated privilege to compromise user files and systems.  

4. Ryuk 

Ryuk has been around since August of 2018 and targets large companies, critical infrastructure, and hospitals. This ransomware is almost always spread through a banking trojan called Trickbot, used by hackers to steal financial and banking credentials. The operators behind this ransomware demand higher ransoms compared to other groups. They also use opensource tools and manual hacking techniques to bypass detection and infiltrate private networks. 

5. SamSam 

The operators behind SamSam ransomware gain access through Windows servers using a Microsoft protocol that allows remote connections to other computers. Operators will then elevate their privilege to include admin rights once inside a network to infect servers with malware, requiring no action or authorization on the victim’s part. 

How to Reduce the Risk and Impact of Ransomware 

Ransomware can affect anyone, regardless of whether you are an employee or a customer of a targeted company. Keep these tips in mind to reduce your risk of a ransomware attack and know what steps to take if you fall victim.   

1. Don’t click on malicious links 

Phishing emails are one of the most common methods a hacker will use to infect devices and spread ransomware. They will send links through seemingly legitimate emails to trick users into clicking on them and downloading malicious files. Knowing how to spot one is the first step to prevent infection. If you receive an email you suspect is a phishing scam, start by analyzing its structure: common indicators of a phishing scam may include: 

  • Grammatical errors with poorly written wording 
  • Pressure to take immediate action or confirm personal information 
  • Link addresses that do not match the anchor text in the email body 
  • Inconsistent sender name and email address 
  • Suspicious attachments  

Once you identify a phishing email, don’t click on any links or download attachments. Simply delete it and carry on with your day.  

2. Use multi-factor authentication and strong passwords 

Keep in mind that the cybercriminals behind Maze ransomware gained access to private networks through valid credentials. Hackers typically obtain these credentials through a “password spray” technique where they attempt to log in to accounts using a list of commonly used passwords. However, hackers have a higher chance of guessing valid passwords if they are too short or not complex enough. Additionally, a hacker is more likely to infiltrate multiple accounts if they share the same password. 

Strong passwords help ensure that a hacker cannot access your private network, gain administrative rights to your device, or infect another device you are connected to. Create a password that is strong enough to withstand simple guess-and-check attempts by making them long, difficult, and unique. Multi-phrased passwords or passphrases also help to prevent hackers from breaking into your accounts, such as “P3anutbutter&J3lly.” Avoid reusing passwords across multiple accounts and change them periodically, especially after an account has been breached. Even if a hacker does steal your credentials, multi-factor authentication adds an extra validation layer to prohibit unauthorized sign-in attempts.  

3. Use security software to monitor threats 

Your device is more susceptible to ransomware and viruses without the right security tools to help mitigate the chances of infection. Avoid the risk of a ransomware attack by employing a quality security solution like McAfee Total Protection. A holistic security solution can help you stay vigilant of cyber threats by monitoring for ransomware viruses in addition to malware and spyware. Security software can also monitor your internet connection and network traffic through regular scans to flag malicious activity and provide guidance on how to sidestep these threats. If a hacker attempts to launch an attack on your device, you can rest assured your security software will promptly alert you of the intrusion. 

 4. Regularly update devices 

In addition to social engineering tactics, hackers will leverage vulnerabilities in software to create a back door through which they can infiltrate user devices. A way to keep cyber criminals out is to keep your software applications and devices up to date. This includes the apps on your mobile device as well as apps on your desktop. Regular updates ensure that the proper security patches are implemented, the right bugs are fixed and that hackers cannot exploit these vulnerabilities. 

5. Remediate and restore files and systems 

If worse comes to worst and your device is infected with ransomware, the first thing to do is isolate the device and disconnect from shared networks. Disconnecting the infected device ensures that ransomware cannot spread to other devices on that same network.  

Immediately gather evidence on what type of malware you are dealing with so you can accurately report it to authorities and determine what your options are for remediation. You can then choose to remove it or wipe your system completely which is the most assured way to eliminate ransomware from your device. Afterwards you can reinstall your operating system and, provided you perform regular backups, restore your files to a previous version.  

Defeat Ransomware Threats    

No one is truly out of the danger zone when hackers strike. Ransomware is on the rise, and online users must understand how to bypass these viruses to avoid the ramifications of a compromised device. By understanding online security best practices, users can safeguard their online presence and defend against ransomware threats.  

Stay Updated 

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.  

The post 5 Ransomware Threats Canadians Need to Know appeared first on McAfee Blogs.

]]>
How I Seized McAfee’s Opportunities to Realize My Potential https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/how-i-seized-mcafees-opportunities-to-realize-my-potential/ Mon, 28 Jun 2021 19:49:59 +0000 /blogs/?p=120445

This post was written by Emmanuel Making the most of opportunities and putting in the work with an employer who...

The post How I Seized McAfee’s Opportunities to Realize My Potential appeared first on McAfee Blogs.

]]>

This post was written by Emmanuel

Making the most of opportunities and putting in the work with an employer who invests in you is a powerful combination. My journey at McAfee would not be complete had it not been for the chance to prove myself.

McAfee Rotation Program (MRP) program helps candidates find the right fit within the organization. MRP consists of five month-long placements within Professional Services, Pre-Sales Engineering, Security Operations and Sales Operations. To be accepted, candidates must complete and score well during three rigorous days of evaluation.

There is no promise you’ll be hired, only the promise that McAfee will give you every chance to prove your worth. And when you succeed, the benefits are far greater than just a paycheck.

In 2018, about a year after earning my Bachelor’s Degree in Mechanical Engineering and Mathematics, I learned about the program while looking for work. Even though cybersecurity wasn’t my background, I decided to take a chance.

The path to a rewarding career

McAfee flew me from my home in New Jersey to Dallas to complete an intensive course consisting of 10- to 12-hour days of interviews, presentations, logic tests, and team building exercises. One of the toughest parts was presenting on McAfee products, something I knew very little about, and having only a few hours overnight to prepare once given the assignment.

Those days were extremely challenging and tested me in ways that I didn’t think possible. Even though it wasn’t really tailored to my area of studies, the program was an opportunity to work for one of the largest global corporations. I was resolved to stay focused and make an impression.

And I was hungry. Failing wasn’t an option. I had done my research and wanted the opportunity to work for McAfee.

About two weeks after the course, McAfee informed me that I was one of six candidates to be accepted into the MRP. The journey to help me find the best position soon began.

For the next two years, I worked five rotations or positions within the program’s designated areas. It wasn’t long before I began charting my path to what interested me most.

Last year, I achieved my goal of becoming an Enterprise Security Engineer.

Succeeding through a culture of ongoing development

I could not have achieved success without God, the help of a lot of people, and a diverse culture that embraces personal and professional growth.

McAfee gives you the opportunity to not just find what you do best but fulfill your passions. Along the way, you are recognized and mentored – a great achievement was receiving the “Who’s Doing This” award based on performance within my first year at McAfee.

The company invests in you personally and professionally, not just through training opportunities, but by encouraging healthy lifestyles and work-life balance. When we’re not working remotely, every Friday employees can bring their dogs to work through the Pups at Work Program. Some people have actually become attached to their coworkers’ pets!

Building connections has helped launch my career, understand where I want to go and how to get there. Like any new hire, you have to develop into your role, and that is only made possible with the right direction and encouragement. Coworkers and leadership have continually helped me along my journey.

Even through a period of remote working, McAfee has developed an online culture which makes you feel as though everybody is collaborating in person.

And the learning never stops. My mentor spends time each month guiding me down my career path, which is a huge plus.

A sweet experience

What I like about McAfee is you are given every chance to succeed, which instills a strong work ethic and the ability to give back. I was fortunate to help lead another MRP soon after completing my rotation. Leadership entrusted me to coordinate the program from start to finish, and it was rewarding to watch the development of those who succeeded.

My time here has been sweet, and I could not pick a better company to launch my career. I’ve gone from somebody with no background in information technology and security to being a subject matter expert.

Those three days in Dallas were tough, but sometimes you have to put in a little sweat equity to reach your goal. They are among the greatest days of my career and make working for McAfee that much sweeter.

Are you thinking about joining our team? McAfee takes great pride in providing candidates every opportunity to show their true value. Learn more about our jobs. Subscribe to job alerts.

Stay Connected
For more stories like this, follow @LifeAtMcAfee on Instagram and  @McAfee on Twitter to see what working at McAfee is all about. 

Search Career Opportunities with McAfee
Interested in joining our team? We’re hiring!  Apply now.

The post How I Seized McAfee’s Opportunities to Realize My Potential appeared first on McAfee Blogs.

]]>
Analyzing CVE-2021-1665 – Remote Code Execution Vulnerability in Windows GDI+ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analyzing-cve-2021-1665-remote-code-execution-vulnerability-in-windows-gdi/ Mon, 28 Jun 2021 19:44:00 +0000 /blogs/?p=123988 Consejos para protegerte de quienes intentan hackear tus correos electrónicos

Introduction Microsoft Windows Graphics Device Interface+, also known as GDI+, allows various applications to use different graphics functionality on video...

The post Analyzing CVE-2021-1665 – Remote Code Execution Vulnerability in Windows GDI+ appeared first on McAfee Blogs.

]]>
Consejos para protegerte de quienes intentan hackear tus correos electrónicos

Introduction

Microsoft Windows Graphics Device Interface+, also known as GDI+, allows various applications to use different graphics functionality on video displays as well as printers. Windows applications don’t directly access graphics hardware such as device drivers, but they interact with GDI, which in turn then interacts with device drivers. In this way, there is an abstraction layer to Windows applications and a common set of APIs for everyone to use.

Because of its complex format, GDI+ has a known history of various vulnerabilities. We at McAfee continuously fuzz various open source and closed source software including windows GDI+. Over the last few years, we have reported various issues to Microsoft in various Windows components including GDI+ and have received CVEs for them.

In this post, we detail our root cause analysis of one such vulnerability which we found using WinAFL: CVE-2021-1665 – GDI+ Remote Code Execution Vulnerability.  This issue was fixed in January 2021 as part of a Microsoft Patch.

What is WinAFL?

WinAFL is a Windows port of a popular Linux AFL fuzzer and is maintained by Ivan Fratric of Google Project Zero. WinAFL uses dynamic binary instrumentation using DynamoRIO and it requires a program called as a harness. A harness is nothing but a simple program which calls the APIs we want to fuzz.

A simple harness for this was already provided with WinAFL, we can enable “Image->GetThumbnailImage” code which was commented by default in the code. Following is the harness code to fuzz GDI+ image and GetThumbnailImage API:

 

As you can see, this small piece of code simply creates a new image object from the provided input file and then calls another function to generate a thumbnail image. This makes for an excellent attack vector and can affect various Windows applications if they use thumbnail images. In addition, this requires little user interaction, thus software which uses GDI+ and calls GetThumbnailImage API, is vulnerable.

Collecting Corpus:

A good corpus provides a sound foundation for fuzzing. For that we can use Google or GitHub in addition to further test corpus available from various software and public EMF files which were released for other vulnerabilities. We have generated a few test files by making changes to a sample code provided on Microsoft’s site which generates an EMF file with EMFPlusDrawString and other records:

Ref: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-emfplus/07bda2af-7a5d-4c0b-b996-30326a41fa57

Minimizing Corpus:

After we have collected an initial corpus file, we need to minimize it. For this we can use a utility called winafl-cmin.py as follows:

winafl-cmin.py -D D:\\work\\winafl\\DynamoRIO\\bin32 -t 10000 -i inCorpus -o minCorpus -covtype edge -coverage_module gdiplus.dll -target_module gdiplus_hardik.exe -target_method fuzzMe -nargs 2 — gdiplus_hardik.exe @@

How does WinAFL work?

WinAFL uses the concept of in-memory fuzzing. We need to provide a function name to WinAFL. It will save the program state at the start of the function and take one input file from the corpus, mutate it, and feed it to the function.

It will monitor this for any new code paths or crashes. If it finds a new code path, it will consider the new file as an interesting test case and will add it to the queue for further mutation. If it finds any crashes, it will save the crashing file in crashes folder.

The following picture shows the fuzzing flow:

Fuzzing with WinAFL:

Once we have compiled our harness program, collected, and minimized the corpus, we can run this command to fuzz our program with WinAFL:

afl-fuzz.exe -i minCorpus -o out -D D:\work\winafl\DynamoRIO\bin32 -t 20000 —coverage_module gdiplus.dll -fuzz_iterations 5000 -target_module gdiplus_hardik.exe -target_offset 0x16e0 -nargs 2 — gdiplus_hardik.exe @@

Results:

We found a few crashes and after triaging unique crashes, and we found a crash in “gdiplus!BuiltLine::GetBaselineOffset” which looks as follows in the call stack below:

As can be seen in the above image, the program is crashing while trying to read data from a memory address pointed by edx+8. We can see it registers ebx, ecx and edx contains c0c0c0c0 which means that page heap is enabled for the binary. We can also see that c0c0c0c0 is being passed as a parameter to “gdiplus!FullTextImager::RenderLine” function.

Patch Diffing to See If We Can Find the Root Cause

To figure out a root cause, we can use patch diffing—namely, we can use IDA BinDiff plugin to identify what changes have been made to patched file. If we are lucky, we can easily find the root cause by just looking at the code that was changed. So, we can generate an IDB file of patched and unpatched versions of gdiplus.dll and then run IDA BinDiff plugin to see the changes.

We can see that one new function was added in the patched file, and this seems to be a destructor for BuiltLine Object :

We can also see that there are a few functions where the similarity score is < 1 and one such function is FullTextImager::BuildAllLines as shown below:

Now, just to confirm if this function is really the one which was patched, we can run our test program and POC in windbg and set a break point on this function. We can see that the breakpoint is hit and the program doesn’t crash anymore:

Now, as a next step, we need to identify what has been changed in this function to fix this vulnerability. For that we can check flow graph of this function and we see something as follows. Unfortunately, there are too many changes to identify the vulnerability by simply looking at the diff:

The left side illustrates an unpatched dll while right side shows a patched dll:

  • Green indicates that the patched and unpatched blocks are same.
  • Yellow blocks indicate there has been some changes between unpatched and patched dlls.
  • Red blocks call out differences in the dlls.

If we zoom in on the yellow blocks we can see following:

We can note several changes. Few blocks are removed in the patched DLL, so patch diffing will alone will not be sufficient to identify the root cause of this issue. However, this presents valuable hints about where to look and what to look for when using other methods for debugging such as windbg. A few observations we can spot from the bindiff output above:

  • In the unpatched DLL, if we check carefully we can see that there is a call to “GetuntrimmedCharacterCount” function and later on there is another call to a function “SetSpan::SpanVector
  • In the patched DLL, we can see that there is a call to “GetuntrimmedCharacterCount” where a return value stored inside EAX register is checked. If it’s zero, then control jumps to another location—a destructor for BuiltLine Object, this was newly added code in the patched DLL:

So we can assume that this is where the vulnerability is fixed. Now we need to figure out following:

  1. Why our program is crashing with the provided POC file?
  2. What field in the file is causing this crash?
  3. What value of the field?
  4. Which condition in program which is causing this crash?
  5. How this was fixed?

EMF File Format:

EMF is also known as enhanced meta file format which is used to store graphical images device independently. An EMF file is consisting of various records which is of variable length. It can contain definition of various graphic object, commands for drawing and other graphics properties.

Credit: MS EMF documentation.

Generally, an EMF file consist of the following records:

  1. EMF Header – This contains information about EMF structure.
  2. EMF Records – This can be various variable length records, containing information about graphics properties, drawing order, and so forth.
  3. EMF EOF Record – This is the last record in EMF file.

Detailed specifications of EMF file format can be seen at Microsoft site at following URL:

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-emf/91c257d7-c39d-4a36-9b1f-63e3f73d30ca

Locating the Vulnerable Record in the EMF File:

Generally, most of the issues in EMF are because of malformed or corrupt records. We need to figure out which record type is causing this crash. For this if we look at the call stack we can see following:

We can notice a call to function “gdiplus!GdipPlayMetafileRecordCallback

By setting a breakpoint on this function and checking parameter, we can see following:

We can see that EDX contains some memory address and we can see that parameter given to this function are: 00x00401c,0x00000000 and 0x00000044.

Also, on checking the location pointed by EDX we can see following:

If we check our POC EMF file, we can see that this data belongs to file from offset: 0x15c:

By going through EMF specification and manually parsing the records, we can easily figure out that this is a “EmfPlusDrawString” record, the format of which is shown below:

In our case:

Record Type = 0x401c EmfPlusDrawString record

Flags = 0x0000

Size = 0x50

Data size = 0x44

Brushid = 0x02

Format id = 0x01

Length = 0x14

Layoutrect = 00 00 00 00 00 00 00 00 FC FF C7 42 00 00 80 FF

String data =

Now that we have located the record that seems to be causing the crash, the next thing is to figure out why our program is crashing. If we debug and check the code, we can see that control reaches to a function “gdiplus!FullTextImager::BuildAllLines”. When we decompile this code, we can see something  like this:

The following diagram shows the function call hierarchy:

The execution flow in summary:

  1. Inside “Builtline::BuildAllLines” function, there is a while loop inside which the program allocates 0x60 bytes of memory. Then it calls the “Builtline::BuiltLine”
  2. The “Builtline::BuiltLine” function moves data to the newly allocated memory and then it calls “BuiltLine::GetUntrimmedCharacterCount”.
  3. The return value of “BuiltLine::GetUntrimmedCharacterCount” is added to loop counter, which is ECX. This process will be repeated until the loop counter (ECX) is < string length(EAX), which is 0x14 here.
  4. The loop starts from 0, so it should terminate at 0x13 or it should terminate when the return value of “GetUntrimmedCharacterCount” is 0.
  5. But in the vulnerable DLL, the program doesn’t terminate because of the way loop counter is increased. Here, “BuiltLine::GetUntrimmedCharacterCount” returns 0, which is added to Loop counter(ECX) and doesn’t increase ECX value. It allocates 0x60 bytes of memory and creates another line, corrupting the data that later leads the program to crash. The loop is executed for 21 times instead of 20.

In detail:

1. Inside “Builtline::BuildAllLines” memory will be allocated for 0x60 or 96 bytes, and in the debugger it looks as follows:

2. Then it calls “BuiltLine::BuiltLine” function and moves the data to newly allocated memory:

3. This happens in side a while loop and there is a function call to “BuiltLine::GetUntrimmedCharacterCount”.

4. Return value of “BuiltLine::GetUntrimmedCharacterCount” is stored in a location 0x12ff2ec. This value will be 1 as can be seen below:

5. This value gets added to ECX:

6. Then there is a check that determines if ecx< eax. If true, it will continue loop, else it will jump to another location:

7. Now in the vulnerable version, loop doesn’t exist if the return value of “BuiltLine::GetUntrimmedCharacterCount” is 0, which means that this 0 will be added to ECX and which means ECX will not increase. So the loop will execute 1 more time with the “ECX” value of 0x13. Thus, this will lead to loop getting executed 21 times rather than 20 times. This is the root cause of the problem here.

Also after some debugging, we can figure out why EAX contains 14. It is read from the POC file at offset: 0x174:

If we recall, this is the EmfPlusDrawString record and 0x14 is the length we mentioned before.

Later on, the program reaches to “FullTextImager::Render” function corrupting the value of EAX because it reads the unused memory:

This will be passed as an argument to “FullTextImager::RenderLine” function:

Later, program will crash while trying to access this location.

Our program was crashing while processing EmfPlusDrawString record inside the EMF file while accessing an invalid memory location and processing string data field. Basically, the program was not verifying the return value of “gdiplus!BuiltLine::GetUntrimmedCharacterCount” function and this resulted in taking a different program path that  corrupted the register and various memory values, ultimately causing the crash.

How this issue was fixed?

As we have figured out by looking at patch diff above, a check was added which determined the return value of “gdiplus!BuiltLine::GetUntrimmedCharacterCount” function.

If the retuned value is 0, then program xor’s EBX which contains counter and jump to a location which calls destructor for Builtline Object:

Here is the destructor that prevents the issue:

Conclusion:

GDI+ is a very commonly used Windows component, and a vulnerability like this can affect billions of systems across the globe. We recommend our users to apply proper updates and keep their Windows deployment current.

We at McAfee are continuously fuzzing various open source and closed source library and work with vendors to fix such issues by responsibly disclosing such issues to them giving them proper time to fix the issue and release updates as needed.

We are thankful to Microsoft for working with us on fixing this issue and releasing an update.

 

 

 

 

The post Analyzing CVE-2021-1665 – Remote Code Execution Vulnerability in Windows GDI+ appeared first on McAfee Blogs.

]]>
What is Roblox and is It Safe for Kids? https://www.mcafee.com/blogs/consumer/family-safety/what-is-roblox-and-is-it-safe-for-kids/ Mon, 28 Jun 2021 17:30:24 +0000 /blogs/?p=123781 is roblox safe for kids?

If you have a tween or teen, you’ve likely heard a lot of excited chatter about Roblox. With a reported 150 million users, there’s a good...

The post What is Roblox and is It Safe for Kids? appeared first on McAfee Blogs.

]]>
is roblox safe for kids?

If you have a tween or teen, you’ve likely heard a lot of excited chatter about Roblox. With a reported 150 million users, there’s a good chance your child has the Roblox site on their phone, tablet, PC, or Xbox. In fact, in 2020, Roblox estimated that over half of kids in the U.S. under 16 had used the forum. However, as with all digital destinations, the fun of Roblox is not without some safety concerns.  

Why do kids love Roblox? 

Roblox is an online gaming forum (not an app or game as one might assume) where users can create and share games or just play games. Kids can play Roblox games with friends they know or join games with unknown players. Roblox hosts an infinite number of games (about 20 million), which makes it a fun place to build and share creations, chat, and make friends. Game creators can also make significant money if their games take off.  

A huge component of Roblox is its social network element that allows users to chat and have meetups. During quarantine, Roblox added its own private space for users to host virtual private birthday parties and social gatherings. 

Is Roblox safe for kids? 

Like any site or app, Roblox is safe if you take the time to optimize parental controls (both in-forum and personal software), monitor your child’s use, and taking basic precautions you’re your child starts using the forum. Especially with kids drawn to gaming communities, it’s important to monitor conversations they can be having with anyone, anywhere.  

Potential Safety Issues  

  • Connections with strangers. Like other popular apps and sites, users have reported predators on Roblox and there’s a concern about the forum’s easily accessible chat feature bad actors may use to target their victims. Too, there’s a “Chat & Party” window on nearly every page of the site that any user can access.  

Roblox security tip: Adjust settings to prohibit strangers’ from friending an account. Consider watching your child play a few games and how he or she interacts or wanders through the app. Pay close attention to the chat feature. Keep the conversation open, so your child feels comfortable sharing online concerns with you.

  • Potential cyberbullying. Users can join almost any game at any time, which opens the door to possible cyberbullying. Roblox security tip: Adjust settings to block mature games and talk with kids about handling inappropriate chats, live conversations, and comments. Also, know where to report bullying or any other rule violation on the forum.  
     
  • Inappropriate content. Because Roblox game content is user-generated, game content can range from harmless and cute to games containing violent and sexual storylines or characters, according to reports. Roblox security tip: Adjust settings to block mature games. Commit to constant monitoring to ensure settings are intact. Ask your child about their favorite games and evaluate the content yourself. 
     
  • In-app currency. Robux is the platform’s in-app currency kids can use to purchase accessories games such as pets, clothes, and weapons for different. As we’ve noted in the past, kids can rack up some hefty charges when in-app currency is allowed. Roblox Security Tip: Set limits with kids on purchases or adjust Roblox settings to prohibit in-app purchases.  

Additional Roblox Security

If you have your child’s login information, you can easily view their activity history in a few vulnerable areas including private and group chats, friends list, games played, games created, and items purchased. It’s also a good idea to make sure their birthdate is correct since Roblox automatically filters chats and game content for users under 13. Roblox has a separate login for parents of younger kids that allows you to go in and view all activities.  

As always, the best way to keep your child safe on Roblox or any other site or app is to take every opportunity for open, honest conversation about personal choices and potential risks online. Oh, and sitting down to play their favorite games with them — is always the best seat in the house.  

Stay Updated  

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home and @McAfee_Family on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like us on Facebook.   

The post What is Roblox and is It Safe for Kids? appeared first on McAfee Blogs.

]]>
Homes, Not Just Devices: The New Consumer Cybersecurity https://www.mcafee.com/blogs/consumer/mobile-and-iot-security/homes-not-just-devices-the-new-consumer-cybersecurity/ Thu, 24 Jun 2021 08:01:46 +0000 /blogs/?p=123655 Strong Passwords

Over the last year, our relationship with digital technology has changed completely, and probably irrevocably. The pandemic has been bruising...

The post Homes, Not Just Devices: The New Consumer Cybersecurity appeared first on McAfee Blogs.

]]>
Strong Passwords

Over the last year, our relationship with digital technology has changed completely, and probably irrevocably. The pandemic has been bruising in many different ways, but it has been clear from the very start how important the internet has been as a tool to help us through it. Even just a few years ago, the behavioural shifts it enabled would not have been possible. From offices running on videoconferencing, to essential retail moving online, to digitally-delivered healthcare, many online tools that were once seen as promising growth areas or quality-of-life improving luxuries have come into their own as vital parts of everyday life.

Every big change in how we use technology, however, is followed sooner or later by a development in how we approach security and safety. This was true when the emergence of personal computers and ATMs led to education campaigns around the importance of PIN and password vigilance. It was true when the commoditisation of internet access created the need for consumer antivirus protection. It was even true when the automobile was first introduced, with cities rushing to introduce traffic signaling to manage that new high-speed flow.

Soon, then, we should expect to see another step in our collective attitude to security and privacy. What will that look like? For me, it should rest on a new sense of what is being protected, and new expectations about how that protection happens.

The work of threat research

To explain why, it’s worth understanding what the process of finding and fixing cybersecurity issues looks like. The first line of defence against attacks always happens during product development, when coders and engineers try to ensure that what they are creating is not vulnerable. The nature of cybersecurity, however, is that some problems will inevitably occur in finished products. That’s why there are also teams of people who analyse these products, independently testing whether they are truly safe.

At McAfee, our enterprise Advanced Threat Research (ATR) team has a long history and a strong track record of doing this testing. Often, the ATR team’s work is very similar to what people might imagine when they think of a ‘cybersecurity researcher’: it’s unpicking highly complex systems and tracing international criminal organisations responsible for attacks.

A lot of this work is much closer to home, though, and increasingly it deals with finding vulnerabilities not just in apps and computers, but in devices that few would think of as being a potential risk. The rise of the smart home means that many household items, from luxuries like exercise machines to basics like wall clocks, can also be internet-connected computers, tapping into the network to make life easier and better in a myriad of ways.

The ‘internet of things’, or IoT, has been a tech catchphrase for a long time, but it’s now a daily consumer reality too, with thermostats and air conditioners, security cameras and door locks, fridges and coffee machines all offering enhanced experiences through online connectivity. The security challenge lies in the fact that most people would view items like these just as a thermostat or as a door lock – not as a computer which requires protection. How, after all, do you install an antivirus service on a fridge?

Evolving the consumer security mindset

Combined with the increase of online activity we’ve all experienced over the last year, this requires more than widening consumers’ current thinking about security to include more devices. It requires a whole new approach. When the average household had one or two computers, it made sense to think of cybersecurity in terms of protecting the device. When any item in a home could also be an internet access point, we need to start thinking instead in terms of protecting people and families.

A big part of that will be expecting more of the companies who design and supply these devices. When the ATR team – or another threat research team – finds a flaw in a consumer device, step one is always to contact the manufacturer and work with them to fix it before malicious actors spot the opportunity. Many businesses behave responsibly, responding openly and collaboratively, developing a solution, and rolling it out as quickly as possible. Not all businesses are so conscientious. How businesses react to security problems should be a much bigger part of how we choose what to purchase.

Going back to the car, the traffic light was not the final safety innovation we saw. Over the last century, growing regulations and awareness led to a situation where, today, purchasers are likely to inspect a vehicle’s safety ratings before handing over their cash. In just the same way, attitudes to cybersecurity need to keep evolving – and soon, we may even be asking car manufacturers about how they respond to vulnerability disclosures.

The pandemic was a leap forward in how far digitalised our lives have become. Companies and customers alike now need to think carefully about what we need to talk about when we talk about making our online lives safe, secure, and private.

The post Homes, Not Just Devices: The New Consumer Cybersecurity appeared first on McAfee Blogs.

]]>
McAfee Labs Report Highlights Ransomware Threats https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-labs-report-highlights-ransomware-threats/ Thu, 24 Jun 2021 04:01:11 +0000 /blogs/?p=123511

The McAfee Advanced Threat Research team today published the McAfee Labs Threats Report: June 2021. In this edition we introduce...

The post McAfee Labs Report Highlights Ransomware Threats appeared first on McAfee Blogs.

]]>

The McAfee Advanced Threat Research team today published the McAfee Labs Threats Report: June 2021.

In this edition we introduce additional context into the biggest stories dominating the year thus far including recent ransomware attacks. While the topic itself is not new, there is no question that the threat is now truly mainstream.

This Threats Report provides a deep dive into ransomware, in particular DarkSide, which resulted in an agenda item in talks between U.S. President Biden and Russian President Putin. While we have no intention of detailing the political landscape, we certainly do have to acknowledge that this is a threat disrupting our critical services. Furthermore, adversaries are supported within an environment that make digital investigations challenging with legal barriers that make the gathering of digital evidence almost impossible from certain geographies.

That being said, we can assure the reader that all of the recent campaigns are incorporated into our products, and of course can be tracked within our MVISION Insights preview dashboard.

This dashboard shows that – beyond the headlines – many more countries have experienced such attacks. What it will not show is that victims are paying the ransoms, and criminals are introducing more Ransomware-as-a-Service (RaaS) schemes as a result. With the five-year anniversary of the launch of the No More Ransom initiative now upon us it’s fair to say that we need more global initiatives to help combat this threat.

Q1 2021 Threat Findings

McAfee Labs threat research during the first quarter of 2021 include:

  • New malware samples averaging 688 new threats per minute
  • Coin Miner threats surged 117%
  • New Mirai malware variants drove increase in Internet of Things and Linux threats

Additional Q1 2021 content includes:

  • McAfee Global Threat Intelligence (GTI) queries and detections
  • Disclosed Security Incidents by Continent, Country, Industry and Vectors
  • Top MITRE ATT&CK Techniques APT/Crime

We hope you enjoy this Threats Report. Don’t forget to keep track of the latest campaigns and continuing threat coverage by visiting our McAfee Threat Center. Please stay safe.

The post McAfee Labs Report Highlights Ransomware Threats appeared first on McAfee Blogs.

]]>
Watch Out for These 3 Online Job Scams https://www.mcafee.com/blogs/consumer/consumer-cyber-awareness/watch-out-for-these-3-online-job-scams/ Wed, 23 Jun 2021 19:03:04 +0000 /blogs/?p=123601 Job Scam

If you recently found yourself looking for a new job, you are far from alone. According to the Institute of Labor Economics,...

The post Watch Out for These 3 Online Job Scams appeared first on McAfee Blogs.

]]>
Job Scam

If you recently found yourself looking for a new job, you are far from alone. According to the Institute of Labor Economics, more Canadians were seeking new employment opportunities at the height of the pandemic than during the previous three recessions combined. Job hunters only used to have to worry about the clarity of their cover letters and impressing interviewers. Now, however, a new hurdle is in the mix in the race for a new job: online job scams. 

Here are three online job scams that you may encounter, plus a few tips on how to avoid and report them. 

1. Fake Job Ads

Fake job ads trick employment seekers into giving up their financial information. Fake job ads are more likely to appear on free sites, such as Craigslist, but they could be listed anywhere. So, no matter where you are searching, be wary that not everyone is looking for a talented individual such as yourself. They are on the hunt for sensitive personal details. 

When you are interviewing for jobs, legitimate employers are careful and intentioned about evaluating your fit for the job. For this reason, employers want to make sure they are not interviewing fake candidates, so they are likely going to want to meet you face-to-face or through a video chat. If an employer extends a job offer after a few email exchanges or an instant messenger job interview, request a more formal meeting. If they say that they would like to move fast and hire quickly, be concerned as no real employer would act that quickly. 

Guard your personal and financial information until you are 100% sure of the legitimacy of a job offer. Be on high alert if the “human resources representative” asks for your credit card or banking information to pay for training. Fake employers may also ask for your Social Insurance Number before extending a job offer letter. A great rule of thumb is to never share your SIN with anyone over the phone or over email. 

2. Phishing Emails

Between March and September 2020, 34% of Canadian respondents reported receiving a phishing message, according to a survey by Statistics CanadaPhishing emails often include malicious links that, when clicked, download malware to your device. Online job scams may not only attempt to steal your sensitive information, but they may also be phishing attempts to take over your personal devices. 

Some scammers using job offers as a guise might email people who never applied for a new opportunity. Be careful around these types of messages, urges the University of Calgary. Recruiters will most likely reach out and offer unsolicited interviews through social networking channels rather than email. Also, when you receive emails from people looking to hire you, take note of their email domain name. Is the email domain customized to the company’s name or is it a generic @gmail or @yahoo? Check the spelling of the email domain carefully too. Phishers are notoriously bad spellers and sometimes they use incorrect spelling of domain names to trick people into thinking they are the real company. 

3. Immigration Scams

Immigrating anywhere is a massive and stressful undertaking. Cybercriminals prey upon this stressful, major life event and target immigrants with enticing, but fake, job offers. The Government of Canada advises to never trust someone who says they can guarantee you a job in Canada. Also, keep an eye on the salary. Is it very high? Do your skills not completely align with the job description? Does the job seem very easy? Unfortunately, that may mean that the offer is too good to be true.  

How to Cover Your Bases

The best way to avoid falling for job scams is to know what you are looking for and to take your time when considering a new job. Check out these tips to outsmart scammers and keep your personal information and devices safe. 

1. Verify employers

Most job applications are submitted online, but if an employer is impressed by your resume, they will likely offer a screening call. When a human resources representative calls, make sure to note their name and ask for the website address of the company. Afterwards, search for the company online and the human resources representative who called you. They should show up together on a professional-looking website or a professional networking site. 

2. Read carefully

Inspect all correspondences you get from potential employers. Phishers often use language that inspires strong emotions and urges a speedy response. Strong emotions could include excitement or fear. If the email says you only have a few hours to respond or else the job will go to someone else, be skeptical. Accepting a job is a huge decision that you should be able to take at least a few days to think about. Read carefully, always hover over links to see where they redirect, and keep a level head when making decisions about your next career move. 

3. Report fraudulent activity

When you come across fraudulent activity, it is important that you report it to the correct authorities to stop it from happening to someone else. For immigration and online job scams, contact the Canadian Anti-Fraud Centre. 

4. Install security tools 

Phishers and job scammers may have gotten in contact with you with the aim of downloading malicious software on your computer. A comprehensive suite of security tools will protect you from viruses and malware that may have slipped past your eagle eye. McAfee Total Protection offers premium antivirus software, safe web browsing, and PC optimization. 

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.  

The post Watch Out for These 3 Online Job Scams appeared first on McAfee Blogs.

]]>
Restricting Supplier Choice Isn’t an Option to Enhance Digital Sovereignty https://www.mcafee.com/blogs/other-blogs/executive-perspectives/restricting-supplier-choice-isnt-an-option-to-enhance-digital-sovereignty/ Wed, 23 Jun 2021 17:41:00 +0000 /blogs/?p=123625

Digital sovereignty and strategic autonomy are phrases that are used almost daily in EU policy circles, loosely framed around the...

The post Restricting Supplier Choice Isn’t an Option to Enhance Digital Sovereignty appeared first on McAfee Blogs.

]]>

Digital sovereignty and strategic autonomy are phrases that are used almost daily in EU policy circles, loosely framed around the EU’s ability to carve out its own future in the digital sphere, rather than having its terms dictated from abroad. To achieve digital sovereignty in practice, having access to as broad a range of suppliers is key, not unnecessarily restricting the market.

Our ability to self-determine Europe’s digital future is at risk when we become reliant on one source, that much is clear, and has been demonstrated recently in the global supply shortage of microchips. All measures that reduce this dependency will benefit digital sovereignty, which in practice means expanding competition in the market to as many players as possible.

The means to get there are varied, and Europe is rightly seeking to build infrastructure, expand the pool of skilled experts and facilitate market entry. The EU and member states are also putting in place measures to eliminate obvious security risks in supply chains that demand an extra layer of vigilance, such as critical infrastructure, which is in the interest of national security.

But the notion that homegrown European solutions are automatically better than non-European ones – sometimes backed by measures that give European vendors and suppliers undue advantage, or which place additional hurdles for companies that handle customer data outside the EU – is misguided.

In the cybersecurity domain, in particular, limiting interoperability and vendor choice will only reduce Europe’s resilience against cyberattacks, which is a crucial element to ensuring Europe’s digital sovereignty and strategic autonomy. This is as true now as it always has been, in a sector innovating at break neck speed to meet the challenges set by our adversaries.

In this competitive market, best-in-class providers at the cutting edge of security are the ones that will make Europe more cyber-secure, irrespective of where they happen to have their headquarters or data centers.  Irrational decisions guided by protectionism should have no place in this debate. Indeed policies or practices requiring forced data localisation can often limit the benefits generated by scale and global reach, and negatively impact cyber security’s operational effectiveness.

A recent seminar organised by ECIS, the European Committee for Interoperable Systems, set out some clear principles that should guide Europe’s quest for digital sovereignty. Ensuring that the market operates as effectively as possible, supplier choice is as broad as possible, and interoperability and ability to switch suppliers is safeguarded, on the basis of clear standards, will be paramount.

That is not to say that all measures being considered are misguided. An industrial policy that improves Europe’s digital infrastructures will boost Europe’s supply of home-grown digital services and products. Countries also have legitimate reasons to safeguard their national security and are well within their rights to set criteria to this end. The real danger lies in confusing protectionism with digital sovereignty.

The post Restricting Supplier Choice Isn’t an Option to Enhance Digital Sovereignty appeared first on McAfee Blogs.

]]>
Do the Benefits of Bitcoin Outweigh the Risks? https://www.mcafee.com/blogs/consumer/consumer-cyber-awareness/do-the-benefits-of-bitcoin-outweigh-the-risks/ Tue, 22 Jun 2021 22:46:03 +0000 /blogs/?p=123577 Bitcoin

What do Burger King and the popular “Doge” meme have in common? They both have cryptocurrencies named after their likeliness. WhopperCoin and...

The post Do the Benefits of Bitcoin Outweigh the Risks? appeared first on McAfee Blogs.

]]>
Bitcoin

What do Burger King and the popular “Doge” meme have in common? They both have cryptocurrencies named after their likeliness. WhopperCoin and Dogecoin are just two examples of the thousands of types of cryptocurrencies that have caught users’ attention over the past few years. Cryptocurrencies are digital tokens generated by a computer after solving complex mathematical functions. These functions are used to verify the authenticity of a ledger, or blockchain.  

Bitcoin is the most popular cryptocurrency today, increasing its value by almost 300% in 2020. Today, almost 46 million Americans own at least one share of Bitcoin, illustrating how these cryptocurrencies are the future of tomorrow’s digital payment system — or are they? The same benefits that make them a popular choice with online users have also made them popular amongst online thieves, sparking a wave of ransomware attacks and other cyberattacks more recently. This begs the question: do the benefits of Bitcoin outweigh the risks? 

Bitcoin: Benefits vs. Risks 

Every rose has its thorn, and several Bitcoin benefits seem to be hitched to online security risks. Here are some cryptocurrency characteristics that may seem appealing to users, but also provide cybercriminals with an opportunity to exploit:  

Purchase discretion and user autonomy 

As previously mentioned, cryptocurrency exchanges take place on an online public ledger, or blockchain, to secure online transactions. This means that anybody can observe the exchange online. However, the parties making the transactions are anonymous, disguised with a random number. Bitcoin users can make purchases that are never associated with their identity, similar to a cash transaction.  

While the purchase discretion provided by Bitcoin may be appealing to users who want to remain private, this characteristic could also aid cybercriminals in malicious activity. Due to the anonymity of Bitcoin transactions, there is no way for someone to associate a person with a certain cryptocurrency wallet. Furthermore, a user could have multiple wallets, allowing them to spread their currency from one address to another.  

For a cybercriminal looking to target an individual with ransomware, the purchase discretion and anonymity of Bitcoin provide a favorable solution. In fact, Bitcoin accounts for approximately 98% of ransomware payments today. Say a hacker carries out a ransomware attack and demands that the user pay a large sum in Bitcoin. If the user completes the payment, the hacker can keep moving the currency from one anonymous account to another. That makes it very difficult — though not impossible — to trace if the individual decides to investigate the case and tries to get their money back. 

No more middleman  

Another characteristic that Bitcoin users find appealing is the autonomy offered by digital currencies. In theory, they allow users more autonomy over their own money than government-regulated currencies do. With Bitcoin, users can control how they spend their money without dealing with an intermediary authority like a bank or government. 

This lack of intermediary authority also opens a door for hackers to exploit. Say a user decides that they want to manage their finances using Bitcoin to bypass banking fees and send money to friends and family in different parts of the world. As previously mentioned, a Bitcoin user is assigned an anonymous private key that acts as their security credential. This key is generated and maintained by the user instead of a third-party agency. But what happens if the key isn’t random enough? An attacker could steal the user’s private key, and they will not be able to recover it since the Bitcoin blockchain is not dependent on any centralized third-party institutions. Therefore, it will be very difficult to track the attacker’s behaviors and recover lost funds.  

How Consumers Can Protect Themselves from Cryptocurrency-Driven Attacks 

It is safe to say that Bitcoin has caused a lot of buzz. But do the benefits outweigh the risks? Due to the nature of Bitcoin and most other public blockchains, anyone in the world can perform transactions or cryptographic computations — including cybercriminals. That’s why it is crucial for current cryptocurrency users and those considering cryptocurrency investment to do their research and know what vulnerabilities lie within the world of Bitcoin.  

Follow these tips to help protect yourself from common threats that leverage cryptocurrency:  

 1. Do your homework.  

With blockchain, cryptocurrency, and any new and emerging technology, make sure you always remain a bit skeptical. Do your homework before you embrace the technology — research your options and make note of any known security issues and what you can do to mitigate known risks. 

 2. Don’t pay the ransom.  

If a hacker does target you with ransomware demanding Bitcoin payment, it’s best not to pay the ransom. Although you may feel in the moment that this is the only way to get your encrypted files back, there is no guarantee that the ransomware developers will send a decryption tool once they receive the payment. Paying the ransom also contributes to the development of more ransomware families, so it is best to hold off on making any payments. Furthermore, a recent study found that 80% of businesses that choose to pay a ransom experience a subsequent ransomware attack. While it may feel like your only option in the moment, paying a ransom could show attackers that you’re willing to make the payment, therefore positioning you as an ideal target for yet another attack.   

3. Back up your data.  

If you are targeted with ransomware, it’s crucial that you always have backup copies of your files, preferably in the cloud and on an external hard drive. This way, if you do get a ransomware infection, you can wipe your computer or device and reinstall your files from the backup. Backups protect your data, and you won’t be tempted to reward the hackers by paying a ransom. Backups won’t prevent ransomware, but they can mitigate the risks.  

4. Update your credentials.  

Large organizations often fall prey to ransomware attacks, so take necessary precautions if a company you’ve interacted with becomes compromised from a data leak or a ransomware attack. Immediately change your passwords for all your accounts, ensuring they are strong and unique. You can also employ a password manager to keep track of your credentials and generate secure login keys.  

5. Use a comprehensive security solution 

Add an extra layer of security with a solution such as McAfee® Total Protection, which includes Ransom Guard, to help protect your devices from these cyberthreats and ensure your digital wellness online.  

The emergence of Bitcoin has indeed facilitated a wave of cybercrime that was previously difficult to perceive. In this new age of digital payments, blockchain, and cryptocurrencies, make sure that you do your research and stay vigilant when it comes to protecting your online safety. Remember: Bitcoin worth will continue to fluctuate, but your personal security will always remain invaluable.  

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.  

The post Do the Benefits of Bitcoin Outweigh the Risks? appeared first on McAfee Blogs.

]]>
7 Tips to Protect Your Smartphone from Getting Hacked https://www.mcafee.com/blogs/consumer/mobile-and-iot-security/7-tips-to-protect-your-smartphone-from-getting-hacked/ Tue, 22 Jun 2021 13:00:53 +0000 /blogs/?p=123478 Sécurité des smartphones

There’s little rest for your hard-working smartphone. If you’re like many professionals today, you use it for work, play, and a mix of personal...

The post 7 Tips to Protect Your Smartphone from Getting Hacked appeared first on McAfee Blogs.

]]>
Sécurité des smartphones

There’s little rest for your hard-working smartphone. If you’re like many professionals today, you use it for work, play, and a mix of personal business in between. Now, what if something went wrong with that phone, like loss or theft? Worse yet, what if your smartphone got hacked? Let’s try and keep that from happening to you. 

Globally, plenty of people pull double duty with their smartphones. In Spain, one survey found that 55% of people use the same phone for a mix of personal and and work activity. The same survey showed that up to half of people interviewed in Japan, Australia, and the U.S. do so as well, while nations like the UK and Germany trailed at 31% and 23% respectively. 

Whether these figures trend on the low or high end, the security implications remain constant. A smartphone loaded with business and personal data makes for a desirable target. Hackers target smartphones because they’re often unprotected, which gives hackers an easy “in” to your personal information and to any corporate networks you may use.  It’s like two hacks with one stone.  

Put simply, as a working professional with a smartphone, you’re a high-value target.  

Protect your smartphone from being hacked 

As both a parent and a professional, I put together a few things you can do to protect your smartphone from hacks so that you can keep your personal and work life safe: 

1. Add extra protection with your face, finger, pattern, or PIN. 

First up, the basics. Locking your phone with facial ID, a fingerprint, pattern or a pin is your most basic form of protection, particularly in the event of loss or theft. (Your options will vary depending on the device, operating system, and manufacturer.) Take it a step further for even more protection. Secure the accounts on your phone with strong passwords and use two-factor authentication on the apps that offer it, which doubles your line of defense.    

2. Use a VPN. 

Or, put another way, don’t hop onto public Wi-Fi networks without protection. A VPN masks your connection from hackers allowing you to connect privately when you are on unsecure public networks at airports, cafes, hotels, and the like. With a VPN connection, you’ll know that your sensitive data, documents, and activities you do are protected from snooping, which is definitely a great feeling given the amount of personal and professional business we manage with our smartphones. 

3. Stick to the official app stores for your apps.

Both Google Play and Apple’s App Store have measures in place to help prevent potentially dangerous apps from making it into their stores. Malicious apps are often found outside of the app stores, which can run in the background and compromise your personal data like passwords, credit card numbers, and more—practically everything that you keep on your phone. Further, when you are in the app stores, look closely at the descriptions and reviews for apps before you download them. Malicious apps and counterfeits can still find their way into stores, and here are a few ways you can keep those bad apps from getting onto your phone.    

4. Back up the data on your phone. 

Backing up your phone is always a good idea for two reasons: 

  • First, it makes the process of transitioning to a new phone easy by transferring that backed up data from your old phone to your new phone. 
  • Second, it ensures that your data stays with you if your phone is lost or stolen—allowing you to remotely wipe the data on your lost or stolen phone while still having a secure copy of that data stored in the cloud.  

Both iPhones and Android phones have straightforward ways of backing up your phone regularly. 

5. Learn how to lock or wipe your phone remotely in case of emergency. 

Worst case scenario—your phone is gone. Really gone. Either it’s hopelessly lost or got stolen. What now? Lock it remotely or even wipe its data entirely. While that last bit about wiping the phone seems like a drastic move, if you maintain regular backups as mentioned above, your data is secure in the cloud—ready for you to restore. In all, this means that hackers won’t be able to access you, or your company’s, sensitive information—which can keep you out of trouble and your professional business safe. Apple provides iOS users with a step-by-step guide for remotely wiping devices, and Google offers up a guide for Android users as well. 

6. Get rid of old apps—and update the ones you keep. 

We all download apps, use them once, and then forget they are on our phone. Take a few moments to swipe through your screen and see which ones you’re truly done with and delete them along with their data. Some apps have an account associated with them that may store data off your phone as well. Take the extra step and delete those accounts so any off-phone data is deleted.  

The reason for this is that every extra app is another app that needs updating or that may have a security issue associated with it. In a time of data breaches and vulnerabilities, deleting old apps is a smart move. As for the ones you keep, update them regularly and turn on auto-updates if that’s an option. Updates not only introduce new features to apps, but they also often address security issues too. 

7. Protect your phone. 

With so much of your life on your phone, getting security software installed on it can protect you and the things you keep on your phone. Whether you’re an Android owner or iOS owner, mobile security software can keep your data, your shopping, and payments secure. 

Stay Updated 

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on . 

The post 7 Tips to Protect Your Smartphone from Getting Hacked appeared first on McAfee Blogs.

]]>
Transforming to a Predictive Cyber Defense https://www.mcafee.com/blogs/enterprise/transforming-to-a-predictive-cyber-defense/ Mon, 21 Jun 2021 21:16:55 +0000 /blogs/?p=123553

How much of the global economy is managed from a home network these days? Or, more importantly, what percentage of...

The post Transforming to a Predictive Cyber Defense appeared first on McAfee Blogs.

]]>

How much of the global economy is managed from a home network these days? Or, more importantly, what percentage of your company’s most sensitive data passes through employee home networks right now?

If you’re like me, working from a home office, you can’t help but think about all of the cybersecurity tradeoffs that accompanied the widespread shift from on-premises to cloud-delivered services. Better productivity in exchange for deeper vulnerabilities—like man-in-the-middle attacks—wasn’t a choice many cybersecurity pros would make under normal circumstances.

Yet, for better—and worse—there’s no going back to how things were. When Gartner revealed its annual list of top cybersecurity trends last month, we learned that while 64% of employees now work from home, at least 30-40% will continue to do so once the pandemic is over.1 In the foreseeable future, the Wi-Fi streaming your kids’ favorite shows will transport an untold amount of business data, too. All of which must be protected from device to cloud.

In the same report, Gartner said that with so many employees continuing to work from home, “endpoint protection services will need to move to cloud-delivered services.” While the vast majority of our customers made the overnight switch—many still need to adopt a cloud-native architecture.

No doubt the best transformations are the ones you plan for and manage from end-to-end. But the cloud transformation that many didn’t plan for—and most cybersecurity defenses couldn’t handle—turned out to pack the biggest punch. Here are three ways to better prepare for what comes next.

1. Establish Building Blocks

Stopping unauthorized access to corporate assets—and protecting them—is, on the face of it, a never-ending battle. You can’t build a moat, a wall, or a bubble and say, hey, my work here is done. We’ve found our customers need to solve two primary issues:

  • First, identify where data can leak and be stolen.
  • Second, prevent that event from happening with data protection spanning endpoints, web gateway, and the cloud.

So, we created the MVISION Device-to-Cloud Suites to protect all of this data coursing through home networks. Among the many types of threats we’ve tracked, one of the biggest threats is viruses infecting browsers and capturing keystrokes to steal sensitive information. We solve this by isolating a browser so that no one can see what information has been entered.

While paradigms may shift, going forward we believe it’s predictive defenses that will enable faster, smarter and more effective data loss prevention. We get there by enabling optimized endpoint threat protection, Extended Detection and Response (EDRs) that improve mean time to detect and respond to threats, and useful analytics that not only empower your SOC but also help inform and engage executives.

2. Understand Threat Perspectives

Gaining executive and board-level buy-in has long been a topic of concern in the cybersecurity field. Thanks in part to the harsh publicity and severe damage caused by state-sponsored hacks that day is finally in sight. In a recent blog, McAfee’s Steve Grobman indicated SolarWinds is the first major supply chain attack which represents a shift in tactics where a nation state has employed a new weapon for cyber-espionage.”2

Cybersecurity is perceived as the second highest source of risk for enterprises, losing out to regulatory concerns, notes Gartner.3 While today only one in 10 board of directors have a dedicated cybersecurity committee, Gartner projects that percentage will rise to 40% in four years.

One reason why cybersecurity hasn’t been elevated to an ongoing board concern previously is that many executives lack a window into the cybersecurity in their midst. And lacking a window, they have no keen understanding of their organization’s vulnerabilities. Which also makes it difficult to assess the operational value of various cybersecurity investments.

The ability to gain visual insights and predictive assessments of your security posture against dangerous threats is what generates actionable intelligence. A CISO or CSO should be able to look at a single screen and understand in minutes how well protected they are against potential threats. They also need a team that’s ready to take action on these insights and enact appropriate countermeasures to protect corporate assets from imminent attack.

3. Eliminate Headaches

You want to protect your palace from thieves, but when do you finally have too many latches, locks, and bars on your doors? At some point, less is more, particularly if you can’t remember where you put your keys. Consolidation is one of Gartner top five trends this year. Four out of five companies plan to trim their list of cybersecurity vendors in the next three years.4

In fact, Gartner’s 2020 CISO Effectiveness Survey found that 78% of CISOs have 16 or more tools in their cybersecurity vendor portfolio, while 12% have a whopping 46 or more.5 Mind you, we know there is no end-all, be-all Security vendor who does everything. But with our Device-to-Cloud Suites, your security technology resides in one umbrella platform. Without McAfee, you’d need one vendor on the desktop, another in the cloud, and one more on the web gateway.

Consolidation is intended to remove headaches rather than create them. With one SaaS-based suite that addresses your core security issues, you have lower maintenance, plus the ability to visualize where you’re vulnerable and learn what you need to do to protect it.

We’re Here to Help

McAfee is here to help organizations manage the transformation to a predictive cybersecurity defense and we provide the footprint to secure the data, endpoints, web, and cloud. From my vantage point, securing distributed digital assets demands effective security controls from device to cloud.

MVISION Device-to-Cloud Suites provide a simplified way to help accelerate your cloud transformation and adoption, better defend against attacks, and lower your total cost of operations. The suites scale with your security needs to deliver a unified endpoint, web, and cloud solution.

Learn More About McAfee Device-to-Cloud Suites:

 

Source:

1. Gartner Identifies Top Security and Risk Management Trends for 2021 (Gartner)

https://www.gartner.com/en/newsroom/press-releases/2021-03-23-gartner-identifies-top-security-and-risk-management-t

2. Why SolarWinds-SUNBURST is a Wakeup Call (McAfee)

https://www.mcafee.com/blogs/other-blogs/executive-perspectives/why-solarwinds-sunburst-is-a-wake-up-call/

3. Gartner Identifies Top Security and Risk Management Trends for 2021 (Gartner)

https://www.gartner.com/en/newsroom/press-releases/2021-03-23-gartner-identifies-top-security-and-risk-management-t

4. Ibid.

5. Gartner Survey Reveals Only 12% of CISOs Are Considered “Highly Effective” (Gartner)

https://www.gartner.com/en/newsroom/press-releases/2020-09-17-gartner-survey-reveals-only-12-percent-of-cisos-are-considered-highly-effective

The post Transforming to a Predictive Cyber Defense appeared first on McAfee Blogs.

]]>
Testing to Ensure Your Security Posture Never Slouches https://www.mcafee.com/blogs/enterprise/security-operations/testing-to-ensure-your-security-posture-never-slouches/ Thu, 17 Jun 2021 17:24:26 +0000 /blogs/?p=123469

How well can you predict, prevent and respond to ever-changing cyberthreats? How do you know that your security efforts measure...

The post Testing to Ensure Your Security Posture Never Slouches appeared first on McAfee Blogs.

]]>

How well can you predict, prevent and respond to ever-changing cyberthreats? How do you know that your security efforts measure up? The stakes are high if this is difficult to answer and track.  Imagine if you had one place where you found a comprehensive real time security posture that tells you exactly where the looming current cyber risks are and the impact?  Let’s consider a recent and relevant cyber threat.

Take, for example, the May 7th DarkSide ransomware attack that shut down Colonial Pipeline’s distribution network. That well-publicized attack spurred considerable interest in cybersecurity assessments. Ransomware doesn’t just cost money—or embarrassment—it can derail careers. As news spread, we fielded numerous calls from executives wondering: Are my systems protected against DarkSide?

Until recently, discovering the answer to such questions has required exercises such as white hat penetration testing or the completion of lengthy or sometimes generic security posture questionnaires. And we know how that goes — your results may vary from the “norm,” sometimes quite a bit.

To empower you to ask and confidently answer the “am I protected” questions, we developed MVISION Insights Unified Posture Scoring to provide real-time assessments of your environment from device to cloud and threat campaigns targeting your industry.

With the score, you’ll know at a glance: Have you done enough to stave off the most likely risks? In general, the better controls you set for your endpoints, networks and clouds, the lower your risk of breaches and data loss—and the better your security posture score. A CISO from a large enterprise recently stated that the “most significant thing for a CISO to solve is to become confident in the security score.”

Risk and Posture

Assessing risk is about determining the likelihood of an event. A risk score considers where you’re vulnerable and based on those weaknesses how likely is it that a bad actor will exploit it? That scoring approach helps security teams determine whether to apply a specific tool or countermeasures.

However, a posture score goes a step further when it considers your current environment’s risk but also whether you’ve been able to withstand attacks. Where have you applied protections to suppress an attack? It enables you to ask: what’s the state of your defensive posture?

Security posture scoring may answer other critical questions such as:

  • What are the assets and what is their criticality (discover and classify)?
  • What are the threats (events perpetrated by threat actors in the context of the critical assets and vulnerabilities)?
  • What is the likelihood of breach (target by industry, region, other historical perspective)?
  • How vulnerable is my environment (weaknesses in the infrastructure)?
  • Can my controls counter & protect my cyber assets (mitigating controls against the vulnerabilities)?
  • What is the impact of a breach (business assessment based on CIA: confidentiality, integrity & availability)?

Knowing these answers also makes security posture scoring useful for compliance risk assessment, producing a benchmark that enables your organization to compare its industry performance and also choose which concerns to prioritize. The score can also serve as an indicator of whether your organization would be approved for cyber insurance or even how much it may have to pay.

Some organizations use security posture scoring to help prepare for security audits. But it can also be used in lieu of third-party assessments—applying recommended assessments instead of expensive penetration testing.

Scoring Points at Work

No doubt, the pandemic and working from home have exacerbated security posture challenges. According to Enterprise Strategy Group (ESG), a “growing attack surface” from cloud computing and new digital devices are complicating security posture management. So is managing “inexperienced remote workers,” who may be preyed upon by various forms of malware. This can lead not only to management headaches, says ESG, but also to “vulnerabilities and potential system compromises.”

About one year ago we released the initial version of MVISION Insights posture scoring —focused on endpoint assessments. A security score was assigned based on your preparedness to thwart looming threats and the configuration of your McAfee endpoint security products. It enabled predictive assessments based on security posture aligned to campaign-specific threat intelligence.

Customers are tired of piecing together siloed security and demand a unified security approach reflected in our MVISION XDR powered by MVISION Insights. We expanded the scoring capability to also assess cloud defenses, including your countermeasures and controls. Derived from MVISION Cloud Security Advisor, the cloud security posture is weighted average of visibility and control for IaaS, SaaS,and shadow IT. There is an option to easily pivot to MVISION Cloud Security Advisor.  The Unified Security posture score is weighted average of the endpoint and cloud security posture score delivering a more robust and comprehensive assessment with the ability to drill down on specifics to enhance your security from device to cloud. Many endpoint wanna-be XDR vendors cannot provide this critical aggregated security assessment across vectors.

Becoming more robust is what all of us must do. When organizations face the jeopardy of “Ransomware-as-a-Service” payments that may scale up to $2 million, understanding how best to manage your security posture is no longer simply a nice to have, it’s become an operational imperative.

Click here to learn more about Security Posture Scoring from a few practitioners in our LinkedIn Live session.

The post Testing to Ensure Your Security Posture Never Slouches appeared first on McAfee Blogs.

]]>
Father’s Day Gift Ideas: Protecting the Tech You Give to Dad https://www.mcafee.com/blogs/consumer/family-safety/fathers-day-gift-ideas-protecting-the-tech-you-give-to-dad/ Thu, 17 Jun 2021 13:30:41 +0000 /blogs/?p=122056 Father's Day

A new piece of tech often tops the list of Father’s Day gifts. And while things such as wearable fitness devices, smart...

The post Father’s Day Gift Ideas: Protecting the Tech You Give to Dad appeared first on McAfee Blogs.

]]>
Father's Day

A new piece of tech often tops the list of Father’s Day gifts. And while things such as wearable fitness devices, smart speakers, smart outlets, or any number of other connected gadgets and do-dads are popular picks, one thing often gets overlooked—protecting those devices from hacks and attacks. 

We live in a day and age when even connected lightbulbs can be hacked. The reality is that gift-worthy tech like home cameras, speakers, and other Internet of Things (IoT) devices can fall prey to bad actorsThe reason why is relatively straightforward. Each connected thing on your home network presents a possible entry point for an attacker 

By compromising even the most innocuous of devices, like the humble lightbulb, an attacker can inject malware into your network that can then compromise high-value items like your phones and computers—along with the data on them. So, if you’re wondering why on Earth anyone would want to hack a lightbulb, that’s one reason why. 

Protecting your privacy, identity, data, and smart devices  

Your network is only as safe as the least secure device that’s on it. And the sad fact is that many consumer IoT devices simply aren’t that secure. Their hardware can be limited, leaving little room for security measures onboard, and they can use transmission protocols that are less than robust. Further, they can use default usernames and passwords that people neglect to update, making them easy to access as doing a search online for those credentials. Secure data storage can be an issue as well, whether that’s a video from a security camera or health data from a fitness device that’s stored in the cloud.  

The list of possible IoT device vulnerabilities goes on. Certainly, some manufacturers are more stringent about security than others. However, adding any IoT device to your network also adds risk. And with more and more of these devices entering our homes, dedicated hackers have more targets available to them than ever before.  

In all, estimates project that the world will have nearly 40 billion IoT devices in the next four years across homes and businesses alike. And like our computers, laptops, smartphones, and tablets, all of them will need protection. Including the connected devices that you give dad. 

Seven Ways to Protect Your IoT Devices 

As you’re shopping for the best tech gift for dad, making sure his IoT devices are secure as possible may be the best gift of all. Right off the bat, the challenge with our IoT devices is that you don’t protect them the same way you can protect our computers, phones, and tablets, Namely, there isn’t always a way to install security software on them. What to do? In fact, we can show you several ways to tighten up the security of your new and existing IoT devices. What’s more, following these steps can also improve the overall security of your network too. 

1. Do your IoT homework 

Just because that new smart device that you want to give to dad can connect to the internet doesn’t mean that it’s secure. Before you purchase, read up on reviews and comments from other customers. Look for news articles about the device manufacturer too. The fact of the matter is that some IoT device manufacturers are much better at baking security protocols into their devices than others, so check out their track record to see if you can uncover any issues with their products or security practices. Information such as this can help you make an even more informed choice. 

2. Don’t use the default—Set a strong, unique password 

As mentioned above, one issue with many IoT devices is that they often come with a default username and password. This could mean that your device, and thousands of others just like it, all share the same credentials, which makes it painfully easy for a hacker to gain access to them as those default usernames and passwords are often published online. 

When you purchase an IoT device, set a fresh password using a strong method of password creation.  And keep those passwords safe. Instead of keeping them on a notebook or on sticky notes, consider using a password managerIt acts as a database for all your passwords and stores new codes as you create them. As always, don’t store them in an unprotected file on your computer, which can be subject to a hack or data loss. 

3. Use two-factor authentication 

Our banks, and even some of the online gaming platforms we use, use two-factor authentication to make sure that we’re logging in we really are who we say we are. The two factors break down like this: 

  • Your first factor is the username and password combo you have. 
  • The second factor in the mix is something you own, like your mobile phone.  

Thus, when you log in with your username and password and then get a prompt to enter a security code that was sent to your mobile phone, that’s two-factor authentication at work. If your IoT device supports two-factor authentication, put it to use and get that extra layer of security. 

4. Secure your internet router 

Your router acts as the internet’s gateway into your home. From there, it works as a hub that connects all your devices—computers, tablets, and phones, along with your IoT devices as well. With all that data and information flowing through it, it’s vital to keep your router secure.  

As we mentioned above, the first thing to do is change the default password and name of your router if you haven’t done so alreadyAgain, use a strong method of password creation. Also, change the name of your router. When you choose a new one, go with name that doesn’t give away your address or identity. Something unique and even fun like “Pizza Lovers” or “The Internet Warehouse” are options that mask your identity and are memorable for you too.  

While you’re at it, make sure that your router’s network security is set to WPA2-PSK [AES]. As of today, that’s the strongest level of protection available for home wireless networks. If your router doesn’t offer it, you may want to consider purchasing or renting one from your provider that does. 

5. Set up a guest network specifically for your IoT devices 

Just as you can offer your guests secure access that’s separate from your own devices, creating an additional network on your router allows you to keep your computers and smartphones separate from IoT devices. This way, if an IoT device is compromised, a hacker will still face the task of accessing your primary network to get at your computers and smartphones, along with the data and info that you have stored on them. You may also want to consider investing in an advanced internet router that has built-in protection and can secure and monitor any device that connects to your network. 

6. Update! 

As with our computers, laptops, phones, tablets, and apps, make sure you have the latest software updates for your IoT devices. The reasons here are the same: one, they’ll make sure you’re getting the latest functionality from your device; and two, updates often contain security upgrades. If there’s a setting that lets you receive automatic updates, enable it so that you always have the latest. 

7. Protect your phone 

You’ve probably seen that you can control a lot of your connected things with your smartphone. We’re using them to set the temperature, turn our lights on and off, and even see who’s at the front door. With that, it seems like we can add the label “universal remote control” our smartphones—so protecting our phones has become yet more important. Whether you’re an Android owner or iOS owner, get security software installed on your phone so you can protect all the things it accesses and controls—in addition to you and the phone as well. 

And protect your other things too 

And of course, let’s not forget our computers and laptops. While we’ve been primarily talking about IoT devices here, it’s a good reminder that computers and laptops need protection too. Using a strong suite of security software likeMcAfee® Total Protectioncan help defend your entire family from the latest threats and malware, make it safer to browse, and look out for your privacy too. 

Stay Updated  

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, subscribe to ournewsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post Father’s Day Gift Ideas: Protecting the Tech You Give to Dad appeared first on McAfee Blogs.

]]>
The Rise of the Dark Web Gig Economy https://www.mcafee.com/blogs/consumer/consumer-cyber-awareness/the-rise-of-the-dark-web-gig-economy/ Thu, 17 Jun 2021 12:15:12 +0000 /blogs/?p=122635 dark web

The gig economy has become more prevalent in today’s world with the appeal and necessity of flexible work opportunities. Many...

The post The Rise of the Dark Web Gig Economy appeared first on McAfee Blogs.

]]>
dark web

The gig economy has become more prevalent in today’s world with the appeal and necessity of flexible work opportunities. Many take advantage of short-term contracts, side jobs, and freelance work to retain more control over how they spend their day and earn their income. However, the proliferation of these flexible work opportunities has transcended into the dark web, allowing individuals to conduct nefarious activities. Rather than contracting handyman or moving services on the dark web, you can find hackers contracting their website hacking services or buyers placing ads looking for a hacker to hire. These acts pose significant risks to online users, given the amount of stolen personal information on dark websites. Take a look at the activities you can expect to find on the dark web and the steps you can take to safeguard your online privacy.

Watch Out for These Dark Web Criminal Activities 

The dark web is part of the public internet that search engines do not index. In other words, what happens on the dark web, stays on the dark web with no traceable records. Most people don’t realize that the dark web is not illegal despite its association with criminal activities. However, the dark web has retained a criminal reputation since it is challenging to track what goes on. As a result, criminals will often frequent the dark web to conduct a variety of illegal transactions, including hacking services. 

Researchers are discovering an uptick in activity on dark web forums that includes buying and selling black hat hacking services. 90% of the activity on these forums is from people looking to hire hackers to infiltrate websites and steal databases. Additionally, 4% of the people frequenting dark web forums requested hacking services related to website hacking and malicious code injection. 

Another 7% of people on the dark web are hackers contracting out their services and tools. These services and tools include web shells, a file uploaded to a server that an attacker can use to execute operating system commands, as well as access to administrative website interfaces and ready-made exploits. Many of the services offered on these forums range in specialties such as site infiltration to data extraction. As a result, they often attract a variety of customers with numerous requests. 

Further, many of the ads seeking hacking services are aimed at database hacking. Those targeting databases are often financially incentivized hackers and companies out to steal their competitor’s information. Databases remain a popular target for hackers since they contain a significant amount of personal information ranging from first and last names to credit card numbers. Cybercriminals can then use this information to commit numerous crimes such as monetary theft, unemployment and tax relief fraud, and identity theft.

For example, the Canada Revenue Agency (CRA) had to suspend approximately 800,000 accounts after discovering matching credentials for sale on the dark web. In a previous data breach, hackers used login credentials to access taxpayer accounts, apply for COVID-19 relief funds, and reroute the funds into their bank accounts. Taxpayers could not log in to their accounts without first taking the necessary steps to regain safe access.

5 Steps to Take After a Data Breach 

Users must protect their online presence and information as these criminal activities continue to escalate in demand. Here are the five must-dos after discovering a data breach to retain your online security.

1. Leverage security software 

Be one of the first to know about a data breach by leveraging security software such as McAfee Total Protection. A comprehensive security solution that includes dark web monitoring actively monitors the dark web for data breaches and exposed information. This information includes but is not limited to your date of birth, email addresses, credit card numbers, and personal identification numbers. Robust security software also provides steps for remediation after a data breach to guide the user to regain control and integrity of their data and privacy.

2. Stay in the know 

Companies are required to notify their customers of a data breach under the PIPEDA legislature. Be on the lookout for breach notices from relevant companies since they are often the first to know about a data breach impacting their online customers. 

Create news alerts for companies that have access to your information to stay notified of the latest events. Additionally, create notifications for your bank and other financial accounts to monitor for suspicious activity such as unauthorized transactions or a drop in credit score. You will be better prepared to mitigate any cybersecurity threats with the right security software and knowledge of the latest risks.  

3. Change your credentials 

Looking back to the 800,00 taxpayers whose accounts were suspended, they could not regain access without first changing their login credentials. Changing your login credentials such as your usernames, passwords, and security questions is a critical first step to take after any data breach.

Changing your credentials prevents hackers from accessing your personal information and ensures that you regain control over your account security. The chances of a hacker accessing your data are exceptionally high if you use the same credentials across different accounts. Thus, it’s essential to change your usernames and passwords regularly to ensure your information remains secure. 

4. Update your passwords 

Just as important as changing your password regularly is changing your password following best practices. Create stronger passwords by using a combination of the following: 

  • Upper case letters 
  • Lower case letters 
  • Numbers 
  • Symbols 

Long passwords with a minimum of 12 characters are also more effective than shorter passwords since it makes it more difficult for a hacker to guess. In sum, ensure all passwords are long, complex, and only used once. Use a password manager with a built-in generator like the one included in McAfee’s Total Protection solution to make it easier to access and manage passwords. 

5. Enable multifactor authentication 

If your credentials are exposed in a data breach, using multifactor authentication will ensure hackers cannot access your information using only your login credentials. So even if your username and password are exposed, there is still a layer of security that hackers will not be able to bypass. Block out unauthorized login attempts by enabling multifactor authentication wherever applicable.  

Safeguard Against Dark Web Activities  

The dark web continues to be a primary destination for cybercrime. Online users must remain cautious about the information they retain in their online accounts and the websites with access to their personal information. Your data security and privacy are not always a guarantee, but the more precautions you take with your online safety, the better protected you will be.  

Stay Updated 

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post The Rise of the Dark Web Gig Economy appeared first on McAfee Blogs.

]]>
Why Security is Now the Foundation of Good Customer Experience https://www.mcafee.com/blogs/other-blogs/executive-perspectives/why-security-is-now-the-foundation-of-good-customer-experience/ Thu, 17 Jun 2021 04:01:34 +0000 /blogs/?p=123463

What does ‘good customer service’ mean to you in 2021? A friendly greeting when you enter a shop? Quickly fixing...

The post Why Security is Now the Foundation of Good Customer Experience appeared first on McAfee Blogs.

]]>

What does ‘good customer service’ mean to you in 2021? A friendly greeting when you enter a shop? Quickly fixing any issues with deliveries? Or, perhaps the company you entrust with your data maintaining strong security and privacy practices?

It’s been a long time since digital technology was a special interest topic. Product launches, business deals, and new innovations were once reported on only in industry magazines – now, you’d be hard pressed to find a mainstream newspaper that doesn’t have some kind of technology section. We’ve quickly become used to the fact that when the tech giants talk, everybody listens.

More recently, however, it’s become clear that the internet has taken another step towards the centre of the public conversation. While new devices and technological advancements are still (mostly) kept in separate sections of the media or tagged on to the end of the TV news, problems with technology often land straight on the front page.

Outside observers have spent decades treating hacks and attacks as something arcane, as a distant problem that only the technologists can understand and only they have to deal with. Consumers, meanwhile, were left to hope that any issue would soon be fixed – whether that’s waiting for access to their files to be restored or trying again the next day to get into a website.

Cybersecurity is now everything-security

A few recent stories have underlined that those days are, or should be, behind us. In just the last two months, ransomware attacks have interrupted the operations of pipelines, food producers and the health sector. For many, this has been followed as a story about the international nature of cybercrime and claims that cryptocurrencies are enabling new types of attack.

For those communities reliant on the targeted organisations, however, these cyber-attacks can mean higher costs when fueling their cars to get to work, or product shortages in their weekly shop. We know that there’s a lot of technical interest in analysing ransomware such as DarkSide, or the many other groups attacking sectors like manufacturing, oil and gas, and healthcare. We always need to remember, however, that the focus is not just how these attacks work, but how we can prevent the real-world impacts they have on people’s daily lives.

These are extreme examples: they are incredibly high-value targets, which criminal groups will go to extraordinary lengths in order to disrupt, and which have national consequences when they are affected. Services like online retail and customer support can be disrupted in just the same way. From the perspective of the people who use these services, however, the fact that these were ransomware attacks doesn’t matter. Whether it’s due to attacks, accidents, or mismanagement, what matters is the betrayal of trust and the knock-on effects of service loss.

Customer experience means more than a nice interface

Examples like this are why I believe that we should see cybersecurity as a much wider foundation than we do, underpinning not just a business’s IT infrastructure, but its reputation, its revenue and, yes, its customer experience.

In crowded markets, customer experience is often the key differentiator between competing businesses. A lot of the disruption that we’ve seen in many sectors thanks to the growth of digital and online approaches has come down to a better, more premium customer experience. Whole industries have arisen around easier ways to order taxis, listen to music, and buy food.

As consumers continue to seek better, simpler experiences, they will (and, I think, should) also start paying close attention to how businesses respond to such incidents and maximise service levels. Key things that shoppers might want to look for when weighing up their choices include:

  • Does the company meet (or even exceed) data privacy standards, and is this detailed in a simple manner that is understandable to its customers?
  • Is the company transparent about who they share your data with, and why, before asking for it?
  • Has the company been open when it has experienced a security incident?

Businesses, meanwhile, should be looking at how the efforts they take around cybersecurity can form part of the way they build customer confidence. By communicating clearly about the defensive measures we take – and, vitally, framing them in terms of the outcomes they have on people’s lives, not just the technical details – we can all help to make the public savvier about how they can make sure they truly rely on the services they rely on.

The post Why Security is Now the Foundation of Good Customer Experience appeared first on McAfee Blogs.

]]>
A New Program for Your Peloton – Whether You Like It or Not https://www.mcafee.com/blogs/other-blogs/mcafee-labs/a-new-program-for-your-peloton-whether-you-like-it-or-not/ Wed, 16 Jun 2021 04:01:52 +0000 /blogs/?p=122833 Connected Fitness

Executive Summary  The McAfee Advanced Threat Research team (ATR) is committed to uncovering security issues in both software and hardware to help developers...

The post A New Program for Your Peloton – Whether You Like It or Not appeared first on McAfee Blogs.

]]>
Connected Fitness

Executive Summary 

The McAfee Advanced Threat Research team (ATR) is committed to uncovering security issues in both software and hardware to help developers provide safer products for businesses and consumers. As security researchers, something that we always try to establish before looking at a target is what our scope should be. More specifically, we often assume well-vetted technologies like network stacks or the OS layers are sound and instead focus our attention on the application layers or software that is specific to a target. Whether that approach is comprehensive sometimes doesn’t matter; and it’s what we decided to do for this project as well, bypassing the Android OS itself and with a focus on the Peloton code and implementations. During our research process, we uncovered a flaw (CVE-2021-33887) in the Android Verified Boot (AVB) process, which was initially out of scope, that left the Peloton vulnerable. 

For those that are not familiar with Peloton, it is a brand that has combined high end exercise equipment with cutting-edge technology. Its products are equipped with a large tablet that interfaces with the components of the fitness machine, as well as provides a way to attend virtual workout classes over the internet. “Under the hood” of this glossy exterior, however, is a standard Android tablet, and this hi-tech approach to exercise equipment has not gone unnoticed. Viral marketing mishaps aside, Peloton has garnered attention recently regarding concerns surrounding the privacy and security of its products. So, we decided to take a look for ourselves and purchased a Pelton Bike+.

Attempting to Backup 

One of the first things that we usually try do when starting a new project, especially when said projects involve large expenses like the Peloton, is to try to find a way to take a backup or system dump that could be used if a recovery is ever needed. Not all of our research techniques keep the device in a pristine state (we’d be poor hackers if they did)and having the ability to restore the device to its factory settings is a safety net that we try to implement on our targets 

Because we are working with a normal Android device with only the Peloton customizations running at the application layer, many of the processes used to back up an Android phone would also work with the Peloton. It is common in the Android custom ROM scene to use a custom recovery image that allows the user to take full flash dumps of each critical partition and provides a method to restore them later. In such communities, it often also goes without saying that the device must first be unlocked in order to perform any of these steps. While the Android OS allows users to flash these critical partitions, there are restrictions in place that typically prevent an attacker from gaining access to the “currently” running system. If an attacker was able to get their hands on an Android device with the goal of installing a rootkit, they would have to jump through some hoops. The first step that an attacker would need to take is to enable “Original Equipment Manufacturer (OEM) Unlocking”, which is a user mode setting within the “developer options” menu. Even with physical access to the bootloader, an attacker would not be able to “unlock” the Android device unless this setting is checked. This option is usually secured behind the user’s password, PIN, or biometric phone lock, preventing an attacker from accessing it easily. The second security measure in place is that even with the “OEM Unlocking” setting on, issuing commands to the bootloader to perform the unlock first causes all data on the Android device, including applications, files, passwords, etc., to be wiped. This way, even if an attacker did gain access to the Android device of an unsuspecting victim, they wouldn’t be able to install a rootkit or modify the existing kernel without deleting all the data, which both prevents personal data from falling into the attacker’s hands and makes it obvious the device has been tampered with. 

For this research effort, wresisted the urge to unlock the Peloton, as there are ways for apps to query the unlock status of a device within Android, and we wanted to ensure that any vulnerabilities we found weren’t the result of the device behaving differently due to it being unlocked. These discrepancies that arise from our research are usually identified by having two target devices: one to serve as the control and the other to serve as the test device. Unfortunately, we only had one Peloton to play with. Another issue was that the Peloton hardware is not very common and the developers of the aforementioned custom recovery images, like Team Win Recovery Project (TWRP), don’t create images for every device,  just the most common ones. So, the easy method of taking a backup would not only require unlocking the device but also trying to create our own custom recovery image 

This left us as at a crossroads. We could unlock the bootloader and root the device, granting us access to the flash memory block devices (raw interfaces to the flash partitions) internallywhich would allow us to create and restore backups as needed. However, as mentioned before, this would leave the bike in a recognizably “tampered” state. Alternatively, we could try to capture one of the bike’s Over-The-Air (OTA) updates to use as backup, but we would still need to “unlock” the device to actually flash the OTA image manually. Both options were less than ideal so we kept looking for other solutions. 

Android Verified Boot Process

Just as Secure Boot provides a security mechanism for properly booting the OS on Windows PCs, Android has implemented measures to control the boot process, called Android Verified Boot (AVB). According to Android’s documentation, AVB requires cryptographically verifying all executable code and data that is part of the Android version being booted before it is used. This includes the kernel (loaded from the boot partition), the device tree (loaded from the dtbo partition), system partition, vendor partition, and so on. 

The Peloton Bike+ ships with the default settings of “Verity Mode” set to trueas well as “Device Unlocked” and “Device Critical Unlocked” set to falsewhich is intended to prevent the loading of modified boot images and provide a way to determine if the device has been tampered with. This information was verified by running fastboot oem device-info on the Peloton, as demonstrated in Figure 1. 

 

Figure 1: OEM device info showing verity mode and unlocked status. 

To clarify, a simplified Android boot process can be visualized as follows: 


Figure 2: Simplified Android Boot Process 

If modified code is found at any of the stages in Figure 2, the boot process should abort or, if the device is unlocked, warn the user that the images are not verified and give the option to the user to abort the boot. 

Given that we defined our scope of this project to not include the Android boot process as a part of our research and verifying that Peloton has attempted to use the security measures provided by Android, we again found ourselves debating if a backup would be possible.  

In newer Android releases, including the Peloton, the update method uses Android’s Seamless System Updates (A/B). This update method no longer needs the “recovery” partition, forcing users who wish to use a custom recovery to use the fastboot boot command which will download and boot the supplied image. This is a temporary boot that doesn’t “flash“ or alter any of the flash partitions of the device and will revert to the previous boot image on restartSince this option allows for modified code to be executed, it is only available when the device is in an unlocked state and will error out with a message stating Please unlock device to enable this command, if attempted on a locked device.  

This is a good security implementation because if this command was always allowed, it would be very similar to the process of booting from a live USB on your PC, where you can login as a root user and have full control over the underlying system and components. 

Booting Modified Code 

This is where our luck or maybe naïveté worked to our advantage. Driven by our reluctance to unlock the device and our desire to make a backup, we tried to boot a generic TWRP recovery image just to see what would happen. The image ended up leaving us at a black screen, and since each recovery image needs to contain a small kernel with the correct drivers for the display, touch digitizer, and other devicespecific hardware, this was to be expectedWhat we didn’t expect, however, was for it to get past the fastboot boot command. While we didn’t get a custom recovery running, it did tell us one thingthe system was not verifying that the device was unlocked before attempting to boot a custom imageNormally this command would be denied on a “locked” device and would have just errored out on the fastboot command, as mentioned previously. 

It is also important to point out that despite having booted a modified image, the internal fuse had not been burned. These fuses are usually burned during the OEM unlocking process to identify if a device has allowed for a different “root of trust” to be installed. The burning of such a fuse is a permanent operation and a burnt fuse often indicates that the device has been tampered with. As shown in Figure 3, the “Secure Boot” fuse was still present, and the device was reporting a locked bootloader. 

Figure 3: Secure boot enabled with fused protection 

Acquiring an OTA Image 

This discovery was unexpected and we felt like we had stumbled upon a flaw that gave us the ability to finally take a backup of the device and leave the Peloton in an “untampered” state. Knowing that a custom image could be booted even with a “locked” bootloader, we began looking at ways to gather a valid boot image, which would contain the correct kernel drivers to facilitate a successful boot. If we could piece together the OTA update URL and just download an update package directly from Peloton, it would likely contain a boot image that we could modifyHaving the ability to modify a boot image would give us root and access to the blocked devices. 

Even with just ADB debugging enabled we were able to pull the Pelotonspecific applications from the device. We listed all the Peloton APKand sought out the ones that could help us get the OTA path, shown in Figure 4. 

Figure 4: Listing Peloton Specific Applications and Highlighting the one related to OTA Updates. 

Finding the name OTAService promising, we pulled down the APK and began to reverse-engineer it using JADX. After some digging, we discovered how the app was building the download URL string for OTA updateswhich would then be passed to beginDownload(), as seen in Figure 5. 

Figure 5OTA image path being constructed as “key” 

We also noticed quite a few Android log calls that could help us, such as the one right before the call to beginDownload(), so we used Android’s builtin logcat command and grepped the output for “OTA” as seen in Figure 6. Doing so, we were able to find which S3 bucket was used for the OTA updates and even a file manifest titled OTAConfig.json  

Figure 6: Relevant OTA logs in red 

Combining the information obtained from OTAService.apk and the logs, we were able to piece together the full path to the OTA images manifest file and names for each OTA zip file, as shown in Figure 7.  

Figure 7: Contents of OTAConfig.json 

Our next step was to extract the contents of the OTA update to get a valid boot.img file that would contain all the specific kernel drivers for the Peloton hardware. Since the Peloton is using AndroidA/B partitions, which facilitate seamless updates, the update packages were stored in a “payload.bin” format. Using the Android payload dumper tool, we were able to extract all of the images contained in the bin file. 

Modifying the Boot Image 

Once the boot.img was extracted, we needed a way to modify the initial kernel to allow us to gain root access on the device. Although there are a variety of ways to accomplish this, we decided to keep things simple and just use the Magisk installer to patch the boot.img file to include the “su” binary. With the boot.img patched, we were able to use the fastboot boot command again but this time passing it our patched boot.img file. Since the Verified Boot process on the Peloton failed to identify the modified boot image as tampered, the OS booted normally with the patched boot.img file. After this process was complete, the Peloton Bike+ was indistinguishable from its “normal” state under visual inspection and the process left no artifacts that would tip off the user that the Pelton had been compromised. But appearances can be deceiving, and in reality the Android OS had now been rootedallowing us to use the su” command to become root and perform actions with UID=0, as seen in Figure 8. 

Figure 8: Booting modified boot.img and executing whoami as Root 

Impact Scenarios 

As we just demonstrated, the ability to bypass the Android Verified Boot process can lead to the Android OS being compromised by an attacker with physical accessA worst-case scenario for such an attack vector might involve a malicious agent booting the Peloton with a modified image to gain elevated privileges and then leveraging those privileges to establish a reverse shell, granting the attacker unfettered root access on the bike remotely. Since the attacker never has to unlock the device to boot a modified image, there would be no trace of any access they achieved on the device. This sort of attack could be effectively delivered via the supply chain process. A malicious actor could tamper with the product at any point from construction to warehouse to delivery, installing a backdoor into the Android tablet without any way the end user could know. Another scenario could be that an attacker could simply walk up to one of these devices that is installed in a gym or a fitness room and perform the same attack, gaining root access on these devices for later use. The Pelobuddy interactive map in figure 9 below could help an attacker find public bikes to attack. 

Figure 9pelobuddy.com’s interactive map to help locate public Peloton exercise equipment. 

Once an attacker has root, they could make their presence permanent by modifying the OS in a rootkit fashion, removing any need for the attacker to repeat this step. Another risk is that an attacker could modify the system to put themselves in a man-in-the-middle position and sniff all network traffic, even SSL encrypted traffic, using a technique called SSL unpinning, which requires root privileges to hook calls to internal encryption functionality. Intercepting and decrypting network traffic in this fashion could lead to users personal data being compromised. Lastly, the Peloton Bike+ also has a camera and a microphone installed. Having remote access with root permissions on the Android tablet would allow an attacker to monitor these devices and is demoed in the impact video below. 

Disclosure Timeline and Patch 

Given the simplicity and criticality of the flaw, we decided to disclose to Peloton even as we continue to audit the device for remote vulnerabilities. We sent our vendor disclosure with full details on March 2, 2021 – shortly after, Peloton confirmed the issue and subsequently released a fix for it in software version “PTX14A-290”. The patched image no longer allows for the “boot” command to work on a user build, mitigating this vulnerability entirelyThe Peloton vulnerability disclosure process was smooth, and the team were receptive and responsive with all communications. Further conversations with Peloton confirmed that this vulnerability is also present on Peloton Tread exercise equipment; however, the scope of our research was confined to the Bike+.

Peloton’s Head of Global Information Security, Adrian Stone, shared the following “this vulnerability reported by McAfee would require direct, physical access to a Peloton Bike+ or Tread. Like with any connected device in the home, if an attacker is able to gain physical access to it, additional physical controls and safeguards become increasingly important. To keep our Members safe, we acted quickly and in coordination with McAfee. We pushed a mandatory update in early June and every device with the update installed is protected from this issue.”

We are continuing to investigate the Peloton Bike+, so make sure you stay up to date on McAfee’s ATR blogs for any future discoveries. 

The post A New Program for Your Peloton – Whether You Like It or Not appeared first on McAfee Blogs.

]]>
Is Your Peloton Spinning Up Malware? https://www.mcafee.com/blogs/consumer/mobile-and-iot-security/is-your-peloton-spinning-up-malware/ Wed, 16 Jun 2021 04:01:05 +0000 /blogs/?p=122800 Connected Fitness

[Disclaimer: The McAfee ATR team disclosed this vulnerability to Peloton and promptly started working together to responsibly develop and issue a patch within...

The post Is Your Peloton Spinning Up Malware? appeared first on McAfee Blogs.

]]>
Connected Fitness

[Disclaimer: The McAfee ATR team disclosed this vulnerability to Peloton and promptly started working together to responsibly develop and issue a patch within the disclosure window. The patch was tested and confirmed effective on June 4, 2021.]

Picture this: A hacker enters a gym or fitness center with a Peloton Bike+. They insert a tiny USB key with a boot image file containing malicious code that grants them remote root access. Since the attacker doesn’t need to factory unlock the bike to load the modified image, there is no sign that it was tampered with. With their newfound access, the hacker interferes with the Peloton’s operating system and now has the ability to install and run any programs, modify files, or set up remote backdoor access over the internet. They add malicious apps disguised as Netflix and Spotify to the bike in the hopes that unsuspecting users will enter their login credentials for them to harvest for other cyberattacks. They can enable the bike’s camera and microphone to spy on the device and whoever is using it. To make matters worse, they can also decrypt the bike’s encrypted communications with the various cloud services and databases it accesses, potentially intercepting all kinds of sensitive information. As a result, an unsuspecting gym-goer taking the Peloton Bike+ for a spin could be in danger of having their personal data compromised and their workout unknowingly watched.  

That’s a potential risk that you no longer have to worry about thanks to McAfee’s Advanced Threat Research (ATR) team. The ATR team recently disclosed a vulnerability (CVE-2021-3387) in the Peloton Bike+, which would allow a hacker with either physical access to the Bike+ or access during any point in the supply chain (from construction to delivery), to gain remote root access to the Peloton’s tablet. The hacker could install malicious software, intercept traffic and user’s personal data, and even gain control of the Bike’s camera and microphone over the internet. Further conversations with Peloton confirmed that this vulnerability is also present on Peloton Tread exercise equipment; however, the scope of our research was confined to the Bike+.

As a result of COVID-19, many consumers have looked for in-home exercise solutions, sending the demand for Peloton products soaring. The number of Peloton users grew 22% between September and the end of December 2020, with over 4.4 million members on the platform at year’s end. By combining luxury exercise equipment with high-end technology, Peloton presents an appealing solution to those looking to stay in shape with a variety of classes, all from a few taps of a tablet. Even though in-home fitness products such as Peloton promise unprecedented convenience, many consumers do not realize the risks that IoT fitness devices pose to their online security.  

Under the Hood of the Peloton Bike+  

IoT fitness devices such as the Peloton Bike+ are just like any other laptop or mobile phone that can connect to the internet. They have embedded systems complete with firmware, software, and operating systems. As a result, they are susceptible to the same kind of vulnerabilities, and their security should be approached with a similar level of scrutiny.  

Following the consumer trend in increasing IoT fitness devices, McAfee ATR began poring over the Peloton’s various systems with a critical eye, looking for potential risks consumers might not be thinking about. It was during this exploratory process that the team discovered that the Bike’s system was not verifying that the device’s bootloader was unlocked before attempting to boot a custom image. This means that the bike allowed researchers to load a file that wasn’t meant for the Peloton hardware — a command that should normally be denied on a locked device such as this one. Their first attempt only loaded a blank screen, so the team continued to search for ways to install a valid, but customized boot image, which would start the bike successfully with increased privileges.  

After some digging, researchers were able to download an update package directly from Peloton, containing a boot image that they could modify. With the ability to modify a boot image from Peloton, the researchers were granted root access. Root access means that the ATR team had the highest level of permissions on the device, allowing them to perform functions as an end-user that were not intended by Peloton developers. The Verified Boot process on the Bike failed to identify that the researchers tampered with the boot image, allowing the operating system to start up normally with the modified file. To an unsuspecting user, the Peloton Bike+ appeared completely normal, showing no signs of external modifications or clues that the device had been compromised. In reality, ATR had gained complete control of the Bike’s Android operating system.  

Tips For Staying Secure While Staying Fit 

The McAfee ATR team disclosed this vulnerability to Peloton and promptly started working together to responsibly develop and issue a patch within the disclosure window. The patch was tested and confirmed effective on June 4, 2021. The discovery serves as an important reminder to practice caution when using fitness IoT devices, and it is important that consumers keep these tips in mind to stay secure while staying fit:  

1. Update, update, update! 

Stay on top of software updates from your device manufacturer, especially since they will not always advertise their availability. Visit their website regularly to ensure you do not miss news that may affect you. Additionally, make sure to update mobile apps that pair with your IoT device. Adjust your settings to turn on automatic software updates, so you do not have to update manually and always have the latest security patches.  

2. Do your research  

Do your research before making a significant investment in an IoT device. Ask yourself if these devices are from a reputable vendor. Have they had previous data breaches in the past, or do they have an excellent reputation for providing secure products? Also, take note of the information your IoT device collects, how vendors use this information and what they release to other users or third parties. 

Above all, understand what control you have over your privacy and information usage. It is a good sign if an IoT device allows you to opt-out of having your information collected or lets you access and delete the data it does collect.  

3. Consider an identity theft protection solution 

Protect your data from being compromised by stealthy cybercriminals by using an identity theft solution such as the one included in McAfee Total Protection. This software allows users to take a proactive approach to protecting their identities with personal and financial monitoring, as well as recovery tools.  

Minimize Security Risks  

If you are one of the 4.4 million Peloton members or use other IoT fitness devices, it is important to keep in mind that these gadgets could pose a potential security risk just like any other connected device. To elevate your fitness game while protecting your privacy and data, incorporate cybersecurity best practices into your everyday life so you can confidently enjoy your IoT devices.

Collaboration with Peloton

As stated, McAfee and Peloton worked together closely to address this issue. Adrian Stone, Peloton’s Head of Global Information Security, shared that “this vulnerability reported by McAfee would require direct, physical access to a Peloton Bike+ or Tread. Like with any connected device in the home, if an attacker is able to gain physical access to it, additional physical controls and safeguards become increasingly important. To keep our Members safe, we acted quickly and in coordination with McAfee. We pushed a mandatory update in early June and every device with the update installed is protected from this issue.”

Peloton is always looking for ways to improve products and features, including making new features available to Members through software updates that are pushed to Peloton devices. For a step by step guide on how to check for updated software, Peloton Members can visit the Peloton support site.

Stay Updated 

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post Is Your Peloton Spinning Up Malware? appeared first on McAfee Blogs.

]]>
McAfee Named a 2021 Gartner Peer Insights Customers’ Choice for SWG https://www.mcafee.com/blogs/enterprise/mcafee-named-a-2021-gartner-peer-insights-customers-choice-for-swg/ Tue, 15 Jun 2021 15:00:15 +0000 /blogs/?p=123190

The McAfee team is very proud to announce that, for the third year in a row, McAfee was named a...

The post McAfee Named a 2021 Gartner Peer Insights Customers’ Choice for SWG appeared first on McAfee Blogs.

]]>

The McAfee team is very proud to announce that, for the third year in a row, McAfee was named a 2021 Gartner Peer Insights Customers’ Choice for Secure Web Gateways for its Web Solution.

In its announcement, Gartner explains, “The Gartner Peer Insights Customers’ Choice is a recognition of vendors in this market by verified end-user professionals, taking into account both the number of reviews and the overall user ratings.” To ensure fair evaluation, Gartner applies rigorous methodology for recognizing vendors with a high customer satisfaction rate.

For the distinction, a vendor needs at least 20+ Reviews from Customers with over $50M Annual Review in 18-month timeframe, above Market Average Overall Rating, and above Market Average User Interest and Adoption.

About Gartner Peer Insights and “Voice of the Customer” report:

Gartner Peer Insights is a peer review and ratings platform designed for enterprise software and services decision makers. Reviews are organized by products in markets that are defined by Gartner Research in Magic Quadrant and Market Guide documents.

The “Voice of the Customer” is a document that applies a methodology to aggregated Gartner Peer Insights’ reviews in a market to provide an overall perspective for IT decision makers. This aggregated peer perspective, along with the individual detailed reviews, is complementary to expert-generated research such as Magic Quadrants and Market Guides. It can play a key role in your buying process, as it focuses on direct peer experiences of buying, implementing and operating a solution. A complimentary copy of the Peer Insights ‘Voice of the Customer’ report is available on the McAfee Web site.

Here are some quotes from customers that contributed to this distinction:

“We were using an on-prem web gateway and we have been migrated to UCE recently due to the pandemic situations. It gives us the flexibility to manage our Web GW as a SaaS solution. The solution also provides us bunch of rulesets for our daily usage needs.” CIO in the Manufacturing Industry [Link here]

“McAfee Secure web gateway provides the optimum security required for the employees of the Bank surfing the Internet. It also provides the Hybrid capabilities which allows to deploy same policies regardless of the physical location of the endpoint.”       [Link here]

MVISION Unified Cloud Edge was specifically designed to enable our customers to make a secure cloud transformation by bringing the capabilities of our highly successful Secure Web Gateway appliance solution to the cloud as part of a unified cloud offering. This way, users from any location or device can access the web and the cloud in a fast and secure manner.

“The McAfee Web Gateway integrated well with existing CASB and DLP solutions. It has been very effective at preventing users from going to malware sites. The professional services we purchased for implementation was the best we’ve ever had from any vendor of any IT security product.” Senior Cybersecurity Professional in the Healthcare Industry   [Link here]

McAfee’s Next-Gen Secure Web Gateway technology features tight integration with our CASB and DLP solutions through a converged management interface, which provides unified policies that deliver unprecedented cloud control while reducing cost and complexity. By integrating our SWG, CASB, DLP, and RBI solutions, MVISION Unified Cloud Edge provides a complete SASE security platform that delivers unparalleled data and threat protection.

“We benchmarked against another very well known gateway and there was no comparison. The other gateway only caught a small fraction of what MWG caught when filtering for potentially harmful sites.” Information Security Officer in the Finance Industry   [Link here]

As the threat landscape continues to evolve, it’s important for organizations to have a platform that is integrated and seamless. That’s why McAfee provides integrated multi-layer security including global threat intelligence, machine learning, sandboxing, UEBA, and Remote Browser Isolation to block known threats and detect the most elusive attacks.

To learn more about this distinction, or to read the reviews written about our products by the IT professionals who use them, please visit Gartner Peer Insights’ Customers’ Choice announcement for Web. To all of our customers who submitted reviews, thank you! These reviews mold our products and our customer journey, and we look forward to building on the experience that earned us this distinction!

June 2021 Gartner Peer Insights ‘Voice of the Customer’: Secure Web Gateways

McAfee is named a Customers’ Choice in the June 2021 Gartner Peer Insights “Voice of the Customer”: Secure Web Gateways.

Download Now

 

The post McAfee Named a 2021 Gartner Peer Insights Customers’ Choice for SWG appeared first on McAfee Blogs.

]]>
How to Prepare for Your Child’s First Smartphone https://www.mcafee.com/blogs/consumer/family-safety/how-to-prepare-for-your-childs-first-smartphone/ Tue, 15 Jun 2021 12:40:12 +0000 /blogs/?p=122815 First smartphone

If only more things in life came with training wheels; a child’s first smartphone could certainly use some.  Like taking off the training wheels...

The post How to Prepare for Your Child’s First Smartphone appeared first on McAfee Blogs.

]]>
First smartphone

If only more things in life came with training wheels; a child’s first smartphone could certainly use some. 

Like taking off the training wheels and riding out into the neighborhood for the first time, a smartphone opens an entirely new world for children. There are apps, social media, group chats with friends, TikTok stars, and the joy of simply being “in” with their classmates and friends through the shared experience of the internet.  

For parents, the similarities between first bike rides and first phones continue. You love the growing independence that this moment brings, yet you also wonder what your child will encounter out there when you’re not around. The good and the bad. How have you prepared them for this? Are they really ready? 

When is my child ready for a smartphone? 

That’s the question, isn’t it—when is my child ready for that first smartphone?  

For years, your child has dabbled on the internet, whether that was playing on your phone while they were little, letting them spend time on a tablet, or using a computer for school. Along the way, there have been teaching moments, little lessons you’ve imparted about staying safe, how to treat others online, and so forth. In other words, you’ve introduced the internet to your child in steps. Giving them their own phone is yet another step, but a big one. 

Yet those teaching moments and little lessons are things that they’ll lean on when they’re on their own phone—whether those were about “stranger dangers” online, proper online etiquette, and the difference between safe and unsafe websites. Understanding if your child has a firm foundation for navigating all the highs and lows of the internet is a strong indication of their readiness. After all, safely entering the always-online world of having a smartphone demands a level of intellectual and emotional maturity. 

Is there a right age for a first smartphone? 

Good question. We do know that smartphone usage by children is on the rise. For example, research from Common Sense Media indicates that 53% of 11-year-olds have a smartphone, a number that jumps to 69% at age 12. That’s quite a bit of smartphone use by tweens, use which may be lightly monitored or not monitored at all. Note the percentage of ownership by age and the volume of screen time that follows in the infographic below:  

first smartphone

Source: Common Sense Media 

Why the rise, particularly in very young owners?  However, does that mean 26% of nine-year-olds should have unfettered and all-day access to the internet in the palm of their hands? That’s a topic for you to decide for yourself and for the good of your family. However, if the notion of a third grader with a smartphone seems a little on the young side to you, there are alternatives to smartphones. 

Smartphone alternatives for young children 

If keeping in touch is the primary reason for considering a smartphone, you have internet-free options that you can consider: 

  • Flip phones: Often sturdy and low cost, these are great devices for keeping in touch without the added worry and care of internet access. Likewise, it’s a good way to help younger children learn to care for a device—because it may get dropped, kicked, wet, maybe even lost. You name it. 
  • Smart watches for kids: A quick internet search will turn up a range of wearables like these. Many include calling features, an SOS button, and location tracking. Do your research, though. Some models are more fully featured than others.  
  • First phones for kids: Designed to include just the basics, these limited-feature smartphones offer a great intermediary step toward full smartphone ownership. In the U.S., brands such as Pinwheel and Gabb may be worth a look if you find this route of interest. 

In all, for a younger child, one of these options may be your best bet. They’ll help you and your child keep in touch, develop good habits, and simply learn the basic responsibilities and behaviors that come with using a device to communicate with others. 

Preparing you and your family for the first smartphone 

Now’s a perfect time to prepare yourself for the day when your child indeed gets that first proper smartphone. That entails a little research and a little conversation on your part. Topics such as cyberbullying, digital literacy, social media etiquette, and so on will be important to get an understanding on. And those are just the first few.  

A good place to start is your circle of family and friends. There, you can find out how they handled smartphone ownership with their children. You’ll likely hear a range of strategies and approaches, along with a few stories too, all of which can prepare you and your child.   

I also suggest carving out a few minutes a week to read up on our McAfee blog safety topics so that you can have all the knowledge and tools you need. We blog on topics related to parenting and children quite regularly, and you can get a quick view of them here: 

Time for the first smartphone  

Having a smartphone will change not only their life, but yours as well. Relationships will evolve as your child navigates their new online life with their middle school and high school peers. (Remember those days? They weren’t always easy. Now throw smartphones into the mix.)  

With that, give you and your child one last checkpoint. The following family talking points for owning a smartphone offer a solid framework for conversation and a way to assess if your child, and you, are truly ready for what’s ahead. 

Once smartphone day arrives, it’s time to put two things in place—mobile security and parental controls: 

  1. Get mobile security for your child’s Android phone or mobile security for iPhones. This will provide your child with basic protection, like system scans, along with further protection that steers your child clear of suspicious websites and links. 
  2. Use parental controls for your child’s phone. I also suggest being open and honest with them about using these parental controls. In effect, it’s a tool that extends your parental rules to the internet, so be clear about what those rules are. A good set of controls will let you monitor their activity on their phone, limit their screen time, plus block apps and filter websites. 

What’s next? 

Plenty. And as a mom myself, I rely heavily on those parental controls I put into place, but I also stay close to what they are doing online. It’s a bit of a mix. I simply ask them what’s going on and do a little, monitoring too. That could be asking them what their favorite games and apps are right now or talking about what playlists they’re listening to. This keeps communication open and normalizes talking about the phone/ their internet usage and what’s happening on it. Communication like this can come in handy later on should they need your help with something that’s occurred online. By talking now, the both of you will have an established place to start. 

In all, take children’s smartphone ownership in steps and prepare them for the day those training wheels come off so the both of you can fully enjoy that newfound independence of life with a smartphone.  

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post How to Prepare for Your Child’s First Smartphone appeared first on McAfee Blogs.

]]>
McAfee a Leader in The Forrester Wave™ Unstructured Data Security Platforms https://www.mcafee.com/blogs/enterprise/mcafee-a-leader-in-the-forrester-wave-unstructured-data-security-platforms/ Mon, 14 Jun 2021 15:00:43 +0000 /blogs/?p=123163

The mass migration of employees working from home in the last 14 months has accelerated the digital transformation of businesses. ...

The post McAfee a Leader in The Forrester Wave™ Unstructured Data Security Platforms appeared first on McAfee Blogs.

]]>

The mass migration of employees working from home in the last 14 months has accelerated the digital transformation of businesses.  Cloud applications are no longer a “nice to have,” they are now essential to ensure that businesses survive.  This introduces new security challenges in being able to locate and control sensitive data across all the potential exfiltration vectors regardless of whether they are in the cloud; on premise via managed or unmanaged machines.  Attempting to control these vectors through multiple products results in unnecessary cost and complexity.

McAfee anticipated and responded to this trend, solving all these challenges through the launch of our MVISION Unified Cloud Edge solution in 2020. Unified Cloud Edge doesn’t simply offer data protections controls for endpoints, networks, web and the cloud; rather, Multi-Vector Data Protection provides customers with unified data classification and incident management that enables them to define data workflows once and have policies enforced consistently across each vector. Because of the unified approach and our extensive data protection heritage, we are delighted to be named a Leader in The Forrester Wave™: Unstructured Data Security Platforms, Q2 2021. In our opinion, we were the top ranked dedicated cyber security vendor within the report.

We received the highest possible score in nine criteria with Forrester Research commenting on our “cloud-first data security approachand customer recognition of our “breadth of capabilities (in particular for supporting remote work and cloud use)”.

We continue to innovate within our  Unified Cloud Edge solution through the introduction of remote browser isolation to protect against risky web sites (our “heavy focus in supporting security and data protection in the cloud), which uniquely to the market allows us to continue applying DLP controls even during isolated sessions. Delivering on increased customer value through innovation isn’t just limited to new features, for instance we continue to drive down costs through an unlimited SaaS application bundle.

Click below to read the full report.

The Forrester Wave™: Unstructured Data Security Platforms, Q2 2021

McAfee is delighted to be named a Leader in The Forrester Wave™ Unstructured Data Security Platforms, Q2 2021 report. We received the highest possible score in nine criteria with Forrester Research

Download Now

 

The Forrester Wave™: Unstructured Data Security Platforms, Q2 2021, 17 May 2021, Heidi Shey with Amy DeMartine, Shannon Fish, Peggy Dostie

The post McAfee a Leader in The Forrester Wave™ Unstructured Data Security Platforms appeared first on McAfee Blogs.

]]>
Finding Success at Each Stage of Your Threat Intelligence Journey https://www.mcafee.com/blogs/enterprise/security-operations/finding-success-at-each-stage-of-your-threat-intelligence-journey/ Mon, 14 Jun 2021 15:00:05 +0000 /blogs/?p=123157

Every week it seems there’s another enormous breach in the media spotlight. The attackers may be state-sponsored groups with extensive...

The post Finding Success at Each Stage of Your Threat Intelligence Journey appeared first on McAfee Blogs.

]]>

Every week it seems there’s another enormous breach in the media spotlight. The attackers may be state-sponsored groups with extensive resources launching novel forms of ransomware. Where does your organization stand on its readiness and engagement versus this type of advanced persistent threat? More importantly, where does it want to go?

We believe that the way your organization uses threat intelligence is a significant difference maker in the success of your cybersecurity program. Just as organizations take the journey toward cyber defense excellence at their own rate of speed, some prioritize other investments ahead of threat intelligence, which may impede their progress. Actionable insights aren’t solely about speed, though fast-emerging threats require prompt intervention, they’re also about gaining quality and thoroughness. And that’s table stakes for advancing in your threat intelligence journey.

What is a Threat Intelligence program?

A Threat Intelligence program typically spans five organizational needs:

  • Plan — prepare by identifying the threats that might affect you
  • Collect — gather threat data from multiple feeds or reporting services
  • Process — ingest the data and organize it in a repository
  • Analyze — determine exposure and correlate intelligence with countermeasure capability
  • Disseminate — share the results and adjust your security defenses accordingly

When you disseminate a threat insight, it triggers different responses from various members of your security team. An endpoint administrator will want to automatically invoke counter-measures and security controls to block a threat immediately. A SOC analyst may take actions including looking for signs of a breach and also recommend ways to stiffen your defense posture.

Better threat intelligence provides you with more contextual information — that’s the key. How will this information help your company, in your particular industry, in your region of the world?

The Threat Intelligence journey comes in stages. Where is your program now?

Stage 1: Improving and adapting your protection

Within this stage most companies want to prevent the latest threats at their endpoint, network and cloud controls. They mostly depend on their security vendors to research and keep products up to date with the latest threat intelligence. However, in this stage companies also receive intelligence from other sources, including government, commercial and their own cyber defense investigations, and can use the extra intelligence to further update controls.

Stage 2: Improving the SOC and responding faster

At this stage, organizations advance beyond vendor-provided intelligence and adapt their protection by adding indicators from third-party threat feeds or from other organizational SOC processes such as malware analysis.

Within this stage, companies want to do more than prevent known threats with their tools. They want to understand the adversaries who might target them, improve detection and respond faster by prioritizing investigations.

Stage 3: Improving the Threat Intelligence program

Organizations with this goal know that their industry faces targeted threats every day and they have already invested significantly in their threat intelligence capability. At this stage they most likely have a team utilizing commercial and open-source tools as well as threat data feeds. They’re looking for specialized analysis services and access to raw data.

These organizations can proactively assess their exposure and determine how to reduce the attack surface. They apply threat intelligence to empower their threat hunting, either on a proactive or reactive basis.

Enter new actionable insights, next steps

Until recently it was difficult for security managers to know not just whether their organization has been exposed to a particular threat but whether they have a good level of protection against specific campaigns.

McAfee MVISION Insights is helpful at each stage of your threat intelligence journey because it proactively assesses your organization’s exposure to global threats, integrating with your telemetry, and prescribes how to reduce attack services before the attack occurs.  For stage one, organizations can proactively assess their exposure and determine how to reduce the attack surface. For stage two and three, organizations can apply threat intelligence to empower their threat hunting and analysis, either on a proactive or reactive basis.

 

MVISION Insights Dashboard

One way we help is by integrating data from both McAfee Threat Intelligence feeds such as our Global Threat Intelligence and Advanced Threat Defense, and also third-party services via MVISION APIs. While McAfee Global Threat Intelligence is one of the world’s largest sources of this information, with more than 1 billion global threat sensors in 120+ countries, and 54 billion queries each day, the key thing to know is that we have 500 plus McAfee researchers providing this form of threat intelligence as a service.  The idea is to help you elevate your threat intelligence at each step of your organization’s journey.

 

Check out the latest threats from a Preview of MVISION Insights.

 

 

 

The post Finding Success at Each Stage of Your Threat Intelligence Journey appeared first on McAfee Blogs.

]]>
The Executive Order – Improving the Nation’s Cyber Security https://www.mcafee.com/blogs/enterprise/the-executive-order-improving-the-nations-cyber-security/ Fri, 11 Jun 2021 19:00:50 +0000 /blogs/?p=123205

On May 12, the President signed the executive order (EO) on Improving the Nation’s Cybersecurity. As with every executive order,...

The post The Executive Order – Improving the Nation’s Cyber Security appeared first on McAfee Blogs.

]]>

On May 12, the President signed the executive order (EO) on Improving the Nation’s Cybersecurity. As with every executive order, it establishes timelines for compliance and specific requirements of executive branch agencies to provide specific plans to meet the stated objectives.

It is clear from the EO that the Executive Office of the President is putting significant emphasis on cyber threat intelligence and how it will help government agencies make better decisions about responding to cyber threats and incidents.  The EO also focuses on how federal agencies will govern resource access through Zero Trust and how to comprehensively define and protect hybrid service architectures.  These are critical aspects as government agencies are moving more and more mission-critical applications and services to the cloud.

The call to action in this executive order is long overdue, as modernizing the nation’s cybersecurity approach and creating coordinated intelligence and incident response capabilities should have occurred years ago. Requiring that agencies recognize the shift in the perimeter and start tearing down silos between cloud services and physical data center services is going serve to improve visibility and understanding of how departments and sub-agencies are being targeted by adversaries.

I am sure government leaders have started to review their current capability along with their strategic initiatives to ensure they map to the new EO requirements.  Where gaps are identified, agencies will need to update their plans and rethink their approach to align with the new framework and defined capabilities such as endpoint detection and response (EDR) and Zero Trust.

While the objectives outlined are critical, I do believe that agencies need to take appropriate cautions when deciding their paths to compliance. The goal of this executive order is not to add additional complexity to an already complex security organization. Rather, the goal should be to simplify and automate wherever possible. If the right approach is not decided on early, the risk is very real of adding too much complexity in pursuit of compliance, thus eroding the desired outcomes.

On the surface, it would seem that the areas of improvement outlined in the EO can be taken individually – applied threat intelligence, EDR, Zero Trust, data protection, and cloud services adoption. In reality, they should be viewed collectively. When considering solutions and architectures, agency leaders should be asking themselves some critical questions:

  1. How does my enterprise derive specific context from threat intelligence to drive proactive and predictive responses?
  2. How can my enterprise distribute locally generated threat intelligence to automatically protect my assets in a convict once, inoculate many model?
  3. How does threat intelligence drive coordinated incident response through EDR?
  4. How do threat intelligence and EDR capabilities enable informed trust in a Zero Trust architecture?
  5. How do we build upon existing log collection and SIEM capabilities to extend detection and response platforms beyond the endpoint?
  6. How do we build a resilient, multi-layered Zero Trust architecture without over complicating our enterprise security plan?

The executive order presents a great opportunity for government to evolve their cybersecurity approach to defend against modern threats and enable a more aggressive transition to the cloud and cloud services. There is also significant risk, as the urgency expressed in the EO could lead to hasty decisions that create more challenges than they solve.  To capitalize on the opportunity presented in this executive order, federal leaders must embrace a holistic approach to cybersecurity that integrates all the solutions into a platform approach including robust threat intelligence.  A standalone Zero Trust or EDR product will not accomplish an improved or modernized cybersecurity approach and could lead to more complexity.  A well-thought-out platform, not individual products, will best serve public sector organizations, giving them a clear architecture that will protect and enable our government’s future.

 

 

The post The Executive Order – Improving the Nation’s Cyber Security appeared first on McAfee Blogs.

]]>
Are Virtual Machines the New Gold for Cyber Criminals? https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/ Thu, 10 Jun 2021 15:21:43 +0000 /blogs/?p=123094 AI Cyber Security

Introduction Virtualization technology has been an IT cornerstone for organization for years now. It revolutionized the way organizations can scale...

The post Are Virtual Machines the New Gold for Cyber Criminals? appeared first on McAfee Blogs.

]]>
AI Cyber Security

Introduction

Virtualization technology has been an IT cornerstone for organization for years now. It revolutionized the way organizations can scale up IT systems in a heartbeat, allowing then to be more agile as opposed to investing into dedicated “bare-metal” hardware. To the outside untrained eye, it might seem that there are different machines on the network, while in fact all the “separate” machines are controlled by a hypervisor server. Virtualization plays such a big role nowadays that it isn’t only used to spin up servers but also anything from virtual applications to virtual user desktops.

This is something cyber criminals have been noticing too and we have seen an increased interest in hypervisors. After all, why attack the single virtual machine when you can go after the hypervisor and control all the machines at once?

In recent months several high impact CVEs regarding virtualization software have been released which allowed for Remote Code Execution (RCE); initial access brokers are offering compromised VMware vCenter servers online, as well as ransomware groups developing specific ransomware binaries for encrypting ESXi servers.

VMware CVE-2021-21985 & CVE-2021-21986

On the 25th of May VMware disclosed a vulnerability impacting VMware vCenter servers allowing for Remote Code Execution on internet accessible vCenter servers, version 6.5,6.7 and 7.0. VMware vCenter is a management tool, used to manage virtual machines and ESXi servers.

CVE-2021-21985 is a remote code execution (RCE) vulnerability in the vSphere Client via the Virtual SAN (vSAN) Health Check plugin. This plugin is enabled by default. The combination of RCE and default enablement of the plugin resulted in this being scored as a critical flaw with a CVSSv3 score of 9.8.

An attacker needs to be able to access vCenter over TCP port 443 to exploit this vulnerability. It doesn’t matter if the vCenter is remotely exposed or when the attacker has internal access.

The same exploit vector is applicable for CVE-2021-21986, which is an authentication mechanism issue in several vCenter Server Plug-ins. It would allow an attacker to run plugin functions without authentication. This leads to the CVE being scored as a ‘moderate severity’, with a CVSSv3 score of 6.5.

While writing this blog, a Proof-of-Concept was discovered that will test if the vulnerability exists; it will not execute the remote-code. The Nmap plugin can be downloaded from this location: https://github.com/alt3kx/CVE-2021-21985_PoC.

Searching with the Shodan search engine, narrowing it down to the TCP 443 port, we observe that close to 82,000 internet accessible ESXi servers are exposedZooming in further on the versions that are affected by these vulnerabilities,  almost 55,000 publicly accessible ESXi servers are potentially vulnerable to CVE-2021-21985 and CVE-2021-21986, providing remote access to them and making them potential candidates for ransomware attacks, as we will read about in the next paragraphs.

Ransomware Actors Going After Virtual Environments

Ransomware groups are always trying to find ways to hit their victims where it hurts. So, it is only logical that they are adapting to attacking virtualization environments and the native Unix/Linux machines running the hypervisors. In the past, ransomware groups were quick to abuse earlier CVEs affecting VMware. But aside from the disclosed CVEs, ransomware groups have also adapted their binaries specifically to encrypt virtual machines and their management environment. Below are some of the ransomware groups we have observed.

DarkSide Ransomware

Figure 1. Screenshot from the DarkSide ransomware group, explicitly mentioning its Linux-based encryptor and support for ESXi and NAS systems

McAfee Advanced Threat Research (ATR) analyzed the DarkSide Linux binary in our recent blog and we can confirm that a specific routine aimed at virtual machines is present in it.

Figure 2. DarkSide VMware Code routine

From the configuration file of the DarkSide Linux variant, it becomes clear that this variant is solely designed to encrypt virtual machines hosted on an ESXi server. It searches for the disk-files of the VMs, the memory files of the VMs (vmem), swap, logs, etc. – all files that are needed to start a VMware virtual machine.

Demo of Darkside encrypting an ESXi server: https://youtu.be/SMWIckvLMoE

Babuk Ransomware

Babuk announced on an underground forum that it was developing a cross-platform binary aimed at Linux/UNIX and ESXi or VMware systems:

Figure 3. Babuk ransomware claiming to have built a Linux-based ransomware binary capable of encrypting ESXi servers

The malware is written in the open-source programming language Golang, most likely because it allows developers to have a single codebase to be compiled into all major operating systems. This means that, thanks to static linking, code written in Golang on a Linux system can run on a Windows or Mac system. That presents a large advantage to ransomware gangs looking to encrypt a whole infrastructure comprised of different systems architecture.

After being dropped on the ESXi server, the malware encrypts all the files on the system:

The malware was designed to target ESXi environments as we guessed, and it was confirmed when the Babuk team returned the decryptor named d_esxi.out. Unfortunately, the decryptor has been developed with some errors, which cause corruption in victim’s files:

Overall, the decryptor is poor as it only checks for the extension “.babyk” which will miss any files the victim has renamed to recover them. Also, the decryptor checks if the file is more than 32 bytes in length as the last 32 bytes are the key that will be calculated later with other hardcoded values to get the final key. This is bad design as those 32 bytes could be trash, instead of the key, as the customer could make things, etc. It does not operate efficiently by checking the paths that are checked in the malware, instead it analyzes everything. Another error we noticed was that the decryptor tries to remove a ransom note name that is NOT the same that the malware creates in each folder. This does not make any sense unless, perhaps, the Babuk developers/operators are delivering a decryptor that works for a different version and/or sample.

The problems with the Babuk decryptor left victims in horrible situations with permanently damaged data. The probability of getting a faulty decryptor isn’t persuading victims to pay up and this might be one of the main reasons that Babuk  announced that it will stop encrypting data and only exfiltrate and extort from now on.

Initial-Access-Brokers Offering VMware vCenter Machines

It is not only ransomware groups that show an interest in virtual systems; several initial access brokers are also trading access to compromised vCenter/ESXi servers on underground cybercriminal forums. The date and time of the specific offering below overlaps with the disclosure of CVE-2021-21985, but McAfee ATR hasn’t determined if this specific CVE was used to gain access to ESXi servers.

Figure 4. Threat Actor selling access to thousands of vCenter/ESXi servers

Figure 5. Threat actor offering compromised VMware ESXi servers

Patching and Detection Advice

VMware urges users running VMware vCenter and VMware Cloud Foundation affected by CVE-2021-21985 and CVE-2021-21986 to apply its patch immediately. According to VMware, a malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. The disclosed vulnerabilities have a critical CVSS base score of 9.8.

However, we do understand that VMware infrastructure is often installed on business-critical systems, so any type of patching activity usually has a high degree of impact on IT operations. Hence, the gap between vulnerability disclosure and patching is typically high. With the operating systems on VMware being a closed system they lack the ability to natively install workload protection/detection solutions. Therefore, the defenses should be based on standard cyber hygiene/risk mitigation practices and should be applied in the following order where possible.

  1. Ensure an accurate inventory of vCenter assets and their corresponding software versions.
  2. Secure the management plane of the vCenter infrastructure by applying strict network access control policies to allow access only from special management networks.
  3. Disable all internet access to vCenter/VMware Infrastructure.
  4. Apply the released VMware patches.
  5. McAfee Network Security Platform (NSP) offers signature sets for detection of CVE-2021-21985 and CVE-2021-21986.

Conclusion

Virtualization and its underlying technologies are key in today’s infrastructures. With the release of recently discovered vulnerabilities and an understanding of their criticality, threat actors are shifting focus. Proof can be seen in underground forums where affiliates recruit pentesters with knowledge of specific virtual technologies to develop custom ransomware that is designed to cripple these technologies. Remote Desktop access is the number one access vector in many ransomware cases, followed by edge-devices lacking the latest security updates, making them vulnerable to exploitation. With the latest VMware CVEs mentioned in this blog, we urge you to take the right steps to secure not only internet exposed systems, but also internal systems, to minimize the risk of your organization losing its precious VMs, or gold, to cyber criminals.

 

Special thanks to Thibault Seret, Mo Cashman, Roy Arnab and Christiaan Beek for their contributions.

The post Are Virtual Machines the New Gold for Cyber Criminals? appeared first on McAfee Blogs.

]]>
How to Teach Kids About Online Safety: A Guide https://www.mcafee.com/blogs/consumer/consumer-cyber-awareness/how-to-teach-kids-about-online-safety-a-guide-2/ Wed, 09 Jun 2021 13:15:13 +0000 /blogs/?p=122881 cybersecurity

Kids are online now more than ever, not just during free time, but also during school time. It is impossible to always peek over their...

The post How to Teach Kids About Online Safety: A Guide appeared first on McAfee Blogs.

]]>
cybersecurity

Kids are online now more than ever, not just during free time, but also during school time. It is impossible to always peek over their shoulder, and depending on their age, they may grow tired of a POS (aka parent over shoulder). The internet can be a dangerous place, but with the right education, kids can navigate hazards and remain safe and calm while online. 

Check out this online safety guide on how to keep your children engaged while learning about cybersecurity and imparting lessons that stick. This guide will work for children ages 6 through 18 with variations. 

1. Keep Lessons Relatable

The first tip to teaching kids about online safety is making sure that your lessons are relatable. For example, if the day’s lesson is about phishing, do not illustrate it with an example of a major corporation’s folly. Instead, liken it to stranger danger. Just like kids know not to talk to strangers on the sidewalk and to distrust strangers who say they have candy, tell them that the same rule applies to online strangers: Walk right by and do not accept anything you are offered. That means not clicking on any links the online stranger sends you, especially when they say you have won a prize. Thirty-four percent of Canadians have encountered a phishing attack since the beginning of the pandemic, according to Statistics Canada. This prevalence means that it is likely someone in your family will receive a phishing message. Warn children that phishing and other social engineering attempts are likely to play with their emotions to make them feel happy, excited, mad, or scared. Encourage your children to always stay calm online and let an adult know when they are approached by strangers. 

2. Emphasize What is at Stake

Along the lines of keeping cybersecurity lessons relatable, make sure that children also know what is at stake if they are irresponsible online. In the case of clicking on suspicious links, tell children that this could make their device ill. When computers are infected with a virus, or are sick, they work slowly and could shut off when they are in the middle of a school assignment. Also, make note of the prevalence of viruses, and how children should stay on guard for them constantly. Over 800,000 Canadian devices had encounters with malware in the last 30 days, at the time this article was written. 

In extreme cases, children can have their identities stolen due to irresponsible online behavior. A stolen identity could affect their credit card eligibility and set them off on the wrong foot in adulthood. Stress the severity of identity theft and the specific consequences. Teenagers who have their sights set on financial freedom, buying a car, or setting up their own bank account could be severely affected. The best way to keep your identity safe is by keeping your Social Insurance Number completely private, never sharing your banking information, and not oversharing online. Canada’s Centre for Digital and Media Literacy explains that preteens especially have a hard time judging the accuracy of online information and are vulnerable to filling out forms that ask for their personal information. When possible, try to keep all internet-connected devices in communal areas of your home so you can periodically check in on your kids. 

When teaching children about online safety, make sure you don’t use fear tactics. Be firm about the potential consequences, but emphasize that kids have your support, the right online literacy skills, and the support of antivirus software and identity theft protection to catch any threats that fall through the cracks. 

3. Use Passphrases!

Passwords are a thing of the past. The hippest new way to protect your accounts is with complex, yet memorable, passphrases. The Government of Canada defines a passphrase as “a memorized phrase consisting of mixed words with or without spaces.” When kids are old enough to be responsible for their own accounts, such as a school login, email address, or social media profile, impart the lesson of passphrases. Thinking up passphrases can turn into a fun exercise. 

When it is time to create a passphrase, have your kids brainstorm some of their favorite things that loosely relate to the account the passphrase is for. For example, a social media site’s passphrase could be about friends, like “A$hleyIsMy#1Fr13nd!” and a school login could be along the lines of “$0cial$tud!esR0ck$!” A loose association may make the passphrase easier to remember. 

If they are gamers, kids may already be familiar with leet, or using symbols in place of letters. Encourage children to practice their leet fluency and substitute as many letters for symbols as they would like. The Government of Canada recommends that passphrases be at least 15 characters long. 

As hard as it might be, never write down passphrases on paper, do not share your password with other people, and do not reuse passphrases. Instead, leverage a password manager, like McAfee True Key, to keep them safe for you. If your child is old enough, encourage them to set up their own account and protect it with two-factor authentication. 

4. See Something, Say Something

Encourage kids to ask questions! Part of your cybersecurity lessons should be to alert an adult when they are not sure if something is quite right. For example, they received an email from grandma, but there is a weird link hidden inside it. Children should know that they can come to you for questions and caution is better than rolling the dice. Questions can then lead to advanced lessons, like how to hover over links to see where they redirect and if the links look fishy. 

Cybersecurity Is for Everyone 

The cybersecurity lessons you impart on children now will set a solid foundation for sound cyber literacy for a lifetime. No one is ever too old or too young to learn the basics and then put them into practice.    Who knows? Maybe you will learn something along the way. 

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.  

The post How to Teach Kids About Online Safety: A Guide appeared first on McAfee Blogs.

]]>
Avoid Making Costly Mistakes with Your Mobile Payment Apps https://www.mcafee.com/blogs/consumer/mobile-and-iot-security/avoid-making-costly-mistakes-with-your-mobile-payment-apps/ Tue, 08 Jun 2021 12:26:39 +0000 /blogs/?p=122467 mobile payment

There used to be a time when one roommate split the cost of rent with another by writing a check. Who still owns a checkbook these days? Of...

The post Avoid Making Costly Mistakes with Your Mobile Payment Apps appeared first on McAfee Blogs.

]]>
mobile payment

There used to be a time when one roommate split the cost of rent with another by writing a check. Who still owns a checkbook these days? Of course, those days are nearly long gone, in large part thanks to “peer to peer” (P2P) mobile payment apps, like Venmo, Zelle, or Cash AppNow with a simple click on an app, you can transfer your friend money for brunch before you even leave the tableYet for all their convenience, P2P mobile payment apps could cost you a couple of bucks or more if you’re not on the lookout for things like fraud. The good news is that there are some straightforward ways to protect yourself. 

You likely have one of these apps on your phone alreadyIf so, you’re among the many. It’s estimated that 70% of adults in the U.S. use mobile payment apps like theseAnd chances are that you have more than just the oneOnly 25% of adults in the U.S. use just a single payment app.   

Yet with all those different apps come different policies and protections associated with them. So, if you ever get stuck with a bum charge, it may not always be so easy to get your money back. 

With that, here are seven quick tips for using your P2P mobile payment apps safely.

1. Add extra protection with your face, finger, or PIN. 

In addition to securing your account with a strong password, go into your settings and set up your app to use a PIN code, facial ID, or fingerprint ID. (And make sure you’re locking your phone the same way too.) This provides an additional layer of protection in the event your phone is stolen or lost and someone, other than you, tries to make a payment with it.  

2. Get a request or make a test before you pay in full. 

What’s worse than sending money to the wrong person? When paying a friend for the first time, have them make a payment request for you. This way, you can be sure that you’re sending money to the right person. With the freedom to create account names however one likes, a small typo can end up as a donation to a complete stranger. To top it off, that money could be gone for good! 

Another option is to make a test payment. Sending a small amount to that new account lets both of you know that the routing is right and that a full payment can be made with confidence. 

3. You can’t always issue a “hold” or “stop payment” with mobile payment apps. 

Bye, bye, bye! Unlike some other payment methods, new mobile payment apps don’t have a way to dispute a charge, cancel a payment, or otherwise use some sort of recall or retrieval feature. If anything, this reinforces the thought above—be sure that you’re absolutely making the payment to the right person. 

4. When you can, use your app with a credit card. 

Credit cards offer a couple of clear advantages over debit cards when using them in association with mobile payment apps (and online shopping for that matter too). Essentially, they can protect you better from fraud: 

  • Debit cards immediately remove cash from your account when a payment is made, whereas credit card payments appear as charges—which can be contested in the case of fraud. 
  • In the U.S., if your credit card is lost or stolen, you can report the loss and you will have no further responsibility for charges you didn’t make. Additionally, liability for each card lost or stolen is $50. Debit cards don’t enjoy these same protections. 

5. Fraudulent charge … lost or stolen card? Report it right away. 

Report any activity like this immediately to your financial institution. Timing can be of the essence in terms of limiting your liabilities and losses. For additional info, check out this article from the Federal Trade Commission (FTC) that outlines what to do if your debit or credit card is stolen and what your liabilities are.  

Also, note the following guidance from the FTC on payment apps: 

“New mobile apps and forms of payment may not provide these same protections. That means it might not always be easy to get your money back if something goes wrong. Make sure you understand the protections and assurances your payment services provider offers with their service.”  

6. Watch out for cybercrooks cashing in on mobile payment app scams. 

It’s sad but true. Crooks are setting up all kinds of scams that use mobile payment apps. A popular one involves creating fake charities or posing as legitimate ones and then asking for funds by mobile payment. To avoid getting scammed, check and see if the charity is legit. The FTC suggests researching resources like Better Business Bureau’s Wise Giving Alliance, Charity Navigator, Charity Watch or,  GuideStar. 

Overall, the FTC further recommends the following to keep yourself from getting scammed: 

  • Review the app’s fraud protection policies and understand whether and how you can recover funds if a problem arises. 
  • Be wary of any business that only accepts P2P payment apps or pre-paid debit card payments. Consider this a red flag. 
  • Never send P2P payments to, or accept payments from, someone you don’t know. 
  • Don’t use P2P payment apps for purchasing goods or services. As noted above, you may not get the consumer protections a credit or debit card can offer. 

7. Protect your phone 

With so much of your life on your phone, getting security software installed on your it can protect you and the things you keep on your phone. Whether you’re an Android owner or iOS owner, mobile security software can keep your data, shopping, and payments secure. 

Stay Updated  

To stay updated on all thingsMcAfee and on top of the latest consumer and mobile security threats, follow@McAfee_Home on Twitter, subscribe to ournewsletter, listen to our podcastHackable?, and ‘Like’ us on Facebook.

The post Avoid Making Costly Mistakes with Your Mobile Payment Apps appeared first on McAfee Blogs.

]]>
Apple Users: This macOS Malware Could Be Spying on You https://www.mcafee.com/blogs/consumer/cyberthreat-news/apple-users-this-macos-malware-could-be-spying-on-you/ Fri, 04 Jun 2021 13:19:06 +0000 /blogs/?p=122647 Mac Malware

In 2018, Macs accounted for 10% of all active personal computers. Since then, popularity has skyrocketed. In the first quarter of 2021, Macs experienced 115% growth...

The post Apple Users: This macOS Malware Could Be Spying on You appeared first on McAfee Blogs.

]]>
Mac Malware

In 2018, Macs accounted for 10% of all active personal computers. Since then, popularity has skyrocketed. In the first quarter of 2021, Macs experienced 115% growth when compared to Q1 2020, putting Apple in fourth place in the global PC market share. It is safe to say that Macs are well-loved and trusted devices by a significant portion of the population — but just how safe are they from a security perspective? 

Many users have historically believed that Macs are untouchable by hackers, giving Apple devices a reputation for being more “secure” than other PCs. However, recent attacks show that this is not the case. According to TechCrunch, a new malware called XCSSET was recently found exploiting a vulnerability that allowed it to access parts of macOS, including the microphone, webcam, and screen recorder — all without consent from the user.  

Let’s dive deeper into how XCSSET works.  

Manipulating Macs with Zero-Day Exploits 

Researchers first discovered XCSSET in 2020. The malware targeted Apple developers and the projects they use to build and code apps. By targeting app development projects, hackers infiltrated apps early in their production, causing developers to unknowingly distribute the malware to their users.  

Once the malware is running on a user’s device, it uses multiple zero-day attacks to alter the machine and spy on the user. These attacks allow the hacker to:   

  • Steal cookies from the Safari browser to gain access to a user’s online accounts. 
  • Quietly install a development version of Safari that allows attackers to modify and snoop on virtually any website. 
  • Secretly take screenshots of the victim’s device.  

XCSSET’s Significance for macOS Users 

While macOS is supposed to ask users for permission before allowing any app to record the screen, access the microphone or webcam, or open the user’s storage, XCSSET can bypass all of these permissions. This allows the malware to sneak in under the radar and inject malicious code into legitimate apps that commonly ask for screen-sharing permissions such as Zoom, WhatsApp, and Slack. By disguising itself among these legitimate apps, XCSSET inherits their permissions across the computer and avoids getting flagged by macOS’s built-in security defenses. As a result, the bug could allow hackers to access the victim’s microphone, webcam, or capture their keystrokes for login credentials or credit card information.  

How to Stay Protected Against macOS Malware 

It is unclear how many devices were affected by XCSSET. Regardless, it is crucial for consumers to understand that Mac’s historical security reputation does not replace the need for users to take online safety precautions. The following tips can help macOS users protect themselves from malware:  

1. Update your software.   

Software developers are continuously working to identify and address security issues. Frequently updating your devices’ operating systems, browsers, and apps is the easiest way to have the latest fixes and security protections. For example, Apple confirmed that it addressed the bug exploited by XCSSET in macOS 11.4, which was made available on May 24th, 2021. 

2. Avoid suspicious emails or text messages from unknown senders.  

Hackers often use phishing emails or text messages as a means to distribute malware by disguising their malicious code in links and attachments. Do not open suspicious or irrelevant messages, as this can result in malware infection. If the message claims to be from a business or someone you know, reach out to the source directly instead of responding to the message. This will allow you to confirm the sender’s legitimacy.  

3. Use a comprehensive security solution. 

Use a solution like McAfee Total Protection, which can help protect devices against malware, phishing attacks, and other threats. It also includes McAfee WebAdvisor — a tool to help identify malicious websites. 

Regardless of whether you are Team PC or Team Mac, it is important to realize that both platforms are susceptible to cyberthreats that are constantly changing. Doing your research on prevalent threats and software bugs puts you in a better position to protect your online safety.  

Stay Updated 

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.  

The post Apple Users: This macOS Malware Could Be Spying on You appeared first on McAfee Blogs.

]]>
8 Tips for Staying Safe from Ransomware Attacks https://www.mcafee.com/blogs/consumer/consumer-cyber-awareness/8-tips-for-staying-safe-from-ransomware-attacks/ Thu, 03 Jun 2021 21:39:17 +0000 /blogs/?p=122764 Ransomware attacks

What is Ransomware? Over the past year, you may have seen the term ransomware popping up frequently. For enterprising hackers,...

The post 8 Tips for Staying Safe from Ransomware Attacks appeared first on McAfee Blogs.

]]>
Ransomware attacks

What is Ransomware?

Over the past year, you may have seen the term ransomware popping up frequently. For enterprising hackers, this once uncommon tactic has become standard operating procedure, and with good reason – it pays. Ransomware is malware that employs encryption to hold a victim’s information at ransom. The hacker uses it to encrypt a user or organization’s critical data so that they cannot access files, databases, or applications. A ransom is then demanded to provide access. It is a growing threat, generating billions of dollars in payments to cybercriminals and inflicting significant damage and expenses for businesses and governmental organizations.  

Why should I care?

McAfee Labs counted a 60% increase in attacks from Q4 2019 to Q1 2020 in the United States alone. Unfortunately, the attacks targeting organizations also impact the consumers who buy from them, as the company’s data consists of its customers’ personal and financial information. That means your data if you’ve done business with the affected company. Fortunately, there are many ways you can protect yourself from ransomware attacks.  

How do I know if my information is vulnerable?

When a company is hit with a ransomware attack, they typically are quick to report the incident, even though a full analysis of what was affected and how extensive the breach may have been may take much longer. Once they have the necessary details they may reach out to their customers via email, through updates on their site, social media, or even the press to report what customer data may be at risk.  Paying attention to official communications through these various channels is the best way to know if you’ve been affected by a ransomware attack. 

Put ransomware fears in your rearview mirror with these tips:

1. Back up your data 

If you get ransomware, you’ll want to immediately disconnect any infected devices from your networks to prevent the spread of it. This means you’ll be locked out of your files by the ransomware and be unable to move the infected files. Therefore, it’s crucial that you always have backup copies of them, preferably in the cloud and on an external hard drive. This way, if you do get a ransomware infection, you can wipe your computer or device free and reinstall your files from backup.  Backups protect your data, and you won’t be tempted to reward the malware authors by paying a ransom. Backups won’t prevent ransomware, but they can mitigate the risks.  

2. Change your credentials

If you discover that a data leak or a ransomware attack has compromised a company you’ve interacted with, act immediately and change your passwords for all your accounts. And while you’re at it, go the extra mile and create passwords that are seriously hard to crack with this next tip. 

3. Take password protection seriously

When updating your credentials, you should always ensure that your password is strong and unique. Many users utilize the same password or variations of it across all their accounts. Therefore, be sure to diversify your passcodes to ensure hackers cannot obtain access to all your accounts at once, should one password be compromised. You can also employ a password manager to keep track of your credentials and generate secure login keys.  

4. Enable two-factor or multi-factor authentication

Two or multi-factor authentication provides an extra layer of security, as it requires multiple forms of verification. For instance, you’ll be asked to verify your identity through another device, such as a phone. This reduces the risk of successful impersonation by hackers.  

 5. Browse safely online

Be careful where you click. Don’t respond to emails and text messages from people you don’t know, and only download applications from trusted sources. This is important since malware authors often use social engineering to get you to install dangerous files. Using a security extension on your web browser is one way to browse more safely.  

6. Only use secure networks

Avoid using public Wi-Fi networks, since many of them are not secure, and cybercriminals can snoop on your internet usage. Instead, consider installing a VPN, which provides you with a secure connection to the internet no matter where you go.   

7. Never pay the ransom

While it is often large organizations that fall prey to ransomware attacks, you can also be targeted by a ransomware campaign. If this happens, don’t pay the ransom. Although you may feel in the moment that this is the only way to get your encrypted files back, there is no guarantee that the ransomware developers will send a decryption tool once they receive the payment. Paying the ransom also contributes to the development of more ransomware families, so it’s best to hold off on making any payments. Thankfully there are free resources devoted to helping you like McAfee’s No More Ransomware initiative McAfee, along with other organizations, created www.nomoreransom.org/ to educate the public about ransomware and, more importantly, to provide decryption tools to help people recover files that have been locked by ransomware. On the site you’ll find decryption tools for many types of ransomware, including the Shade ransomware.  

8. Use a comprehensive security solution

Adding an extra layer of security with a solution such as McAfee® Total Protection, which includes Ransom Guard, can help protect your devices from these cyberthreats. In addition, make sure you update your devices’ software (including security software!) early and often, as patches for flaws are typically included in each update. Comprehensive security solutions also include many of the tools we mentioned above and are simply the easiest way to ensure digital wellness online. 

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our newsletter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post 8 Tips for Staying Safe from Ransomware Attacks appeared first on McAfee Blogs.

]]>
The What, Why, and How of AI and Threat Detection https://www.mcafee.com/blogs/consumer/consumer-cyber-awareness/the-what-why-and-how-of-ai-and-threat-detection/ Wed, 02 Jun 2021 13:50:36 +0000 /blogs/?p=121858 AI Cyber Security

There are more online users now than ever before, thanks to the availability of network-capable devices and online services. The internet...

The post The What, Why, and How of AI and Threat Detection appeared first on McAfee Blogs.

]]>
AI Cyber Security

There are more online users now than ever before, thanks to the availability of network-capable devices and online services. The internet population in Canada is the highest it has been, topping the charts at 33 million. That number is only expected to increase through the upcoming years. However, this growing number and continued adoption of online services pose increasing cybersecurity risks as cybercriminals take advantage of more online users and exploit vulnerabilities in online infrastructure. This is why we need AI-backed software to provide advanced protection for online users.   

The nature of these online threats is ever-changing, making it difficult for legacy threat detection systems to monitor threat behavior and detect new malicious code. Fortunately, threat detection systems such as McAfee’s Antivirus and Threat Detection Defense adapt to incorporate the latest threat intelligence and artificial intelligence (AI) driven behavioral analysis. Here’s how AI impacts cybersecurity to go beyond traditional methods to protect online users. 

What is AI? 

Most of today’s antivirus and threat detection software leverages behavioral heuristic-based detection based on machine learning models to detect known malicious behavior. Traditional methods rely on data analytics to detect known threat signatures or footprints with incredible accuracy. However, these conventional methods do not account for new malicious code, otherwise known as zero-day malware, for which there is no known information available. AI is mission-critical to cybersecurity since it enables security software and providers to take a more intelligent approach to virus and malware detection. Unlike AI–backed software, traditional methods rely solely on signature-based software and data analytics.  

Similar to human-like reasoning, machine learning models follow a three-stage process to gather input, process it, and generate an output in the form of threat leads. Threat detection software can gather information from threat intelligence to understand known malware using these models. It then processes this data, stores it, and uses it to draw inferences and make decisions and predictions. Behavioral heuristic-based detection leverages multiple facets of machine learning, one of which is deep learning. 

Deep learning employs neural networks to emulate the function of neurons in the human brain. This architecture uses validation algorithms for crosschecking data and complex mathematical equations, which applies an “if this, then that” approach to reasoning. It looks at what occurred in the past and analyzes current and predictive data to reach a conclusion. As the numerous layers in this framework process more data, the more accurate the prediction becomes. 

Many antivirus and detection systems also use ensemble learning. This process takes a layered approach by applying multiple learning models to create one that is more robust and comprehensive. Ensemble learning can boost detection performance with fewer errors for a more accurate conclusion.  

Additionally, today’s detection software leverages supervised learning techniques by taking a “learn by example” approach. This process strives to develop an algorithm by understanding the relationship between a given input and the desired output. 

Machine learning is only a piece of an effective antivirus and threat detection framework. A proper framework combines new data types with machine learning and cognitive reasoning to develop a highly advanced analytical framework. This framework will allow for advanced threat detection, prevention, and remediation.  

How Can AI Help Cybersecurity? 

Online threats are increasing at a staggering pace. McAfee Labs observed an average of 588 malware threats per minuteThese risks exist and are often exacerbated for several reasons, one of which is the complexity and connectivity of today’s world. Threat detection analysts are unable to detect new malware manually due to their high volume. However, AI can identify and categorize new malware based on malicious behavior before they get a chance to affect online users. AIenabled software can also detect mutated malware that attempts to avoid detection by legacy antivirus systems.  

Today, there are more interconnected devices and online usage ingrained into people’s everyday lives. However, the growing number of digital devices creates a broader attack surface. In other words, hackers will have a higher chance of infiltrating a device and those connected to it. 

Additionally, mobile usage is putting online users at significant risk. Over 85% of the Canadian population owns a smartphone. Hackers are noticing the rising number of mobile users and are rapidly taking advantage of the fact to target users with mobile-specific malware. 

The increased online connectivity through various devices also means that more information is being stored and processed online. Nowadays, more people are placing their data and privacy in the hands of corporations that have a critical responsibility to safeguard their users’ data. The fact of the matter is that not all companies can guarantee the safeguards required to uphold this promise, ultimately resulting in data and privacy breaches. 

In response to these risks and the rising sophistication of the online landscape, security companies combine AI, threat intelligence, and data science to analyze and resolve new and complex cyber threats. AI-backed threat protection identifies and learns about new malware using machine learning modelsThis enables AI-backed antivirus software to protect online users more efficiently and reliably than ever before 

Top 3 Benefits of AI-backed Threat Detection Software  

AI addresses numerous challenges posed by increasing malware complexity and volume, making it critical for online security and privacy protection. Here are the top 3 ways AI enhances cybersecurity to better protect online users.  

1. Effective threat detection 

The most significant difference between traditional signature-based threat detection methods and advanced AI-backed methods is the capability to detect zero-day malware. Functioning exclusively from either of these two methods will not result in an adequate level of protection. However, combining theresults in a greater probability of detecting more threats with higher precision. Each method will ultimately play on the other’s strengths for a maximum level of protection. 

2. Enhanced vulnerability management 

AI enables threat detection software to think like a hacker. It can help software identify vulnerabilities that cybercriminals would typically exploit and flag them to the user. It also enables threat detection software to better pinpoint weaknesses in user devices before a threat has even occurred, unlike conventional methods. AI-backed security advances past traditional methods to better predict what a hacker would consider a vulnerability. 

2. Better security recommendations 

AI can help users understand the risks they face daily. An advanced threat detection software backed by AI can provide a more prescriptive solution to identifying risks and how to handle them. A better explanation results in a better understanding of the issue. As a result, users are more aware of how to mitigate the incident or vulnerability in the future.

Take a Smarter Approach to Security 

AI and machine learning are only a piece of an effective threat detection framework. A proper threat detection framework combines new data types with the latest machine learning capabilities to develop a highly advanced analytical framework. This framework will allow for better threat cyber threat detection, prevention, and remediation.

Stay Updated

To stay updated on all things